CN101336554A - Secure distributed handover signaling - Google Patents

Info

Publication number: CN101336554A
Authority: CN (China)
Prior art keywords: base station, target, source base, nonce, context
Legal status: Pending
Application number: CNA2006800517083A
Other languages: Chinese (zh)
Inventor: D·福斯贝里
Current Assignee: Nokia Oyj
Original Assignee: Nokia Oyj
Application filed by Nokia Oyj

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Abstract

The invention provides apparatuses and methods for providing security measures for a handover execution procedure in a communication network. In one example, the handover procedure is initiated by more than one base station. In another example, a base station cannot launch a Denial of Service (DoS) attack against other base stations or against a core network using handover signaling messages. For example, a user device may send at least one encryption parameter, such as a Nonce associated with the user device, to a source base station. Handover of the user device from the source base station to a target base station may then be accomplished based on the at least one encryption parameter so as to avoid the DoS attack.

Description

Secure distributed handover signaling
Cross reference to related application
This application claims the benefit of U.S. Provisional Application No. 60/755,793, filed January 4, 2006, which is incorporated herein by reference.
Technical field
The present invention relates generally to communication networks. More specifically, the invention provides security measures in a communication network.
Background
Communication networks have come to play a critical role in information exchange. For example, networks used for the communication of mobile media content provide a scalable way to stream media to a large number of customers. Because of the increased availability of network infrastructure, enhanced media services and communications may be realized.
In a typical network, a customer connects to a network service. When the customer wants the service, the service should be available to the customer. In many cases, however, a breach of system security may deny a user or organization the use of the desired service. For example, a denial of service (DoS) attack may occur that interrupts service delivery or even destroys programs or files required by the system. Such DoS attacks can be costly in terms of both time and money.
In a typical DoS attack, the user is denied access to a desired resource. There are many types of DoS attacks, but most share a common goal: depriving the victim of the services and resources it expects to access. Such attacks can cause loss of productivity and resources. Therefore, there is a need for a method and system for preventing attacks on a communication system, so as to maintain the integrity of the communication system and/or ensure correct data exchange within the communication network.
Summary of the invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the invention. The summary is not an extensive overview of the invention. It is intended neither to identify key or critical elements of the invention nor to delineate the scope of the invention. It merely presents some concepts of the invention in simplified form as a prelude to the more detailed description that follows.
In one example of the invention, a method is provided for a secure handover procedure of a mobile communication device. In one example, a measurement report that includes a Nonce associated with the mobile communication device is sent to a source base station. The source base station and a target base station may communicate context information.
In another example, the mobile communication device may confirm the handover with the target base station. In another example, the target base station may forward signed and partially encrypted content to a core network for use in verifying the handover messages.
Brief description of the drawings
A more complete understanding of the present invention and its advantages may be obtained by referring to the following description in conjunction with the accompanying drawings, in which like reference numerals denote like parts, and in which:
Fig. 1 illustrates a block diagram of a wireless communication system in which various aspects of the invention may be implemented;
Fig. 2 illustrates a block diagram of a mobile terminal according to an aspect of the invention;
Fig. 3 illustrates a system according to an aspect of the invention in which a handover decision to a target device may be derived via a corresponding evolved Node-B (eNB) or base station;
Fig. 4 is a block diagram showing an example of proactive intra-radio-access handover security according to an aspect of the invention;
Fig. 5 is a flow chart showing the example of proactive intra-radio-access handover security of Fig. 4, according to an aspect of the invention;
Fig. 6 is a diagram illustrating an example of proactive secure handover with a new round trip according to an aspect of the invention;
Fig. 7 is a flow chart showing the example of proactive secure handover with a new round trip of Fig. 6, according to an aspect of the invention;
Fig. 8 is a block diagram illustrating an example of proactive handover with pre-assigned SKC according to an aspect of the invention; and
Fig. 9 is a flow chart showing the example of proactive handover with pre-assigned SKC of Fig. 8, according to an aspect of the invention.
Detailed description
In the following description of the various embodiments, reference is made to the accompanying drawings, which form a part hereof and in which are shown various embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized, and that structural and functional modifications may be made, without departing from the spirit and scope of the present invention.
The invention may be utilized across a wide range of networks and communication protocols. Fig. 1 illustrates an example of a wireless communication system 110 in which the systems and methods of the invention may be employed. One or more network-enabled mobile devices 112, such as a personal digital assistant (PDA), cellular telephone, mobile terminal, personal video recorder, mobile television, personal computer, digital camera, digital camcorder, portable audio device, portable radio, or a combination thereof, communicate with a service source 122 through a broadcast network 114 and/or a cellular network 116. Although mobile devices are described here, the invention is in no way limited to them. For example, aspects of the invention may be provided in stationary equipment. In the stationary case, a return channel for contacting the service providing entity may also be provided. The mobile terminal/device 112 may comprise a digital broadcast receiver device. The service source 122 may be connected to several service providers, which may provide the service source with their actual program content or with information or descriptions of their services and programs; the service source in turn provides the content or information to the mobile device 112. The several service providers may include, but are not limited to, one or more television and/or digital television service providers, AM/FM radio service providers, SMS/MMS push service providers, and Internet content or access providers.
The broadcast network 114 may include a radio transmission of IP datacasting over DVB-H. The broadcast network 114 may broadcast services, such as digital or analog television signals, and supplemental content related to the services via a transmitter 118. The broadcast network may also include radio, television or IP datacasting broadcast networks. The broadcast network 114 may also transmit supplemental content, which may include television signals, audio and/or video streams, data streams, video files, audio files, software files and/or video games. In the case of transmitting IP datacasting services, the service source 122 may transmit the actual program content to the user device 112 through the broadcast network 114, and transmit additional information, such as user rights and access information for the actual program content, to the user device 112 through the cellular network 116.
The mobile device 112 may also contact the service source 122 through the cellular network 116. The cellular network 116 may comprise a wireless network and a base transceiver station transmitter 120. The cellular network may comprise a second/third/fourth generation (2G/3G/4G) cellular data communications network, a Global System for Mobile communications network (GSM), an OMA broadcast network, FLO, MBMS, or other wireless communication networks such as WLAN or WiMAX networks.
In one aspect of the invention, the mobile device 112 may comprise a wireless interface configured to send and/or receive digital wireless communications within the cellular network 116. The information received by the mobile device 112 through the cellular network 116 or the broadcast network 114 may include user selections, applications, services, electronic images, audio clips, video clips and/or WTAI (Wireless Telephone Application Interface) messages. As part of the cellular network 116, one or more base stations (not shown) may support digital communications with the receiver device 112 while the receiver device is located within the administrative area of the cellular network 116.
As shown in Fig. 2, the mobile device 112 may include a processor 128 connected to a user interface 130, memory 134 and/or other storage, and a display 136. The mobile device 112 may also include a battery 150, a speaker 152 and an antenna 154. The user interface 130 may further include a keypad, touch screen, voice interface, four arrow keys, joystick, data glove, mouse, roller ball, touch screen, or the like. In addition, the mobile device 112 may include a parsing module 180 for receiving information in a service guide (i.e. ESG fragments) and parsing that information into the elements, sub-elements and attributes used to edit an interactive service or to provide a source template. The mobile device 112 may also include a template editor 190 for editing message templates based on the attributes or sub-elements of the ESG fragments.
Computer-executable instructions and data used by the processor 128 and other components within the mobile device 112 may be stored in a computer-readable memory 134. The memory may be implemented with any combination of read-only memory modules or random access memory modules, optionally including both volatile and nonvolatile memory, and some memory modules may be removable. Software 140 may be stored within the memory 134 and/or storage to provide instructions to the processor 128 that enable the mobile device 112 to perform various functions. Alternatively, some or all of the computer-executable instructions of the mobile device 112 may be embodied in hardware or firmware (not shown).
The mobile device 112 may be configured to receive, decode and process transmissions based on the Digital Video Broadcast (DVB) standard, such as DVB-H or DVB-MHP, through a specific DVB receiver 141. In addition, the receiver device 112 may also be configured to receive, decode and process transmissions through an FM/AM radio receiver 142, a WLAN transceiver 143 and a telecommunications transceiver 144. Furthermore, the mobile device may be configured to receive transmissions based on the Digital Audio Broadcasting (DAB) standard (not shown). In one aspect of the invention, the mobile device 112 may receive radio data system (RDS) messages.
In an example of the DVB standard, one DVB 10 Mbit/s transmission may carry 200 audio program channels of 50 kbit/s or 50 video (TV) program channels of 200 kbit/s. The mobile device 112 may be configured to receive, decode and process transmissions based on the Digital Video Broadcast-Handheld (DVB-H) standard or other DVB standards, such as DVB-MHP, DVB-Satellite (DVB-S), DVB-Terrestrial (DVB-T) or DVB-Cable (DVB-C). Similarly, other digital transmission formats may alternatively be used to deliver content and availability information for supplemental services, such as ATSC (Advanced Television Systems Committee), NTSC (National Television System Committee), ISDB-T (Integrated Services Digital Broadcasting-Terrestrial), DAB (Digital Audio Broadcasting), DMB (Digital Multimedia Broadcasting) or DIRECTV. In addition, the digital transmission may be time sliced, as in DVB-H technology. Time slicing may reduce the average power consumption of a mobile terminal and may enable smooth and seamless handover. Time slicing consists of sending data in bursts using a higher instantaneous bit rate than would be required if the data were transmitted using a conventional streaming mechanism. In this case, the mobile device 112 may have one or more buffer memories for storing the decoded time-sliced transmission before presentation.
Fig. 3 shows a system in which a user equipment (UE), such as a mobile communication device, may derive a handover decision to a target device via a corresponding evolved Node-B (eNB) or base station. As shown in the example of Fig. 3, the user equipment (UE) 301 may interact with a first base station 302 to send measurement reports to the first base station 302. A measurement report may include, for example, a nonce corresponding to the UE 301 (i.e. a parameter that may change over time and that may limit or prevent unauthorized access to data). The UE 301 may further communicate with a second base station 303. For example, the UE 301 may send a message to the second base station 303 to confirm a handover. The message confirming the handover may include various parameters.
Also, the first base station 302 may communicate with the second base station 303 during the handover procedure. For example, the first base station 302 may send a message to the second base station 303 to provide the context of the handover in an associated message. The context information may further be encrypted to prevent eavesdropping between the first base station 302 and the second base station 303. For example, the context information may be encrypted using a UE-specific protection key, which may be shared between the first base station 302, the second base station 303 and any base station listed in the context information of the UE 301. The UE-specific protection key used to encrypt the context information may be transmitted in encrypted form by a third node 304 (i.e. encrypted within the context information for the second eNB, e.g. the second base station 303). The context information may also include other key material encrypted for the second base station by the third node 304 in the network. This other key material may be used to create the encryption and integrity protection keys for the session between the UE and the second node.
Figs. 4 and 5 illustrate an example of proactive intra-radio-access handover security. In this example, the UE 301 is operably connected to a source base station (eNB1) 302. The UE 301 sends a measurement report to eNB1 302 to initiate a handover to a target device. In this example, the target device is operably connected to a target base station (eNB2) 303. The measurement report may be a signed measurement report, and it may include a nonce corresponding to the UE 301 (Nonce_UE). Nonce_UE may further be a new nonce of the UE that has not previously been used to create an encryption key.
The source base station 302 may receive the measurement report including Nonce_UE (401, step 501) and may derive a handover decision to the target base station 303 based on the received measurement report and Nonce_UE. Thus, in this example, the source base station 302 initiates the handover procedure of the UE 301 based on the measurement report from the UE 301. The source base station 302 may generate a message (e.g. a context push message) to initiate the handover procedure of the UE 301 (402, step 502). The context push message may include a session keys context (SKC) specific to the UE 301. The context push message may further include the Nonce_UE that the source base station received in the measurement report. In addition, the context push message may include an identifier of the source base station (e.g. ID_eNB1) and/or an identifier of the target base station (e.g. ID_eNB2), as well as parameters and information associated with encryption, such as a Nonce_NET generated at the source base station 302, a temporary identifier corresponding to the UE or UE_TID (UE temporary identifier) parameter, and/or other RAN context information. This information may also be included in the context push message and may provide further security for the transmitted data. For example, the UE_TID and RAN context information may be encrypted to prevent an eavesdropper from intercepting the messages communicated between the source base station 302 and the target base station 303. In one example, the UE_TID and RAN context information may be encrypted using a session keys context protection key (SPK) (i.e. SPK_UE, corresponding to the UE 301). SPK_UE may be a protection key shared among the base stations included in the SKC of the UE 301, and it may restrict which base stations are authorized to access the data. For example, each row of the SKC of the UE 301 may include SPK_UE encrypted for the relevant base station.
Also in this example, the target base station 303 may receive the context push message (402, step 502) from the source base station 302. Based on the received context push message, the target base station 303 may process the information (step 503). For example, the target base station may check whether the received message was correctly transmitted and received, or whether the destination of the received message is indeed this target base station. Verification of the correct transmission of a message may be accomplished in a number of ways. For example, the context push message may include an identification parameter, e.g. ID_eNB2, identifying the target base station that is to receive the corresponding message. Identifying the base station that is the target base station may, for example, prevent the packet from being replayed by an attacker to multiple base stations.
The target base station may further verify the row of the SKC created for the target base station in the core network (CN), in order to check the integrity protection of the context push message from the source base station. The target base station may also decrypt the corresponding SPK_UE, may create the corresponding cipher key (CK) and/or integrity key (IK) (i.e. CK_UE_eNB2 and IK_UE_eNB2 for the corresponding UE 301), and may decrypt the UE_TID (UE temporary identity), the Nonce_UE received from the source base station, Nonce_NET and the RAN context information.
Also, for the parameters of encrypted data communication, the target base station may create the cipher key (CK) and/or integrity key (IK) corresponding to the UE 301 (e.g. CK_UE_eNB2 and IK_UE_eNB2). For example, the target base station may create CK_UE_eNB2 and encrypt a radio link identifier (e.g. RLID_eNB2), a context ID (CTXID_eNB2) and/or the UE_TID corresponding to the target base station. In another example, the target base station may create CK and/or IK based on the SK_UE_eNB2 in the target base station's row of the SKC, and/or Nonce_UE, and/or Nonce_NET, and/or the UE_TID parameter. The content may thus be encrypted and signed at the target base station. For example, the signature over the encrypted content may be produced using an integrity key (e.g. IK_UE_eNB2) derived from the target base station identifier (e.g. ID_eNB2) and/or Nonce_UE and/or Nonce_NET.
The target base station may further send a message (e.g. a context acknowledgement message) to the source base station (403, step 504). The context acknowledgement message may include, for example, signed content (e.g. Sign_UE_eNB2{<content>}) and encrypted content (e.g. Encrypt_UE_eNB2{<content>}), which may include the identifiers of the source and target base stations (e.g. ID_eNB1, ID_eNB2), Nonce_UE, Nonce_NET, and a radio link identifier (RLID_eNB2) and/or context ID (CTXID_eNB2). The context acknowledgement message itself may also be signed. For example, the context acknowledgement message may be signed using an integrity key (e.g. IK_UE_CTX) that can be derived from SPK_UE.
As shown in the example of Figs. 4 and 5, the source base station may receive the context acknowledgement message from the target base station (step 504), and may further forward the content of this message in a handover command (404, step 505). The handover command message may include, for example, Nonce_NET, and may further be signed using the integrity key corresponding to the source base station (e.g. IK_UE_eNB1) and fully or partially signed using the integrity key corresponding to the target base station (IK_UE_eNB2). The UE 301 may receive the handover command message and may verify the signatures from the source base station and the target base station. Thus the UE 301 may receive parameters and data including Nonce_UE, Nonce_NET, AAA-Key, ID_eNB2 and the encrypted data corresponding to UE_TID. Based on the received data, the UE 301 may derive the integrity key (IK) and cipher key (CK) corresponding to the target base station (e.g. IK_UE_eNB2 and CK_UE_eNB2). The UE 301 may thus verify the signature from the target base station based on IK and CK, and decrypt the received RLID_eNB2 and CTXID_eNB2.
The UE 301 may send a message to the target base station to complete the handover. For example, the UE 301 may send a handover confirm message to the target base station (405, step 506). The handover confirm message may include, for example, content that has been signed and encrypted using keys shared between the UE 301 and the core network (CN) (e.g. IK_UE_CN and CK_UE_CN). The handover confirm message may also include the identification parameters of the source and target base stations (e.g. ID_eNB1 or ID_eNB2), Nonce_UE, Nonce_NET and/or UE_TID; the UE_TID may also be encrypted so that location tracking based on the UE_TID is prevented. This message content may further be signed for the source base station, so that the source base station can check that the UE 301 has successfully connected to the target base station.
The target base station may receive the handover confirm message (step 506) and may forward this message to the source base station as an acknowledgement message (e.g. a handover complete message) (406, step 507). The source base station receives the handover complete message and may verify the accuracy of the information in it, such as Nonce_UE, the base station identification information, Nonce_NET and the information derived from the UE 301.
In addition, the signed and/or encrypted information may further be forwarded to the core network (comprising the Mobility Management Entity (MME) and/or User Plane Entity (UPE)). For example, it may serve in the core network as a verification of the handover messages. In this example, the target base station may send a signed and encrypted message (e.g. a change mapping message) to the UPE (407, step 508), or may send a signed and encrypted message (e.g. a relocation indication message) to the MME (408, step 509). The change mapping message and/or relocation indication message may include the handover confirm information signed and partially encrypted for the core network. These messages may further include the UE_TID.
The target base station may receive acknowledgement messages from the UPE (409, step 510) and/or from the MME (410, step 510) in response to the change mapping message and the relocation indication message respectively. In addition, the UPE may notify the MME (411, step 511).
In this example, the UE's signature in the messages may prevent a compromised base station from spoofing a location update to the core network (CN), i.e. to the MME or UPE. Also, the signed messages prevent an attacker from injecting location update messages into the core network (CN, MME, UPE). In another example, a compromised base station cannot replay location update messages and cannot launch a DoS attack against other base stations or the core network.
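The exchange of Figs. 4 and 5 and the replay point just made can be modelled end to end. The following is an added example, not code from the patent or from Nokia: HMAC-SHA256 stands in for the key derivation, the signatures and the cipher, and the class names (SourceENB, TargetENB, UE), run_handover, the root key from which the UE derives SK_UE_eNBx, and the field sizes are all assumptions made here. It follows the steps of the text: Nonce_UE in the measurement report (step 501), a context push carrying ID_eNB1, ID_eNB2, Nonce_UE, Nonce_NET and SPK_UE-encrypted UE_TID and RAN context (step 502), the target's address, integrity and nonce checks, CK/IK derivation and signed, encrypted acknowledgement (steps 503 and 504), and the UE's verification of both signatures in the handover command (step 505). It then replays the same context push to a third base station and to the original target to show both rejections.

```python
"""Constructed model of the signed and encrypted handover exchange of Figs. 4 and 5.
HMAC-SHA256 stands in for the key derivation, signature and cipher; identifiers and
field sizes are assumptions, not the patent's or any 3GPP-specified values."""
import hashlib
import hmac
import secrets

TID_LEN, RLID_LEN = 8, 4  # assumed field sizes so decrypted fields can be split

def kdf(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over labelled fields; used for key derivation and MAC 'signatures'."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def xcrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-derived counter keystream (stand-in cipher); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = kdf(key, b"enc", nonce, i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def session_keys(sk: bytes, nonce_ue: bytes, nonce_net: bytes, ue_tid: bytes):
    """CK_UE_eNBx / IK_UE_eNBx bound to SK_UE_eNBx, both nonces and UE_TID."""
    return kdf(sk, b"CK", nonce_ue, nonce_net, ue_tid), kdf(sk, b"IK", nonce_ue, nonce_net, ue_tid)

class SourceENB:
    """eNB1: holds SPK_UE (shared by the eNBs in the SKC) and its current IK for the UE."""
    def __init__(self, ident: bytes, spk_ue: bytes, ik_ue: bytes):
        self.id, self.spk_ue, self.ik_ue = ident, spk_ue, ik_ue

    def context_push(self, nonce_ue, target_id, ue_tid, ran_ctx):
        """Step 502: IDs, Nonce_UE, fresh Nonce_NET and SPK_UE-encrypted UE_TID || RAN context."""
        nonce_net = secrets.token_bytes(16)
        body = (self.id, target_id, nonce_ue, nonce_net, xcrypt(self.spk_ue, nonce_net, ue_tid + ran_ctx))
        return body, kdf(self.spk_ue, b"push", *body)  # integrity tag over the whole push

    def handover_command(self, content, target_sig):
        """Step 505: forward the target's signed content with eNB1's own signature on top."""
        return kdf(self.ik_ue, b"cmd", *content, target_sig)

class TargetENB:
    """eNB2: holds SPK_UE and its own SKC row key SK_UE_eNB2; remembers accepted Nonce_UEs."""
    def __init__(self, ident: bytes, spk_ue: bytes, sk_ue: bytes):
        self.id, self.spk_ue, self.sk_ue, self.seen = ident, spk_ue, sk_ue, set()

    def handle_push(self, body, tag):
        """Steps 503-504: address, integrity and replay checks, then key derivation and signed ack."""
        src_id, dst_id, nonce_ue, nonce_net, enc = body
        if dst_id != self.id:
            raise ValueError("not addressed to this eNB")  # a push meant for eNB2 is useless at eNB3
        if not hmac.compare_digest(tag, kdf(self.spk_ue, b"push", *body)):
            raise ValueError("bad integrity")  # only SKC members hold SPK_UE
        if nonce_ue in self.seen:
            raise ValueError("replayed nonce")  # Nonce_UE must be new for every handover
        self.seen.add(nonce_ue)  # recorded only after the tag verified, so forgeries cannot poison the cache
        ue_tid = xcrypt(self.spk_ue, nonce_net, enc)[:TID_LEN]
        ck, ik = session_keys(self.sk_ue, nonce_ue, nonce_net, ue_tid)
        self.rlid, self.ctxid = secrets.token_bytes(RLID_LEN), secrets.token_bytes(RLID_LEN)
        content = (src_id, self.id, nonce_ue, nonce_net, xcrypt(ck, nonce_net, self.rlid + self.ctxid))
        return content, kdf(ik, b"ack", *content)  # Encrypt_UE_eNB2{RLID, CTXID}, Sign_UE_eNB2{content}

class UE:
    """UE: derives SK_UE_eNBx for any eNB from a CN-provisioned root; shares IK_UE_eNB1 with eNB1."""
    def __init__(self, root: bytes, ik_src: bytes, ue_tid: bytes):
        self.root, self.ik_src, self.ue_tid, self.pending = root, ik_src, ue_tid, None

    def measurement_report(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # Nonce_UE, fresh for each handover attempt
        return self.pending

    def handle_command(self, content, target_sig, source_sig):
        """Step 505: verify both signatures, derive CK/IK towards eNB2, recover RLID and CTXID."""
        _, target_id, nonce_ue, nonce_net, enc = content
        if nonce_ue != self.pending:
            raise ValueError("Nonce_UE does not belong to this handover")
        if not hmac.compare_digest(source_sig, kdf(self.ik_src, b"cmd", *content, target_sig)):
            raise ValueError("bad source signature")
        sk = kdf(self.root, b"SK", target_id)  # the SK_UE_eNB2 the CN placed in eNB2's SKC row
        ck, ik = session_keys(sk, nonce_ue, nonce_net, self.ue_tid)
        if not hmac.compare_digest(target_sig, kdf(ik, b"ack", *content)):
            raise ValueError("bad target signature")
        plain = xcrypt(ck, nonce_net, enc)
        return plain[:RLID_LEN], plain[RLID_LEN:]

def run_handover() -> dict:
    """Run the exchange once, then replay the same context push and record why it is rejected."""
    root, spk_ue, ik_src = (secrets.token_bytes(32) for _ in range(3))  # constructed CN provisioning
    ue = UE(root, ik_src, ue_tid=b"TID-0001")
    enb1 = SourceENB(b"eNB1", spk_ue, ik_src)
    enb2 = TargetENB(b"eNB2", spk_ue, kdf(root, b"SK", b"eNB2"))
    enb3 = TargetENB(b"eNB3", spk_ue, kdf(root, b"SK", b"eNB3"))
    nonce_ue = ue.measurement_report()  # step 501
    body, tag = enb1.context_push(nonce_ue, enb2.id, ue.ue_tid, b"ran-context")  # step 502
    content, target_sig = enb2.handle_push(body, tag)  # steps 503-504
    rlid, ctxid = ue.handle_command(content, target_sig, enb1.handover_command(content, target_sig))
    result = {"ue_rlid": rlid, "ue_ctxid": ctxid, "target_rlid": enb2.rlid, "target_ctxid": enb2.ctxid}
    for name, enb in (("other_enb", enb3), ("same_enb", enb2)):
        try:
            enb.handle_push(body, tag)
        except ValueError as err:
            result[name] = str(err)
    return result
```

Two design points carry over to any real implementation of this scheme. The target records Nonce_UE in its replay cache only after the integrity tag has verified, otherwise unauthenticated pushes could fill the cache and block a legitimate handover. And the UE accepts a handover command only when its Nonce_UE matches the report it actually sent, which is what ties the target's signature to this handover rather than to an earlier one. The `b"|".join` field encoding is adequate for a demonstration; a production encoding would length-prefix each field so that no two field sequences share a byte string.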
Fig. 6 and 7 has illustrated to have another example that the active of new round trip is switched.In this example, source base station can receive from UE 301 and comprise Nonce UEMeasurement report (601, step 701).Source base station can produce Nonce NET, and to UE 301 transmission message (for example, handoff request message), to prepare indication (602, step 702) in response to the measurement report that receives from UE 301 and/or as the switching to target BS.Handoff request can comprise the Nonce that receives from UE 301 UEAnd Nonce NETAnd handoff request can comprise identifier (for example, the ID of target BS ENB2).
UE 301 can receive handoff request (602) from source base station, and can derive the corresponding session key that is associated with UE 301 and target BS (SK for example UE_eNB2).Session key can be based on any amount of encryption association parameter, for example identifier (the ID of target BS ENB2), Nonce UEAnd/or Nonce NET, UE_TID etc.
UE 301 can send response message (for example, switching response message) (603, step 703) in response to the handoff request message from source base station.In this example, handoff response can comprise identifier information (for example, the ID of source base station ENB1), identifier information (for example, the ID of target BS ENB2), Nonce UEAnd/or Nonce NETIn addition, switching response message can be signed and/or be encrypted to small part.
Source base station can receive switching response message (step 703) from UE 301, and can give target BS (604, step 704) this forwards.For example, source base station can be given target BS (step 704) this forwards in the context PUSH message.The context PUSH message can comprise above-mentioned other parameter.
The target BS can receive the context PUSH message (604) from the source base station and process it. For example, the target BS can verify that the received message is intended for this target BS and can decrypt the SKC entry for this target BS. The target BS can also derive the cipher key (CK) and integrity key (IK) associated with UE 301. For example, CK and IK can be derived from SKP_UE (for example, CK_UE_CTX and IK_UE_CTX). The target BS can also decrypt the data received in the context PUSH message. For example, the target BS can decrypt the UE_TID, Nonce_UE, Nonce_NET and RAN context received from the source base station in the context PUSH message. In another example, the target BS can also derive CK and IK (for example, CK_UE-eNB2 and IK_UE-eNB2) from the cryptographic association parameters (for example, SK_UE-eNB2, Nonce_UE, Nonce_NET, UE_TID), can check the UE signature, can store the UE RAN context and the SKC, and can reserve the RLID and CTXID associated with the target BS (for example, RLID_eNB2, CTXID_eNB2). The target BS can send a message (for example, a context acknowledgement message) to the source base station to confirm this context (605, step 705). For example, the target BS can send a context acknowledgement message that is signed and that includes identification information (for example, ID_eNB1, ID_eNB2), Nonce_UE, Nonce_NET, and encrypted information such as UE_TID, CTXID_eNB2 and RLID_eNB2.
In this example, the source base station can further send a message to UE 301 in response to the context acknowledgement message. For example, the source base station can forward the context acknowledgement message to the UE in a handover command (606, step 706). The UE can receive the handover command and verify the signatures of the source base station and the target BS. UE 301 can also decrypt the new RLID and CTXID.
Figs. 8 and 9 illustrate another example of active handover with a pre-assigned SKC and/or RAN context. In this example, the source base station can receive from UE 301 a measurement report that includes Nonce_UE (801, step 901). In response to the measurement report received from UE 301, the source base station can generate Nonce_NET and send a message (for example, a context pre-PUSH message) to the target BS (802, step 902). Alternatively, the context pre-PUSH message can be sent independently of the measurement report from UE 301. If desired, the source base station can send one or more messages (for example, context pre-PUSH messages) to one or more base stations to prepare those base stations to receive the UE. The context pre-PUSH message can include Nonce_NET and the Nonce_UE received from UE 301, and the handover request message can include the identifier of the source base station (for example, ID_eNB1), the identifier of the target BS (for example, ID_eNBx), UE_TID and/or the RAN context. If the context pre-PUSH message does not include the identifier of the base station to which it is sent, the same message can be resent unchanged to multiple base stations.
In this example, the target BS receives the context pre-PUSH message and can verify and decrypt the SKC entry for the target BS, derive CK and IK from SKP_UE (for example, CK_UE_CTX and IK_UE_CTX), and verify the context pre-PUSH message. In addition, the target BS can decrypt UE_TID, Nonce_UE, Nonce_NET and the RAN context, and can derive the CK and IK associated with the target BS (for example, CK_UE-eNBx and IK_UE-eNBx) based on SK_UE-eNBx, Nonce_UE, Nonce_NET and UE_TID. The target BS can also store the UE RAN context and the SKC, and reserve the RLID and CTXID associated with the target BS (for example, RLID_eNBx and CTXID_eNBx). The target BS can also send a context pre-acknowledgement message to the source base station in response to the context pre-PUSH message. The context pre-acknowledgement message can be signed and partly encrypted, and can include identification information (for example, ID_eNB1, ID_eNBx), Nonce_UE, Nonce_NET, UE_TID, CTXID_eNBx, or RLID_eNBx.
The source base station can receive the context pre-acknowledgement and store the received message. The source base station can then also receive from UE 301 a measurement report that includes Nonce_UE, and in response to the measurement report can locate the stored message that corresponds to the target base station's resources. In response to receiving the measurement report, the source base station can forward the context pre-acknowledgement message to UE 301 as the handover command. UE 301 can receive the handover command and can derive SK_UE-eNBx based on cryptographic parameters, for example AAA-Key, ID_eNBx, Nonce_UE, Nonce_NET and/or UE_TID.
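The nonce-bound key derivation and the signed context acknowledgement described above, as an added worked model in Python that is not part of the patent. The patent names the inputs (AAA-Key, ID_eNBx, UE_TID, Nonce_UE, Nonce_NET) but no primitives, so the following are assumptions: HMAC-SHA256 as the KDF, a MAC under IK standing in for the message signature, the SKC entry modelled as SK_UE-eNBx derived from AAA-Key, ID_eNBx and UE_TID only, and all identifiers and keys are constructed sample values.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed inputs,
    so that differently split inputs can never produce the same key."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def derive_sk(aaa_key: bytes, id_enb: bytes, ue_tid: bytes) -> bytes:
    """SK_UE-eNBx for one base station from AAA-Key, ID_eNBx and UE_TID.
    Network side this models the SKC entry; UE side it is rederived once
    the handover command names the target (assumption, see lead-in)."""
    return kdf(aaa_key, b"SK", id_enb, ue_tid)

def derive_ck_ik(sk: bytes, nonce_ue: bytes, nonce_net: bytes, ue_tid: bytes):
    """CK and IK bound to this handover's Nonce_UE and Nonce_NET."""
    return (kdf(sk, b"CK", nonce_ue, nonce_net, ue_tid),
            kdf(sk, b"IK", nonce_ue, nonce_net, ue_tid))

def sign(ik: bytes, fields: tuple) -> bytes:
    """MAC under IK standing in for the message 'signature' (assumption)."""
    return kdf(ik, b"SIG", *fields)

def target_context_ack(sk_tgt, id_src, id_tgt, nonce_ue, nonce_net, ue_tid, ctxid, rlid):
    """Target BS: derive IK for the UE and sign the context acknowledgement
    (ID_eNB1, ID_eNBx, Nonce_UE, Nonce_NET, UE_TID, CTXID_eNBx, RLID_eNBx)."""
    _, ik = derive_ck_ik(sk_tgt, nonce_ue, nonce_net, ue_tid)
    fields = (id_src, id_tgt, nonce_ue, nonce_net, ue_tid, ctxid, rlid)
    return {"fields": fields, "sig": sign(ik, fields)}

def ue_accept_handover(aaa_key, my_nonce, ue_tid, ack):
    """UE: check that the acknowledgement answers the nonce this UE sent,
    rederive SK/IK for the named target, verify the target's signature,
    and only then adopt the new CTXID/RLID. Returns None on any failure."""
    f = ack["fields"]
    id_src, id_tgt, nonce_ue, nonce_net, tid, ctxid, rlid = f
    if not hmac.compare_digest(nonce_ue, my_nonce) or tid != ue_tid:
        return None  # stale or replayed command, not bound to this UE's nonce
    sk = derive_sk(aaa_key, id_tgt, ue_tid)
    _, ik = derive_ck_ik(sk, nonce_ue, nonce_net, ue_tid)
    if not hmac.compare_digest(sign(ik, f), ack["sig"]):
        return None  # signature does not verify under the key for id_tgt
    return {"sk": sk, "ctxid": ctxid, "rlid": rlid}

def run_handover(aaa_key=b"constructed-AAA-key", tamper=False):
    """End-to-end walk-through with constructed values; returns the UE result."""
    ue_tid, id_src, id_tgt = b"tid-42", b"eNB1", b"eNB2"
    nonce_ue, nonce_net = os.urandom(16), os.urandom(16)   # from UE and source BS
    sk_tgt = derive_sk(aaa_key, id_tgt, ue_tid)            # SKC entry for eNB2
    ack = target_context_ack(sk_tgt, id_src, id_tgt, nonce_ue, nonce_net,
                             ue_tid, b"ctx-7", b"rl-3")
    if tamper:  # a forwarding party alters the context fields in transit
        ack = {"fields": ack["fields"][:5] + (b"ctx-9", b"rl-3"), "sig": ack["sig"]}
    return ue_accept_handover(aaa_key, nonce_ue, ue_tid, ack)
```

A UE that skips the nonce check would accept a replayed acknowledgement from an earlier handover; the check is what ties the command to the measurement report this UE actually sent.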
The present invention includes any novel feature or combination of features disclosed herein, either explicitly or in any generalization thereof. Although the present invention has been described with reference to specific examples, including the best mode for carrying out the invention, those skilled in the art will recognize that many variations and modifications of the systems and techniques described above are possible. Accordingly, the spirit and scope of the present invention should be construed broadly as set forth in the appended claims.

Claims (30)

1. A method comprising:
sending, to a source base station, a measurement report associated with a mobile communication device, the measurement report including a first cryptographic parameter;
receiving a handover command from the source base station, the handover command including a second cryptographic parameter corresponding to a target base station; and
sending handover confirmation information to the target base station, the handover confirmation information including identification information corresponding to at least one of the source base station and the target base station.
2. The method of claim 1, wherein the measurement report includes a Nonce associated with the mobile communication device.
3. The method of claim 1, wherein the measurement report is configured to cause the source base station to send a context PUSH message to the target base station.
4. The method of claim 3, wherein the context PUSH message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session key context SKC, a Nonce associated with the mobile communication device, a Nonce associated with the network, or a network context.
5. The method of claim 1, further comprising receiving content of a context acknowledgement message from the source base station.
6. The method of claim 5, wherein the mobile communication device determines a session key in response to receiving the content of the context acknowledgement message.
7. The method of claim 6, wherein the handover confirmation information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with the network.
8. A computer-readable medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
sending, to a source base station, a measurement report associated with a mobile communication device, the measurement report including a first cryptographic parameter;
receiving a handover command from the source base station, the handover command including a second cryptographic parameter corresponding to a target base station; and
sending handover confirmation information to the target base station, the handover confirmation information including identification information corresponding to at least one of the source base station or the target base station.
9. The computer-readable storage medium of claim 8, wherein the measurement report includes a Nonce associated with the mobile communication device.
10. The computer-readable storage medium of claim 8, wherein the measurement report is configured to cause the source base station to send a context PUSH message to the target base station.
11. The computer-readable storage medium of claim 10, wherein the context PUSH message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session key context SKC, a Nonce associated with the mobile communication device, a Nonce associated with the network, or a network context.
12. The computer-readable storage medium of claim 8, further comprising instructions for receiving content of a context acknowledgement message from the source base station.
13. The computer-readable storage medium of claim 12, wherein the mobile communication device determines a session key in response to receiving the content of the context acknowledgement message.
14. The computer-readable storage medium of claim 13, wherein the handover confirmation information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with the network.
15. An apparatus comprising:
a processor; and
a memory storing computer-executable instructions that, when executed by the processor, direct the apparatus to perform a method comprising:
sending a measurement report to a source base station, the measurement report including a first cryptographic parameter;
receiving a handover command from the source base station, the handover command including a second cryptographic parameter corresponding to a target base station; and
sending handover confirmation information to the target base station, the handover confirmation information including identification information corresponding to at least one of the source base station or the target base station.
16. The apparatus of claim 15, wherein the apparatus comprises a mobile communication device.
17. The apparatus of claim 15, wherein the memory further stores instructions for receiving content of a context acknowledgement message from the source base station.
18. The apparatus of claim 15, wherein the handover confirmation information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with the network.
19. A computer-readable medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
receiving, at a source base station, a measurement report associated with a mobile communication device, the measurement report including a cryptographic parameter;
sending a context PUSH message to a target base station, the context PUSH message being configured to initiate a handover of the mobile communication device;
receiving a context acknowledgement message from the target base station;
sending a handover command to the mobile communication device; and
upon completion of the handover of the mobile communication device from the source base station to the target base station, receiving a handover complete message from the target base station.
20. The computer-readable storage medium of claim 19, further comprising instructions for sending a change mapping message to a core network comprising at least one of a Mobility Management Entity MME and a User Plane Entity UPE.
21. The computer-readable storage medium of claim 19, further comprising instructions for sending a relocation indication message to a Mobility Management Entity MME of the core network.
22. The computer-readable storage medium of claim 19, wherein the context PUSH message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session key context SKC, a Nonce associated with the mobile communication device, a Nonce associated with the network, or a network context.
23. The computer-readable storage medium of claim 19, wherein the measurement report includes a Nonce associated with the mobile communication device.
24. The computer-readable storage medium of claim 19, wherein the handover command includes a second cryptographic parameter identifying the target base station.
25. The computer-readable storage medium of claim 19, wherein the context acknowledgement message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a Nonce associated with the mobile communication device, a Nonce associated with the network, a radio link ID associated with the target base station, or a context ID associated with the target base station.
26. The computer-readable storage medium of claim 19, wherein the context acknowledgement message is signed by the target base station using an integrity key.
27. The computer-readable storage medium of claim 26, wherein the integrity key is derived from an SKC protection key SPK associated with the mobile communication device.
28. The computer-readable storage medium of claim 19, wherein the context PUSH message includes a network context.
29. An apparatus comprising:
means for sending a measurement report to a source base station, the measurement report including a first cryptographic parameter;
means for receiving a handover command from the source base station, the handover command including a second cryptographic parameter corresponding to a target base station; and
means for sending handover confirmation information to the target base station, the handover confirmation information including identification information corresponding to at least one of the source base station or the target base station.
30. The apparatus of claim 29, wherein the measurement report includes a Nonce associated with the mobile communication device.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US75579306P 2006-01-04 2006-01-04
US60/755,793 2006-01-04
US11/616,337 2006-12-27

Publications (1)

Publication Number Publication Date
CN101336554A true CN101336554A (en) 2008-12-31

Family

ID=40198346

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006800517083A Pending CN101336554A (en) 2006-01-04 2006-12-28 Secure distributed handover signaling

Country Status (1)

Country Link
CN (1) CN101336554A (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20081231