CN101645877A - Method, system and network node for consulting cipher key derivative function - Google Patents


Info

Publication number: CN101645877A
Authority: CN (China)
Prior art keywords: kdf, terminal, supported, network node, enb
Prior art date
Legal status: Pending
Application number: CN200810134971A
Other languages: Chinese (zh)
Inventor: 何承东
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN200810134971A
Publication of CN101645877A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method, a system and a network node for negotiating a key derivation function. The method comprises the following steps: the network node acquires the list of key derivation functions (KDFs) supported by a terminal; it selects a KDF supported by both the network node and the terminal according to the KDF list supported by the network node and the KDF list supported by the terminal; and it sends the selected KDF to the terminal. By applying the embodiment of the invention, when a new KDF is introduced during a network upgrade, that is, when the KDF lists supported by the network node and the terminal differ, the network node and the terminal can agree through negotiation on one KDF for deriving the non-access stratum (NAS) key, the radio resource control (RRC) key, the user plane (UP) key and the like, so that network nodes and terminals supporting different KDF lists can coexist in the network.

Description

Method, system and network node for negotiating key derivation function
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, a system, and a network node for negotiating a key derivation function.
Background
An existing 3GPP (Third Generation Partnership Project) wireless network is divided by type into the 2G network GERAN, the 3G network UTRAN and the LTE (Long Term Evolution) network EUTRAN; fig. 1 is a schematic structural diagram of such a 3GPP wireless network.
Taking the 3G network UTRAN and the LTE network EUTRAN as examples: in UTRAN, the RNC (Radio Network Controller) and the SGSN (Serving GPRS Support Node) are the entities related to network security, and when a UE (terminal) is handed over to UTRAN, the UE stores an integrity key IK and a cipher key CK consistent with those held by the RNC. In EUTRAN, the eNB (base station) and the MME (Mobility Management Entity) are the entities related to network security: the eNB protects RRC (Radio Resource Control) signalling and UP (user plane) traffic, and the MME protects NAS signalling. To secure communication in EUTRAN, a UE accessing EUTRAN must share the same RRC ciphering key, RRC integrity protection key and UP ciphering key with the eNB, and at the same time must share the same NAS (non-access stratum) ciphering key and NAS integrity protection key with the MME.
The derivation of the individual keys in EUTRAN is briefly described below. The UE side stores an integrity key IK and a cipher key CK; the root key Kasme is derived from IK and CK; KeNB is derived from Kasme; the RRC/UP keys K_RRC_enc, K_RRC_int and K_UP_enc are derived from KeNB; and finally the NAS keys K_NAS_enc and K_NAS_int are derived from Kasme. Each of these derivations is performed by a KDF (Key Derivation Function).
In the course of researching the prior art, the inventor found that the existing network performs key derivation with a single, uniform KDF. When a new KDF is introduced into a future network, network element equipment must be upgraded to support it, but upgrading is a gradual process: it is hard to upgrade all network elements at once, so they can only be upgraded step by step. Likewise, only new UEs support the new KDF; old UEs that have not been upgraded cannot. Consequently the KDF lists supported by the network equipment and by the UE may differ, which can eventually cause the network equipment and the UE to derive different keys (NAS key, RRC key, UP key and so on) with different KDFs, so that security negotiation in the evolved network cannot be ensured.
Disclosure of Invention
Embodiments of the present invention provide a method, a system, and a network node for negotiating a key derivation function, where the network node and a terminal can support the same KDF during an upgrade process of a network through KDF negotiation.
To achieve the purpose of the embodiment of the present invention, the embodiment of the present invention provides the following technical solutions:
a method of negotiating a key derivation function, comprising:
a network node acquires a key derivation function KDF list supported by a terminal;
selecting a KDF supported by the network node and the terminal together according to the KDF list supported by the network node and the KDF list supported by the terminal;
and sending the selected KDF to the terminal.
A system for negotiating a key derivation function, comprising a terminal and a network node, wherein:
the terminal is used for providing a key derivation function KDF list supported by the terminal;
the network node is configured to obtain a KDF list supported by the terminal, select, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF commonly supported by the network node and the terminal, and send the selected KDF to the terminal.
A network node, comprising:
an acquisition unit, configured to acquire a key derivation function KDF list supported by a terminal;
a selecting unit, configured to select, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF supported by both the network node and the terminal;
and the sending unit is used for sending the selected KDF to the terminal.
As can be seen from the above technical solutions provided by the embodiments of the present invention, in the embodiments of the present invention, a network node obtains a KDF list supported by a terminal, selects a KDF commonly supported according to the KDF list supported by the network node and the KDF list supported by the terminal, and sends the selected KDF to the terminal. By applying the embodiment of the invention, when a new KDF is introduced in the network upgrading process, even if the KDF lists supported by the network node and the terminal are different, the same KDF can be used for derivation processing of various keys such as a non-access signaling NAS key, a Radio Resource Control (RRC) key, a User Plane (UP) key and the like through negotiation between the network node and the terminal, so that the network node and the terminal supporting different KDF lists can exist in the network at the same time.
Drawings
FIG. 1 is a schematic diagram of a 3GPP wireless network;
FIG. 2 is a flowchart of one embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 3 is a flowchart of another embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 4 is a flowchart of another embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 5 is a flowchart of another embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 6 is a flowchart of another embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 7 is a flowchart of another embodiment of a method for negotiating a key derivation function according to the present invention;
FIG. 8 is a block diagram of an embodiment of a system for negotiating key derivation functions in accordance with the present invention;
FIG. 9 is a block diagram for one embodiment of a network node of the present invention;
FIG. 10 is a block diagram of another embodiment of a network node of the present invention;
FIG. 11 is a block diagram of another embodiment of a network node of the present invention.
Detailed Description
The embodiment of the invention provides a negotiation method, a negotiation system and a network node of a key derivation function, wherein the network node acquires a KDF list supported by a terminal, selects a KDF supported together according to the KDF list supported by the network node and the KDF list supported by the terminal, and sends the selected KDF to the terminal.
So that those skilled in the art can better understand the concept of the present invention and can better understand the objects, features, and advantages of the present invention, the present invention will be described in detail with reference to the accompanying drawings and the detailed description.
Fig. 2 shows a flow of an embodiment of a negotiation method of a key derivation function according to the present invention:
step 201: the network node obtains a KDF list supported by the terminal.
The network node may be an evolved Node B (eNB), a mobility management entity (MME), or a home subscriber server (HSS).
Taking the eNB as the network node, the eNB may obtain the KDF list supported by the terminal from the MME, or from the source eNB.
Specifically, the eNB acquires the KDF list supported by the terminal from the MME as follows: when the terminal sends an attach request message or a service request message, the eNB acquires the KDF list supported by the terminal from the MME; or, when the terminal is handed over between evolved universal terrestrial radio access networks (EUTRANs), the eNB acquires the KDF list supported by the terminal from the target MME; or, when the terminal is handed over to EUTRAN from another network, the eNB acquires the KDF list supported by the terminal from the target MME.
Step 202: judge whether the network node has acquired a KDF list supported by the terminal; if yes, execute step 203; otherwise, execute step 206.
Step 203: judge whether the acquired KDF list supported by the terminal is empty; if yes, execute step 206; otherwise, execute step 204.
Step 204: select a KDF according to the KDF list supported by the network node and the KDF list supported by the terminal.
Specifically, the KDF list supported by the network node is preset in the network node, with all KDFs in the list arranged in order of priority from high to low. After the network node obtains a non-empty KDF list supported by the terminal, it determines the KDF list supported by both the network node and the terminal from the two lists, and then selects at least one KDF from that commonly supported list according to priority.
Step 205: send the selected KDF to the terminal.
Specifically, when the terminal sends an attach request message or a service request message, the selected KDF is sent to the terminal in an access stratum security mode command message; or, when the terminal sends an attach request message, the selected KDF is sent to the terminal in an attach accept message; or, when the terminal sends a service request message, the selected KDF is sent to the terminal in a radio bearer setup message; or, when the terminal is handed over between EUTRANs or from another network to EUTRAN, the selected KDF is sent to the terminal in a handover command.
Step 206: the network node selects a default KDF.
In step 206, the network node either could not acquire the KDF list supported by the terminal or acquired an empty list, which indicates that the terminal has not been upgraded. The network node therefore selects a default KDF, consistent with the default KDF supported by the terminal, for example HMAC-SHA-246, so as to preserve negotiation integrity across the whole network. The default KDF is the KDF that the network node and the terminal used by default before the system upgrade; it is preset in the network node, and whenever the terminal's KDF list is not acquired or is empty, this pre-upgrade default KDF is selected so that the network node and the terminal support the same KDF.
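The selection logic of steps 202 to 206, as an added example that is not part of the patent: it models the node's priority-ordered list, the default fallback for a terminal whose list is missing or empty, and then checks that eNB and UE derive identical RRC/UP keys once the selected KDF is applied on both sides. The KDF identifiers, the derivation labels, the 256-bit truncation and the behaviour when the two lists share no KDF are assumptions of this example; the real 3GPP derivation parameters are not modelled, and the default is taken to be HMAC-SHA-256, which the patent text writes as HMAC-SHA-246.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Sequence, Tuple

Kdf = Callable[[bytes, bytes], bytes]

# Constructed KDF registry (illustrative names, not 3GPP-defined identifiers):
# name -> function(key, label) returning a 32-byte derived key.
KDF_REGISTRY: Dict[str, Kdf] = {
    "HMAC-SHA-256": lambda k, label: hmac.new(k, label, hashlib.sha256).digest(),
    "HMAC-SHA-512": lambda k, label: hmac.new(k, label, hashlib.sha512).digest()[:32],
}

# Pre-upgrade default used when no usable terminal list is available (step 206).
# Assumption: the patent's "HMAC-SHA-246" is read as HMAC-SHA-256.
DEFAULT_KDF = "HMAC-SHA-256"


def select_kdf(node_kdfs: Sequence[str], terminal_kdfs: Optional[Sequence[str]]) -> str:
    """Steps 202-206 of Fig. 2.

    node_kdfs is the node's preset list, ordered from highest to lowest
    priority. terminal_kdfs is None when no list was obtained (step 202)
    and empty when the obtained list is empty (step 203); both cases lead
    to the default KDF (step 206). Otherwise the commonly supported KDFs
    are determined and the highest-priority one is chosen (step 204).
    """
    if not terminal_kdfs:
        return DEFAULT_KDF
    supported = set(terminal_kdfs)
    common = [kdf for kdf in node_kdfs if kdf in supported]
    if not common:
        # Assumption: the patent does not cover lists that share no KDF;
        # falling back to the pre-upgrade default keeps the node in step
        # with any terminal that still knows that default.
        return DEFAULT_KDF
    return common[0]


def derive_as_keys(kenb: bytes, kdf_name: str) -> Dict[str, bytes]:
    """Derive the RRC/UP keys from KeNB with the named KDF (constructed labels)."""
    kdf = KDF_REGISTRY[kdf_name]
    return {
        "K_RRC_enc": kdf(kenb, b"RRC-enc"),
        "K_RRC_int": kdf(kenb, b"RRC-int"),
        "K_UP_enc": kdf(kenb, b"UP-enc"),
    }


def run_attach(node_kdfs: Sequence[str], terminal_kdfs: Optional[Sequence[str]],
               kenb: bytes, negotiate: bool = True) -> Tuple[str, str, bool]:
    """Simulate AS key setup; returns (KDF used by eNB, KDF used by UE, keys match).

    With negotiate=True the eNB runs select_kdf and carries the choice in the
    AS SMC, which the UE then applies. With negotiate=False the eNB simply
    uses its own top-priority KDF and the UE uses the first KDF it knows
    (the default for a non-upgraded UE), the situation the background
    section describes.
    """
    if negotiate:
        enb_kdf = select_kdf(node_kdfs, terminal_kdfs)
        ue_kdf = enb_kdf  # the UE adopts the KDF signalled in the AS SMC
    else:
        enb_kdf = node_kdfs[0]
        ue_kdf = (list(terminal_kdfs) or [DEFAULT_KDF])[0] if terminal_kdfs else DEFAULT_KDF
    same = derive_as_keys(kenb, enb_kdf) == derive_as_keys(kenb, ue_kdf)
    return enb_kdf, ue_kdf, same


if __name__ == "__main__":
    upgraded_enb = ["HMAC-SHA-512", "HMAC-SHA-256"]  # new KDF has top priority
    kenb = bytes(range(32))                            # constructed KeNB
    # Non-upgraded UE (no list) without negotiation: keys diverge.
    print(run_attach(upgraded_enb, None, kenb, negotiate=False))
    # Same UE with negotiation: both sides fall back to the default and agree.
    print(run_attach(upgraded_enb, None, kenb, negotiate=True))
    # Upgraded UE: the new, higher-priority KDF is selected.
    print(run_attach(upgraded_enb, ["HMAC-SHA-256", "HMAC-SHA-512"], kenb))
```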
Fig. 3 shows a flow of another embodiment of the negotiation method of key derivation functions in the present invention, where a network node in this embodiment takes an eNB as an example, and shows a process of negotiating a KDF between a UE and an eNB in an attach request process:
step 301 to step 302: the UE sends an Attach Request message (Attach Request) to the MME through the eNB, wherein the Attach Request message carries a list of KDFs supported by the UE.
Step 303: after receiving the Attach request message, the MME sends a KDF list supported by the UE to the eNB through an Attach Accept message (Attach Accept).
Step 304: and the eNB selects at least one KDF from the KDF list supported by the eNB and the KDF list supported by the UE.
The KDF list supported by the eNB is preset in the eNB, with all KDFs in the list arranged in descending order of priority. After the eNB acquires the KDF list supported by the UE, it determines the KDF list supported by both the eNB and the UE from the two lists, and then selects at least one KDF from that commonly supported list according to priority.
Step 305: the eNB sends an access stratum security mode command message (AS SMC) to the UE, which contains the selected KDF.
The access stratum security mode command message may be an independent message or may be integrated into the attach accept message.
Fig. 4 shows a flow of another embodiment of a negotiation method of a key derivation function according to the present invention, where an eNB is taken as an example of a network node in this embodiment, and shows a process of negotiating a KDF between a UE and the eNB when the UE sends a service request message to an MME:
step 401 to step 402: the UE sends a Service Request message (Service Request) to the MME through the eNB, wherein the Service Request message carries a KDF list supported by the UE.
It should be noted that, if the service request message does not carry the KDF list supported by the UE, the MME may obtain the KDF list supported by the UE in the previous attach request or tracking area update TAU message.
Step 403: after receiving the service Request message, the MME sends the KDF list supported by the UE to the eNB through an Initial Context Setup Request message (Initial Context Setup Request).
Step 404: and the eNB selects at least one KDF from the KDF list supported by the eNB and the KDF list supported by the UE.
Step 405: the eNB sends an access stratum security mode command message (AS SMC) to the UE, which includes the selected KDF.
The access stratum security mode command message may be an independent message, or may be integrated into a Radio Bearer Setup message.
Fig. 5 shows another embodiment flow of a key derivation function negotiation method of the present invention, where a network node in this embodiment takes eNB as an example, and shows a process of negotiating KDF between UE and a target eNB when UE switches between EUTRANs, where the target eNB obtains a KDF list supported by UE from a source eNB through an X2 interface:
step 501: when the UE is handed over between EUTRANs, the source eNB sends a Handover Request message (e.g., Handover Request message) to the target eNB, where the Handover Request message carries a list of KDFs supported by the UE.
The KDF list carried in the handover request message is the KDF list acquired by the source eNB from the UE in the process of accessing the source eNB by the UE.
Step 502: and the target eNB selects at least one KDF from the KDF list supported by the target eNB and the KDF list supported by the UE.
Step 503: the target eNB sends a Handover Request response message (e.g., Handover Request Ack message) to the source eNB, where the Handover Request response message includes the KDF selected by the target eNB.
Step 504: the source eNB sends a handover command message (e.g., a handover command message) to the UE, which includes the selected KDF.
Fig. 6 shows a flow of another embodiment of a key derivation function negotiation method of the present invention, where a network node in this embodiment takes eNB as an example, and shows a process of negotiating KDF between UE and a target eNB when UE switches between EUTRANs, where the target eNB acquires a KDF list supported by UE from a target MME through an S1 interface.
Step 601: when the UE is handed over between EUTRANs, the source eNB sends a Handover request message (e.g., Handover Required message) to the source MME, where the Handover request message may carry a KDF list supported by the UE.
Step 602: the source MME sends a Forward Relocation Request message (e.g. a Forward Relocation Request message) to the target MME, wherein the Forward Relocation Request message carries a list of KDFs supported by the UE.
When the handover request message sent by the source eNB to the source MME does not carry the KDF list supported by the UE, the source MME acquires the KDF list supported by the UE from the attach request message or tracking area update TAU message sent by the previous UE.
In the TAU process, the UE sends a TAU message to the MME through the eNB, the TAU message carries a KDF list supported by the UE, the MME stores the KDF list after receiving the TAU message, and then returns a TAU receiving response message to the UE.
Step 603: the target MME sends a Handover Request message (e.g., Handover Request message) to the target eNB, where the Handover Request message includes a KDF list supported by the UE.
Step 604: and the target eNB selects at least one KDF from the KDF list supported by the target eNB and the KDF list supported by the UE.
Step 605: the target eNB sends a Handover Request response message (e.g., Handover Request Ack message) to the target MME, which includes the KDF selected by the target eNB.
Step 606: the target MME returns a Forward Relocation Response message (e.g. a Forward Relocation Response message) to the source MME, wherein the Forward Relocation Response message contains the selected KDF.
Step 607: the source MME sends a handover command message (e.g., a handover command message) to the source eNB, which includes the selected KDF.
Step 608: the source eNB forwards the handover command message containing the selected KDF to the UE.
Fig. 7 shows a flow of another embodiment of a key derivation function negotiation method of the present invention, where a network node in this embodiment takes eNB as an example, and shows a process of negotiating KDF between a UE and a target eNB when the UE switches from another network (e.g. 2G/3G network) to EUTRAN:
step 701: when the UE is switched to EUTRAN from other networks (such as 2G/3G networks), the source access network element sends a switching request message to the source SGSN.
When the source access network is 2G access network GERAN, a source access network element BSS sends a switching request message (for example, a PS Handover Required message) to a source SGSN; when the source access network is a 3G access network UTRAN, the source access network element RNC sends a handover request message (e.g., a Relocation Required message) to the source SGSN.
Step 702: the source SGSN sends a Forward Relocation Request message (e.g. a Forward Relocation Request message) to the target MME, wherein the Forward Relocation Request message carries a list of KDFs supported by the UE.
Wherein, the source SGSN acquires a KDF list supported by the UE from a network access procedure or a previous RAU (Route Area Update) procedure of the UE.
Step 703: the target MME sends a Handover Request message (e.g., Handover Request message) to the target eNB, where the Handover Request message includes a KDF list supported by the UE.
Step 704: and the target eNB selects at least one KDF from the KDF list supported by the target eNB and the KDF list supported by the UE.
Step 705: the target eNB sends a Handover Request response message (e.g., Handover Request Ack message) to the target MME, which includes the KDF selected by the target eNB.
Step 706: the target MME returns a Forward Relocation Response message (e.g. a Forward Relocation Response message) to the source SGSN, and the Forward Relocation Response message contains the selected KDF.
Step 707: the source SGSN sends a handover command message to the source access network element, where the handover command message contains the selected KDF.
When the source access network is GERAN, the source SGSN sends a handover command message (for example, a PS HO Required Ack message) to the source access network element BSS;
when the source access network is UTRAN, the source SGSN sends a handover command message (e.g., a Relocation Command message) to the source access network element RNC.
Step 708: the source access network element forwards the handover command message containing the selected KDF to the UE.
When the source access network is GERAN, the source access network element BSS sends a handover command message (for example, a PS Handover Command message) containing the selected KDF to the UE;
when the source access network is UTRAN, the source access network element RNC sends a handover command message (e.g., an HO from UTRAN Command message) containing the selected KDF to the UE.
Corresponding to the embodiment of the negotiation method of the key derivation function, the invention also provides the embodiments of a negotiation system of the key derivation function and a network node.
Fig. 8 is a block diagram of an embodiment of a system for negotiating a key derivation function according to the present invention, the system including: a terminal 810 and a network node 820.
The terminal 810 is configured to provide a list of key derivation functions KDF supported by the terminal 810; the network node 820 is configured to obtain a KDF list supported by the terminal 810, select a KDF commonly supported by the network node 820 and the terminal 810 according to the KDF list supported by the network node 820 and the KDF list supported by the terminal 810, and send the selected KDF to the terminal 810.
Further, when the network node cannot acquire the KDF list supported by the terminal or the acquired KDF list supported by the terminal is empty, the network node 820 is further configured to select a default KDF, where the default KDF is consistent with the default KDF supported by the terminal 810, for example, HMAC-SHA-246.
The network node in the embodiment of the present invention may specifically be an eNB. Fig. 9 is a block diagram of an embodiment of a network node of the present invention, which includes: an acquisition unit 910, a selection unit 920, and a transmission unit 930.
The obtaining unit 910 obtains a key derivation function KDF list supported by the terminal; the selecting unit 920 selects a KDF commonly supported by the network node and the terminal according to the KDF list supported by the network node and the KDF list supported by the terminal; a transmitting unit 930 transmits the selected KDF to the terminal.
Another embodiment of a network node of the present invention is shown in fig. 10, and comprises: an acquisition unit 1010, a selection unit 1020, and a transmission unit 1030.
The obtaining unit 1010 obtains a key derivation function KDF list supported by the terminal; the selecting unit 1020 selects a KDF supported by the network node and the terminal together according to the KDF list supported by the network node and the KDF list supported by the terminal; the transmitting unit 1030 transmits the selected KDF to the terminal.
Specifically, the obtaining unit 1010 includes: a first obtaining unit 1011, configured to obtain, from a mobility management entity MME, a KDF list supported by the terminal; and/or a second obtaining unit 1012, configured to obtain, from the source network node, the KDF list supported by the terminal.
Specifically, the selecting unit 1020 includes: a KDF determining unit 1021, configured to determine, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF list supported by both the network node and the terminal; a select KDF unit 1022 for selecting a KDF from the list of commonly supported KDFs according to priority.
Another embodiment of a network node of the present invention is shown in fig. 11, and comprises: an acquisition unit 1110, a selection unit 1120, a transmission unit 1130, and a default unit 1140.
The obtaining unit 1110 is configured to obtain a key derivation function KDF list supported by the terminal; the selecting unit 1120 is configured to select a KDF commonly supported by the network node and the terminal according to the KDF list supported by the network node and the KDF list supported by the terminal; a sending unit 1130 is configured to send the selected KDF to the terminal; the default unit 1140 is configured to, when the network node cannot acquire the KDF list supported by the terminal or the acquired KDF list supported by the terminal is empty, select a default KDF by the network node, where the default KDF is consistent with the default KDF supported by the terminal, for example, HMAC-SHA-246.
According to the description of the embodiment of the invention, when a new KDF is introduced in the network upgrading process, even if the KDF lists supported by the network node and the terminal are different, the same KDF can be used for derivation processing of various keys such as a non-access signaling NAS key, a Radio Resource Control (RRC) key, a User Plane (UP) key and the like through negotiation between the network node and the terminal, so that the network node and the terminal supporting different KDF lists can exist in the network at the same time; and when the terminal equipment is difficult to upgrade and the KDF list provided for the network node is empty, the network node can select to use the default KDF consistent with the KDF supported by the terminal, thereby ensuring the negotiation integrity of the whole network.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, where the program may be stored in a computer readable storage medium, and when executed, the program includes the following steps: a network node acquires a key derivation function KDF list supported by a terminal; selecting a KDF supported by the network node and the terminal together according to the KDF list supported by the network node and the KDF list supported by the terminal; and sending the selected KDF to the terminal. The storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
While the present invention has been described with respect to the embodiments, those skilled in the art will appreciate that there are numerous variations and permutations of the present invention without departing from the spirit of the invention, and it is intended that the appended claims cover such variations and modifications as fall within the true spirit of the invention.

Claims (14)

1. A method for negotiating a key derivation function, comprising:
a network node acquires a key derivation function KDF list supported by a terminal;
selecting a KDF supported by the network node and the terminal together according to the KDF list supported by the network node and the KDF list supported by the terminal;
and sending the selected KDF to the terminal.
2. The method of claim 1, wherein the network node comprises: an evolved base station eNB, or a mobility management entity MME, or a home network subscriber server HSS.
3. The method of claim 2, wherein the eNB obtaining the KDF list supported by the terminal comprises:
the eNB acquires a KDF list supported by the terminal from an MME; or
And the eNB acquires the KDF list supported by the terminal from the source eNB.
4. The method of claim 3, wherein the eNB obtaining the terminal-supported KDF list from the MME comprises:
when the terminal sends an attach request message or a service request message, the eNB acquires the KDF list supported by the terminal from the MME; or,
when the terminal is handed over between evolved universal terrestrial radio access networks (EUTRANs), the eNB acquires the KDF list supported by the terminal from the target MME; or,
when the terminal is handed over to EUTRAN from another network, the eNB acquires the KDF list supported by the terminal from the target MME.
5. The method of claim 3, wherein the eNB obtaining the KDF list supported by the terminal from the source eNB comprises:
and when the terminal is switched among EUTRANs, the eNB acquires a KDF list supported by the terminal from a source eNB.
6. The method of claim 2, wherein the selecting the KDF commonly supported by the eNB and the terminal according to the KDF list supported by the eNB and the KDF list supported by the terminal comprises:
determining a KDF list supported by the eNB and the terminal together according to the KDF list supported by the eNB and the KDF list supported by the terminal;
and the eNB selects the KDF from the commonly supported KDF list according to the priority.
7. The method of claim 2, wherein selecting the KDF commonly supported by the eNB and the terminal according to the KDF list supported by the eNB and the KDF list supported by the terminal further comprises:
and when the eNB cannot acquire the KDF list supported by the terminal or the acquired KDF list supported by the terminal is empty, the eNB selects a default KDF, and the default KDF is consistent with the default KDF supported by the terminal.
8. The method of claim 1, wherein sending the selected KDF to the terminal comprises:
when the terminal sends an attach request message or a service request message, sending the selected KDF to the terminal in an access stratum (AS) security mode command message; or
when the terminal sends an attach request message, sending the selected KDF to the terminal in an attach accept message; or
when the terminal sends a service request message, sending the selected KDF to the terminal in a radio bearer setup message; or
when the terminal is handed over within the EUTRAN or is handed over to the EUTRAN from another network, sending the selected KDF to the terminal in a handover command.
9. A system for negotiating a key derivation function, comprising a terminal and a network node, wherein:
the terminal is configured to provide a key derivation function (KDF) list supported by the terminal; and
the network node is configured to acquire the KDF list supported by the terminal, select, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF commonly supported by the network node and the terminal, and send the selected KDF to the terminal.
10. The system according to claim 9, wherein the network node selects a default KDF when the KDF list provided by the terminal is empty, the default KDF coinciding with a default KDF supported by the terminal.
11. A network node, comprising:
an acquiring unit, configured to acquire a key derivation function (KDF) list supported by a terminal;
a selecting unit, configured to select, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF supported by both the network node and the terminal; and
a sending unit, configured to send the selected KDF to the terminal.
12. The network node according to claim 11, wherein the acquiring unit comprises:
a first acquiring unit, configured to acquire the KDF list supported by the terminal from a mobility management entity (MME); and
a second acquiring unit, configured to acquire the KDF list supported by the terminal from a source network node.
13. The network node according to claim 11, wherein the selecting unit comprises:
a KDF determining unit, configured to determine, according to the KDF list supported by the network node and the KDF list supported by the terminal, a KDF list supported by both the network node and the terminal; and
a KDF selecting unit, configured to select a KDF from the commonly supported KDF list according to priority.
14. The network node of claim 11, further comprising:
a default unit, configured to select a default KDF when the KDF list supported by the terminal is empty, the default KDF being consistent with the default KDF supported by the terminal.
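The negotiation the claims describe (intersect the two KDF lists, pick by the network node's priority, fall back to the shared default when the terminal's list is missing or empty) and the use of the agreed KDF to derive the NAS, RRC and UP keys, written out as an added example that is not code from the patent. The KDF identifiers, the hash behind each identifier, the key labels and the root key are constructed placeholders, not 3GPP values; the behaviour when the two lists share no KDF is not covered by the claims and is treated here as a negotiation failure.

```python
# Added example, not code from the patent: KDF negotiation per claims 6, 7 and 10,
# then key derivation with the agreed KDF. All identifiers below are constructed.
import hashlib
import hmac

# Network-side KDF list in priority order (first = most preferred). Constructed.
ENB_KDF_PRIORITY = ["KDF-2", "KDF-1", "KDF-0"]
# Default used when the terminal's list is missing or empty; per claim 7 it must
# equal the terminal's default.
DEFAULT_KDF = "KDF-0"
# Constructed mapping of KDF identifiers to the hash each one is built on.
KDF_HASH = {"KDF-0": hashlib.sha1, "KDF-1": hashlib.sha256, "KDF-2": hashlib.sha3_256}


def select_kdf(enb_kdfs, terminal_kdfs):
    """Pick the KDF both sides support, by eNB priority (claims 6 and 7)."""
    if not terminal_kdfs:  # list not acquired (None) or empty -> default KDF
        return DEFAULT_KDF
    supported_by_terminal = set(terminal_kdfs)
    common = [k for k in enb_kdfs if k in supported_by_terminal]
    if not common:
        # Not covered by the claims; treated here as a negotiation failure.
        raise ValueError("no KDF supported by both eNB and terminal")
    return common[0]  # highest-priority entry of the common list


def derive_keys(kdf_id, root_key):
    """Derive the NAS, RRC and UP keys from root_key with the chosen KDF."""
    prf = KDF_HASH[kdf_id]
    return {label: hmac.new(root_key, label.encode(), prf).digest()
            for label in ("NAS", "RRC", "UP")}


def negotiate(enb_kdfs, terminal_kdfs, root_key):
    """Run the exchange of claim 2 on both sides.

    Returns (selected KDF, True if the terminal derives the same keys as the eNB).
    """
    chosen = select_kdf(enb_kdfs, terminal_kdfs)  # eNB side
    enb_keys = derive_keys(chosen, root_key)
    ue_keys = derive_keys(chosen, root_key)       # terminal applies the KDF it was sent
    return chosen, enb_keys == ue_keys
```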
CN200810134971A 2008-08-07 2008-08-07 Method, system and network node for consulting cipher key derivative function Pending CN101645877A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20100210