CN101336554A - Secure distributed handover signaling - Google Patents
Publication number: CN101336554A
Authority: CN (China)
Prior art keywords: base station, target, source base, nonce, context
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/12—Detection or prevention of fraud > H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] > H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic > H04L63/1458—Denial of Service
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W36/00—Hand-off or reselection arrangements > H04W36/0005—Control or signalling for completing the hand-off > H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection > H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information > H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
Abstract
The invention provides apparatuses and methods for providing security measures for a handover execution procedure in a communication network. In one example, the handover procedure is initiated by more than one base station. In another example, a base station is prevented from launching a Denial of Service (DoS) attack against other base stations or against a core network using handover signaling messages. For example, a user device may send at least one encryption parameter, such as a Nonce associated with the user device, to a source base station. Handover of the user device from the source base station to a target base station may then be performed on the basis of that encryption parameter so as to avoid the DoS attack.
Description
Cross-reference to related application
This application claims the benefit of U.S. Provisional Application No. 60/755,793, filed January 4, 2006, which is incorporated herein by reference.
Technical field
The present invention relates generally to communication networks. In particular, the invention provides security measures in a communication network.
Background
Communication networks play a critical role in information exchange. For example, networks used for the delivery of mobile media content provide a scalable way to stream media to a large number of customers. As network infrastructure becomes more widely available, enhanced media services and communication become possible.
In a typical network, a customer connects to a network service, and when the customer wants that service it should be available. In many cases, however, the security of the system is violated and a user or organization may be denied the service it expects. For example, a denial of service (DoS) attack may interrupt service provision or even destroy programs or files that the system requires. Such DoS attacks can be costly in terms of both time and money.
In a typical DoS attack, users are denied access to the resources they want. There are many types of DoS attack, but most share a common goal: depriving the victim of the services and resources it expects to access. Such attacks can cause a loss of productivity and resources. There is therefore a need for a method and system for preventing attacks on a communication system, in order to maintain the integrity of the communication system and/or to ensure correct data exchange within the communication network.
Summary of the invention
The following summary is provided to give a basic understanding of some aspects of the invention. It is not an extensive overview of the invention, and it is intended neither to identify key or critical elements of the invention nor to delineate its scope. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that follows.
In one example of the invention, a method is provided for a secure handover procedure of a mobile communication device. In one example, a measurement report that includes a Nonce associated with the mobile communication device is sent to a source base station. The source base station and a target base station may then exchange context information.
In another example, the mobile communication device may confirm the handover with the target base station. In another example, the target base station may forward signed and partly encrypted content to the core network, to be used for verification of the handover message.
Brief description of the drawings
A more complete understanding of the present invention and its advantages may be obtained by reference to the following description taken together with the accompanying drawings, in which like reference numerals indicate like features, and in which:
Fig. 1 is a block diagram of a wireless communication system in which various aspects of the invention may be implemented;
Fig. 2 is a block diagram of a mobile terminal according to an aspect of the invention;
Fig. 3 shows a system according to an aspect of the invention in which a handover decision to a target device may be derived via a corresponding evolved Node-B (eNB) or base station;
Fig. 4 is a block diagram, according to an aspect of the invention, showing an example of active intra-radio-access handover security;
Fig. 5 is a flow chart, according to an aspect of the invention, showing the example of active intra-radio-access handover security of Fig. 4;
Fig. 6 is a diagram, according to an aspect of the invention, showing an example of active secure handover with a new round trip;
Fig. 7 is a flow chart, according to an aspect of the invention, showing the example of active secure handover with a new round trip of Fig. 6;
Fig. 8 is a block diagram, according to an aspect of the invention, showing an example of active handover with a pre-assigned SKC; and
Fig. 9 is a flow chart, according to an aspect of the invention, showing the example of active handover with a pre-assigned SKC of Fig. 8.
Detailed description
In the following description of the various embodiments, reference is made to the accompanying drawings, which form a part hereof and in which are shown, by way of illustration, various embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and that structural and functional modifications may be made without departing from the spirit and scope of the invention.
The invention may be used in a large number of networks and communication protocols. Fig. 1 illustrates an example of a wireless communication system 110 in which the systems and methods of the invention may be employed. One or more network-enabled mobile devices 112, for example a personal digital assistant (PDA), cellular telephone, mobile terminal, personal video recorder, mobile television, personal computer, digital camera, digital camcorder, portable audio device, portable radio, or a combination of these, communicate with a service source 122 through a radio network 114 and/or a cellular network 116. Although mobile devices are described here, the invention is by no means limited to them. For example, aspects of the invention may be provided in stationary equipment. In the case of stationary equipment, a return channel for contacting the service-providing entity may also be provided. The mobile terminal/device 112 may include a digital broadcast receiver. The service source 122 may be connected to several service providers, each of which may provide the service source with information about, or a description of, its actual program content or its services and programs; the service source in turn provides the content or information to the mobile device 112. The several service providers may include, but are not limited to, one or more television and/or digital television service providers, AM/FM radio service providers, SMS/MMS push service providers, and Internet content or access providers.
In one aspect of the invention, the mobile device 112 may include a wireless interface configured to send and/or receive digital wireless communications within the cellular network 116. The information received by the mobile device 112 through the cellular network 116 or the radio network 114 may include user selections, applications, services, electronic images, audio clips, video clips, and/or WTAI (Wireless Telephone Application Interface) messages. As part of the cellular network 116, one or more base stations (not shown) may support digital communication with the receiver device 112 while the receiver device is located within the coverage area of the cellular network 116.
As shown in Fig. 2, the mobile device 112 may include a processor 128, memory 134 and/or other storage, and a display 136 connected to a user interface 130. The mobile device 112 may also include a battery 150, a loudspeaker 152 and an antenna 154. The user interface 130 may further include a keypad, touch screen, voice interface, four-way navigation key, joystick, data glove, mouse, roller ball, and the like. In addition, the mobile device 112 may include an analysis module 180 for receiving information in a service guide (that is, ESG fragments) and analyzing that information so as to edit, interactively provide, or provide a source template for the elements, sub-elements and attributes of a service. The mobile device 112 may also include a template editor 190 for editing message templates based on the attributes or sub-elements of ESG fragments.
Computer-executable instructions and data used by the processor 128 and other components of the mobile device 112 may be stored in the computer-readable memory 134. The memory may be implemented as any combination of read-only memory modules or random access memory modules, optionally including both volatile and non-volatile memory, and some memory modules may be removable. Software 140 may be stored in the memory 134 and/or a storage device to provide instructions to the processor 128 that enable the mobile device 112 to perform various functions. Alternatively, some or all of the computer-executable instructions of the mobile device 112 may be embodied in hardware or firmware (not shown).
In one example of the DVB standard, a 10 Mbit/s DVB transmission may carry 200 audio program channels of 50 kbit/s or 50 video (TV) program channels of 200 kbit/s. The mobile device 112 may be configured to receive, decode and process transmissions based on the Digital Video Broadcasting - Handheld (DVB-H) standard or other DVB standards, for example DVB-MHP, DVB-Satellite (DVB-S), DVB-Terrestrial (DVB-T) or DVB-Cable (DVB-C). Similarly, other digital transmission formats may alternatively be used to deliver the content and availability information of supplemental services, for example ATSC (Advanced Television Systems Committee), NTSC (National Television System Committee), ISDB-T (Integrated Services Digital Broadcasting - Terrestrial), DAB (Digital Audio Broadcasting), DMB (Digital Multimedia Broadcasting) or DIRECTV. Further, the digital transmission may be time-sliced, as in DVB-H technology. Time slicing may reduce the average power consumption of a mobile terminal and may enable smooth and seamless handover. Time slicing entails sending data in bursts using a higher instantaneous bit rate than would be required if the data were transmitted using conventional streaming mechanisms. In this case the mobile device 112 may have one or more buffer memories for storing the decoded time-sliced transmission before presenting it.
Fig. 3 shows a system in which a user equipment (UE), for example a mobile communication device, may derive a handover decision to a target device via a corresponding evolved Node-B (eNB) or base station. In the example of Fig. 3, a user equipment (UE) 301 may interact with a first base station 302 to send measurement reports to the first base station 302. A measurement report may include, for example, a nonce corresponding to the UE 301 (that is, a parameter that changes over time and that may limit or prevent unauthorized access to data). The UE 301 may further communicate with a second base station 303. For example, the UE 301 may send a message to the second base station 303 to confirm the handover. The message used to confirm the handover may include various parameters.
The first base station 302 and the second base station 303 may also communicate with each other during the handover procedure. For example, the first base station 302 may send a message to the second base station 303 providing the context for the handover in an associated message. The context information may further be encrypted to prevent eavesdropping between the first base station 302 and the second base station 303. For example, the context information may be encrypted using a UE-specific protection key, which may be shared among any of the base stations listed in the context information of the first base station 302, the second base station 303 and the UE 301. The UE-specific protection key used to encrypt the context information may itself be transmitted in encrypted form within the context information by a third node 304 (that is, encrypted for the second eNB, for example the second base station 303). The context information may also include other key material encrypted by the third node 304 in the network for the second base station. This other key material may be used to create encryption and integrity protection keys for the session between the UE and the second node.
Figs. 4 and 5 illustrate an example of active intra-radio-access handover security. In this example, the UE 301 is operatively connected to a source base station (eNB1) 302. The UE 301 sends a measurement report to eNB1 302 to initiate a handover to a target device. In this example, the target device is operatively connected to a target base station (eNB2) 303. The measurement report may be a signed measurement report and may include a nonce corresponding to the UE 301 (Nonce_UE). Nonce_UE may further be a new nonce that has not previously been used to create an encryption key.
The source base station 302 may receive the measurement report containing Nonce_UE (401, step 501) and may derive a handover decision to the target base station 303 based on the received measurement report and Nonce_UE. Thus, in this example, the source base station 302 initiates the handover procedure for the UE 301 based on the measurement report from the UE 301. The source base station 302 may generate a message (for example, a context push message) to initiate the handover procedure for the UE 301 (402, step 502). The context push message may include a session keys context (SKC) specific to the UE 301. The context push message may further include the Nonce_UE that the source base station received in the measurement report. In addition, the context push message may include an identifier of the source base station (for example ID_eNB1) and/or an identifier of the target base station (for example ID_eNB2), as well as parameters and information associated with encryption, for example a Nonce_NET generated at the source base station 302, a temporary identifier or UE_TID (UE temporary identifier) parameter corresponding to the UE, and/or other RAN context information. This information may also be included in the context push message to provide further security for the transmitted data. For example, the UE_TID and RAN context information may be encrypted to prevent an eavesdropper from reading the messages exchanged between the source base station 302 and the target base station 303. In one example, the UE_TID and RAN context information may be encrypted using a session keys context protection key (SPK) corresponding to the UE 301 (that is, SPK_UE). SPK_UE may be a protection key shared among the base stations included in the SKC of the UE 301, and may restrict which base stations are authorized to access the data. For example, each row of the SKC of the UE 301 may include SPK_UE encrypted for the relevant base station.
In this example, the target base station 303 may receive the context push message (402, step 502) from the source base station 302. Based on the received context push message, the target base station 303 may process the information (step 503). For example, the target base station may check whether the received message was correctly sent and received, or whether the destination of the received message really is this target base station. Verification of correct transmission of the message may be done in a number of ways. For example, the context push message may include an identification parameter, for example ID_eNB2, identifying the target base station that is to receive the corresponding message. Identifying the target base station in this way may, for example, prevent an attacker from replaying the packet to multiple base stations.
The target base station may further verify the row of the SKC created for the target base station in the core network (CN), so as to check the integrity protection of the context push message from the source base station. The target base station may also decrypt the corresponding SPK_UE, may create the corresponding cipher key (CK) and/or integrity key (IK) for the UE 301 (that is, CK_UE_eNB2 and IK_UE_eNB2), and may decrypt the UE_TID (UE temporary identity), the Nonce_UE and Nonce_NET received from the source base station, and the RAN context information.
Further, for the parameters of the encrypted data communication, the target base station may create a cipher key (CK) and/or integrity key (IK) corresponding to the UE 301 (for example CK_UE_eNB2 and IK_UE_eNB2). For example, the target base station may create CK_UE_eNB2 and encrypt the radio link identifier (for example RLID_eNB2), the context ID (CTXID_eNB2) and/or the UE_TID corresponding to the target base station. In another example, the target base station may create CK and/or IK based on the SK_UE_eNB2 in the target base station's row of the SKC, and/or Nonce_UE, and/or Nonce_NET, and/or the UE_TID parameter. The content may therefore be encrypted and signed at the target base station. For example, the signature over the encrypted content may be produced using an integrity key (for example IK_UE_eNB2) derived from the target base station identifier (for example ID_eNB2) and/or Nonce_UE and/or Nonce_NET.
The target base station may further send a message (for example, a context acknowledgement message) to the source base station (403, step 504). The context acknowledgement message may include, for example, signed content (for example Sign_UE_eNB2{<content>}) and encrypted content (for example Encrypt_UE_eNB2{<content>}), which may include the identifiers of the source and target base stations (for example ID_eNB1, ID_eNB2), Nonce_UE, Nonce_NET, and the radio link identifier (RLID_eNB2) and/or context ID (CTXID_eNB2). The context acknowledgement message may also be signed. For example, the context acknowledgement message may be signed using an integrity key (for example IK_UE_CTX) that may be derived from SPK_UE.
As shown in the example of Figs. 4 and 5, the source base station may receive the context acknowledgement message from the target base station (step 504) and may further forward the content of that message in a handover command (404, step 505). The handover command message may include, for example, Nonce_NET, and may further be fully or partly signed using an integrity key corresponding to the source base station (for example IK_UE_eNB1) and an integrity key corresponding to the target base station (IK_UE_eNB2). The UE 301 may receive the handover command message and may verify the signatures of the source base station and the target base station. The UE 301 thereby receives parameters and data that include Nonce_UE, Nonce_NET, AAA-Key, ID_eNB2 and encrypted data corresponding to the UE_TID. Based on the received data, the UE 301 may derive the integrity key (IK) and cipher key (CK) corresponding to the target base station (for example IK_UE_eNB2 and CK_UE_eNB2). The UE 301 may therefore verify the signature from the target base station based on IK and CK, and may decrypt the received RLID_eNB2 and CTXID_eNB2.
The UE 301 may send a message to the target base station to complete the handover. For example, the UE 301 may send a handover confirm message to the target base station (405, step 506). The handover confirm message may include, for example, content that has been signed and encrypted using keys shared between the UE 301 and the core network (CN) (for example IK_UE_CN and CK_UE_CN). The handover confirm message may also include the identification parameters of the source and target base stations (for example ID_eNB1 or ID_eNB2), Nonce_UE, Nonce_NET and/or the UE_TID; the UE_TID may also be encrypted so as to prevent location tracking based on the UE_TID. The message content may further be signed for the source base station, so that the source base station can check that the UE 301 has successfully connected to the target base station.
The target base station may receive the handover confirm message (step 506) and may forward this message to the source base station as an acknowledgement message (for example, a handover complete message) (406, step 507). The source base station receives the handover complete message and may verify the accuracy of the information in it, for example Nonce_UE, the identification information of the base stations, the Nonce_NET information and the information originating from the UE 301.
In addition, the signed and/or encrypted information may further be forwarded to the core network (comprising a Mobility Management Entity (MME) and/or a User Plane Entity (UPE)). For example, it may serve in the core network as a message for verifying the handover messages. In this example, the target base station may send a signed and encrypted message (for example, a change mapping message) to the UPE (407, step 508), or may send a signed and encrypted message (for example, a relocation indication message) to the MME (408, step 509). The change mapping message and/or the relocation indication message may include the handover confirm message, signed and partly encrypted for the core network. These messages may further include the UE_TID.
The target base station may receive acknowledgement messages from the UPE (409, step 510) and/or from the MME (410, step 510) in response to the change mapping message and the relocation indication message respectively. In addition, the UPE may notify the MME (411, step 511).
In this example, the UE's signature in the message may prevent a hijacked base station from spoofing location updates towards the core network (CN), down to the MME or UPE. The signed message also prevents an attacker from injecting location update messages into the core network (CN, MME, UPE). In another example, a hijacked base station cannot replay location update messages and cannot launch a DoS attack against other base stations or the core network.
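The Fig. 4/5 exchange above, modelled as a short Python simulation; this is an added illustration and not code from the patent. kdf() and tag() are HMAC-SHA256 stand-ins for the derivation and signature primitives the text leaves unspecified, context encryption is omitted, the source base station's IK_UE_eNB1 is assumed to be derived the same way as the target's, and the core network's nonce-freshness check is an assumed implementation of the replay protection the text describes; the identifiers eNB1, eNB2 and tid-42 are constructed.

```python
import hashlib
import hmac
import os

HO_FIELDS = ("id_src", "id_tgt", "nonce_ue", "nonce_net")   # what each base station signs
CONFIRM_FIELDS = HO_FIELDS + ("ue_tid",)                     # what the UE signs for the core


def kdf(secret: bytes, *labels: bytes) -> bytes:
    """Derive a per-handover key from a session key and the bound parameters (stand-in KDF)."""
    return hmac.new(secret, b"|".join(labels), hashlib.sha256).digest()


def tag(key: bytes, msg: dict, fields) -> bytes:
    """Integrity tag over the named message fields (stand-in for Sign{<content>})."""
    return hmac.new(key, b"|".join(msg[f] for f in fields), hashlib.sha256).digest()


class CoreNetwork:
    """MME/UPE: holds IK_UE_CN and the UE's session-key context (SKC)."""
    def __init__(self, ue_tid: bytes, enb_ids):
        self.ue_tid = ue_tid
        self.ik_ue_cn = os.urandom(32)                   # shared only with the UE
        self.skc = {i: os.urandom(32) for i in enb_ids}  # one SK_UE_eNBx row per base station
        self.seen = set()                                # (UE_TID, Nonce_UE, Nonce_NET) already accepted

    def verify_relocation(self, msg: dict) -> bool:
        """Relocation indication (step 509): UE signature first, then nonce freshness."""
        if not hmac.compare_digest(tag(self.ik_ue_cn, msg, CONFIRM_FIELDS), msg["sig_ue"]):
            return False                                 # forged or altered by a base station
        key = (msg["ue_tid"], msg["nonce_ue"], msg["nonce_net"])
        if key in self.seen:
            return False                                 # replayed confirm: treated as a DoS attempt
        self.seen.add(key)
        return True


class BaseStation:
    def __init__(self, enb_id: bytes, cn: CoreNetwork):
        self.enb_id, self.cn, self.sk = enb_id, cn, cn.skc[enb_id]   # own row of the SKC

    def context_push(self, tgt_id: bytes, nonce_ue: bytes) -> dict:
        """Source (step 502): bind the push to both identities and both nonces."""
        return {"id_src": self.enb_id, "id_tgt": tgt_id, "nonce_ue": nonce_ue,
                "nonce_net": os.urandom(16), "ue_tid": self.cn.ue_tid}

    def context_ack(self, push: dict) -> dict:
        """Target (steps 503-504): reject pushes not addressed to us, derive IK, sign."""
        if push["id_tgt"] != self.enb_id:
            raise ValueError("context push not destined for this base station")
        ik = kdf(self.sk, push["nonce_ue"], push["nonce_net"], push["ue_tid"])
        return dict(push, sig_tgt=tag(ik, push, HO_FIELDS))

    def handover_command(self, ack: dict) -> dict:
        """Source (step 505): forward the ack and add its own signature (assumed IK_UE_eNB1)."""
        ik = kdf(self.sk, ack["nonce_ue"], ack["nonce_net"], ack["ue_tid"])
        return dict(ack, sig_src=tag(ik, ack, HO_FIELDS))


class UE:
    def __init__(self, cn: CoreNetwork):
        self.ik_cn, self.skc, self.nonce_ue = cn.ik_ue_cn, dict(cn.skc), None

    def measurement_report(self) -> bytes:
        """Step 501: a fresh Nonce_UE that has never been used for key creation."""
        self.nonce_ue = os.urandom(16)
        return self.nonce_ue

    def handover_confirm(self, cmd: dict) -> dict:
        """Step 506: verify both base-station signatures, then sign with IK_UE_CN."""
        if cmd["nonce_ue"] != self.nonce_ue:
            raise ValueError("handover command does not echo our nonce")
        for sig, enb in (("sig_src", cmd["id_src"]), ("sig_tgt", cmd["id_tgt"])):
            ik = kdf(self.skc[enb], cmd["nonce_ue"], cmd["nonce_net"], cmd["ue_tid"])
            if not hmac.compare_digest(tag(ik, cmd, HO_FIELDS), cmd[sig]):
                raise ValueError(f"bad {sig} on handover command")
        confirm = {k: cmd[k] for k in CONFIRM_FIELDS}
        confirm["sig_ue"] = tag(self.ik_cn, confirm, CONFIRM_FIELDS)
        return confirm


def demo() -> dict:
    """One handover, then a misdirected push, a replay and a forgery as the defenders see them."""
    cn = CoreNetwork(b"tid-42", [b"eNB1", b"eNB2"])           # constructed identifiers
    ue, src, tgt = UE(cn), BaseStation(b"eNB1", cn), BaseStation(b"eNB2", cn)
    push = src.context_push(tgt.enb_id, ue.measurement_report())
    try:
        src.context_ack(push)                                  # push delivered to a different eNB
        misdirected = True
    except ValueError:
        misdirected = False
    confirm = ue.handover_confirm(src.handover_command(tgt.context_ack(push)))
    accepted = cn.verify_relocation(confirm)                   # genuine relocation indication
    replayed = cn.verify_relocation(confirm)                   # same confirm forwarded again
    forged = cn.verify_relocation(dict(confirm, sig_ue=tag(tgt.sk, confirm, CONFIRM_FIELDS)))
    return {"accepted": accepted, "misdirected": misdirected,
            "replayed": replayed, "forged": forged}
```

The forged case shows why the confirm is signed with a key the base stations never hold: even the legitimate target base station cannot mint a location update the MME will accept.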
Figs. 6 and 7 illustrate another example, an active handover with a new round trip. In this example, the source base station may receive a measurement report containing Nonce_UE from the UE 301 (601, step 701). The source base station may generate Nonce_NET and may send a message (for example, a handover request message) to the UE 301, in response to the measurement report received from the UE 301 and/or as an indication that a handover to the target base station is being prepared (602, step 702). The handover request may include the Nonce_UE received from the UE 301 and Nonce_NET, and the handover request may include an identifier of the target base station (for example ID_eNB2).
The UE 301 may receive the handover request (602) from the source base station and may derive the corresponding session key associated with the UE 301 and the target base station (for example SK_UE_eNB2). The session key may be based on any number of encryption-related parameters, for example the target base station identifier (ID_eNB2), Nonce_UE and/or Nonce_NET, UE_TID, and so on.
The UE 301 may send a response message (for example, a handover response message) in response to the handover request message from the source base station (603, step 703). In this example, the handover response may include identifier information of the source base station (for example ID_eNB1), identifier information of the target base station (for example ID_eNB2), Nonce_UE and/or Nonce_NET. In addition, the handover response message may be signed and/or at least partly encrypted.
The source base station may receive the handover response message from the UE 301 (step 703) and may forward this message to the target base station (604, step 704). For example, the source base station may forward the message to the target base station in a context push message (step 704). The context push message may include the other parameters described above.
The target base station may receive the context push message (604) from the source base station and may process the message. For example, the target base station may verify whether the received message was intended for this target base station and may decrypt the SKC entry relating to this target base station. The target base station may also derive the cipher key (CK) and integrity key (IK) associated with the UE 301. For example, CK and IK (for example CK_UE_CTX and IK_UE_CTX) may be derived from SPK_UE. The target base station may also decrypt the data received in the context push message. For example, the target base station may decrypt the UE_TID, Nonce_UE, Nonce_NET and RAN context received from the source base station in the context push message. In another example, the target base station may further obtain CK and IK (for example CK_UE_eNB2 and IK_UE_eNB2) based on encryption-related parameters (for example SK_UE_eNB2, Nonce_UE, Nonce_NET, UE_TID), may check the UE signature, may store the UE RAN context and the SKC, and may reserve the RLID and CTXID associated with the target base station (for example RLID_eNB2, CTXID_eNB2). The target base station may send a message (for example, a context acknowledgement message) to the source base station to confirm the context (605, step 705). For example, the target base station may send a context acknowledgement message that may be signed and may include identification information (for example ID_eNB1, ID_eNB2), Nonce_UE, Nonce_NET, and encrypted information such as UE_TID, CTXID_eNB2 and RLID_eNB2.
In this example, the source base station may further send a message to the UE 301 in response to the context acknowledgement message. For example, the source base station may forward the context acknowledgement message to the UE in a handover command (606, step 706). The UE may receive the handover command and may verify the signatures of the source base station and the target base station. The UE 301 may also decrypt the new RLID and CTXID.
Figs. 8 and 9 illustrate another example, an active handover with a pre-assigned SKC and/or RAN context. In this example, the source base station may receive a measurement report containing Nonce_UE from the UE 301 (801, step 901). In response to the measurement report received from the UE 301, the source base station may generate Nonce_NET and send a message (for example, a context pre-push message) to the target base station (802, step 902). Alternatively, the context pre-push message may be independent of the measurement report from the UE 301. If desired, the source base station may send one or more messages (for example, context pre-push messages) to one or more base stations, in order to prepare those base stations to receive the UE. The context pre-push message may include Nonce_NET and the Nonce_UE received from the UE 301, and the handover request message may include an identifier of the source base station (for example ID_eNB1), an identifier of the target base station (for example ID_eNBx), the UE_TID and/or the RAN context. If the context pre-push message does not include the identifier of the base station to which it is addressed, the same message may be resent unchanged to multiple base stations.
In this example, the target base station receives the context pre-push message and may verify and decrypt the SKC entry relating to the target base station, derive CK and IK from SPK_UE (for example CK_UE_CTX and IK_UE_CTX) and verify the context pre-push message. In addition, the target base station may decrypt the UE_TID, Nonce_UE, Nonce_NET and RAN context, and may derive the CK and IK associated with the target base station (for example CK_UE_eNBx and IK_UE_eNBx) based on SK_UE_eNBx, Nonce_UE, Nonce_NET and UE_TID. The target base station may also store the UE RAN context and the SKC, and reserve the RLID and CTXID associated with the target base station (for example RLID_eNBx and CTXID_eNBx). The target base station may further send a context pre-acknowledgement message to the source base station in response to the context pre-push message. The context pre-acknowledgement message may be signed and may be partly encrypted, and may include identification information (for example ID_eNB1, ID_eNBx), Nonce_UE, Nonce_NET, UE_TID, CTXID_eNBx or RLID_eNBx.
The source base station may receive the context pre-acknowledgement and may store the received message. The source base station may then also receive a measurement report containing Nonce_UE from the UE 301, and in response to the measurement report may locate the stored message corresponding to the target base station's resource message. In response to receiving the measurement report, the source base station may forward the context pre-acknowledgement message to the UE 301 as a handover command. The UE 301 may receive the handover command and may derive SK_UE_eNBx based on encryption parameters, for example AAA-Key, ID_eNBx, Nonce_UE, Nonce_NET and/or UE_TID.
The present invention includes any novel feature or combination of features disclosed herein, either explicitly or in any generalization thereof. Although the invention has been described with reference to specific examples, including the best mode presently contemplated for carrying it out, those skilled in the art will recognize that many variations and modifications of the systems and techniques described above are possible. Accordingly, the spirit and scope of the invention should be construed broadly as set forth in the appended claims.
Claims (30)
1. A method, comprising:
sending a measurement report associated with a mobile communication device to a source base station, the measurement report including a first encryption parameter;
receiving a handover command from the source base station, the handover command including a second encryption parameter corresponding to a target base station; and
sending handover authentication information to the target base station, the handover authentication information including identification information corresponding to at least one of the source base station and the target base station.
2. The method of claim 1, wherein the measurement report includes a Nonce associated with the mobile communication device.
3. The method of claim 1, wherein the measurement report is configured to cause the source base station to send a context push message to the target base station.
4. The method of claim 3, wherein the context push message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session keys context SKC, a Nonce associated with the mobile communication device, a Nonce associated with a network, or a network context.
5. The method of claim 1, further comprising receiving the content of a context acknowledgement message from the source base station.
6. The method of claim 5, wherein the mobile communication device determines a session key in response to receiving the content of the context acknowledgement message.
7. The method of claim 6, wherein the handover authentication information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with a network.
8. A computer-readable medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
sending a measurement report associated with a mobile communication device to a source base station, the measurement report including a first encryption parameter;
receiving a handover command from the source base station, the handover command including a second encryption parameter corresponding to a target base station; and
sending handover authentication information to the target base station, the handover authentication information including identification information corresponding to at least one of the source base station or the target base station.
9. The computer-readable storage medium of claim 8, wherein the measurement report includes a Nonce associated with the mobile communication device.
10. The computer-readable storage medium of claim 8, wherein the measurement report is configured to cause the source base station to send a context push message to the target base station.
11. The computer-readable storage medium of claim 10, wherein the context push message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session keys context SKC, a Nonce associated with the mobile communication device, a Nonce associated with a network, or a network context.
12. The computer-readable storage medium of claim 8, further comprising instructions for receiving the content of a context acknowledgement message from the source base station.
13. The computer-readable storage medium of claim 12, wherein the mobile communication device determines a session key in response to receiving the content of the context acknowledgement message.
14. The computer-readable storage medium of claim 13, wherein the handover authentication information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with a network.
15. An apparatus, comprising:
a processor; and
a memory storing computer-executable instructions that, when executed by the processor, direct the apparatus to perform a method comprising:
sending a measurement report to a source base station, the measurement report including a first encryption parameter;
receiving a handover command from the source base station, the handover command including a second encryption parameter corresponding to a target base station; and
sending handover authentication information to the target base station, the handover authentication information including identification information corresponding to at least one of the source base station or the target base station.
16. The apparatus of claim 15, wherein the apparatus comprises a mobile communication device.
17. The apparatus of claim 15, wherein the memory further stores instructions for receiving the content of a context acknowledgement message from the source base station.
18. The apparatus of claim 15, wherein the handover authentication information further includes at least one of: a Nonce associated with the mobile communication device and a Nonce associated with a network.
19. A computer-readable medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
receiving, at a source base station, a measurement report associated with a mobile communication device, the measurement report including an encryption parameter;
sending a context push message to a target base station, the context push message being configured to initiate a handover of the mobile communication device;
receiving a context acknowledgement message from the target base station;
sending a handover command to the mobile communication device; and
upon completion of the handover of the mobile communication device from the source base station to the target base station, receiving a handover complete message from the target base station.
20. The computer-readable storage medium of claim 19, further comprising instructions for sending a change mapping message to a core network that includes at least one of a Mobility Management Entity MME and a User Plane Entity UPE.
21. The computer-readable storage medium of claim 19, further comprising instructions for sending a relocation indication message to a Mobility Management Entity MME of a core network.
22. The computer-readable storage medium of claim 19, wherein the context push message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a session keys context SKC, a Nonce associated with the mobile communication device, a Nonce associated with a network, or a network context.
23. The computer-readable storage medium of claim 19, wherein the measurement report includes a Nonce associated with the mobile communication device.
24. The computer-readable storage medium of claim 19, wherein the handover command includes a second encryption parameter identifying the target base station.
25. The computer-readable storage medium of claim 19, wherein the context acknowledgement message includes at least one of: an identifier associated with the source base station, an identifier associated with the target base station, a Nonce associated with the mobile communication device, a Nonce associated with a network, a radio link ID associated with the target base station, or a context ID associated with the target base station.
26. The computer-readable storage medium of claim 19, wherein the context acknowledgement message is signed by the target base station using an integrity key.
27. The computer-readable storage medium of claim 26, wherein the integrity key is derived from an SKC protection key SPK associated with the mobile communication device.
28. The computer-readable storage medium of claim 19, wherein the context push message includes a network context.
29. An apparatus, comprising:
means for sending a measurement report to a source base station, the measurement report including a first encryption parameter;
means for receiving a handover command from the source base station, the handover command including a second encryption parameter corresponding to a target base station; and
means for sending handover authentication information to a target base station, the handover authentication information including identification information corresponding to at least one of the source base station or the target base station.
30. The apparatus of claim 29, wherein the measurement report includes a Nonce associated with the mobile communication device.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US75579306P | 2006-01-04 | 2006-01-04 | |
US60/755,793 | 2006-01-04 | | |
US11/616,337 | 2006-12-27 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101336554A (en) | 2008-12-31 |
Family
ID=40198346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2006800517083A Pending CN101336554A (en) | 2006-01-04 | 2006-12-28 | Secure distributed handover signaling |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101336554A (en) |
Events
- 2006-12-28: CN application CNA2006800517083A (publication CN101336554A) filed; status Pending
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102893645A (en) * | 2010-05-10 | 2013-01-23 | 诺基亚公司 | Key derivation during inter-network handover |
US9264957B2 (en) | 2010-05-10 | 2016-02-16 | Nokia Technologies Oy | Key derivation during inter-network handover |
CN102893645B (en) * | 2010-05-10 | 2016-04-13 | 诺基亚技术有限公司 | Key during switching between network is derived |
CN109791590A (en) * | 2016-08-22 | 2019-05-21 | 诺基亚技术有限公司 | Security processes |
CN112956236A (en) * | 2019-02-02 | 2021-06-11 | Oppo广东移动通信有限公司 | Method and device for processing safety information in switching process, network equipment and terminal |
CN112956236B (en) * | 2019-02-02 | 2022-10-21 | Oppo广东移动通信有限公司 | Method and device for processing safety information in switching process, network equipment and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20081231 |