Method for indicating base station security information
Technical field
The present invention relates to the communications field, and in particular to a method for indicating base station security information in a Long Term Evolution (LTE) system.
Background art
At present, an LTE network consists of the Evolved UMTS Terrestrial Radio Access Network (E-UTRAN), evolved base stations (Evolved Node B, abbreviated eNB) and the Evolved Packet Core (EPC), which together form a flattened network architecture.
The E-UTRAN comprises the set of eNBs connected to the EPC through the S1 interface, and eNBs can be connected to each other through the X2 interface. S1 and X2 are logical interfaces. One EPC can manage one or more eNBs, one eNB can be controlled by multiple EPCs, and one eNB can manage one or more cells.
At present, in the 3GPP (3rd Generation Partnership Project) 36.413 protocol, after the transport layer between the base station and the Mobile Management Entity (MME) has been established, the base station initiates an S1 SETUP REQUEST (S1 interface setup request) message to the MME. This message contains the base station Global ID (global identity), the base station name and the Time Advance (TA) range supported by the base station.
However, in the LTE system, the use of home base stations (Home eNodeB) makes base station security issues increasingly urgent. When a user uses a particular base station, the subscription may include security-related content, for example a higher security-requirement level or additional security protection configuration (such as the use of optional security algorithms in the base station backend; security algorithms include all the cryptographic algorithms used in the current communication system). Base station security information can be set in advance in the attributes of the base station, or it can be set in an upper-layer network node or a network management system.
At present, the industry has not provided a solution for how to transfer base station security information between the base station and the MME. This is clearly unfavourable to flexible base station management and cannot ensure secure use of the base station, so a method that solves this problem is needed.
Summary of the invention
The present invention is proposed in view of the need, existing in the related art, to transfer base station security information between the base station and the MME. To this end, the present invention aims to provide a method for indicating base station security information that solves the above problem.
To achieve the above object, according to one aspect of the present invention, a method for indicating base station security information is provided.
The method for indicating base station security information according to an embodiment of the invention comprises: the base station sends an S1 SETUP REQUEST message to the Mobile Management Entity (MME), and carries in the S1 SETUP REQUEST message the first base station security information that the MME needs in order to perform security setup for the base station; the MME performs security setup according to the first base station security information, returns an S1 SETUP RESPONSE message to the base station, and carries in the S1 SETUP RESPONSE message second base station security information related to the security setup performed by the MME.
The first base station security information includes authentication identification information, which indicates whether the base station supports the authentication procedure. The MME decides, according to the authentication identification information, whether to initiate the authentication procedure, and, when the MME decides to initiate the procedure, the second base station security information includes authentication information.
The first base station security information further includes security algorithm information and/or base station security level information. The security algorithm information indicates the security algorithms that the MME may adopt or is advised to adopt, and the base station security level information indicates the security level of the base station.
The MME can select a security algorithm for the base station according to the security algorithm information and/or the base station security level information, in which case the second base station security information includes security algorithm parameter information, comprising: a security key and a security algorithm index.
According to a further aspect of the invention, another method for indicating base station security information is provided.
The method for indicating base station security information according to an embodiment of the invention comprises: the base station sends an S1 SETUP REQUEST message to the MME, the S1 SETUP REQUEST message carrying base station identification information; the MME looks up the first base station security information of the base station in a database according to the base station identification information, performs security setup according to the first base station security information that it finds, returns an S1 SETUP RESPONSE message to the base station, and carries in the S1 SETUP RESPONSE message second base station security information related to the security setup performed by the MME.
The first base station security information includes authentication identification information, which indicates whether the base station supports the authentication procedure. The MME decides, according to the authentication identification information, whether to initiate the authentication procedure, and, when the MME decides to initiate the procedure, the second base station security information includes authentication information.
The first base station security information further includes security algorithm information and/or base station security level information. The security algorithm information indicates the security algorithms that the MME may adopt or is advised to adopt, and the base station security level information indicates the security level of the base station.
The MME selects a security algorithm for the base station according to the security algorithm information and/or the base station security level information, in which case the second base station security information includes security algorithm parameter information, comprising: a security key and a security algorithm index.
Through at least one of the above technical solutions provided by the invention, base station security information is set during the S1 setup procedure. This solves the problem in the related art of transferring base station security information between the base station and the MME and, compared with the related art, ensures secure use of the base station.
Other features and advantages of the invention will be set forth in the description that follows, and will in part become apparent from the specification or be understood by practising the invention. The objects and other advantages of the invention can be realised and obtained through the structures particularly pointed out in the written specification, the claims and the drawings.
Description of the drawings
The accompanying drawings provide a further understanding of the present invention and form part of the specification. Together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a schematic diagram of the S1 setup procedure according to the related art;
Fig. 2 is a flow chart of the method for indicating base station security information according to the first embodiment of the invention;
Fig. 3 is the signalling interaction flow chart of the method shown in Fig. 2;
Fig. 4 is a schematic diagram of the method for indicating base station security information according to the second embodiment of the invention;
Fig. 5 is the signalling interaction flow chart of the method shown in Fig. 4.
Embodiments
The preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the invention and do not limit it.
First, as shown in Fig. 1, after the transport layer between the eNB and the MME has been established, the eNB sends an S1 SETUP REQUEST message to the MME, containing the base station Global ID, the base station name and the TA range supported by the base station; the MME then sends an S1 SETUP RESPONSE message to the eNB. As noted above, to make base station management flexible, base station security information needs to be transferred between the base station and the MME.
On this basis, the method for indicating base station security information according to the embodiments of the invention adds an eNB security information element (IE) to the existing S1 setup procedure, and the present invention gives the following embodiments.
First embodiment
In the security information indication method according to this embodiment of the invention, the security information of the eNB is stored locally in the eNB.
Fig. 2 is a flow chart of the security information indication method according to this embodiment, and Fig. 3 is the corresponding signalling interaction flow chart. As shown in Fig. 2, the method comprises the following processing:
Step S202: the base station sends an S1 SETUP REQUEST message to the Mobile Management Entity (MME), and carries in the S1 SETUP REQUEST message the first base station security information that the MME needs in order to perform security setup for the base station. (This corresponds to 301 in Fig. 3: the eNB sends an S1 SETUP REQUEST message to the MME, and the message is extended with an added eNB security capability information element.)
Step S204: the MME performs security setup according to the first base station security information and, if the S1 interface is set up successfully, returns an S1 SETUP RESPONSE message to the base station, carrying in the S1 SETUP RESPONSE message second base station security information related to the security setup performed by the MME. (This corresponds to 302 in Fig. 3: the MME sends an S1 SETUP RESPONSE message to the eNB, and the message is extended with an added eNB security capability information element.)
Specifically, in step S202 the first base station security information can include authentication identification information, which indicates whether the eNB supports the authentication procedure. In this case, in step S204, the MME decides according to the authentication identification information whether to initiate the authentication procedure and, when it decides to initiate the procedure, includes authentication information in the second base station security information.
In addition, in step S202 the first base station security information can also include security algorithm information and/or base station security level information. The security algorithm information indicates the security algorithms that the MME may adopt or is advised to adopt, and can be expressed as a security algorithm index; the base station security level information indicates the security level of the eNB. In this case, in step S204, the MME can select a security algorithm for the eNB according to the security algorithm information and/or the base station security level information, and includes security algorithm parameter information in the second base station security information. The security algorithm parameter information comprises: a security key, a security algorithm index, and so on.
Preferably, in step S206, after receiving the S1 SETUP RESPONSE message, the eNB updates its local storage with the second base station security information issued by the MME (shown as 303 in Fig. 3).
Second embodiment
In the security information indication method according to this embodiment of the invention, the eNB security information is stored in an upper-layer network node or a network management system (such as the MME or an NMS).
Fig. 4 is a flow chart illustrating the method according to this embodiment. As shown in Fig. 4, the method comprises the following processing:
Step S402: after the base station (eNB) powers on and establishes the S1 transport-layer connection with the MME, the base station sends an S1 SETUP REQUEST message to the MME, the S1 SETUP REQUEST message carrying base station identification information. (This corresponds to 501 in Fig. 5: the eNB sends an S1 SETUP REQUEST message to the MME.)
Step S404: the MME looks up the first base station security information of the base station in a database according to the base station identification information (for example, the eNB Global ID or eNB Name information).
Step S406: the MME performs security setup according to the first base station security information that it finds, returns an S1 SETUP RESPONSE message to the base station, and carries in the S1 SETUP RESPONSE message second base station security information related to the security setup performed by the MME. (Steps S404 and S406 correspond to 502 in Fig. 5: the MME sends an S1 SETUP RESPONSE message to the eNB, and the message is extended with an added eNB security capability information element.)
Specifically, in step S404 the first base station security information that is found can include authentication identification information, which indicates whether the eNB supports the authentication procedure. In this case, in step S406, the MME decides according to the authentication identification information whether to initiate the authentication procedure and, when it decides to initiate the procedure, includes authentication information in the second base station security information.
In addition, in step S404 the first base station security information that is found can also include security algorithm information and/or base station security level information. The security algorithm information indicates the security algorithms that the MME may adopt or is advised to adopt, and can be expressed as a security algorithm index; the base station security level information indicates the security level of the eNB. In this case, in step S406, the MME can select a security algorithm for the eNB according to the security algorithm information and/or the base station security level information, and includes security algorithm parameter information in the second base station security information. The security algorithm parameter information comprises: a security key, a security algorithm index, and so on.
Preferably, in step S408, after receiving the S1 SETUP RESPONSE message, the eNB updates its local storage with the second base station security information issued by the MME (shown as 305 in Fig. 5).
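The MME-side handling of both embodiments, followed by the eNB-side storage step, can be sketched as follows. This is an added example, not code from the patent: the field names, the algorithm-level table, the selection policy, the rejection behaviour and the use of random bytes for the key and the authentication information are all assumptions, since the text defines no encoding for the security information element.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed table: algorithm index -> highest security level it satisfies.
ALGORITHM_LEVEL = {0: 0, 1: 1, 2: 2}

@dataclass
class FirstSecurityInfo:            # what the MME needs for security setup
    supports_auth: bool             # authentication identification information
    algorithm_indexes: tuple        # algorithms the MME may or is advised to adopt
    security_level: int             # base station security level

@dataclass
class S1SetupRequest:
    global_enb_id: str
    enb_name: str
    security_info: Optional[FirstSecurityInfo] = None  # carried only in embodiment 1

@dataclass
class S1SetupResponse:              # carries the second base station security information
    auth_info: Optional[bytes]      # present only when the MME initiates authentication
    algorithm_index: int
    key: bytes

def mme_handle_s1_setup(req, database):
    """MME side of S204 (info in the request) and S404/S406 (info from the database)."""
    info = req.security_info
    if info is None:
        info = database.get(req.global_enb_id)
    if info is None:
        raise LookupError("no security information for " + req.global_enb_id)
    # Assumed policy: the strongest offered algorithm that meets the eNB's level.
    usable = [i for i in info.algorithm_indexes
              if i in ALGORITHM_LEVEL and ALGORITHM_LEVEL[i] >= info.security_level]
    if not usable:
        raise ValueError("no offered algorithm meets the security level")
    chosen = max(usable, key=ALGORITHM_LEVEL.get)
    # Assumed: authentication is initiated whenever the eNB supports it, and the
    # authentication information is a random challenge; the key is random too.
    auth_info = secrets.token_bytes(16) if info.supports_auth else None
    return S1SetupResponse(auth_info, chosen, secrets.token_bytes(16))

def enb_store_response(local_store, resp):
    """eNB side: update the locally stored copy with what the MME issued."""
    local_store.update(algorithm_index=resp.algorithm_index, key=resp.key,
                       auth_info=resp.auth_info)
    return local_store
```

In the first embodiment the level and algorithm list are whatever the eNB reports in its request; in the second they come from the record the MME holds for that Global ID.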
As described above, by means of at least one of the above technical solutions of the present invention, the method for indicating base station security information makes it possible, where macro base stations and home base stations coexist in an LTE system, to transfer and manage eNB security information between the base station and the MME. This enables base station security management, makes base station management more flexible, and provides an effective means for network security management and base station access management. It is broadly applicable, for example to initial deployment scenarios, shared network operation and maintenance, and multi-vendor equipment management.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.