CN101674578B - Method and system for safely accessing femtocell into network - Google Patents

Method and system for safely accessing femtocell into network Download PDF

Info

Publication number
CN101674578B
CN101674578B CN200810216090A CN200810216090A CN101674578B CN 101674578 B CN101674578 B CN 101674578B CN 200810216090 A CN200810216090 A CN 200810216090A CN 200810216090 A CN200810216090 A CN 200810216090A CN 101674578 B CN101674578 B CN 101674578B
Authority
CN
China
Prior art keywords
user plane
home enodeb
gateway
security association
mme
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200810216090A
Other languages
Chinese (zh)
Other versions
CN101674578A (en
Inventor
宗在峰
王卫斌
刘霖
方敏
朱进国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN200810216090A priority Critical patent/CN101674578B/en
Publication of CN101674578A publication Critical patent/CN101674578A/en
Application granted granted Critical
Publication of CN101674578B publication Critical patent/CN101674578B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention aims at providing a method for safely accessing a femtocell into a network, wherein the method is applied in the network comprising a femtocell gateway and an evolutionary packet system EPS and comprises the following steps: accessing the femtocell into the network, carrying out access authentication on the femtocell by the femtocell gateway, generating femtocell secret key information in the authentication process and transmitting the femtocell secret key information into an MME; generating a user-interface security alliance between the femtocell and a service gateway according to the femtocell secret key information by the MME, and transmitting the user-interface security alliance into the femtocell and the service gateway; and accessing the femtocell into the service gateway by utilizing the user-interface security alliance. The invention also provides a system for safely accessing the femtocell into the network. By adopting the method, the femtocell is ensured to access into the network safely, and meanwhile, the hop count of the user interface is reduced.

Description

A kind of method and system of safely accessing femtocell into network
Technical field
The present invention relates to communication field, particularly, the present invention relates to a kind of method and system of safely accessing femtocell into network.
Background technology
The grouping system of 3GPP evolution (EPS, Evolved Packet System) is by UTRAN (E-UTRAN, the Evolved Universal Terrestrial Radio AccessNetwork of evolution; The land radio access web of evolution), MME (mobility management unit; MobilityManagement Entity), S-GW (gateway, Serving Gateway), PDNGW (P-GW, Packet Data Network GateWay; Data network gateway), reaching other support nodes forms.Wherein MME is responsible for the processing of mobile management, Non-Access Stratum signaling, user's chain of command related works such as the contextual management of mobile management; S-GW is the accessing gateway equipment that links to each other with E-UTRAN, between E-UTRAN and PDN GW, transmits data, and is responsible for pending datas such as paging are carried out buffer memory.P-GW then is the grouping system (EPS, Evolved Packet System) of 3GPP evolution and the borde gateway of PDN (Packet Data Network) network, is responsible for the access of PDN, between EPS and PDN, transmits function such as data.
According to security needs, eNodeB (Evolved NodeB, the node of evolution) generally is placed on safe position, it is generally acknowledged that promptly eNodeB is trusty, and be difficult for being attacked.But in order to increase wireless coverage and wireless bandwidth, the notion of a kind of Home eNodeB (Home eNodeB) is suggested.This Home eNodeB can be used as focus and covers, and is placed on the public place, like market, airport and other places, or directly is placed in the resident family as home gateway, to increase user's impression.In the above-mentioned scene, Home eNodeB does not belong to operator, and the safety of HomeeNodeB becomes problem.In order to prevent the access of illegal Home eNodeB, operator need carry out authentication to it, and in order to prevent malicious attack, operator must guarantee that all data of receiving from Home eNodeB are all safe and reliable.What deserves to be mentioned is that the path from HomeeNodeB to the carrier network also is commonly referred to be unsafe (being linked into carrier network through Internet usually).How to solve Home eNodeB safety access network and become the problem that waits to solve.
Summary of the invention
To the problem that exists in the prior art, the invention provides a kind of method and system of safely accessing femtocell into network.
The method of a kind of safely accessing femtocell into network provided by the invention is:
A kind of method of safely accessing femtocell into network is applied in the network that the grouping system EPS by femto gateway, evolution forms, and this method comprises:
Home eNodeB inserts said network, and femto gateway carries out access authentication to Home eNodeB, in said verification process, produces the Home eNodeB key information, and said Home eNodeB key information is sent to Mobility Management Entity MME;
MME generates the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway;
Said Home eNodeB utilizes said user plane Security Association to insert said gateway.
Further, wherein, said femto gateway inserts said network, and femto gateway comprises said Home eNodeB access authentication:
Home eNodeB is selected femto gateway, sets up the IP secure tunnel between initiation and the femto gateway, sets up in the IP secure tunnel process said, and the authentication accounting server carries out authentication to Home eNodeB.
Further; Wherein, The authentication accounting server carries out in the verification process Home eNodeB, generates root key, and said root key is sent to femto gateway; Said femto gateway generates the Home eNodeB key information according to said root key, and said Home eNodeB key information comprises the user plane root key.
Further, wherein, said MME generates the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway comprises:
MME calculates according to the said user plane root key that receives and generates the user plane key, and is that Home eNodeB and gateway are selected to generate the user plane Security Association, and said user plane Security Association is sent to gateway; And
MME sends to said Home eNodeB with the user plane resource information of said user plane Security Association and said gateway.
Further, after said user plane Security Association is sent to Home eNodeB and gateway, further comprise:
Gateway generates security policy database and Security Association storehouse according to user plane Security Association and user plane resource information;
Home eNodeB generates required security policy database and the Security Association storehouse of user plane secure tunnel according to said user plane Security Association and said user plane resource information.
Further, if said MME upgrades said user plane Security Association after generating said user plane Security Association, it is characterized in that said method comprises:
Said user plane Security Association is upgraded in said MME decision, and the new user plane Security Association after the said renewal is sent to Home eNodeB; Home eNodeB regenerates required security policy database of said user plane secure tunnel and Security Association storehouse according to said new user plane Security Association;
Said MME sends to gateway with said new user plane Security Association; Gateway regenerates required security policy database of said user plane secure tunnel and Security Association storehouse according to said new user plane Security Association.
Further, said MME receives the said user plane Security Association of user plane root key renewal request back decision renewal of said femto gateway transmission, and said Home eNodeB upgrades request to said MME transmission user plane root key and comprises:
If the Security Association between said Home eNodeB and the femto gateway is overtime, said femto gateway sends the user plane root key to the related MME of said Home eNodeB and upgrades request.
Further, said MME receives said user plane key root newly asks the back to upgrade said user plane Security Association, and said Home eNodeB or gateway request are upgraded the user plane key and comprised:
Home eNodeB or gateway be through controlling the user plane secure tunnel, reach the predetermined control condition after, Home eNodeB sends user plane key updating request to MME.
The present invention also provides a kind of system of safely accessing femtocell into network, and said system comprises:
Authentication module is arranged in femto gateway, is used for Home eNodeB is carried out access authentication, in said verification process, produces the Home eNodeB key information, and said Home eNodeB key information is sent to MME;
User plane Security Association constructing module is arranged in MME, is used for generating the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway;
Above-mentioned system; Wherein, Said user plane Security Association constructing module also is used for upgrading the said user plane Security Association of request back decision renewal according to the user plane root key that receives said femto gateway transmission; Perhaps, said user plane Security Association constructing module receives said user plane key root and newly asks the said user plane Security Association of back renewal.
Use method of the present invention, guaranteed that Home eNodeB safety has inserted network, simultaneously, reduced the jumping figure of user plane, promptly user plane can directly insert Serving Gateway and need not pass through intermediate node Home eNodeB Gateway from Home eNodeB.
Description of drawings
Fig. 1 is the applied system architecture diagram of the present invention;
Fig. 2 is Home eNodeB authentication and register flow path figure;
Fig. 3 is the flow chart of UE initial registration;
Fig. 4 is the flow chart that MME upgrades the user plane Security Association;
Fig. 5 is the renewal flow chart of user plane root key;
Fig. 6 is that user plane key flow chart is upgraded in Home eNodeB or Serving Gateway request.
Embodiment
Do further detailed description below in conjunction with accompanying drawing to inventing described method and system.
The applied system architecture diagram of the present invention is as shown in Figure 1, and it mainly comprises:
202 Home eNodeB: do not belong to the eNodeB of operator, before the access carrier network, must carry out authentication it, with core net interactive signaling and data must encipherment protection.
204 Home eNodeB Gateway (femto gateway): the management function to HomeeNodeB is provided, comprises encryption, the forwarding of chain of command signaling, the generation of user plane Security Association of authentication to Home eNodeB, chain of command signaling etc.When supporting the load sharing of S1 interface, Home eNodeB Gateway also has the selection function of MME.
206 SEGW (security gateway module): be arranged in the security gateway module of 204 logic entities, be responsible for to the authentication of Home eNodeB, the encryption of chain of command signaling, the generation of user plane Security Association.
208 HBS-C (Home Base Station Controller, Home eNodeB controller): be arranged in the Home eNodeB administration module of 204 logic entities, be responsible for registration, the management of Home eNodeB, be responsible for the selection of MME.
210 MME (Mobility Management entity, Mobility Management Entity): its function comprises functions such as authentication to the user, context management, mobile management, session management, bearer management.In addition, this entity also is responsible for the distribution of user plane Security Association.
212 Serving Gateway (S-GW, gateway): its function comprises function such as data encryption between forwarding, bearer management and the Home eNodeB of user face data.
214 SEGW: be arranged in 212 security gateway module, be responsible for the data encryption between Home eNodeB and Serving Gateway.
216 HSS (home subscriber server): be used to keep user contracting data, generate functions such as safe vector.
218 aaa servers or agency (AAA Server/Proxy): certificate server, to be responsible for Home eNodeB and UE are carried out authentication, it obtains the required information such as safe vector of authentication from 216.
Each interface is described below:
The IuH interface: be the interface between Home eNodeB and Home eNodeB Gateway, this interface provides functions such as the transmission of the administrative messag of the authentication function of Home eNodeB, Home eNodeB, S1 interface message and encryptions.
The S1-AP interface: be the logic interfacing between Home eNodeB and MME, this interface is used to transmit control signaling and the non-access layer information (NAS message, None Access Stratum) between Home eNodeB and MME.
S1-AP *Interface: be the interface between Home eNodeB Gateway and MME, this interface provides the distribution of user plane Security Association, the functions such as transmission of S1-AP message.
The S1-UP interface: be the interface in the user plane between Home eNodeB and Serving Gateway, this interface provides the encryption of user face data.
S11 *Interface: be the interface between MME and Serving Gateway, this interface also provides the functions such as transmission of control signaling between distribution function, MME and the Serving Gateway of user plane Security Association.
Wm interface: be the security gateway (SEGW) that is arranged in Home eNodeB Gateway and the interface between aaa server/agency, be used to accomplish functions such as authorization identifying to Home eNodeB.
D '/Gr ' interface: the interface between aaa server/agency and HSS is used for download, renewal of Ciphering Key and subscription data etc.
Embodiment one
Fig. 2 is Home eNodeB authentication and register flow path figure.As Home eNodeB first during access network, Home eNodeB Gateway carries out authentication to it, and sets up ipsec security alliance with it.After the foundation of accomplishing ipsec security alliance, Home eNodeB is initiated to the register flow path of Home eNodeB Gateway.Realization between aaa server and HSS does not influence the present invention, therefore, in the present embodiment aaa server and HSS is placed in the same entity, and the interface that present embodiment is not described in detail between aaa server and HSS is realized.Each step is described in detail as follows:
402 Home eNodeB are (as just powering on or reset etc.) first during access network, and Home eNodeB selects suitable Home eNodeBGateway according to configuration or dns resolution.Set up IPSec (IP Security, IP safety) secure tunnel between Home eNodeB initiation and Home eNodeB Gateway.In setting up the process of secure tunnel, HomeeNodeB Gateway carries out authentication to Home eNodeB.If authentication protocol is EAP (Extensible Authentication Protocol, an Extensible Authentication Protocol), then the entity to the HomeeNodeB authentication is an aaa server.Aaa server obtains information such as Ciphering Key, user contracting data as required from HSS.If Home eNodeB Gateway and aaa server can not direct interfaces, then can between them, transmit message through the AAA acting server.After authentication is accomplished, aaa server will generate root key, and this root key through aaa protocol the Gateway to Home eNodeB is taken place.Home eNodeB Gateway calculates the user plane root key according to this root key.
404 all IP that between Home eNodeB and Home eNodeB Gateway, transmits bags comprise that S1-AP message, Home eNodeB administrative messag etc. all need in above-mentioned secure tunnel, to encrypt transmission.
406 Home eNodeB are initiated to the registration of Home eNodeB Gateway.
Embodiment two
Fig. 3 is the flow chart of UE initial registration.In the UE registration process; Home eNodeBGateway will select MME for this UE; And generate the user plane Security Association; HomeeNodeB Gateway takes place the user plane root key to MME, and MME generates the user plane Security Association according to this user plane root key, and it is distributed to Home eNodeB and ServingGateway.
In this flow chart, the user plane Security Association is incidentally given HomeeNodeB through S1-AP message, incidentally gives Serving Gateway through creating bearing request message.
Embodiment two detailed process are described below:
602 UE send Attach Request message to Home eNodeB, and this Attach Request message is through RRC (Radio Resource Control, Radio Resource control) message transmission.
604 Home eNodeB send to Home eNodeB Gateway with this Attach Request message through S1-AP message.
606 Home eNodeB Gateway select MME for this UE.
608 if do not connect with Home eNodeB Gateway before this MME, and then Home eNodeB Gateway calculates the required user plane root key of customer side encryption according to the root key that produces during step 402 authentication among the embodiment one.This process is accomplished by security gateway module among the Home eNodeBGateway and the cooperation of HBS-C module.
The Attach Request message and 608 that 610 Home eNodeB Gateway receive step 604 goes on foot the user plane root key that generates, and takes place to selected MME through S1-AP* message.
612 MME carry out authentication to this UE after receiving Attach Request message, and MME obtains Ciphering Key and user signing contract information from HSS in this process, and MME registers this UE service as to HSS simultaneously.
614 MME select suitable Serving Gateway for this UE.
The user plane root key that 616 MME use step 610 to receive as required calculates the required user plane key of customer side encryption.
According to strategy; This user plane safety can be the UE level other; It is the secure tunnel between corresponding Home eNodeB of each UE and Serving Gateway; Also can be NE-level other, promptly between a pair of Home eNodeB and Serving Gateway, set up a secure tunnel, for all are shared by this UE to Home eNodeB and Serving Gateway service.If secure tunnel is the network element rank; Then MME judges whether set up secure tunnel between selected eNodeB and the ServingGateway; If secure tunnel does not exist, or the key of secure tunnel is expired, and then MME recomputates new user plane key according to the user plane root key; Otherwise MME need not calculate the user plane key.If secure tunnel is a user class, then in attaching process, MME always need calculate new user plane key.
MME is that secure tunnel between them is selected suitable security algorithm, safe mode (like integrity protection, encryption, tunnel mode or transmission mode etc.), encryption scope (like UE rank or network element rank) etc. according to eNodeB and Serving Gateway ability, and MME forms the user plane Security Association with information such as user plane key, security algorithm, safe mode, encryption scopes.
MME sends to selected Serving Gateway and creates the request of carrying, and MME sends to Serving Gateway with above-mentioned user plane Security Association.
618 Serving Gateway are this UE distributing user face resource.Serving Gateway preserves the user plane Security Association.According to user plane Security Association and user plane resource information, Serving Gateway generates required security policy database and the Security Association storehouse of secure tunnel.Serving Gateway sends to MME with corresponding user plane resource information like information such as the up TEID of GTP tunnel, up IP addresses.
620 MME send to Home eNodeB and create the request of carrying, and in this message, MME sends to Home eNodeB with the user plane resource information that Serving Gateway in user plane safety alliance information and the step 618 distributes.Home eNodeB generates required security policy database and the Security Association storehouse of user plane secure tunnel according to this information.Home eNodeB is this UE distributing radio resource and S1-UP interface resource.
The Gateway to Serving takes place with S1-UP interface resource information through bearer update message in 622 Home eNodeB.
Serving Gateway keeps S1-UP interface resource information, and upgrades local user plane security policy database and Security Association storehouse according to this resource information.The bearer update acknowledge message takes place to Home eNodeB in Serving Gateway.
Message in this step is all passed through the MME transfer, and MME is recorded in local data base with S1-UP interface resource information wherein.
624 so far, between Home eNodeB and Serving GW, created user plane, and set up the user plane secure tunnel.
626 MME adhere to acknowledge message to UE.The UE attachment flow finishes.
Embodiment three
Fig. 4 is the flow chart that MME upgrades the user plane Security Association.This flow process is applicable to other user plane safety of UE level and other user plane safety of NE-level, and details are as follows for flow chart:
802 MME decisions need to upgrade the user plane Security Association.Such as, MME receives that the user plane root key from Home eNodeB Gateway upgrades request.MME generates new customer side encryption key according to the user plane root key.MME can determine whether to change other parameters in the Security Association as required, like security algorithm etc.MME generates new user plane Security Association.
The eNodeB to Home takes place with new user plane Security Association in 804 MME.
806 Home eNodeB receive that according to step 804 new user plane Security Association and existing user plane Security Association generate new user plane policy library and user plane Security Association storehouse.Home eNodeB preserves new enciphered message and old enciphered message simultaneously.Home eNodeB still uses old enciphered message to the upstream data packet encryption; Home eNodeB attempts the deciphering of new and old two cover enciphered messages to downlink data packet, and which overlaps is successfully overlapped with for which.Receive the downlink data packet of the new enciphered message encryption of use as Home eNodeB after, Home eNodeB launches new enciphered message and encrypts the upstream data bag, and at this moment, Home eNodeB can delete old enciphered message.
808 MME send new user plane Security Association to Serving GW.
810 Serving GW receive that according to step 808 new user plane Security Association and existing user plane Security Association generate new user plane policy library and user plane Security Association storehouse.ServingGateway preserves new enciphered message and old enciphered message simultaneously.Serving Gateway makes new enciphered message to the downlink data packet encryption; Serving Gateway attempts the deciphering of new and old two cover enciphered messages to the upstream data bag.Receive the upstream data bag of the new enciphered message encryption of use as Serving Gateway after, Serving Gateway deletes old enciphered message.
Embodiment four
Fig. 5 is the renewal flow chart of user plane root key.After Home eNodeB Gateway is to Home eNodeB authentication again, Home eNodeB Gateway according to strategy decision whether need to this Home eNodeB related MME upgrade the user plane root key.This flow process is the flow process that Home eNodeB Gateway decision will be upgraded the user plane root key.In Home eNodeB Gateway, need to preserve Home eNodeB the tabulation of related MME, the MME in this tabulation is that a certain UE that resides among this Home eNodeB serves.
The detailed step of embodiment four is described below:
Security Association between 1002 Home eNodeB and Home eNodeB Gateway upgrades.Soon overtime when Security Association, can trigger this process by Home eNodeB or Home eNodeBGateway.After this process finishes, Home eNodeB Gateway be this Home eNodeB the related new user plane root key of each MME calculating.
1004 Home eNodeB Gateway to this Home eNodeB related each MME send user plane root key updating message.
1006 MME use embodiment three described flow processs to upgrade the user plane Security Association among Home eNodeB and the ServingGateway after receiving from the user plane root key updating message of Home eNodeB Gateway.
Embodiment five
Fig. 6 is that user plane key flow chart is upgraded in Home eNodeB or Serving Gateway request.Home eNodeB or Serving Gateway can be according to processes from the number-of-packet decision of this user plane secure tunnel to MME that initiate to upgrade the user plane key through.The detailed step of embodiment five is described below:
1202a Home eNodeB counts each packet through the user plane secure tunnel, if counter surpasses a certain threshold values, Home eNodeB upgrades the user plane key message to the MME request of sending.Home eNodeB also can start timer, if when useful life of user plane key surpassing certain time length, Home eNodeB also can upgrade the user plane key message to the MME request of sending.
1202b is same, and Serving Gateway also possibly initiate to upgrade the user plane key request.The trigger condition of the similar Home eNodeB of trigger condition.
1204 MME initiate the embodiment three more new technological process of user plane Security Association of describing after receiving and upgrading the user plane secret key request message, and the user plane key is upgraded.
System embodiment:
The present invention also provides a kind of system of safely accessing femtocell into network, and said system comprises:
Authentication module is arranged in femto gateway, is used for Home eNodeB is carried out access authentication, in said verification process, produces the Home eNodeB key information, and said Home eNodeB key information is sent to MME;
User plane Security Association constructing module is arranged in MME, is used for generating the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway.
In this system; Said user plane Security Association constructing module also is used for upgrading the said user plane Security Association of request back decision renewal according to the user plane root key that receives said femto gateway transmission; Perhaps, said user plane Security Association constructing module receives said user plane key root and newly asks the said user plane Security Association of back renewal.
The above is merely the preferred embodiments of the present invention, is not limited to the present invention, and for a person skilled in the art, the present invention can have various changes and variation.All within spirit of the present invention and principle, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (10)

1. the method for a safely accessing femtocell into network is applied to it is characterized in that said method comprises in the network that the grouping system EPS by femto gateway, evolution forms:
Home eNodeB inserts said network, and femto gateway carries out access authentication to Home eNodeB, in said verification process, produces the Home eNodeB key information, and said Home eNodeB key information is sent to Mobility Management Entity MME;
MME generates the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway;
Said Home eNodeB utilizes said user plane Security Association to insert said gateway.
2. method according to claim 1 is characterized in that said Home eNodeB inserts said network, and femto gateway comprises said Home eNodeB access authentication:
Home eNodeB is selected femto gateway, sets up the IP secure tunnel between initiation and the femto gateway, sets up in the IP secure tunnel process said, and the authentication accounting server carries out authentication to Home eNodeB.
3. method according to claim 2; It is characterized in that; The authentication accounting server carries out in the verification process Home eNodeB, generates root key, and said root key is sent to femto gateway; Said femto gateway generates the Home eNodeB key information according to said root key, and said Home eNodeB key information comprises the user plane root key.
4. method according to claim 3; It is characterized in that; Said MME generates the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway comprises:
MME calculates according to the said user plane root key that receives and generates the user plane key, and is that Home eNodeB and gateway are selected to generate the user plane Security Association, and said user plane Security Association is sent to gateway; And
MME sends to said Home eNodeB with the user plane resource information of said user plane Security Association and said gateway.
5. method according to claim 4 is characterized in that, after said user plane Security Association is sent to Home eNodeB and gateway, further comprises:
Gateway generates security policy database and Security Association storehouse according to user plane Security Association and user plane resource information;
Home eNodeB generates required security policy database and the Security Association storehouse of user plane secure tunnel according to said user plane Security Association and said user plane resource information.
6. method according to claim 5 if said MME upgrades said user plane Security Association after generating said user plane Security Association, is characterized in that said method comprises:
Said user plane Security Association is upgraded in said MME decision, and the new user plane Security Association after the said renewal is sent to Home eNodeB; Home eNodeB regenerates required security policy database of said user plane secure tunnel and Security Association storehouse according to said new user plane Security Association;
Said MME sends to gateway with said new user plane Security Association; Gateway regenerates required security policy database of said user plane secure tunnel and Security Association storehouse according to said new user plane Security Association.
7. method according to claim 6; It is characterized in that; Said MME receives the said user plane Security Association of user plane root key renewal request back decision renewal of said femto gateway transmission, and said femto gateway upgrades request to said MME transmission user plane root key and comprises:
If the Security Association between said Home eNodeB and the femto gateway is overtime, said femto gateway sends the user plane root key to the related MME of said Home eNodeB and upgrades request.
8. method according to claim 6 is characterized in that, said MME upgrades said user plane Security Association after receiving the user plane key updating request that said Home eNodeB or gateway send; Said Home eNodeB or gateway send said user plane key updating request to said MME and comprise:
Said Home eNodeB or gateway be through controlling the user plane secure tunnel, reach the predetermined control condition after, said Home eNodeB or gateway send said user plane key updating request to MME.
9. the system of a safely accessing femtocell into network is characterized in that, said system comprises:
Authentication module is arranged in femto gateway, is used for Home eNodeB is carried out access authentication, in said verification process, produces the Home eNodeB key information, and said Home eNodeB key information is sent to MME;
User plane Security Association constructing module is arranged in MME, is used for generating the user plane Security Association between Home eNodeB and gateway according to said Home eNodeB key information, and said user plane Security Association is sent to Home eNodeB and gateway.
10. system according to claim 9; It is characterized in that; Said user plane Security Association constructing module also is used for upgrading the said user plane Security Association of request back decision renewal according to the user plane root key that receives said femto gateway transmission; Perhaps, said user plane Security Association constructing module upgrades said user plane Security Association after receiving the user plane key updating request that said Home eNodeB or gateway send.
CN200810216090A 2008-09-12 2008-09-12 Method and system for safely accessing femtocell into network Expired - Fee Related CN101674578B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810216090A CN101674578B (en) 2008-09-12 2008-09-12 Method and system for safely accessing femtocell into network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810216090A CN101674578B (en) 2008-09-12 2008-09-12 Method and system for safely accessing femtocell into network

Publications (2)

Publication Number Publication Date
CN101674578A CN101674578A (en) 2010-03-17
CN101674578B true CN101674578B (en) 2012-09-26

Family

ID=42021508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810216090A Expired - Fee Related CN101674578B (en) 2008-09-12 2008-09-12 Method and system for safely accessing femtocell into network

Country Status (1)

Country Link
CN (1) CN101674578B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026405A (en) * 2010-12-29 2011-04-20 中兴通讯股份有限公司 Connection processing method and system
CN103999544B (en) * 2012-12-04 2018-06-26 华为技术有限公司 A kind of household base station gateway and its method for sending message
CN104349317A (en) * 2013-07-31 2015-02-11 中兴通讯股份有限公司 Mobile network access method, UE, security service gateway, and system
CN103475699A (en) * 2013-08-27 2013-12-25 北京创毅讯联科技股份有限公司 Enterprise network agent device and method for enterprise network to communicate with public network
CN103686910B (en) * 2013-11-29 2016-08-17 西安电子科技大学 The changing method of Home eNodeB alliance
CN106533659A (en) * 2015-09-14 2017-03-22 北京中质信维科技有限公司 Secret key updating method and system
SG11201802201YA (en) 2015-09-18 2018-04-27 Huawei Tech Co Ltd Method for accessing local network, and related device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905452A (en) * 2006-08-15 2007-01-31 中国电信股份有限公司 Automatic configuration system and method of IPSec safety tactis in domestic gateway
EP1786222A1 (en) * 2005-11-15 2007-05-16 Nortel Networks Limited Access network, gateway and management server for a cellular wireless communication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1786222A1 (en) * 2005-11-15 2007-05-16 Nortel Networks Limited Access network, gateway and management server for a cellular wireless communication system
CN1905452A (en) * 2006-08-15 2007-01-31 中国电信股份有限公司 Automatic configuration system and method of IPSec safety tactis in domestic gateway

Also Published As

Publication number Publication date
CN101674578A (en) 2010-03-17

Similar Documents

Publication Publication Date Title
US11122405B2 (en) MTC key management for key derivation at both UE and network
CN104285422B (en) For the secure communication of the computing device using adjacent service
CN101455025B (en) Encryption method for secure packet transmission
CN101674578B (en) Method and system for safely accessing femtocell into network
EP3300408B1 (en) Secure method for mtc device triggering
CN103096311B (en) The method and system of Home eNodeB secure accessing
CN101931953B (en) Generate the method and system with the safe key of apparatus bound
US20110305339A1 (en) Key Establishment for Relay Node in a Wireless Communication System
JP6922963B2 (en) Group gateway and communication method
EP3700127B1 (en) Method and system for key distribution in a wireless communication network
CN102948185A (en) Method for establishing a secure and authorized connection between a smart card and a device in a network
EP2208375B1 (en) Method for authenticating mobile units attached to a femtocell in communication with a secure core network such as an ims
WO2012031510A1 (en) Method and system for implementing synchronous binding of security key
CN105376737A (en) Machine-to-machine cellular communication security
CN105376214A (en) Machine-to-machine cellular communication security
CN106211100A (en) The cellular communication safety of machine to machine
CN106797560B (en) Method, server, base station and communication system for configuring security parameters
JP6700371B1 (en) Management device, communication system, program and control method
Broustis et al. Detecting and preventing machine-to-machine hijacking attacks in cellular networks
Saedy et al. Machine-to-machine communications and security solution in cellular systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120926

Termination date: 20190912