CN101340708B - Method, system and apparatus for network switching - Google Patents


Info

Publication number: CN101340708B
Authority: CN (China)
Prior art keywords: network, authentication, key, terminal equipment, root key
Legal status: Expired - Fee Related
Application number: CN2007101231802A
Other languages: Chinese (zh)
Other versions: CN101340708A
Inventors: 帅扬来, 陈璟, 朱文若
Current Assignee: Changzhou Xiaoguo Information Service Co., Ltd.
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN2007101231802A
Publications: CN101340708A (application), CN101340708B (granted)

Abstract

The invention discloses a network switching method in the technical field of network communication, comprising the steps of: selecting a target network to be switched to; a source network sending a shared authentication root key to an authentication server; the authentication server distributing a security protection master key, derived from the shared authentication root key, to the network entity corresponding to the target network; the network entity generating the subordinate security protection keys required for accessing the target network and sending an authentication response message to the authentication server; the authentication server sending the authentication response message to the terminal equipment, which generates the subordinate security protection keys according to that message; and the terminal equipment switching from the source network to the target network using the subordinate security protection keys. The invention also discloses a network switching system and apparatus. The method, system and apparatus solve the problem of service interruption of the terminal equipment caused by network switching, realize seamless network switching and maintain the continuity of the terminal equipment's service.

Description

Method, system and apparatus for network switching
Technical field
The present invention relates to the field of network communication technology, and in particular to a method, system and apparatus for network switching (handover).
Background
3GPP (3rd Generation Partnership Project) is the standardization body that actively promotes third-generation systems built mainly on UMTS (Universal Mobile Telecommunications System). With the rapid development of science and technology, modern communication technology also advances by leaps and bounds, and to keep the 3GPP system competitive, 3GPP continually carries out technology evolution, in particular to strengthen the ability of the 3GPP system to handle fast-growing IP data services. The most important parts of this evolution include reduced latency, higher user data rates, enhanced system capacity and larger coverage, and a reduction in operators' overall cost.
Fig. 1 shows the evolved network architecture in a non-roaming scenario of the prior art. As shown in Fig. 1, the core network of the wireless evolved network mainly comprises three logical function modules: the MME (Mobility Management Entity); the Serving Gateway, which is the user-plane anchor between the different access systems within 3GPP; and the PDN (Packet Data Network) Gateway, which is the user-plane anchor between 3GPP access systems and non-3GPP access systems. The MME is responsible for control-plane mobility management, including management of user context and mobility state, allocation of temporary user identities, security functions and so on; it corresponds to the control-plane part of the SGSN (Serving GPRS Support Node) in the current UMTS system. The Serving Gateway directly faces the 3GPP access systems and is the user-plane anchor between access systems inside 3GPP; in a roaming scenario it can also act as the local user-plane anchor between non-3GPP and 3GPP access systems, and a user has only one Serving Gateway at any given time. The PDN Gateway is the user-plane anchor between the 3GPP access systems and the non-3GPP systems in the EPS (Evolved Packet System) and provides the user with PDN access; a user may have several PDN Gateways at the same time.
Network switching (handover) is the process in which terminal equipment leaves a source network and enters a target network. The metrics used to judge a handover include handover delay and service switching quality; only when the effect of these metrics is imperceptible to the user is the handover seamless. Handover delay is a particularly important metric: if the delay during handover is too long, service is interrupted. Therefore, to guarantee service quality during handover, handover delay must be reduced.
Network switching includes handover between homogeneous networks and handover between heterogeneous networks. Between homogeneous networks, such as between 3GPP access networks, authentication and authorization data can be shared, because the authentication modes of homogeneous networks are similar and their security protection requirements for the control plane, the user plane and the air interface are similar; after switching to the target network there is no need to re-authenticate, re-authorize or generate sub-keys. Handover between heterogeneous networks is far more complex: their authentication modes differ, and their security protection requirements for the user plane, the control plane or the air interface differ, so the generated security context data, such as the control-plane, user-plane or air-interface security protection keys, cannot be shared between heterogeneous networks and must be regenerated in the target network. For heterogeneous handover, generating the security protection keys that the target network needs can be achieved by re-authenticating in the target network.
The prior art provides handover flows, based on different IETF (Internet Engineering Task Force) protocols, between a trusted non-3GPP access network and a 3GPP access network, and between an untrusted non-3GPP access network and a 3GPP access network. Fig. 2 is a prior-art handover flow diagram between a 3GPP access network and a trusted non-3GPP access network. As shown in Fig. 2:
Step S201: the terminal equipment connects to the E-UTRAN (Evolved UMTS Terrestrial Radio Access Network) access network and accesses service data over the established connection. Between the Serving GW and the PDN GW there is a PMIP (Proxy Mobile IP) tunnel.
Step S202: the terminal equipment discovers a trusted non-3GPP access network, selects it, and prepares to hand over.
Step S203: a connection to the trusted non-3GPP access network is established. This process is specified by the trusted non-3GPP access.
Step S204: an EAP (Extensible Authentication Protocol) authentication process is carried out among the terminal equipment, the trusted non-3GPP access network and the AAA Server. During authentication, the IP address of the PDN GW is sent to the PMA (Proxy Mobile Agent) of the trusted non-3GPP access.
Step S205: after the EAP authentication process completes successfully, the attach procedure is triggered.
Step S206: the PMA of the trusted non-3GPP access sends a PBU (Proxy Binding Update) message to the PDN GW.
Step S207: the PDN GW creates or modifies the BCE (Binding Cache Entry) for this user and returns the allocated IP address to the PMA of the trusted non-3GPP access.
Step S208: establishment of the PMIP tunnel between the trusted non-3GPP access and the PDN GW completes.
Step S209: the network attach procedure completes. A connection exists between the terminal equipment and the PDN GW, uplink and downlink data are sent, and the terminal resumes service through the trusted non-3GPP access network and transmits data.
In the course of realizing the present invention, the inventors found at least the following problem in the prior art: authentication and authorization are carried out only after the terminal equipment has switched from the source network to the target network. The authentication and authorization process takes a long time, requiring 2 RTT (Round Trip Time), and establishing bearers with the target network also takes time; the resulting delay is likely to cause service interruption, so that the terminal equipment cannot be used.
Summary of the invention
The problem to be solved by the embodiments of the invention is to provide a method, system and apparatus for network switching. By sharing the root key, the authentication and authorization of the terminal equipment with the target network are completed before the network switches, which reduces handover delay and lets the whole handover flow complete in one go, thereby achieving seamless handover.
To this end, the technical solution of the embodiments provides a network switching method comprising the following steps: selecting the target network to be switched to; the source network sending a shared authentication root key to the authentication server; the authentication server distributing, according to the shared authentication root key, a security protection master key to the network entity corresponding to the target network; the network entity generating the security protection sub-keys needed for accessing the target network and sending an authentication response to the authentication server; the authentication server sending an authentication response to the terminal equipment, and the terminal equipment generating the security protection sub-keys according to that authentication response; and the terminal equipment switching from the source network to the target network according to the security protection sub-keys.
The technical solution of the embodiments also provides a network switching system comprising a source network, terminal equipment, a target network entity and an authentication server. The authentication server generates, according to the shared authentication root key, the security protection master key the target network needs, distributes it to the network entity corresponding to the target network, and returns an authentication response to the terminal equipment. The target network entity generates, according to the security protection master key, the security protection sub-keys needed for accessing the target network, and sends an authentication response to the authentication server. The terminal equipment generates, according to the authentication response returned by the authentication server, the security protection sub-keys needed for accessing the target network, and switches from the source network to the target network according to those sub-keys.
The technical solution of the embodiments further provides an authentication server comprising a key derivation unit, a key distribution unit and a message sending unit. The key derivation unit generates the security protection master key from the derived root key or from the root key the source network is using; the key distribution unit distributes the security protection master key to the network entity corresponding to the target network; and the message sending unit sends to the terminal equipment an authentication response containing the security parameters selected for generating the security protection master key.
Compared with the prior art, the embodiments of the invention have the following advantages:
By sharing the root key, the embodiments complete the authentication and authorization of the terminal equipment with the target network before the network switches, reduce handover delay, and let the whole handover process complete in one go, thereby achieving seamless handover between networks and maintaining the service continuity of the terminal equipment.
Description of the drawings
Fig. 1 is an evolved network architecture diagram in a non-roaming scenario of the prior art;
Fig. 2 is a prior-art handover flow diagram between a 3GPP access network and a trusted non-3GPP access network;
Fig. 3 is a handover flow diagram between a 3GPP access network and a trusted non-3GPP access network according to an embodiment of the invention;
Fig. 4 is another handover flow diagram between a 3GPP access network and a trusted non-3GPP access network according to an embodiment of the invention;
Fig. 5 is a handover flow diagram between a trusted non-3GPP access network and a 3GPP access network according to an embodiment of the invention;
Fig. 6 is a handover flow diagram between a 3GPP access network and an untrusted non-3GPP access network according to an embodiment of the invention;
Fig. 7 is another handover flow diagram between a 3GPP access network and an untrusted non-3GPP access network according to an embodiment of the invention;
Fig. 8 is a handover flow diagram between an untrusted non-3GPP access network and a 3GPP access network according to an embodiment of the invention;
Fig. 9 is a structural diagram of an authentication server according to an embodiment of the invention;
Fig. 10 is a structural diagram of a system according to an embodiment of the invention.
Detailed description of embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and embodiments.
For handover between a 3GPP access network and a trusted non-3GPP access network, both networks use the AKA (Authentication and Key Agreement) authentication protocol, so the security protection keys one network needs can be derived from the root key produced by the other network's AKA authentication. That is, for two access networks that support the AKA protocol, the authentication root key is reusable and authentication root key sharing can be realized. Authentication root key sharing has two modes: conditional sharing of the authentication root key, and direct sharing of the authentication root key. Conditional sharing is chosen mainly for security: the root key the source network gives the target network is not the root key the source network is using, but a root key generated in the source network, by some algorithm, from the root key currently in use, for the target network's use; this root key is called the derived root key. Direct sharing means the source network trusts the target network and sends the root key currently in use directly to the target network for its use.
For handover between a 3GPP access network and an untrusted non-3GPP access network, key sharing likewise has the two modes of conditional sharing and direct sharing of the authentication root key. After switching to the target network, the terminal equipment must access the 3GPP access network through the ePDG (Evolved Packet Data Gateway); during root key sharing, an IPsec (Internet Protocol Security) tunnel is established between the terminal equipment and the ePDG. Establishing the IPsec tunnel comprises the IKE (Internet Key Exchange) process and the tunnel authentication and authorization process.
3GPP access networks cover two access cases: UTRAN (UMTS Terrestrial Radio Access Network) and E-UTRAN.
Handover from E-UTRAN to a trusted non-3GPP access network uses the root key sharing process for authentication and authorization. There are three cases for E-UTRAN sending the authentication root key to the trusted non-3GPP access network: 1) conditional sharing of the authentication root key through the MME (Mobility Management Entity); 2) conditional sharing of the authentication root key through the HSS (Home Subscriber Server); 3) direct sharing of the authentication root key.
Embodiment one describes in detail the handover flow from E-UTRAN to a trusted non-3GPP access network with conditional sharing of the authentication root key through the MME. Fig. 3 is a handover flow diagram between a 3GPP access network and a trusted non-3GPP access network according to an embodiment of the invention. The handover flow is described in detail with reference to Fig. 3.
Step S301: in the source network, a bearer is established between the terminal equipment and the PDN GW, uplink and downlink data are transmitted, and the terminal equipment's service is normal.
Step S302: if the source network signal falls below a preset threshold, the source network or the terminal equipment selects the target network. If the terminal equipment selects the target network, it can send an authentication request message to the MME through NAS (Non-Access Stratum) signaling, or send it to the base station through an AS (Access Stratum) message, and the base station forwards it to the MME. If the source network selects the target network, the terminal equipment provides a measurement report to the source network; the measurement report contains the source network ID, signal strength and similar content.
Step S303: the MME obtains, according to the selected target network information, the address of the network entity in the target trusted non-3GPP access network. The address may be obtained by static configuration, by DNS (Domain Name System) query, by DHCP (Dynamic Host Configuration Protocol) query, or by other means.
Step S304: in this embodiment the derived root key generating apparatus is the MME. The MME derives the derived root key, by some algorithm, from the root key the currently accessed E-UTRAN network is using, and sends a security context to the trusted non-3GPP access network. The security context contains the identity of the E-UTRAN network and the latest derived root key.
Step S305: the MME sends an authentication request message to the HSS. The authentication request message contains the address of the network entity of the trusted non-3GPP access network, the security capabilities of the terminal equipment, the security context and similar parameters.
Step S306: the HSS forwards the received authentication request message to the AAA Server.
Step S307: in this embodiment the authentication server is the AAA Server. The AAA Server generates, by some algorithm from the received derived root key, the security protection master key the trusted non-3GPP access network needs.
Step S308: the AAA Server, according to the received IP address of the target network's network entity, distributes the generated key to the other network entities of the target network, and the security protection sub-keys needed by those network entities are generated.
Step S309: the AAA Server (Authentication, Authorization and Accounting Server) sends an authentication response to the HSS. The authentication response contains the security parameters and similar information; the security parameters include the algorithm information the AAA Server used to generate the security protection master key and sub-keys, the random number, and similar parameter information.
Step S310: the HSS sends the authentication response to the MME.
Step S311: the MME adds the algorithm information used to generate the derived root key to the security parameters in the authentication response and sends the security parameters to the terminal equipment. The MME can send the security parameters to the terminal by exchanging NAS messages with it, or it can send the security message to the base station, which delivers it to the terminal equipment in an AS message. The method by which the MME sends the security parameters to the terminal is of course not limited to these two.
Step S312: the terminal equipment, according to the algorithm information in the received security parameters, selects the same algorithms used to generate the derived root key, the security protection master key and the sub-keys, and with the root key currently in use generates the security keys needed for accessing the target network. It then switches to the target network, establishing the connection to the target trusted non-3GPP access network using the generated security keys.
Step S313: in the target trusted non-3GPP access network, the terminal equipment establishes a connection to the PDN GW and completes the bearer configuration. After the bearer configuration for the trusted non-3GPP access is completed, the bearer of the source 3GPP access network is released. The terminal has completed its connection to the trusted non-3GPP access network, and uplink and downlink data are transmitted on the bearer. Because the network security level of the trusted non-3GPP access network differs from that of the 3GPP access network, the trusted non-3GPP access network may initiate a new, complete authentication to update the security keys generated earlier so that they match its own security level and related information. Since the connection with the trusted non-3GPP access network already exists, this full authentication process does not affect the connection between the terminal equipment and the trusted non-3GPP access network, and therefore does not affect service continuity.
If the HSS and the AAA Server are unified as an HSS/AAA Server, steps S306 and S309 are not needed and the other steps are unchanged.
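The key chain of embodiment one (steps S304, S307, S308, S311, S312) and the two sharing modes described earlier can be exercised end to end with the added simulation below; it is not code from the patent. The patent leaves the derivation algorithm unspecified ("by some algorithm"), so HMAC-SHA256 is an assumed stand-in, and the algorithm labels, sub-key names and sample values are constructed. The simulation shows that the terminal reproduces the network's sub-keys from its own current root key plus the received algorithm information and random number, and that under conditional sharing the target side never receives the live source root key.

```python
import hashlib
import hmac
import os

# The patent only says keys are derived "by some algorithm"; HMAC-SHA256 is an
# assumed stand-in, and every label and identifier below is constructed.
ALG_DERIVED_ROOT = "derived-root-hmac-sha256"
ALG_MASTER = "master-hmac-sha256"
ALG_SUB = "subkey-hmac-sha256"
# One sub-key per protection domain named in the description.
SUBKEY_NAMES = ("control-plane", "user-plane", "air-interface")


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation over a label and parameters."""
    h = hmac.new(key, label.encode(), hashlib.sha256)
    for p in params:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def source_network_share(root_key: bytes, target_id: bytes, conditional: bool) -> dict:
    """S304/S305: the MME builds the security context handed to the target side.
    Conditional sharing carries a derived root key; direct sharing carries the
    root key the source network is currently using."""
    shared = kdf(root_key, ALG_DERIVED_ROOT, target_id) if conditional else root_key
    return {"source_net_id": b"E-UTRAN", "target_id": target_id, "root_key": shared}


def auth_server_derive(security_context: dict, nonce: bytes):
    """S307/S308: the AAA Server derives the master key and then the sub-keys
    for the target network entities. Returns the master key, the sub-keys and
    the security parameters the terminal needs to repeat the derivation."""
    master = kdf(security_context["root_key"], ALG_MASTER, nonce)
    subkeys = {n: kdf(master, ALG_SUB, n.encode()) for n in SUBKEY_NAMES}
    params = {"alg_master": ALG_MASTER, "alg_sub": ALG_SUB, "nonce": nonce}
    return master, subkeys, params


def mme_add_derivation_info(params: dict, conditional: bool) -> dict:
    """S311: the MME appends the derived-root-key algorithm information
    (none under direct sharing) before forwarding the parameters."""
    out = dict(params)
    out["alg_derived_root"] = ALG_DERIVED_ROOT if conditional else None
    return out


def terminal_generate(root_key: bytes, target_id: bytes, params: dict) -> dict:
    """S312: the terminal repeats the chain from its own current root key using
    only the algorithm identifiers and nonce it received; no key is sent to it."""
    alg = params["alg_derived_root"]
    shared = kdf(root_key, alg, target_id) if alg else root_key
    master = kdf(shared, params["alg_master"], params["nonce"])
    return {n: kdf(master, params["alg_sub"], n.encode()) for n in SUBKEY_NAMES}


def pre_handover_auth(root_key: bytes, target_id: bytes, conditional: bool, nonce=None) -> dict:
    """Run the whole pre-handover key agreement and report whether both sides
    agree and whether the target side ever saw the live source root key."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ctx = source_network_share(root_key, target_id, conditional)
    _master, net_subkeys, params = auth_server_derive(ctx, nonce)
    params = mme_add_derivation_info(params, conditional)
    ue_subkeys = terminal_generate(root_key, target_id, params)
    return {
        "network_subkeys": net_subkeys,
        "terminal_subkeys": ue_subkeys,
        "keys_match": net_subkeys == ue_subkeys,
        "target_saw_live_root_key": ctx["root_key"] == root_key,
    }


if __name__ == "__main__":
    k_root = os.urandom(32)  # constructed: root key from the source network's AKA run
    for mode in (True, False):
        r = pre_handover_auth(k_root, b"trusted-non3gpp-A", conditional=mode)
        print("conditional" if mode else "direct", "keys match:", r["keys_match"],
              "target saw live root key:", r["target_saw_live_root_key"])
```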
If the handover from E-UTRAN to the trusted non-3GPP access network uses conditional sharing of the authentication root key through the HSS, then, as shown in Fig. 4, most steps are the same as in embodiment one; the steps that differ are as follows:
Step S404: the MME sends a security context to the HSS.
Step S405: the derived root key generating apparatus is the HSS; the HSS generates the derived root key from the root key currently in use.
Step S406: the derived root key is added to the security context sent by the MME, and the security context containing the derived root key is then sent to the AAA Server.
Step S410: the HSS puts the algorithm information used to generate the derived root key into the security parameters returned by the AAA Server and sends the authentication response, with the security parameters carrying the algorithm information, to the MME. This step may also be realized as follows: at step S407 the HSS sends the algorithm information used to generate the derived root key to the AAA Server, which adds it directly to the security parameters that are sent to the terminal equipment. The method of sending the derived root key algorithm information to the terminal equipment is of course not limited to these two.
Step S411: the MME forwards the authentication response directly to the terminal equipment.
If embodiment one uses direct sharing of the authentication root key, most steps are still the same as in embodiment one, with the following specific differences:
Step S304 of embodiment one is deleted, because no derivation from the root key currently in use is needed.
Step S305 of embodiment one is replaced by: the MME or the HSS adds the root key in use to the security context and sends it to the AAA Server.
Step S311 of embodiment one is replaced by: the MME sends the security parameters from the AAA Server directly to the terminal equipment without change.
Handover from UTRAN to the trusted non-3GPP access network is substantially the same as handover from E-UTRAN to the trusted non-3GPP access network, with the same three key sharing modes: conditional sharing through the MME, conditional sharing through the HSS, and direct sharing of the authentication root key. The main differences are that the MME's function is performed by the SGSN, the MME does not take part in the handover flow, the derived root key generating apparatus becomes the SGSN, and the base station's function is performed by the RNC. Making just these replacements in embodiment one yields the flow for handover from UTRAN to the trusted non-3GPP access network, so it is not described again.
Handover from the trusted non-3GPP access network to E-UTRAN has two root key sharing modes: 1) conditional sharing of the authentication root key through the AAA Server; 2) direct sharing of the authentication root key.
Embodiment two introduces in detail and switches to E-UTRAN by the reliable non-3 GPP Access Network and have ready conditions by AAAServer and share the switching flow of authentication root key.Fig. 5 is a kind of reliable non-3 GPP Access Network of the embodiment of the invention and the switching flow figure of 3GPP Access Network.In conjunction with Fig. 5, present embodiment is described in detail.
Step S501, terminal equipment are by connecting between reliable non-3 GPP Access Network and the PDN GW, and the configuration carrying, and the transmission of upstream and downstream data is arranged, and terminal equipment is professional normal.
Step S502, if the source network signal is lower than preset threshold, source network or terminal equipment meeting selected target network are prepared to carry out network and are switched.If terminal equipment selected target network, it can be initiated to the handoff request of source network behind definite switching target network, requires to carry out root key and shares.If source network selected target network, then terminal equipment provides measurement report to source network, and measurement report comprises contents such as source network ID, signal strength signal intensity.
Step S503, the network entity in the reliable non-3 GPP Access Network be by static configuration or DNS inquiry, and perhaps mode such as DHCP inquiry is determined the address of the MME in the objective network.
Step S504, reliable non-3 GPP Access Network network entity send authentication request message to AAAServer, and authentication request message comprises the message such as address of MME.If under the situation of roaming, need to carry out the message transfer through one or more authentications, charging and devolution AAA Proxy.
Step S505, the root key generating apparatus of deriving of present embodiment is AAA Server, AAAServer generates the root key of deriving according to the root key of current use by certain algorithm, shares with objective network E-UTRAN.
Step S506, AAA Server send authentication request message to HSS, and authentication request message comprises information such as the address of MME and safe context.Safe context comprises information such as the sign of reliable non-3 GPP Access Network and the root key of deriving.
Step S507, the authentication server of present embodiment are HSS, and HSS obtains the root key of deriving according to the safe context information of receiving, according to the root key of deriving, by certain algorithm, generate fail safe protection master key.Certainly, HSS also can not generate fail safe protection master key, but the root key of directly will deriving is regarded fail safe protection master key as.
Step S508: the HSS, according to the received address information of the MME, distributes the security protection master key to the MME, which generates the security protection sub-keys needed for E-UTRAN access.
Step S509: the HSS sends an authentication response message to the AAA Server. The authentication response message contains information such as the security parameters, which include the parameters selected by the target network for generating the security protection master key and sub-keys, and parameter information such as a random number.
Step S510: the AAA Server adds parameters such as the algorithm information used to generate the derived root key to the security parameters in the authentication response message, and sends the security parameters to the trusted non-3GPP access network.
Step S511: the trusted non-3GPP access network sends the security parameters to the terminal equipment in a switching command message, notifying the terminal equipment that it may switch networks. The switching command message may be sent as a NAS message, or the access gateway (AGW) of the trusted non-3GPP access network may send the message to the base station (BS), which forwards it to the terminal equipment over the air interface. Of course, the method by which the trusted non-3GPP access network sends the switching command message is not limited to these two methods.
Step S512: the terminal equipment, according to the algorithm information contained in the received security parameters, uses the algorithms for generating the derived root key, the security protection master key and the sub-keys respectively, together with the root key currently in use, to generate the security protection sub-keys needed to access the target network E-UTRAN, and sends an Attach Request message to the target network.
Step S513: the MME initiates a Location Update procedure towards the HSS, in which the MME registers with the HSS and the HSS returns subscription data to the MME.
Step S514: in the target network E-UTRAN, the terminal equipment establishes a connection to the PDN GW and completes bearer configuration. After the E-UTRAN access bearer is configured, the terminal has completed its connection to E-UTRAN and uplink and downlink data are transmitted over the bearer. Because the network security level of the trusted non-3GPP access network differs from that of the 3GPP access network, E-UTRAN may initiate a new AKA authentication to update the previously generated security keys. Because the connection with E-UTRAN is already established, this full authentication does not affect the connection between the terminal equipment and E-UTRAN, and so does not affect service continuity.
Step S515: the bearer used when accessing the source network, the trusted non-3GPP access network, is released.
Note that if the HSS and the AAA Server are combined into one HSS/AAA Server, steps S506 and S509 are unnecessary and the other steps are unchanged. Alternatively, in step S507 the HSS may obtain the derived root key from the received security context information and, instead of generating a security protection master key, distribute the derived root key directly to the MME.
If, in embodiment two, the authentication root key is shared directly, most steps are identical to those of embodiment two, with the following differences:
Step S505 of embodiment two is deleted, because no derivation from the root key in use is required.
Step S506 of embodiment two is replaced by: the AAA Server adds the root key in use to the security context and sends it to the HSS.
Step S510 of embodiment two is replaced by: the AAA Server sends the security parameters to the terminal equipment directly, without modification.
Switching from a trusted non-3GPP access network to UTRAN is substantially the same as switching from a trusted non-3GPP access network to E-UTRAN, and likewise has two sharing modes: conditional sharing of the authentication root key by the AAA Server, and direct sharing of the authentication root key. The main difference is that the functions of the MME are performed by the SGSN, and the MME does not take part in the switching flow. Making the corresponding replacement in embodiment two yields the flow for switching from a trusted non-3GPP access network to UTRAN, so it is not described again.
Switching between a 3GPP access network and an untrusted non-3GPP access network: because a 3GPP access network covers two access cases, UTRAN and E-UTRAN, there are two cases, switching between E-UTRAN and an untrusted non-3GPP access network, and switching between UTRAN and an untrusted non-3GPP access network.
Switching from E-UTRAN to an untrusted non-3GPP access network likewise has three root-key sharing modes: conditional sharing of the authentication root key by the MME, conditional sharing of the authentication root key by the HSS, and direct sharing of the authentication root key.
Embodiment three describes in detail the flow in which terminal equipment switches from E-UTRAN to an untrusted non-3GPP access network with conditional sharing of the authentication root key by the MME. Fig. 6 is a flow chart of switching between a 3GPP access network and an untrusted non-3GPP access network according to an embodiment of the invention. The flow is described in detail with reference to Fig. 6.
Step S601: in the 3GPP access network, a connection is established between the terminal equipment and the PDN GW, a bearer is configured, uplink and downlink data are transmitted, and the terminal equipment's service is normal.
Step S602: if the source network signal falls below a preset threshold, the source network or the terminal equipment selects a target network. If the terminal equipment selects the target network, the source network provides assistance information to help with the selection; the assistance information includes information such as network topology and operator preferences and policies. If the source network selects the target network, the terminal equipment provides a measurement report to the source network containing information such as the source network ID and signal strength.
Step S603: the terminal equipment sends an authentication request message to the MME, containing the user ID and the IKEv2 parameters of the terminal equipment. The IKEv2 parameters include the IKE header, the Security Association, the Configuration Payload, the Traffic Selector and certificate parameters.
Step S604: the MME obtains the address of the ePDG in the trusted non-3GPP access network according to the information about the selected target network. The address of the ePDG may be obtained in several ways, such as static configuration, DNS query or DHCP query.
Step S605: in this embodiment the derived-root-key generating apparatus is the MME. The MME derives the derived root key from the root key currently in use in the E-UTRAN access network by a certain algorithm, and sends a security context to the trusted non-3GPP access network. The security context contains information such as the E-UTRAN network identifier and the newly derived root key.
Step S606: the MME sends an authentication request message to the HSS, containing the address of the ePDG in the trusted non-3GPP access network, the security capability of the terminal, the security context, and the IKEv2 parameters of the terminal equipment.
Step S607: the HSS forwards the received authentication request message to the AAA Server.
Step S608: in this embodiment the authentication server is the AAA Server, which generates the security protection master key needed by the trusted non-3GPP access network from the received derived root key by a certain algorithm.
Step S609: the AAA Server, according to the received IP address of the network entity of the trusted non-3GPP access network, distributes the generated security protection master key to the other network entities of the trusted non-3GPP access network, which generate the security protection sub-keys they need. It also sends information such as the IKEv2 parameters and user ID of the terminal equipment to the ePDG. The ePDG allocates a local IP address to the terminal equipment according to the Configuration Payload in the IKEv2 parameters and uses it as the terminal's local address to establish the inbound and outbound security associations (SAs) from the terminal to the ePDG. The ePDG sends its ePDG ID and IKEv2 parameters to the terminal equipment; these IKEv2 parameters include information such as the IP address the ePDG allocated to the terminal equipment. If the terminal is roaming, one or more AAA Proxies relay the messages.
Step S610: the AAA Server sends an authentication response message to the HSS. The authentication response message contains information such as the security parameters, the ePDG ID, the ePDG IKEv2 parameters and a random number.
Step S611: the HSS sends the authentication response message to the MME.
Step S612: the MME adds the algorithm information used to generate the derived root key to the security parameters in the authentication response message, and sends the authentication response message, containing the security parameters, the ePDG ID and the ePDG IKEv2 parameters, to the terminal equipment.
Step S613: the terminal equipment, according to the received security parameters and in combination with the root key in use, generates the security protection master key and sub-keys that the target network needs. It establishes the inbound and outbound SAs from the terminal equipment to the ePDG according to the ePDG IKEv2 parameters, that is, it completes the configuration of the IPsec tunnel between the terminal equipment and the ePDG, and then switches to the target network.
Step S614: the terminal equipment establishes a connection to the untrusted non-3GPP access network using the generated security protection sub-keys, and migrates the IPsec tunnel between the terminal equipment and the ePDG to the untrusted non-3GPP access network; the migration of the IPsec tunnel may be based on the MOBIKE protocol.
Step S615: in the untrusted non-3GPP access network, the terminal equipment and the PDN GW establish a connection and complete bearer configuration. The bearer of the source network E-UTRAN is released. At this point the terminal has completed its connection with the untrusted non-3GPP network and uplink and downlink data are transmitted over the bearer. Because the network security level of the untrusted non-3GPP access network differs from that of the 3GPP access network, the untrusted non-3GPP access network may initiate a new full authentication to update the previously generated security keys so that they match information such as its own security level. Because the connection with the untrusted non-3GPP access network is already established, this full authentication does not affect the connection between the terminal equipment and the untrusted non-3GPP access network, and so does not affect service continuity.
If the HSS and the AAA Server are combined into one HSS/AAA Server, steps S607 and S610 are unnecessary and the other steps are unchanged.
If, when the terminal equipment switches from E-UTRAN to an untrusted non-3GPP access network, the authentication root key is shared conditionally by the HSS, the switching flow is as shown in Fig. 7. Most steps are still the same as in embodiment three, with the following differences:
Step S705: the MME sends a security context to the HSS, but this context does not contain the derived root key that is sent to the AAA Server.
Step S706: in this embodiment the derived-root-key generating apparatus is the HSS, which generates the derived root key from the root key currently in use.
Step S707: the HSS adds the derived root key to the security context received from the MME, and sends the security context with the derived root key added to the AAA Server.
Step S711: the HSS puts the algorithm information used to generate the derived root key into the security parameters returned by the AAA Server, and sends the authentication response message with the algorithm information added to the MME. This step may alternatively be realized as follows: in step S707 the HSS sends the algorithm information for generating the derived root key to the AAA Server, which adds it directly to the security parameters and sends it to the terminal equipment. Of course, the method for sending the algorithm information for generating the derived root key to the terminal equipment is not limited to these two methods.
Step S712: the MME forwards the authentication response message to the terminal equipment directly, without modification.
If, in embodiment three, the authentication root key is shared directly, most steps are still the same as in embodiment three, with the following differences:
Step S604 of embodiment three is deleted, because no derivation from the root key in use is required.
Step S605 of embodiment three is replaced by: the MME or the HSS adds the root key in use to the security context and sends it to the AAA Server.
Step S612 of embodiment three is replaced by: the MME forwards the security parameters sent by the AAA Server to the terminal equipment directly, without modification.
Switching from UTRAN to an untrusted non-3GPP access network is substantially the same as switching from E-UTRAN to an untrusted non-3GPP access network, and likewise has three sharing modes: conditional sharing of the authentication root key by the MME, conditional sharing of the authentication root key by the HSS, and direct sharing of the authentication root key. The main differences are that the functions of the MME are performed by the SGSN (the MME does not take part in the switching flow) and the derived-root-key generating apparatus likewise becomes the SGSN, and that the functions of the base station are performed by the RNC. Making these replacements in embodiment three yields the flow for switching from UTRAN to an untrusted non-3GPP access network, so it is not described again.
Switching from an untrusted non-3GPP access network to E-UTRAN has two root-key sharing modes: 1) conditional sharing of the authentication root key by the AAA Server; 2) direct sharing of the authentication root key.
Embodiment four describes in detail the switching flow from an untrusted non-3GPP access network to E-UTRAN with conditional sharing of the authentication root key by the AAA Server. Fig. 8 is a flow chart of switching between a 3GPP access network and an untrusted non-3GPP access network according to an embodiment of the invention. The embodiment is described in detail with reference to Fig. 8.
Step S801: the terminal equipment has established a connection to the PDN GW through the untrusted non-3GPP access network and completed bearer configuration; uplink and downlink data are transmitted and the terminal equipment's service is normal.
Step S802: if the source network signal falls below a preset threshold, the source network or the terminal equipment selects a target network in preparation for switching. If the terminal equipment selects the target network, it sends a handover request to the source network after determining the target network, requesting root key sharing. If the source network selects the target network, the terminal equipment provides a measurement report to the source network containing information such as the source network ID and signal strength.
Step S803: the network entity in the untrusted non-3GPP access network determines the address of the MME in the target network by static configuration, DNS query, DHCP query or similar means.
Step S804: the ePDG sends an authentication request message to the AAA Server, containing information such as the address of the MME. If the terminal is roaming, the message is relayed through one or more AAA Proxies.
Step S805: in this embodiment the derived-root-key generating apparatus is the AAA Server, which generates the derived root key from the root key currently in use by a certain algorithm, to be shared with the target network E-UTRAN.
Step S806: the AAA Server sends an authentication request message to the HSS, containing information such as the address of the MME and the security context. The security context contains information such as the identifier of the untrusted non-3GPP access network and the derived root key.
Step S807: in this embodiment the generating apparatus for the target network is the HSS. The HSS obtains the derived root key from the received security context information and generates the security protection master key by a certain algorithm. Of course, the HSS may also not generate a security protection master key but treat the derived root key itself as the security protection master key.
Step S808: the HSS, according to the received address information of the MME, distributes the security protection master key to the MME, which generates the security protection sub-keys needed for E-UTRAN access.
Step S809: the HSS sends an authentication response message to the AAA Server. The authentication response message contains information such as the security parameters, which include the algorithm information the HSS used to generate the security protection master key and sub-keys, and parameter information such as a random number.
Step S810: the AAA Server adds parameters such as the algorithm information used to generate the derived root key to the security parameters in the authentication response message, and sends the security parameters to the untrusted non-3GPP access network.
Step S811: the untrusted non-3GPP access network sends the security parameters to the terminal equipment in a switching command message, notifying the terminal equipment that it may switch networks. The switching command message may be carried over the IPsec tunnel or realized by an extended IKE message. Of course, the method by which the ePDG sends the switching command message is not limited to these two methods.
Step S812: the terminal equipment, according to the algorithm information contained in the received security parameters, uses the algorithms for generating the derived root key, the security protection master key and the sub-keys respectively, together with the root key currently in use, to generate the security protection sub-keys needed to access the target network E-UTRAN, and sends an Attach Request message to the target network.
Step S813: the MME initiates a Location Update procedure towards the HSS, in which the MME registers with the HSS and the HSS returns subscription data to the MME.
Step S814: in the target network E-UTRAN, the terminal equipment establishes a connection to the PDN GW and completes bearer configuration. After the E-UTRAN access bearer is configured, the terminal has completed its connection to E-UTRAN and uplink and downlink data are transmitted over the bearer. Because the network security level of the untrusted non-3GPP access network differs from that of the 3GPP access network, E-UTRAN may initiate a new AKA authentication to update the previously generated security keys. Because the connection with E-UTRAN is already established, this full authentication does not affect the connection between the terminal equipment and E-UTRAN, and so does not affect service continuity.
Step S815: the bearer used when accessing the source network, the untrusted non-3GPP access network, is released.
Note that if the HSS and the AAA Server are combined into one HSS/AAA Server, steps S806 and S809 are unnecessary and the other steps are unchanged. Alternatively, in step S807 the HSS may obtain the derived root key from the received security context information and, instead of generating a security protection master key, distribute the derived root key directly to the MME.
If, in embodiment four, the authentication root key is shared directly, most steps are still the same as in embodiment four, with the following differences:
Step S805 of embodiment four is deleted, because no derivation from the root key in use is required.
Step S806 of embodiment four is replaced by: the AAA Server adds the root key in use to the security context and sends it to the HSS.
Step S810 of embodiment four is replaced by: the AAA Server sends the security parameters to the terminal equipment directly, without modification.
Switching from an untrusted non-3GPP access network to UTRAN is substantially the same as switching from an untrusted non-3GPP access network to E-UTRAN, and likewise has two sharing modes: conditional sharing of the authentication root key by the AAA Server, and direct sharing of the authentication root key. The main difference is that the functions of the MME are performed by the SGSN, and the MME does not take part in the switching flow. Making the corresponding replacement in embodiment four yields the flow for switching from an untrusted non-3GPP access network to UTRAN, so it is not described again.
As the above embodiments show, by sharing the root key the embodiments of the invention complete the authentication and authorization of the terminal equipment in the target network before the terminal equipment switches from the source network to the target network. This reduces the effect of the target network's authentication and authorization procedures on switching delay, speeds up switching between networks, keeps the terminal equipment's service continuous during network switching, and realizes seamless switching from the source network to the target network.
Fig. 9 is a structural diagram of an authentication server according to an embodiment of the invention. The authentication server comprises a key derivation unit 931, a key distribution unit 932 and a message sending unit 933. The key derivation unit 931 receives the derived root key or the root key the source network is using and, from it, generates by a certain algorithm the security protection master key needed to access the target network; it sends this master key to the key distribution unit 932 and, at the same time, sends the algorithm information used to generate the security protection master key, as a selected parameter, to the message sending unit 933. The key distribution unit 932 distributes the master key to the target network entity of the target network. The message sending unit 933 receives from the target network entity the algorithm information parameters used to generate the security protection sub-keys needed to access the target network, adds the algorithm information used to generate the security protection master key of the target network to the security parameters, and sends the security parameters to the derived-root-key generating apparatus or to the terminal equipment.
Fig. 10 is a system structure diagram according to an embodiment of the invention. The system consists of a source network 91, a derived-root-key generating apparatus 92, an authentication server 93, a target network entity 94 and terminal equipment 95. The authentication server 93 comprises a key derivation unit 931, a key distribution unit 932 and a message sending unit 933, and the terminal equipment 95 comprises an IPsec tunnel processing unit 951. A connection is established between the source network 91 and the terminal equipment 95, bearer configuration is completed, and uplink and downlink data are transmitted. When switching from the source network 91 to the target network with conditional sharing of the authentication root key, the derived-root-key generating apparatus 92 obtains the root key the source network 91 is using, generates the derived root key by a certain algorithm, adds it to the security context and sends it to the key derivation unit 931 of the authentication server 93. The key derivation unit 931 generates, from the derived root key and by a certain algorithm, the security protection master key needed to access the target network, sends it to the key distribution unit 932 and, at the same time, sends the parameters selected for generating the security protection master key to the message sending unit 933. The key distribution unit 932 distributes this master key to the target network entity 94 of the target network, and the target network entity 94 derives the security protection sub-keys of the target network from the security protection master key. The target network entity 94 sends the parameters selected for generating the security protection sub-keys to the message sending unit 933 of the authentication server 93; the message sending unit 933 adds the algorithm information used to generate the security protection master key and sub-keys of the target network to the security parameters and sends them to the derived-root-key generating apparatus 92.
The derived-root-key generating apparatus 92 adds information on the algorithm used to generate the derived root key to the security parameters and sends the modified security parameters to the terminal equipment 95, which generates the security protection sub-keys the target network needs from the information in the security parameters. If the switching is between a 3GPP access network and an untrusted non-3GPP access network, the IPsec tunnel processing unit 951 of the terminal equipment 95 also establishes the IPsec tunnel between the terminal equipment and the ePDG and migrates the IPsec tunnel to the target network by the MOBIKE protocol. The terminal equipment 95 can then establish a connection with the target network. Once the terminal equipment 95 has completed bearer configuration with the target network, it releases the bearer with the source network 91. Seamless switching is thus realized.
When switching from the source network 91 to the target network with direct sharing of the authentication root key, the root key the source network is using is added directly to the security context and sent to the key derivation unit 931 of the authentication server 93. The key derivation unit 931 generates, from the received root key and by a certain algorithm, the security protection master key needed to access the target network, sends it to the key distribution unit 932 and, at the same time, sends the parameters selected for generating the security protection master key to the message sending unit 933. The key distribution unit 932 distributes this master key to the target network entity 94 of the target network, and the target network entity 94 generates the security protection sub-keys of the target network from the security protection master key. The target network entity 94 sends the parameters selected for generating the security protection sub-keys to the message sending unit 933 of the authentication server 93; the message sending unit 933 adds the algorithm information used to generate the security protection master key and sub-keys of the target network to the security parameters and sends them to the terminal equipment 95, which generates the security protection sub-keys the target network needs from the information in the security parameters. If the switching is between a 3GPP access network and an untrusted non-3GPP access network, the IPsec tunnel processing unit 951 of the terminal equipment 95 also establishes the IPsec tunnel between the terminal equipment and the ePDG and migrates the IPsec tunnel to the target network by the MOBIKE protocol. The terminal equipment 95 can then establish a connection with the target network. Once the terminal equipment 95 has completed bearer configuration with the target network, it releases the bearer with the source network 91. Seamless switching is thus realized.
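The following Python model illustrates the key hierarchy that the switching flows of embodiments two to four and the unit structure of Figs. 9 and 10 describe: a source-side entity shares either a derived root key (conditional sharing) or the root key in use (direct sharing), the authentication server turns it into the security protection master key, the target network entity generates sub-keys, and the terminal equipment reproduces the same sub-keys from its own copy of the root key and the algorithm information carried in the security parameters. This is an added example, not code from the patent or its assignee. The patent does not specify the derivation algorithms, so the use of HKDF-SHA256, the label strings, the entity class names, the sub-key names and the constructed root key and nonce are all assumptions.

```python
"""Toy model of the root-key sharing hierarchy: root key -> (derived root key)
-> security protection master key -> sub-keys.  Added example, not the patent's
code; HKDF-SHA256, labels and entity names are assumptions (the patent leaves them open)."""
import hashlib
import hmac
import os
from typing import Optional

def hkdf_sha256(key: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with an all-zero salt (assumed KDF; the patent only requires
    that the algorithm actually used is signalled to the terminal)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# The "algorithm information" carried in the security parameters is an identifier
# that the terminal maps back to a KDF.  Only one algorithm in this toy model.
KDFS = {"hkdf-sha256": hkdf_sha256}

def derive(alg: str, key: bytes, label: str, *parts: bytes) -> bytes:
    """Each level of the hierarchy is KDF(key, label || parts)."""
    return KDFS[alg](key, label.encode() + b"".join(parts))

class SourceNetwork:
    """MME / SGSN / AAA Server of the source network, holding the root key in use."""
    def __init__(self, net_id: str, root_key: bytes):
        self.net_id, self.root_key = net_id, root_key

    def share_root_key(self, mode: str):
        """Return (security context, algorithm info the terminal will need).
        Conditional sharing sends a derived root key; direct sharing sends the
        root key itself (step S505/S506 and their replacements)."""
        if mode == "conditional":
            derived = derive("hkdf-sha256", self.root_key, "derived-root", self.net_id.encode())
            return {"net_id": self.net_id, "key": derived}, {"derive_alg": "hkdf-sha256"}
        if mode == "direct":
            return {"net_id": self.net_id, "key": self.root_key}, {}
        raise ValueError(f"unknown sharing mode {mode!r}")

class TargetNetworkEntity:
    """MME (E-UTRAN) or ePDG (untrusted non-3GPP): generates the access sub-keys."""
    SUB_KEY_NAMES = ("enc", "int")  # constructed: one ciphering key, one integrity key

    def __init__(self, net_id: str):
        self.net_id = net_id

    def generate_sub_keys(self, master: bytes):
        subs = {n: derive("hkdf-sha256", master, "sub-" + n) for n in self.SUB_KEY_NAMES}
        return subs, {"sub_alg": "hkdf-sha256", "sub_names": self.SUB_KEY_NAMES}

class AuthenticationServer:
    """HSS or AAA Server: turns the shared key into the master key for the target."""
    def __init__(self):
        self.seen_keys = []  # every key this entity receives (for the exposure check)

    def authenticate(self, context, target: TargetNetworkEntity, nonce: bytes):
        self.seen_keys.append(context["key"])
        master = derive("hkdf-sha256", context["key"], "master", target.net_id.encode(), nonce)
        sub_keys, sub_info = target.generate_sub_keys(master)
        params = {"master_alg": "hkdf-sha256", "nonce": nonce, "target": target.net_id, **sub_info}
        return sub_keys, params  # params travel in the authentication response message

class Terminal:
    """Holds the same root key as the source network and mirrors the derivation."""
    def __init__(self, root_key: bytes):
        self.root_key = root_key

    def generate_sub_keys(self, params, source_net_id: str):
        key = self.root_key
        if "derive_alg" in params:  # conditional sharing: reproduce the derived root key first
            key = derive(params["derive_alg"], key, "derived-root", source_net_id.encode())
        master = derive(params["master_alg"], key, "master", params["target"].encode(), params["nonce"])
        return {n: derive(params["sub_alg"], master, "sub-" + n) for n in params["sub_names"]}

def handover(mode: str, root_key: bytes, nonce: Optional[bytes] = None):
    """Run one switching flow; return (network-side sub-keys, terminal sub-keys,
    whether the authentication server ever received the root key itself)."""
    nonce = os.urandom(16) if nonce is None else nonce
    source = SourceNetwork("trusted-non3gpp", root_key)
    target = TargetNetworkEntity("e-utran")
    auth = AuthenticationServer()
    terminal = Terminal(root_key)

    context, derive_info = source.share_root_key(mode)
    net_keys, params = auth.authenticate(context, target, nonce)
    params.update(derive_info)  # source-side entity adds its algorithm info (steps S510, S612, S711, S810)
    ue_keys = terminal.generate_sub_keys(params, context["net_id"])
    return net_keys, ue_keys, root_key in auth.seen_keys

if __name__ == "__main__":
    rk = bytes(range(32))  # constructed root key
    for mode in ("conditional", "direct"):
        net, ue, exposed = handover(mode, rk)
        print(f"{mode:12s} keys match: {net == ue}  root key reached auth server: {exposed}")
```

Running the block shows the two properties the flows rely on: the terminal ends up with exactly the sub-keys the target network entity generated, in both sharing modes, because every derivation input (algorithm identifier, target network identifier, random number) is carried in the security parameters; and the third return value shows which mode lets the source network's root key itself reach the authentication server, which is the difference between conditional and direct sharing as the embodiments describe it.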
As the foregoing description shows, by sharing the root key the embodiments of the invention complete the authentication and authorization of the terminal equipment in the target network before the terminal equipment switches from the source network to the target network. This reduces the effect of the target network's authentication and authorization procedures on switching delay, speeds up switching between networks, keeps the terminal equipment's service continuous during network switching, and realizes seamless switching from the source network to the target network.
The above is merely a preferred embodiment of the invention. It should be noted that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (23)

1. A network switching method, characterized by comprising the following steps:
selecting a target network to switch to;
a source network sending a shared authentication root key to an authentication server;
the authentication server distributing a security protection master key to a corresponding network entity of the target network according to the shared authentication root key;
the network entity generating a security protection sub-key needed for accessing the target network, and sending an authentication response message to the authentication server;
the authentication server sending the authentication response message to terminal equipment, and the terminal equipment generating the security protection sub-key according to the authentication response message;
the terminal equipment switching from the source network to the target network according to the security protection sub-key.
2. The network switching method according to claim 1, characterized in that selecting a target network to switch to specifically comprises: the source network or the terminal equipment selecting the target network to switch to.
3. The network switching method according to claim 1, characterized in that, before the source network sends the shared authentication root key to the authentication server, the method further comprises: a network entity of the source network selecting the network entity of the target network according to information about the target network.
4. The network switching method according to claim 1, characterized in that the shared authentication root key is
a derived root key generated from the root key the source network is using, or
the root key the source network is using.
5. The network switching method according to claim 4, characterized in that generating the derived root key from the root key the source network is using specifically comprises:
a Mobility Management Entity (MME) generating the derived root key from the root key the source network is using;
a Home Subscriber Server (HSS) generating the derived root key from the root key the source network is using; or
an Authentication, Authorization and Accounting server (AAA Server) generating the derived root key from the root key the source network is using.
6. The network switching method according to claim 4, characterized in that the source network sending the shared authentication root key to the authentication server is specifically:
adding the shared authentication root key to a security context and sending the security context to the authentication server.
7. The network switching method according to claim 6, characterized in that the source network sending the shared authentication root key to the authentication server further comprises:
sending the security capability and/or the Internet Key Exchange (IKE) parameters of the terminal equipment to the authentication server.
8. The network switching method according to claim 1, characterized in that, before the authentication server distributes the security protection master key to the corresponding network entity of the target network according to the shared authentication root key, the method further comprises:
the authentication server generating the security protection master key needed by the target network according to the shared authentication root key.
9. The network switching method according to claim 8, characterized in that the authentication server uses the shared authentication root key as the security protection master key needed by the target network.
10. The network switching method according to claim 7, characterized in that, after the network entity generates the security protection sub-key needed for accessing the target network, the method further comprises: establishing a security association (SA) from the terminal equipment to an evolved packet data gateway (ePDG) according to the IKE parameters of the terminal equipment and the IKE parameters of the ePDG.
11. The network switching method according to claim 1, characterized in that the authentication response comprises the security parameter information selected for generating the security protection sub-key.
12. The network switching method according to claim 11, characterized in that the authentication response further comprises the security parameter information selected for generating the security protection master key.
13. The network switching method according to claim 11, characterized in that the authentication response further comprises the security parameter information selected for generating the derived root key.
14. The network switching method according to claim 11, characterized in that the authentication response further comprises the IKE parameter information of the ePDG.
15. The network switching method according to claim 11, 12, 13 or 14, characterized in that the terminal equipment generating the security protection sub-key according to the authentication response specifically comprises:
the terminal equipment obtaining the information contained in the authentication response and, combining it with the root key it is using, generating the security protection sub-key required to access the target network.
16. The network switching method according to claim 15, characterized in that, after the terminal equipment generates the security protection sub-key according to the authentication response, the method further comprises: configuring an IP Security (IPsec) tunnel between the terminal equipment and the ePDG.
17. The network switching method according to claim 16, characterized in that, after the IPsec tunnel between the terminal equipment and the ePDG is configured, the method further comprises: moving the IPsec tunnel from the source network to the target network by means of the IKEv2 Mobility and Multihoming protocol (MOBIKE).
18. The network switching method according to claim 1, characterized in that the terminal equipment switching from the source network to the target network specifically comprises:
the terminal equipment establishing a connection with the target network according to the security protection sub-key and completing the bearer configuration;
the terminal equipment releasing the bearer configuration with the source network.
19. The network switching method according to claim 1, characterized in that, after the terminal equipment has switched from the source network to the target network, the method further comprises initiating a further authentication procedure in the target network to update the security protection sub-key.
20. A network switching system, characterized in that the system comprises a source network, terminal equipment, a target network entity and an authentication server, wherein:
the authentication server is configured to generate, from the shared authentication root key, the security protection master key required by the target network, to distribute it to the network entity corresponding to the target network, and to return an authentication response to the terminal equipment;
the target network entity is configured to generate, from the security protection master key, the security protection sub-key required to access the target network, and to send an authentication response to the authentication server;
the terminal equipment is configured to generate, according to the authentication response returned by the authentication server, the security protection sub-key required to access the target network, and to switch from the source network to the target network according to that security protection sub-key.
21. The network switching system according to claim 20, characterized in that it further comprises a derived root key generating apparatus,
the derived root key generating apparatus being configured to receive the root key the source network is using, as sent by the source network, to generate a derived root key from that root key, and to send the derived root key to the authentication server.
22. The network switching system according to claim 20, characterized in that the terminal equipment further comprises an IPsec tunnel processing unit,
the IPsec tunnel processing unit being configured to configure the IPsec tunnel between the terminal equipment and the ePDG, to switch to the target network over that IPsec tunnel, and to move the IPsec tunnel between the terminal equipment and the ePDG to the target network.
23. An authentication server, characterized in that it comprises a key derivation unit, a key distribution unit and a message sending unit;
the key derivation unit is configured to generate a security protection master key from the derived root key or from the root key the source network is using;
the key distribution unit is configured to distribute the security protection master key to the network entity corresponding to the target network;
the message sending unit is configured to send to the terminal equipment an authentication response containing the security parameters selected for generating the security protection master key.
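The claims describe a three-level key hierarchy (shared authentication root key, security protection master key, security protection sub-key) with the selected parameters echoed back to the terminal so that it can recompute the same sub-key from its own root key. The following simulation of that exchange is an added example, not code from the patent. The patent specifies no key derivation function, no message encoding and no integrity check, so HMAC-SHA256 with labelled contexts, the `proof` field in the authentication response, the parameter values and the IKE parameter strings are all assumptions made here; the function and class names are likewise invented for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def kdf(key: bytes, label: bytes, params: bytes) -> bytes:
    """One derivation step. HMAC-SHA256 over a label plus the selected security
    parameters is an assumption; the claims specify no key derivation function."""
    return hmac.new(key, label + b"\x00" + params, hashlib.sha256).digest()

@dataclass
class SecurityContext:
    """Sent by the source network to the authentication server (claims 6, 7)."""
    shared_auth_root_key: bytes
    root_params: bytes            # parameters selected for the derived root key
    terminal_capabilities: bytes  # security capabilities of the terminal
    terminal_ike_params: bytes    # IKE parameters of the terminal

@dataclass
class AuthResponse:
    """Built by the target network entity and forwarded to the terminal (claims 11-14).
    'proof' is an added MAC under the sub-key so a key mismatch is caught early."""
    root_params: bytes
    master_params: bytes
    sub_params: bytes
    epdg_ike_params: bytes
    proof: bytes = b""

    def transcript(self) -> bytes:
        return b"|".join([self.root_params, self.master_params, self.sub_params, self.epdg_ike_params])

def source_security_context(root_key, caps, ike, root_params) -> SecurityContext:
    """Source network side. Claim 5 lets the HSS or AAA derive a root key from the one
    in use; deriving it here (assumption) keeps the original root key at the source."""
    derived = kdf(root_key, b"derived-root", root_params)
    return SecurityContext(derived, root_params, caps, ike)

class TargetNetworkEntity:
    """Network entity of the target network, e.g. the ePDG."""
    def __init__(self, epdg_ike_params: bytes):
        self.epdg_ike_params = epdg_ike_params
        self.master_key = self.sub_key = self.last_response = None

    def receive_master_key(self, master, root_params, master_params, sub_params):
        self.master_key = master
        self.sub_key = kdf(master, b"sub", sub_params)
        resp = AuthResponse(root_params, master_params, sub_params, self.epdg_ike_params)
        resp.proof = hmac.new(self.sub_key, resp.transcript(), hashlib.sha256).digest()
        self.last_response = resp
        return resp

    def refresh(self, sub_params: bytes) -> AuthResponse:
        """Claim 19: re-authentication in the target network renews only the sub-key."""
        last = self.last_response
        return self.receive_master_key(self.master_key, last.root_params,
                                       last.master_params, sub_params)

class AuthServer:
    def __init__(self, use_shared_as_master: bool = False):
        self.use_shared_as_master = use_shared_as_master

    def handover(self, ctx, target, master_params, sub_params) -> AuthResponse:
        if self.use_shared_as_master:                                   # claim 9
            master = ctx.shared_auth_root_key
        else:                                                           # claim 8
            master = kdf(ctx.shared_auth_root_key, b"master", master_params)
        return target.receive_master_key(master, ctx.root_params, master_params, sub_params)

def terminal_sub_key(root_key, resp: AuthResponse, use_shared_as_master: bool) -> bytes:
    """Claim 15: the terminal combines the response parameters with the root key
    it is using and recomputes the whole chain, then checks that it matches."""
    derived = kdf(root_key, b"derived-root", resp.root_params)
    master = derived if use_shared_as_master else kdf(derived, b"master", resp.master_params)
    sub = kdf(master, b"sub", resp.sub_params)
    expected = hmac.new(sub, resp.transcript(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp.proof):
        raise ValueError("sub-key mismatch: do not switch bearers")
    return sub

def run_handover(root_key, terminal_root_key=None, use_shared_as_master=False, tamper=False):
    """Whole exchange with constructed parameters; returns what each side ends up with."""
    aaa, ue_root = AuthServer(use_shared_as_master), terminal_root_key or root_key
    target = TargetNetworkEntity(b"ePDG:ikev2/aes256-sha256")              # constructed
    ctx = source_security_context(root_key, b"caps:ipsec,mobike",            # constructed
                                  b"UE:ikev2/aes256-sha256", os.urandom(16))
    resp = aaa.handover(ctx, target, os.urandom(16), os.urandom(16))
    if tamper:  # an on-path change to the parameters the terminal will use
        resp.sub_params = bytes(b ^ 1 for b in resp.sub_params)
    try:
        ue_sub, accepted = terminal_sub_key(ue_root, resp, use_shared_as_master), True
    except ValueError:
        ue_sub, accepted = None, False
    return {"accepted": accepted, "terminal_sub_key": ue_sub, "target_sub_key": target.sub_key,
            "terminal_root_key": ue_root, "target": target}
```

Two points the code makes that the claims leave implicit: the terminal never receives any key, only parameters, so a wrong root key on the terminal or a modified parameter set shows up as a sub-key mismatch before bearers are switched (the `proof` check turns that silent mismatch into a rejected handover); and a claim 19 refresh changes only the lowest-level parameters, so the master key distributed to the target network entity is reused rather than re-derived. The IPsec tunnel setup and MOBIKE move of claims 16 and 17 are IKEv2 exchanges outside this sketch.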
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101231802A CN101340708B (en) 2007-07-02 2007-07-02 Method, system and apparatus for network switching

Publications (2)

Publication Number Publication Date
CN101340708A CN101340708A (en) 2009-01-07
CN101340708B true CN101340708B (en) 2011-12-21

Family

ID=40214638

Country Status (1)

Country Link
CN (1) CN101340708B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101730093B (en) 2009-02-20 2013-01-16 中兴通讯股份有限公司 Safe switching method and system
CN101931950B (en) * 2009-06-19 2014-02-05 电信科学技术研究院 Method, system and device for acquiring key in switching process
CN102546154B (en) * 2011-12-19 2015-09-16 上海顶竹通讯技术有限公司 The changing method of terminal in mobile communications network
CN102497273B (en) * 2011-12-27 2018-09-28 西安西电捷通无线网络通信股份有限公司 A kind of method for authenticating entities and apparatus and system
CN104038938A (en) * 2013-03-06 2014-09-10 中兴通讯股份有限公司 Terminal switching method, access controller and access point
CN107820283B (en) 2016-09-13 2021-04-09 华为技术有限公司 Network switching protection method, related equipment and system
CN109391941B (en) * 2017-08-03 2020-12-25 华为技术有限公司 Access authentication method and device
CN109391937B (en) * 2017-08-04 2021-10-19 华为技术有限公司 Method, device and system for obtaining public key
CN113453230B (en) * 2020-03-25 2023-11-14 中国电信股份有限公司 Terminal management method and system and security agent
CN115103416B (en) * 2022-07-25 2023-10-13 北京小米移动软件有限公司 Network switching method, device, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905734A (en) * 2005-07-25 2007-01-31 华为技术有限公司 Method and system for object base station to obtain KI

Similar Documents

Publication Publication Date Title
CN101340708B (en) Method, system and apparatus for network switching
Chan et al. Requirements for distributed mobility management
EP2415288B1 (en) Mobile communication method, mobile communication system, and corresponding apparatus
US8654716B2 (en) System and method for name binding for multiple packet data network access
EP2458914B1 (en) Method for reselecting bearer binding and event report function
EP2338264B1 (en) Optimization of handovers to untrusted non-3gpp networks
EP2832127B1 (en) Communications system
AU2007304555B2 (en) Encryption in a wireless telecommunications
EP2115964B1 (en) Mechanism to uniquely identify and unify a user's set of packet bearer contexts in a mobile telecommunications network
CN101374334A (en) Method and system for transferring packet data network identification information
CN1989756A (en) Framework of media-independent pre-authentication support for pana
Forsberg LTE key management analysis with session keys context
WO2004036332A2 (en) Virtual private network with mobile nodes
CN101897217A (en) Internet protocol version 4 support for proxy mobile internet protocol version 6 route optimization protocol
Vintilă et al. Security analysis of LTE access network
CN101336000B (en) Protocol configuration option transmission method, system and user equipment
KR20140055857A (en) System and method for providing mobility in heterogeneous network
CN103796281A (en) Management method, device and system for packet-data network type
CN101534496A (en) Method for obtaining home link information by user
CN102340766B (en) Home network obtains the method and system of net element information in visited network
US20200169885A1 (en) Method and system for supporting security and information for proximity based service in mobile communication system environment
CN101990312B (en) Connection establishing method of mobile network and system
CN101964968A (en) Method and system for inquiring domain name in mobile terminal
EP2361473A1 (en) Method and communication system for protecting an authentication connection
EP3195643B1 (en) Method, server, base station and communication system for configuring security parameters

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHANGZHOU XIAOGUO INFORMATION SERVICE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20140313

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518129 SHENZHEN, GUANGDONG PROVINCE TO: 213164 CHANGZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140313

Address after: 213164 building C, building 407-2-6, Tian An Digital City, 588 Chang Wu Road, Wujin hi tech Industrial Development Zone, Changzhou, Jiangsu, China

Patentee after: Changzhou Xiaoguo Information Service Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111221

Termination date: 20160702