Embodiment
The specific embodiments of the present invention are described in further detail below in conjunction with the drawings and examples.
For handover between a 3GPP access network and a trusted non-3GPP access network, where both networks adopt the AKA (Authentication and Key Agreement) authentication protocol, the security protection keys that one network needs can be derived from the root key produced by the AKA authentication of the other network. That is, for two access networks that both support the AKA authentication protocol, the authentication root key is reusable, and sharing of the authentication root key can be realized. Sharing of the authentication root key comprises two modes: conditional sharing of the authentication root key and direct sharing of the authentication root key. Conditional sharing is mainly motivated by security: the root key that the source network issues to the target network is not the root key the source network is currently using, but a root key generated within the source network from the root key in current use by a certain algorithm for use by the target network; this root key is called the derived root key. Direct sharing means that the source network trusts the target network and directly sends it the root key in use.
For handover between a 3GPP access network and an untrusted non-3GPP access network, the key sharing modes likewise include conditional sharing and direct sharing of the authentication root key. After the terminal device switches to the target network, it needs to access the 3GPP access network through an ePDG (Evolved Packet Data Gateway), and during root key sharing an IPsec (Internet Protocol Security) tunnel is established between the terminal device and the ePDG. Establishment of the IPsec tunnel comprises the IKE (Internet Key Exchange) procedure together with tunnel authentication and authorization.
The 3GPP access network comprises two access cases: UTRAN (UMTS Terrestrial Radio Access Network) and E-UTRAN.
For handover from E-UTRAN to a trusted non-3GPP access network, the root key sharing process is carried out within the authentication and authorization process. E-UTRAN sends the authentication root key to the trusted non-3GPP access network in one of three ways: 1) conditional sharing of the authentication root key by the MME (Mobility Management Entity); 2) conditional sharing of the authentication root key by the HSS (Home Subscriber Server); 3) direct sharing of the authentication root key.
Embodiment one describes in detail the handover flow from E-UTRAN to a trusted non-3GPP access network with conditional sharing of the authentication root key by the MME. Fig. 3 is a handover flow chart between a 3GPP access network and a trusted non-3GPP access network according to an embodiment of the invention. The handover flow is described in detail with reference to Fig. 3.
Step S301: in the source network, a bearer is established between the terminal device and the PDN GW, uplink and downlink data are being transmitted, and the terminal's service is normal.
Step S302: if the source network signal falls below a preset threshold, the source network or the terminal device selects a target network. If the terminal device selects the target network, it may send an authentication request message to the MME through NAS (Non-Access Stratum) signaling, or send it to the base station in an AS (Access Stratum) message, which the base station forwards to the MME. If the source network selects the target network, the terminal device provides a measurement report to the source network; the measurement report includes contents such as the source network ID and signal strength.
Step S303: according to the selected target network information, the MME obtains the address of the network entity in the target network (the trusted non-3GPP access network). The address may be obtained by static configuration, by DNS (Domain Name System) query, by DHCP (Dynamic Host Configuration Protocol) query, or by other means.
Step S304: in this embodiment the derived-root-key generating apparatus is the MME. The MME deduces the derived root key by a certain algorithm from the root key that the current E-UTRAN access network is using, and sends a security context to the trusted non-3GPP access network. The security context includes the identifier of the E-UTRAN network and the latest derived root key.
Step S305: the MME sends an authentication request message to the HSS. The authentication request message includes parameters such as the address of the network entity of the trusted non-3GPP access network, the security capabilities of the terminal device, and the security context.
Step S306: the HSS forwards the received authentication request message to the AAA Server.
Step S307: in this embodiment the authentication server is the AAA Server. According to the received derived root key, the AAA Server generates, by a certain algorithm, the security protection master key that the trusted non-3GPP access network needs.
Step S308: according to the received IP address of the network entity of the target network, the AAA Server distributes the generated key to the other network entities of the target network and generates the security protection sub-keys that those entities need.
Step S309: the AAA Server (Authentication, Authorization and Accounting Server) sends an authentication response to the HSS. The authentication response includes information such as security parameters, which comprise the algorithm information the AAA Server used to generate the security protection master key and sub-keys, together with parameter information such as a random number.
Step S310: the HSS sends the authentication response to the MME.
Step S311: the MME adds parameters such as the algorithm information used to generate the derived root key to the security parameters in the authentication response, and sends the security parameters to the terminal device. The MME may exchange the security parameters with the terminal device by NAS messages, or it may send the security message to the base station, which sends it to the terminal device in an AS message. The MME's method of sending the security parameters to the terminal is of course not limited to these two methods.
Step S312: according to the algorithm information contained in the received security parameters, the terminal device selects algorithms identical to those used to generate the derived root key, the security master key and the sub-keys, combines them with the root key currently in use to generate the security keys needed to access the target network, then switches to the target network and establishes the connection to the target network (the trusted non-3GPP access network) using the generated security keys.
Step S313: in the target network (the trusted non-3GPP access network), the terminal device establishes a connection to the PDN GW and completes the bearer configuration. After the bearer configuration for trusted non-3GPP access is complete, the bearer of the source network (the 3GPP access network) is released. The terminal has completed its connection to the trusted non-3GPP access network, and uplink and downlink data are transmitted on the bearer. Because the network security level of the trusted non-3GPP access network differs from that of the 3GPP access network, the trusted non-3GPP access network may initiate a new full authentication and update the previously generated security keys, so that information such as its security level is consistent with that of the trusted non-3GPP access network. Since the connection to the trusted non-3GPP access network has already been established, this full authentication process does not affect the connection between the terminal device and the trusted non-3GPP access network, and so does not affect service continuity.
If the HSS and the AAA Server are combined into one HSS/AAA Server, steps S306 and S309 are not needed and the other steps are unchanged.
If the handover from E-UTRAN to the trusted non-3GPP access network uses conditional sharing of the authentication root key by the HSS, as shown in Fig. 4, most of the steps are the same as in embodiment one, with the following differences:
Step S404: the MME sends a security context to the HSS.
Step S405: the derived-root-key generating apparatus is the HSS, which generates the derived root key from the root key in current use.
Step S406: the HSS adds the derived root key to the security context sent by the MME, then sends the security context containing the derived root key to the AAA Server.
Step S410: the HSS puts the algorithm information used to generate the derived root key into the security parameters returned by the AAA Server, and sends an authentication response containing the security parameters with the added algorithm information to the MME. Alternatively, this step may be realized as follows: at step S407 the HSS sends the algorithm information used to generate the derived root key to the AAA Server, and the AAA Server adds it directly to the security parameters sent to the terminal device. The method of sending the algorithm information used to generate the derived root key to the terminal device is of course not limited to these two methods.
Step S411: the MME sends the authentication response directly to the terminal device.
If embodiment one uses direct sharing of the authentication root key, most of the steps are again the same as in embodiment one, with the following differences:
Step S304 of embodiment one is deleted, because no derivation from the root key in current use is needed.
Step S305 of embodiment one is replaced by: the MME or the HSS adds the root key in use to the security context and sends it to the AAA Server.
Step S311 of embodiment one is replaced by: the MME sends the security parameters sent by the AAA Server directly to the terminal device, without change.
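The conditional and direct sharing modes of embodiment one, simulated end to end as an added example that is not part of the patent: the MME builds the security context (steps S304 and S305), the AAA Server derives the master key and sub-keys (S307 and S308), the security parameters carry the algorithm identifiers and random number back to the terminal (S309 to S311), and the terminal reproduces the same keys from its own root key (S312). HMAC-SHA256 as the key derivation function, the key labels, the network identifier, the sub-key recipients and all function names are assumptions; the patent leaves the "certain algorithm" unspecified.

```python
"""Simulation of root-key sharing in embodiment one (steps S304-S312).

Assumptions (not from the patent text): HMAC-SHA256 stands in for the
patent's unspecified "certain algorithm"; the key and label names
(k_asme, "derived-root", "master", "sub") are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Algorithm identifiers carried in the security parameters so the terminal
# can select the same derivation functions the network used (assumed names).
KDF_ALGS = {
    "kdf-hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
}


def derive(alg: str, key: bytes, *labels: bytes) -> bytes:
    """One key-derivation step: bind the new key to the given labels."""
    return KDF_ALGS[alg](key, b"|".join(labels))


@dataclass
class SecurityContext:
    """Steps S304/S305: what the source network hands to the target network."""
    network_id: bytes   # identifier of the source E-UTRAN network
    root_key: bytes     # derived root key (conditional) or root key in use (direct)


@dataclass
class SecurityParameters:
    """Steps S309-S311: what the terminal receives to reproduce the keys."""
    root_kdf: Optional[str]          # algorithm the MME used; None in direct mode
    master_kdf: str
    subkey_kdf: str
    nonce: bytes                     # the "random number" in the security parameters
    subkey_labels: Tuple[bytes, ...]


def mme_build_context(k_asme: bytes, network_id: bytes, conditional: bool,
                      alg: str = "kdf-hmac-sha256") -> Tuple[SecurityContext, Optional[str]]:
    """Step S304 (conditional sharing) or its direct-sharing replacement."""
    if conditional:
        derived = derive(alg, k_asme, b"derived-root", network_id)
        return SecurityContext(network_id, derived), alg
    return SecurityContext(network_id, k_asme), None


def aaa_generate_keys(ctx: SecurityContext, nonce: bytes, labels: Tuple[bytes, ...],
                      alg: str = "kdf-hmac-sha256") -> Tuple[bytes, Dict[bytes, bytes]]:
    """Steps S307/S308: master key from the shared root key, then per-entity sub-keys."""
    master = derive(alg, ctx.root_key, b"master", ctx.network_id, nonce)
    subkeys = {lbl: derive(alg, master, b"sub", lbl) for lbl in labels}
    return master, subkeys


def ue_generate_keys(k_asme: bytes, network_id: bytes,
                     params: SecurityParameters) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Step S312: the terminal repeats the same derivations from its own root key."""
    if params.root_kdf is None:
        root = k_asme
    else:
        root = derive(params.root_kdf, k_asme, b"derived-root", network_id)
    master = derive(params.master_kdf, root, b"master", network_id, params.nonce)
    subkeys = {lbl: derive(params.subkey_kdf, master, b"sub", lbl)
               for lbl in params.subkey_labels}
    return master, subkeys


def run_handover(k_asme: bytes, conditional: bool = True,
                 nonce: Optional[bytes] = None) -> dict:
    """Run the network side and the terminal side and report whether they agree."""
    network_id = b"E-UTRAN:PLMN-example"        # constructed identifier
    labels = (b"access-gw", b"base-station")     # constructed sub-key recipients
    nonce = nonce if nonce is not None else secrets.token_bytes(16)

    ctx, root_alg = mme_build_context(k_asme, network_id, conditional)
    net_master, net_subkeys = aaa_generate_keys(ctx, nonce, labels)
    params = SecurityParameters(root_alg, "kdf-hmac-sha256", "kdf-hmac-sha256", nonce, labels)
    ue_master, ue_subkeys = ue_generate_keys(k_asme, network_id, params)

    return {
        "mode": "conditional" if conditional else "direct",
        "context": ctx,
        "network_master": net_master,
        "match": net_master == ue_master and net_subkeys == ue_subkeys,
        # In conditional mode the target network never sees the root key in use.
        "root_key_exposed": ctx.root_key == k_asme,
    }


if __name__ == "__main__":
    k = secrets.token_bytes(32)  # constructed stand-in for the root key in use
    for mode in (True, False):
        r = run_handover(k, conditional=mode)
        print(r["mode"], "keys match:", r["match"], "root key exposed:", r["root_key_exposed"])
```

The root_key_exposed field shows the point of conditional sharing: the target network receives only the derived root key, never the root key in use, while both modes still end with identical keys on the network and terminal sides.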
Handover from UTRAN to the trusted non-3GPP access network is substantially the same as handover from E-UTRAN to the trusted non-3GPP access network, and likewise has the three key sharing modes: conditional sharing of the authentication root key by the MME, conditional sharing of the authentication root key by the HSS, and direct sharing of the authentication root key. The main differences are that the functions of the MME are performed by the SGSN (the MME does not take part in the handover flow), so the derived-root-key generating apparatus becomes the SGSN, and the functions of the base station are performed by the RNC. Making only these two replacements in embodiment one yields the flow for handover from UTRAN to the trusted non-3GPP access network, so it is not described again.
Handover from the trusted non-3GPP access network to E-UTRAN has two root key sharing modes: 1) conditional sharing of the authentication root key by the AAA Server; 2) direct sharing of the authentication root key.
Embodiment two describes in detail the handover flow from a trusted non-3GPP access network to E-UTRAN with conditional sharing of the authentication root key by the AAA Server. Fig. 5 is a handover flow chart between a trusted non-3GPP access network and a 3GPP access network according to an embodiment of the invention. This embodiment is described in detail with reference to Fig. 5.
Step S501: the terminal device has a connection between the trusted non-3GPP access network and the PDN GW, the bearer is configured, uplink and downlink data are being transmitted, and the terminal's service is normal.
Step S502: if the source network signal falls below a preset threshold, the source network or the terminal device selects a target network and prepares for network handover. If the terminal device selects the target network, then after determining the handover target network it initiates a handover request to the source network, requesting root key sharing. If the source network selects the target network, the terminal device provides a measurement report to the source network; the measurement report includes contents such as the source network ID and signal strength.
Step S503: the network entity in the trusted non-3GPP access network determines the address of the MME in the target network by static configuration, DNS query, DHCP query or other means.
Step S504: the network entity of the trusted non-3GPP access network sends an authentication request message to the AAA Server; the authentication request message includes information such as the address of the MME. In the roaming case, the message needs to be relayed through one or more AAA Proxies (authentication, charging and authorization proxies).
Step S505: in this embodiment the derived-root-key generating apparatus is the AAA Server, which generates the derived root key from the root key in current use by a certain algorithm, to be shared with the target network E-UTRAN.
Step S506: the AAA Server sends an authentication request message to the HSS; the authentication request message includes information such as the address of the MME and the security context. The security context includes information such as the identifier of the trusted non-3GPP access network and the derived root key.
Step S507: in this embodiment the authentication server is the HSS. The HSS obtains the derived root key from the received security context information and generates the security protection master key from it by a certain algorithm. Alternatively, the HSS may not generate a security protection master key but treat the derived root key directly as the security protection master key.
Step S508: according to the received address information of the MME, the HSS distributes the security protection master key and generates the security protection sub-keys that E-UTRAN access needs.
Step S509: the HSS sends an authentication response to the AAA Server. The authentication response includes information such as security parameters, which comprise the parameters the target network selected for generating the security protection master key and sub-keys, together with parameter information such as a random number.
Step S510: the AAA Server adds parameters such as the algorithm information used to generate the derived root key to the security parameters in the authentication response, and sends the security parameters to the trusted non-3GPP access network.
Step S511: the trusted non-3GPP access network sends the security parameters to the terminal device in a handover command message, notifying the terminal device that network handover may proceed. The handover command message may be carried in a NAS message, or the AGW (Access Gateway) of the trusted non-3GPP access network may send a message to the BS (base station), which sends it to the terminal device over the air interface. The method by which the trusted non-3GPP access network sends the handover command message is of course not limited to these two methods.
Step S512: according to the algorithm information contained in the received security parameters, the terminal device uses the same algorithms as were used to generate the derived root key, the security master key and the sub-keys, combines them with the root key currently in use to generate the security protection sub-keys needed to access the target network E-UTRAN, and sends an Attach Request message to the target network.
Step S513: the MME initiates a Location Update procedure towards the HSS, in which the MME registers with the HSS and the HSS returns subscription data to the MME.
Step S514: in the target network E-UTRAN, the terminal device establishes a connection to the PDN GW and completes the bearer configuration. After the E-UTRAN access bearer configuration is complete, the terminal has completed its connection to E-UTRAN, and uplink and downlink data are transmitted on the bearer. Because the network security level of the trusted non-3GPP access network differs from that of the 3GPP access network, E-UTRAN may initiate a new AKA authentication to update the previously generated security keys. Since the connection to E-UTRAN has already been established, this full authentication process does not affect the connection between the terminal device and E-UTRAN, and so does not affect service continuity.
Step S515: the bearer used when accessing through the source network (the trusted non-3GPP access network) is released.
It should be noted that if the HSS and the AAA Server are combined into one HSS/AAA Server, steps S506 and S509 are not needed and the other steps are unchanged. Step S507 may also be performed as follows: the HSS obtains the derived root key from the received security context information, does not generate a security protection master key, and distributes the derived root key directly to the MME.
If embodiment two uses direct sharing of the authentication root key, most of the steps are the same as in embodiment two, with the following differences:
Step S505 of embodiment two is deleted, because no derivation from the root key in current use is needed.
Step S506 of embodiment two is replaced by: the AAA Server adds the root key in use to the security context and sends it to the HSS.
Step S510 of embodiment two is replaced by: the AAA Server sends the security parameters directly to the terminal device, without change.
Handover from the trusted non-3GPP access network to UTRAN is substantially the same as handover from the trusted non-3GPP access network to E-UTRAN, and likewise has the two key sharing modes of conditional sharing of the authentication root key by the AAA Server and direct sharing of the authentication root key. The main difference is that the functions of the MME are performed by the SGSN (the MME does not take part in the handover flow). Making the corresponding replacement in embodiment two yields the flow for handover from UTRAN to the trusted non-3GPP access network, so it is not described again.
For handover between a 3GPP access network and an untrusted non-3GPP access network, since the 3GPP access network comprises the two access cases UTRAN and E-UTRAN, there is both handover between E-UTRAN and the untrusted non-3GPP access network and handover between UTRAN and the untrusted non-3GPP access network.
Handover from E-UTRAN to the untrusted non-3GPP access network likewise has three root key sharing modes: conditional sharing of the authentication root key by the MME, conditional sharing of the authentication root key by the HSS, and direct sharing of the authentication root key.
Embodiment three describes in detail the flow in which the terminal device switches from E-UTRAN to an untrusted non-3GPP access network and conditional sharing of the authentication root key by the MME is selected. Fig. 6 is a handover flow chart between a 3GPP access network and an untrusted non-3GPP access network according to an embodiment of the invention. The flow is described in detail with reference to Fig. 6.
Step S601: in the 3GPP access network, a connection exists between the terminal device and the PDN GW, the bearer is configured, uplink and downlink data are being transmitted, and the terminal's service is normal.
Step S602: if the source network signal falls below a preset threshold, the source network or the terminal device selects a target network. If the terminal device selects the target network, the source network provides assistance information to help it select the target network; the assistance information includes information such as network topology, operator preferences and policy. If the source network selects the target network, the terminal device provides a measurement report to the source network; the measurement report includes contents such as the source network ID and signal strength.
Step S603: the terminal device sends an authentication request message to the MME. The authentication request message includes the User ID and the IKEv2 parameters of the terminal device, which comprise parameters such as the IKE Header, Security Association, Configuration Payload, Traffic Selector and Certificate.
Step S604: according to the selected target network information, the MME obtains the address of the ePDG in the trusted non-3GPP access network. The ePDG address may be obtained by static configuration, DNS query, DHCP query or other means.
Step S605: in this embodiment the derived-root-key generating apparatus is the MME. The MME deduces the derived root key by a certain algorithm from the root key that the current E-UTRAN access network is using, and sends a security context to the trusted non-3GPP access network. The security context includes information such as the identifier of the E-UTRAN network and the latest derived root key.
Step S606: the MME sends an authentication request message to the HSS. The authentication request message includes parameters such as the address of the ePDG in the trusted non-3GPP access network, the security capabilities of the terminal, the security context, and the IKEv2 parameters of the terminal device.
Step S607: the HSS forwards the received authentication request message to the AAA Server.
Step S608: in this embodiment the authentication server is the AAA Server. According to the received derived root key, the AAA Server generates, by a certain algorithm, the security protection master key that the trusted non-3GPP access network needs.
Step S609: according to the received IP addresses of the network entities of the trusted non-3GPP access network, the AAA Server distributes the generated security protection master key to the other network entities of the trusted non-3GPP access network and generates the security protection sub-keys that those entities need. It also sends information such as the IKEv2 parameters and User ID of the terminal device to the ePDG. According to the Configuration Payload in the IKEv2 parameters, the ePDG allocates a local IP address to the terminal device and uses it as the terminal's local address to establish the inbound and outbound SAs (Security Associations) between the terminal and the ePDG. The ePDG sends its ePDG ID and its IKEv2 parameters to the terminal device; these IKEv2 parameters include information such as the IP address the ePDG allocated to the terminal device. In the roaming case, one or more AAA Proxies are needed to relay the messages.
Step S610: the AAA Server sends an authentication response to the HSS. The authentication response includes information such as the security parameters, the ePDG ID and the ePDG IKEv2 parameters, together with parameter information such as a random number.
Step S611: the HSS sends the authentication response to the MME.
Step S612: the MME adds the algorithm information used to generate the derived root key to the security parameters in the authentication response, and sends the authentication response containing the security parameters, the ePDG ID and the ePDG IKEv2 parameters to the terminal device.
Step S613: according to the received security parameters and the root key in use, the terminal device generates the security protection master key and sub-keys that the target network needs. It establishes the inbound and outbound SAs between itself and the ePDG according to the ePDG IKEv2 parameters, which completes the configuration of the IPsec tunnel between the terminal device and the ePDG. The terminal then switches to the target network.
Step S614: the terminal device establishes a connection to the untrusted non-3GPP access network using the generated security protection sub-keys, and migrates the IPsec tunnel between the terminal device and the ePDG to the untrusted non-3GPP access network; the migration of the IPsec tunnel may be based on the MOBIKE protocol.
Step S615: in the untrusted non-3GPP access network, the terminal device connects to the PDN GW and completes the bearer configuration. The bearer of the source network E-UTRAN is released. At this point the terminal has completed its connection to the untrusted non-3GPP network, and uplink and downlink data are transmitted on the bearer. Because the network security level of the untrusted non-3GPP access network differs from that of the 3GPP access network, the untrusted non-3GPP access network may initiate a new full authentication and update the previously generated security keys, so that information such as its security level is consistent with that of the untrusted non-3GPP access network. Since the connection to the untrusted non-3GPP access network has already been established, this full authentication process does not affect the connection between the terminal device and the untrusted non-3GPP access network, and so does not affect service continuity.
If the HSS and the AAA Server are combined into one HSS/AAA Server, steps S607 and S610 are not needed and the other steps are unchanged.
If the terminal device switches from E-UTRAN to the untrusted non-3GPP access network with conditional sharing of the authentication root key by the HSS, the handover flow is as shown in Fig. 7; most of the steps are the same as in embodiment three, with the following differences:
Step S705: the MME sends a security context to the HSS, but this context does not include the derived root key that is sent to the AAA Server.
Step S706: in this embodiment the derived-root-key generating apparatus is the HSS, which generates the derived root key from the root key in current use.
Step S707: the HSS adds the derived root key to the security context sent by the MME, then sends the security context containing the derived root key to the AAA Server.
Step S711: the HSS puts the algorithm information used to generate the derived root key into the security parameters returned by the AAA Server, and sends the authentication response with the added algorithm information to the MME. Alternatively, this step may be realized as follows: at step S707 the HSS sends the algorithm information used to generate the derived root key to the AAA Server, and the AAA Server adds it directly to the security parameters sent to the terminal device. The method of sending the algorithm information used to generate the derived root key to the terminal device is of course not limited to these two methods.
Step S712: the MME sends the authentication response directly to the terminal device without any modification.
If embodiment three uses direct sharing of the authentication root key, most of the steps are again the same as in embodiment three, with the following differences:
Step S604 of embodiment three is deleted, because no derivation from the root key in current use is needed.
Step S605 of embodiment three is replaced by: the MME or the HSS adds the root key in use to the security context and sends it to the AAA Server.
Step S612 of embodiment three is replaced by: the MME sends the security parameters sent by the AAA Server directly to the terminal device, without change.
Handover from UTRAN to the untrusted non-3GPP access network is substantially the same as handover from E-UTRAN to the untrusted non-3GPP access network, and likewise has the three key sharing modes: conditional sharing of the authentication root key by the MME, conditional sharing of the authentication root key by the HSS, and direct sharing of the authentication root key. The main differences are that the functions of the MME are performed by the SGSN (the MME does not take part in the handover flow), so the derived-root-key generating apparatus becomes the SGSN, and the functions of the base station are performed by the RNC. Making only these two replacements in embodiment three yields the flow for handover from UTRAN to the untrusted non-3GPP access network, so it is not described again.
Switch to E-UTRAN by insincere non-3 GPP access network, its root key has two kinds of sharing modes, 1) AAA server has ready conditions and shares the authentication root key; 2) directly share the authentication root key.
Embodiment four introduces in detail and switches to E-UTRAN by insincere non-3 GPP access network and have ready conditions by AAAServer and share the switching flow of authentication root key.Fig. 8 is a kind of 3GPP Access Network of the embodiment of the invention and the switching flow figure of insincere non-3 GPP access network.In conjunction with Fig. 8, present embodiment is described in detail.
Step S801, terminal equipment finish the carrying configuration by connecting between insincere non-3 GPP access network and the PDN GW, and the transmission of upstream and downstream data is arranged, and terminal equipment is professional normal.
Step S802, if the source network signal is lower than preset threshold, source network or terminal equipment meeting selected target network are prepared to carry out network and are switched.If terminal equipment selected target network, it can initiate the handoff request of road source network behind definite switching target network, requires to carry out root key and shares.If source network selected target network, then terminal equipment provides measurement report to source network, and measurement report comprises contents such as source network ID, signal strength signal intensity.
Step S803, the network entity in the insincere non-3 GPP access network be by static configuration or DNS inquiry, and perhaps mode such as DHCP inquiry is determined the address of the MME in the objective network.
Step S804, ePDG send authentication request message to AAA Server, and authentication request message comprises the message such as address of MME.If under the situation of roaming, need to carry out the message transfer through one or more AAA Proxy.
Step S805, the root key generating apparatus of deriving of present embodiment is AAA Server, AAAServer generates the root key of deriving according to the root key of current use by certain algorithm, shares with objective network E-UTRAN.
Step S806, AAA Server send authentication request message to HSS, and authentication request message comprises information such as the address of MME and safe context.Safe context comprises information such as the sign of insincere non-3 GPP access network and the root key of deriving.
Step S807, the objective network generating apparatus of present embodiment is HSS, HSS obtains the root key of deriving according to the safe context information of receiving, by certain algorithm, generates fail safe protection master key.Certainly, HSS also can not generate fail safe protection master key, but the root key of directly will deriving is regarded fail safe protection master key as.
Step S808, according to the received MME address information, the HSS distributes the security protection master key and generates the security protection sub-key needed for E-UTRAN access.
Step S809, the HSS sends an authentication response to the AAA Server; the authentication response includes information such as security parameters. The security parameters include the algorithm information used by the HSS to generate the security protection master key and sub-key, and parameter information such as random numbers.
Step S810, the AAA Server adds parameters such as the algorithm information used to generate the derived root key to the security parameters in the authentication response, and sends the security parameters to the untrusted non-3GPP access network.
Step S811, the untrusted non-3GPP access network sends the security parameters to the terminal equipment in a handover command message, notifying the terminal equipment that it may perform the network handover. The handover command message may be carried over the IPSEC tunnel or realized by extending IKE messages. Of course, the method by which the ePDG sends the handover command message is not limited to these two.
Step S812, the terminal equipment, using the algorithm information contained in the received security parameters, applies the algorithms that generate the derived root key, the security protection master key and the sub-key to the root key currently in use, generates the security protection sub-key needed to access the target network E-UTRAN, and sends an Attach Request message to the target network.
Step S813, the MME initiates the Location Update Procedure towards the HSS; in this procedure the MME registers with the HSS, and the HSS returns subscription data to the MME.
Step S814, in the target network E-UTRAN the terminal equipment establishes a connection to the PDN GW and completes the bearer configuration. After the E-UTRAN access bearer is configured, the terminal has completed its connection to E-UTRAN and uplink and downlink data are transmitted on the bearer. Because the network security level of the untrusted non-3GPP access network differs from that of the 3GPP access network, E-UTRAN may initiate a new AKA authentication to update the security keys generated previously. Since the connection to E-UTRAN already exists, this full authentication process does not affect the connection between the terminal equipment and E-UTRAN and therefore does not affect service continuity.
Step S815, the bearer used for access to the source network, the untrusted non-3GPP access network, is released.
It should be noted that if the HSS and the AAA Server are combined into one HSS/AAA Server, steps S806 and S809 are not needed and the other steps are unchanged. Step S807 may also be varied: the HSS obtains the derived root key from the received security context information and, without generating a security protection master key, distributes the derived root key directly to the MME.
If embodiment four uses direct sharing of the authentication root key, most steps remain the same as those of embodiment four, with the following differences:
Step S805 of embodiment four is deleted: no derivation from the root key currently in use is needed, so this step is unnecessary.
Step S806 of embodiment four is replaced with: the AAA Server adds the root key in use to the security context and sends it to the HSS.
Step S810 of embodiment four is replaced with: the AAA Server sends the security parameters directly to the terminal equipment without modifying them.
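As an added illustration of the key chain in steps S805 to S812 under both sharing modes (example code, not the patent's own algorithm): the text specifies each derivation only as "a certain algorithm", so the KDF (HMAC-SHA256 with labels and length-prefixed context), the parameter names and the sample values below are assumptions made here.

```python
# Added example, not the patent's own code: the key chain of steps
# S805-S812 in both sharing modes.  The patent names each derivation only
# as "a certain algorithm"; HMAC-SHA256 over a label plus length-prefixed
# context fields is the KDF assumed here.
import hashlib
import hmac

def kdf(key: bytes, label: str, *ctx: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 keyed with `key` over label and context."""
    msg = label.encode() + b"".join(len(c).to_bytes(2, "big") + c for c in ctx)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_root_key(root_in_use: bytes, nonce: bytes) -> bytes:
    """Step S805 (AAA Server): one-way derived root key for the target."""
    return kdf(root_in_use, "derived-root-key", nonce)

def master_key(shared_root: bytes, access_id: bytes) -> bytes:
    """Step S807 (HSS): master key bound to the access network identifier."""
    return kdf(shared_root, "sec-master-key", access_id)

def sub_key(master: bytes, mme_addr: bytes) -> bytes:
    """Step S808 (HSS): E-UTRAN sub-key bound to the MME address."""
    return kdf(master, "sec-sub-key", mme_addr)

def network_side(root_in_use: bytes, mode: str, access_id: bytes,
                 mme_addr: bytes, nonce: bytes):
    """Steps S805-S810.  Returns (root key handed to the HSS, sub-key for
    the MME, security parameters sent on to the terminal)."""
    if mode == "conditional":
        shared = derive_root_key(root_in_use, nonce)       # S805
    elif mode == "direct":
        shared = root_in_use                   # S805 dropped, S806 sends key in use
    else:
        raise ValueError("unknown sharing mode")
    sk = sub_key(master_key(shared, access_id), mme_addr)  # S807, S808
    params = {"mode": mode, "nonce": nonce,
              "access_id": access_id, "mme_addr": mme_addr}  # S809, S810
    return shared, sk, params

def terminal_side(root_in_use: bytes, params: dict) -> bytes:
    """Step S812: the terminal recomputes the same chain from its own root
    key and the algorithm/parameter information it received."""
    if params["mode"] == "conditional":
        shared = derive_root_key(root_in_use, params["nonce"])
    else:
        shared = root_in_use
    return sub_key(master_key(shared, params["access_id"]), params["mme_addr"])
```

In conditional mode the key handed to the target side is a one-way derivation, so the target never learns the root key in use; in direct mode it receives that key itself, which is why the text reserves direct sharing for a trusted target network.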
Handover from the untrusted non-3GPP access network to UTRAN is essentially the same as handover from the untrusted non-3GPP access network to E-UTRAN; it likewise offers the two key-sharing modes of conditional sharing of the authentication root key and direct sharing of the authentication root key through the AAA server. The main difference is that the function of the MME is performed by the SGSN and the MME does not take part in the handover flow. It therefore suffices to make the corresponding substitution in embodiment four to obtain the handover flow between the untrusted non-3GPP access network and UTRAN, which is not repeated here.
As can be seen from the above embodiments, by adopting root key sharing, the embodiments of the present invention complete the authentication and authorization of the terminal equipment at the target network before the terminal equipment hands over from the source network to the target network. This reduces the effect of authentication and authorization at the target network on handover delay, speeds up handover of the terminal equipment between networks, keeps the terminal equipment's service continuous during the network handover, and achieves seamless handover from the source network to the target network.
Fig. 9 is a structural diagram of an authentication server of an embodiment of the present invention. The authentication server comprises a key derivation unit 931, a key distribution unit 932 and a message sending unit 933. The key derivation unit 931 receives the derived root key or the root key that the source network is using, generates from it by a certain algorithm the security protection master key needed to access the target network, sends that master key to the key distribution unit 932, and at the same time sends the algorithm information used to generate the security protection master key to the message sending unit 933 as a selected parameter. The key distribution unit 932 distributes this master key to the target network entity of the target network. The message sending unit 933 receives from the target network entity the algorithm information parameter used to generate the security protection sub-key needed to access the target network, adds the algorithm information for generating the target network's security protection master key to the security parameters, and sends them to the derived root key generating apparatus or to the terminal equipment.
Figure 10 is a system structure diagram of an embodiment of the present invention. The system consists of a source network 91, a derived root key generating apparatus 92, an authentication server 93, a target network entity 94 and terminal equipment 95, where the authentication server 93 further comprises a key derivation unit 931, a key distribution unit 932 and a message sending unit 933, and the terminal equipment 95 comprises an IPSEC tunnel processing unit 951. The source network 91 and the terminal equipment 95 are connected, the bearer configuration is complete, and uplink and downlink data are being transmitted. When handing over from the source network 91 to the target network, if conditional sharing of the authentication root key is adopted, the derived root key generating apparatus 92 obtains the root key that the source network 91 is using, generates a derived root key by a certain algorithm, adds the derived root key to the security context and sends it to the key derivation unit 931 of the authentication server 93. The key derivation unit 931 generates from the derived root key, by a certain algorithm, the security protection master key needed to access the target network, sends it to the key distribution unit 932 and at the same time sends the selected parameters used to generate the security protection master key to the message sending unit 933. The key distribution unit 932 distributes this master key to the target network entity 94 of the target network, and the target network entity 94 derives the target network's security protection sub-key from the security protection master key. The target network entity 94 sends the selected parameters used to generate the security protection sub-key to the message sending unit 933 of the authentication server 93; the message sending unit 933 adds the algorithm information for generating the target network's security protection master key and sub-key to the security parameters and sends them to the derived root key generating apparatus 92. The derived root key generating apparatus 92 adds to the security parameters the information on the algorithm corresponding to generation of the derived root key, and then sends the modified security parameters to the terminal equipment 95, which generates the security protection sub-key needed by the target network from the information in the security parameters. For a handover between a 3GPP access network and an untrusted non-3GPP access network, the IPSEC tunnel processing unit 951 of the terminal equipment 95 must additionally establish an IPSEC tunnel between the terminal equipment and the ePDG and move the IPSEC tunnel to the target network by the MOBIKE protocol. The terminal equipment 95 can then connect to the target network. Once the terminal equipment 95 has completed the bearer configuration with the target network, it releases the bearer with the source network 91, achieving seamless handover.
When handing over from the source network 91 to the target network, if direct sharing of the authentication root key is adopted, the root key that the source network is using is added directly to the security context and sent to the key derivation unit 931 of the authentication server 93. The key derivation unit 931 generates from the received root key, by a certain algorithm, the security protection master key needed to access the target network, sends it to the key distribution unit 932 and at the same time sends the selected parameters used to generate the security protection master key to the message sending unit 933. The key distribution unit 932 distributes this master key to the target network entity 94 of the target network, and the target network entity 94 generates the target network's security protection sub-key from the security protection master key. The target network entity 94 sends the selected parameters used to generate the security protection sub-key to the message sending unit 933 of the authentication server 93; the message sending unit 933 adds the algorithm information for generating the target network's security protection master key and sub-key to the security parameters and sends them to the terminal equipment 95, which generates the security protection sub-key needed by the target network from the information in the security parameters. For a handover between a 3GPP access network and an untrusted non-3GPP access network, the IPSEC tunnel processing unit 951 of the terminal equipment 95 must additionally establish an IPSEC tunnel between the terminal equipment and the ePDG and move the IPSEC tunnel to the target network by the MOBIKE protocol. The terminal equipment 95 can then connect to the target network. Once the terminal equipment 95 has completed the bearer configuration with the target network, it releases the bearer with the source network 91, achieving seamless handover.
As can be seen from the foregoing description, by adopting root key sharing, the embodiments of the present invention complete the authentication and authorization of the terminal equipment at the target network before the terminal equipment hands over from the source network to the target network. This reduces the effect of authentication and authorization at the target network on handover delay, speeds up handover of the terminal equipment between networks, keeps the terminal equipment's service continuous during the network handover, and achieves seamless handover from the source network to the target network.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art may make further improvements and modifications without departing from the principle of the present invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.