CN101605324A - Method, apparatus and system for algorithm negotiation - Google Patents

Method, apparatus and system for algorithm negotiation

Publication number: CN101605324A (granted version: CN101605324B)
Application number: CNA2008101608521A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 陈璟, 庄小君, 杨艳梅, 张爱琴
Assignee (original and current): Huawei Technologies Co Ltd
Related PCT application: PCT/CN2009/072237, published as WO2009149666A1
Legal status: granted; active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved


Abstract

The embodiments of the invention disclose a method for algorithm negotiation. The network side obtains information on the algorithms that the user equipment (UE) supports for deriving the key K_ASME; it selects an algorithm according to the algorithms supported by the UE and by the Home Subscriber Server (HSS); and it uses the selected algorithm as the algorithm for deriving K_ASME between the UE and the HSS. In this way the key derivation algorithm is negotiated between the HSS and the UE. The invention also discloses an apparatus and a system for algorithm negotiation.

Description

Method, apparatus and system for algorithm negotiation
Technical field
The present invention relates to wireless communication technology, and in particular to a method, apparatus and system for algorithm negotiation.
Background
3GPP (Third Generation Partnership Project) has defined the third-generation wireless communication network standard UMTS (Universal Mobile Telecommunications System). To keep 3GPP competitive in the future, vendors are currently working within 3GPP on EPS (Evolved Packet System).
In the EPS key hierarchy, the USIM (UMTS Subscriber Identity Module) and the AuC (Authentication Centre) on the network side share a key K. The USIM and the AuC derive the cipher key CK and the integrity key IK from the shared key K, and the AuC sends CK and IK to the HSS (Home Subscriber Server). The UE (User Equipment) and the HSS derive K_ASME from CK and IK. The algorithm used between the UE and the HSS to derive K_ASME is fixed by default; below, the algorithm for deriving K_ASME is referred to simply as the key derivation algorithm.
In the course of making the invention, the inventors found at least the following problem in the prior art: as the HSS and UEs are upgraded, the HSS and UEs from different manufacturers may support several more secure algorithms for deriving K_ASME, yet in the prior art the algorithm for deriving K_ASME between the UE and the HSS is fixed by default, so the need to support multiple key derivation algorithms is hard to meet.
Summary of the invention
The embodiments of the invention provide a method, apparatus and system for algorithm negotiation, so that the key derivation algorithm used between the HSS and the UE can be negotiated.
An embodiment discloses a method for algorithm negotiation comprising: the network side obtains information on the algorithms the UE supports for deriving the key K_ASME; an algorithm is selected according to the algorithms supported by the UE and by the Home Subscriber Server HSS; and the selected algorithm is used as the algorithm for deriving K_ASME between the UE and the HSS.
An embodiment discloses a network device comprising: a transceiver unit, for obtaining information on the algorithms the UE supports for deriving K_ASME; and a selection unit, for selecting an algorithm according to the algorithms supported by the UE and the HSS, and for using the selected algorithm as the algorithm for deriving K_ASME between the UE and the HSS.
An embodiment discloses a user equipment for algorithm negotiation comprising: a transceiver unit, for sending to a network device the information on the algorithms this UE supports for deriving K_ASME, and for receiving the information on the selected algorithm that the network device sends after making its selection.
An embodiment discloses a network device for algorithm negotiation comprising: a transceiver unit, for obtaining information on the algorithms the UE supports for deriving K_ASME; and a selection unit, for selecting an algorithm according to the algorithms supported by the UE and the HSS, and for using the selected algorithm as the algorithm for deriving K_ASME between the UE and the HSS.
An embodiment discloses a system for algorithm negotiation comprising: a user equipment, for sending to a network device the information on the algorithms it supports for deriving K_ASME, and for receiving the information on the selected algorithm that the network device sends after selection; and a network device, for obtaining the information on the algorithms the UE supports for deriving K_ASME, selecting an algorithm according to that information, and sending the information on the selected algorithm to the UE.
Compared with the prior art, the technical solutions above have the following advantage or beneficial effect:
In the embodiments of the invention, the network side obtains the information on the algorithms the UE supports for deriving K_ASME, selects an algorithm according to the algorithms supported by the UE and the HSS, and uses the selected algorithm as the algorithm for deriving K_ASME between the UE and the HSS. The algorithm is thereby negotiated between the HSS and the UE, which makes flexible selection of the key derivation algorithm possible.
Brief description of the drawings
Fig. 1 is a flow chart of the algorithm negotiation method provided by an embodiment of the invention;
Fig. 2 is a flow chart of the algorithm negotiation method provided by embodiment 1;
Fig. 3 is a flow chart of the algorithm negotiation method provided by embodiment 2;
Fig. 4 is a schematic diagram of one way in which the HSS sets the selected algorithm in the AV in embodiment 2;
Fig. 5 is a flow chart of the algorithm negotiation method provided by embodiment 3;
Fig. 6 is a flow chart of the algorithm negotiation method provided by embodiment 4;
Fig. 7 is the network architecture diagram for the application scenario of embodiment 5;
Fig. 8 is a diagram of an algorithm negotiation system and apparatus according to an embodiment of the invention;
Fig. 9 is a diagram of another algorithm negotiation system and apparatus according to an embodiment of the invention;
Fig. 10 is a schematic diagram of a network device provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the invention clearer, the embodiments are described in further detail below with reference to the drawings.
An embodiment of the invention provides a method for algorithm negotiation, comprising:
Step a: the network side obtains information on the algorithms the user equipment supports for deriving the key K_ASME;
Step b: an algorithm is selected according to the algorithms supported by the user equipment and by the Home Subscriber Server HSS;
Step c: the selected algorithm is used as the algorithm for deriving K_ASME between the user equipment and the HSS.
An embodiment of the invention provides a method for algorithm negotiation as shown in Fig. 1:
In step 101, the HSS obtains information on the algorithms the user equipment supports;
In step 102, the HSS selects an algorithm according to the algorithms the user equipment supports;
In step 103, the HSS sends information on the selected algorithm to the user equipment.
The algorithm information can specifically be information on the algorithms for deriving K_ASME. The HSS can obtain the information on the key derivation algorithms the user equipment supports, and send the information on the selected algorithm, via the MME (Mobility Management Entity) and the base station.
Fig. 2 shows the flow of the algorithm negotiation method provided by embodiment 1, comprising:
Step 201: the UE sends an Attach/TAU Request (attach or tracking area update request) to the eNB (evolved NodeB); this Attach/TAU Request carries the information on the key derivation algorithms the UE supports.
One concrete way of carrying it is the following: since the Attach/TAU Request already carries the UE's temporary identity and capability information such as UE Network Capability, the information on the key derivation algorithms the UE supports can be carried inside the UE's capability information.
Step 202: after receiving the Attach/TAU Request, the eNB forwards the message to the MME.
Step 203: the MME decides to trigger an AKA (Authentication and Key Agreement) procedure.
Step 204: during the AKA procedure, the MME sends an Authentication Data Request to the HSS; this Authentication Data Request carries the information on the key derivation algorithms the UE supports.
The Authentication Information Request that the MME sends to the HSS contains a Requesting Node Type IE (Information Element). This IE indicates the type of node requesting the authentication vector, such as MME, SGSN or MME/SGSN. The IE can be extended, for example by 4 bits representing the algorithms the UE supports: 0001 means algorithm 1 is supported; 0011 means algorithms 1 and 2; 0111 means algorithms 1, 2 and 3; 1111 means all four of algorithms 1, 2, 3 and 4.
It should be noted that algorithm 1, algorithm 2, algorithm 3 and algorithm 4 stand for four different supported algorithms and are used only to make the explanation easier to follow; they do not limit the scope of the embodiments. Some systems may not use these algorithm kinds or names, but that does not mean the technical solutions of the embodiments are inapplicable to those systems.
Step 205: the HSS selects one of the key derivation algorithms the UE supports.
Step 206: during the AKA procedure, the information on the algorithm selected in step 205 is sent to the MME in the Authentication Data Response message.
Step 207: after receiving the authentication data response from the HSS, the MME carries out the remaining AKA procedure with the UE.
Step 208: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is set up between the MME and the UE. The MME sends a NAS SMC message to the UE via the eNB; this message carries the information on the key derivation algorithm selected by the HSS.
Step 209: after receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over the RRC bearer; the UE obtains the information on the key derivation algorithm selected by the HSS from the NAS SMC message.
It is worth noting that, because the eNB could tamper with the UE's algorithm information, the network side must return the UE's supported algorithms to the UE so that the UE can verify them. This can be done in two ways: in step 208, the MME places the UE-supported algorithms it received in step 202 into the NAS SMC message sent to the UE; or, in step 205, the HSS uses any 4 bits of the AMF (Authentication Management Field) in the AV (Authentication Vector) to carry the UE-supported algorithms it received from the MME in step 204, and these reach the UE through steps 206 and 207.
The AMF is the authentication management field contained in the AUTN (authentication token) of the AV (Authentication Vector); it is included in the authentication data response of step 206 and sent to the MME.
In this embodiment, the UE reports the information on its supported key derivation algorithms to the HSS, and the HSS chooses among those algorithms and feeds its choice back to the UE. This establishes an algorithm negotiation mechanism between the UE and the HSS, allows the key derivation algorithm to be selected flexibly, and requires few changes to the uplink interface protocol between the MME and the HSS compared with the prior art.
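The exchange of embodiment 1, as an added example that is not part of the patent: the UE's supported set is packed into the 4-bit extension of the Requesting Node Type IE exactly as the table above describes (0001, 0011, 0111, 1111), the HSS picks from that set, and the UE then checks the capability field echoed back in the NAS SMC against what it sent, which is the bidding-down check the note above calls for. The HSS's own supported set and preference order, and the `on_path` hook that stands in for a forwarding (or tampering) eNB, are assumptions for the example. In EPS the NAS SMC is integrity protected, which is what makes the echo trustworthy; the MAC itself is not modelled.

```python
from dataclasses import dataclass

# 4-bit extension of the Requesting Node Type IE (embodiment 1, step 204).
# Bit i (counting from the least significant bit) set => "algorithm i+1"
# is supported, which reproduces the patent's table:
#   0001 -> {1}, 0011 -> {1, 2}, 0111 -> {1, 2, 3}, 1111 -> {1, 2, 3, 4}.
ALG_BITS = {1: 0b0001, 2: 0b0010, 3: 0b0100, 4: 0b1000}
FIELD_MASK = 0b1111


def encode_ue_algs(algs):
    """UE side: pack the set of supported algorithm ids into the 4-bit field."""
    mask = 0
    for a in algs:
        mask |= ALG_BITS[a]          # KeyError for an id outside 1..4
    return mask


def decode_ue_algs(mask):
    """HSS/MME side: unpack the field; reject anything wider than 4 bits."""
    if mask & ~FIELD_MASK:
        raise ValueError("Requesting Node Type extension is only 4 bits wide")
    return {a for a, bit in ALG_BITS.items() if mask & bit}


# HSS configuration (assumed for this example): what it implements and how
# it ranks the options, most secure first.
HSS_SUPPORTED = {1, 2, 4}
HSS_PREFERENCE = [4, 3, 2, 1]


def hss_select(ue_mask):
    """Step 205: choose the most preferred algorithm both sides support."""
    common = decode_ue_algs(ue_mask) & HSS_SUPPORTED
    for alg in HSS_PREFERENCE:
        if alg in common:
            return alg
    raise ValueError("UE and HSS share no K_ASME derivation algorithm")


@dataclass(frozen=True)
class NasSecurityModeCommand:
    """The two NAS SMC fields (step 208) this example cares about."""
    selected_alg: int
    echoed_ue_mask: int      # the UE capabilities as the network received them


def ue_verify_smc(sent_mask, smc):
    """Step 209: the UE accepts the selection only if the network echoes
    exactly the capability field it sent and picked something it offered."""
    if smc.echoed_ue_mask != sent_mask:
        return False                  # capabilities altered in transit
    return smc.selected_alg in decode_ue_algs(sent_mask)


def run_negotiation(ue_algs, on_path=lambda mask: mask):
    """Whole exchange. `on_path` stands for the eNB forwarding the
    Attach/TAU Request (step 202); a tampering eNB rewrites the mask.
    Returns (algorithm the HSS selected, whether the UE accepted it)."""
    sent = encode_ue_algs(ue_algs)
    received = on_path(sent)          # what the MME forwards to the HSS
    selected = hss_select(received)
    smc = NasSecurityModeCommand(selected_alg=selected, echoed_ue_mask=received)
    return selected, ue_verify_smc(sent, smc)


if __name__ == "__main__":
    print(run_negotiation({1, 2, 3, 4}))                              # (4, True)
    print(run_negotiation({1, 2, 3, 4}, on_path=lambda m: 0b0001))   # (1, False)
```

The second call models an eNB that strips the capability field down to "algorithm 1 only": the HSS duly selects algorithm 1, but because the MME echoes the field as received, the UE sees that it differs from what it sent and rejects the security mode command instead of silently running the weakest option.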
Fig. 3 shows the flow of the algorithm negotiation method provided by embodiment 2. The main difference from embodiment 1 is the way the HSS carries the information on the selected algorithm after choosing a key derivation algorithm. It comprises:
Steps 301, 302, 303 and 304 are identical to steps 201, 202, 203 and 204 of embodiment 1 and are not repeated here.
Step 305: after selecting one of the key derivation algorithms the UE supports, the HSS carries the information on the selected algorithm in the AV.
Specifically, one or several bits of the AMF contained in the AUTN of the AV can represent the selected algorithm.
At present the AMF has 16 bits. Bit 0 is specified as the separation bit; when set, it indicates that the AV is an SAE (EPS) AV. Bits 1 to 7 are reserved for standardization and bits 8 to 15 are for proprietary (private) use. A few of bits 8 to 15 can therefore be chosen to represent the key derivation algorithm, and the HSS indicates the algorithm by setting those bits. An illustration follows:
Fig. 4 shows one way in which the HSS sets the selected algorithm in the AV in step 305 of embodiment 2. Suppose the UE supports four key derivation algorithms A, B, C and D for the HSS to choose from, and has agreed with the HSS to represent them as 00, 01, 10 and 11 respectively. After the HSS chooses one of the four, it records the choice in the AMF by setting bits. For example, if the HSS selects algorithm A it can set bits 14 and 15 of the AMF to 0 and 0; if it sets bits 14 and 15 to 0 and 1, algorithm B has been selected.
It should be noted that the HSS can also agree other representations with the UE, for example depending on the number of algorithms the UE supports, or choose one or several other bits of the AMF to carry the selection result.
Step 306: during the AKA procedure, the HSS sends the AV carrying the information on the selected algorithm to the MME in the Authentication Data Response message.
Step 307: during the remaining AKA procedure, the MME and the eNB forward the AV to the UE, and the UE learns which algorithm the HSS selected from the bits set in the AMF of the AV.
It should be noted that Fig. 4 in embodiment 2 shows one case in which the HSS represents the selected algorithm by setting bits, and is only meant to make the explanation easier to follow. The algorithm kinds and names in Fig. 4, such as A, B, C, D and 00, 01, 10, 11, do not limit the scope of the embodiments; some systems may not use these algorithm kinds or names, but that does not mean the technical solutions of the embodiments are inapplicable to those systems.
It is worth noting that, because the eNB could tamper with the UE's algorithm information, the network side must return the UE's supported algorithms to the UE for verification. The return method is roughly the same as in embodiment 1 and is not repeated here.
In this embodiment, the HSS carries the information on the selected algorithm in a few bits of the AMF in the AUTN sent to the UE, making full use of existing resources and allowing the key derivation algorithm to be selected flexibly. Informing the UE of the selected algorithm by setting AMF bits also requires little change to the downlink protocols.
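The AMF encoding of Fig. 4, as an added example that is not part of the patent. Bit numbering follows the text above and TS 33.102 Annex H: bit 0 is the most significant bit of the 16-bit AMF (the EPS separation bit), bits 1 to 7 are reserved, bits 8 to 15 are proprietary. The codes A=00, B=01, C=10, D=11 in bits 14 and 15 are the patent's illustration; placing the echo of the UE's 4-bit capability field in bits 8 to 11 (the second return method of embodiment 1) is an assumption for this example. Because the USIM verifies the AUTN MAC, which is computed over the AMF, neither the eNB nor the MME can alter these bits without the authentication failing.

```python
# AMF layout in the patent's numbering: bit 0 is the most significant bit of
# the 16-bit field (the EPS "separation bit"), bits 1-7 are reserved for
# standardisation, bits 8-15 are proprietary.
AMF_WIDTH = 16
SEPARATION_BIT = 0
ECHO_FIRST_BIT, ECHO_WIDTH = 8, 4      # assumption: echo of the UE's 4-bit capability field
ALG_FIRST_BIT, ALG_WIDTH = 14, 2       # Fig. 4: bits 14-15 carry the HSS's choice

# Fig. 4: four candidate algorithms and the codes agreed between UE and HSS.
ALG_CODES = {"A": 0b00, "B": 0b01, "C": 0b10, "D": 0b11}
CODE_TO_ALG = {code: name for name, code in ALG_CODES.items()}


def _shift(first_bit, width):
    """Convert an MSB-numbered bit range to the shift used on a Python int."""
    return AMF_WIDTH - first_bit - width


def set_field(amf, first_bit, width, value):
    """Write `value` into AMF bits first_bit .. first_bit+width-1."""
    if value >> width:
        raise ValueError("value does not fit in %d bits" % width)
    mask = ((1 << width) - 1) << _shift(first_bit, width)
    return (amf & ~mask & 0xFFFF) | (value << _shift(first_bit, width))


def get_field(amf, first_bit, width):
    return (amf >> _shift(first_bit, width)) & ((1 << width) - 1)


def hss_build_amf(selected_alg, ue_capability_field):
    """Step 305: start from an EPS AMF (separation bit set), record the
    choice in bits 14-15 and echo the UE's capability field in bits 8-11."""
    amf = set_field(0, SEPARATION_BIT, 1, 1)
    amf = set_field(amf, ECHO_FIRST_BIT, ECHO_WIDTH, ue_capability_field)
    amf = set_field(amf, ALG_FIRST_BIT, ALG_WIDTH, ALG_CODES[selected_alg])
    return amf


def ue_parse_amf(amf, sent_capability_field):
    """Step 307: after the USIM has verified the AUTN MAC (which covers the
    AMF), the UE rejects non-EPS vectors and altered capability echoes,
    then recovers the HSS's choice."""
    if get_field(amf, SEPARATION_BIT, 1) != 1:
        raise ValueError("separation bit clear: not an EPS authentication vector")
    if get_field(amf, ECHO_FIRST_BIT, ECHO_WIDTH) != sent_capability_field:
        raise ValueError("echoed UE capabilities differ from what the UE sent")
    return CODE_TO_ALG[get_field(amf, ALG_FIRST_BIT, ALG_WIDTH)]


def amf_bytes(amf):
    """The AMF as the two big-endian octets it occupies inside
    AUTN = (SQN xor AK) || AMF || MAC."""
    return amf.to_bytes(2, "big")


if __name__ == "__main__":
    amf = hss_build_amf("B", 0b1111)
    print(hex(amf), amf_bytes(amf).hex())          # 0x80f1 80f1
    print(ue_parse_amf(amf, 0b1111))               # B
```

With algorithm A selected and a full capability echo the field reads 0x80F0: the separation bit sets the top bit, the echo occupies the high nibble of the low octet, and bits 14 and 15 stay 00. Only the proprietary octet is touched, which is why the text above describes the downlink change as small.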
Fig. 5 shows the flow of the algorithm negotiation method provided by embodiment 3. The main difference from embodiment 1 is that the MME decides which key derivation algorithm is selected. It comprises:
Steps 501 and 502 are identical to steps 201 and 202 of embodiment 1 and are not repeated here.
Step 503: the MME decides to perform AKA and, according to the algorithms supported by the UE and by the HSS and to local policy, selects an algorithm that both the UE and the HSS support.
It should be noted that the MME can learn the algorithms the HSS supports either by prior configuration on the MME, or by the HSS reporting its supported algorithms to the MME in a newly added message before step 503.
The local policy can be: the MME selects the most secure algorithm among those supported by both the UE and the HSS.
Step 504: the MME sends the HSS an authentication data request carrying the algorithm selected in step 503.
Step 505: the HSS derives K_ASME from CK and IK using the algorithm the MME selected, and sends an Authentication Data Response message to the MME.
This Authentication Data Response may carry the K_ASME derived by the HSS.
Step 506: after receiving the authentication data response from the HSS, the MME carries out the remaining AKA procedure with the UE.
Step 507: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is set up between the MME and the UE. The MME sends a NAS SMC message to the UE via the eNB; this message carries the information on the selected key derivation algorithm.
Step 508: after receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over it; the UE obtains the information on the selected key derivation algorithm from the NAS SMC message.
It is worth noting that, because the eNB could tamper with the UE's algorithm information, the MME must return the UE's supported algorithms to the UE in step 507 for verification. The return method is the same as the method by which the MME returns the UE's supported algorithms in embodiment 2 and is not repeated here.
In this embodiment, the MME selects the algorithm for deriving the key K_ASME between the UE and the HSS according to the key derivation algorithms the UE and the HSS support. This establishes an algorithm negotiation mechanism between the UE and the HSS and allows the key derivation algorithm to be selected flexibly.
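The MME-side selection of step 503 (the target MME performs the same selection at step 613 of embodiment 4) followed by the K_ASME derivation of step 505 at the HSS and the matching derivation at the UE, as an added example that is not part of the patent. The algorithm registry is hypothetical: "KDF-HMAC-SHA256" follows the construction of the EPS KDF in TS 33.401 Annex A.2 (HMAC-SHA-256 keyed with CK||IK over FC=0x10 || SN id || L0 || SQN xor AK || L1), and "KDF-HMAC-SHA512" is an invented second option so that there is something to negotiate. CK, IK, the SN id and SQN xor AK below are constructed sample values, not subscriber material.

```python
import hashlib
import hmac

# Hypothetical registry shared by the MME (for its policy) and the parties
# that derive the key (HSS and UE): name -> (security rank, hash function).
# Higher rank means "more secure" under the local policy of the text above.
ALGORITHMS = {
    "KDF-HMAC-SHA256": (1, hashlib.sha256),
    "KDF-HMAC-SHA512": (2, hashlib.sha512),    # invented option for the example
}


def mme_select(ue_supported, hss_supported):
    """Step 503 (and step 613 at a target MME after handover): local policy
    is "the most secure algorithm both sides support"."""
    common = set(ue_supported) & set(hss_supported) & set(ALGORITHMS)
    if not common:
        raise ValueError("UE and HSS share no K_ASME derivation algorithm")
    return max(common, key=lambda name: ALGORITHMS[name][0])


def derive_kasme(alg, ck, ik, sn_id, sqn_xor_ak):
    """Step 505 at the HSS, and the same computation at the UE, with the
    negotiated algorithm. S = FC || SN id || L0 || (SQN xor AK) || L1 with
    FC = 0x10 as in TS 33.401 A.2; the output is truncated to 256 bits."""
    _, hash_fn = ALGORITHMS[alg]
    s = (b"\x10" + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hash_fn).digest()[:32]


def negotiate_and_derive(ue_supported, hss_supported, ck, ik, sn_id, sqn_xor_ak):
    """Whole flow of embodiment 3: the MME picks, tells the HSS (step 504)
    and the UE (step 507), and both derive. Returns (algorithm, HSS key, UE key)."""
    alg = mme_select(ue_supported, hss_supported)
    hss_key = derive_kasme(alg, ck, ik, sn_id, sqn_xor_ak)
    ue_key = derive_kasme(alg, ck, ik, sn_id, sqn_xor_ak)   # UE learned alg from NAS SMC
    return alg, hss_key, ue_key


# Constructed sample inputs (not real subscriber material).
CK = bytes(range(16))
IK = bytes(range(16, 32))
SN_ID = bytes.fromhex("13f111")                 # 3-octet serving network id
SQN_XOR_AK = bytes.fromhex("000000000001")      # 6 octets

if __name__ == "__main__":
    alg, k_hss, k_ue = negotiate_and_derive(
        ["KDF-HMAC-SHA256", "KDF-HMAC-SHA512"],
        ["KDF-HMAC-SHA256", "KDF-HMAC-SHA512"],
        CK, IK, SN_ID, SQN_XOR_AK)
    print(alg, k_hss == k_ue, k_hss.hex())
```

The MME never sees CK or IK; it only chooses the algorithm name and forwards it, which is why the HSS can return the derived K_ASME in the Authentication Data Response while the UE derives the same value locally once the NAS SMC tells it which algorithm was chosen. If the two sides' registries drift (one lists an algorithm the other does not implement), `mme_select` fails closed rather than silently falling back.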
Fig. 6 shows the flow of the algorithm negotiation method provided by embodiment 4, which mainly concerns algorithm negotiation between the UE and the HSS in a handover scenario between EPS networks. It comprises:
Step 601: the source eNB in the network where the UE is currently located decides to perform a handover.
Step 602: the source eNB sends Handover Required to the source MME.
Step 603: the source MME sends Forward Relocation Request to the target MME in the target network, carrying the information on the UE's key derivation algorithms.
This Forward Relocation Request contains the UE's security capabilities, and the UE's security capabilities can include the key derivation algorithms the UE supports.
Optionally, the source MME can also use this message to notify the target MME of the algorithms the HSS supports.
Steps 604 to 610 complete the remaining handover procedure, as follows:
Step 604: the target MME sends Handover Request to the target eNB.
Step 605: the target eNB returns Handover Request Acknowledge to the target MME.
Step 606: the target MME sends Forward Relocation Response to the source MME.
Step 607: the source MME sends Handover Command to the source eNB.
Step 608: the source eNB sends Handover Command to the UE.
Step 609: the UE sends Handover Confirm to the target eNB.
Step 610: the target eNB sends Handover Notify to the target MME.
Step 611: after the handover succeeds, the UE sends a TAU (Tracking Area Update) request to the target eNB.
Step 612: the target eNB forwards the TAU request to the target MME.
Step 613: the target MME decides to perform the AKA authentication procedure, and selects an algorithm according to local policy from the algorithms the UE and the HSS support.
Since the target MME learned the algorithms the UE supports in step 603, if it also obtained the algorithms the HSS supports in step 603, it can select an algorithm between the UE and the HSS according to local policy. If the target MME did not obtain the HSS-supported algorithms from the source MME in step 603, it can learn them by prior configuration on the MME, or by the HSS reporting its supported algorithms to the MME in a newly added message before step 613.
Step 614: the target MME sends an authentication data request to the HSS. This authentication data request also contains the algorithm the MME selected; that is, the MME uses this message to inform the HSS of the algorithm selected in step 613.
Step 615: the HSS derives K_ASME from CK and IK using the algorithm the MME selected, and sends an Authentication Data Response message to the MME.
Step 616: the target MME and the UE carry out the remaining AKA authentication procedure.
Step 617: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is set up between the target MME and the UE. The target MME sends a NAS SMC message to the UE via the target eNB; this message carries the information on the selected key derivation algorithm.
Step 618: after receiving the NAS SMC message from the target MME, the target eNB establishes an RRC bearer with the UE and forwards the NAS SMC message to the UE over it; the UE obtains the information on the selected key derivation algorithm from the NAS SMC message.
It is worth noting that, because the eNB could tamper with the UE's algorithm information, the target MME must return the UE's supported algorithms to the UE in step 617 for verification. The return method is the same as the method by which the MME returns the UE's supported algorithms in embodiment 2 and is not repeated here.
In this embodiment the MME takes part in the algorithm selection, which solves the problem of algorithm negotiation between the UE and the HSS in a handover scenario between EPS networks.
The algorithm negotiation method provided by embodiment 5 mainly concerns negotiation of the EPS key derivation algorithm between the UE and the HSS in a handover scenario involving a 2G/3G network.
In a 2G/3G system, an operator may not have had time to upgrade the HLR (Home Location Register) to provide the functions of an HSS, so an IWF (Interworking Function) is used to interwork the HLR with the EPS system; that is, the IWF and the HLR together play the role of the HSS. In this case the key derivation algorithm negotiation between the UE and the HSS takes place between the UE and the IWF, which represents part of the HSS's functions, and the derivation of K_ASME from CK/IK is performed by the IWF. The network architecture is shown in Fig. 7. The negotiation method comprises:
The IWF and the UE each report the algorithms they support to the MME. The reporting procedure is essentially the same as the way the HSS and the UE report their algorithms to the MME in embodiment 3; the main difference is that the IWF performs the algorithm negotiation function in place of the HSS. The MME then determines an algorithm to be used between the UE and the IWF according to local policy and informs the UE and the IWF of it, in the same way as the MME informs the UE and the HSS after selecting an algorithm in embodiment 3.
It is worth noting that, because the eNB could tamper with the UE's algorithm information, the MME must return the UE's supported algorithms to the UE for verification. The return method is the same as the method by which the MME returns the UE's supported algorithms in embodiment 2 and is not repeated here.
This embodiment solves the problem of negotiating the EPS key derivation algorithm between the UE and the HSS in a handover scenario involving a 2G/3G network.
One of ordinary skill in the art will appreciate that, all or part of step in the various embodiments described above can realize by the relevant hardware of program command, described program can be stored in the computer read/write memory medium, and described storage medium can be ROM/RAM, magnetic disc, CD etc.
Though will also be appreciated that in the above-mentioned explanation, for ease of understanding, the step of method has been adopted the succession description, should be pointed out that the strictness of restriction do not do to(for) the order of above-mentioned steps.
Figure 10 shows that the network equipment schematic diagram of realizing that the embodiment of the invention provided.This network equipment specifically comprises Transmit-Receive Unit 1001, selected cell 1002.Wherein Transmit-Receive Unit 1001, are used to obtain that subscriber equipment can support is used to deduce key K ASMEThe information of algorithm; Selected cell 1002 is used for the information of the algorithm that can support according to subscriber equipment and ownership client server HSS, selection algorithm; And with chosen algorithm as being used to deduce key K between subscriber equipment and the HSS ASMEAlgorithm.
This network equipment can be HSS or MME.
When this network equipment was HSS, above-mentioned Transmit-Receive Unit 1001 was further used for the algorithm that selected cell 1002 is selected is sent to UE.
When this network equipment was MME, above-mentioned Transmit-Receive Unit 1001 was further used for obtaining the algorithm information that HSS supports, and the algorithm that selected cell 1002 is selected sends to UE and HSS respectively.
The mobile communication system embodiment of the present invention is introduced below. This system can implement the steps described in the method embodiments above. It will be understood that the system of this embodiment may also include many other entities that implement communication functions; since these belong to standardized technology in the communications field and may be disclosed in other prior art, they are not described again here. Only the main parts of the system are pointed out, in order to introduce the implementation of the embodiment of the present invention. Referring to Fig. 8, the system 80 comprises a user equipment 81 and a network device HSS 82 in communication with it, wherein:
The user equipment 81 comprises a transceiver unit 811, configured to send to the network device HSS 82 the information on the algorithms that the user equipment can support, and to receive the information on the selected algorithm that the HSS 82 sends after selecting an algorithm.
The network device HSS 82 comprises a transceiver unit 821 and a selection unit 822. The transceiver unit 821 is configured to obtain the information on the algorithms that the user equipment 81 can support, and to send the information on the algorithm selected by the selection unit 822 to the user equipment 81. The selection unit 822 is configured to select an algorithm according to the information on the algorithms that the user equipment 81 can support; the selection unit 822 may further be configured to set the information on the selected algorithm, in the form of set bits, in the authentication vector AV.
The transceiver unit 821 may obtain the information on the algorithms that the user equipment can support from the authentication data request message sent by the MME, and may send the information on the algorithm selected by the selection unit 822 to the MME by means of the authentication data response message.
Fig. 9 shows another system 90 provided by the embodiment of the invention, comprising a user equipment 91 and a network device MME 92 in communication with it, wherein:
The user equipment 91 comprises a transceiver unit 911, configured to send to the network device MME 92 the information on the algorithms that the user equipment can support, and to receive the information on the selected algorithm that the MME 92 sends after selecting an algorithm.
The network device MME 92 comprises a transceiver unit 921 and a selection unit 922. The transceiver unit 921 is configured to obtain the information on the algorithms that the user equipment 91 and the HSS can support, and to send the information on the algorithm selected by the selection unit 922 to the HSS and to the user equipment 91. The selection unit 922 is configured to select an algorithm according to the information on the algorithms that the user equipment 91 can support.
It will be understood that the structures shown in the drawings are only schematic and represent a logical structure: units shown as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over several network elements.
The drawings and the associated description only illustrate the principle of the invention and are not intended to limit its scope of protection. For example, the message names in the various embodiments of the invention may vary according to the network, and some messages may be omitted. Therefore, any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention is included in its scope of protection.
Although the invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made to it without departing from the spirit and scope of the invention.

Claims (18)

1. A method for negotiating an algorithm, characterized in that it comprises:
the network side obtaining the information on the algorithms supported by a user equipment for deriving the key K_ASME;
selecting an algorithm according to the information on the algorithms supported by the user equipment and by the home subscriber server HSS;
using the selected algorithm as the algorithm for deriving the key K_ASME between the user equipment and the HSS.
2. The method according to claim 1, characterized in that
the network side obtaining the information on the algorithms supported by the user equipment for deriving the key K_ASME specifically comprises:
the HSS obtaining the information on the algorithms supported by the user equipment for deriving the key K_ASME;
and the step of selecting an algorithm according to the information on the algorithms supported by the user equipment and the HSS is carried out by the HSS.
3. The method according to claim 2, characterized in that the HSS obtaining the information on the algorithms supported by the user equipment for deriving the key K_ASME specifically comprises:
the HSS obtaining, via the mobility management entity MME and the base station, the information on the algorithms supported by the user equipment for deriving the key K_ASME.
4. The method according to claim 3, characterized in that
the HSS obtains, from the authentication data request message sent by the MME, the information on the algorithms supported by the user equipment for deriving the key K_ASME;
and/or the MME obtains, from the attach request or location update request of the user equipment forwarded by the base station, the information on the algorithms supported by the user equipment for deriving the key K_ASME.
5. The method according to claim 2, characterized in that it further comprises:
the HSS sending the information on the selected algorithm to the user equipment via the MME and the base station.
6. The method according to claim 5, characterized in that
the HSS sends an authentication data response message to the MME, and the authentication data response message comprises the information on the selected algorithm;
and/or the MME sends a non-access stratum security mode command NAS SMC to the user equipment via the base station, and the non-access stratum security mode command NAS SMC comprises the information on the selected algorithm.
7. The method according to claim 2, characterized in that the information on the selected algorithm is specifically:
represented by one or more bits of the authentication management field AMF contained in the authentication token AUTN of the authentication vector AV.
8. The method according to claim 7, characterized in that it further comprises:
the HSS, in the course of performing authentication and key agreement AKA, sending the AV that contains the information on the selected algorithm to the user equipment via the MME and the base station.
9. The method according to claim 1, characterized in that, before the selecting an algorithm according to the information on the algorithms supported by the user equipment and the HSS, it further comprises:
the MME obtaining the information on the algorithms supported by the HSS;
and the step of selecting an algorithm according to the information on the algorithms supported by the user equipment and the home subscriber server HSS is carried out by the MME.
10. The method according to claim 9, characterized in that it further comprises:
the MME sending the information on the selected algorithm to the user equipment and to the HSS respectively.
11. The method according to claim 1, characterized in that it further comprises:
the network side returning the information on the algorithms supported by the user equipment for deriving the key K_ASME to the UE for verification.
12. A network device, characterized in that it comprises:
a transceiver unit, configured to obtain the information on the algorithms supported by a user equipment for deriving the key K_ASME;
a selection unit, configured to select an algorithm according to the information on the algorithms supported by the user equipment and by the home subscriber server HSS, and to use the selected algorithm as the algorithm for deriving the key K_ASME between the user equipment and the HSS.
13. The network device according to claim 12, characterized in that the network device is specifically an HSS or an MME.
14. The network device according to claim 13, characterized in that,
when the network device is an HSS,
the transceiver unit is configured to obtain the information on the algorithms supported by the user equipment from the authentication data request message sent by the MME, and is further configured to send the information on the algorithm selected by the selection unit to the MME by means of the authentication data response message.
15. The network device according to claim 13, characterized in that,
when the network device is an HSS,
the selection unit is further configured to set the information on the selected algorithm, in the form of set bits, in the authentication vector AV;
the transceiver unit is configured to obtain the information on the algorithms supported by the user equipment from the authentication data request message sent by the MME, and is further configured to send the AV containing the information on the selected algorithm to the MME by means of the authentication data response message.
16. A method for negotiating an algorithm, characterized in that it comprises:
a user equipment sending to the network side the information on the algorithms that this user equipment supports for deriving the key K_ASME;
receiving the information on the selected algorithm that the network side sends after selecting an algorithm.
17. A user equipment, characterized in that it comprises:
a transceiver unit, configured to send to a network device the information on the algorithms that this user equipment supports for deriving the key K_ASME, and to receive the information on the selected algorithm that the network device sends after selecting an algorithm.
18. A system for negotiating an algorithm, characterized in that it comprises:
a user equipment, configured to send to a network device the information on the algorithms that it supports for deriving the key K_ASME, and to receive the information on the selected algorithm that the network device sends after selecting an algorithm;
a network device, configured to obtain the information on the algorithms supported by the user equipment for deriving the key K_ASME, to perform algorithm selection according to that information, and to send the information on the selected algorithm to the user equipment.
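As an added illustration that is not part of the patent text, the following Python toy models the negotiation described in the system embodiments above and in claims 1, 7, 8 and 11: the UE announces the K_ASME derivation algorithms it supports, the HSS picks one from the intersection with its own list, signals the choice in bits of the AMF inside the AUTN of the AV, and the UE checks the echoed capability list before deriving K_ASME. The algorithm names, the two AMF bit positions used for the code, and the HMAC-based KDF are assumptions of this example, not the patent's or 3GPP's definitions.

```python
import hashlib
import hmac

# Constructed identifiers for candidate K_ASME derivation algorithms (AMF code -> name).
ALGORITHMS = {0b00: "kdf-sha256", 0b01: "kdf-sha512", 0b10: "kdf-sha1"}
KDFS = {"kdf-sha256": hashlib.sha256, "kdf-sha512": hashlib.sha512, "kdf-sha1": hashlib.sha1}
# Constructed HSS policy: the algorithms the HSS supports, in preference order.
HSS_PREFERENCE = ["kdf-sha512", "kdf-sha256"]


def select_algorithm(ue_supported, hss_preference=HSS_PREFERENCE):
    """Selection unit (HSS side): first HSS-preferred algorithm the UE also supports."""
    for name in hss_preference:
        if name in ue_supported:
            return name
    raise ValueError("no K_ASME derivation algorithm common to UE and HSS")


def set_amf_bits(amf, name):
    """Write the selected algorithm's 2-bit code into the AMF (bit positions are assumed)."""
    code = next(c for c, n in ALGORITHMS.items() if n == name)
    return (amf & 0xFFFC) | code  # leave the other AMF bits (e.g. 0x8000) untouched


def derive_k_asme(ck_ik, sn_id, name):
    """Derive K_ASME from CK||IK and the serving-network id with the negotiated KDF."""
    return hmac.new(ck_ik, b"K_ASME" + sn_id, KDFS[name]).digest()


def hss_build_av(ue_supported, ck_ik, sn_id, sqn_xor_ak, mac, amf=0x8000):
    """HSS: select the algorithm, set it in the AMF of AUTN = SQN^AK || AMF || MAC,
    and derive K_ASME with that algorithm for the authentication vector."""
    name = select_algorithm(ue_supported)
    autn = sqn_xor_ak + set_amf_bits(amf, name).to_bytes(2, "big") + mac
    return {"autn": autn, "k_asme": derive_k_asme(ck_ik, sn_id, name), "alg": name}


def ue_process_av(autn, ue_supported, ck_ik, sn_id, echoed_capabilities):
    """UE: reject an altered capability echo (bidding-down check), read the selected
    algorithm from the AMF in AUTN, confirm it is one the UE announced, derive K_ASME."""
    if list(echoed_capabilities) != list(ue_supported):
        raise ValueError("UE capability list was altered in transit")
    amf = int.from_bytes(autn[6:8], "big")  # AUTN: 6-byte SQN^AK, 2-byte AMF, 8-byte MAC
    name = ALGORITHMS.get(amf & 0b11)
    if name not in ue_supported:
        raise ValueError("network selected an algorithm the UE does not support")
    return derive_k_asme(ck_ik, sn_id, name)
```

Both sides end with the same K_ASME only when the UE reads back exactly the algorithm the HSS selected, which is why the selected-algorithm bits travel inside the integrity-protected AUTN rather than in a separate unprotected field.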

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2008101608521A CN101605324B (en) 2008-06-13 2008-09-12 Method, device and system for negotiating algorithm
PCT/CN2009/072237 WO2009149666A1 (en) 2008-06-13 2009-06-11 Method, device and system for negotiating algorithm

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200810067758 2008-06-13
CN200810067758.1 2008-06-13
CN2008101608521A CN101605324B (en) 2008-06-13 2008-09-12 Method, device and system for negotiating algorithm

Publications (2)

Publication Number Publication Date
CN101605324A true CN101605324A (en) 2009-12-16
CN101605324B CN101605324B (en) 2011-06-01

Family

ID=41416382

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101608521A Active CN101605324B (en) 2008-06-13 2008-09-12 Method, device and system for negotiating algorithm

Country Status (2)

Country Link
CN (1) CN101605324B (en)
WO (1) WO2009149666A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102595369A (en) * 2012-02-29 2012-07-18 大唐移动通信设备有限公司 Transmission method and device of non-access stratum (NAS) algorithm
CN104754577A (en) * 2013-12-31 2015-07-01 华为技术有限公司 Authentication algorithm selecting method, device and system
CN106664195A (en) * 2014-08-01 2017-05-10 华为技术有限公司 Data processing method, apparatus, and system
WO2021237724A1 (en) * 2020-05-29 2021-12-02 华为技术有限公司 Key negotiation method, apparatus and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039261A (en) * 2006-03-16 2007-09-19 华为技术有限公司 Method, system and apparatus for processing user terminal accessing network and loading establishing process
CN101064719A (en) * 2006-04-27 2007-10-31 华为技术有限公司 Cryptographic algorithm negotiating method in PON system
CN101001252A (en) * 2006-06-25 2007-07-18 华为技术有限公司 Registration method and consultation method and device of user safety algorithmic

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102595369A (en) * 2012-02-29 2012-07-18 大唐移动通信设备有限公司 Transmission method and device of non-access stratum (NAS) algorithm
WO2013127190A1 (en) * 2012-02-29 2013-09-06 大唐移动通信设备有限公司 Nas algorithm transmission method and device
CN102595369B (en) * 2012-02-29 2015-02-25 大唐移动通信设备有限公司 Transmission method and device of non-access stratum (NAS) algorithm
US9220009B2 (en) 2012-02-29 2015-12-22 Datang Mobile Communications Equipment Co., Ltd NAS algorithm transmission method and device
CN104754577A (en) * 2013-12-31 2015-07-01 华为技术有限公司 Authentication algorithm selecting method, device and system
CN104754577B (en) * 2013-12-31 2019-05-03 华为技术有限公司 A kind of method, apparatus and system selecting identifying algorithm
CN106664195A (en) * 2014-08-01 2017-05-10 华为技术有限公司 Data processing method, apparatus, and system
CN106664195B (en) * 2014-08-01 2020-05-15 广州小熊信息科技有限公司 Data processing method, device and system
WO2021237724A1 (en) * 2020-05-29 2021-12-02 华为技术有限公司 Key negotiation method, apparatus and system

Also Published As

Publication number Publication date
WO2009149666A1 (en) 2009-12-17
CN101605324B (en) 2011-06-01

Similar Documents

Publication Publication Date Title
US10873889B2 (en) Handover apparatus and method
US11889405B2 (en) Handling a UE that is in the idle state
CN102014381B (en) Encryption algorithm consultation method, network element and mobile station
JP6120865B2 (en) Method and apparatus for managing security key for communication authentication with terminal in wireless communication system
US20100172500A1 (en) Method of handling inter-system handover security in wireless communications system and related communication device
US20100130207A1 (en) Method of handling handover security configuration and related communication device
US10798082B2 (en) Network authentication triggering method and related device
CN102348206B (en) Secret key insulating method and device
CN103648135A (en) Method and apparatus to enable fallback to circuit switched domain from packet switched domain
CN104160730A (en) A fast-accessing method and apparatus
CN112219415A (en) User authentication in a first network using a subscriber identity module for a second, old network
CN109906624B (en) Method for supporting authentication in a wireless communication network, related network node and wireless terminal
JP2013081252A (en) Encryption in wireless telecommunications
CN103782628A (en) Communication method, apparatus and system
CN112637785B (en) Method and apparatus for multicast transmission
RU2552193C2 (en) Radio communication system, mtc device and gate
US20140233532A1 (en) Bearer switching method, home nodeb gateway, and home nodeb
US20170164244A1 (en) Path switching method, mobility anchor, and base station
US20220338071A1 (en) Method and device for performing communication in wireless communication system
CN101605324B (en) Method, device and system for negotiating algorithm
EP4024958A1 (en) Data transmission method and device
CN101645877A (en) Method, system and network node for consulting cipher key derivative function
US20140335864A1 (en) Radio communication system, radio base station, radio terminal and radio communication method
CN102790965A (en) Switching method, base station, user device and mobile management entity
US11343668B2 (en) Method and apparatus for performing the trace corresponding to a terminal in wireless communication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20091216

Assignee: Apple Computer, Inc.

Assignor: Huawei Technologies Co., Ltd.

Contract record no.: 2015990000755

Denomination of invention: Method, device and system for negotiating algorithm

Granted publication date: 20110601

License type: Common License

Record date: 20150827

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model