CN101741551A - Method, network equipment, user equipment and communication system for ensuring forward security - Google Patents
Method, network equipment, user equipment and communication system for ensuring forward security Download PDFInfo
- Publication number
- CN101741551A CN101741551A CN200810176046A CN200810176046A CN101741551A CN 101741551 A CN101741551 A CN 101741551A CN 200810176046 A CN200810176046 A CN 200810176046A CN 200810176046 A CN200810176046 A CN 200810176046A CN 101741551 A CN101741551 A CN 101741551A
- Authority
- CN
- China
- Prior art keywords
- consultation parameter
- parameter
- subscriber equipment
- consultation
- access layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The embodiment of the invention discloses a method, network equipment, user equipment and a communication system for ensuring forward security. The method for ensuring the forward secrecy comprises the following steps of: receiving a first negotiation parameter sent by the user equipment through a source base station; selecting a second negotiation parameter; sending the second negotiation parameter to the user equipment through the source base station; and acquiring an access layer key according to the first negotiation parameter and the second negotiation parameter. The network equipment comprises a first receiving module, a selecting module, a sending module and an access layer key acquiring module. The user equipment comprises a generation module, a first sending module, a receiving module and an acquiring module. The communication system comprises the user equipment, the source base station and a target base station. The embodiment of the invention effectively solves the problem of forward insecurity in the process of the user equipment switching eNB and also simplifies the process of the traditional scheme.
Description
Technical field
The present invention relates to communication technical field, particularly a kind of method, the network equipment, subscriber equipment and communication system of guaranteeing forward secrecy.
Background technology
SAE (System Architecture Evolution; System Architecture Evolution)/LTE (Long Term Evolution; Long Term Evolution) in the network; no matter be at AS (Access Stratum; Access Layer) still be NAS (Non Access Stratum; Non-Access Stratum), all need to deduce corresponding key, to the transmission signaling and data are encrypted or integrity protection.UE (UserEquipment, subscriber equipment) eNB (EvolvedNode B, the base station of evolution) occurs through regular meeting and switches in the SAE/LTE network, we claim source eNB the eNB before switching, and the eNB after the switching claims target eNB.Switch to a target eNB from source eNB, will deduce the key on the target eNB.Because before switching not success, it all is to transmit by source eNB that UE and target eNB are deduced the new used parameter of key, so source eNB knows all information of target eNB secret key deduction.In existing scheme, if the assailant has broken through source eNB, the assailant just can deduce the key that uses on all target eNB when obtaining follow-up the switching so.Here it is, and forward direction is dangerous.
When source eNB and target eNB switching, MME (Mobility Managent Entity, Mobility Management Entity) participates in calculating a fresh parameter N ext-Hop-K
ENB, be used for the key after target eNB is deduced switching.
In realizing process of the present invention, the inventor finds that above-mentioned prior art has following shortcoming at least:
Do not solve the forward direction unsafe problems fully, and the participation of MME makes scheme complicated more.
Summary of the invention
In order to solve the forward direction unsafe problems that exists in the handoff procedure, the embodiment of the invention provides a kind of method, the network equipment, subscriber equipment and communication system of guaranteeing forward secrecy.Described technical scheme is as follows:
A kind of method of guaranteeing forward secrecy comprises:
Receive first consultation parameter that subscriber equipment sends by source base station;
Select second consultation parameter;
Described second consultation parameter is sent to described subscriber equipment by described source base station;
Obtain described Access Layer key according to described first consultation parameter and described second consultation parameter, described Access Layer key is used for communicating with described subscriber equipment.
A kind of network equipment comprises:
First receiver module is used to receive first consultation parameter that subscriber equipment sends by source base station;
Select module, be used to select second consultation parameter;
Sending module is used for described second consultation parameter is sent to described subscriber equipment by described source base station;
Access Layer key acquisition module is used for obtaining described Access Layer key according to described first consultation parameter and described second consultation parameter, and described Access Layer key is used for communicating with described subscriber equipment.
A kind of subscriber equipment comprises:
Generation module is used to generate first consultation parameter;
First sending module is used to send described first consultation parameter;
Receiver module is used for second consultation parameter that the receiving target base station sends by source base station;
Acquisition module is used for obtaining the Access Layer key according to described first consultation parameter and described second consultation parameter, and described Access Layer key is used for communicating with described target BS.
A kind of communication system is characterized in that, comprises target BS, source base station and subscriber equipment;
Described subscriber equipment is used for switching to described target BS from described source base station;
Described target BS is used to receive first consultation parameter that subscriber equipment sends by source base station; Select second consultation parameter; Described second consultation parameter is sent to described subscriber equipment by described source base station; Obtain described Access Layer key according to described first consultation parameter and described second consultation parameter, described Access Layer key is used for communicating with described subscriber equipment.
The technical scheme that the embodiment of the invention provides possesses following beneficial effect at least:
Obtain the Access Layer key by the method that provides first consultation parameter, target BS that second consultation parameter is provided by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the method flow diagram of guaranteeing forward secrecy that the embodiment of the invention 1 provides;
Fig. 2 is the method flow diagram of guaranteeing forward secrecy that the embodiment of the invention 2 provides;
Fig. 3 is the method flow diagram of guaranteeing forward secrecy that the embodiment of the invention 3 provides;
Fig. 4 is the network equipment structural representation that the embodiment of the invention 4 provides;
Fig. 5 is the user device architecture schematic diagram that the embodiment of the invention 5 provides;
Fig. 6 is the communication system architecture schematic diagram that the embodiment of the invention 6 provides.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
The network type of the embodiment of the invention can comprise: GSM (Global System for Mobile Communications, global system for mobile communications) network, CDMA (Code Division Multiple Access, code division multiple access) network, WCDMA (Wideband Code Division Multiple Access, Wideband Code Division Multiple Access (WCDMA)) network, Wimax (WorldwideInteroperability for Microwave Access, worldwide interoperability for microwave inserts) network, TD-SCDMA (TimeDivision-Synchronous Code Division Multiple Access, the code division multiple access that time-division is synchronous) network, LTE (LongTerm Evolution, Long Term Evolution) network etc.
The type of base station comprises various base stations, as LTE base station, Home eNodeB, femto cell Pico, UMTS AP, and WiMAXFemto base station, WiMAX macro base station etc., perhaps base station controller, and other access devices.
The subscriber equipment of the embodiment of the invention can comprise various types of terminals, as mobile phone, notebook computer, and perhaps other forwarding units etc.
For making the purpose, technical solutions and advantages of the present invention clearer, embodiment of the present invention is described further in detail below in conjunction with accompanying drawing.
Embodiment one
Referring to Fig. 1, the embodiment of the invention provides a kind of method of guaranteeing forward secrecy, and this method can comprise:
101: receive first consultation parameter that subscriber equipment sends by source base station;
The executive agent of this step can be a target BS.
102: select second consultation parameter;
The executive agent of this step can be a target BS.
103: second consultation parameter is sent to subscriber equipment by source base station; Second consultation parameter utilizes first consultation parameter and second consultation parameter to deduce out the Access Layer key after can receiving second consultation parameter for subscriber equipment;
The executive agent of this step can be a target BS.
104: obtain the Access Layer key according to first consultation parameter and second consultation parameter, the Access Layer key can be used for when switching and subscriber equipment communicates.
The executive agent of this step can be a target BS.
Wherein, 104 specifically can comprise:
Deduce out the secret key deduction parameter according to this first consultation parameter and second consultation parameter;
According to this Access Layer key of this secret key deduction parameter acquiring.
When this subscriber equipment and this target BS support elliptic curve cryptosystem, first consultation parameter can be xP, and second consultation parameter can be yP, and the secret key deduction parameter can be xyP;
Perhaps,
When this subscriber equipment and this target BS support discrete logarithm cryptographic system, first consultation parameter can be g
x, second consultation parameter can be g
y, the secret key deduction parameter can be g
Xy
Perhaps,
When this subscriber equipment and this target BS were supported mobile trusted module, first consultation parameter can be g
xOr xP, second consultation parameter can be g
yOr yP, the secret key deduction parameter can be g
XyOr xyP.
Can have one in first consultation parameter and second consultation parameter at least through digital signature.
The embodiment of the invention is by in switching the eNB process, obtain the Access Layer key by the method that provides first consultation parameter, target BS that second consultation parameter is provided by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and first consultation parameter and/or second consultation parameter carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Embodiment two
The embodiment of the invention provides a kind of method of guaranteeing forward secrecy, the scene that this method is suitable for can be: user equipment (UE) and eNB support ECC (Ellipse Curve Cryptosystems, elliptic curve cryptosystem), as shown in Figure 2, this method specifically can comprise:
201: after receiving the message that will switch eNB as UE, UE sends the signature of the Measurement report (tolerance report) and the first consultation parameter xP to source eNB.
202: source eNB receives the tolerance report of UE transmission and the signature of xP, the intensity of the current state of the UE that carries in reporting according to tolerance and the service signal of each eNB that UE detects, the target eNB of decision switching.
203: source eNB sends handoff request message to target eNB;
In handoff request message, can carry the signature of current RRC (Radio Resource Control, Radio Resource control)/UP (UserPlane, user's face) algorithm and xP.
204: target eNB is after the handoff request message that receives source eNB transmission, can distribute new C-RNTI (Cell Radio Network Temporary Identity for UE, the cellular radio temporary identity), can select the second consultation parameter yP at random according to the employed RRC/UP algorithm selection of source eNB RRC/UP algorithm.
205: target eNB sends switching response message to source eNB.
In switching response message, carry the selected RRC/UP algorithm of target eNB, new C-RNTI and the signature of the second consultation parameter yP.
206: the secret key deduction parameter x yP that target eNB consults the first consultation parameter xP and the second consultation parameter yP to calculate is as K
ENB, K here
ENBThe expression key; According to K
ENBDeduce out the RRC/UP key.
207: source eNB receives the switching response message that target eNB sends, and sends switching command to UE, in switching command, carries the selected RRC/UP algorithm of target eNB, new C-RNTI and the signature of yP.
208:UE consults to calculate secret key deduction parameter x yP according to the first consultation parameter xP and the second consultation parameter yP that receives, and deduces out as K according to xyP and new C-RNTI
ENBAccording to K
ENBDeduce out the RRC/UP key.
209:UE sends to switch to target eNB and confirms.
210: target eNB sends handoff completion message to network side as EPC (Evolved Packet Core, the block core network entity of evolution).
211:EPC sends to switch to target eNB and finishes response.
212: target eNB sends to source eNB and discharges message related to resources.
Described in embodiments of the present invention deduction all can be the calculating that utilizes KDF (Key Derive Function, secret key deduction function) to carry out.
Here it is pointed out that when cryptographic system that UE and eNB supported not simultaneously, employed public key system also is different.For example, when UE and eNB support ECC, employed first consultation parameter is xP, and second consultation parameter is yP, and the secret key deduction parameter is xyP; When UE and eNB support discrete logarithm cryptographic system, employed first consultation parameter is g
x, second consultation parameter is g
y, the secret key deduction parameter is g
XyWhen UE and eNB support MTM (Mobile Trusted Module, mobile trusted module), employed first consultation parameter is g
xOr xP, second consultation parameter is g
yOr yP, the secret key deduction parameter is g
XyOr xyP, g
xOr the signature form of xP is shown SIG
AIK(g
x/ xP), wherein, SIG represents signature, AIK represents key.The signature of consultation parameter can be deciphered by UE and target eNB, and source eNB is infeasible on calculating, so can't decipher the signature of consultation parameter.
Here it should be noted that in the present embodiment the first consultation parameter xP and the second consultation parameter yP have carried out digital signature simultaneously.In order to raise the efficiency, reduce time-delay, in the method for present embodiment, also can take the folk prescription digital signature, promptly UE side or eNB side carry out digital signature to consultation parameter.If this moment, source eNB was subjected to man-in-the-middle attack, eNB can send to switch and find internuncial attack (because the key of consulting is inconsistent) when confirming at UE, just stops this time switching if find repeatedly to consult identification.Therefore also can solve the forward security problem of UE in the intra-MME handoff procedure by the folk prescription digital signature.
Here it is emphasized that; though only having provided the scene of Intra-MME switching, the embodiment of the invention carries out the protection of forward secrecy; but when switching owing to inter-MME; source eNB can directly not send message to target eNB; but send to source MME earlier by source eNB; be transmitted to target MME by source MME again, be transmitted to target eNB by target MME at last.That is to say, compare, had more the forwarding of source MME and target MME with flow process given in the present embodiment.So the embodiment of the invention is equally applicable to the scene that Inter-MME switches, idiographic flow no longer describes in detail.
The embodiment of the invention is by in the eNB handoff procedure, by provide the first consultation parameter xP, target BS to provide the method for the second consultation parameter yP to obtain the Access Layer key by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and the first consultation parameter xP and the second consultation parameter yP carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Embodiment three
Referring to Fig. 3, the embodiment of the invention provides a kind of method of guaranteeing forward secrecy, and the scene that this method is suitable for can be: UE and eNB support ECC, and this method specifically can comprise:
301: after receiving the message that will switch eNB as UE, UE sends the signature of the Measurement report and the first consultation parameter xP to source eNB.
302: source eNB receives the tolerance report of UE transmission and the signature of xP, the intensity of the current state of the UE that carries in reporting according to tolerance and the service signal of each eNB that UE detects, the target eNB of decision UE switching;
And source eNB is according to the key K of UE and the current use of source eNB
ENBWith the Cell ID (cell ID) of target cell, utilize KDF to deduce and calculate K
ENB *
303: source eNB sends handoff request message to target eNB;
In handoff request message, carry K
ENB *, the RRC/UP algorithm that uses of source eNB and the signature of xP;
304: target eNB can distribute new C-RNTI, can determine the RRC/UP algorithm of self, select the second consultation parameter yP at random according to the RRC/UP algorithm that source eNB sends after receiving the handoff request message that source eNB sends for UE;
305: send switching response message to source eNB, the K that in switching response message, carries new C-RNTI, the selected RRC/UP algorithm of target eNB, yP and receive
ENB *
306: target eNB is according to new C-RNTI, K
ENB *, and, utilize KDF to deduce the K that makes new advances by the first consultation parameter xP and the second consultation parameter yP secret key deduction parameter x yP through consulting to calculate
ENBAgain according to new K
ENBDeduce out the RRC/UP key;
307: source eNB sends switching command to UE;
Carry the selected RRC/UP algorithm of target eNB in 305, new C-RNTI and the signature of the second consultation parameter yP in the switching command;
308:UE receives switching command, utilizes KDF, according to current key K
ENBDeduce out K with the Cell ID of target cell
ENB *
According to K
ENB *, new C-RNTI and by the first consultation parameter xP and the second consultation parameter yP secret key deduction parameter x yP through consulting to calculate, deduce the K that makes new advances
ENB
According to new K
ENBDeduce out the RRC/UP key;
309:UE sends to switch to target eNB and confirms;
310: target eNB sends handoff completion message to EPC;
311:EPC sends to switch to target eNB and finishes response;
312: target eNB sends to source eNB and discharges message related to resources.
Described in embodiments of the present invention deduction all can be the calculating that utilizes KDF to carry out.
Here it is pointed out that when cryptographic system that UE and eNB supported not simultaneously, employed public key system also can be different.For example, when UE and eNB support ECC, employed first consultation parameter is xP, and second consultation parameter is yP, and the secret key deduction parameter is xyP; When UE and eNB support discrete logarithm cryptographic system, employed first consultation parameter is g
x, second consultation parameter is g
y, the secret key deduction parameter is g
XyWhen UE and eNB support MTM, employed first consultation parameter is g
xOr xP, second consultation parameter is g
yOr yP, the secret key deduction parameter is g
XyOr xyP, g
xOr the signature form of xP is shown SIG
AIK(g
x/ xP), wherein SIG represents signature, AIK represents key.The signature of consultation parameter can be deciphered by UE and target eNB, source eNB is because infeasible on calculating, so can't decipher the signature of consultation parameter.
Here it should be noted that in the present embodiment the first consultation parameter xP and the second consultation parameter yP have carried out digital signature simultaneously.In order to raise the efficiency, reduce time-delay, in the method for present embodiment, also can take the folk prescription digital signature, promptly UE side or eNB side carry out digital signature to consultation parameter.If this moment, source eNB was subjected to man-in-the-middle attack, eNB can send to switch and find internuncial attack (because the key of consulting is inconsistent) when confirming at UE, just stops this time switching if find repeatedly to consult identification.Therefore also can solve the forward security problem of UE in switching the eNB process by the folk prescription digital signature.
In addition; here it is emphasized that; the embodiment of the invention has provided the scene of Intra-MME switching and has carried out the protection of forward secrecy; but when switching owing to inter-MME; source eNB can directly not send message to target eNB; but send to source MME earlier by source eNB, and be transmitted to target MME by source MME again, be transmitted to target eNB by target MME at last.That is to say, compare, had more the forwarding of source MME and target MME with flow process given in the present embodiment.So the embodiment of the invention is equally applicable to the scene that Inter-MME switches, idiographic flow no longer describes in detail.
The embodiment of the invention is by in the eNB handoff procedure, by provide the first consultation parameter xP, target BS to provide the method for the second consultation parameter yP to obtain the Access Layer key by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and the first consultation parameter xP and the second consultation parameter yP carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Embodiment four
Referring to Fig. 4, the embodiment of the invention provides a kind of network equipment, can be the base station, comprising:
Select module 402, be used to select second consultation parameter;
Sending module 403 is used for second consultation parameter is sent to subscriber equipment by source base station, and this second consultation parameter utilizes first consultation parameter and second consultation parameter to deduce out the Access Layer key after can receiving second consultation parameter for subscriber equipment;
Access Layer key acquisition module 404 is used for obtaining the Access Layer key according to first consultation parameter and second consultation parameter, and this Access Layer key is used for communicating with subscriber equipment.
Wherein, inserting side key acquisition module 404 comprises:
Deduce the unit, be used for deducing out the secret key deduction parameter according to first consultation parameter and second consultation parameter;
Acquiring unit is used for according to this Access Layer key of secret key deduction parameter acquiring of deducing the unit.
Further, this network equipment also comprises:
Wherein, can at least one process digital signature in first consultation parameter and second consultation parameter.
The types of network equipment of the embodiment of the invention can comprise various base stations, as LTE base station, Home eNodeB, femto cell Pico, UMTS AP, and WiMAX Femto base station, WiMAX macro base station etc., perhaps base station controller, and other access devices.
The embodiment of the invention is by in switching the eNB process, obtain the Access Layer key by the method that provides first consultation parameter, target BS that second consultation parameter is provided by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and first consultation parameter and/or second consultation parameter carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Embodiment five
Referring to Fig. 5, the embodiment of the invention provides a kind of subscriber equipment, can comprise:
First sending module 502 is used to send first consultation parameter;
Further, this subscriber equipment also comprises:
Wherein, at least one process digital signature in first consultation parameter and second consultation parameter.
The subscriber equipment of the embodiment of the invention can comprise various types of terminals, as mobile phone, notebook computer, and perhaps other forwarding units etc.
The embodiment of the invention is by in switching the eNB process, obtain the Access Layer key by the method that provides first consultation parameter, target BS that second consultation parameter is provided by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and first consultation parameter and/or second consultation parameter carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Embodiment six
Referring to Fig. 6, the embodiment of the invention provides a kind of communication system, can comprise: target BS 601, source base station 602 and subscriber equipment 603;
Subscriber equipment 603 is used for switching to target BS 601 from source base station 602;
Target BS 601 is used for carrying out the negotiation of key by source base station 602 and subscriber equipment 603, and the negotiations process of key comprises: target BS 601 receives first consultation parameter that subscriber equipment 603 sends by source base station 602; Select second consultation parameter; Second consultation parameter is sent to subscriber equipment 603 by source base station 602; Obtain the Access Layer key according to first consultation parameter and second consultation parameter, this Access Layer key is used for when subscriber equipment 603 switches target BS 601 and communicates with subscriber equipment 603.
Wherein, can at least one process digital signature in first consultation parameter and second consultation parameter.
The embodiment of the invention is by in switching the eNB process, obtain the Access Layer key by the method that provides first consultation parameter, target BS that second consultation parameter is provided by subscriber equipment, subscriber equipment and target BS use this Access Layer cipher key communication, and first consultation parameter and/or second consultation parameter carried out digital signature, efficiently solve the forward direction unsafe problems that subscriber equipment exists in switching the eNB process, simplified the flow process of existing scheme simultaneously.
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by hardware, also can realize by the mode that software adds necessary general hardware platform.Based on such understanding, technical scheme of the present invention can embody with the form of software product, it (can be CD-ROM that this software product can be stored in a non-volatile memory medium, USB flash disk, portable hard drive etc.) in, comprise some instructions with so that computer equipment (can be personal computer, server, the perhaps network equipment etc.) carry out the described method of each embodiment of the present invention.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (13)
1. a method of guaranteeing forward secrecy is characterized in that, comprising:
Receive first consultation parameter that subscriber equipment sends by source base station;
Select second consultation parameter;
Described second consultation parameter is sent to described subscriber equipment by described source base station;
Obtain the Access Layer key according to described first consultation parameter and described second consultation parameter, described Access Layer key is used for communicating with described subscriber equipment.
2. the method for guaranteeing forward secrecy as claimed in claim 1 is characterized in that, describedly obtains the Access Layer key according to described first consultation parameter and described second consultation parameter and comprises:
Deduce out the secret key deduction parameter according to described first consultation parameter and second consultation parameter;
According to the described Access Layer key of described secret key deduction parameter acquiring.
3. the method for guaranteeing forward secrecy as claimed in claim 2, it is characterized in that when described subscriber equipment and described target BS support elliptic curve cryptosystem, described first consultation parameter is xP, described second consultation parameter is yP, and described secret key deduction parameter is xyP;
Perhaps,
When described subscriber equipment and described target BS support discrete logarithm cryptographic system, described first consultation parameter is g
x, described second consultation parameter is g
y, described secret key deduction parameter is g
Xy
Perhaps,
When described subscriber equipment and described target BS were supported mobile trusted module, described first consultation parameter was g
xOr xP, described second consultation parameter is g
yOr yP, described secret key deduction parameter is g
XyOr xyP.
4. the described method of guaranteeing forward secrecy of arbitrary as described above claim is characterized in that, at least one is through digital signature in described first consultation parameter and described second consultation parameter.
5. a network equipment is characterized in that, comprising:
First receiver module is used to receive first consultation parameter that subscriber equipment sends by source base station;
Select module, be used to select second consultation parameter;
Sending module is used for described second consultation parameter is sent to described subscriber equipment by described source base station;
Access Layer key acquisition module is used for obtaining the Access Layer key according to described first consultation parameter and described second consultation parameter, and described Access Layer key is used for communicating with described subscriber equipment.
6. the network equipment as claimed in claim 5 is characterized in that, described access side key acquisition module comprises:
Deduce the unit, be used for deducing out the secret key deduction parameter according to described first consultation parameter and described second consultation parameter;
Acquiring unit is used for according to the described Access Layer key of the secret key deduction parameter acquiring of described deduction unit.
7. the network equipment as claimed in claim 5 is characterized in that, the described network equipment also comprises:
Second receiver module is used to receive the switch acknowledgment message from described subscriber equipment, and described switch acknowledgment message is to send after described subscriber equipment obtains described Access Layer key.
8. the described network equipment of arbitrary as described above claim is characterized in that, at least one is through digital signature in described first consultation parameter and described second consultation parameter.
9. a subscriber equipment is characterized in that, comprising:
Generation module is used to generate first consultation parameter;
First sending module is used to send described first consultation parameter;
Receiver module is used for second consultation parameter that the receiving target base station sends by source base station;
Acquisition module is used for obtaining the Access Layer key according to described first consultation parameter and described second consultation parameter, and described Access Layer key is used for communicating with described target BS.
10. subscriber equipment as claimed in claim 9 is characterized in that, described subscriber equipment also comprises:
Second sending module is used for after described acquisition module gets access to described Access Layer key, sends switch acknowledgment message to described target BS.
11., it is characterized in that at least one is through digital signature in described first consultation parameter and described second consultation parameter as claim 9 or 10 described subscriber equipmenies.
12. a communication system is characterized in that, comprises target BS, source base station and subscriber equipment;
Described subscriber equipment is used for switching to described target BS from described source base station;
Described target BS is used to receive first consultation parameter that subscriber equipment sends by source base station; Select second consultation parameter; Described second consultation parameter is sent to described subscriber equipment by described source base station; Obtain described Access Layer key according to described first consultation parameter and described second consultation parameter, described Access Layer key is used for communicating with described subscriber equipment.
13. communication system as claimed in claim 12 is characterized in that, at least one is through digital signature in described first consultation parameter and described second consultation parameter.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101760463A CN101741551B (en) | 2008-11-07 | 2008-11-07 | Method, network equipment, user equipment and communication system for ensuring forward security |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101760463A CN101741551B (en) | 2008-11-07 | 2008-11-07 | Method, network equipment, user equipment and communication system for ensuring forward security |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101741551A true CN101741551A (en) | 2010-06-16 |
| CN101741551B CN101741551B (en) | 2012-02-22 |
Family
ID=42464492
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008101760463A Active CN101741551B (en) | 2008-11-07 | 2008-11-07 | Method, network equipment, user equipment and communication system for ensuring forward security |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101741551B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015062239A1 (en) * | 2013-11-04 | 2015-05-07 | 华为技术有限公司 | Method and device for key negotiation processing |
| CN108307392A (en) * | 2016-08-12 | 2018-07-20 | 苹果公司 | Secure connection discharges and network redirection |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101167380A (en) * | 2005-04-26 | 2008-04-23 | 摩托罗拉公司 | Method and apparatus for generating session keys |
| CN1997213B (en) * | 2006-01-05 | 2010-11-24 | 华为技术有限公司 | Method for security information acquisition of the switched target base station in the wireless communication system |
| CN101022647B (en) * | 2006-02-15 | 2010-09-08 | 华为技术有限公司 | Realizing method and device for determining safe consultation parameter in switching process |
| CN101212798B (en) * | 2006-12-26 | 2011-07-20 | 中兴通讯股份有限公司 | Pre-authentication process that supports quick switching |
-
2008
- 2008-11-07 CN CN2008101760463A patent/CN101741551B/en active Active
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015062239A1 (en) * | 2013-11-04 | 2015-05-07 | 华为技术有限公司 | Method and device for key negotiation processing |
| CN104618103A (en) * | 2013-11-04 | 2015-05-13 | 华为技术有限公司 | Key agreement processing method and device |
| CN104618103B (en) * | 2013-11-04 | 2018-05-29 | 华为技术有限公司 | Cipher key agreement processes method and apparatus |
| US10320917B2 (en) | 2013-11-04 | 2019-06-11 | Huawei Technologies Co., Ltd. | Key negotiation processing method and apparatus |
| CN108307392A (en) * | 2016-08-12 | 2018-07-20 | 苹果公司 | Secure connection discharges and network redirection |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101741551B (en) | 2012-02-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9667413B2 (en) | Encryption realization method and system | |
| US9049594B2 (en) | Method and device for key generation | |
| CN101232731B (en) | Method and system for UE to generate cryptographic key switching from UTRAN to EUTRAN | |
| CN101600205B (en) | Method and related device for accessing SIM card user equipment to evolution network | |
| CN101516089B (en) | Switching method and system | |
| CN106134231B (en) | Key generation method, equipment and system | |
| CN101610506B (en) | Method and device for preventing network safety from desynchronizing | |
| EP2034658B1 (en) | Method and system for distributing key in wireless network | |
| CN112154624A (en) | User identity privacy protection for pseudo base stations | |
| EP3654684A1 (en) | Key derivation method, device, and system | |
| EP2854329B1 (en) | Method, system, and device for securely establishing wireless local area network | |
| WO2006131826A2 (en) | Exchange of key material | |
| CN101257723A (en) | Method, apparatus and system for generating cipher key | |
| CN101931953A (en) | Method and system for generating safety key bound with device | |
| EP2648437B1 (en) | Method, apparatus and system for key generation | |
| CN101552983A (en) | Key generating method, key generating device, mobile management entity and user equipment | |
| WO2020056433A2 (en) | SECURE COMMUNICATION OF RADIO RESOURCE CONTROL (RRC) REQUEST OVER SIGNAL RADIO BEARER ZERO (SRBo) | |
| WO2019028698A1 (en) | Subscriber identity privacy protection | |
| CN101645877A (en) | Method, system and network node for consulting cipher key derivative function | |
| CN101741551B (en) | Method, network equipment, user equipment and communication system for ensuring forward security | |
| CN102325321B (en) | Secret key obtaining method in evolution wireless communication network and user equipment | |
| CN102318259B (en) | Method and apparatus for traffic count key management and key count management | |
| CN110169103A (en) | A kind of key generation method and relevant device | |
| KR102593167B1 (en) | Operation method of a communication network system | |
| CN102065420B (en) | Method, system and device for determining secret key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |