CN101999240B - Communication method, device and communication system between base stations - Google Patents


Info

Publication number
CN101999240B
Authority
CN
China
Prior art keywords
base station
key
base stations
message
neighbor base
Legal status
Active
Application number
CN200980123374XA
Other languages
Chinese (zh)
Other versions
CN101999240A (en)
Inventor
牟梦雅
夏林峰
李铮铮
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN101999240A
Application granted
Publication of CN101999240B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04W  WIRELESS COMMUNICATION NETWORKS
    • H04W12/00  Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06  Authentication
    • H04W12/069  Authentication using certificates or pre-shared keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A communication method, device and communication system between base stations are disclosed. The communication method between base stations comprises: after a broadcast message of a neighbor base station is detected, obtaining the key of the neighbor base station on the basis of that broadcast message, and authenticating messages sent by the neighbor base station using the key of the neighbor base station. With this technical solution a base station can confirm the legitimacy of the identity of the peer base station it communicates with, so the security of communication between base stations is improved.

Description

Communication method, device and communication system between base stations

Technical field

The present invention relates to the field of communication technology, and in particular to a communication method, device and communication system between base stations.

Background

With the rapid increase in the number of mobile communication users and the continual rise in user demands, mobile communication system equipment has diversified. The HNB (Home NodeB) or HeNB (Home Evolved NodeB) is a small-scale base station aimed at homes, schools, enterprises and similar deployments. A network built on HNBs or HeNBs can effectively improve indoor coverage, raise indoor access rates, reduce latency and meet a wide range of user requirements; at the same time it offloads the macro base stations, whose capacity can then serve mainly outdoor and moving users.

In the prior art, if an H(e)NB wishes to exchange information with another H(e)NB, it sends the information over the public IP network to the core network, which then forwards it to the other H(e)NB or to an eNB (Evolved NodeB) located in the operator's private network. This mode of inter-H(e)NB communication has a large message transmission delay, which easily causes problems such as late delivery of messages between H(e)NBs and wasted back-end resources. In addition, H(e)NBs are deployed in large numbers; if all communication between them is relayed through the core network, it places a heavy burden on core network equipment.

In theory, H(e)NBs could communicate directly over the air interface, reducing delay and relieving the core network. However, direct communication between H(e)NBs over the air interface raises a security problem: an H(e)NB cannot confirm the identity of its communication peer, nor does it know whether the messages the peer sends are trustworthy. An attacker can therefore impersonate an H(e)NB and communicate with a legitimate H(e)NB, disrupting the legitimate H(e)NB's normal resource configuration, handover and other operations.

Summary of the invention

Embodiments of the present invention provide a communication method, device and communication system between base stations to improve the security of communication between H(e)NBs. The technical solution is as follows:

A communication method between base stations, comprising: after detecting a broadcast message of a neighbor base station,

obtaining the identity of the neighbor base station from the broadcast message of the neighbor base station;

sending a key request message to the core network, the key request message carrying the identity of the neighbor base station;

receiving a key response message sent by the core network, the key response message carrying the key of the neighbor base station;

using the key of the neighbor base station to authenticate messages sent by the neighbor base station.

A base station, comprising:

an identifier obtaining subunit, configured to obtain, after a broadcast message of a neighbor base station is detected, the identity of the neighbor base station from the broadcast message of the neighbor base station;

a key request subunit, configured to send a key request message to the core network, the key request message carrying the identity of the neighbor base station;

a key receiving subunit, configured to receive a key response message sent by the core network, the key response message carrying the key of the neighbor base station;

a message authentication unit, configured to use the key of the neighbor base station to authenticate messages sent by the neighbor base station.

A communication system, comprising a core network and at least two base stations;

a second base station, configured to, after detecting a broadcast message of an adjacent first base station, obtain the identity of the neighbor base station from the broadcast message of the first base station, and to send a key request message to the core network, the key request message carrying the identity of the first base station;

the core network, configured to send a key response message to the second base station according to the key request message, the key response message carrying the key of the first base station;

the second base station receives the key response message sent by the core network and uses the key of the first base station to authenticate messages sent by the first base station.

With the technical solution provided by the embodiments of the present invention, before the second H(e)NB communicates with the first H(e)NB, it first obtains the key of the first H(e)NB on the basis of the first H(e)NB's broadcast message. When a message from the first H(e)NB arrives, the key is used to authenticate it, confirming the identity of the sender and the trustworthiness of the message source. If an attacker impersonates the first H(e)NB and sends a message to the second H(e)NB, authentication fails and the second H(e)NB can reject the message. Furthermore, every H(e)NB in the network can use this mechanism to confirm the identity of its communication peer, thereby improving the security of communication between H(e)NBs.

Description of the drawings

Fig. 1 is a flowchart of the method of Embodiment 1 of the present invention;

Fig. 2 is a flowchart of the method of Embodiment 2 of the present invention;

Fig. 3 is a flowchart of the method of Embodiment 3 of the present invention;

Fig. 4 is a schematic structural diagram of a base station according to an embodiment of the present invention;

Fig. 5 is another schematic structural diagram of a base station according to an embodiment of the present invention;

Fig. 6 is a schematic structural diagram of the core network of a communication system according to an embodiment of the present invention;

Fig. 7 is another schematic structural diagram of the core network of a communication system according to an embodiment of the present invention.

Detailed description of the embodiments

First, the communication method between base stations of the embodiments of the present invention is described. It comprises:

after detecting a broadcast message of a neighbor base station, the base station obtains the key of the neighbor base station on the basis of that broadcast message, and uses the key of the neighbor base station to authenticate messages sent by the neighbor base station.

The base station may be an HNB or an HeNB. With this technical solution, before the second H(e)NB communicates with the first H(e)NB, it first obtains the key of the first H(e)NB on the basis of the first H(e)NB's broadcast message. When a message from the first H(e)NB arrives, the key is used to authenticate it and confirm the sender's identity. If an attacker impersonates the first H(e)NB and sends a message to the second H(e)NB, authentication fails and the second H(e)NB can reject the message. Furthermore, every H(e)NB in the network can use this mechanism to confirm the identity of its communication peer, thereby improving the security of communication between H(e)NBs.

To help those skilled in the art better understand the technical solution of the present invention, specific embodiments are described in further detail below with reference to the accompanying drawings.

Embodiment 1:

Fig. 1 is a flowchart of a method for secure communication between base stations provided by an embodiment of the present invention. It comprises the following steps:

S101: base station 2 obtains the identity of base station 1.

By listening over the air interface to the broadcast messages of its neighbor base stations, a base station can obtain a variety of information about them, such as carrier configuration and cell load status. The base station may listen when it first starts up, or periodically.

In this embodiment, base station 1 is assumed to be a neighbor of base station 2. By listening to the broadcast message of base station 1, base station 2 can obtain a unique identifier of base station 1, such as its base station ID or Cell ID.

S102: base station 2 sends a key request message to the core network.

Once base station 2 has heard the broadcast message of base station 1, base station 1 is within range for direct communication with base station 2. To secure the subsequent communication, base station 2 sends a key request message to the core network, requesting the key used to authenticate messages sent by base station 1. The key request message carries the identifier of base station 1.

S103: the core network verifies the identity of base station 1.

Before it is admitted to the core network, every base station must perform mutual authentication with the core network. For a base station with a legitimate identity, the core network therefore holds its authentication information.

After receiving the key request message, the core network verifies the identity of base station 1 according to the identifier carried in the message: it checks whether it holds authentication information for base station 1. If so, the identity of base station 1 is considered legitimate and the core network looks up the key of base station 1.

Preferably, after receiving the key request message the core network can first verify the identity of the message's sender (base station 2) and confirm whether base station 2 is authorised to obtain the key of base station 1, further improving security.

S104: the core network sends a key response message to base station 2.

If the verification in S103 passes, the core network sends a key response message to base station 2 carrying the key of base station 1. If verification fails, no key is carried in the response message.

S105: base station 2 uses the key of base station 1 to authenticate messages sent by base station 1.

Base station 2 receives the key response message from the core network. If the response carries no key, base station 1 does not have a legitimate identity and base station 2 refuses to accept messages from base station 1.

If the response message carries the key of base station 1, the identity of base station 1 is legitimate and base station 2 may communicate with it. Base station 2 stores the identity of base station 1 together with the obtained key; when it later receives a message from base station 1, it uses base station 1's key to authenticate the message and confirm the trustworthiness of its source. Every message a base station sends is a signed message processed with its own key, so if an attacker impersonates base station 1 and sends a message to base station 2, the message fails base station 2's authentication because the attacker does not have base station 1's key.

Those skilled in the art will understand that the above flow applies to base station 1 and base station 2 alike: after base station 1 hears the broadcast message of base station 2, it can obtain base station 2's key by the same method and use it to authenticate messages from base station 2. In practice, each base station maintains a neighbor list; it can obtain from the core network the key of every neighbor in that list and store the keys alongside the list. When base stations communicate with one another, each message is authenticated with the corresponding key, which secures the communication between them.

It should be noted that in this embodiment each base station actively obtains the keys of other base stations from the core network. In practice, the core network may instead trigger a base station to run the key acquisition procedure, or actively provide the key to the base station. For example, if the key of a base station changes, the core network can send a message to the other base stations instructing them to re-acquire the updated key; alternatively, the core network can use its record of previously sent key response messages to send the updated key directly to the affected base stations.

In this embodiment, a base station obtains the key of its communication peer by sending a key request to the core network and uses that key to authenticate messages from the peer. In effect, the core network vouches for the legitimacy of both base stations' identities, while each base station itself ensures the trustworthiness of the messages it subsequently receives. For the core network, handling a key request message only requires checking whether it holds authentication information for the base station corresponding to the identifier, which consumes few resources. Moreover, the subsequent message exchange between base stations does not involve the core network, so the latency between base stations is reduced and the load on the core network is lightened.
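
The flow of S101 to S105, as an added example that is not part of the patent: a small Python simulation in which the core network acts as the key registry and base station 2 authenticates messages from base station 1 with the key it obtained. The patent fixes neither the cryptographic primitive nor the message format; the symmetric-key and HMAC-SHA256 choice, the `cell_id` field of the broadcast, and the class and function names are assumptions of this example.

```python
"""Embodiment 1 (S101 to S105) as a small simulation: added example, not the
patent's own code. Assumptions: each base station shares a symmetric key with
the core network, messages carry an HMAC-SHA256 tag, and the broadcast message
is a dict whose "cell_id" field is the unique identifier of S101."""
from __future__ import annotations

import hashlib
import hmac
import os


def sign(key: bytes, sender_id: str, payload: bytes) -> bytes:
    """Tag over sender identity and payload (HMAC-SHA256 is this example's choice)."""
    return hmac.new(key, sender_id.encode() + b"\x00" + payload, hashlib.sha256).digest()


def verify(key: bytes, sender_id: str, payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a bad tag leaks nothing through timing."""
    return hmac.compare_digest(sign(key, sender_id, payload), tag)


class CoreNetwork:
    """Keeps the authentication record (here simply the key) of every base
    station that completed mutual authentication when it attached (S103)."""

    def __init__(self) -> None:
        self._registered: dict[str, bytes] = {}

    def register(self, cell_id: str) -> bytes:
        key = os.urandom(32)
        self._registered[cell_id] = key
        return key

    def key_request(self, requester_id: str, neighbor_id: str) -> bytes | None:
        """S103/S104: the preferred check of the requester comes first, then the
        neighbor's record is looked up. None means the response carries no key."""
        if requester_id not in self._registered:
            return None
        return self._registered.get(neighbor_id)


class BaseStation:
    def __init__(self, cell_id: str, core: CoreNetwork) -> None:
        self.cell_id = cell_id
        self.core = core
        self.key = core.register(cell_id)
        self.neighbor_keys: dict[str, bytes] = {}  # neighbor list with keys (S105)

    def broadcast(self) -> dict:
        """S101: the broadcast carries the unique identifier (Cell ID assumed)."""
        return {"cell_id": self.cell_id}

    def hear_broadcast(self, broadcast: dict) -> bool:
        """S101, S102, S105: learn the neighbor id, ask the core network for its
        key and store it. False means no key came back, so the neighbor's
        messages will be refused."""
        neighbor_id = broadcast["cell_id"]
        key = self.core.key_request(self.cell_id, neighbor_id)
        if key is None:
            return False
        self.neighbor_keys[neighbor_id] = key
        return True

    def send(self, payload: bytes) -> tuple[str, bytes, bytes]:
        """Every outgoing message is signed with the sender's own key."""
        return (self.cell_id, payload, sign(self.key, self.cell_id, payload))

    def receive(self, msg: tuple[str, bytes, bytes]) -> bytes | None:
        """S105: authenticate with the stored neighbor key; None means rejected."""
        sender_id, payload, tag = msg
        key = self.neighbor_keys.get(sender_id)
        if key is None or not verify(key, sender_id, payload, tag):
            return None
        return payload


def demo() -> dict[str, bool]:
    core = CoreNetwork()
    bs1 = BaseStation("cell-1", core)
    bs2 = BaseStation("cell-2", core)
    results = {}
    results["key_obtained"] = bs2.hear_broadcast(bs1.broadcast())
    results["genuine_accepted"] = bs2.receive(bs1.send(b"handover request")) == b"handover request"
    # Impersonation: a sender claiming to be cell-1 but without cell-1's key.
    forged = ("cell-1", b"handover request", sign(os.urandom(32), "cell-1", b"handover request"))
    results["forgery_rejected"] = bs2.receive(forged) is None
    # Identifier with no record at the core network: the response carries no key.
    results["unknown_refused"] = not bs2.hear_broadcast({"cell_id": "cell-unknown"})
    return results


if __name__ == "__main__":
    print(demo())
```

The tag covers only the sender identity and the payload, which is all the text calls for; an intercepted genuine message could therefore be replayed verbatim, so a deployment would also place a sequence number or timestamp under the tag and have the receiver track it.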

Embodiment 2:

Fig. 2 is a flowchart of another method for secure communication between base stations provided by an embodiment of the present invention. It comprises the following steps:

S201: base station 2 obtains the broadcast certificate of base station 1.

In this embodiment base station 1 is again assumed to be a neighbor of base station 2. By listening to base station 1's broadcast message, base station 2 obtains base station 1's broadcast certificate. The broadcast certificate carries base station 1's key and has been signed by base station 1 with a third-party signature key.

The third-party signature key is provided by a certification authority (for example, the core network), which provides it only to base stations with a legitimate identity. The third-party signature key may be pre-configured in the base station, obtained by the base station from the certification authority in real time, or issued to the base station by the certification authority in real time. Further, the third-party signature key may be static or may change dynamically. A dynamically changing third-party signature key further improves security; in that case the base station must obtain it from the certification authority in real time, or the certification authority must issue it to the base station in real time.

S202: base station 2 authenticates base station 1's broadcast certificate using the third-party signature key.

After obtaining base station 1's broadcast certificate, base station 2 authenticates it with the third-party signature key. Because the certification authority provides the third-party signature key only to base stations with a legitimate identity, authenticating base station 1's broadcast certificate amounts to verifying that base station 1 has a legitimate identity. If authentication passes, the key of base station 1 carried in the broadcast certificate is stored.

S203: base station 2 uses the key of base station 1 to authenticate messages sent by base station 1.

This step is similar to S105 and is not repeated here.

As in Embodiment 1, the above flow applies to base station 1 and base station 2 alike. In practice, every legitimate base station signs its own broadcast certificate with the third-party signature key and obtains the broadcast certificate of each neighbor base station; if a broadcast certificate passes authentication, the corresponding key is extracted and stored alongside the neighbor list. When base stations communicate with one another, each message is authenticated with the corresponding key, which secures the communication between them.

In this embodiment, each base station authenticates the broadcast certificates of other base stations using the third-party signature key, so that the base station itself verifies the legitimacy of its peer's identity. Compared with Embodiment 1, this further reduces the load on the core network.
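
The broadcast-certificate flow of S201 and S202, as an added example that is not part of the patent. The text does not say what kind of key the third-party signature key is or how a rotating key is identified; this example assumes a symmetric key that the certification authority hands only to admitted base stations, HMAC-SHA256 over a JSON certificate body, and an epoch number to track the dynamically changing key. The class name, field names and the `cell_id` check are this example's choices.

```python
"""Embodiment 2 (S201 to S203): broadcast certificates authenticated with a
third-party signature key. Added example, not the patent's own code.
Assumptions: the third-party key is a symmetric key the certification authority
(the core network) hands only to legitimate base stations, certificates are
authenticated with HMAC-SHA256, and a rotating key is tracked by an epoch
number so the "dynamically changing" variant can be shown."""
from __future__ import annotations

import hashlib
import hmac
import json
import os


class CertificationAuthority:
    """Issues the third-party signature key to legitimate base stations only and
    rotates it; only the current epoch's key is ever handed out."""

    def __init__(self) -> None:
        self.epoch = 0
        self._key = os.urandom(32)
        self._legitimate: set[str] = set()

    def admit(self, cell_id: str) -> None:
        self._legitimate.add(cell_id)

    def rotate(self) -> None:
        self.epoch += 1
        self._key = os.urandom(32)

    def third_party_key(self, cell_id: str, epoch: int) -> bytes | None:
        if cell_id not in self._legitimate or epoch != self.epoch:
            return None
        return self._key


def make_broadcast_certificate(cell_id: str, own_key: bytes, tp_key: bytes, epoch: int) -> dict:
    """S201, sender side: the body carries the station's own key; the
    signature is computed under the third-party key."""
    body = json.dumps({"cell_id": cell_id, "key": own_key.hex(), "epoch": epoch},
                      sort_keys=True).encode()
    return {"body": body, "epoch": epoch, "sig": hmac.new(tp_key, body, hashlib.sha256).digest()}


def authenticate_broadcast_certificate(cert: dict, me: str, ca: CertificationAuthority,
                                       claimed_id: str) -> bytes | None:
    """S202: fetch the third-party key for the certificate's epoch in real time,
    check the signature, check that the certified identity is the one that
    broadcast it, and return the neighbor's key. None means not legitimate."""
    tp_key = ca.third_party_key(me, cert["epoch"])
    if tp_key is None:
        return None
    expected = hmac.new(tp_key, cert["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return None
    fields = json.loads(cert["body"])
    if fields["cell_id"] != claimed_id or fields["epoch"] != cert["epoch"]:
        return None
    return bytes.fromhex(fields["key"])


def demo() -> dict[str, bool]:
    ca = CertificationAuthority()
    ca.admit("cell-1")
    ca.admit("cell-2")
    key1 = os.urandom(32)
    cert1 = make_broadcast_certificate("cell-1", key1, ca.third_party_key("cell-1", ca.epoch), ca.epoch)
    results = {}
    results["genuine_accepted"] = authenticate_broadcast_certificate(cert1, "cell-2", ca, "cell-1") == key1
    # A station never admitted by the authority has no third-party key, so its certificate fails.
    forged = make_broadcast_certificate("cell-1", os.urandom(32), os.urandom(32), ca.epoch)
    results["forged_rejected"] = authenticate_broadcast_certificate(forged, "cell-2", ca, "cell-1") is None
    # A genuine certificate rebroadcast under another cell id is rejected by the identity check.
    results["wrong_id_rejected"] = authenticate_broadcast_certificate(cert1, "cell-2", ca, "cell-3") is None
    # After rotation only certificates signed under the new epoch are accepted.
    ca.rotate()
    results["stale_epoch_rejected"] = authenticate_broadcast_certificate(cert1, "cell-2", ca, "cell-1") is None
    cert1_new = make_broadcast_certificate("cell-1", key1, ca.third_party_key("cell-1", ca.epoch), ca.epoch)
    results["new_epoch_accepted"] = authenticate_broadcast_certificate(cert1_new, "cell-2", ca, "cell-1") == key1
    return results


if __name__ == "__main__":
    print(demo())
```

With a symmetric third-party key, every holder can produce a certificate for any identity, so the guarantee rests entirely on the authority issuing the key only to legitimate stations, exactly as the text states; a compromised legitimate station would undermine it, which is why the identity check and the real-time, rotating key matter, and why a deployment might prefer an asymmetric signature issued by the authority itself.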

Embodiment 3:

The two embodiments above describe how to ensure the legitimacy of both parties' identities and the trustworthiness of messages in communication between base stations. Building on those solutions, this embodiment further provides a communication method between base stations that improves confidentiality. The flow is shown in Fig. 3. It is assumed below that base station 1 and base station 2 both have legitimate identities and have already obtained each other's keys (let the key of base station 1 be key1 and the key of base station 2 be key2).

S301: base station 1 encrypts the message to be sent to base station 2 using key2.

Having applied Embodiment 1 or 2, base station 1 already holds base station 2's key key2. For a message about to be sent to base station 2, base station 1 can first encrypt it with key2, producing a ciphertext message.

S302: base station 1 sends the encrypted message to base station 2.

Base station 1 sends the ciphertext message to base station 2. As follows from Embodiment 1 or 2, when sending the message base station 1 additionally signs the ciphertext message with its own key key1.

S303: base station 2 receives the message and decrypts it using key2.

After receiving the ciphertext message from base station 1, base station 2 first authenticates the message with key1; once the trustworthiness of the source is confirmed, it decrypts the ciphertext with key2 (or the private key corresponding to key2).

The above flow applies to base station 1 and base station 2 alike. Moreover, those skilled in the art will understand that base station 1 or base station 2 may also pre-determine a dedicated communication key, encrypt it with the other party's key and deliver it to the other party; base station 1 and base station 2 then use that dedicated key for confidential communication.

Compared with Embodiments 1 and 2, this embodiment, while still ensuring the legitimacy of both parties' identities and the trustworthiness of messages, further improves the confidentiality of communication and prevents the content from being obtained by third parties; moreover, the process does not involve the core network.
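
The encrypt-then-sign exchange of S301 to S303, as an added example that is not part of the patent. The text leaves the ciphers open; this example assumes key1 and key2 are symmetric secrets already exchanged as in Embodiment 1 or 2, signs with HMAC-SHA256 under the sender's key, and encrypts with a keystream derived from HMAC-SHA256 in counter mode under the receiver's key (an illustrative stream cipher chosen so the block runs on the standard library alone; a production stack would use a vetted AEAD such as AES-GCM). The function names and message fields are this example's.

```python
"""Embodiment 3 (S301 to S303): encrypt under the receiver's key, sign under
the sender's key, and authenticate before decrypting. Added example, not the
patent's own code. Assumptions: key1/key2 are symmetric secrets shared as in
Embodiment 1 or 2; HMAC-SHA256 signature; HMAC-SHA256 counter-mode keystream
standing in for a real cipher so the example needs only the standard library."""
from __future__ import annotations

import hashlib
import hmac
import os

KEY1 = os.urandom(32)  # base station 1's key, known to both stations (Embodiment 1 or 2)
KEY2 = os.urandom(32)  # base station 2's key, known to both stations


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh 16-byte nonce per message, prepended to the XORed body."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def bs1_send(plaintext: bytes) -> dict:
    """S301/S302: encrypt under key2, then sign sender id plus ciphertext under key1."""
    ct = encrypt(KEY2, plaintext)
    return {"sender": "cell-1", "ciphertext": ct, "sig": sign(KEY1, b"cell-1" + ct)}


def bs2_receive(msg: dict) -> bytes | None:
    """S303: authenticate with key1 first; only a message that passes is decrypted
    with key2. None means the message was rejected before any decryption."""
    expected = sign(KEY1, msg["sender"].encode() + msg["ciphertext"])
    if not hmac.compare_digest(expected, msg["sig"]):
        return None
    return decrypt(KEY2, msg["ciphertext"])


def demo() -> dict[str, bool]:
    results = {}
    msg = bs1_send(b"load report: 73%")
    results["roundtrip"] = bs2_receive(msg) == b"load report: 73%"
    results["plaintext_hidden"] = b"load report" not in msg["ciphertext"]
    # One flipped ciphertext bit: the signature check fails and nothing is decrypted.
    ct = msg["ciphertext"]
    tampered = dict(msg, ciphertext=ct[:16] + bytes([ct[16] ^ 1]) + ct[17:])
    results["tamper_rejected"] = bs2_receive(tampered) is None
    # A third party holding neither key cannot produce a valid signature.
    forged = {"sender": "cell-1", "ciphertext": encrypt(os.urandom(32), b"x"), "sig": os.urandom(32)}
    results["forgery_rejected"] = bs2_receive(forged) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The dedicated communication key mentioned in the text is the same exchange with a freshly generated key as the plaintext: base station 1 encrypts it under key2 and signs under key1, and both stations then use it for subsequent traffic. Checking the signature before decrypting, as S303 orders it, means a forged or altered ciphertext never reaches the decryption routine.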

By applying the technical solution provided by the embodiments of the present invention, the security of direct communication between H(e)NBs can be ensured. Besides reducing delay and relieving the core network, direct communication between H(e)NBs assists the self-configuration and self-optimisation of H(e)NBs and benefits interference coordination and fast handover. For example, when an H(e)NB starts up it can learn its neighbors' configuration from the surrounding information: by reading neighbors' broadcast messages it obtains the configuration of surrounding cells, such as the number of carriers in use, carrier usage, the current cell's load status and the neighbor cell configuration, and the newly started H(e)NB completes its own parameter settings according to the neighbor information it has heard. While running, an H(e)NB can also monitor the surrounding cells in real time and perform resource scheduling and reconfiguration of its operating parameters, for instance to avoid mutual interference.

Several specific embodiments of the present invention have been described above. It should be noted that the technical solution of the present invention is proposed for the HNB or HeNB application environment, but all or part of the solution may also be applied in other similar communication environments to improve communication security; these too fall within the scope of protection of the present invention.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM (Read-Only Memory), RAM (Random Access Memory), magnetic disks, optical discs and other media capable of storing program code.

实施例四:Embodiment four:

相应于上面的方法实施例,本发明实施例还提供一种基站,参见图4所示,包括:Corresponding to the above method embodiment, the embodiment of the present invention also provides a base station, as shown in FIG. 4, including:

密钥获得单元410,用于在检测到邻居基站的广播消息后,根据所述邻居基站的广播消息,获得所述邻居基站的密钥;The key obtaining unit 410 is configured to obtain the key of the neighbor base station according to the broadcast message of the neighbor base station after detecting the broadcast message of the neighbor base station;

消息鉴权单元420,用于使用所述邻居基站的密钥,对所述邻居基站发送的消息进行鉴权。The message authentication unit 420 is configured to use the key of the neighbor base station to authenticate the message sent by the neighbor base station.

本发明实施例所提供的基站,使用邻居基站的密钥,对邻居基站发送的消息进行鉴权,以确保消息发送方的身份合法性。The base station provided by the embodiment of the present invention uses the key of the neighbor base station to authenticate the message sent by the neighbor base station, so as to ensure the legality of the message sender's identity.

进一步的,所述密钥获得单元410,可以包括:Further, the key obtaining unit 410 may include:

标识符获得子单元,用于从所述邻居基站的广播消息中,获得所述邻居基站的标识;an identifier obtaining subunit, configured to obtain the identifier of the neighbor base station from the broadcast message of the neighbor base station;

密钥请求子单元,用于向核心网发送密钥请求消息,所述密钥请求消息中携带所述邻居基站的标识;a key request subunit, configured to send a key request message to the core network, where the key request message carries the identity of the neighboring base station;

a key receiving subunit, configured to receive a key response message sent by the core network, the key response message carrying the key of the neighbor base station.

The base station above obtains the key of its communication peer by sending a key request to the core network, and uses that key to authenticate messages received from the peer. In effect, the core network guarantees the legitimacy of both base stations' identities, while each base station itself guarantees the reliability of the source of the messages it subsequently receives. With this base station, the core network, on receiving a key request message, only needs to check whether it holds authentication information for the base station matching the identifier, which consumes few resources. Moreover, the subsequent message exchange between base stations does not involve the core network, which reduces the communication delay between base stations and at the same time lightens the load on the core network.

The key obtaining unit 410 may alternatively include:

a broadcast certificate obtaining subunit, configured to obtain the broadcast certificate of the neighbor base station from its broadcast message, the broadcast certificate carrying the key of the neighbor base station;

a broadcast certificate authentication subunit, configured to authenticate the broadcast certificate of the neighbor base station using a third-party signature key and, if the authentication passes, to store the key of the neighbor base station; the third-party signature key is provided by a certification authority.

With this base station, each base station authenticates the broadcast certificates of other base stations using the third-party signature key, so that the base station itself guarantees the legitimacy of its peer's identity, which further lightens the load on the core network.

FIG. 5 is a schematic structural diagram of another base station provided by an embodiment of the present invention. Compared with FIG. 4, this base station additionally includes a message decryption unit 430, configured to decrypt a message sent by the neighbor base station using the base station's own key when that message is a ciphertext message.

With this base station, on top of guaranteeing the legitimacy of both parties' identities and the reliability of communication messages, the confidentiality of the communication is further improved and its content is kept from third parties, and this process does not involve the core network.

Embodiment five:

An embodiment of the present invention further provides a communication system, including a core network and at least two base stations;

a second base station, configured to, after detecting the broadcast message of an adjacent first base station, obtain the identifier of the neighbor base station from the broadcast message of the first base station, and send a key request message to the core network, the key request message carrying the identifier of the first base station;

the core network, configured to send a key response message to the second base station according to the key request message, the key response message carrying the key of the first base station;

the second base station receives the key response message sent by the core network and authenticates messages sent by the first base station using the key of the first base station.

Referring to FIG. 6, the core network may include:

a first verification unit 610, configured to verify the identity of the first base station according to the identifier of the first base station after receiving the key request message sent by the second base station;

a key sending unit 620, configured to send a key response message to the second base station after the first verification unit's verification passes, the key response message carrying the key of the first base station.

Referring to FIG. 7, the core network may further include a second verification unit 630, configured to verify the identity of the second base station after receiving the key request message sent by the second base station;

in which case the first verification unit 620 verifies the identity of the first base station according to the identifier of the first base station after the second verification unit 630's verification passes.

In the communication system provided by this embodiment, the core network guarantees the legitimacy of both base stations' identities, while each base station itself guarantees the reliability of the source of the messages it subsequently receives. The core network, on receiving a key request message, only needs to check whether it holds authentication information for the base station matching the identifier, which consumes few resources. Moreover, the subsequent message exchange between base stations does not involve the core network, which reduces the communication delay between base stations and at the same time lightens the load on the core network.

Since the apparatus and system embodiments essentially correspond to the method embodiments, they are described more briefly; for related details, refer to the description of the method embodiments. The apparatus and system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.

The foregoing describes only specific embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (11)

1. An inter-base-station communication method, characterized in that, after detecting a broadcast message of a neighbor base station, the method comprises:
obtaining the identifier of the neighbor base station from the broadcast message of the neighbor base station;
sending a key request message to the core network, the key request message carrying the identifier of the neighbor base station;
receiving a key response message sent by the core network, the key response message carrying the key of the neighbor base station;
authenticating messages sent by the neighbor base station using the key of the neighbor base station.
2. The method according to claim 1, characterized in that,
after receiving the key request message, the core network verifies the identity of the neighbor base station according to the identifier of the neighbor base station and, if the verification passes, sends the key response message.
3. The method according to claim 1, characterized in that the method further comprises:
obtaining the broadcast certificate of the neighbor base station from the broadcast message of the neighbor base station, the broadcast certificate carrying the key of the neighbor base station;
authenticating the broadcast certificate of the neighbor base station using a third-party signature key and, if the authentication passes, storing the key of the neighbor base station; wherein the third-party signature key is provided by a certification authority.
4. The method according to claim 3, characterized in that the third-party signature key is pre-configured or is obtained from the core network on demand.
5. The method according to any one of claims 1 to 4, characterized in that, when the message sent by the neighbor base station is a ciphertext message, the method further comprises:
decrypting the ciphertext message using the base station's own key.
6. A base station, characterized in that it comprises:
an identifier obtaining subunit, configured to obtain the identifier of a neighbor base station from the broadcast message of the neighbor base station after detecting the broadcast message of the neighbor base station;
a key request subunit, configured to send a key request message to the core network, the key request message carrying the identifier of the neighbor base station;
a key receiving subunit, configured to receive a key response message sent by the core network, the key response message carrying the key of the neighbor base station;
a message authentication unit, configured to authenticate messages sent by the neighbor base station using the key of the neighbor base station.
7. The base station according to claim 6, characterized in that the key obtaining unit comprises:
a broadcast certificate obtaining subunit, configured to obtain the broadcast certificate of the neighbor base station from the broadcast message of the neighbor base station, the broadcast certificate carrying the key of the neighbor base station;
a broadcast certificate authentication subunit, configured to authenticate the broadcast certificate of the neighbor base station using a third-party signature key and, if the authentication passes, to store the key of the neighbor base station; wherein the third-party signature key is provided by a certification authority.
8. The base station according to any one of claims 6 to 7, characterized in that the base station further comprises:
a message decryption unit, configured to decrypt the ciphertext message using the base station's own key when the message sent by the neighbor base station is a ciphertext message.
9. A communication system, characterized in that it comprises a core network and at least two base stations;
a second base station, configured to, after detecting the broadcast message of an adjacent first base station, obtain the identifier of the neighbor base station from the broadcast message of the first base station, and send a key request message to the core network, the key request message carrying the identifier of the first base station;
the core network, configured to send a key response message to the second base station according to the key request message, the key response message carrying the key of the first base station;
the second base station receives the key response message sent by the core network and authenticates messages sent by the first base station using the key of the first base station.
10. The communication system according to claim 9, characterized in that the core network comprises:
a first verification unit, configured to verify the identity of the first base station according to the identifier of the first base station after receiving the key request message sent by the second base station;
a key sending unit, configured to send a key response message to the second base station after the first verification unit's verification passes, the key response message carrying the key of the first base station.
11. The communication system according to claim 10, characterized in that the core network further comprises a second verification unit, configured to verify the identity of the second base station after receiving the key request message sent by the second base station; and the first verification unit verifies the identity of the first base station according to the identifier of the first base station after the second verification unit's verification passes.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/071926 WO2010133036A1 (en) 2009-05-22 2009-05-22 Communication method, device and communication system between base stations

Publications (2)

Publication Number Publication Date
CN101999240A CN101999240A (en) 2011-03-30
CN101999240B true CN101999240B (en) 2013-03-13

Family

ID=43125727

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200980123374XA Active CN101999240B (en) 2009-05-22 2009-05-22 Communication method, device and communication system between base stations

Country Status (2)

Country Link
CN (1) CN101999240B (en)
WO (1) WO2010133036A1 (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant