CN101600205B - Method and related device for accessing SIM card user equipment to evolution network - Google Patents
Method and related device for accessing SIM card user equipment to evolution network Download PDFInfo
- Publication number
- CN101600205B CN101600205B CN2009101522012A CN200910152201A CN101600205B CN 101600205 B CN101600205 B CN 101600205B CN 2009101522012 A CN2009101522012 A CN 2009101522012A CN 200910152201 A CN200910152201 A CN 200910152201A CN 101600205 B CN101600205 B CN 101600205B
- Authority
- CN
- China
- Prior art keywords
- tuple
- key
- encryption key
- sim card
- subscriber equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 105
- 230000004044 response Effects 0.000 claims abstract description 107
- 230000011664 signaling Effects 0.000 claims description 102
- 238000004846 x-ray emission Methods 0.000 claims description 29
- 238000013475 authorization Methods 0.000 claims description 15
- 230000005540 biological transmission Effects 0.000 claims description 8
- 230000015572 biosynthetic process Effects 0.000 claims 1
- 238000004422 calculation algorithm Methods 0.000 description 55
- 230000008569 process Effects 0.000 description 27
- 238000010586 diagram Methods 0.000 description 12
- 238000012545 processing Methods 0.000 description 11
- 238000009795 derivation Methods 0.000 description 9
- 230000006870 function Effects 0.000 description 8
- 238000003780 insertion Methods 0.000 description 7
- 230000037431 insertion Effects 0.000 description 7
- 230000000977 initiatory effect Effects 0.000 description 6
- 238000000926 separation method Methods 0.000 description 4
- GOLXNESZZPUPJE-UHFFFAOYSA-N spiromesifen Chemical compound CC1=CC(C)=CC(C)=C1C(C(O1)=O)=C(OC(=O)CC(C)(C)C)C11CCCC1 GOLXNESZZPUPJE-UHFFFAOYSA-N 0.000 description 4
- 238000010295 mobile communication Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 238000004321 preservation Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000000205 computational method Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The embodiment of the invention relates to a method and a related device for accessing SIM card user equipment to an evolution network. The method comprises the following steps: receiving a quadruple authentication vector (AV) which is generated by a home subscriber server (HSS), corresponds to the SIM card user equipment and comprises random number and expected challenge response; sending authentication request message which comprises the random number in the quadruple AV to the SIM card user equipment; receiving user end challenge response generated by the SIM card user equipment according to the random number in the quadruple AV; and if the received expected challenge response in the quadruple AV and the user end challenge response are consistent, achieving successful authentication. Therefore, the SIM card user equipment can be added into the evolution network, or shifted into the evolution network from other networks, or shifted out from the evolution network; and the method and the related device ensure that an SIM card user can be accessed to the evolution network.
Description
Technical field
The present invention relates to the mobile communication technology field, particularly a kind of method and relevant device of SIM card subscriber equipment cut-in evolution network.
Background technology
The wireless network of existing third generation partner program (3rd Generation Partnership Project is called for short 3GPP) is divided into 3GPP wireless access network and core net two parts.Wherein the 3GPP wireless access network is divided into 3 kinds again: 1. global system for mobile communications (Global System for MobileCommunications, be called for short GSM) edge wireless access network (GSM/EDGE Radio AccessNetwork, be called for short GERAN), this GERAN is the 2G Access Network, comprising base transceiver station (BaseTransceiver Station, be called for short BTS) and base station controller (Base Station Controller, BSC); 2. global terrestrial radio inserts (Universal Terrestrial Radio Access, be called for short UTRAN), this UTRAN is the 3G Access Network, comprising base station (Node B, be called for short NodeB) and radio network controller (Radio Network Controller, RNC); 3. the general continental rise wireless access network of evolution (Evolved Universal Terrestrial Radio Access Network, be called for short EUTRAN), this EUTRAN is Long Term Evolution (Long Term Evolution, be called for short LTE) Access Network, base station (the evoluted NodeB that comprises evolution, be called for short eNB), the core net corresponding with the LTE Access Network of following evolution is System Architecture Evolution (System Architecture Evolution is called for short SAE).
Be mobile management entity (Mobility Management Entity among eNB and the SAE with the relevant entity of safety in the future evolution network; be called for short MME); wherein eNB mainly finishes Radio Resource control (Radio Resources Control; be called for short RRC)/user's face (User Plane; abbreviation UP) safety protection function of signaling; MME mainly finishes the non-access signaling safety protection function of (Non-Access Signalling is called for short the NAS signaling).For guaranteeing the communication security of future evolution network, subscriber equipment (User Equipment, be called for short UE) need to share identical RRC encryption key (K_RRC_enc), RRC integrity protection key (K_RRC_int) and UP encryption key (K_UP_enc) with eNB, with RRC/UP signaling between protection UE and the eNB; UE also needs to share identical NAS encryption key (K_NAS_enc) and NAS integrity protection key (K_NAS_int) with MME, with NAS signaling between protection UE and the MME.
In the 3GPP standard, evolvement network only supports universal subscriber identity module (Universal Subscriber Identity Module is called for short USIM) card user to insert this evolvement network at present; (Subscriber Identity Module, SIM) card user, evolvement network forbid that then the SIM card user inserts and for subscriber identity module.Like this, for a lot of operators (for example China Mobile), when following evolvement network is arrived in network upgrade, certainly will want the mandatory user of carrying out to change card work, the SIM card that is about to the user is replaced by usim card.Like this, may increase the burden of operator on the one hand, also may cause user's commentaries on classics net on the other hand.
Summary of the invention
The embodiment of the invention provides a kind of method and relevant device of SIM card subscriber equipment cut-in evolution network, is linked into the safe handlings such as authentication/key of evolvement network/move to evolvement network/when evolvement network shifts out to realize the SIM card subscriber equipment.
According to the embodiment of the invention, a kind of method of subscriber identity module SIM card subscriber equipment cut-in evolution network is provided, comprising:
Mobile management entity MME sends the authorization data request message to home subscriber server HSS, so that described HSS generates five-tuple AV according to tlv triple AV, and generates and the corresponding four-tuple AV of described SIM card subscriber equipment according to described five-tuple AV; Described tlv triple AV comprises random number RA ND, expectation challenge responses SRES and encryption key Kc, described five-tuple AV comprises RAND, expectation challenge responses XRES, integrity protection key IK, encryption key CK and authentication parameter AUTN, and described four-tuple AV comprises RAND, AUTN, XRES and root key Kasme;
MM/E receives the four-tuple authentication vector AV corresponding with the SIM card subscriber equipment that HSS generates;
MME sends authentication request message to described SIM card subscriber equipment, comprises the random number among the described four-tuple AV in the described authentication request message;
MME receives the user side challenge responses that described SIM card subscriber equipment generates according to the random number among the described four-tuple AV;
If the expectation challenge responses among the described four-tuple AV that receives is consistent with described user side challenge responses, then authentication success.
According to the embodiment of the invention, also provide a kind of subscriber identity module SIM card subscriber equipment to move to the method for evolvement network, comprising:
Mobile management entity MME receives that Serving GPRS Support Node SGSN sends comprises the encryption key among the tlv triple authentication vector AV or the message of encryption key among the five-tuple AV and integrity protection key, and generates non-access signaling NAS encryption key and NAS integrity protection key according to the key that receives;
Described SIM card subscriber equipment generates NAS encryption key and NAS integrity protection key according to the encryption key among the tlv triple AV in the described SIM card subscriber equipment after receiving switching command message or tracing area reception message;
Described MME adopts the NAS encryption key of its generation and NAS integrity protection key that the signaling that sends to the SIM card subscriber equipment is protected, and described SIM card subscriber equipment adopts the NAS encryption key of its generation and NAS integrity protection key that the signaling that sends to MME is protected.
According to the embodiment of the invention, also provide a kind of subscriber identity module SIM card subscriber equipment from the method that evolvement network shifts out, comprising:
Mobile management entity ME is according to encryption key among the generation of the root key among the four-tuple authentication vector AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Described MME will comprise encryption key among the described five-tuple AV and the message of the encryption key among integrity protection key or the described tlv triple AV sends to Serving GPRS Support Node SGSN;
After described SIM card subscriber equipment receives switching command message or tracing area reception message, according to encryption key among the generation of the root key among the four-tuple AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Described SIM card subscriber equipment is protected the signaling that sends to network equipment according to encryption key among the five-tuple AV that self generates and the encryption key among integrity protection key or the tlv triple AV, and described network equipment is protected the signaling that sends to described SIM card subscriber equipment according to encryption key among the five-tuple AV of described MME generation and the encryption key among integrity protection key or the tlv triple AV.
According to the embodiment of the invention, a kind of subscriber identity module SIM card subscriber equipment also is provided, comprising:
The 3rd receiver module, be used to receive the authentication request message that mobile management entity MME sends, described authentication request message comprises that home subscriber server HSS generates five-tuple AV according to tlv triple AV, and according to the random number among the described five-tuple AV generation four-tuple AV corresponding with described SIM card subscriber equipment;
First generation module, the random number that is used for the described four-tuple AV that receives according to described the 3rd receiver module generates the encryption key Kc among the tlv triple AV, generates the user side challenge responses according to Kc again;
Second sending module, be used to send authentication response message to described MME, comprise the described user side challenge responses that described first generation module generates in the described authentication response message, make described MME carry out authentication to described SIM card subscriber equipment according to described user side challenge responses with from the expectation challenge responses that home subscriber server HSS receives.
According to the embodiment of the invention, a kind of mobile management entity MME also is provided, comprising:
The 4th receiver module is used for receiving the encryption key that comprises tlv triple authentication vector AV of Serving GPRS Support Node SGSN transmission or the message of encryption key among the five-tuple AV and integrity protection key;
Second generation module is used for the encryption key of the described tlv triple AV that receives according to described the 4th receiver module or the encryption key among the five-tuple AV and integrity protection key and generates non-access signaling NAS encryption key and NAS integrity protection key;
The first signaling protection module, the described NAS encryption key and the NAS integrity protection key that are used to adopt described second generation module to generate are protected the signaling that sends to subscriber identity module SIM card subscriber equipment.
According to the embodiment of the invention, a kind of subscriber identity module SIM card subscriber equipment also is provided, comprising:
The 5th receiver module is used to receive switching command message or tracing area and receives message;
The 3rd generates module, is used for generating non-access signaling NAS encryption key and NAS integrity protection key according to the encryption key of tlv triple authentication vector AV;
The second signaling protection module is used to adopt the described the 3rd described NAS encryption key and the NAS integrity protection key that generates the module generation that the signaling that sends to described MME is protected.
According to the embodiment of the invention, a kind of mobile management entity MME also is provided, comprising:
The 4th generation module is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV;
The 3rd sending module; be used for to carry the integrity protection key of the described five-tuple AV that described the 4th generation module generates and the message of the encryption key among encryption key or the tlv triple AV and send to Serving GPRS Support Node SGSN, make encryption key among the five-tuple AV that described SGSN generates according to described MME and the encryption key among integrity protection key or the tlv triple AV protect the signaling that sends to subscriber identity module SIM card subscriber equipment.
According to the embodiment of the invention, a kind of subscriber identity module SIM card subscriber equipment also is provided, comprising:
The 6th receiver module is used to receive switching command message or tracing area and receives message;
The 5th generation module is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV;
The 3rd signaling protection module is used for the encryption key of the five-tuple AV that generates according to the 5th generation module and the encryption key among integrity protection key or the tlv triple AV signaling that sends to RNC or SGSN is protected.
By above technical scheme as can be known, the method and the relevant device of a kind of SIM card subscriber equipment cut-in evolution network that the embodiment of the invention provides, by processing to the authentication vector of SIM card subscriber equipment cut-in evolution network/move to evolvement network/when evolvement network shifts out, can guarantee SIM card user cut-in evolution network safely so that the SIM card subscriber equipment joins in the evolvement network or move to the evolvement network or can shift out from other networks from evolvement network.
Description of drawings
Fig. 1 is the structural representation of the 3GPP wireless network of the embodiment of the invention;
Fig. 2 is the schematic flow sheet of method of the SIM card subscriber equipment cut-in evolution network of the embodiment of the invention;
Fig. 3 is the signaling process schematic diagram of method of the SIM card subscriber equipment cut-in evolution network of the embodiment of the invention;
Fig. 4 is generation tlv triple AV, the five-tuple AV of the embodiment of the invention and the schematic diagram of four-tuple AV;
Fig. 5 moves to the schematic flow sheet of the method for evolvement network for the SIM card subscriber equipment of the embodiment of the invention;
Fig. 6 switches to the signaling process schematic diagram of the method for EUTRAN from GERAN/UTRAN for the SIM card subscriber equipment of the embodiment of the invention;
Fig. 7 moves to the signaling process schematic diagram of the method for EUTRAN from the GERAN/UTRAN Idle state for the SIM card subscriber equipment of the embodiment of the invention;
The schematic flow sheet of the method that Fig. 8 shifts out from evolvement network for the SIM card subscriber equipment of the embodiment of the invention;
Fig. 9 switches to the signaling process schematic diagram of the method for GERAN/UTRAN from EUTRAN for the SIM card subscriber equipment of the embodiment of the invention;
Figure 10 moves to the signaling process schematic diagram of the method for GERAN/UTRAN from the EUTRAN Idle state for the SIM card subscriber equipment of the embodiment of the invention;
Figure 11 is the signaling process figure that the SIM card subscriber equipment of the embodiment of the invention inserts the method for 2G/3G network;
Figure 12 is the structural representation of the mobile management entity of the embodiment of the invention;
Figure 13 is the structural representation of the SIM card subscriber equipment of the embodiment of the invention;
Figure 14 is another structural representation of the mobile management entity of the embodiment of the invention;
Figure 15 is another structural representation of the SIM card subscriber equipment of the embodiment of the invention;
Figure 16 is the another structural representation of the mobile management entity of the embodiment of the invention;
Figure 17 is the another structural representation of the SIM card subscriber equipment of the embodiment of the invention;
Figure 18 is the structural representation of the gradual network system of the embodiment of the invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
Fig. 1 is the structural representation of the 3GPP wireless network of the embodiment of the invention.As shown in Figure 1, wherein dotted line is the Access Network and the core net of evolvement network with the lower part.To specifically describe the negotiating safety capability that allows SIM card user cut-in evolution network with a plurality of embodiment based on the structure of this 3GPP wireless network below.
Fig. 2 is the schematic flow sheet of method of the SIM card subscriber equipment cut-in evolution network of the embodiment of the invention.As shown in Figure 2, during present embodiment explanation SIM card subscriber equipment cut-in evolution network, the four-tuple authentication vector that mobile management entity (MME) generates according to HSS (Authentication Vector is called for short AV) to the method that UE carries out authentication, comprises the steps:
The four-tuple AV corresponding that step 201, reception home subscriber server (Home Subscriber Server is called for short HSS) generate with the SIM card subscriber equipment, described four-tuple AV comprises random number RA ND and expectation challenge responses XRES;
Four-tuple AV also comprises: authentication parameter (AUTN) and root key (Kasme);
This MME is follow-up can also to generate non-access signaling (NAS) encryption key and NAS integrity protection key according to the Kasme among the four-tuple AV;
The user side challenge responses (RES) that step 203, reception SIM card subscriber equipment generate according to the RAND among this four-tuple AV;
Wherein specifically can comprise before the step 201:
Step 200a, HSS receive the authorization data request message that MME sends;
Step 200b, HSS generate the five-tuple AV corresponding with the SIM card subscriber equipment according to tlv triple AV, further generate four-tuple AV again, and this tlv triple AV includes random number (RAND), expectation challenge responses (SRES) and encryption key (Kc);
For example: earlier generate integrity protection key IK and encryption key CK among the five-tuple AV, further generate root key Kasme among the four-tuple AV according to IK and CK again according to the encryption key Kc among the tlv triple AV.
Step 200c, HSS are carried at this four-tuple AV in the authorization data response message and send to MME.
Between step 202 and step 203, can also comprise:
Step 202a, SIM card subscriber equipment receive the authentication request message of carrying the RAND among the four-tuple AV that MME sends;
Step 202b, SIM card subscriber equipment generate Kc among the tlv triple AV according to the RAND among the four-tuple AV and with the shared key K i of HSS;
Step 202c, SIM card subscriber equipment generate user side RES according to the Kc among the tlv triple AV;
Step 202d, transmission are carried the authentication response message of user side RES to MME.
The method of the SIM card subscriber equipment cut-in evolution network that present embodiment provides, the authentication process of the authentication vector by to SIM card subscriber equipment cut-in evolution network the time, can be so that the SIM card subscriber equipment be linked in the evolvement network, and guaranteed the fail safe of SIM card subscriber equipment cut-in evolution network.
Wherein the SIM card subscriber equipment specifically can include mobile device (Mobile Equipment, be called for short ME) and SIM card, this ME can also be according to integrity protection key IK and the encryption key CK among the generation of the encryption key among the tlv triple AV five-tuple AV, further generate the root key among the four-tuple AV again, and Kasme is kept in evolved packet system (EPS) the NAS safe context on the SIM card subscriber equipment; This ME is follow-up can also further to generate NAS encryption key and NAS integrity protection key according to the Kasme among the four-tuple AV.
Except including described Kasme, also include NAS protection algorithm integrallty and the cryptographic algorithm and the up/descending NAS Counter Value etc. of SIM card user equipment safety capability, selection in this EPS NAS safe context.ME in the SIM card subscriber equipment specifically can comprise the processing of this EPS NAS safe context:
If what ME found its insertion is SIM card, then ME is as follows to the treatment principle of EPS NAS safe context:
The first, the EPS NAS safe context before can deleting under the following situation, preserved of ME:
1. pull out SIM card under the ME power-up state;
When 2. ME started shooting, ME found that the SIM card of inserting not is the SIM card of correspondence when creating EPS NAS safe context in the past;
Find not have plug sim card when 3. ME starts shooting.
The second, when shutdown, ME is saved in EPS NAS safe context in the non-volatile internal memory (for example flash memory flash) on the ME, and these ESP NAS safe contexts of mark are effective in non-volatile internal memory.
When three, starting shooting, if EPS NAS safe context mark in non-volatile internal memory of preserving was effective in the past, the EPS NAS safe context of preserving before then ME takes out from non-volatile internal memory uses.
Four, during the attachment removal network (comprise the attachment removal that attachment removal that the SIM card subscriber equipment initiates, attachment removal that MME initiates or HSS initiate), ME upgrades ME with current local EPS NAS safe context and go up the EPS NAS safe context of preserving in the past in non-volatile internal memory, and these ESP NAS safe contexts of mark are effective in non-volatile internal memory.
Five, during attach to network, the EPS safe context that ME preserves before the mark in non-volatile internal memory is invalid.
When six, moving to connected state, for example when the SIM card subscriber equipment when the Idle state (ECM-IDLE) of EPS Connection Management is moved to the connected state (ECM-CONNECTED) of EPS Connection Management, the EPS safe context that ME preserves before the mark in non-volatile internal memory is invalid.
When seven, moving to Idle state, for example when the SIM card subscriber equipment when the connected state (ECM-CONNECTED) of EPS Connection Management is moved to the Idle state (ECM-IDLE) of EPS Connection Management, ME upgrades ME with current local EPS NAS safe context and go up the EPS NAS safe context of preserving in the past in non-volatile internal memory, and these ESP NAS safe contexts of mark are effective in non-volatile internal memory.
Because the embodiment of the invention can be so that the SIM card subscriber equipment be linked in the evolvement network, so also realized on this SIM card subscriber equipment each parameter in relevant with cut-in evolution network, the EPS NAS safe context of preservation it on is effectively managed.
Below by specific embodiment method with the SIM card subscriber equipment cut-in evolution network of Fig. 2 is described.Fig. 3 is the signaling process schematic diagram of method of the SIM card subscriber equipment cut-in evolution network of the embodiment of the invention.Wherein in conjunction with Fig. 1, LTE server net is MME.In the prior art, UE is when inserting the LTE network, when before network attachment process (ATTACH) or band of position renewal (TAU) process, the type that detects the card that the ME of UE inserts is a SIM card, forbid that then SIM card inserts, promptly UE does not send ATTACH request message or TAU request message to network side; But the UE of malice still may initiate ATTACH request message or TAU request message to MME, MME is in the NAS message that is subjected to the initiation layer 3 that UE sends, after being ATTACH request message or TAU request message, MME sends the authorization data request message to HSS, HSS checks it is the user who inserts SIM card, then send the authorization data that carries error code and acknowledge message to MME, expression forbids that UE inserts the LTE network, MME sends the NAS response message of initiation layer 3 again to UE, comprising error code, forbid that SIM card inserts the purpose of LTE network thereby reach.As shown in Figure 3, the embodiment of the invention provides a kind of method of SIM card subscriber equipment cut-in evolution network, comprises the steps:
Step 301, when ME is attached to the LTE network, detecting it is the subscriber equipment (UE) that inserts SIM card;
Whether last can the configuration of ME allows this SIM card subscriber equipment to insert the LTE network, when being configured to forbid that the SIM card subscriber equipment inserts the LTE network, is the SIM card subscriber equipment if ME detects, and forbids that then this SIM card subscriber equipment inserts the LTE network; When being configured to allow the SIM subscriber equipment to insert the LTE network, if it is the SIM card subscriber equipment that ME detects, then continue the processing that this SIM card subscriber equipment inserts the LTE network, for example send ATTACH request message or TAU request message to LTE network equipment MME.
Also can dispose on the ME all the time the SIM card subscriber equipment that inserts the LTE network is inserted processing.
Step 302, MME receive the NAS message of the initiation layer 3 that the SIM card subscriber equipment sends;
This NAS message is specifically as follows: ATTACH request message or TAU request message;
Step 303, MME send the authorization data request message to HSS;
It is the SIM card subscriber equipment that step 304, HSS detect subscriber equipment according to the user signing contract information of self storing, if be configured to allow the SIM card subscriber equipment to insert the LTE network on it, after then HSS receives the authorization data request message of MME transmission, then generate four-tuple AV; Concrete operations are as follows:
HSS generates tlv triple AV, five-tuple AV and four-tuple AV, wherein tlv triple AV comprises: { random number (RAND), expectation challenge responses (SRES), encryption key (Kc) }, five-tuple AV comprises: { RAND, expectation challenge responses (XRES), Integrity Key (IK), encryption key (CK), authentication parameter (AUTN) }, four-tuple AV comprises: { RAND, authentication parameter (AUTN), XRES and root key (Kasme) }.Fig. 4 is generation tlv triple AV, the five-tuple AV of the embodiment of the invention and the schematic diagram of four-tuple AV, as shown in Figure 4, comprising:
A) HSS at first generates the tlv triple AV{RAND of SIM card subscriber equipment, SRES, and Kc}, concrete steps are as follows:
3041a, HSS produce the random number RA ND that length is 16 bytes earlier;
3042a, be input parameter with the shared key K i of RAND, SIM card and HSS, utilize the A3 algorithm generate the expectation challenge responses SRES=A3 that length is 4 bytes (Ki, RAND);
3043a, be input parameter with the shared key K i of RAND, SIM card and HSS, utilize the A8 algorithm generate the encryption key Kc=A8 that length is 8 bytes (Ki, RAND).
B) HSS further generates the five-tuple AV{RAND of SIM card subscriber equipment according to tlv triple AV, XRES, and IK, CK, AUTN}, concrete steps are as follows:
3041b, HSS adopt RAND among the tlv triple AV as the RAND among the five-tuple AV, and the series number SQN that to produce a length be 6 bytes;
3042b, to generate length according to Kc be 16 byte basis key K=C1 (Kc), wherein, C1 is a transfer function, and be input with parameter K, RAND, SQN and authentication management territory (AuthenticationManagement Field is called for short AMF), utilize the f1 algorithm to generate message authentication code (MessageAuthentication Code, be called for short MAC)=f1 (K, RAND, SQN, AMF);
For example calculating K is specially: the 0||Kc of K=8 byte, perhaps 0 of the K=Kc||8 byte, perhaps K=Kc||Kc;
3043b, be input with K and RAND, utilize the f5 algorithm generate authenticate key (AuthenticationKey is called for short AK)=f5 (K, RAND);
3044b, generation authentication parameter
The separation point position of AMF is 0 herein;
3045b, utilize the f3 algorithm generate encryption key CK=f3 (K, RAND), and utilize the f4 algorithm generate Integrity Key IK=f4 (K, RAND);
In addition, IK that generates among the 3045b and CK also can directly be produced by Kc, for example utilize c4 algorithm computation CK=c4 (Kc||Kc), utilize c5 algorithm computation IK=c5 (Kc1xor Kc2||Kc||Kc1xorKc2);
3046b, generation expectation challenge responses XRES=f2 (K, RAND);
In addition, the XRES that generates among the 3046b also can be directly according to A) in SRES generate, for example 0 of XRES=SRES||12 byte, the perhaps 0||SRES of XRES=12 byte, perhaps XRES=SRES1 xor SRES2||SRES||SRES1 xor SRES2||SRES1 xor SRES2||SRES||SRES1xor SRES2 supposes that herein SRES=SRES1||SRES2 and SRESi are 2 bytes.
A in this step 304) and B) can also finish before step 303, promptly tlv triple AV and five-tuple AV can generate in advance.
C) HSS further generates the subscription authentication vector four-tuple AV{RAND of LTE network, AUTN, and XRES, Kasme}, concrete steps are as follows:
3041c, parameters R AND and XRES such as B) middle gained;
The method of 3042c, calculating parameter AUTN and B) 3044b in to calculate the method for AUTN basic identical, difference is that the separation point position of AMF herein is 1;
That is,
The separation point position of AMF is 1 herein.
3043c, according to B) in IK and CK calculate root key (Kasme), for example (IK, CK), KDF is cipher key derivative function (Key Derivation Function) to Kasme=KDF herein.
Step 305, HSS return the authorization data response message to MME, wherein comprise the four-tuple AV that generates in the above-mentioned steps 304;
Step 306, when MME receives four-tuple AV, this MME carries parameters R AND and the AUTN among the four-tuple AV in the subscription authentication request message that the SIM card subscriber equipment sends;
Follow-up MME can also generate NAS encryption key Knas_enc and NAS integrity protection key K nas_int according to the Kasme among the four-tuple AV; Knas_enc=KDF (Kasme for example, the cryptographic algorithm sign), Knas_int=KDF (Kasme, the protection algorithm integrallty sign), here KDF is cipher key derivative function (Key Derivation Function), cryptographic algorithm is designated the sign of cryptographic algorithm AES or SNOW 3G, and protection algorithm integrallty is designated the sign of protection algorithm integrallty AES or SNOW3G;
After ME in step 307, the SIM card subscriber equipment received the subscription authentication request message of MME transmission, what find this ME of insertion was SIM card, and then ME generates user side RES, user side IK and user side CK, and concrete operations are as follows:
3070, ME checks whether the separating position of the AMF among its AUTN that receives is set to 1, if not, then return to the response message that authentication is refused in expression of MME; This 3070 is an optional step, promptly can carry out at this, also can not carried out;
3071, ME sends to SIM card to the RAND that receives;
3072, the SIM card utilization is calculated the SRES algorithm identical with Kc with HSS in the 3042a of step 304 and 3043a, calculates SRES and Kc according to RAND and Ki, and Kc is sent to ME; Alternatively, SIM card can also send to ME with SRES;
3073, ME takes the identical algorithm of HSS calculating K among the 3042b with step 304, comes calculating K according to Kc;
3074, ME takes the HSS among the 3045b with step 304 to calculate the IK algorithm identical with CK, calculates IK and CK; And further take with 3043c in identical algorithm computation go out root key Kasme; Follow-up ME can adopt the method identical with above-mentioned MME, calculates corresponding NAS encryption key Knas_enc and NAS integrity protection key K nas_int according to this root key Kasme;
3075, ME takes the HSS among the 3046b with step 303 to calculate the identical algorithm of XRES, calculate RES=f2 (K, RAND); When needs calculate RES with SRES, then SIM card need send to ME with SRES in 3072, correspondingly, computational methods can for: for example 0 of RES=SRES||12 byte, the perhaps 0||SRES of RES=12 byte, perhaps RES=SRES1 xor SRES2||SRES||SRES1 xor SRES2||SRES1 xor SRES2||SRES||SRES1 xor SRES2 supposes that herein SRES=SRES1||SRES2 and SRESi are 2 bytes.
Wherein, alternatively, between 3073 and 3074, can also comprise:
307a, ME take the HSS among the 3043b with step 304 to calculate the identical algorithm of AK, utilize the f5 algorithm to generate AK;
307c, ME calculate XMAC=f1 K (SQN||RAND||AMF);
307d, ME compare the XMAC and the MAC among the parameter A UTN of its calculating, if inconsistent, then return to the response message that authentication is refused in expression of SGSN; And/or, ME checking sequence SQN whether within a suitable scope, if not, then send a synchronization failure response message to SGSN.
Need to prove that the algorithm identical with network side that the SIM card subscriber equipment adopts in this step can obtain from network side by the mode of consulting in advance, and be concrete, can obtain above-mentioned algorithm from MME.
Step 308, SIM card subscriber equipment send the subscription authentication response message to MME, wherein carry RES;
Step 309, MME are carried out authentication by the XRES among RES relatively and the four-tuple AV is whether consistent to the SIM card subscriber equipment, if RES is consistent with XRES, then authentication successfully;
Step 310, MME send the NAS response message of initiation layer 3 to the SIM card subscriber equipment, and so far the SIM card subscriber equipment can be linked in the evolvement network.
The method of the SIM card subscriber equipment cut-in evolution network that present embodiment provides, generate five-tuple AV according to tlv triple AV, generate the four-tuple AV that in the LTE network user is carried out authentication according to five-tuple AV, make and use the UE of SIM card also can be linked in the LTE network, guaranteed the fail safe of SIM card subscriber equipment cut-in evolution network.
Need to prove, present embodiment is the method for SIM card subscriber equipment cut-in evolution network, the parameter that network side and SIM card subscriber equipment obtain when all preserving SIM card subscriber equipment cut-in evolution network, behind SIM subscriber equipment cut-in evolution network, can also carry out follow-up switching flow, thereby make above-mentioned parameter to be applied in the subsequent embodiment based on present embodiment.
Fig. 5 moves to the schematic flow sheet of the method for evolvement network for the SIM card subscriber equipment of the embodiment of the invention, and this moves and comprises that Idle state moves and/or switches.In the present embodiment, the source core net in the 2G/3G network is Serving GPRS Support Node (SGSN), and the target core network equipment in the evolvement network is MME; Present embodiment is primarily aimed at UE and switches to evolvement network or UE move to evolvement network from 2G/3G network Idle state method from the 2G/3G network.As shown in Figure 5, comprise the steps:
Concrete, in the step 501, MME is according to encryption key and integrity protection key among the generation of the encryption key among the described tlv triple authentication vector AV that the receives five-tuple AV, and further generate root key Kasme according to encryption key among the five-tuple AV and integrity protection key, generate non-access signaling NAS encryption key and NAS integrity protection key according to root key Kasme then; Or MME generates root key Kasme according to encryption key among the five-tuple AV that receives and integrity protection key, generates non-access signaling NAS encryption key and NAS integrity protection key according to root key Kasme then;
In the step 502; the SIM card subscriber equipment is according to encryption key and integrity protection key among the generation of the encryption key among the tlv triple AV that self the preserves five-tuple AV; and further generate root key Kasme according to encryption key among the five-tuple AV and integrity protection key, generate non-access signaling NAS encryption key and NAS integrity protection key according to root key Kasme then.
Method when the SIM card subscriber equipment that present embodiment provides moves to evolvement network has realized SIM card subscriber equipment moving from the 2G/3G network to evolvement network, and has guaranteed the fail safe in the moving process.
Below by two specific embodiments the method for SIM card subscriber equipment SIM card subscriber equipment when the 2G/3G network switches to evolvement network is described respectively, the method for SIM card subscriber equipment when the SIM card subscriber equipment moves to evolvement network from 2G/3G network Idle state.
Fig. 6 switches to the signaling process schematic diagram of the method for EUTRAN from GERAN/UTRAN for the SIM card subscriber equipment of the embodiment of the invention.In existing scheme, when the MME in the EUTRAN network receives forwarding redirect request (the ForwardRelocation Request of the SGSN in the GERAN/UTRAN network, be called for short FRR) during message, check MM Context (the Mobile Management context) parameter in this FRR message, if comprise the encryption key Kc among the tlv triple AV of SIM card subscriber equipment in this MM Context parameter, then MME sends an expression refusal SIM card subscriber equipment switches to EUTRAN from GERAN/UTRAN response message.And in the present embodiment, can realize the switching of SIM card subscriber equipment from GERAN/UTRAN to EUTRAN, as shown in Figure 6, this SIM card subscriber equipment comprises the steps: from the flow process that GERAN/UTRAN switches to the method for EUTRAN
Step 601, source radio network controller (Radio Network Controller is called for short RNC) or source base station subsystem (Base Station Subsystem is called for short BSS) send redirect request (RelocationRequest) message to source SGSN;
Step 602, if in the authentication process when the SIM card subscriber equipment inserts the 2G/3G network, that source SGSN obtains from HSS is tlv triple AV, when then this source SGSN sends FRR message to target MME, wherein carry the encryption key Kc among the tlv triple AV of SIM card subscriber equipment;
This step 602 can also send FRR message to target MME for: source SGSN, wherein carries tlv triple AV that calculate, untapped in FRR message, comprising Kc; Perhaps
This step 602 can also calculate encryption key CK and integrity protection key IK among the five-tuple AV according to the encryption key Kc among the tlv triple AV for: source SGSN, and the FRR message that sends the encryption key CK that carries among the five-tuple AV and integrity protection key IK then is to target MME;
This step 602 can also for: if in the authentication process when the SIM card subscriber equipment inserts the 2G/3G network, that source SGSN obtains from HSS is five-tuple AV, when then this source SGSN sends FRR message to target MME, wherein carry CK and IK among the five-tuple AV of SIM card subscriber equipment;
Step 603, target MME judge that according to this encryption key Kc the user that request is switched is the SIM card subscriber equipment, if configuration allows the SIM card subscriber equipment to insert the LTE network on target MME, then generate temporary key (Kenb), NAS signaling encryption key (Knas_enc) and NAS signaling integrity protection key (Knas_int);
Specifically comprise: if carry in the FRR message that source SGSN sends in step 602 be the encryption key Kc among the tlv triple AV, then target MME is according to Kc derivation encryption key CK and integrity protection key IK, for example:, utilize c5 algorithm computation IK=c5 (Kc1 xor Kc2||Kc||Kc1xor Kc2) according to c4 algorithm computation CK=c4 (Kc||Kc); Derive root key Kasme according to the IK and the CK that obtain again; Derive temporary key Kenb, NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme.
Perhaps, if carry in the FRR message that source SGSN sends in step 602 be encryption key CK and integrity protection key IK among the five-tuple AV, then step 603 is derived root key Kasme for target MME according to the IK and the CK that obtain; Derive temporary key Kenb, NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme.
Step 604, target MME send handoff request (Handover Request) message and wherein carry parameter K enb to target eNB;
Step 605, target eNB are calculated RRC signaling integrity protection key (Krrc_int), RRC signaling encryption key (Krrc_enc) and user's plane signaling encryption key (Kup_enc) according to parameter K enb;
Step 606, target eNB send switching request response (Handover Request Ack) message and give target MME;
Step 607, target MME send and transmit redirect response (Forward Relocation Response) message to source SGSN;
Step 608, source SGSN send redirect command (Relocation Command) message to source BTS/RNC;
Step 609, source RNC or source BSS send switching command (Handover Command) to the SIM card subscriber equipment, and wherein this SIM card subscriber equipment includes ME and SIM card;
What 610, ME found its insertion is SIM card, then according to Kc derivation encryption key CK and integrity protection key IK, for example: according to c4 algorithm computation CK=c4 (Kc||Kc), utilize c5 algorithm computation IK=c5 (Kc1 xor Kc2||Kc||Kc1 xor Kc2); Derive root key Kasme according to the IK and the CK that obtain again; Derive temporary key Kenb, NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme, and calculate RRC signaling integrity protection key (Krrc_int), RRC signaling encryption key (Krrc_enc) and user's plane signaling encryption key (Kup_enc) according to parameter K enb;
Step 611, after finishing above-mentioned key handling flow process; continue the handoff procedure of the SIM card subscriber equipment of back to EUTRAN; wherein; Signalling exchange between MME and the SIM card subscriber equipment need adopt Knas_enc and Knas_int to protect, and the Signalling exchange between SIM card subscriber equipment and the target eNB need adopt Krrc_int, Krrc_enc and Kup_enc to protect.
The card user equipment that present embodiment provides has been realized the switching of SIM card subscriber equipment from GERAN/UTRAN to EUTRAN, and has been guaranteed the fail safe in the handoff procedure from the method that GSIMERAN/UTRAN switches to EUTRAN.
Fig. 7 moves to the signaling process schematic diagram of the method for EUTRAN from the GERAN/UTRAN Idle state for the SIM card subscriber equipment of the embodiment of the invention.As shown in Figure 7, comprise the steps:
Step 701, SIM card subscriber equipment send tracking area update (TAU) message to target MME;
Step 702, target MME send context request message (context request) to source SGSN;
Step 703, if in the authentication process when the SIM card subscriber equipment inserts the 2G/3G network, that source SGSN obtains from HSS is tlv triple AV, when then this source SGSN sends context response information to target MME, wherein carry the encryption key Kc among SIM card user's the tlv triple AV;
This step 703 can also send context response information to target MME for: source SGSN, wherein carries untapped tlv triple AV, comprising Kc; Perhaps
This step 703 can also calculate encryption key CK and integrity protection key IK among the five-tuple AV according to the encryption key Kc among the tlv triple AV for: source SGSN, and the context response information that sends the encryption key CK that carries among the five-tuple AV and integrity protection key IK then is to target MME;
This step 703 can also for: if in the authentication process when the SIM card subscriber equipment inserts the 2G/3G network, that source SGSN obtains from HSS is five-tuple AV, when then this source SGSN sends context response information to target MME, wherein carry CK and IK among SIM card user's the five-tuple AV;
Step 704, target MME judge it is the SIM card subscriber equipment according to encryption key Kc, if configuration allows this SIM card subscriber equipment to insert the LTE network on target MME, then generate Knas_enc and Knas_int;
Specifically comprise: if carry in the context response information that source SGSN sends in step 703 be the encryption key Kc among the tlv triple AV, then target MME generates encryption key CK according to Kc, integrity protection key IK, for example:, utilize c5 algorithm computation IK=c5 (Kc1 xor Kc2||Kc||Kc1 xor Kc2) according to c4 algorithm computation CK=c4 (Kc||Kc); Generate root key Kasme according to IK and CK again; Generate NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme.
Perhaps, if carry in the context response information that source SGSN sends in step 703 be encryption key CK and integrity protection key IK among the five-tuple AV, then step 704 generates root key Kasme for target MME according to IK and CK; Generate NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme.
Step 705, target MME send tracing area and receive message to the SIM card subscriber equipment, and wherein this SIM card subscriber equipment includes ME and SIM card;
What step 706, ME found its insertion is SIM card, then according to sharing key K i calculating K c, generate encryption key CK according to Kc again, integrity protection key IK, for example:, utilize c5 algorithm computation IK=c5 (Kc1 xor Kc2||Kc||Kc1 xor Kc2) according to c4 algorithm computation CK=c4 (Kc||Kc); Generate root key Kasme according to IK and CK again; Generate NAS signaling encryption key Knas_enc and NAS signaling integrity protection key K nas_int according to Kasme;
Step 707, after finishing above-mentioned key handling flow process, continue the Idle state moving process of the SIM card subscriber equipment of back to EUTRAN, wherein, the Signalling exchange between MME and the SIM card subscriber equipment need adopt Knas_enc and Knas_int to protect.
The SIM card subscriber equipment that present embodiment provides moves to the method for EUTRAN from the GERAN/UTRAN Idle state, realized that the SIM card subscriber equipment is under non operating state, move to the process of EUTRAN from GERAN/UTRAN, and guaranteed the fail safe in the Idle state moving process.
The schematic flow sheet of the method that Fig. 8 shifts out from evolvement network for the SIM card subscriber equipment of the embodiment of the invention, this shifts out and comprises that Idle state shifts out and/or switches.In the present embodiment, the source equipment of the core network in the evolvement network is MME, and the target core network in the 2G/3G network is SGSN; Present embodiment is primarily aimed at UE and switches to 2G/3G network or the UE method when the evolvement network Idle state moves to the 2G/3G network from evolvement network.As shown in Figure 8, comprise the steps:
Step 801, mobile management entity MME are according to encryption key among the generation of the root key among the four-tuple authentication vector AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Step 802, described MME will comprise encryption key among the described five-tuple AV and the message of the encryption key among integrity protection key or the described tlv triple AV sends to Serving GPRS Support Node SGSN;
After step 803, described SIM card subscriber equipment receive switching command message or tracing area reception message, according to encryption key among the generation of the root key among the four-tuple AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Signalling exchange between step 804, SIM card subscriber equipment and the network equipment adopts above-mentioned key to protect; particularly; described SIM card subscriber equipment is protected the signaling that sends to network equipment according to encryption key among the five-tuple AV that self generates and the encryption key among integrity protection key or the tlv triple AV, and described network equipment is protected the signaling that sends to described SIM card subscriber equipment according to encryption key among the five-tuple AV of described MME generation and the encryption key among integrity protection key or the tlv triple AV.
In this step 804; the wireless access network that SGSN connects may be the 2G network; it also may be 3G network; if 2G network; then described network equipment is SGSN; Signalling exchange between SGSN and the SIM card subscriber equipment directly adopts the encryption key from the tlv triple AV that MME directly obtains, and perhaps the encryption key among the tlv triple AV that obtains of encryption key from the five-tuple AV that MME obtains and integrity protection key derivation is protected.If 3G network; described network equipment is RNC; then SGSN will issue RNC from the encryption key the five-tuple AV that MME directly obtains and integrity protection key or encryption key and integrity protection key from the five-tuple AV that is generated by the encryption key the tlv triple AV that MME obtains, be used to protect the signaling security between UE and the RNC.
The SIM card subscriber equipment that present embodiment provides has been realized SIM card subscriber equipment moving from evolvement network to the 2G/3G network, and has been guaranteed the fail safe in the moving process from the method that evolvement network shifts out.
Below by two specific embodiments the method for SIM card subscriber equipment SIM card subscriber equipment when evolvement network switches to the 2G/3G network is described respectively, the method for SIM card subscriber equipment when the SIM card subscriber equipment moves to the 2G/3G network from the evolvement network Idle state.
Fig. 9 switches to the signaling process schematic diagram of the method for GERAN/UTRAN from EUTRAN for the SIM card subscriber equipment of the embodiment of the invention.As shown in Figure 9, comprise the steps:
Step 901, source eNB send handoff request (Handover Request) message to source MME;
Step 902, source MME derive encryption key CK ' and the integrity protection key IK ' among the five-tuple AV, or source MME derives encryption key CK ' and integrity protection key IK ' among the five-tuple AV, again further according to IK ', CK ' derives the encryption key Kc ' among the tlv triple AV, and cipher key index KSI ';
Particularly, source MME is according to integrity protection key IK ' and encryption key CK ' among the Kasme derivation five-tuple AV among the four-tuple AV, can also be again derives encryption key Kc ' among the tlv triple AV according to IK ' and CK '; For example:, suppose that wherein CKi and IKi are 64 and CK=CK1||CK2, IK=IK1||IK2 according to c3 algorithm computation Kc '=c3 (CK1 xor CK2 xor IK1 xorIK2); Deriving according to the cipher key index eKSI of evolution obtains KSI ', and for example: the codomain of KSI '=eKSI (Valuefield) part, eKSI totally 4 position bit are made up of the index type of a position bit and the codomain of 3 positions herein.
Step 903, source MME send to transmit and relocate request-message to target SGSN, wherein carry Kc ' and KSI ', or IK ', CK ' and KSI ';
In this step 903, be kept at the tlv triple AV among the MME before also can in transmitting RELOCATION REQUEST message, carrying;
Step 904,
If objective network is 2G, then:
If that target SGSN receives is Kc ' and KSI ', then this target SGSN uses this Kc ' and KSI ' to replace previous Kc and the KSI that preserves;
If that target SGSN receives is IK ', CK ' and KSI ', then target SGSN is further derived encryption key Kc ' among the tlv triple AV according to IK ' and CK ', for example: according to c3 algorithm computation Kc '=c3 (CK1 xor CK2 xor IK1 xor IK2), suppose that wherein CKi and IKi are 64 and CK=CK1||CK2, IK=IK1||IK2 can use this Kc ' and KSI ' to replace previous Kc and the KSI that preserves then.
If objective network is 3G, then:
If that target SGSN receives is Kc ' and KSI '; then this target SGSN further calculates integrity protection key IK ' and encryption key CK ' among the 5 tuple AV according to Kc '; for example according to c4 algorithm computation CK '=Kc||Kc; c5 algorithm computation IK '=Kc1 xor Kc2||Kc||Kc1 xor Kc2 for example; here Kc1 and Kc2 are 32, and Kc=Kc1||Kc2.
If that target SGSN receives is IK ', CK ' and KSI ', then continue the processing of step 905.
Step 905, target SGSN send redirect request message or handoff request message arrives Target RNC or target BS S;
If objective network is 3G, target SGSN also will be IK ' in the step 904 and CK ', and KSI ' sends to RNC.Target RNC is substituted into the IK that preserved in the past, CK, KSI with the IK ' that receives, CK ', KSI '.
Step 906, Target RNC or target BS S return redirect request response message or handover request ack message to target SGSN;
Step 907, target SGSN send transmits redirect response message to source MME;
Step 908, source MME send switching command message to source eNB;
Step 909, source eNB send switching command to the SIM card subscriber equipment, and this SIM card subscriber equipment comprises ME and SIM card;
What step 910, ME found its insertion is SIM card, then ME can be according to integrity protection key IK ' and the encryption key CK ' among the Kasme derivation five-tuple AV among the four-tuple AV, can also be further derives encryption key Kc ' among the tlv triple AV according to IK ' and CK '; IK, the CK and the KSI that preserve before can also using IK ', CK ' and KSI ' to replace it, or the Kc and the KSI of preservation before use Kc ' to replace it, and ME is clear 0 with initial value (START), and this initial value is used to prevent Replay Attack;
Step 911, after finishing above-mentioned key handling flow process, continue the handoff procedure of the SIM card subscriber equipment of back to GERAN/UTRAN, wherein, for the 2G network, the Signalling exchange between SGSN and the SIM card subscriber equipment need adopt Kc ' to protect.For 3G network, the signaling IK ' between SIM card subscriber equipment and the RNC, CK ' protects.
The SIM card subscriber equipment that present embodiment provides has been realized the switching of SIM card subscriber equipment from EUTRAN to GERAN/UTRAN, and has been guaranteed the fail safe in the handoff procedure from the method that EUTRAN switches to GERAN/UTRAN.
Figure 10 moves to the signaling process schematic diagram of the method for GERAN/UTRAN from the EUTRAN Idle state for the SIM card subscriber equipment of the embodiment of the invention.As shown in figure 10, comprise the steps:
Step 1001, SIM card subscriber equipment send routing region updating (RAU) request message to target SGSN;
Step 1002, target SGSN send context request message to source MME;
Step 1003, source MME are derived integrity protection key IK ' and encryption key CK ' in the five-tuple according to the root key Kasme among the four-tuple AV, can also derive Kc ' according to IK ' and CK ' again; For example:, suppose that wherein CKi and IKi are 64 and CK=CK1||CK2, IK=IK1||IK2 according to c3 algorithm computation Kc '=c3 (CK1 xor CK2 xor IK1 xor IK2); Cipher key index eKSI derivation according to evolution obtains KSI ', for example: the codomain part of KSI '=eKSI.
Step 1004, source MME send context response information to target SGSN, wherein carry Kc ' and KSI ', or IK ', CK ' and KSI ';
In this step 1004, preserve before also can in context response information, carrying, SGSN corresponding ternary group AV, comprising the Kc ' that step 1003 calculates, two parameters of other among the tlv triple AV here are that same SGSN sends to this source MME before.
Step 1005,
If objective network is 2G, then:
If that target SGSN receives is Kc ' and KSI ', then this target SGSN uses this Kc ' and KSI ' to replace previous Kc and the KSI that preserves;
If that target SGSN receives is IK ', CK ' and KSI ', then target SGSN is derived encryption key Kc ' among the tlv triple AV according to IK ' and CK ', for example: according to c3 algorithm computation Kc '=c3 (CK1xor CK2 xor IK1 xor IK2), suppose that wherein CKi and IKi are 64 and CK=CK1||CK2, IK=IK1||IK2 can use this Kc ' and KSI ' to replace previous Kc and the KSI that preserves then.
If objective network is 3G, then:
If that target SGSN receives is Kc ' and KSI '; then this target SGSN further calculates integrity protection key IK ' and encryption key CK ' among the 5 tuple AV according to Kc '; for example according to c4 algorithm computation CK '=Kc||Kc; c5 algorithm computation IK '=Kc1 xor Kc2||Kc||Kc1 xor Kc2 for example; here Kc1 and Kc2 are 32, and Kc=Kc1||Kc2.
If that target SGSN receives is IK ', CK ' and KSI ', then continue the processing of step 1006.
Step 1006, target SGSN send the routing region updating response message to the SIM card subscriber equipment, and this SIM card subscriber equipment comprises ME and SIM card;
If objective network is 3G, also comprise in this process: target SGSN also will be IK ' in the preceding step 1005 and CK ', and KSI ' sends to RNC.Target RNC is substituted into the IK that preserved in the past, CK, KSI with the IK ' that receives, CK ', KSI '.
What step 1007, ME found its insertion is SIM card, then ME can be according to integrity protection key IK ' and the encryption key CK ' among the Kasme derivation five-tuple AV among the four-tuple AV, can also be further derives encryption key Kc ' among the tlv triple AV according to IK ' and CK '; IK, the CK and the KSI that preserve before can also using IK ', CK ' and KSI ' to replace it, or the Kc and the KSI that preserve before using Kc ' and KSI ' to replace it, and ME is with initial value START clear 0;
Step 1008, after finishing above-mentioned key handling flow process; continue the Idle state moving process of the SIM card subscriber equipment of back to GERAN/UTRAN; wherein, for the 2G network, the Signalling exchange between SGSN and the SIM card subscriber equipment need adopt Kc ' to protect.For 3G network, SGSN need send to corresponding RNC to IK ', CK ', and the signaling between UE and the RNC adopts IK ', and CK ' protects.
The SIM card subscriber equipment that present embodiment provides moves to the method for GERAN/UTRAN from the EUTRAN Idle state, realized that the SIM card subscriber equipment is under non operating state, move to the process of GERAN/UTRAN from EUTRAN, and guaranteed the fail safe in the Idle state moving process.
Figure 11 is the signaling process figure that the SIM card subscriber equipment of the embodiment of the invention inserts the method for 2G/3G network.Wherein referring to Fig. 1,2G/3G server net is SGSN.As shown in figure 11, the method for this SIM card subscriber equipment access 2G/3G network comprises the steps:
Step 1101, SGSN receive the NAS message of the initiation layer 3 that the SIM card subscriber equipment sends;
This NAS message is specifically as follows: adhere to request (ATTACH request) message or routing region updating request (RAU request) message;
Step 1102, SGSN send the authorization data request message to HSS;
After step 1103, HSS receive the authorization data request message of SGSN transmission, be the SIM card subscriber equipment, then generate tlv triple AV or five-tuple AV if detect; Concrete operations are as follows:
Wherein tlv triple AV comprises: { random number (RAND), expectation challenge responses (SRES), key parameter (Kc) }, five-tuple AV comprises: { RAND, expectation challenge responses (XRES), Integrity Key (IK), encryption key (CK), authentication parameter (AUTN) }.With reference to figure 4, comprising:
A) HSS at first generates the tlv triple AV{RAND of SIM card subscriber equipment, SRES, and Kc}, concrete steps are as follows:
11031a, HSS produce the random number RA ND that length is 16 bytes earlier;
11032a, be input parameter with the shared key K i of RAND, SIM card and HSS, utilize the A3 algorithm generate the expectation challenge responses SRES=A3 that length is 4 bytes (Ki, RAND);
11033a, be input parameter with the shared key K i of RAND, SIM card and HSS, utilize the A8 algorithm generate the key parameter Kc=A8 that length is 8 bytes (Ki, RAND).
B) HSS further generates the five-tuple AV{RAND of SIM card subscriber equipment according to tlv triple AV, XRES, and IK, CK, AUTN}, concrete steps are as follows:
11031b, HSS adopt RAND among the tlv triple AV as the RAND among the five-tuple AV, and the series number SQN that to produce a length be 6 bytes;
11032b, to generate length according to Kc be 16 byte basis key K=C1 (Kc), wherein, C1 is a transfer function, and be input with parameter K, RAND, SQN and authentication management territory (AuthenticationManagement Field is called for short AMF), utilize the f1 algorithm to generate message authentication code (MessageAuthentication Code, be called for short MAC)=f1 (K, RAND, SQN, AMF);
For example calculating K is specially: the 0||Kc of K=8 byte, perhaps 0 of the K=Kc||8 byte, perhaps K=Kc||Kc;
11033b, be input with K, RAND, utilize the f5 algorithm generate authenticate key (AuthenticationKey is called for short AK)=f5 (K, RAND);
11034b, generation authentication parameter
The separation point position of AMF is 0 herein;
11035b, utilize the f3 algorithm generate encryption key CK=f3 (K, RAND), and utilize the f4 algorithm generate Integrity Key IK=f4 (K, RAND);
In addition, IK that generates among the 11035b and CK also can directly be produced by Kc, for example utilize c4 algorithm computation CK=c4 (Kc||Kc), utilize c5 algorithm computation IK=c5 (Kc1 xor Kc2||Kc||Kc1 xorKc2);
11036b, generation expectation challenge responses XRES=f2 (K, RAND);
In addition, the XRES that generates among the 11036b also can be directly according to A) in SRES generate, for example 0 of XRES=SRES||12 byte, the perhaps 0||SRES of XRES=12 byte, perhaps XRES=SRES1 xor SRES2||SRES||SRES1 xor SRES2||SRES1 xor SRES2||SRES||SRES1 xor SRES2 supposes that herein SRES=SRES1||SRES2 and SRESi are 2 bytes.
A in this step 1103) and B) can also finish before step 1102, promptly tlv triple AV and five-tuple AV can generate in advance.
Step 1104, HSS return the authorization data response message to SGSN, wherein comprise the tlv triple AV{RAND that generates in the above-mentioned steps 1103, SRES, Kc} or five-tuple AV{RAND, XRES, IK, CK, AUTN};
Particularly, HSS is last can be configured to send tlv triple AV or five-tuple AV for different SGSN, for example can be configured according to SGSN place network of network sign; When being configured to send tlv triple AV, then do not need to carry out top B) middle operation of calculating five-tuple AV authentication vector.
Step 1105, when SGSN receive when the five-tuple AV, this SGSN carries parameters R AND and AUTN in the subscription authentication request message that the SIM card subscriber equipment sends;
For the situation of SGSN reception tlv triple AV, same as the prior art, to not influence of the authentication parameter on SIM card subscriber equipment and the HSS.
After ME in step 1106, the SIM card subscriber equipment received the subscription authentication request message of SGSN transmission, what find insertion ME was SIM card, and then ME generates corresponding ternary group AV or five-tuple AV, wherein,
A) concrete operations of generation tlv triple AV are as follows:
11061, ME sends to SIM card to the RAND that receives;
11062, the SIM card utilization is calculated the SRES algorithm identical with Kc with HSS in the 11032a of step 1103 and 11033a, calculates SRES and Kc according to RAND and Ki, and Kc is sent to ME; Alternatively, SIM card can also send to ME with SRES, ME with SRES as user side challenge responses RES;
B) if need ME to generate five-tuple AV, the further operation that then generates five-tuple AV is as follows:
11063, ME takes the identical algorithm of HSS calculating K among the 11032b with step 1103, comes calculating K according to Kc;
11064, ME takes the HSS among the 11035b with step 1103 to calculate the IK algorithm identical with CK, calculates IK and CK;
11065, ME takes the HSS among the 11036b with step 1103 to calculate the identical algorithm of XRES, calculate RES=f2 (K, RAND); When needs calculated RES with SRES, then SIM card need send to ME with SRES in 11062.
Wherein, alternatively, between 11063 and 11064, can also comprise:
1106a, ME take the HSS among the 11033b with step 1103 to calculate the identical algorithm of AK, utilize the f5 algorithm to generate AK;
The message authentication code of 1106c, ME calculation expectation (expected Authentication Code is called for short XMAC)=f1K (SQN||RAND||AMF);
1106d, ME compare the XMAC and the MAC among the parameter A UTN of its calculating, if inconsistent, then return to the response message that authentication is refused in expression of SGSN; And/or whether ME checking sequence SQN within a suitable scope, if not, then send a synchronization failure response message to SGSN.
Step 1107, SIM card subscriber equipment send the subscription authentication response message to SGSN, wherein carry challenge responses RES;
Step 1108, SGSN are carried out authentication by RES relatively and the SRES that obtains from HSS or XRES be whether consistent to UE, if both unanimities, then authentication successfully;
Step 1109, SGSN send the NAS response message of initiation layer 3 to UE, and so far the SIM card subscriber equipment can be linked in the 2G/3G network.
The SIM card subscriber equipment that present embodiment provides inserts the method for 2G/3G network, using tlv triple AV authentication to insert 2G network and usim card user existing SIM card user uses five-tuple AV authentication to insert 3G network to combine, re-construct a kind of five-tuple AV that produces according to tlv triple AV, make and use the UE of SIM card not only can insert the 2G network but also can insert 3G network, guaranteed that the SIM card subscriber equipment inserts the fail safe of 2G/3G network.
Figure 12 is the structural representation of the mobile management entity of the embodiment of the invention.As shown in figure 12, this mobile management entity (MME) comprising: first receiver module 121, second receiver module 122, authentication module 123 and first sending module 124.Wherein, first receiver module 121 is used to receive the four-tuple authentication vector AV corresponding with the SIM card subscriber equipment that home subscriber server HSS generates, and described four-tuple AV comprises random number and expectation challenge responses; First sending module 124 is used for sending authentication request message to described SIM card subscriber equipment, comprises the random number among the described four-tuple AV in the described authentication request message; Second receiver module 122 is used for receiving the user side challenge responses of SIM card subscriber equipment according to the random number generation of four-tuple AV; Authentication module 123 is used for the expectation challenge responses of the four-tuple AV that comparison authentication first receiver module 121 receives and the user side challenge responses that second receiver module 122 receives, if the expectation challenge responses is consistent with the user side challenge responses, and then authentication success.
The specific implementation of the mobile management entity that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.Authentication process when the mobile management entity that present embodiment provides can be realized SIM card subscriber equipment cut-in evolution network.
Figure 13 is the structural representation of the SIM card subscriber equipment of the embodiment of the invention.As shown in figure 13, this SIM card subscriber equipment comprises: the 3rd receiver module 131, first generation module 132 and second sending module 133.Wherein, the 3rd receiver module 131 is used to receive the authentication request message that MME sends, and described authentication request message comprises the random number among the described four-tuple AV; The random number that first generation module 132 is used for the four-tuple AV that receives according to the 3rd receiver module 131 generates the user side challenge responses; Second sending module 133 is used to send authentication response message to described MME, comprise the described user side challenge responses that described first generation module 132 generates in the described authentication response message, make described MME carry out authentication to described SIM card subscriber equipment according to described user side challenge responses with from the expectation challenge responses that home subscriber server HSS receives.
This SIM card subscriber equipment can also comprise: first preserves module 134.Wherein, first generation module 132 also is used for generating encryption key and integrity protection key among the five-tuple AV according to the encryption key of tlv triple AV, and then further generates the root key among the four-tuple AV; First preserves the non-access signaling security context of evolved packet system that module 134 is used for the root key that first generation module 132 generates is kept at the SIM card subscriber equipment.
The specific implementation of the SIM card subscriber equipment that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.Authentication process when the SIM card subscriber equipment that present embodiment provides can be realized SIM card subscriber equipment cut-in evolution network.
Figure 14 is another structural representation of the mobile management entity of the embodiment of the invention.As shown in figure 14, this mobile management entity (MME) comprising: the 4th receiver module 141, second generation module 142 and the first signaling protection module 143.Wherein, the 4th receiver module 141 is used for receiving the encryption key that comprises tlv triple authentication vector AV of Serving GPRS Support Node SGSN transmission or the message of encryption key among the five-tuple AV and integrity protection key; Second generation module 142 is used for the encryption key of the described tlv triple AV that receives according to described the 4th receiver module 141 or the encryption key among the five-tuple AV and integrity protection key and generates non-access signaling NAS encryption key and NAS integrity protection key; Described NAS encryption key and NAS integrity protection key that the first signaling protection module 143 is used to adopt described second generation module 142 to generate are protected the signaling that sends to subscriber identity module SIM card subscriber equipment.
The specific implementation of the mobile management entity that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.When the mobile management entity that present embodiment provides can realize that the SIM card subscriber equipment moves to evolvement network to the processing of key.
Figure 15 is another structural representation of the SIM card subscriber equipment of the embodiment of the invention.As shown in figure 15, this SIM card subscriber equipment comprises: the 5th receiver module the 151, the 3rd generates the module 152 and the second signaling protection module 153.Wherein, the 5th receiver module 151 is used to receive switching command message or tracing area reception message message; The 3rd generates module 152 is used for generating non-access signaling NAS encryption key and NAS integrity protection key according to the encryption key of tlv triple authentication vector AV; The second signaling protection module 153 is used to adopt the 3rd NAS encryption key and the NAS integrity protection key that generates module 152 generations that the signaling that sends to described MME is protected.。
The described the 3rd generates module 152 specifically is used for generating encryption key and integrity protection key among the five-tuple AV according to the encryption key of tlv triple AV; and then further generate root key among the four-tuple AV, and then further generate NAS encryption key and NAS integrity protection key
The specific implementation of the SIM card subscriber equipment that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.When the SIM card subscriber equipment that present embodiment provides can realize that the SIM card subscriber equipment moves to evolvement network to the processing of key.
Figure 16 is the another structural representation of the mobile management entity of the embodiment of the invention.As shown in figure 16, this mobile management entity (MME) comprising: the 4th generation module 161 and the 3rd sending module 162.Wherein, the 4th generation module 161 is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV; The 3rd sending module 162 is used for sending to Serving GPRS Support Node SGSN with carrying the integrity protection key of the described five-tuple AV that described the 4th generation module 161 generates and the message of the encryption key among encryption key or the tlv triple AV, makes encryption key among the five-tuple AV that described SGSN generates according to described MME and the encryption key among integrity protection key or the tlv triple AV protect the signaling that sends to subscriber identity module SIM card subscriber equipment.
The specific implementation of the mobile management entity that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.The mobile management entity that present embodiment provides can be realized the processing to key when evolvement network shifts out of SIM card subscriber equipment.
Figure 17 is the another structural representation of the SIM card subscriber equipment of the embodiment of the invention.As shown in figure 17, this SIM card subscriber equipment comprises: the 6th receiver module 171, the 5th generation module 172 and the 3rd signaling protection module 173.Wherein, the 6th receiver module 171 is used to receive switching command message or tracing area reception message; The 5th generation module 172 is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV; The 3rd signaling protection module 173, the encryption key and the encryption key among integrity protection key or the tlv triple AV that are used for the five-tuple AV that generates according to the 5th generation module 172 carry out the signaling protection.
The specific implementation of the SIM card subscriber equipment that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.The SIM card subscriber equipment that present embodiment provides can be realized the processing to key when evolvement network shifts out of SIM card subscriber equipment.
Figure 18 is the structural representation of the gradual network system of the embodiment of the invention.As shown in figure 18, this gradual network system comprises: as Figure 12, Figure 14 or the described mobile management entity of Figure 16 (MME) 18, this MME18 is used for the SIM card subscriber equipment that is linked into gradual network system is carried out authentication process, perhaps the SIM card subscriber equipment that moves to gradual network system or shift out described gradual network system is carried out key handling.
The specific implementation of the gradual network system that present embodiment provides does not repeat them here as described in the above-mentioned method embodiment.The gradual network system that present embodiment provides can be realized the authentication process of SIM card subscriber equipment cut-in evolution network, the SIM card subscriber equipment move to evolvement network or when evolvement network shifts out to the processing of key.
One of ordinary skill in the art will appreciate that all or part of flow process that realizes in the foregoing description method, be to instruct relevant hardware to finish by computer program, described program can be stored in a computer and can obtain in the storage medium, this program can comprise the flow process as the embodiment of above-mentioned each side method when carrying out.Wherein, described storage medium can be magnetic disc, CD, read-only storage memory body (Read-OnlyMemory, ROM) or at random store memory body (Random Access Memory, RAM) etc.
It should be noted that at last: above embodiment only in order to technical scheme of the present invention to be described, is not intended to limit; Although with reference to previous embodiment the present invention is had been described in detail, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these modifications or replacement do not make the essence of appropriate technical solution break away from the spirit and scope of various embodiments of the present invention technical scheme.
Claims (16)
1. the method for a subscriber identity module SIM card subscriber equipment cut-in evolution network is characterized in that, comprising:
Mobile management entity MME sends the authorization data request message to home subscriber server HSS, so that described HSS generates five-tuple AV according to tlv triple AV, and generates and the corresponding four-tuple AV of described SIM card subscriber equipment according to described five-tuple AV; Described tlv triple AV comprises random number RA ND, expectation challenge responses SRES and encryption key Kc, described five-tuple AV comprises RAND, expectation challenge responses XRES, integrity protection key IK, encryption key CK and authentication parameter AUTN, and described four-tuple AV comprises RAND, AUTN, XRES and root key Kasme;
MME receives the four-tuple authentication vector AV corresponding with the SIM card subscriber equipment that HSS generates;
MME sends authentication request message to described SIM card subscriber equipment, comprises the random number among the described four-tuple AV in the described authentication request message;
MME receives the user side challenge responses that described SIM card subscriber equipment generates according to the random number among the described four-tuple AV;
If the expectation challenge responses among the described four-tuple AV that receives is consistent with described user side challenge responses, then authentication success.
2. method according to claim 1 is characterized in that, comprises before the four-tuple AV corresponding with the SIM card subscriber equipment that described reception HSS generates:
Described HSS receives the authorization data request message that mobile management entity MME sends;
Described HSS generates five-tuple AV according to tlv triple AV, and generates the described four-tuple AV corresponding with described SIM card subscriber equipment according to described five-tuple AV;
Described HSS sends the authorization data response message to described MME, and described authorization data response message comprises described four-tuple AV.
3. method according to claim 1 is characterized in that, described SIM card subscriber equipment generates the user side challenge responses according to the random number among the described four-tuple AV and comprises:
Described SIM card subscriber equipment according to the encryption key formation base key among the described tlv triple AV, generates described user side challenge responses according to described random number and foundation key according to the encryption key among described random number and the shared key generation tlv triple AV; Or,
Described SIM card subscriber equipment generates the expectation challenge responses according to described random number and shared key, and generates described user side challenge responses according to the expectation challenge responses that self generates.
4. method according to claim 1 is characterized in that, described method also comprises:
Described SIM card subscriber equipment is according to the encryption key among described random number and the shared key generation tlv triple AV;
Described SIM card subscriber equipment is according to integrity protection key and encryption key among the generation of the encryption key among the described tlv triple AV five-tuple AV;
Described SIM card subscriber equipment generates root key among the described four-tuple AV according to the integrity protection key among the described five-tuple AV and encryption key.
5. a subscriber identity module SIM card subscriber equipment moves to the method for evolvement network, it is characterized in that, comprising:
Mobile management entity MME receives that Serving GPRS Support Node SGSN sends comprises the encryption key among the tlv triple authentication vector AV or the message of encryption key among the five-tuple AV and integrity protection key, and generates non-access signaling NAS encryption key and NAS integrity protection key according to the key that receives;
Described SIM card subscriber equipment generates NAS encryption key and NAS integrity protection key according to the encryption key among the tlv triple AV in the described SIM card subscriber equipment after receiving switching command message or tracing area reception message;
Described MME adopts the NAS encryption key of its generation and NAS integrity protection key that the signaling that sends to the SIM card subscriber equipment is protected, and described SIM card subscriber equipment adopts the NAS encryption key of its generation and NAS integrity protection key that the signaling that sends to MME is protected.
6. method according to claim 5 is characterized in that,
When described MME received encryption key among the described tlv triple AV that described SGSN sends, the key that described basis receives generated the NAS encryption key and NAS integrity protection key comprises:
Described MME is according to encryption key and integrity protection key among the generation of the encryption key among the described tlv triple AV five-tuple AV;
Described MME is according to the root key among encryption key among the described five-tuple AV and the integrity protection key generation four-tuple AV;
Described MME generates described NAS encryption key and NAS integrity protection key according to the root key among the described four-tuple AV;
When described MME received encryption key among the described five-tuple AV that described SGSN sends and integrity protection key, the key that described basis receives generated the NAS encryption key and NAS integrity protection key comprises:
Described MME is according to the root key among encryption key among the described five-tuple AV and the integrity protection key generation four-tuple AV;
Described MME generates described NAS encryption key and NAS integrity protection key according to the root key among the described four-tuple AV.
7. method according to claim 5 is characterized in that, described SIM card subscriber equipment generates described NAS encryption key according to the encryption key among the tlv triple AV in the described SIM card subscriber equipment and NAS integrity protection key comprises:
Described SIM card subscriber equipment is according to encryption key and integrity protection key among the generation of the encryption key among the described tlv triple AV five-tuple AV;
Described SIM card subscriber equipment is according to the root key among encryption key among the described five-tuple AV and the integrity protection key generation four-tuple AV;
Described SIM card subscriber equipment generates described NAS encryption key and NAS integrity protection key according to the root key among the described four-tuple AV.
8. a subscriber identity module SIM card subscriber equipment is characterized in that from the method that evolvement network shifts out, and comprising:
Mobile management entity MME is according to encryption key among the generation of the root key among the four-tuple authentication vector AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Described MME will comprise encryption key among the described five-tuple AV and the message of the encryption key among integrity protection key or the described tlv triple AV sends to Serving GPRS Support Node SGSN;
After described SIM card subscriber equipment receives switching command message or tracing area reception message, according to encryption key among the generation of the root key among the four-tuple AV five-tuple AV and the encryption key among integrity protection key or the tlv triple AV;
Described SIM card subscriber equipment is protected the signaling that sends to network equipment according to encryption key among the five-tuple AV that self generates and the encryption key among integrity protection key or the tlv triple AV, and described network equipment is protected the signaling that sends to described SIM card subscriber equipment according to encryption key among the five-tuple AV of described MME generation and the encryption key among integrity protection key or the tlv triple AV.
9. method according to claim 8 is characterized in that,
In the 2G network; described network equipment is described SGSN, and then described network equipment comprises the signaling protection that sends to described SIM card subscriber equipment according to encryption key among the five-tuple AV of described MME generation and the encryption key among integrity protection key or the tlv triple AV:
Described SGSN protects the signaling that sends to the SIM card subscriber equipment according to the encryption key the tlv triple AV that receives from described MME; Or,
Described SGSN protects the signaling that sends to the SIM card subscriber equipment according to the encryption key among the described tlv triple AV that generates according to the encryption key among encryption key the five-tuple AV that receives from MME and the integrity protection key generation tlv triple AV;
Or,
In 3G network, described network equipment is a radio network controller (RNC), then also comprises after the message that described MME will comprise encryption key among the described five-tuple AV and the encryption key among integrity protection key or the described tlv triple AV sends to SGSN:
Encryption key and integrity protection key among the five-tuple AV that described SGSN generates with the encryption key among the described five-tuple AV and integrity protection key or according to the encryption key among the described tlv triple AV send to described RNC;
Then described network equipment comprises the signaling protection that sends to described SIM card subscriber equipment according to encryption key among the five-tuple AV of described MME generation and the encryption key among integrity protection key or the tlv triple AV:
Described RNC protects the signaling that sends to the SIM card subscriber equipment according to encryption key and integrity protection key the five-tuple AV that receives from described SGSN.
10. method according to claim 8 is characterized in that, described MME comprises according to the encryption key that the root key among the four-tuple AV generates among the tlv triple AV:
Described MME is according to encryption key and integrity protection key among the generation of the root key among the described four-tuple AV five-tuple AV;
Described MME generates encryption key among the described tlv triple AV according to the encryption key among the described five-tuple AV and integrity protection key.
11. method according to claim 8 is characterized in that, described SIM card subscriber equipment comprises according to the encryption key that the root key among the four-tuple AV generates among the tlv triple AV:
Described SIM card subscriber equipment is according to encryption key and integrity protection key among the generation of the root key among the described four-tuple AV five-tuple AV;
Described SIM card subscriber equipment generates encryption key among the described tlv triple AV according to the encryption key among the described five-tuple AV and integrity protection key.
12. a subscriber identity module SIM card subscriber equipment is characterized in that, comprising:
The 3rd receiver module, be used to receive the authentication request message that mobile management entity MME sends, described authentication request message comprises that home subscriber server HSS generates five-tuple AV according to tlv triple AV, and according to the random number among the described five-tuple AV generation four-tuple AV corresponding with described SIM card subscriber equipment;
First generation module, the random number that is used for the described four-tuple AV that receives according to described the 3rd receiver module generates the encryption key Kc among the tlv triple AV, generates the user side challenge responses according to Kc again;
Second sending module, be used to send authentication response message to described MME, comprise the described user side challenge responses that described first generation module generates in the described authentication response message, make described MME carry out authentication to described SIM card subscriber equipment according to described user side challenge responses with from the expectation challenge responses that home subscriber server HSS receives.
13. a mobile management entity MME is characterized in that, comprising:
The 4th receiver module is used for receiving the encryption key that comprises tlv triple authentication vector AV of Serving GPRS Support Node SGSN transmission or the message of encryption key among the five-tuple AV and integrity protection key;
Second generation module is used for the encryption key of the described tlv triple AV that receives according to described the 4th receiver module or the encryption key among the five-tuple AV and integrity protection key and generates non-access signaling NAS encryption key and NAS integrity protection key;
The first signaling protection module, the described NAS encryption key and the NAS integrity protection key that are used to adopt described second generation module to generate are protected the signaling that sends to subscriber identity module SIM card subscriber equipment.
14. a subscriber identity module SIM card subscriber equipment is characterized in that, comprising:
The 5th receiver module is used to receive switching command message or tracing area and receives message;
The 3rd generates module, is used for generating non-access signaling NAS encryption key and NAS integrity protection key according to the encryption key of tlv triple authentication vector AV;
The second signaling protection module is used to adopt the described the 3rd described NAS encryption key and the NAS integrity protection key that generates the module generation that the signaling that sends to described MME is protected.
15. a mobile management entity MME is characterized in that, comprising:
The 4th generation module is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV;
The 3rd sending module; be used for to carry the integrity protection key of the described five-tuple AV that described the 4th generation module generates and the message of the encryption key among encryption key or the tlv triple AV and send to Serving GPRS Support Node SGSN, make encryption key among the five-tuple AV that described SGSN generates according to described MME and the encryption key among integrity protection key or the tlv triple AV protect the signaling that sends to subscriber identity module SIM card subscriber equipment.
16. a subscriber identity module SIM card subscriber equipment is characterized in that, comprising:
The 6th receiver module is used to receive switching command message or tracing area and receives message;
The 5th generation module is used for according to integrity protection key and encryption key among the root key generation five-tuple AV of four-tuple authentication vector AV; Or, according to integrity protection key and the encryption key among the generation of the root key among the four-tuple AV five-tuple AV, according to the encryption key among integrity protection key among the five-tuple AV and the encryption key generation tlv triple AV;
The 3rd signaling protection module is used for the encryption key of the five-tuple AV that generates according to the 5th generation module and the encryption key among integrity protection key or the tlv triple AV signaling that sends to RNC or SGSN is protected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009101522012A CN101600205B (en) | 2009-07-10 | 2009-07-10 | Method and related device for accessing SIM card user equipment to evolution network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009101522012A CN101600205B (en) | 2009-07-10 | 2009-07-10 | Method and related device for accessing SIM card user equipment to evolution network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101600205A CN101600205A (en) | 2009-12-09 |
CN101600205B true CN101600205B (en) | 2011-05-04 |
Family
ID=41421398
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009101522012A Expired - Fee Related CN101600205B (en) | 2009-07-10 | 2009-07-10 | Method and related device for accessing SIM card user equipment to evolution network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101600205B (en) |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102111669B (en) * | 2009-12-24 | 2012-12-12 | 中国移动通信集团公司 | Method, device and system for mobile television authentication |
CN101715188B (en) * | 2010-01-14 | 2015-11-25 | 中兴通讯股份有限公司 | A kind of update method of air interface key and system |
CN101854630A (en) * | 2010-05-25 | 2010-10-06 | 中兴通讯股份有限公司 | Method, system and user equipment for realizing card authentication |
CN102378174A (en) * | 2010-08-25 | 2012-03-14 | 大唐移动通信设备有限公司 | Access method, device and system of user terminal of SIM (Subscriber Identity Module) card |
CN102158861A (en) * | 2011-03-18 | 2011-08-17 | 钱袋网(北京)信息技术有限公司 | Expansion card, encryption card, mobile terminal, communication data receiving and transmitting method and equipment |
CN103188669B (en) * | 2011-12-28 | 2016-09-14 | 中国电信股份有限公司 | 2G or 3G mobile card is made to access the method for LTE network, system and mobile terminal |
CN103188671B (en) * | 2011-12-28 | 2016-08-03 | 中国电信股份有限公司 | HRPD Mobile phone card is made to access the method for eHRPD network, system and mobile terminal |
CN103702328B (en) * | 2012-09-28 | 2017-11-21 | 中国电信股份有限公司 | UIM clampings enter the authentication method and system of EPC networks |
CN103781069B (en) * | 2012-10-19 | 2017-02-22 | 华为技术有限公司 | Bidirectional-authentication method, device and system |
CN103796202A (en) * | 2012-11-01 | 2014-05-14 | 中国电信股份有限公司 | Network access method and system, terminal, access network equipment and core network equipment |
WO2014109283A1 (en) * | 2013-01-10 | 2014-07-17 | Nec Corporation | Mtc key management for key derivation at both ue and network |
CN105075306B (en) * | 2013-01-22 | 2019-05-28 | 华为技术有限公司 | The method and the network equipment of the safety certification of mobile communication system |
WO2014113920A1 (en) * | 2013-01-22 | 2014-07-31 | 华为技术有限公司 | Method and network device for security authentication of mobile communication system |
CN103929735B (en) * | 2014-04-08 | 2017-06-20 | 华为技术有限公司 | Method, device and the user equipment of safe context are updated in user equipment |
CN105813006B (en) * | 2014-12-30 | 2019-06-25 | 中国移动通信集团公司 | A kind of information upgrade method, terminal device, network management device and system |
EP3285512A1 (en) * | 2016-08-17 | 2018-02-21 | Gemalto Sa | Authentication server of a cellular telecommunication network and corresponding uicc |
CN107333263B (en) * | 2017-06-12 | 2021-03-02 | 浙江神州量子网络科技有限公司 | Improved SIM card and mobile communication identity recognition method and system |
CN109699028B (en) | 2017-10-23 | 2020-08-25 | 华为技术有限公司 | Method, device and system for generating secret key |
CN109756896B (en) * | 2017-11-02 | 2022-04-29 | 中国移动通信有限公司研究院 | Information processing method, network equipment and computer readable storage medium |
CN109788480B (en) | 2017-11-14 | 2021-01-05 | 华为技术有限公司 | Communication method and device |
CN110461015B (en) * | 2018-05-07 | 2021-11-19 | 中国移动通信有限公司研究院 | Method and equipment for network switching |
JP2022544374A (en) * | 2019-08-16 | 2022-10-18 | アイディーエーシー ホールディングス インコーポレイテッド | Registration and Security Enhancement for WTRUs with Multiple USIMs |
EP4013091A4 (en) * | 2019-08-18 | 2022-08-31 | Huawei Technologies Co., Ltd. | Communication method and apparatus |
CN112995090B (en) * | 2019-12-02 | 2022-11-08 | 中国电信股份有限公司 | Authentication method, device and system for terminal application and computer readable storage medium |
CN111526503B (en) * | 2020-04-29 | 2022-06-24 | 中国电子科技集团公司第五十四研究所 | Authentication method and system for GEO satellite Internet of things |
-
2009
- 2009-07-10 CN CN2009101522012A patent/CN101600205B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101600205A (en) | 2009-12-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101600205B (en) | Method and related device for accessing SIM card user equipment to evolution network | |
US11418325B2 (en) | Key processing method in dual connectivity mode and device | |
US11863982B2 (en) | Subscriber identity privacy protection against fake base stations | |
US20220150062A1 (en) | Method, device, and system for deriving keys | |
JP4976548B2 (en) | Method, system, and apparatus for negotiating security functions when a terminal moves | |
KR101463671B1 (en) | Local security key update at a wireless communication device | |
US20080039096A1 (en) | Apparatus, method and computer program product providing secure distributed HO signaling for 3.9G with secure U-plane location update from source eNB | |
US20100166184A1 (en) | Method of handling security configuration in wireless communications system and related communication device | |
EP2205014A2 (en) | Method of handling inter-system handover security in wireless communications system and related communication device | |
JP4390842B1 (en) | Mobile communication method, radio base station, and mobile station | |
CN101516089B (en) | Switching method and system | |
CN102158855B (en) | Method of handling security in srvcc handover and related communication device | |
US20110222690A1 (en) | Method and system for deriving keys | |
CN103781069B (en) | Bidirectional-authentication method, device and system | |
WO2007110748A2 (en) | Apparatus, method and computer program product providing unified reactive and proactive handovers | |
US8938071B2 (en) | Method for updating air interface key, core network node and radio access system | |
KR20180066899A (en) | Method and system for generating session key using Diffie-Hellman procedure | |
WO2012009972A1 (en) | Key distribution method and system for handover | |
CN113170369A (en) | Method and apparatus for security context handling during an intersystem change | |
CN102595397B (en) | Method and device for avoiding out-of-step of network security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20110504 |
|
CF01 | Termination of patent right due to non-payment of annual fee |