CN101926151B - Method and communication network system for establishing security conjunction - Google Patents


Info

Publication number: CN101926151B
Authority: CN (China)
Prior art keywords: relay station, base station, terminal, key, message
Legal status: Expired - Fee Related
Application number: CN200980102466.XA
Other languages: Chinese (zh)
Other versions: CN101926151A
Inventors: 徐小英, 陈璟
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority application: CN200980102466.XA

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network security protocols for supporting key management in a packet data network
    • H04L 63/061 Key management for key exchange, e.g. in peer-to-peer networks
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at the data link layer
    • H04L 63/02 Network security protocols for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies

Abstract

A method for establishing a security association is provided, comprising: receiving an access request message sent by a terminal and forwarded by a relay station (201); obtaining a shared root key after authenticating the terminal according to the access request message (202); selecting a security algorithm supported by both the terminal and the network side (203); deriving a base station key from the shared root key (204); and sending a security mode command, which carries the security algorithm, to the terminal through the relay station (205). A communications network system is also provided. The solution solves the problem of establishing a security association between the terminal and the network after a relay station is introduced into the LTE system; the LTE security mechanism is inherited, and the security and usability of the system are ensured without increasing its complexity.

Description

Method and communications network system for establishing a security association
This application claims priority to Chinese patent application No. 200810065263.5, filed with the Patent Office of the People's Republic of China on January 30, 2008 and entitled "Method and communications network system for establishing a security association", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of wireless communications, and in particular to a method and a communications network system for establishing a security association.
Background technology
To improve the link budget and the coverage of a cellular system, a user terminal can be served through a relay station. Introducing relay stations adds new air-interface functions and further strengthens the distributed-processing character of the system. Deploying relay stations improves wireless access performance, covers shadow areas, extends the coverage radius of a base station and raises the data rate in specific regions.
In the further evolution of the Long Term Evolution (LTE) system, the radio access technology itself is strengthened in many respects, and wireless relay stations are one important direction. Once relay stations are introduced into the LTE system, the process of establishing a security association between a terminal and the network inevitably involves the relay station. Security protection in the LTE system is divided into an access network part and a core network part; the complexity and the security of an LTE system with relay stations therefore need to be ensured while the good performance of the relay system is exploited, so as to realize a good mobile communication system.
As shown in Figure 1, the Institute of Electrical and Electronics Engineers (IEEE) 16j standard establishes a security association between a terminal and the network side through a relay as follows:
The terminal synchronizes and registers with the network side through the relay station and, by the public key management protocol, obtains a Master Session Key (MSK) with the authentication server;
The authentication server sends the MSK to the base station, and the base station derives an Authentication Key (AK) from the MSK;
The base station sends the AK to the terminal through the relay station;
The terminal and the relay station synchronize the AK through a three-way handshake and derive from the AK the Key Encryption Key (KEK) used to obtain the Traffic Encryption Key (TEK); the TEK is generated by the base station;
The TEK is obtained through a TEK request procedure between the terminal and the relay station.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem: the LTE system has more keys than the IEEE 16j system and a more complicated key generation process. After a relay station is introduced into the LTE system there is therefore no suitable method for establishing a security association between the terminal and the network, and the security procedure of the prior art cannot be applied to establish it.
Summary of the invention
Embodiments of the invention provide a method for establishing a security association between a terminal and the network side, so that a security association between the terminal and the network can be established in an LTE evolution system after a relay station is introduced.
An embodiment of the invention provides a method for establishing a security association between a terminal and the network side, comprising: receiving an access request message sent by the terminal and forwarded by a relay station; obtaining a shared root key after authenticating the terminal according to the access request message; selecting a security algorithm that is supported by both the terminal and the network side; deriving a base station key from the shared root key; and sending a security mode command to the terminal through the relay station, the security mode command carrying the security algorithm.
An embodiment of the invention also discloses a communications network system, comprising: a first receiving unit, for receiving an access request message sent by the terminal and forwarded by the relay station; a key acquiring unit, for obtaining a shared root key after authenticating the terminal according to the access request message received by the first receiving unit; a selecting unit, for selecting a security algorithm supported by both the terminal and the network side; a deriving unit, for deriving a base station key from the shared root key obtained by the key acquiring unit; and a first sending unit, for sending a security mode command to the terminal through the relay station, the security mode command carrying the security algorithm selected by the selecting unit.
Compared with the prior art, the embodiments of the invention have the following advantages:
After receiving the terminal's access request forwarded by the relay station, the network side selects the security algorithm used to establish the security association and sends a security mode command carrying the selected algorithm to the terminal through the relay station; once the terminal has the security algorithm, it establishes the security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The solution inherits the LTE security mechanism: without substantially changing the existing security mechanism or increasing system complexity, it ensures the security of a mobile communication system that includes relay stations.
Description of drawings
Figure 1 is a schematic diagram of the prior-art method by which a terminal and the network side establish a security association in the IEEE 16j standard;
Figure 2 is a schematic diagram of the method by which a terminal and the network side establish a security association in the first embodiment of the invention;
Figure 3 is a schematic diagram of the method by which a terminal and the network side establish a security association in the second embodiment of the invention;
Figure 4 is a schematic diagram of the method by which a terminal and the network side establish a security association in the third embodiment of the invention;
Figure 5 is a schematic diagram of the method by which a terminal and the network side establish a security association in the fourth embodiment of the invention;
Figure 6 is a schematic diagram of the method by which a terminal and the network side establish a security association in the fifth embodiment of the invention;
Fig. 7 is a schematic structural diagram of a communications network system in the sixth embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art without creative effort on the basis of these embodiments fall within the protection scope of the invention.
To make the technical solution and the objects of the invention clearer, they are further described below with reference to specific embodiments and the drawings.
With reference to Fig. 2, the first embodiment of the invention concerns a method for establishing a security association between a terminal and the network side; the method applies primarily to the LTE system and its evolved systems. It comprises:
Step 201: receive an access request message sent by the terminal and forwarded by the relay station.
Step 202: obtain a shared root key after authenticating the terminal according to the access request message.
Step 203: select a security algorithm that is supported by both the terminal and the network side.
Step 204: derive a base station key from the shared root key.
Step 205: send a security mode command to the terminal through the relay station, the security mode command carrying the security algorithm.
With the method of this embodiment, the network side, after receiving the terminal's access request forwarded by the relay station, selects the security algorithm used to establish the security association and sends a security mode command carrying the selected algorithm to the terminal through the relay station; once the terminal has the security algorithm, it can establish the security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The solution inherits the LTE security mechanism: without substantially changing the existing security mechanism or increasing system complexity, it ensures the security of a mobile communication system that includes relay stations.
With reference to Fig. 3, the second embodiment of the invention concerns a method for establishing a security association between a terminal and the network side. In this embodiment the terminal accesses the network for the first time (detached to active); the detailed procedure comprises:
Step 301: the terminal sends an access request message to the relay station; the message carries the terminal capability and the terminal identity.
The terminal capability can include the algorithms the terminal supports. The terminal identity can be a Temporary Mobile Subscriber Identity (TMSI), an International Mobile Subscriber Identity (IMSI) or another identifier that represents the identity of the terminal.
Step 302: the relay station forwards the access request message sent by the terminal to the base station.
Step 303: on receiving the access request message from the relay station, the base station forwards it to the mobility management entity; when forwarding, the base station can also inform the mobility management entity of its own base station capability, which can include the algorithms the base station supports.
Step 304: the mobility management entity sends the identity carried in the received access request message to the home subscriber server.
Step 305: the home subscriber server generates an authentication vector from the terminal identity. The authentication vector is used for mutual authentication between the terminal and the network side and comprises a random parameter RAND, an expected response XRES (EXpected user RESponse), an authentication token AUTN (AUTN = SQN || AMF || MAC) and a shared root key Kasme (Key Access System Management Entity).
Step 306: after generating the authentication vector, the home subscriber server sends it to the mobility management entity.
Step 307: the mobility management entity sends the random parameter RAND and the authentication token AUTN to the base station.
Step 308: the base station sends the received RAND and AUTN to the relay station.
Step 309: the relay station sends the received RAND and AUTN to the terminal.
Step 310: the terminal verifies AUTN: it computes the expected integrity check code XMAC = f(SQN || RAND || AMF); if XMAC equals the integrity check code MAC in AUTN and the sequence number SQN is within the valid range, the terminal considers the network authenticated. If verification succeeds, the terminal computes the response RES from RAND.
Step 311: the terminal sends a response message carrying RES to the relay station.
Step 312: the relay station forwards the response message sent by the terminal to the base station.
Step 313: the base station forwards the received response message to the mobility management entity.
Step 314: the mobility management entity checks whether RES is identical to XRES in the authentication vector; if so, the terminal is authenticated, and the terminal and the mobility management entity both hold the shared root key Kasme.
Step 315: the mobility management entity selects a security algorithm according to the terminal capability and the base station capability; the selected algorithm is supported by both the terminal and the network side and comprises access stratum security algorithms, which can include a Radio Resource Control (RRC) algorithm and a User Plane (UP) algorithm. The base station key can be derived from the security algorithm selected by the mobility management entity and the shared root key Kasme.
The security algorithm can further comprise a Non-Access Stratum (NAS) algorithm.
Step 316: the mobility management entity sends the security algorithm and the base station key.
The security algorithm and the base station key can be carried in a message sent by the mobility management entity to the base station.
Step 317: the base station sends the security algorithm and an integrity check code to the relay station.
The security algorithm and the integrity check code can be carried in a security mode command.
The base station can use the base station key to protect the content it sends, generating the integrity check code, and sends that code to the relay station together with the security algorithm.
Step 318: the relay station forwards the received security algorithm and integrity check code to the terminal.
Step 319: after receiving the security algorithm and the integrity check code, the terminal performs integrity verification of the message forwarded by the relay station; if verification succeeds, it sends a verification confirmation message to the relay station.
Step 320: the relay station forwards the received verification confirmation message to the base station.
Step 321: the base station forwards the received verification confirmation message to the mobility management entity.
Step 322: when the mobility management entity receives the verification confirmation message, security algorithm negotiation and key agreement between the terminal and the base station are complete and the security association is established.
Optionally, in step 302 the relay station can send its own relay capability to the mobility management entity along with the access request message; in step 315 the mobility management entity can then select the security algorithm according to the terminal capability, the relay capability and the base station capability.
In the procedure of steps 301 to 322 the relay station does not hold the security association between the terminal and the base station, nor any information about the terminal; it only forwards messages between the terminal and the network side transparently. The embodiment can further include the following steps so that the relay station obtains the security association between the terminal and the base station and a security association between the terminal and the relay station can be established, making communication between the terminal and the relay station more secure.
Step 323: the base station sends to the relay station the security association keys established between the terminal and the base station (such as the RRC key and the UP key) and the security algorithms (such as the RRC algorithm and the UP algorithm); the security association keys are generated by the base station. Messages between the relay station and the base station can be protected by the security association between the relay station and the base station, which already exists: it was established when the relay station accessed the network, in order to protect the information sent between the base station and the relay station.
Step 324: after receiving the keys and algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station and returns an acknowledgement message to the base station.
In this embodiment, if the relay station can generate a Cell Radio Network Temporary Identifier (C-RNTI), then in step 323 the base station can send the base station key and the security algorithms (such as the RRC algorithm and the UP algorithm) to the relay station, with the messages protected by the relay-base station security association. In step 324, after receiving the base station key and the algorithms, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI; the messages between the relay station and the base station can again be protected by the relay-base station security association. In this case the security association the relay station establishes with the terminal differs from the security association between the base station and the relay station: when the relay station receives a message from the terminal, it first decrypts it under the relay-terminal security association, then re-encrypts it under the relay-base station security association before forwarding; likewise, when it receives a message from the base station, it first decrypts it under the relay-base station security association, then encrypts it under the relay-terminal security association before sending it to the terminal.
In steps 323 and 324 the relay station passively receives messages from the base station and thereby obtains the security association between the terminal and the network side. Alternatively, the relay station can actively request the relevant security association from the base station, so steps 323 and 324 can be replaced by steps 323' and 324' respectively, as follows:
Step 323': the relay station sends a terminal security association request to the base station, requesting the security association information already established between the terminal and the base station; messages between the relay station and the base station can be protected by the relay-base station security association.
Step 324': the base station sends a request response to the relay station, carrying the security algorithms (such as the RRC algorithm and the UP algorithm) and the security association keys generated by the base station (such as the RRC key and the UP key). If the relay station can generate a C-RNTI, the base station need not send the RRC key and the UP key directly; instead the response carries the security algorithms and the base station key. From the received information the relay station obtains the security association information between the terminal and the base station.
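The exchange of steps 301 to 322, as an added Python simulation written for this page (not Huawei's implementation or any 3GPP reference code). It assumes HMAC-SHA256 stand-ins for the unspecified function f, the response function and the key derivation, hypothetical algorithm names, a 6-byte SQN with a window of 32 as the "valid range" check, and a relay that forwards every message unchanged and never holds a key.

```python
import hashlib
import hmac
import os

def kdf(key, label, *parts):
    # Stand-in key derivation (assumption): HMAC-SHA256 over label || parts.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def mac_of(key, data):
    # Stand-in 64-bit integrity check code (assumption).
    return kdf(key, b"mac", data)[:8]

class HSS:  # home subscriber server: long-term key K and last SQN per identity
    def __init__(self, subscribers):
        self.subs = subscribers  # identity -> [K, SQN]

    def auth_vector(self, identity):
        # Step 305: (RAND, XRES, AUTN = SQN || AMF || MAC, Kasme)
        k, sqn = self.subs[identity]
        sqn += 1
        self.subs[identity] = [k, sqn]
        rand, amf, sqn_b = os.urandom(16), b"\x80\x00", sqn.to_bytes(6, "big")
        autn = (sqn, amf, mac_of(k, sqn_b + rand + amf))
        return rand, kdf(k, b"res", rand)[:8], autn, kdf(k, b"kasme", rand, sqn_b, amf)

class MME:  # mobility management entity
    def __init__(self, hss):
        self.hss, self.ctx = hss, {}

    def handle_access(self, req, bs_capability):
        # Steps 303-307: fetch a vector, remember XRES/Kasme, return RAND and AUTN
        rand, xres, autn, kasme = self.hss.auth_vector(req["identity"])
        self.ctx[req["identity"]] = (xres, kasme, req["capability"], bs_capability)
        return rand, autn

    def handle_response(self, identity, res):
        # Steps 314-316: RES must equal XRES; pick an algorithm both sides support
        xres, kasme, term_cap, bs_cap = self.ctx[identity]
        if not hmac.compare_digest(res, xres):
            return None  # terminal failed authentication
        common = [a for a in term_cap if a in bs_cap]
        if not common:
            return None  # no algorithm supported by both terminal and network
        return common[0], kdf(kasme, b"kenb", common[0].encode())  # base station key

class BaseStation:
    supported = ("EEA1", "EIA1", "EEA2")  # hypothetical algorithm names

    def security_mode_command(self, alg, k_bs):
        # Step 317: integrity-protect the SMC content with the base station key
        self.k_bs = k_bs
        return {"algorithm": alg, "mac": mac_of(k_bs, alg.encode())}

class Relay:  # transparent: forwards every message unchanged, holds no keys
    def __init__(self):
        self.log = []

    def forward(self, msg):
        self.log.append(msg)
        return msg

class Terminal:
    def __init__(self, identity, k, supported=("EEA1", "EIA1")):
        self.identity, self.k, self.supported = identity, k, supported
        self.highest_sqn, self.kasme, self.k_bs = 0, None, None

    def access_request(self):  # Step 301
        return {"identity": self.identity, "capability": self.supported}

    def verify_autn(self, rand, autn):
        # Step 310: XMAC = f(SQN || RAND || AMF) must match MAC and SQN must be fresh
        sqn, amf, mac = autn
        sqn_b = sqn.to_bytes(6, "big")
        if not hmac.compare_digest(mac_of(self.k, sqn_b + rand + amf), mac):
            return None  # network authentication failed
        if not self.highest_sqn < sqn <= self.highest_sqn + 32:
            return None  # SQN outside the accepted window (replayed vector)
        self.highest_sqn = sqn
        self.kasme = kdf(self.k, b"kasme", rand, sqn_b, amf)
        return kdf(self.k, b"res", rand)[:8]  # RES

    def handle_smc(self, smc):
        # Step 319: derive the base station key, then verify the integrity code
        alg = smc["algorithm"].encode()
        self.k_bs = kdf(self.kasme, b"kenb", alg)
        return hmac.compare_digest(mac_of(self.k_bs, alg), smc["mac"])

def establish(terminal, relay, bs, mme):
    # Steps 301-322 through the relay; True once the association is established
    req = relay.forward(terminal.access_request())                      # 301-303
    rand, autn = mme.handle_access(req, bs.supported)                   # 304-307
    res = terminal.verify_autn(*relay.forward((rand, autn)))            # 308-310
    if res is None:
        return False
    outcome = mme.handle_response(req["identity"], relay.forward(res))  # 311-316
    if outcome is None:
        return False
    smc = relay.forward(bs.security_mode_command(*outcome))             # 317-318
    return terminal.handle_smc(smc)                                     # 319-322
```

A wrong long-term key, a stale SQN, no common algorithm, or a security mode command altered in transit each make `establish` return False, while the relay's log shows it only ever carried RAND/AUTN, RES and the integrity-protected command.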
With reference to Fig. 4, the third embodiment of the invention concerns a method for establishing a security association between a terminal and the network side. In this embodiment the terminal has already performed initial network access and is moving from idle state to active state (idle to active); the method comprises:
Step 401: the terminal sends an access request message to the network side through the relay station; the message carries the TMSI and the shared root key identifier (Key Set Identifier Access System Management Entity, KSIasme). Because the terminal has accessed the network before, the network equipment already knows the terminal capability, so the access request message need not carry it unless the terminal capability has changed.
Steps 402 to 414 are as described for steps 302 to 314 of the second embodiment.
Step 415: the mobility management entity derives the base station key from the shared root key.
Step 416: the mobility management entity sends the base station key to the base station.
Step 417: the base station sends a security mode command to the relay station; the command carries the security algorithm and an integrity check code.
Step 418: the relay station forwards the received security algorithm and integrity check code to the terminal.
Step 419: after receiving the security algorithm and the integrity check code from the relay station, the terminal performs integrity verification of the forwarded message; if verification succeeds, the terminal sends a verification confirmation message to the relay station.
Step 420: the relay station forwards the verification confirmation message to the base station.
Step 421: after receiving the verification confirmation message, the base station performs a security check; the security algorithm and key agreement between the terminal and the base station are then complete.
Step 422: the base station sends a confirmation message to the mobility management entity, informing it that the security association has been established.
In the procedure of steps 401 to 422 the relay station does not hold the security association between the terminal and the base station and only forwards messages between them transparently. The embodiment can further include the following steps so that the relay station obtains the security association between the terminal and the base station:
Step 423: the base station sends to the relay station the security association keys it generated, such as the RRC key and the UP key, and the security algorithms, such as the RRC algorithm and the UP algorithm; messages between the relay station and the base station can be protected by the relay-base station security association.
Step 424: after receiving the keys and algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station and returns a confirmation message to the base station.
In this embodiment, if the relay station can generate a C-RNTI, then in step 423 the base station can send the base station key and the security algorithms (such as the RRC algorithm and the UP algorithm) to the relay station, with the messages protected by the relay-base station security association. In step 424, after receiving the base station key and the algorithms, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI; the messages between the relay station and the base station can again be protected by the relay-base station security association. In this case the security association the relay station establishes with the terminal differs from the security association between the base station and the relay station: when the relay station receives a message from the terminal, it first decrypts it under the relay-terminal security association, then re-encrypts it under the relay-base station security association before forwarding; likewise, when it receives a message from the base station, it first decrypts it under the relay-base station security association, then encrypts it under the relay-terminal security association before sending it to the terminal.
In steps 423 and 424 the relay station passively receives messages from the base station and thereby obtains the access stratum security association information of the terminal and the network side. Alternatively, the relay station can actively request the relevant security association from the base station, so steps 423 and 424 can be replaced by steps 423' and 424' respectively, as follows:
Step 423': the relay station sends a terminal security association request to the base station, requesting the security association keys already established between the terminal and the base station; messages between the relay station and the base station can be protected by the relay-base station security association.
Step 424': the base station sends a request response to the relay station carrying the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate a C-RNTI, the base station need not send the security association keys directly; instead the response carries the security algorithms and the base station key, and the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI, thereby obtaining the security association with the terminal.
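The C-RNTI variant described in the second and third embodiments, as an added illustration that is not code from the patent: the relay derives the RRC/UP keys from the base station key and the C-RNTI, then removes one hop's protection and re-applies the other's before forwarding, in both directions. The stream cipher and the 32-bit integrity code are constructed stand-ins rather than real LTE algorithms, and the key labels and the COUNT-based replay field are assumptions.

```python
import hashlib
import hmac

def kdf(key, label, *parts):
    # Stand-in key derivation (assumption): HMAC-SHA256 over label || parts.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def derive_sa_keys(k_bs, c_rnti):
    # Step 324/424 (C-RNTI variant): RRC and UP keys from the base station key and the C-RNTI.
    return {name: kdf(k_bs, name.encode(), c_rnti)
            for name in ("rrc_enc", "rrc_int", "up_enc", "up_int")}

def keystream(key, count, n):
    # Constructed stand-in stream cipher: HMAC blocks keyed by COUNT and block index.
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, count.to_bytes(4, "big") + bytes([block]), hashlib.sha256).digest()
    return out[:n]

def protect(enc_key, int_key, count, plaintext):
    # Encrypt, then compute a 32-bit integrity code over COUNT || ciphertext.
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(enc_key, count, len(plaintext))))
    tag = hmac.new(int_key, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
    return count, ct, tag

def unprotect(enc_key, int_key, pdu):
    # Returns the plaintext, or None when the integrity check fails.
    count, ct, tag = pdu
    expected = hmac.new(int_key, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(enc_key, count, len(ct))))

class Relay:
    def __init__(self, k_bs, c_rnti, relay_bs_sa):
        self.term_sa = derive_sa_keys(k_bs, c_rnti)  # relay-terminal SA, derived here
        self.bs_sa = relay_bs_sa                      # relay-base station SA, pre-existing
        self.ul_count = self.dl_count = 0

    def uplink(self, pdu):
        # Terminal -> relay: strip the terminal-SA protection, re-protect under the relay-BS SA.
        plain = unprotect(self.term_sa["up_enc"], self.term_sa["up_int"], pdu)
        if plain is None:
            return None  # dropped: integrity check on the terminal hop failed
        self.ul_count += 1
        return protect(self.bs_sa["enc"], self.bs_sa["int"], self.ul_count, plain)

    def downlink(self, pdu):
        # Base station -> relay: the reverse of uplink.
        plain = unprotect(self.bs_sa["enc"], self.bs_sa["int"], pdu)
        if plain is None:
            return None  # dropped: integrity check on the base station hop failed
        self.dl_count += 1
        return protect(self.term_sa["up_enc"], self.term_sa["up_int"], self.dl_count, plain)
```

The terminal and the base station derive the same four keys with `derive_sa_keys`, so the terminal-side ciphertext and the relay-to-base-station ciphertext of one PDU are different bytes under different keys, and a PDU whose integrity check fails on either hop is never forwarded.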
The fourth embodiment of the present invention, shown in Figure 5, concerns a method for establishing a security association between a terminal and a base station. The technical scheme of this embodiment shortens the time the whole system needs to establish security associations. The embodiment comprises steps 501 to 522, which are essentially the same as steps 301 to 322 of the second embodiment, with the following differences: in step 517, when the base station sends the security algorithms and the integrity check code to the relay station, it also sends the security association keys it generated itself, such as the RRC key and the UP key; in step 520, when the relay station sends the confirmation command to the terminal, it also sends a confirmation message indicating that the relay station has received the terminal's security association.
If the relay station is able to generate the C-RNTI, then in step 517, when the base station sends the security algorithms and the integrity check code to the relay station, it sends the base station key to the relay station, and the relay station derives the security association keys from the base station key and the C-RNTI; in step 520, when the relay station sends the confirmation command to the terminal, it also sends a confirmation message indicating that the relay station has received the terminal's security association.
In this embodiment, the security association between the terminal and the base station and the security association between the terminal and the relay station are established at the same time; the time the whole system needs to establish security associations is therefore saved.
The fifth embodiment of the present invention, shown in Figure 6, comprises steps 601 to 622, which are essentially the same as steps 401 to 422 of the third embodiment, with the following differences: in step 617, when the base station sends the security mode command, it also sends the security association keys it generated itself, such as the RRC key and the UP key, to the relay station; in step 620, when the relay station sends the confirmation command to the terminal, it also sends a confirmation message indicating that the relay station has received the terminal's security-related information.
If the relay station is able to generate the C-RNTI, then in step 617, when the base station sends the security mode command, it sends the base station key to the relay station, and the relay station derives the security association keys from the base station key and the C-RNTI; in step 620, when the relay station sends the confirmation command to the terminal, it also sends a confirmation message indicating that the relay station has received the terminal's security association.
In this embodiment, the security association between the terminal and the base station and the security association between the terminal and the relay station are established at the same time; the time the whole system needs to establish security associations is therefore saved.
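The following is an added example, not code from the patent or from the applicant: it models the key hierarchy and the two ways the relay station obtains the terminal's security association in the third to fifth embodiments. In one mode the base station generates the RRC key and UP key itself and pushes them to the relay station (the relay never sees the base station key); in the other the base station pushes only the base station key and a relay station that produces the C-RNTI derives the keys itself. The KDF (HMAC-SHA256 with labels), the algorithm identifiers, the 16-bit C-RNTI handling and all class and function names are assumptions; the patent does not specify a derivation function.

```python
"""Added example, not the patent's own code: key hierarchy and relay provisioning
modes of the third to fifth embodiments. KDF, labels, algorithm identifiers and
C-RNTI handling are assumptions; the patent names none of them."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

RRC_ALG = "rrc-alg-placeholder"  # constructed algorithm identifiers, not real LTE values
UP_ALG = "up-alg-placeholder"


def kdf(key: bytes, label: str, *context: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation (assumed; the patent names no KDF)."""
    h = hmac.new(key, label.encode("ascii"), hashlib.sha256)
    for part in context:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_base_station_key(shared_root_key: bytes) -> bytes:
    """Derivation unit: base station key from the shared root key obtained after authentication."""
    return kdf(shared_root_key, "base-station-key")


def derive_sa_keys(base_station_key: bytes, c_rnti: int) -> Dict[str, bytes]:
    """RRC key and UP key from the base station key and the C-RNTI. Run by the
    base station, by the terminal, and by a relay that produces the C-RNTI itself."""
    rnti = c_rnti.to_bytes(2, "big")  # the C-RNTI is a 16-bit identifier
    return {"rrc": kdf(base_station_key, "RRC", rnti, RRC_ALG.encode()),
            "up": kdf(base_station_key, "UP", rnti, UP_ALG.encode())}


@dataclass
class BaseStation:
    shared_root_key: bytes
    base_station_key: bytes = field(init=False)

    def __post_init__(self) -> None:
        self.base_station_key = derive_base_station_key(self.shared_root_key)

    def provision_relay(self, relay_generates_c_rnti: bool, c_rnti: Optional[int]) -> Dict[str, object]:
        """Message of step 424' / 517 / 617: security algorithms plus either the
        security association keys (base station assigned the C-RNTI) or only the
        base station key (relay produces the C-RNTI and derives the keys itself)."""
        msg: Dict[str, object] = {"rrc_alg": RRC_ALG, "up_alg": UP_ALG}
        if relay_generates_c_rnti:
            msg["base_station_key"] = self.base_station_key
        else:
            msg["sa_keys"] = derive_sa_keys(self.base_station_key, c_rnti)
        return msg


@dataclass
class RelayStation:
    generates_c_rnti: bool
    c_rnti: Optional[int] = None
    base_station_key: Optional[bytes] = None
    sa_keys: Optional[Dict[str, bytes]] = None

    def terminal_sa_request(self) -> Dict[str, str]:
        """Step 423': the relay actively asks the base station for the terminal SA."""
        return {"type": "terminal-security-association-request"}

    def receive(self, msg: Dict[str, object]) -> Dict[str, object]:
        """Consume the base station's message and return the confirmation of step 520/620."""
        if "sa_keys" in msg:
            self.sa_keys = msg["sa_keys"]  # relay never learns the base station key
        else:
            self.base_station_key = msg["base_station_key"]
            self.sa_keys = derive_sa_keys(self.base_station_key, self.c_rnti)
        return {"type": "terminal-security-association-confirm", "c_rnti": self.c_rnti}


@dataclass
class Terminal:
    shared_root_key: bytes  # the terminal holds the same root key after authentication
    c_rnti: int

    def sa_keys(self) -> Dict[str, bytes]:
        return derive_sa_keys(derive_base_station_key(self.shared_root_key), self.c_rnti)


def establish(relay_generates_c_rnti: bool, relay_requests: bool = False,
              shared_root_key: Optional[bytes] = None) -> Dict[str, object]:
    """Run one establishment and report what the relay ended up holding."""
    root = shared_root_key or secrets.token_bytes(32)  # constructed root key
    c_rnti = secrets.randbelow(1 << 16)  # assigned by the relay or by the base station
    bs = BaseStation(root)
    relay = RelayStation(relay_generates_c_rnti, c_rnti if relay_generates_c_rnti else None)
    if relay_requests:
        request = relay.terminal_sa_request()  # active path (steps 423'/424')
        assert request["type"] == "terminal-security-association-request"
    confirm = relay.receive(bs.provision_relay(relay_generates_c_rnti, c_rnti))
    terminal = Terminal(root, c_rnti)
    return {"relay_keys_match_terminal": relay.sa_keys == terminal.sa_keys(),
            "relay_holds_base_station_key": relay.base_station_key is not None,
            "confirmed": confirm["type"] == "terminal-security-association-confirm"}


def keys_separated_by_c_rnti(shared_root_key: bytes, rnti_a: int, rnti_b: int) -> bool:
    """Different C-RNTIs must yield different security association keys."""
    k = derive_base_station_key(shared_root_key)
    return derive_sa_keys(k, rnti_a) != derive_sa_keys(k, rnti_b)


if __name__ == "__main__":
    for mode in (False, True):
        print("relay generates C-RNTI:", mode, establish(mode, relay_requests=True))
```

The two modes differ in what a compromised relay station would expose: when the base station pushes only the RRC and UP keys, the relay holds per-terminal keys but never the base station key, whereas a C-RNTI-capable relay that receives the base station key can derive the keys for any C-RNTI. Whether the second mode is acceptable is a trust decision about the relay station, not something the key derivation itself decides.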
The technical scheme provided by the embodiments of the present invention solves the problem of how a terminal establishes a security association with the base station through a relay station once relay stations are introduced into an LTE system. It not only allows the terminal to establish a security association with the base station through the relay station; it can further establish a security association between the terminal and the relay station, making the communication of the whole system more secure, and it can also save the time needed to establish security associations in an LTE relay system. In addition, the technical scheme provided by the embodiments inherits the security mechanism of the LTE system: with essentially no change to the existing security mechanism, it merges the forwarding feature and the distributed nature of the relay station and guarantees the security of the mobile communication system after a relay station is added, without increasing system complexity.
The sixth embodiment of the present invention, with reference to Figure 7, concerns a communication network system 700 comprising: a first receiving unit 701, for receiving an access request message sent by a terminal through a relay station; a key acquiring unit 702, for obtaining a shared root key after authenticating the terminal according to the access request message received by the first receiving unit 701; a selection unit 703, for selecting a security algorithm, the security algorithm being one supported by both the terminal and the base station; a derivation unit 704, for deriving a base station key from the shared root key obtained by the key acquiring unit 702; and a first sending unit 705, for sending a security mode command to the terminal through the relay station, the security mode command carrying the security algorithm selected by the selection unit 703.
Further, the first receiving unit 701 is also used to receive the verification confirmation message sent by the terminal through the relay station.
In the schemes provided by the above embodiments, the relay station does not hold the security association between the terminal and the base station, nor any information about the terminal; it only forwards the messages between the terminal and the base station transparently. Preferably, the communication network system further comprises a second sending unit and a second receiving unit, and the derivation unit is also used to generate the network-side security association keys.
The second sending unit is used to send the security algorithm and the network-side security association keys to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal.
The second receiving unit is used to receive the confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the network side after it has obtained the security association keys with the terminal from the security algorithm and the security association keys.
In this way the relay station of this embodiment can obtain the security association between the terminal and the base station and thereby establish a security association between the terminal and the relay station, making the communication between the terminal and the relay station more secure.
If the relay station is able to generate the C-RNTI, then, for establishing the security association between the relay station and the terminal, the communication network system preferably further comprises a third sending unit and a third receiving unit.
The third sending unit is used to send the security algorithm and the base station key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal; the relay station generates the C-RNTI.
The third receiving unit is used to receive the confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the network side after it has obtained the security association keys with the terminal from the C-RNTI, the received base station key and the security algorithm.
Besides passively receiving the relevant security information sent by the communication network system, the relay station may also actively request that information from the communication network system. Preferably, the communication network system further comprises a fourth sending unit and a fourth receiving unit.
The fourth receiving unit is used to receive the terminal security association request sent by the relay station; the derivation unit is also used to generate the network-side security association keys.
The fourth sending unit is used to send a request response to the relay station, the message comprising the security algorithm and the network-side security association keys.
When the relay station is able to generate the C-RNTI, the communication network system, on receiving the relay station's request, may send the base station key instead of sending the security association keys directly. Preferably, the communication network system further comprises a fifth sending unit and a fifth receiving unit.
The fifth receiving unit is used to receive the terminal security association request sent by the relay station to the network side.
The fifth sending unit is used to send a request response to the relay station, the message comprising the security algorithm and the base station key.
The fifth receiving unit is also used to receive the confirmation message that the relay station sends to the base station after it has obtained the security association keys with the terminal from the C-RNTI, the received base station key and the security algorithm.
The communication network system provided by the embodiments of the present invention enables a terminal in an LTE evolved system to establish a security association with the network side through a relay station, and further allows a security association to be established between the terminal and the relay station, making communication more secure. In addition, the technical scheme provided by the embodiments inherits the security mechanism of the LTE system and, with essentially no change to the existing security mechanism and without increasing system complexity, guarantees the security of the mobile communication system after a relay station is added.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented by hardware, or by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical scheme of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash disk or a portable hard drive) and comprises instructions that cause a computer device (such as a personal computer, a server or a network device) to carry out the method described in each embodiment of the present invention.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (6)

1. A method for establishing a security association, characterized in that it comprises:
receiving an access request message sent by a terminal through a relay station;
obtaining a shared root key after authenticating the terminal according to the access request message;
selecting a security algorithm, the security algorithm being an algorithm supported by both the terminal and the network side;
deriving a base station key from the shared root key;
sending the security algorithm to the terminal through the relay station;
receiving a verification confirmation message sent by the terminal through the relay station;
wherein, when the access request message is an initial access request message, sending the security algorithm to the terminal through the relay station comprises:
a mobility management entity sending a security mode command to a base station;
after receiving the security mode command, the base station sending the security mode command to the terminal through the relay station, the security mode command carrying the security algorithm.
2. The method for establishing a security association according to claim 1, characterized in that, after the verification confirmation message sent by the terminal through the relay station is received, the method further comprises:
the base station sending a security mode command to the relay station, the security mode command comprising the security algorithm and the security association key generated by the base station; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the base station after obtaining the security association key with the terminal from the security algorithm and the security association key; or
the base station receiving a terminal security association request sent by the relay station; and the base station sending a request response to the relay station, the message comprising the security algorithm and the security association key generated by the base station.
3. The method for establishing a security association according to claim 1, characterized in that, when the relay station generates a Cell Radio Network Temporary Identifier (C-RNTI), after the verification confirmation message sent by the terminal through the relay station is received, the method further comprises:
the base station sending the base station key and a security mode command, the security mode command comprising the security algorithm, to the relay station; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the base station after obtaining the security association key with the terminal from the C-RNTI, the received base station key and the security algorithm; or
the base station receiving a terminal security association request sent by the relay station to the base station; the base station sending a request response to the relay station, the message comprising the security algorithm and the base station key; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the base station after obtaining the security association key with the terminal from the C-RNTI, the received base station key and the security algorithm.
4. The method for establishing a security association according to claim 1, characterized in that, when the base station sends the security mode command to the terminal through the relay station, it also sends the security association key generated by the base station.
5. The method for establishing a security association according to claim 1, characterized in that, when the relay station generates the C-RNTI, the base station, when sending the security mode command to the terminal through the relay station, also sends the base station key.
6. A communication network system, characterized in that it comprises:
a first receiving unit, for receiving an access request message sent by a terminal through a relay station, and also for receiving a verification confirmation message sent by the terminal through the relay station;
a key acquiring unit, for obtaining a shared root key after authenticating the terminal according to the access request message received by the first receiving unit;
a selection unit, for selecting a security algorithm, the security algorithm being an algorithm supported by both the terminal and the network side;
a derivation unit, for deriving a base station key from the shared root key obtained by the key acquiring unit;
a first sending unit, for sending the security algorithm selected by the selection unit to the terminal through the relay station;
wherein:
the system further comprises a second sending unit and a second receiving unit; the derivation unit is also used to generate a security association key;
the second sending unit is used to send, after the first receiving unit has received the verification confirmation message sent by the terminal, a security mode command to the relay station, the security mode command comprising the security algorithm and the security association key;
the second receiving unit is used to receive a confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the network side after obtaining the security association key with the terminal from the security algorithm and the security association key;
and/or,
the system further comprises a third sending unit and a third receiving unit;
the third sending unit is used to send, after the first receiving unit has received the verification confirmation message sent by the terminal, a security mode command to the relay station, the security mode command comprising the security algorithm and the base station key, the relay station generating the C-RNTI;
the third receiving unit is used to receive a confirmation message sent by the relay station, the confirmation message being the message the relay station sends to the network side after obtaining the security association key with the terminal from the C-RNTI, the received base station key and the security algorithm;
and/or,
the system further comprises a fourth sending unit and a fourth receiving unit;
the fourth receiving unit is used to receive a terminal security association request sent by the relay station; the derivation unit is also used to generate a network-side security association key;
the fourth sending unit is used to send a request response to the relay station, the message comprising the security algorithm and the network-side security association key;
and/or,
the system further comprises a fifth sending unit and a fifth receiving unit;
the fifth receiving unit is used to receive a terminal security association request sent by the relay station to the network side;
the fifth sending unit is used to send a request response to the relay station, the message comprising the security algorithm and the base station key.
CN200980102466.XA 2008-01-30 2009-01-22 Method and communication network system for establishing security conjunction Expired - Fee Related CN101926151B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200980102466.XA CN101926151B (en) 2008-01-30 2009-01-22 Method and communication network system for establishing security conjunction

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200810065263.5 2008-01-30
CN2008100652635A CN101500229B (en) 2008-01-30 2008-01-30 Method for establishing security association and communication network system
CN200980102466.XA CN101926151B (en) 2008-01-30 2009-01-22 Method and communication network system for establishing security conjunction
PCT/CN2009/070273 WO2009094942A1 (en) 2008-01-30 2009-01-22 Method and communication network system for establishing security conjunction

Publications (2)

Publication Number Publication Date
CN101926151A CN101926151A (en) 2010-12-22
CN101926151B true CN101926151B (en) 2013-01-02


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130102