CN101977378A - Information transmission method, network side and relay node - Google Patents

Publication number: CN101977378A
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Application number: CN2010105079558A
Other languages: Chinese (zh)
Other versions: CN101977378B (en)
Inventor: 和峰
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by: ZTE Corp
Priority to: CN201010507955.8A (CN101977378B)
Prior art keywords: key, network side, management interface, safe, binding
Abstract

The invention discloses an information transmission method, a network side and a terminal. The method comprises the following steps: after the management network element and a relay node (RN) establish a secure connection on the management interface, the network side acquires management interface security-related information from the management network element; the network side binds keys using the management interface security-related information and the security key of the Evolved Packet System (EPS); and the network side notifies the RN to perform the key binding with the EPS security key and transmits information using the bound key. According to the invention, the security of communication between the network side and the RN can be improved.

Description

Information transmission method, network side and relay node
Technical field
The present invention relates to the communications field, and in particular to an information transmission method, a network side and a relay node.
Background technology
Fig. 1 is a schematic diagram of the Long Term Evolution (LTE) network architecture according to the related art. As shown in Fig. 1, the LTE network consists of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC), and the network is flat. The E-UTRAN is connected to the EPC through the S1 interface. The E-UTRAN consists of a number of interconnected evolved base stations (Evolved NodeB, eNB), and the eNBs are connected to each other through the X2 interface; the EPC consists of the Mobility Management Entity (MME) and the Serving Gateway (S-GW). The system architecture also includes a Home Environment (HE), namely the Home Subscriber Server (HSS) or the Home Location Register (HLR), which serves as the subscriber database. This database contains the user profile, performs user authentication and authorization, and can provide information about the user's physical location.
To meet the growing demand for high-bandwidth, high-speed mobile access, the Third Generation Partnership Projects (3GPP) released the LTE-Advanced (Long-Term Evolution Advanced) standard. As an evolution of the LTE system, LTE-Advanced keeps the core of LTE and on that basis adopts a series of techniques that extend the frequency and spatial domains, in order to improve spectrum utilization and increase system capacity. Wireless relay is one of the LTE-Advanced technologies. It is intended to extend cell coverage, reduce dead zones, balance load, shift traffic away from hot spots, and save the transmit power of the user equipment (UE), i.e. the terminal. Fig. 2 is a schematic diagram of the access network architecture after the relay node is introduced, according to the related art. As shown in Fig. 2, a new relay node (Relay-Node, RN) is added to the existing network architecture, and the new RN is connected wirelessly to the donor evolved base station (Donor-eNB). The interface between the Donor-eNB and the RN is called the Un interface, and the radio link between them is called the backhaul link; the interface between the RN and the user equipment is called the Uu interface, and the radio link between them is called the access link. Downlink data first arrives at the Donor-eNB, is passed to the RN, and is then transmitted by the RN to the UE; uplink data travels in the opposite direction. In the following description, the donor evolved base station (DeNB) to which the RN is connected is uniformly referred to as the evolved base station (eNB).
The connection between the network side and the RN is wireless. To ensure that data is sent normally on the backhaul link and the Uu interface, the configuration of the RN has to match the cell served by its host base station, the DeNB; that is, the configuration of the RN may need to be modified in time. Some of the configuration parameters can be adjusted by the DeNB according to its own configuration and sent to the RN over the air interface (the Un interface), but some configuration requires specially authorized action and unified planning by the operator, such as the certificate identity of the RN device, or the frequency and power used by the RN. This task is generally performed by the operator through an operation management maintenance (Operator Administration Maintenance, OAM) network element. The OAM is a management entity located inside the core network (the EPC) or inside the Ethernet. To guarantee the legitimacy of the configuration, to prevent an external attacker from illegally configuring or modifying the device, and to prevent illegitimate RN devices from attaching, the legitimacy of both the RN and the OAM must be guaranteed when the OAM configures the RN. A secure connection therefore has to be established on the management interface between the RN and the OAM, such as a Transport Layer Security (TLS) connection, an Internet Protocol security (IP Security, IPsec) connection or an SSL (Security Socket Layer) connection, and the establishment of this secure connection is used for the OAM to authenticate the RN and for the RN to authenticate the OAM. Successful establishment of the secure connection on the management interface therefore also indicates that the OAM and the RN device are legitimate.
Accordingly, in wireless communication, when the RN acts as a terminal device it can access the radio network like an ordinary UE. When an ordinary UE attaches, the network side performs user Authentication and Key Agreement (AKA) with it; in the LTE system this procedure is also called Evolved Packet System (EPS) AKA.
It should be noted that in the above authentication procedure the UE is the collective name for the mobile equipment (Mobile Equipment, ME) and the Universal Subscriber Identity Module (USIM). The procedure is actually carried out by the USIM and authenticates the USIM, i.e. it is user authentication. After the procedure completes, the USIM generates IK and CK from the root key K and sends them to the ME, and the ME generates the intermediate key K_ASME from IK and CK. Through this procedure the network completes USIM authentication of the terminal (also called subscription authentication) and key agreement. The USIM card referred to here stands for the Universal Integrated Circuit Card (UICC) in the broad sense. Once user authentication has produced the intermediate key K_ASME at the UE and at the network side, both use this key to derive further keys, which protect the communication data of the Access Stratum (AS) and the Non-Access Stratum (NAS) respectively. The access stratum protection keys (such as the Radio Resource Control (RRC) connection encryption key K_RRCenc, the RRC integrity protection key K_RRCint and the user-plane encryption key K_UPenc) are each derived from the key K_eNB using different algorithms. K_eNB can be derived by the MME from K_ASME or from a Next Hop (NH) value, or by the eNB from the old K_eNB currently in use or from a stored NH value, where the NH value is derived by the MME from K_ASME or from the old NH. The algorithm used for each derivation is an agreed key derivation function (Key Derivation Function, KDF).
The RN is the collective name for the relay node device (also called the RN platform) and the USIM card (also called the UICC card), and the RN can complete its USIM authentication according to the above procedure. However, when the RN acts as a base station, the legitimacy of this base station must be guaranteed before it serves UEs, because an illegitimate base station may threaten the user equipment it serves.
In addition, even if the RN is a legitimate device, the following security threat exists. Fig. 3 is a schematic diagram of an illegal attack according to the related art. As shown in Fig. 3, an attacker inserts a legitimate USIM card into an illegitimate RN device and at the same time inserts an illegitimate USIM card into a legitimate RN device; during authentication the attacker uses the legitimate USIM and the legitimate RN to complete the user authentication and the device authentication respectively. In actual communication, the illegitimate RN device can then obtain the access stratum protection keys produced by the authentication of the legitimate USIM card. Because part of the communication data between the RN and the network side is protected with the access stratum protection keys, the attacker may tamper with or eavesdrop on the communication between the RN and the DeNB through the illegitimate RN device.
Summary of the invention
The main purpose of the present invention is to provide an information transmission method, a relay node and a network side, so as to solve the problem in the above related art that an attacker uses the obtained security protection keys of the RN and the network side to tamper with or steal the communication between the RN and the DeNB.
To achieve this purpose, according to one aspect of the present invention, an information transmission method is provided.
The information transmission method according to the present invention comprises: after the management network element and the relay node (RN) establish a secure connection on the management interface, the network side obtains management interface security-related information from the management network element; the network side binds keys using the management interface security-related information and the Evolved Packet System (EPS) security key; the network side notifies the RN to perform the key binding with the EPS security key, and uses the bound key for information transmission.
To achieve this purpose, according to a further aspect of the present invention, a network side is provided.
The network side according to the present invention comprises: an acquisition module, used to obtain management interface security-related information from the management network element after the management network element and the relay node (RN) establish a secure connection on the management interface; a key binding module, used to bind keys using the management interface security-related information and the Evolved Packet System (EPS) security key; a notification module, used to notify the RN to perform the key binding with the EPS security key; and a transmission module, used to transmit information using the bound key.
To achieve this purpose, according to another aspect of the present invention, a relay node is provided.
The relay node according to the present invention comprises: a generation module, used to generate, from the EPS security key and the management interface security-related information, a key K_RN bound to the management interface security according to the formula K_RN = KDF(EPS security key, secure-connection-related information, Y), where KDF is a predetermined key derivation algorithm and Y is an optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side; and a binding module, used to perform the key binding by using the key K_RN as one of the following: a new intermediate key; a new AS-layer and/or new NAS-layer key.
With the present invention, after the RN establishes a secure connection with the management network element, the network side binds keys using the obtained secure-connection-related information and the EPS security key, and uses the bound key for information transmission. This solves the problem in the related art that an attacker uses the obtained security protection keys of the RN and the network side to tamper with or steal the communication between the RN and the DeNB, and thereby improves the security of communication between the network side and the RN.
Description of drawings
The accompanying drawings described here provide a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description are used to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the LTE network architecture according to the related art;
Fig. 2 is a schematic diagram of the access network architecture after the relay node is introduced, according to the related art;
Fig. 3 is a schematic diagram of an illegal attack according to the related art;
Fig. 4 is a flow chart of the information transmission method according to an embodiment of the invention;
Fig. 5 is flow chart 1 of the key binding method according to a preferred embodiment of the invention;
Fig. 6 is flow chart 2 of the key binding method according to a preferred embodiment of the invention;
Fig. 7 is flow chart 3 of the key binding method according to a preferred embodiment of the invention;
Fig. 8 is flow chart 4 of the key binding method according to a preferred embodiment of the invention;
Fig. 9 is a schematic diagram of key generation according to a preferred embodiment of the invention;
Fig. 10 is a structural block diagram of the network side according to a preferred embodiment of the invention;
Fig. 11 is a preferred structural block diagram of the network side according to a preferred embodiment of the invention; and
Fig. 12 is a structural block diagram of the RN according to a preferred embodiment of the invention.
Embodiment
It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with each other. The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
This embodiment provides an information transmission method. Fig. 4 is a flow chart of the information transmission method according to an embodiment of the invention. As shown in Fig. 4, the method comprises:
Step S402: after the management network element and the RN establish a secure connection on the management interface, the network side obtains management interface security-related information from the management network element.
Step S404: the network side binds keys using the management interface security-related information and the EPS security key.
Step S406: the network side notifies the RN to perform the key binding with the EPS security key, and uses the bound key for information transmission.
Through the above steps, after the RN and the management network element establish a secure connection, the network side and the RN bind keys using the obtained management interface security-related information and the EPS security key, and use the bound key to protect information transmission. This overcomes the problem in the related art that an attacker uses the obtained security protection keys of the RN and the network side to tamper with or steal the communication between the RN and the network side (such as the DeNB), and improves the reliability of communication between the network side and the RN.
Preferably, the management interface security-related information comprises one of the following: security parameters related to the TLS connection, the IPsec connection or the SSL connection established on the management interface.
Preferably, before the management network element and the RN establish the secure connection on the management interface, the method further comprises: the network side and the RN perform EPS AKA and generate the EPS security key, where the EPS security key comprises the intermediate key K_ASME, or the access stratum (AS) key and/or the non-access stratum (NAS) key generated from the intermediate key. The AS key comprises at least one of the following: the key K_eNB, the next hop value NH, the AS-layer RRC connection encryption key K_RRCenc, the integrity protection key K_RRCint, and the user-plane encryption key K_UPenc. The NAS key comprises the NAS encryption key K_NASenc and the NAS integrity protection key K_NASint. With the generation step of this preferred embodiment, the RN generates the EPS security key, which guarantees the legitimacy of the RN as a terminal user.
A preferred implementation of step S404 is described below. The network side uses the EPS security key and the management interface security-related information to generate a key K_RN bound to the management interface security according to the formula K_RN = KDF(EPS security key, management interface security-related information, Y), where KDF is a predetermined key derivation algorithm and Y is an optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side. The network side performs the key binding by using the key K_RN as one of the following: a new intermediate key; a new AS-layer and/or new NAS-layer key. With the generation step of this preferred embodiment, the network side generates a key bound to the management interface security from the EPS security key and the management interface security-related information, which improves the security of communication between the RN and the network side.
The processing in which the network side binds keys using the management interface security-related information and the EPS security key may also take place after the RN has been notified to perform the key binding processing.
Preferably, the network side obtaining the management interface security-related information from the management network element comprises obtaining it in one of the following ways: directly, from a message sent by the management network element; by the network side sending a request message to the management network element, and the management network element returning the secure-connection-related information to the network side in a response message; or indirectly, relayed by another network element or fetched from a predetermined network element. With this preferred embodiment, the network side obtains the management interface security-related information directly or indirectly, which improves the flexibility with which the network side obtains it.
Preferably, the network side notifying the RN to perform the key binding with the EPS security key comprises: the network side notifies the RN through one of the following messages: an existing NAS or AS message; or a newly added NAS or AS-layer message. The message carries key-binding indication information, which instructs the RN to bind the management interface security-related information with the EPS security key, and/or identification information of the algorithm used for the key binding, which indicates the corresponding binding algorithm. With this preferred embodiment, using the above messages to notify the RN to perform the key binding with the EPS security key improves the reliability of the key binding.
Preferably, after step S406 the method further comprises: the RN uses the EPS security key and the management interface security-related information to generate a key K_RN bound to the management interface security according to the formula K_RN = KDF(EPS security key, secure-connection-related information, Y), where KDF is a predetermined key derivation algorithm and Y is an optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side. The RN performs the key binding by using the key K_RN as one of the following: a new intermediate key; a new AS-layer and/or new NAS-layer key. With this preferred embodiment, the RN performs the key binding, which improves the reliability of communication.
Preferably, the network side comprises one of the following: a mobility management unit (MME) or an evolved base station (eNB); the management network element comprises one of the following: the operation management maintenance (OAM) element, or a network element used to manage the secure connection on the management interface of the RN. This preferred embodiment improves the flexibility of the key binding method.
Embodiment one
Step 1: after the management network element and the RN successfully establish a secure connection on the management interface, the management network element notifies the network side of the management interface security-related information.
Preferably, the secure connection is a security-protected channel that the management network element and the RN establish on the management interface, such as a Transport Layer Security (TLS) connection or an Internet Protocol security (IP Security, IPsec) connection.
Preferably, the management interface security-related information is security parameter information related to this secure connection, such as the security key used to protect the secure connection, or security parameters that the RN and the management network element share through the secure connection.
Preferably, the management network element can notify the network side of the management interface security-related information in one of the following ways:
(1) Directly: the management network element notifies the network side in a message, or the network side initiates a request to obtain the information.
(2) Indirectly: for example, the information is relayed by other intermediate network elements, or the management network element stores the management interface security-related information in a dedicated network element from which the network side actively fetches it.
Step 2: after receiving the information, the network side binds the EPS security key with the management interface security-related information and generates a new key bound to the management interface security.
Preferably, the EPS security key is the intermediate key K_ASME agreed when the RN and the network side authenticate the user through EPS AKA during connection establishment, or one or more of the AS and/or NAS keys derived from the intermediate key K_ASME. The NAS-layer keys comprise the NAS encryption key K_NASenc and the NAS integrity protection key K_NASint. The access stratum keys comprise the key K_eNB, the next hop value NH, the AS-layer RRC connection encryption key K_RRCenc and integrity protection key K_RRCint, the user-plane encryption key K_UPenc, and so on.
Preferably, the method by which the network side binds the EPS security key with the management interface security-related information comprises:
Using the EPS security key and the management interface security-related information as inputs, a new key bound to the management interface security is generated with the agreed key derivation algorithm, that is: key bound to the management interface security = key derivation algorithm(EPS security key, management interface security-related information).
The key bound to the management interface security can serve as a new intermediate key, or as a new AS-layer and/or NAS-layer key; the difference is that the new key is now bound to the management interface security-related parameters. The RN and the network side can use the new key, or other keys derived from the new key, to protect the communication between the RN and the network side.
Preferably, other input parameters can also be used in this computation, for example a parameter shared by the RN and the network side, or a random number generated by the RN and/or the network side.
Step 3: after receiving the information, the network side initiates a security key change procedure toward the RN, notifying the RN to perform the same key binding processing.
Preferably, the security key change procedure can reuse an existing NAS or AS message, such as the NAS security mode command (NAS SMC) or the Radio Resource Control connection reconfiguration (RRC Connection Reconfiguration) message, or can use a newly added NAS or AS-layer message. The message carries key-binding indication information and/or identification information of the algorithm used for the key binding, which respectively instruct the RN to bind the management interface security-related information with the EPS security key and indicate the corresponding binding algorithm.
Preferably, the management network element is the OAM, or another network element used to manage the secure connection on the management interface of the RN, for example a security gateway (Security Gateway, SeGW). The network side comprises the MME and the eNB; in a specific implementation it may refer to the MME alone, to the eNB alone, or to both the MME and the eNB.
Alternatively, the key binding on the network side, i.e. step 2, may also take place after step 3. That is, the network side first notifies the RN to bind the security key through the security key change procedure, and performs its own key binding after receiving the response from the RN.
It should be noted that the agreed key derivation algorithm in the above embodiment is the key computation method negotiated by the RN and the network side; an existing known method can be used and is not described further here.
With this preferred embodiment, the RN and the network side both generate the same key bound to the management interface security. These keys can be used as the new EPS security key to protect the communication data between the RN and the network side, or other AS-layer or NAS-layer keys can be derived from them as the new EPS security key, which improves the security of the communication data between the RN and the network side.
Embodiment two
This embodiment combines the above embodiment and its preferred implementations and provides a key binding method. In this embodiment, the RN establishes a secure connection with the management network element, the management interface security information is notified to the MME, the MME performs the key binding, and the MME notifies the RN to generate the new key as well. Fig. 5 is flow chart 1 of the key binding method according to a preferred embodiment of the invention. As shown in Fig. 5, the method comprises the following steps:
Step 501: the RN and the MME perform the EPS AKA procedure for user authentication and agree on the intermediate key K_ASME, and use other AS-layer or NAS-layer keys derived from K_ASME to protect the wireless connections between the RN and the eNB and the MME.
Step 503: over the radio bearer between the RN and the network side, the RN establishes a TLS secure connection with the corresponding management network element, the OAM, and obtains the key information Ktls related to the secure connection through the TLS handshake protocol. Optionally, Ktls here may be other parameter information shared through this secure connection.
Step 505: the OAM sends the key information Ktls related to the secure connection to the MME to which the RN is connected.
Step 507: the MME uses the existing intermediate key K_ASME and the received Ktls as parameters and, with the agreed key derivation algorithm, generates a new key bound to the management interface security: K_ASME' = KDF(K_ASME, Ktls). Fig. 9 is a schematic diagram of key generation according to a preferred embodiment of the invention, and the above process is shown in Fig. 9.
Preferably, other input parameters can also be introduced in this computation, such as the network identity (for example the PLMN id) or other parameters shared by the RN and the MME.
Preferably, a new key K_eNB, and/or next hop NH, and/or NAS-layer key can also be generated, for example:
K_eNB' = KDF(K_ASME, Ktls, X), where X is an optional input parameter, such as the current uplink NAS count value (Uplink NAS COUNT).
NH' = KDF(K_ASME, Ktls, Y), where Y is an optional input parameter, such as the current next hop NH.
K_NASenc' or K_NASint' = KDF(K_ASME, Ktls, Z), where Z is an optional input parameter, such as algorithm identification information.
Step 509: the MME sends a NAS security mode command (Security Mode Command, SMC) message to the RN, carrying the key-binding indication information, which can be an independent indication information element, and/or the algorithm identifier of the key binding, etc.
Preferably, the MME can also notify the RN to perform the key binding through other NAS messages; in that case the subsequent response of the RN uses the response message corresponding to that request message.
Step 511: after receiving the message, the RN uses the same binding method as the MME to generate the new key bound to the management interface security.
Step 513: the RN replies to the MME with a NAS security mode complete (Security Mode Complete, SMC Complete) message.
With this preferred embodiment, the RN and the network side both generate the same key bound to the management interface security. Communicating with this key, or with other keys derived from it, improves the security of communication between the RN and the network side.
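The binding K_RN = KDF(EPS security key, management interface security-related information, Y) and the Embodiment two derivations, worked through as an added example that is not part of the patent text. The patent only says the KDF is agreed between the RN and the network side; HMAC-SHA-256 over length-framed parameters, the function-code values, the sample keys and the tagged Security Mode Complete check are all assumptions made here to show why a platform holding only one of K_ASME and Ktls cannot produce the bound key.

```python
import hashlib
import hmac

# Hypothetical function codes for domain separation between derived keys.
# Neither the patent nor 3GPP assigns these values.
FC_K_ASME_BOUND = 0xF0
FC_K_ENB_BOUND = 0xF1
FC_K_NASINT_BOUND = 0xF2

# Constructed sample keys (not real key material).
K_ASME = bytes.fromhex("11" * 32)        # agreed by EPS AKA with the legitimate USIM
KTLS = bytes.fromhex("22" * 32)          # from the RN-OAM TLS handshake, sent by OAM to MME
K_ASME_OTHER = bytes.fromhex("33" * 32)  # EPS AKA result of a different USIM
KTLS_OTHER = bytes.fromhex("44" * 32)    # key of a platform that has no TLS session with OAM


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...).

    Each parameter is followed by its 2-byte length, so ("ab", "c") and
    ("a", "bc") can never encode to the same input string.
    """
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 2-byte length field")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def _require(k_eps: bytes, k_mgmt: bytes) -> None:
    # The binding is meaningless if either input is missing: refuse to derive.
    if not k_eps or not k_mgmt:
        raise ValueError("EPS key and management-interface key are both required")


def bind_k_asme(k_asme: bytes, k_mgmt: bytes, y: bytes = b"") -> bytes:
    """K_ASME' = KDF(K_ASME, Ktls[, Y]); Y is optional, e.g. a PLMN id."""
    _require(k_asme, k_mgmt)
    params = (k_mgmt, y) if y else (k_mgmt,)
    return kdf(k_asme, FC_K_ASME_BOUND, *params)


def bind_k_enb(k_asme: bytes, k_mgmt: bytes, uplink_nas_count: int) -> bytes:
    """K_eNB' = KDF(K_ASME, Ktls, X) with X = Uplink NAS COUNT."""
    _require(k_asme, k_mgmt)
    return kdf(k_asme, FC_K_ENB_BOUND, k_mgmt, uplink_nas_count.to_bytes(4, "big"))


def bind_k_nas_int(k_asme: bytes, k_mgmt: bytes, alg_id: int) -> bytes:
    """K_NASint' = KDF(K_ASME, Ktls, Z) with Z = algorithm identifier."""
    _require(k_asme, k_mgmt)
    return kdf(k_asme, FC_K_NASINT_BOUND, k_mgmt, bytes([alg_id]))


def smc_complete_tag(k_nas_int: bytes, message: bytes) -> bytes:
    # Modelling choice, not stated in the patent: the RN's reply is
    # integrity-tagged with the bound NAS key so the MME can confirm agreement.
    return hmac.new(k_nas_int, message, hashlib.sha256).digest()


def mme_accepts(rn_k_asme: bytes, rn_k_mgmt: bytes, alg_id: int = 2) -> bool:
    """Steps 507-513: the MME binds (K_ASME, Ktls from OAM), then checks the RN reply."""
    msg = b"Security Mode Complete"
    try:
        rn_tag = smc_complete_tag(bind_k_nas_int(rn_k_asme, rn_k_mgmt, alg_id), msg)
    except ValueError:
        return False  # the RN side could not perform the binding at all
    expected = smc_complete_tag(bind_k_nas_int(K_ASME, KTLS, alg_id), msg)
    return hmac.compare_digest(rn_tag, expected)


def run_scenarios() -> dict:
    """The Fig. 3 split, seen from the MME after binding."""
    return {
        "legitimate platform + legitimate USIM": mme_accepts(K_ASME, KTLS),
        "illegitimate platform + legitimate USIM": mme_accepts(K_ASME, KTLS_OTHER),
        "legitimate platform + other USIM": mme_accepts(K_ASME_OTHER, KTLS),
        "no management-interface key": mme_accepts(K_ASME, b""),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the node that holds both the EPS AKA result and the management-interface key reaches the same bound key as the MME, which is the property the binding is meant to provide.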
Embodiment three
This embodiment combines the above embodiments and their preferred implementations and provides a key binding method. In this embodiment, an IPsec security connection is established between the RN and the managed network element to protect the management interface; the managed network element notifies the MME of the information related to this management interface security; the MME binds it with the access-layer security key and then triggers the eNB by a message to initiate the security key change procedure. Fig. 6 is flowchart 2 of the key binding method according to the preferred embodiment of the invention; as shown in Fig. 6, the method comprises the following steps:
Step 601: The RN and the MME perform the EPS AKA procedure for user authentication and agree on the intermediate key K_ASME, from which the key K_eNB is derived; preferably, the next hop NH value and other AS-layer or NAS-layer keys are also derived, for protecting the wireless connections between the RN and the eNB and the MME.
Step 603: Over the radio bearer between the RN and the network side, the RN establishes an IPsec security connection with the corresponding managed network element OAM and obtains the key information Kipsec related to the security connection through the IKEv2 protocol; preferably, Kipsec here may be other parameter information shared through this security connection.
Step 605: The OAM sends the key information Kipsec related to the security connection to the MME connected to the RN; specifically, the OAM can notify the MME directly, or the information can be relayed through other network elements.
Step 607: The MME takes the existing key K_eNB and the received Kipsec as parameters and, using the agreed key derivation algorithm, generates a new key bound to the management interface security: K_eNB' = KDF(K_eNB, Kipsec). Fig. 9 is a schematic diagram of key generation according to the preferred embodiment of the invention, and the process is shown in Fig. 9.
Preferably, other input parameters can also be introduced into this computation, such as a device identifier or other parameters shared by the RN and the MME.
Preferably, a new key K_eNB' can also be generated from the next hop value, and/or a new next hop NH' can be generated, for example:
K_eNB' = KDF(NH, Kipsec, X), where X is an optional further input parameter, such as the current next hop chaining count (NH chaining count, abbreviated NCC).
NH' = KDF(NH/K_eNB, Ktls, Y), where Y is an optional further input parameter, such as the intermediate key K_ASME.
Step 609: The MME sends a UE Context Modification Request message to the serving eNB of the RN, carrying the newly generated key bound to the management interface security; preferably, to distinguish it from an ordinary key, extra indication information can be added to the message.
Optionally, the MME can also send the above information through other known S1 interface messages, or use a newly added message in place of the above UE Context Modification Request message. Accordingly, the subsequent response message is the one corresponding to the request message.
Step 611: After receiving the message, the eNB sends a Radio Resource Control Connection Reconfiguration (RRC Connection Reconfiguration) message to the RN, carrying indication information that instructs the RN to perform key binding. Optionally, the indication information can be an independent indication information element and/or the algorithm identifier of the key binding, etc.
Alternatively, the eNB can also send the above indication information through other RRC messages, or use a newly added RRC message to convey the binding indication information; the RN's subsequent response then uses the corresponding response message.
Step 613: After receiving the message, the RN uses the same binding method as the MME to generate the new key bound to the management interface security.
Step 615: The RN replies to the eNB with an RRC connection reconfiguration complete (RRC Reconfiguration Complete) message.
Step 617: After receiving it, the eNB sends a UE Context Modification Response message to the MME.
With this preferred embodiment, the RN and the network side both generate the same key bound to the management interface security. Communicating with this key, or with other keys derived from it, improves the security of communication between the RN and the network side.
Embodiment four
This embodiment combines the above embodiments and their preferred implementations and provides a key binding method. In this embodiment, the security connection that the RN and the managed network element establish to protect the corresponding management interface can also be an SSL security connection, and the managed network element here can also be a network element other than the OAM that is used to establish the management interface security connection, such as a security gateway (Security Gateway, SeGW). The managed network element sends the parameter information related to management interface security to the eNB through the MME; the eNB performs the binding change of the key and then triggers the security key change procedure to notify the RN. Fig. 7 is flowchart 3 of the key binding method according to the preferred embodiment of the invention; as shown in Fig. 7, the method comprises the following steps:
Step 701: The RN and the MME perform the EPS AKA procedure for user authentication and agree on the intermediate key K_ASME, from which other AS-layer or NAS-layer keys are derived, including the key K_eNB, the RRC integrity protection key K_RRCint, the RRC encryption key K_RRCenc, etc.; optionally, there is also the next hop NH value. A wireless connection protected by the AS-layer keys can then be established between the RN and the eNB.
Step 703: The RN establishes an SSL security connection with the corresponding managed network element (such as the SeGW) and obtains the key information Kssl related to the security connection through the SSL handshake protocol; optionally, Kssl here may be other parameter information shared through this security connection.
Step 705: The SeGW sends the key information Kssl related to the security connection to the MME connected to the RN; specifically, the SeGW can notify the MME directly, or the information can be relayed through other network elements.
Step 707: The MME sends a UE Context Modification Request message to the eNB, carrying the parameter information Kssl related to the security connection.
Preferably, the MME can also send the above information through other known S1 interface messages, or use a newly added message in place of the above UE Context Modification Request message. Correspondingly, the subsequent response message is the one corresponding to the request message.
Step 709: The eNB takes the existing key K_eNB and the received Kssl as parameters and, using the agreed key derivation algorithm, generates a new key bound to the management interface security: K_eNB' = KDF(K_eNB, Kssl). Fig. 9 is a schematic diagram of key generation according to the preferred embodiment of the invention, and the above process is shown in Fig. 9.
Preferably, other input parameters can also be introduced into this computation, such as the physical cell identifier PCI of the cell and/or the downlink frequency information EARFCN-DL of the cell, or other parameters shared by the RN and the eNB.
Preferably, a new key K_eNB' can also be generated from the next hop value NH, or new encryption/integrity protection keys for RRC or the user plane UP can be generated, for example:
K_eNB' = KDF(NH, Kssl, X), where X is an optional further input parameter, such as the physical cell identifier PCI of the cell and/or the downlink frequency information EARFCN-DL of the cell.
K'_RRCenc or K'_RRCint or K'_UPenc = KDF(K_eNB/NH, Kssl, Y), where Y is an optional further input parameter, such as algorithm identification information and/or algorithm type information.
Step 711: The eNB sends an RRC connection reconfiguration (RRC Connection Reconfiguration) message to the RN, carrying indication information that instructs the RN to perform key binding. Preferably, the indication information can be an independent indication information element and/or the algorithm identifier of the key binding, etc.
Preferably, the eNB can also send the above indication information through other RRC messages, or use a newly added RRC message to convey the binding indication information; the RN's subsequent response then uses the corresponding response message.
Step 713: After receiving the message, the RN uses the same binding method as the eNB to generate the new key bound to the management interface security.
Step 715: The RN replies to the eNB with an RRC connection reconfiguration complete (RRC Reconfiguration Complete) message.
Step 717: After receiving it, the eNB sends a UE Context Modification Response message to the MME.
Embodiment five
This embodiment combines the above embodiments and their preferred implementations and provides a key binding method. In this embodiment, the RN and the managed network element establish a security connection of another type to protect the device management interface; the managed network element sends the parameter information related to management interface security (such as security connection related information) directly to the eNB; the eNB triggers the security key change procedure to notify the RN to perform the binding. Fig. 8 is flowchart 4 of the key binding method according to the preferred embodiment of the invention; as shown in Fig. 8, the method comprises:
Step 801: The RN and the MME perform the EPS AKA procedure for user authentication and agree on the intermediate key K_ASME, from which the corresponding AS-layer security keys are derived, including K_eNB, NH, K_RRCint, K_RRCenc and K_UPenc; a protected wireless connection is established between the RN and the eNB.
Step 803: The RN establishes a security connection with the corresponding managed network element (such as the OAM) and obtains, through this security connection, the parameter information Ksec related to management interface security; optionally, Ksec here may be other parameter information shared through this security connection.
Step 805: The OAM sends the key information Ksec related to the security connection to the eNB connected to the RN; specifically, the SeGW can notify the MME directly, or the information can be relayed through other network elements.
Step 807: The eNB takes the key K_eNB, the received Ksec, the physical cell identifier PCI of the cell and the downlink frequency information EARFCN-DL of the cell as parameters and, using the agreed key derivation algorithm, generates a new key bound to the management interface security: K_eNB' = KDF(K_eNB, Ksec, PCI, EARFCN-DL), as shown in Fig. 8.
Preferably, the physical cell identifier PCI of the cell and the downlink frequency information EARFCN-DL of the cell are optional parameters in this computation.
Preferably, other input parameters can also be introduced into this computation, such as any parameter shared by the RN and the eNB, or a random number generated by the RN and/or the eNB.
Preferably, a new key K_eNB' can also be generated from the next hop value NH, or new encryption/integrity protection keys for RRC or the user plane UP can be generated, such as:
K_eNB' = KDF(NH, Ksec, X), where X is an optional further input parameter, such as the physical cell identifier PCI of the cell and/or the downlink frequency information EARFCN-DL of the cell.
K_RRCenc or K_RRCint or K_UPenc = KDF(K_eNB/NH, Ksec, Y), where Y is an optional further input parameter, such as algorithm identification information and/or algorithm type information.
Step 809: The eNB sends an RRC connection reconfiguration (RRC Connection Reconfiguration) message to the RN, carrying key binding indication information; this information can be an independent indication information element and/or the algorithm identifier of the key binding, etc.
Preferably, the eNB can also send the above indication information through other RRC messages, or use a newly added RRC message to convey the binding indication information; the RN's subsequent response then uses the corresponding response message.
Step 811: After receiving the message, the RN uses the same binding method as the eNB to generate the new key bound to the management interface security.
Step 813: The RN replies to the eNB with an RRC connection reconfiguration complete (RRC Connection Reconfiguration Complete) message.
It should be noted that the agreed key derivation algorithm in the above five embodiments is the key calculation method negotiated by the RN and the network side; an existing known method can be adopted, and it is not described further here.
Preferably, with the above method the RN and the network side both generate the same key bound to the management interface security. These keys can be used as the new EPS security keys to protect the communication data between the RN and the network side, or new NAS-layer or AS-layer key information can be derived from them. The specific derivation method can be the same as that of the current EPS security keys; for example, the newly generated K_eNB' can be used to derive new encryption and integrity protection keys for RRC or the user plane:
K_RRCenc / K_RRCint / K_UPenc = KDF(K_eNB', Algorithm Type Distinguisher, Algorithm identity)
where Algorithm Type Distinguisher and Algorithm identity are, respectively, the algorithm type and the algorithm identification information used in deriving the different keys.
Preferably, a new key K_eNB* is generated using the newly generated K_eNB' or the next hop value NH':
K_eNB* = KDF(K_eNB'/NH', PCI, EARFCN-DL), where PCI and EARFCN-DL are, respectively, the physical cell identifier of the current serving cell and the downlink frequency information of the cell.
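The binding K_RN = KDF(EPS security key, security connection related information, Y) and the follow-on derivation of K_RRCenc / K_RRCint / K_UPenc described above, as an added example that is not part of the patent text. It assumes HMAC-SHA-256 over a length-framed parameter string as the "agreed" KDF; all function names, function codes, algorithm identifiers and key values are hypothetical or constructed. It walks embodiment five, K_eNB' = KDF(K_eNB, Ksec, PCI, EARFCN-DL), on both the eNB and the RN side.

```python
import hashlib
import hmac

# Assumptions (the patent fixes none of these values):
FC_BINDING = 0xF0   # hypothetical function code for the binding step
FC_ALG_KEY = 0x15   # function code assumed for algorithm-key derivation
RRC_ENC, RRC_INT, UP_ENC = 0x03, 0x04, 0x05   # assumed algorithm type distinguishers


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each L a 2-byte length.

    Framing every parameter with its length keeps (b"ab", b"c") and
    (b"a", b"bc") from collapsing into the same input string.
    """
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 2-byte length field")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def bind_key(eps_key: bytes, mgmt_secret: bytes, *optional: bytes) -> bytes:
    """K_RN = KDF(EPS security key, management-interface security info, Y...)."""
    if not eps_key or not mgmt_secret:
        raise ValueError("EPS key and management-interface secret are both required")
    return kdf(eps_key, FC_BINDING, mgmt_secret, *optional)


def derive_as_keys(k_enb_bound: bytes, enc_alg: int, int_alg: int) -> dict:
    """K_RRCenc / K_RRCint / K_UPenc = KDF(K_eNB', type distinguisher, alg identity)."""
    def alg_key(distinguisher: int, alg_id: int) -> bytes:
        full = kdf(k_enb_bound, FC_ALG_KEY, bytes([distinguisher]), bytes([alg_id]))
        return full[16:]   # keep the 128 least significant bits
    return {
        "K_RRCenc": alg_key(RRC_ENC, enc_alg),
        "K_RRCint": alg_key(RRC_INT, int_alg),
        "K_UPenc": alg_key(UP_ENC, enc_alg),
    }


def protect(k_rrc_int: bytes, message: bytes) -> bytes:
    """Stand-in 4-byte integrity tag (truncated HMAC), not a real EIA algorithm."""
    return hmac.new(k_rrc_int, message, hashlib.sha256).digest()[:4]


def run_binding(k_enb: bytes, ksec_at_enb: bytes, ksec_at_rn: bytes,
                pci: int, earfcn_dl: int) -> tuple:
    """Embodiment five: eNB and RN bind independently, then the eNB checks the
    integrity tag on the RN's reconfiguration-complete message.

    Returns (bound_keys_match, complete_message_accepted).
    """
    cell = (pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))
    k_net = bind_key(k_enb, ksec_at_enb, *cell)    # step 807, eNB side
    k_rn = bind_key(k_enb, ksec_at_rn, *cell)      # step 811, RN side
    net_keys = derive_as_keys(k_net, enc_alg=2, int_alg=2)
    rn_keys = derive_as_keys(k_rn, enc_alg=2, int_alg=2)
    complete = b"RRCConnectionReconfigurationComplete"   # step 813 payload stand-in
    tag = protect(rn_keys["K_RRCint"], complete)
    accepted = hmac.compare_digest(tag, protect(net_keys["K_RRCint"], complete))
    return k_net == k_rn, accepted


# Constructed sample values, for illustration only.
K_ENB = bytes.fromhex("11" * 32)
KSEC = bytes.fromhex("a5" * 32)         # secret of the genuine management connection
KSEC_OTHER = bytes.fromhex("5a" * 32)   # a node that never completed that connection
PCI, EARFCN_DL = 301, 1850

if __name__ == "__main__":
    print("same Ksec on both sides:", run_binding(K_ENB, KSEC, KSEC, PCI, EARFCN_DL))
    print("K_eNB only, wrong Ksec: ", run_binding(K_ENB, KSEC, KSEC_OTHER, PCI, EARFCN_DL))
```

A node that holds K_eNB but not the management-interface secret ends up with different RRC keys, so the eNB rejects its integrity tag.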
It should be noted that the steps shown in the flowcharts of the drawings can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described can be executed in an order different from the one given here.
An embodiment of the invention provides a network side, which can be used to implement the above information transmission method. Figure 10 is a structural block diagram of the network side according to the preferred embodiment of the invention; as shown in Figure 10, it comprises: acquisition module 102, key binding module 104, notification module 106 and transmission module 108. The structure is described in detail below:
Acquisition module 102 is used to obtain the management interface security related information from the managed network element after the managed network element and the RN have established a security connection on the management interface. Key binding module 104 is connected to acquisition module 102 and is used to perform key binding using the management interface security related information obtained by acquisition module 102 and the EPS security key; notification module 106 is used to notify the RN to perform key binding with the EPS security key; transmission module 108 is connected to key binding module 104 and is used to transmit information using the key bound by key binding module 104.
Preferably, the management interface security related information comprises one of the following: security parameters of a Transport Layer Security (TLS) connection, an Internet Protocol Security (IPsec) connection, or a Secure Sockets Layer (SSL) connection established on the management interface.
Figure 11 is a structural block diagram of the network side according to the preferred embodiment of the invention; as shown in Figure 11, the network side further comprises: EPS AKA module 112 and EPS security key generation module 114; key binding module 104 comprises: key generation submodule 1042 and key binding submodule 1044. The structure is described in detail below.
EPS AKA module 112 is used to perform EPS authentication and key agreement (AKA) with the RN. EPS security key generation module 114 is connected to EPS AKA module 112 and is used to generate the EPS security key, where the EPS security key comprises: the intermediate key K_ASME, or the access stratum (AS) keys and/or non-access stratum (NAS) keys generated from the intermediate key. The AS keys comprise at least one of the following: the key K_eNB, the next hop value NH, the AS-layer RRC connection encryption key K_RRCenc, the integrity protection key K_RRCint, and the user plane encryption key K_UPenc. The NAS keys comprise: the NAS encryption key K_NASenc and the NAS integrity protection key K_NASint.
Key binding module 104 comprises: key generation submodule 1042, used to generate, from the EPS security key and the management interface related information, the key K_RN bound to the management interface security according to the following formula: K_RN = KDF(EPS security key, security connection related information, Y), where KDF is the predetermined key derivation algorithm and Y is an optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side; and key binding submodule 1044, connected to key generation submodule 1042, used to perform key binding by using the key K_RN generated by key generation submodule 1042 as one of the following: a new intermediate key; a new AS-layer and/or new NAS-layer key.
Acquisition module 102 obtains the management interface security related information from the managed network element in one of the following ways: obtaining the management interface security related information directly from a message sent by the managed network element; the network side on which it resides sends a request message to the managed network element, and the managed network element sends the security connection related information to the network side in a response message; obtaining the security connection related information indirectly, relayed through a network element or from a predetermined network element.
Notification module 106 notifies the RN to perform key binding with the EPS security key through one of the following messages: an existing NAS or AS message; a newly added NAS-layer or AS-layer message, where the key binding indication information carried in the message is used to instruct the RN to bind the management interface security related information with the EPS security key information, and/or the algorithm identification information used for the key binding is used to indicate the corresponding binding algorithm.
An embodiment of the invention provides an RN, which can be used to implement the above information transmission method. Figure 12 is a structural block diagram of the RN according to the preferred embodiment of the invention; as shown in Figure 12, it comprises: generation module 122 and binding module 124. The structure is described in detail below:
Generation module 122 is used to generate, from the EPS security key and the management interface security related information, the key K_RN bound to the management interface security according to the following formula: K_RN = KDF(EPS security key, security connection related information, Y), where KDF is the predetermined key derivation algorithm and Y is an optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side;
Binding module 124 is connected to generation module 122 and is used to perform key binding by using the key K_RN generated by generation module 122 as one of the following: a new intermediate key; a new AS-layer and/or new NAS-layer key.
It should be noted that the network side and the RN described in the above embodiments correspond to the above method embodiments; their specific implementation has been described in detail in the method embodiments and is not repeated here.
In summary, with the above embodiments, after the managed network element and the RN establish a security connection, the network side performs key binding using the obtained security connection related information and the EPS security key, and uses the bound key for information transmission. An illegitimate attacker cannot learn the security parameters related to the security connection on the management interface and therefore cannot derive or crack the finally generated security key bound to the management interface security, which prevents eavesdropping on and tampering with the communication data between the RN and the network side and ensures the security of the whole communication network. At the same time, since establishing the security connection on the management interface is a necessary step, using the security parameter information of this procedure avoids the network side initiating an additional authentication procedure for the device. In addition, because the security connection on the management interface of the RN is relatively stable and does not change as the RN moves, security key changes caused by frequent interface changes are also reduced, improving the stability of the key binding.
Obviously, those skilled in the art should understand that each module or step of the invention described above can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Alternatively, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be executed in an order different from the one given here, or they can each be made into a separate integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The invention is therefore not restricted to any specific combination of hardware and software.
The above are only the preferred embodiments of the invention and do not limit the invention; for those skilled in the art, the invention can have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the protection scope of the invention.

Claims (15)

1. an information transferring method is characterized in that, comprising:
Network side is set up after safety is connected at management interface at managed network element and via node RN, obtains the management interface security related information from described managed network element;
Network side uses described management interface security related information and evolved packet system EPS safe key to carry out the binding of key;
Network side notifies described RN and described EPS safe key to carry out the binding of key, and uses the key after the binding to carry out message transmission.
2. method according to claim 1 is characterized in that,
It is one of following that described management interface security related information comprises: the Transport Layer Security TLS that sets up with management interface is connected, the security parameter of procotol fail safe IPsec connection, SSL SSL join dependency.
3. method according to claim 1 is characterized in that, sets up before safety is connected at management interface at managed network element and RN, also comprises:
Described network side and described RN carry out EPS authentication and cryptographic key agreement AKA, and generate described EPS safe key, and wherein, described EPS safe key comprises: intermediate key K ASMEOr the Access Layer AS key and/or the Non-Access Stratum NAS key that use described intermediate key to generate, described AS key comprise following one of at least: key K ENB, next jumping value NH, AS layer RRC connect encryption key K RRCenc, the integrity protection key K RRCint, user's face encryption key K UPencDescribed NAS key comprises: NAS encryption key K NASencWith NAS integrity protection key K NASint
4. method according to claim 3 is characterized in that, the binding that network side uses described management interface security related information and EPS safe key to carry out key comprises:
Described network side uses described EPS safe key and described management interface security related information according to key K _ RN:K_RN=KDF (the EPS safe key of following formula generation with the management interface secure binding, safe join dependency information, Y), wherein, KDF is predetermined key derivation algorithm, Y is an optional parameters, and it is one of following that described optional parameters comprises: the random number that the parameter that described RN and described network side are shared, described RN or described network side generate;
Described network side uses described key K _ RN as one of the following key bindings that carries out: new intermediate key; New AS layer and/or new NAS layer key.
5. method according to claim 1 is characterized in that, described network side obtains the management interface security related information from described managed network element and comprises:
Described network side one of in the following manner obtains described management interface security related information from described managed network element: directly obtain described management interface security related information by the message that described managed network element sends; Network side by its place sends a request message to described managed network element, and described managed network element sends to described network side by response message with described safe join dependency information; Obtain described safe join dependency information indirectly by the network element transfer or from predetermined network element.
6. method according to claim 1 is characterized in that, the binding that described network side notifies described RN to carry out carrying out key with described EPS safe key comprises:
Described network side notifies described RN to carry out carrying out with the EPS safe key binding of key by one of following message: existing NAS, AS message; Newly-increased NAS or AS layer message, the indication information that carries key bindings in the wherein said message are used to indicate RN to manage interface security related information and the binding of described EPS safe key information and/or the employed algorithm identification information of key bindings and are used to indicate corresponding binding algorithm.
7. method according to claim 1 is notified after described RN carries out carrying out the binding of key with described EPS safe key at network side, also comprises:
Described RN uses described EPS safe key and described management interface security related information according to key K _ RN:K_RN=KDF (the EPS safe key of following formula generation with the management interface secure binding, safe join dependency information, Y), wherein, KDF is predetermined key derivation algorithm, Y is an optional parameters, and it is one of following that described optional parameters comprises: the random number that the parameter that described RN and described network side are shared, described RN or described network side generate;
Described RN uses described key K _ RN as one of the following key bindings that carries out: new intermediate key; New AS layer and/or new NAS layer key.
8. according to each described method in the claim 1 to 7, it is characterized in that,
It is one of following that described network side comprises: mobile management unit MME or evolution base station eNB;
It is one of following that described managed network element comprises: operation management maintain OAM network element or be used to is managed the network element that the management interface safety of RN connects.
9. a network side is characterized in that, comprising:
Acquisition module is used for setting up after safety is connected at management interface at managed network element and via node RN, obtains the management interface security related information from described managed network element;
The key bindings module is used to use described management interface security related information and evolved packet system EPS safe key to carry out the binding of key;
Notification module is used to notify described RN to carry out carrying out the binding of key with described EPS safe key;
Transport module is used to use the key after the binding to carry out message transmission.
10. network side according to claim 9 is characterized in that,
It is one of following that described management interface security related information comprises: the Transport Layer Security TLS that sets up with management interface is connected, procotol fail safe IPsec connects, the security parameter of SSL SSL connection.
11. network side according to claim 9 is characterized in that, also comprises:
EPS AKA module is used for carrying out EPS authentication and cryptographic key agreement AKA with described RN;
EPS safe key generation module is used to generate the EPS safe key, and wherein, described EPS safe key comprises: intermediate key K ASMEOr the Access Layer AS key and/or the Non-Access Stratum NAS key that use described intermediate key to generate, described AS key comprise following one of at least: key K ENB, next jumping value NH, AS layer RRC connect encryption key K RRCenc, the integrity protection key K RRCint, user's face encryption key K UPencDescribed NAS key comprises: NAS encryption key K NASencWith NAS integrity protection key K NASint
12. network side according to claim 9 is characterized in that, described key bindings module comprises:
Key generates submodule, be used to use described EPS safe key and described management interface relevant information to generate and key K _ RN:K_RN=KDF (EPS safe key of management interface secure binding according to following formula, safe join dependency information, Y), wherein, KDF is predetermined key derivation algorithm, and Y is an optional parameters, and it is one of following that described optional parameters comprises: the random number that the parameter that described RN and described network side are shared, described RN or described network side generate;
The key bindings submodule is used to use described key K _ RN as one of the following new intermediate key of key bindings of carrying out; New AS layer and/or new NAS layer key.
13. network side according to claim 9 is characterized in that, also comprises:
Described acquisition module one of in the following manner obtains described management interface security related information from described managed network element: directly obtain described management interface security related information by the message that described managed network element sends; Network side by its place sends a request message to described managed network element, and described managed network element sends to described network side by response message with described safe join dependency information; Obtain described safe join dependency information indirectly by the network element transfer or from predetermined network element.
14. network side according to claim 9 is characterized in that,
Described notification module notifies described RN to carry out carrying out with the EPS safe key binding of key by one of following message: existing NAS, AS message; Newly-increased NAS or AS layer message, the indication information that carries key bindings in the wherein said message are used to indicate RN to manage interface security related information and the binding of described EPS safe key information and/or the employed algorithm identification information of key bindings and are used to indicate corresponding binding algorithm.
15. A relay node (RN), characterized by comprising:
A generation module, configured to use the EPS security key and the management interface security related information to generate, according to the following formula, a key K_RN that is bound to the management interface security: K_RN = KDF(EPS security key, secure connection related information, Y), where KDF is a predetermined key derivation algorithm and Y is an optional parameter, the optional parameter comprising one of the following: a parameter shared by the RN and the network side, or a random number generated by the RN or the network side;
A binding module, configured to perform key binding by using the key K_RN as one of the following: a new intermediate key; a new AS layer key and/or a new NAS layer key.
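The derivation K_RN = KDF(EPS security key, secure connection related information, Y) from claims 12 and 15, as an added sketch that is not part of the patent text. HMAC-SHA-256 stands in for the unspecified "predetermined" KDF; the label byte, the length-suffixed field encoding, the function names and all sample inputs are assumptions constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"\xf0"  # constructed domain-separation byte, not a value from the patent


def _field(value: bytes) -> bytes:
    # Append a 2-byte length so (b"ab", b"c") and (b"a", b"bc") encode differently.
    return value + len(value).to_bytes(2, "big")


def derive_k_rn(eps_key: bytes, conn_info: bytes, y: bytes = b"") -> bytes:
    """K_RN = KDF(EPS security key, secure connection related information, Y)."""
    if len(eps_key) != 32:
        raise ValueError("this sketch assumes a 256-bit EPS security key")
    if not conn_info:
        raise ValueError("no management-interface input: key would not be bound")
    message = LABEL + _field(conn_info) + _field(y)
    return hmac.new(eps_key, message, hashlib.sha256).digest()


def same_binding(k_network: bytes, k_rn: bytes) -> bool:
    # Constant-time comparison of two independently derived keys.
    return hmac.compare_digest(k_network, k_rn)


# Constructed sample inputs (not real key material).
EPS_KEY = bytes(range(32))
CONN_INFO = b"constructed-mgmt-connection-secret"
OTHER_CONN_INFO = b"constructed-other-connection-secret"
Y = bytes.fromhex("00112233445566778899aabbccddeeff")  # shared random number


def demo() -> dict:
    network = derive_k_rn(EPS_KEY, CONN_INFO, Y)
    return {
        # RN that set up this management connection derives the same K_RN.
        "same_connection": same_binding(network, derive_k_rn(EPS_KEY, CONN_INFO, Y)),
        # Same EPS key, different management connection: the keys diverge.
        "other_connection": same_binding(network, derive_k_rn(EPS_KEY, OTHER_CONN_INFO, Y)),
        # Both sides must agree on whether the optional Y is used.
        "y_omitted": same_binding(network, derive_k_rn(EPS_KEY, CONN_INFO)),
    }


if __name__ == "__main__":
    print(demo())
```

Because K_RN then serves as the new intermediate, AS or NAS key, a mismatch in any input surfaces as a failure of the protected traffic rather than as a separate check.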
CN201010507955.8A 2010-09-30 2010-09-30 Information transmission method, network side and relay node Expired - Fee Related CN101977378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010507955.8A CN101977378B (en) 2010-09-30 2010-09-30 Information transmission method, network side and relay node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010507955.8A CN101977378B (en) 2010-09-30 2010-09-30 Information transmission method, network side and relay node

Publications (2)

Publication Number Publication Date
CN101977378A true CN101977378A (en) 2011-02-16
CN101977378B CN101977378B (en) 2015-08-12

Family

ID=43577218

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010507955.8A Expired - Fee Related CN101977378B (en) 2010-09-30 2010-09-30 Information transmission method, network side and relay node

Country Status (1)

Country Link
CN (1) CN101977378B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101500230A (en) * 2008-01-30 2009-08-05 华为技术有限公司 Method for establishing security association and communication network system
CN101500229A (en) * 2008-01-30 2009-08-05 华为技术有限公司 Method for establishing security association and communication network system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZTE: "7.1 Relay Node Securities", 《3GPP TSG-SA3 (SECURITY) MEETING –SA3 AD HOC S3-101063》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012130085A1 (en) * 2011-03-29 2012-10-04 华为技术有限公司 Method and device for establishing connection with network management system, and communication system
CN102724102A (en) * 2011-03-29 2012-10-10 华为技术有限公司 Method and apparatus for establishing connection with network management system and communication system
CN102724102B (en) * 2011-03-29 2015-04-08 华为技术有限公司 Method and apparatus for establishing connection with network management system and communication system
US9131473B2 (en) 2011-03-29 2015-09-08 Huawei Technologies Co., Ltd. Method, device, and communication system for establishing connection with network management system
CN103929740A (en) * 2013-01-15 2014-07-16 中兴通讯股份有限公司 Safe data transmission method and LTE access network system
CN103929740B (en) * 2013-01-15 2017-05-10 中兴通讯股份有限公司 Safe data transmission method and LTE access network system
WO2015100974A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Terminal authentication method, device and system
US10588015B2 (en) 2013-12-31 2020-03-10 Huawei Technologies Co., Ltd. Terminal authenticating method, apparatus, and system
CN109981273A (en) * 2016-07-01 2019-07-05 华为技术有限公司 Safe consultation method, security function entity, core network element and user equipment
US10880744B2 (en) 2016-07-01 2020-12-29 Huawei Technologies Co., Ltd. Security negotiation method, security function entity, core network element, and user equipment
WO2018120150A1 (en) * 2016-12-30 2018-07-05 华为技术有限公司 Method and apparatus for connection between network entities
CN109936444A (en) * 2017-12-18 2019-06-25 华为技术有限公司 A kind of key generation method and device

Also Published As

Publication number Publication date
CN101977378B (en) 2015-08-12

Similar Documents

Publication Publication Date Title
US20210135878A1 (en) Authentication Mechanism for 5G Technologies
US20230353379A1 (en) Authentication Mechanism for 5G Technologies
US10887295B2 (en) System and method for massive IoT group authentication
CN101945387B (en) The binding method of a kind of access layer secret key and equipment and system
CN101931955B (en) Authentication method, device and system
CN101945386B (en) A kind of method and system realizing safe key synchronous binding
CN102823282B (en) Key authentication method for binary CDMA
CN109076079A (en) The Non-Access Stratum safety of enhancing
CN101931953B (en) Generate the method and system with the safe key of apparatus bound
US8605908B2 (en) Method and device for obtaining security key in relay system
CN101500229A (en) Method for establishing security association and communication network system
CN101951590B (en) Authentication method, device and system
CN101977378B (en) Information transmission method, network side and relay node
CN102595395A (en) Relay node authentication method and system
EP3311599B1 (en) Ultra dense network security architecture and method
CN102595403A (en) Authentication method and authentication device for relay node binding

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150812

Termination date: 20200930