CN101771990B - Key acquisition method, equipment and system - Google Patents


Info

Publication number: CN101771990B
Authority: CN (China)
Prior art keywords: network, key, period, user terminal, utran
Legal status: Active
Application number: CN200810220776.9A
Other languages: Chinese (zh)
Other versions: CN101771990A
Inventors: 庄小君, 陈璟
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key acquisition method, equipment and a system. The method includes: while a user terminal moves from a first network to a second network, a mobility management entity converts the first network key period into a second network key period, where the first network key period is the key period the user terminal used in the first network and the second network key period is the key period the user terminal will use in the second network. The mobility management entity sends the second network key period to the user terminal so that the user terminal can derive the second network key from it. With the scheme provided by the embodiments of the invention, the key period of the original network is taken into account when the user terminal moves between networks, the continuity of the key period across the move is preserved, and system security is improved.

Description

Key acquisition method, equipment and system
Technical field
The present invention relates to the field of mobile communications, and in particular to a key acquisition method, equipment and system.
Background
With the development of communications technology, a UE (User Equipment, user terminal) may access an operator's core network through any of several access networks, such as GERAN (Global System for Mobile communications/Enhanced Data rates for GSM Evolution Radio Access Network), UTRAN (Universal Mobile Telecommunication System Terrestrial Radio Access Network) and E-UTRAN (evolved UTRAN).
At the same time, a user may move between several access networks. A dual-mode terminal may be registered in UTRAN/GERAN and in E-UTRAN simultaneously. When a UE moves from UTRAN/GERAN to E-UTRAN, the UE and the MME (Mobility Management Entity) in E-UTRAN derive the key Kasme used in the E-UTRAN network from the CK (Ciphering Key) and IK (Integrity Key) used in UTRAN/GERAN, and then derive the NAS (Non-Access Stratum) and AS (Access Stratum) keys from Kasme; these security parameters are usually called a mapped context. After the UE has moved to the target network, it can use the mapped context to protect data. At present a UE can move between UTRAN/GERAN and E-UTRAN in idle state or in active state; in the following description both cases are referred to collectively as network mobility.
In the course of realizing the present invention, the inventors found at least the following problem in the prior art: during such network mobility, the UE/MME derives the key of the target network from the key of the source network alone, which does not help keep the key fresh after the move and is therefore unfavourable to guaranteeing system security after network mobility.
Summary of the invention
The embodiments of the invention provide a key acquisition method, equipment and system that take the key period of the source network into account when a user terminal moves between networks, preserve the continuity of the key period across network mobility, and improve system security.
In one aspect, the embodiments of the invention provide a key acquisition method comprising: while a user terminal moves from a first network to a second network, a mobility management entity converts the first network key period into a second network key period, where the first network key period is the key period the user terminal used in the first network and the second network key period is the key period the user terminal will use in the second network; the mobility management entity sends the second network key period to the user terminal so that the user terminal derives the second network key from it.
The embodiments of the invention also provide a management entity device comprising: a converting unit, which, while a user terminal moves from a first network to a second network, converts the first network key period into a second network key period, where the first network key period is the key period the user terminal used in the first network and the second network key period is the key period the user terminal will use in the second network; and a transmitting unit, which sends the second network key period to the user terminal so that the user terminal derives the second network key from it.
In another aspect, the embodiments of the invention provide a network system comprising a mobility management entity device able to communicate with a user terminal; while the user terminal moves between this network system and another network system, the mobility management entity device obtains the pre-move network key period and converts it into the post-move network key period, so that after the move the user terminal protects the data it transmits according to the post-move network key period.
With the technical scheme provided by the embodiments of the invention, when a user terminal moves between two different network systems the key period is taken into account in the key derivation: the pre-move network key period is converted into the post-move network key period and used as one of the derivation parameters. This helps keep the key fresh and the key period continuous after network mobility, and so helps improve system security after the move.
Description of drawings
To describe the embodiments of the invention or the prior art more clearly, the drawings needed for the description are briefly introduced below. The drawings show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of one embodiment of the key acquisition method of the invention;
Fig. 2 is a flow diagram of another embodiment of the key acquisition method of the invention;
Fig. 3 is a flow diagram of another embodiment of the key acquisition method of the invention;
Fig. 4 is a flow diagram of a UE in idle state moving from UTRAN/GERAN to E-UTRAN in an embodiment of the invention;
Fig. 5 is a flow diagram of a UE in idle state moving from E-UTRAN to UTRAN/GERAN in an embodiment of the invention;
Fig. 6 is a flow diagram of a UE in active state handing over from UTRAN/GERAN to E-UTRAN in an embodiment of the invention;
Fig. 7 is a flow diagram of a UE in active state handing over from E-UTRAN to UTRAN/GERAN in an embodiment of the invention;
Fig. 8 is a schematic diagram of the composition of a network system in an embodiment of the invention;
Fig. 9 is a schematic diagram of the composition of a management entity device in an embodiment of the invention;
Fig. 10 is a schematic diagram of the composition of one embodiment of the converting unit of Fig. 9;
Fig. 11 is a schematic diagram of the composition of another management entity device in an embodiment of the invention;
Fig. 12 is a schematic diagram of the composition of another embodiment of the converting unit of Fig. 9.
Embodiment
The technical scheme of the embodiments of the invention is described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the invention.
As noted above, in the prior art the MME generally obtains only the pre-mobility key when a user terminal performs network mobility, and derives the post-mobility key from it. The parameters used for key derivation during network mobility are therefore not the same as those used without mobility, and the continuity of the key period is not considered, which is unfavourable to guaranteeing system security. In the scheme provided by the embodiments of the invention, when a user terminal moves between different networks, the key period is introduced into the key derivation, and the key period of the source network is converted into the key period of the target network so that its continuity is preserved. For a network that has no key period, no such conversion is performed; the key period is used only as an input to the key derivation. In this way, after the user terminal has moved, the key period of the derived key reaches its maximum as early as possible, so the derived key is replaced by a new key in the target network as soon as possible, and the effect that security problems in the source network can have on the target network is reduced.
The specific embodiments follow. Fig. 1 is a flow diagram of one embodiment of the key acquisition method, comprising:
101. While a user terminal moves from a first network to a second network, the mobility management entity converts the first network key period into a second network key period, where the first network key period is the key period the user terminal used in the first network and the second network key period is the key period the user terminal will use in the second network;
102. The mobility management entity sends the second network key period to the user terminal so that the user terminal derives the second network key from it. The user terminal can then protect the data it transmits in the second network with the second network key.
Depending on the source and target networks, the flow above falls into two cases. Fig. 2 shows the case where the source network (the first network) is UTRAN or GERAN and the target network (the second network) is E-UTRAN, comprising:
201. The mobility management entity receives a network mobility request sent by the user terminal or by a network device of the first network; the request carries the first network key period. The source of the network mobility request depends on the user state: in idle state the request can be a Tracking Area Update (TAU) message sent by the user terminal; in active state it can be a relocation request sent by a network device in UTRAN or GERAN.
202. The mobility management entity converts the first network key period into the second network key period.
Specifically, the key period expressed in the format of the first network is converted into the key period expressed in the format of the second network; for example, the START value of UTRAN or GERAN is converted into a NAS downlink COUNT value. Because the START value is generally 20 bits long and the NAS downlink COUNT value is generally 32 bits long, the two formats differ, so a number expressed in START format must be converted into a number expressed in NAS downlink COUNT format.
If the user terminal was once attached to UTRAN and later attaches to GERAN, the START value from the UTRAN network is not deleted; therefore, when the terminal later moves from GERAN to E-UTRAN, the START value originally used in UTRAN is reported to the MME and converted in the same way as above.
However, if the network the user terminal initially attached to is GERAN and it moves from GERAN to E-UTRAN, GERAN has no parameter for computing the key lifetime, that is, nothing comparable to the START value, so in this case the NAS downlink COUNT value can be set directly to a default maximum.
203. The mobility management entity sends the second network key period to the user terminal performing the network mobility, so that the user terminal derives the second network key from it and protects the data it transmits in the second network with that key.
204. The mobility management entity derives the second network key from the second network key period and protects the data transmitted in the second network with it.
Steps 203 and 204 have no fixed order; which comes first depends on the actual data transfer.
Fig. 3 shows the case where the source network (the first network) is E-UTRAN and the target network (the second network) is UTRAN, comprising:
301. When the mobile terminal moves from the first network to the second network, the mobility management entity obtains the locally stored first network key period. As in the previous embodiment, depending on the user state the network mobility request can be a Routing Area Update (RAU) message or a handover request message.
302. The mobility management entity converts the first network key period into the second network key period; for example, the NAS downlink COUNT value is converted into a START value. Because the START value is generally 20 bits long and the NAS downlink COUNT value is generally 32 bits long, the two formats differ, so a number expressed in NAS downlink COUNT format must be converted into a number expressed in START format.
303. The mobility management entity sends the second network key period to the user terminal performing the network mobility, so that the user terminal derives the second network key from it and protects the data it transmits in the second network with that key. The specific transmission flow differs with the user state and is not detailed here; see the other embodiments of this application.
This example does not cover movement from E-UTRAN to GERAN, because GERAN has no parameter for computing the key lifetime (such as a START value), so the MME in the E-UTRAN network does not need to convert and transmit a key period.
The technical scheme of the embodiments is described in further detail below, taking specific networks and scenarios as examples.
Fig. 4, corresponding to the embodiment of Fig. 2, shows a UE in idle state moving from the first network, UTRAN/GERAN, to the second network, E-UTRAN. The flow comprises:
401. The UE sends a TAU message to the MME via an eNB (evolved Node B); the TAU message carries the START value stored by the UE. Alternatively, the UE can send the START value to the MME via the eNB in a separate message. The following description takes the former case as the example.
402. After the MME receives the TAU message from the UE, it obtains from the information in the TAU message the SGSN (Serving GPRS Support Node) to which the UE is attached in UTRAN/GERAN and sends a context request message to that SGSN.
The MME may store the START value from the TAU message locally.
403. After the SGSN receives the context request message from the MME, it generates a context response and returns it to the MME. The response may carry the key parameters the UE uses in UTRAN/GERAN, such as the UTRAN/GERAN keys CK and IK.
404. After the MME receives the context response from the SGSN, it first converts the START value into a NAS downlink COUNT value and then derives Kasme, the key used in E-UTRAN, as Kasme = KDF(CK, IK, NAS downlink COUNT).
Here, because the START value is generally 20 bits long and the NAS downlink COUNT value is generally 32 bits long, the two formats differ; converting the START value into a NAS downlink COUNT value means converting a number expressed in START format into a number expressed in NAS downlink COUNT format.
Note that the input parameters for deriving Kasme are not limited to those listed in the brackets on the right-hand side of the formula above.
405. The MME selects the NAS algorithms, that is, the algorithms used to encrypt and integrity-protect NAS messages. The NAS algorithms must be carried in the NAS SMC (Security Mode Command) to tell the UE which algorithms to use to protect NAS messages.
406. The MME sends a NAS SMC message to the UE; the message may carry the identifiers of the encryption and integrity algorithms selected by the MME and the NAS downlink COUNT value.
407. After the UE receives the NAS SMC message, it derives Kasme from the locally stored CK and IK and the received NAS downlink COUNT, using the same derivation method and parameters as the MME, and then computes the encryption key and integrity key according to the NAS algorithms selected by the MME.
After the above steps, the UE sends a NAS Security Mode Complete message to the MME; on receiving it, the MME sends a TAU Accept message to the UE; the UE sends a TAU Complete message to the MME, and the Tracking Area Update (TAU) procedure ends.
Note that in the above steps, because the Universal Subscriber Identity Module (USIM) card stores the START value in UTRAN, the START value in the USIM card is not deleted even when the UE moves from UTRAN to GERAN. Therefore, when the UE moves from GERAN to E-UTRAN, GERAN passes CK/IK, the START value and other parameters from the BSS to the MME.
There is also the case where the UE initially attached to GERAN and then moves to E-UTRAN; GERAN has no parameter for computing the key lifetime comparable to the START value, so the context response the MME receives from the SGSN in step 404 may contain no START value. In that case the MME can set the NAS downlink COUNT value automatically to a default maximum, that is, assign a sufficiently large default value to NAS downlink COUNT, or set the NAS downlink COUNT value with reference to a locally stored value that reflects the number of times the key has been used. For example, the NAS downlink COUNT value can be set with reference to the locally stored NAS COUNT value, which counts the NAS SMC commands sent: each NAS SMC command sent increments NAS COUNT by one.
To prevent replay attacks, the MME can generate a random number in step 404 and send it to the UE in the SMC message of step 406.
Fig. 5, corresponding to the embodiment of Fig. 3, shows a UE in idle state moving from E-UTRAN to UTRAN/GERAN. The flow comprises:
501. The UE sends a RAU (Routing Area Update) message to the SGSN via the RNC (Radio Network Controller)/BSS (Base Station System).
502. After the SGSN receives the RAU message from the UE, it obtains from the information in the RAU message the MME to which the UE is attached in E-UTRAN and sends a context request message to that MME.
503. After the MME receives the context request message from the SGSN, it derives the keys CK and IK to be used in UTRAN/GERAN from the locally stored NAS downlink COUNT value and the locally stored Kasme, that is, CK/IK = KDF(Kasme, NAS downlink COUNT). Alternatively, the MME can derive CK and IK from a START value obtained as described below and the locally stored Kasme, that is, CK/IK = KDF(Kasme, START).
Note that the inputs for deriving CK/IK are not limited to those listed in the formulas above.
When the UE moves from E-UTRAN to UTRAN, the MME also converts the NAS downlink COUNT value into a START value. When the UE moves from E-UTRAN to GERAN, GERAN has no parameter for computing the key lifetime comparable to the START value, so once the MME learns from the SGSN that the UE is accessing GERAN, it need not convert between NAS downlink COUNT and START, and the START value need not be carried in the messages of the subsequent steps.
504. The MME returns a context response to the SGSN carrying the key parameters the UE uses in UTRAN/GERAN and, optionally, the START value: if the UE moves from E-UTRAN to UTRAN, the context response includes the START value; if the UE moves from E-UTRAN to GERAN, it does not. Unless otherwise noted, "optionally the START value" in the rest of this flow is to be read with this interpretation.
505. The SGSN receives the context response; if it contains a START value, the SGSN stores it. The SGSN selects the encryption and integrity protection algorithms permitted by the network, generates a NAS SMC message accordingly and sends it to the RNC/BSS. This message carries the permitted encryption and integrity algorithms and, optionally, the START value.
506. The RNC/BSS selects one encryption algorithm and one integrity algorithm from those permitted by the SGSN and sends a NAS SMC message to the UE; this message carries the identifiers of the encryption and integrity algorithms selected by the RNC/BSS and, optionally, the START value.
The RNC/BSS may also generate a random number and include it in the NAS SMC message to prevent replay attacks.
507. After the UE receives the NAS SMC message, it derives CK and IK from the locally stored Kasme and NAS downlink COUNT using the same algorithm as the MME, that is, CK/IK = KDF(Kasme, NAS downlink COUNT); or, correspondingly, it can use a START value obtained in the manner described and the locally stored Kasme, that is, CK/IK = KDF(Kasme, START). If a START value is received, the UE stores it locally. The UE also stores the identifiers of the encryption and integrity algorithms selected by the RNC/BSS, in order to protect data in UTRAN/GERAN accordingly.
The UE then sends a Security Mode Complete message to the RNC/BSS; the RNC/BSS forwards the Security Mode Complete message to the SGSN; the SGSN sends a RAU Accept message to the UE via the RNC/BSS; the UE sends a RAU Complete message to the SGSN via the RNC/BSS, and the RAU procedure ends.
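The period conversions of steps 202/404 (START to NAS downlink COUNT) and 302/503 (the reverse), the default-maximum rule for a UE that never had a START value, and the Kasme and CK/IK derivations of Figs. 4 and 5, as an added Python example that is not part of the patent. The 20-bit and 32-bit widths and the formulas Kasme = KDF(CK, IK, NAS downlink COUNT) and CK/IK = KDF(Kasme, NAS downlink COUNT | START) come from the text; the bit mapping (START in the 20 most significant bits of COUNT, rounding up on the way back), the HMAC-SHA-256 stand-in for the unspecified KDF, the labels and the sample keys are assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

START_BITS = 20                       # width of the UTRAN/GERAN START value (from the text)
NAS_COUNT_BITS = 32                   # width of the E-UTRAN NAS downlink COUNT (from the text)
START_MAX = (1 << START_BITS) - 1
NAS_COUNT_MAX = (1 << NAS_COUNT_BITS) - 1
SHIFT = NAS_COUNT_BITS - START_BITS   # the 12 low-order COUNT bits START cannot express


def start_to_nas_count(start: Optional[int]) -> int:
    """Steps 202/404: START -> NAS downlink COUNT.

    Assumed mapping: START fills the 20 most significant bits of COUNT, so the
    share of key lifetime already consumed carries over unchanged. With no START
    at all (UE attached first in GERAN) the default maximum is returned, so the
    mapped key reaches end of life and is replaced in E-UTRAN as soon as possible.
    """
    if start is None:
        return NAS_COUNT_MAX
    if not 0 <= start <= START_MAX:
        raise ValueError(f"START must fit in {START_BITS} bits, got {start:#x}")
    return start << SHIFT


def nas_count_to_start(count: int) -> int:
    """Steps 302/503: NAS downlink COUNT -> START.

    The 12 low-order bits cannot be carried; a non-zero remainder rounds up so
    the inherited START never understates the lifetime already consumed.
    """
    if not 0 <= count <= NAS_COUNT_MAX:
        raise ValueError(f"COUNT must fit in {NAS_COUNT_BITS} bits, got {count:#x}")
    start = count >> SHIFT
    if count & ((1 << SHIFT) - 1):
        start += 1
    return min(start, START_MAX)


def _kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in for the KDF the patent leaves unspecified (assumption, not 3GPP's
    exact construction): HMAC-SHA-256 over a label and length-prefixed parameters."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, nas_count: int, nonce: bytes = b"") -> bytes:
    """Kasme = KDF(CK, IK, NAS downlink COUNT[, nonce]) (steps 404/407, 604/610).
    The optional nonce is the MME's anti-replay random number carried in the SMC."""
    return _kdf(ck + ik, b"KASME", nas_count.to_bytes(4, "big"), nonce)


def derive_ck_ik(kasme: bytes, period: int, period_fmt: str) -> Tuple[bytes, bytes]:
    """CK/IK = KDF(Kasme, NAS downlink COUNT) or KDF(Kasme, START) (steps 503/507).
    period_fmt is bound into the derivation so equal numbers in the two formats
    never yield the same CK/IK."""
    if period_fmt not in ("NAS_COUNT", "START"):
        raise ValueError("period_fmt must be NAS_COUNT or START")
    out = _kdf(kasme, b"CKIK-" + period_fmt.encode(), period.to_bytes(4, "big"))
    return out[:16], out[16:]  # 128-bit CK, 128-bit IK


def mme_map_to_eutran(ck: bytes, ik: bytes, start: Optional[int], nonce: bytes = b"") -> dict:
    """MME side of Fig. 4: convert the period, derive Kasme, return the SMC contents."""
    nas_count = start_to_nas_count(start)
    return {"nas_count": nas_count, "nonce": nonce,
            "kasme": derive_kasme(ck, ik, nas_count, nonce)}


def ue_map_to_eutran(ck: bytes, ik: bytes, smc: dict) -> bytes:
    """UE side of Fig. 4 (step 407): same inputs as the MME, hence the same Kasme."""
    return derive_kasme(ck, ik, smc["nas_count"], smc["nonce"])


def mme_map_to_utran_geran(kasme: bytes, nas_count: int, target: str) -> dict:
    """MME side of Fig. 5 (steps 503/504): towards UTRAN the period is converted and a
    START is sent; towards GERAN, which has no key-lifetime parameter, none is."""
    ck, ik = derive_ck_ik(kasme, nas_count, "NAS_COUNT")
    start = nas_count_to_start(nas_count) if target == "UTRAN" else None
    return {"ck": ck, "ik": ik, "start": start}


if __name__ == "__main__":
    # Constructed sample keys; in a real network CK/IK come from the UTRAN/GERAN AKA run.
    CK, IK = bytes(range(16)), bytes(range(16, 32))
    smc = mme_map_to_eutran(CK, IK, start=0x12345, nonce=b"\x42" * 16)
    assert ue_map_to_eutran(CK, IK, smc) == smc["kasme"]
    print(f"START 0x12345 -> NAS downlink COUNT {smc['nas_count']:#010x}")
    print(f"no START (GERAN-only UE) -> COUNT {start_to_nas_count(None):#010x}")
    back = mme_map_to_utran_geran(smc["kasme"], 0x12345001, "UTRAN")
    print(f"COUNT 0x12345001 -> START {back['start']:#07x} (rounded up)")
```

Because a GERAN-only UE is mapped to the maximum COUNT, the mapped Kasme is at the end of its period on arrival, which is the patent's mechanism for forcing an early re-key in the target network.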
Fig. 6, corresponding to the embodiment of Fig. 2, shows a UE in active state handing over from UTRAN/GERAN to E-UTRAN. The flow comprises:
601. The source RNC/BSS decides, based on the measurement report from the UE, that the UE is to be handed over.
602. The source RNC/BSS sends a relocation request to the SGSN.
603. The source SGSN finds the target MME from the information in the received relocation request message and forwards the relocation request message to that MME; the message carries the CK and IK the UE uses in UTRAN/GERAN and the START value.
604. After the target MME receives the relocation request message, it first converts the START value into a NAS downlink COUNT value in the manner described in the previous embodiment, then computes Kasme = KDF(CK, IK, NAS downlink COUNT). Note that the inputs to this derivation are not limited to those listed in the formula.
605. The target MME sends a handover request to the target eNB.
606. The target eNB returns a handover request acknowledgement to the target MME.
607. After the target MME receives the handover request acknowledgement, it sends a relocation response to the source SGSN; the response may carry the NAS downlink COUNT value obtained by the conversion in step 604.
608. After the source SGSN receives the relocation response from the target MME, it sends a relocation response to the source RNC/BSS.
609. After the source RNC/BSS receives the relocation response, it sends a handover command to the UE; the command may carry the NAS downlink COUNT value.
610. After the UE receives the handover command, it derives Kasme from NAS downlink COUNT, CK and IK using the same method as the target MME.
The UE then sends a handover complete message to the target eNB; the eNB notifies the target MME on receiving it, and the target MME sends a handover notify message to the UE via the eNB. This completes the flow.
Note that because the USIM card stores the START value in UTRAN, the START value is not deleted even when the UE hands over to GERAN; so in the case where the UE initially attached to UTRAN and later moves from GERAN to E-UTRAN, GERAN passes CK/IK, the START value and other parameters from the BSS to the MME. There is also the case where the UE initially attached to GERAN and then hands over to E-UTRAN; since GERAN has no parameter for computing the key lifetime comparable to the START value, when there is no START value the MME can set a large value as the NAS downlink COUNT. The MME can set this large value with reference to the locally stored NAS COUNT value, or assign a value it considers large enough to NAS downlink COUNT according to its own policy.
As shown in Figure 7, the described embodiment of corresponding above-mentioned Fig. 3, for the UE under the activated state switches to the concrete schematic flow sheet of UTRAN/GERAN from E-UTRAN, this flow process comprises:
701, the measurement report that reports according to UE of source eNB determines UE is switched on Target RNC/BSS.
702, source eNB sends handover request message to source MME.
703, after source MME receives handover request message, deduce ciphering key K and the IK that uses among the UTRAN/GERAN according to Kasme and NAS downlink COUNT, concrete secret key deduction enters ginseng and is not limited to Kasme and NAS downlink COUNT.
And if target access network is UTRAN, so MME also to adopt with previous embodiment in similarly mode NAS downlink COUNT value is changed into the START value of using in UTRAN, if target access network is GERAN, MME transforms with regard to it goes without doing so, because be not used for the parameter of computation key life cycle among the GERAN, namely be similar to the parameter of START value.For the convenience of describing, in following steps, be example take target access network as UTRAN.
704, source MME sends redirect request to target SGSN.CK and the IK that in this request, can comprise deduction, and NAS downlink COUNT and START.
705, target SGSN receives that the backward Target RNC of re-positioning request/BSS sends re-positioning request.
706, Target RNC/BSS returns the re-positioning request response to target SGSN.
707, after target SGSN is received relocation response, transmit the re-positioning request response to source MME.
708, source MME sends switching command message to source eNB.In this message, can comprise NASdownlink COUNT and START value.
709, source eNB transmits above-mentioned switching command message to UE.
710, after UE receives switching command message, use the algorithm identical with source MME to deduce CK and IK according to the NAS downlink COUNT that receives and local Kasme.Preserve the START value, and use as the START value among the UTRAN, namely inherit the key life cycle in E-UTRAN.
Afterwards, UE returns handoff completion message to Target RNC/BSS; After Target RNC/BSS receives handoff completion message, send reorientation to target SGSN and finish message.
As can be seen from the description of the above embodiment, when a user terminal moves between two different network systems, the key period of the system before the move is converted to obtain the key period of the system after the move. This preserves the continuity of the key period and helps improve the security of the system after the network move. Moreover, because the key period is continued, after the user terminal moves between networks the key period can reach its maximum as early as possible while remaining continuous, so that a new key is used in the network after the move as soon as possible; this reduces the impact that security problems in the network before the move can have on the network after the move.
Accordingly, as shown in Figure 8, the embodiment of the invention also provides a network system, which comprises a mobility management entity device. When a user terminal of the network system moves between this network system and another network system, the mobility management entity device obtains the network key period before the move and converts it into the network key period after the move, so that the user terminal protects the data transmitted after the move according to the network key period after the move. The network system may be an E-UTRAN network system.
Figure 9 is a schematic diagram of the concrete composition of management entity device 1; this management entity device may be the mobility management entity device described above and comprises:
a converting unit 10, configured so that, in the process of a user terminal moving from a first network to a second network, the mobility management entity converts the first network key period into the second network key period, wherein the first network key period is the key period used by the user terminal in the first network and the second network key period is the key period the user terminal will use in the second network;
a transmitting unit 12, configured to send the second network key period to the user terminal so that the user terminal derives the second network key according to the second network key period. The user terminal then protects the data transmitted in the second network according to the second network key.
As shown in Figure 10, when the first network is UTRAN or GERAN and the second network is E-UTRAN, converting unit 10 may comprise: a first acquisition module 100, configured to obtain the network mobility request sent by the user terminal or by a network device of the first network, the network mobility request carrying the first network key period; and a first conversion module 102, configured to convert the first network key period into the second network key period. The first conversion module 102 may also be configured to convert a key period represented in the first network key period format into a key period represented in the second network key period format, where the first network is UTRAN or GERAN.
As shown in Figure 11, the device may also comprise a data protection unit 14, configured to derive the second network key according to the second network key period and to protect the data transmitted in the second network according to the second network key.
As shown in Figure 12, when the second network is UTRAN and the first network is E-UTRAN, converting unit 10 comprises:
a second acquisition module 101, configured to obtain the locally stored first network key period when the mobile terminal moves from the first network to the second network;
a second conversion module 103, configured to convert the first network key period into the second network key period.
In the technical solution provided by the embodiment of the invention, when a user terminal moves between two different network systems, the key period of the system before the move is converted to obtain the key period of the system after the move, which preserves the continuity of the key period and helps improve the security of the system after the network move.
From the above description of the embodiments, those skilled in the art can clearly understand that each implementation may be realized by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored on a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, containing instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to carry out the method of each embodiment or of some part of an embodiment.
The above implementations do not limit the protection scope of this technical solution. Any modifications, equivalent replacements, improvements and the like made within the spirit and principle of the above implementations shall fall within the protection scope of this technical solution.

Claims (12)

1. A key acquisition method, characterized in that the method comprises:
in the process of a user terminal moving from a first network to a second network, a mobility management entity converting a first network key period into a second network key period, wherein the first network key period is the key period used by the user terminal in the first network and the second network key period is the key period the user terminal will use in the second network;
the mobility management entity sending the second network key period to the user terminal, so that the user terminal derives a second network key according to the second network key period.
2. The method of claim 1, characterized in that the first network is a Universal Mobile Telecommunications System Terrestrial Radio Access Network (UTRAN) or a Global System for Mobile Communications/Enhanced Data Rates for GSM Evolution Radio Access Network (GERAN), the second network is an Evolved Universal Mobile Telecommunications System Terrestrial Radio Access Network (E-UTRAN), and the mobility management entity converting the first network key period into the second network key period comprises:
obtaining a network mobility request sent by the user terminal or by a network device of the first network, the network mobility request carrying the first network key period;
converting the first network key period into the second network key period.
3. The method of claim 2, characterized in that the first network is UTRAN or GERAN, and converting the first network key period into the second network key period comprises:
converting a key period represented in the first network key period format into a key period represented in the second network key period format.
4. The method of claim 1, characterized in that the second network is UTRAN, the first network is E-UTRAN, and the mobility management entity converting the first network key period into the second network key period comprises:
the mobility management entity obtaining a locally stored first network key period;
the mobility management entity converting the first network key period into the second network key period.
5. The method of claim 4, characterized in that the mobility management entity converting the first network key period into the second network key period comprises:
the mobility management entity converting a key period represented in the first network key period format into a key period represented in the second network key period format.
6. A mobility management entity device, characterized in that the device comprises:
a converting unit, configured so that, in the process of a user terminal moving from a first network to a second network, the mobility management entity converts a first network key period into a second network key period, wherein the first network key period is the key period used by the user terminal in the first network and the second network key period is the key period the user terminal will use in the second network;
a transmitting unit, configured to send the second network key period to the user terminal, so that the user terminal derives a second network key according to the second network key period.
7. The device of claim 6, characterized in that the first network is UTRAN or GERAN, the second network is E-UTRAN, and the converting unit comprises:
a first acquisition module, configured to obtain a network mobility request sent by the user terminal or by a network device of the first network, the network mobility request carrying the first network key period;
a first conversion module, configured to convert the first network key period into the second network key period.
8. The device of claim 7, characterized in that the first conversion module is further configured to convert a key period represented in the first network key period format into a key period represented in the second network key period format, wherein the first network is UTRAN or GERAN.
9. The device of claim 6, characterized in that the second network is UTRAN, the first network is E-UTRAN, and the converting unit comprises:
a second acquisition module, configured to obtain a locally stored first network key period when the mobile terminal moves from the first network to the second network;
a second conversion module, configured to convert the first network key period into the second network key period.
10. The device of any one of claims 6 to 9, characterized in that the device is a mobility management entity device in E-UTRAN.
11. A network system, the system comprising a mobility management entity device capable of communicating with a user terminal, characterized in that:
in the process of the user terminal moving between the network system and another network system, the mobility management entity device obtains the network key period before the move and converts it into the network key period after the move, so that the user terminal protects the data transmitted after the move according to the network key period after the move.
12. The network system of claim 11, characterized in that the network system is an E-UTRAN network system.
CN200810220776.9A 2008-12-31 2008-12-31 Key acquisition method, equipment and system Active CN101771990B (en)

Publications (2)

Publication Number Publication Date
CN101771990A CN101771990A (en) 2010-07-07
CN101771990B true CN101771990B (en) 2013-03-20

Family ID: 42504515


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant