Embodiment
With reference to the accompanying drawings, embodiments of the invention are described in detail.
Referring to Fig. 2, the method for security algorithm negotiation provided by embodiment one of the invention comprises the following.
In embodiment one, the initial layer 3 message is carried in the Radio Resource Connection (RRC) request message, the initial layer 3 response message is carried in the RRC setup message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm.
Step 201: the UE sends an RRC request message to the eNodeB. The request message comprises the AS security capabilities and the initial layer 3 message, and the initial layer 3 message carries the NAS security capabilities. The AS security capabilities are the AS security algorithm information that the UE can support, i.e. the list of AS security algorithms; the NAS security capabilities are the NAS security algorithm information that the UE can support, i.e. the list of NAS security algorithms.
Step 202: the eNodeB stores the AS security capabilities.
Step 203: the eNodeB sends a RANAP message to the MME; this message carries the initial layer 3 message, which carries the NAS security capabilities of the UE.
Step 204: the MME selects the NAS security algorithm according to the NAS security capabilities of the UE and the algorithm information that the network allows the user to use; or according to the NAS security capabilities, the algorithm information that the network allows the user to use and the user's CAMEL-Subscription-Information. The algorithm information that the network allows the user to use at least comprises the AS security algorithm information and the NAS security algorithm information that the user is allowed to use, and the AS security algorithm information that the network allows the user to use comprises the algorithm information supported by this eNodeB itself.
Step 205: the MME creates a NAS Security Mode Command and a first AS Security Mode Command and sends a RANAP message to the eNodeB. This RANAP message carries the initial layer 3 response message, the NAS Security Mode Command and the first AS Security Mode Command; the NAS Security Mode Command carries the first mark, which represents the selected NAS security algorithm, and the first AS Security Mode Command carries the algorithm information that the network allows the user to use.
Step 206: the eNodeB selects the AS security algorithm according to the AS security capabilities and the pre-stored algorithm information supported by this eNodeB itself; or according to the AS security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 207: the eNodeB creates a second AS Security Mode Command, which comprises the second mark representing the selected AS security algorithm, and sends an RRC setup message to the UE; this message carries the second AS Security Mode Command, the NAS Security Mode Command and the initial layer 3 response message.
Step 208: the UE sends an RRC acknowledge message to the eNodeB; this message carries the layer 3 acknowledge message, the NAS Security Mode Command response and the second AS Security Mode Command response.
Step 209: the eNodeB sends a RANAP message to the MME; this message carries the layer 3 acknowledge message and the NAS Security Mode Command response.
The algorithms supported by the UE may not be divided into AS algorithms and NAS algorithms, i.e. an algorithm supported by the UE serves both as an AS algorithm and as a NAS algorithm; in that case the NAS security capabilities and the AS security capabilities are identical and are collectively referred to as the UE security capabilities. When the algorithms supported by the UE do not distinguish AS algorithms from NAS algorithms, the RRC request message in step 201 may comprise the UE security capabilities and the initial layer 3 message, the initial layer 3 message carries the UE security capabilities, and the UE security capabilities can be carried in a single IE; step 202 may then be the eNodeB storing the UE security capabilities. Alternatively, the initial layer 3 message in step 201 does not carry the UE security capabilities, and the RANAP message sent by the eNodeB to the MME in step 203 comprises the initial layer 3 message and the UE security capabilities.
Referring to Fig. 3, the method for security algorithm negotiation provided by embodiment two of the invention comprises the following.
In embodiment two, the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm.
Steps 301 to 303 are identical to steps 201 to 203 of embodiment one.
Step 304: the MME creates a first AS Security Mode Command and sends a RANAP message to the eNodeB; this message carries the first AS Security Mode Command, which carries the algorithm information that the network allows the user to use.
Step 305: the eNodeB selects the AS security algorithm according to the AS security capabilities and the pre-stored algorithm information supported by this eNodeB itself; or according to the AS security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 306: the eNodeB creates a second AS Security Mode Command and sends an RRC setup message to the UE; this message carries the second AS Security Mode Command, which contains the second mark representing the selected AS security algorithm.
Step 307: the UE sends an RRC acknowledge message to the eNodeB; this message carries the second AS Security Mode Command response.
Step 308: the MME selects the NAS security algorithm according to the NAS security capabilities of the UE and the algorithm information that the network allows the user to use; or according to the NAS security capabilities, the algorithm information that the network allows the user to use and the user's CAMEL-Subscription-Information.
Step 309: the MME creates a NAS Security Mode Command and sends a RANAP message to the eNodeB; this RANAP message carries the NAS Security Mode Command, which carries the first mark representing the selected NAS security algorithm.
Step 310: the eNodeB sends an RRC message to the UE; this message carries the NAS Security Mode Command, which carries the first mark representing the selected NAS security algorithm.
Step 311: the UE sends an RRC message to the eNodeB; this message carries the NAS Security Mode Command response.
Step 312: the eNodeB sends a RANAP message to the MME; this message carries the NAS Security Mode Command response.
Step 313: the MME sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message.
Step 314: the eNodeB sends an RRC message to the UE; this message carries the initial layer 3 response message.
The initial layer 3 response message of steps 313 and 314 may be sent together with the NAS Security Mode Command of steps 309 and 310; or together with the AS Security Mode Command of steps 304 and 306; or the NAS Security Mode Command of steps 309 and 310 may be sent together with the AS Security Mode Command of steps 304 and 306. None of this affects the realization of the invention.
Referring to Fig. 4, the method for security algorithm negotiation provided by embodiment three of the invention comprises the following.
In embodiment three, the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm.
Steps 401 to 404 are identical to steps 201 to 204 of embodiment one.
Step 405: the MME sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message, which carries the first mark representing the selected NAS security algorithm.
Step 406: the eNodeB sends an RRC setup message to the UE; this message comprises the initial layer 3 response message carrying the first mark.
Step 407: the MME creates a first AS Security Mode Command and sends a RANAP message to the eNodeB; this message carries the first AS Security Mode Command, which carries the algorithm information that the network allows the user to use.
Step 408: the eNodeB selects the AS security algorithm according to the AS security capabilities and the pre-stored algorithm information supported by this eNodeB itself; or according to the AS security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 409: the eNodeB creates a second AS Security Mode Command and sends an RRC message to the UE; this message carries the second AS Security Mode Command, which carries the first mark representing the selected AS security algorithm.
Step 410: the UE sends an RRC message to the eNodeB; this message carries the second AS Security Mode Command response.
Referring to Fig. 5, the method for security algorithm negotiation provided by embodiment four of the invention comprises the following.
In embodiment four, the initial layer 3 message is carried in the RRC request message, the initial layer 3 response message is carried in the RRC setup message, and the MME selects both the NAS security algorithm and the AS security algorithm.
Step 501: the UE sends an RRC request message to the eNodeB; the request message comprises the initial layer 3 message, which carries the NAS security capabilities and the AS security capabilities. That is, two IEs need to be defined in the initial layer 3 message, carrying the AS security capabilities and the NAS security capabilities respectively.
The algorithms supported by the UE may not be divided into AS algorithms and NAS algorithms; in that case the NAS security capabilities and the AS security capabilities are identical and are collectively referred to as the UE security capabilities. When the algorithms supported by the UE do not distinguish AS algorithms from NAS algorithms, the initial layer 3 message carries the UE security capabilities, which can be carried in a single IE.
Step 502: the eNodeB sends a RANAP message to the MME; this message carries the initial layer 3 message and may also carry the algorithm information supported by the eNodeB itself. The initial layer 3 message carries the NAS security capabilities and the AS security capabilities, or the UE security capabilities.
Step 503: the MME selects the NAS security algorithm according to the NAS security capabilities of the UE and the algorithms that the network allows the user to use, or according to the NAS security capabilities, the algorithms that the network allows the user to use and the user's CAMEL-Subscription-Information; and the MME selects the AS security algorithm according to the AS security capabilities and the algorithm information supported by the eNodeB itself in the received RANAP message, or according to the AS security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 504: the MME creates a NAS Security Mode Command and a third AS Security Mode Command and sends a RANAP message to the eNodeB. This RANAP message carries the initial layer 3 response message, the NAS Security Mode Command and the third AS Security Mode Command; the NAS Security Mode Command carries the first mark representing the selected NAS security algorithm, and the third AS Security Mode Command carries the second mark representing the selected AS security algorithm.
Step 505: the eNodeB learns the selected AS security algorithm from the second mark carried in the third AS Security Mode Command.
Step 506: the eNodeB creates a fourth AS Security Mode Command and sends an RRC setup message to the UE; this message comprises the fourth AS Security Mode Command, the NAS Security Mode Command and the initial layer 3 response message, where the fourth AS Security Mode Command carries the second mark.
Step 507: the UE sends an RRC acknowledge message to the eNodeB; this message carries the layer 3 acknowledge message, the NAS Security Mode Command response and the fourth AS Security Mode Command response.
Step 508: the eNodeB sends a RANAP message to the MME; this message carries the layer 3 acknowledge message and the NAS Security Mode Command response.
In step 502, the RANAP message sent by the eNodeB to the MME may instead omit the algorithm information supported by the eNodeB itself; that information can be configured directly on the MME.
Likewise, in embodiments two and three, the MME may select both the NAS security algorithm and the AS security algorithm to realize the security algorithm negotiation, without affecting the realization of the invention.
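As an added example (not part of the patent and not the applicant's code), the following Python models the exchange of embodiment one (steps 201 to 209, in which the eNodeB selects the AS security algorithm) and of embodiment four (steps 501 to 508, in which the MME selects both algorithms, with the eNodeB's supported-algorithm information either carried in the RANAP message of step 502 or configured on the MME). The algorithm identifiers, the message field names, the rule that the network-allowed list is ordered by preference, and the UE-side check that each received mark names an algorithm the UE itself advertised are all assumptions; the patent text does not specify them.

```python
# Added example, not the patent's code. Simulates embodiment one (steps
# 201-209, eNodeB selects the AS algorithm) and embodiment four (steps
# 501-508, MME selects both). Identifiers, field names, the preference
# rule and the UE-side check are constructed assumptions.

# Constructed placeholder identifiers, listed in network preference order.
NETWORK_ALLOWED = {
    "NAS": ["NAS-ALG-3", "NAS-ALG-2", "NAS-ALG-1"],
    "AS": ["AS-ALG-3", "AS-ALG-2", "AS-ALG-1"],
}


def select_algorithm(ue_caps, allowed, supported=None, subscription=None):
    """Return the first network-allowed algorithm that the UE supports,
    that the serving node supports (when `supported` is given) and that the
    user's subscription permits (when `subscription` is given), else None."""
    for alg in allowed:
        if alg not in ue_caps:
            continue
        if supported is not None and alg not in supported:
            continue
        if subscription is not None and alg not in subscription:
            continue
        return alg
    return None


def negotiate(ue_nas_caps, ue_as_caps, enb_supported, mme_selects_as=False,
              enb_info_in_ranap=True, mme_configured_enb_info=None,
              subscription=None):
    """Run the exchange and return the agreed {'nas': ..., 'as': ...}.
    Raises ValueError when no common algorithm exists, when the MME has no
    eNodeB algorithm information, or when a mark the UE receives is outside
    its own capabilities (an assumed UE-side check)."""
    # Step 201 / 501: UE -> eNodeB RRC request carrying the initial layer 3
    # message. Embodiment one carries the AS capabilities in the RRC request
    # itself; embodiment four carries both lists inside the layer 3 message.
    if mme_selects_as:
        rrc_request = {"l3": {"nas_caps": ue_nas_caps, "as_caps": ue_as_caps}}
    else:
        rrc_request = {"as_caps": ue_as_caps, "l3": {"nas_caps": ue_nas_caps}}

    # Step 202: eNodeB keeps the AS capabilities for its own selection later.
    enb_stored_as_caps = rrc_request.get("as_caps")

    # Step 203 / 502: eNodeB -> MME RANAP message; in embodiment four the
    # eNodeB may also include the algorithms it supports itself.
    ranap = {"l3": rrc_request["l3"]}
    if mme_selects_as and enb_info_in_ranap:
        ranap["enb_supported"] = enb_supported

    # Step 204 / 503: MME selects the NAS algorithm from the UE's NAS
    # capabilities, the network-allowed list and (optionally) subscription.
    nas_alg = select_algorithm(ranap["l3"]["nas_caps"], NETWORK_ALLOWED["NAS"],
                               subscription=subscription)
    if nas_alg is None:
        raise ValueError("no common NAS security algorithm")
    nas_smc = {"first_mark": nas_alg}  # NAS Security Mode Command

    if mme_selects_as:
        # Step 503: the MME also selects the AS algorithm, using eNodeB
        # support information from the RANAP message or configured on the
        # MME, and signals it in the third AS SMC (step 504).
        enb_info = ranap.get("enb_supported", mme_configured_enb_info)
        if enb_info is None:
            raise ValueError("MME has no eNodeB algorithm information")
        as_alg = select_algorithm(ranap["l3"]["as_caps"], NETWORK_ALLOWED["AS"],
                                  supported=enb_info)
        # Steps 505 / 506: eNodeB reads the second mark and builds the
        # fourth AS SMC for the UE from it.
        as_smc_to_ue = {"second_mark": as_alg}
    else:
        # Step 205: the first AS SMC carries the network-allowed AS list.
        first_as_smc = {"allowed": NETWORK_ALLOWED["AS"]}
        # Step 206: eNodeB selects from the stored UE AS capabilities, the
        # allowed list and its own supported algorithms.
        as_alg = select_algorithm(enb_stored_as_caps, first_as_smc["allowed"],
                                  supported=enb_supported)
        # Step 207: the second AS SMC carries the second mark.
        as_smc_to_ue = {"second_mark": as_alg}
    if as_alg is None:
        raise ValueError("no common AS security algorithm")

    # Step 207 / 506: eNodeB -> UE RRC setup message with both SMCs and the
    # initial layer 3 response message.
    rrc_setup = {"as_smc": as_smc_to_ue, "nas_smc": nas_smc, "l3_response": {}}

    # Assumed UE-side check: each received mark must name an algorithm the
    # UE itself advertised; otherwise the UE refuses to acknowledge.
    if rrc_setup["nas_smc"]["first_mark"] not in ue_nas_caps:
        raise ValueError("NAS mark not in UE capabilities")
    if rrc_setup["as_smc"]["second_mark"] not in ue_as_caps:
        raise ValueError("AS mark not in UE capabilities")

    # Steps 208-209 / 507-508: RRC and RANAP acknowledgements.
    return {"nas": rrc_setup["nas_smc"]["first_mark"],
            "as": rrc_setup["as_smc"]["second_mark"]}


if __name__ == "__main__":
    # Constructed sample capability lists.
    print(negotiate(["NAS-ALG-1", "NAS-ALG-2"], ["AS-ALG-1", "AS-ALG-2"],
                    ["AS-ALG-2", "AS-ALG-3"]))
```

Running the module prints the algorithms agreed for a constructed pair of capability lists. A NAS capability list that shares no entry with the network-allowed list, or MME-side AS selection without either source of eNodeB algorithm information, raises ValueError instead of silently picking a default; that explicit failure is what a practitioner should look for in any negotiation of this shape.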
Referring to Fig. 6, the method for security algorithm negotiation provided by embodiment five of the invention comprises the following.
Embodiment five first establishes the radio access network connection, i.e. the RRC connection, and then establishes the core network connection; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm.
Step 601: the UE sends an RRC request message to the eNodeB; this RRC request message carries the UE security capabilities.
Step 602: the eNodeB stores the UE security capabilities.
Step 603: the eNodeB sends an RRC setup message to the UE.
Step 604: the UE sends an RRC complete message to the eNodeB.
Step 605: the UE sends the initial layer 3 message to the eNodeB.
Step 606: the eNodeB sends a RANAP message to the MME; the eNodeB needs to add the UE security capabilities to the RANAP message, so this message comprises the initial layer 3 message and the UE security capabilities.
Step 607: the MME selects the NAS security algorithm according to the UE security capabilities and the algorithm information that the network allows the user to use; or according to the UE security capabilities, the algorithm information that the network allows the user to use and the user's CAMEL-Subscription-Information.
Step 608: the MME sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message, which carries the first mark representing the selected NAS security algorithm.
Step 609: the eNodeB sends the initial layer 3 response message to the UE; this initial layer 3 response message carries the first mark.
Steps 610 to 613 are identical to steps 407 to 410 of embodiment three.
Referring to Fig. 7, the method for security algorithm negotiation provided by embodiment six of the invention comprises the following.
Embodiment six first establishes the radio access network connection, i.e. the RRC connection, and then establishes the core network connection; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm. The difference from embodiment five is that in this embodiment the initial layer 3 response message and the AS Security Mode Command are merged into one message, whereas in embodiment five they are sent separately.
Steps 701 to 707 are identical to steps 601 to 607.
Step 708: the MME creates a Security Mode Command and sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message and a first Security Mode Command message, where the first Security Mode Command message carries the first mark representing the selected NAS security algorithm and the algorithm information that the network allows the user to use.
Step 709: the eNodeB selects the AS security algorithm according to the UE security capabilities and the pre-stored algorithm information supported by the eNodeB itself; or according to the UE security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 710: the eNodeB sends an RRC message to the UE; this message carries the initial layer 3 response message and a second Security Mode Command, where the second Security Mode Command carries the first mark and the second mark representing the selected AS security algorithm.
Step 711: the UE sends an RRC message to the eNodeB; this message carries the second Security Mode Command response.
Step 712: the eNodeB sends a RANAP message to the MME; this message carries the first Security Mode Command response.
Referring to Fig. 8, the method for security algorithm negotiation provided by embodiment seven of the invention comprises the following.
Embodiment seven first establishes the radio access network connection, i.e. the RRC connection, and then establishes the core network connection; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm.
Steps 801 to 806 are identical to steps 601 to 606.
Step 807: the MME selects the NAS security algorithm according to the algorithms that the network allows the user to adopt and the UE security capabilities, and may also take the user's CAMEL-Subscription-Information into account.
Step 808: the MME sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message and the algorithm information that the network allows the user to adopt, where the initial layer 3 response message carries the first mark representing the selected NAS security algorithm.
Step 809: the eNodeB selects the AS security algorithm according to the UE security capabilities and the pre-stored algorithm information supported by the eNodeB itself; or according to the UE security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 810: the eNodeB sends an RRC message to the UE; this RRC message carries the second mark representing the selected AS security algorithm and the initial layer 3 response message, which carries the first mark.
Referring to Fig. 9, the method for security algorithm negotiation provided by embodiment eight of the invention comprises the following.
Embodiment eight first establishes the radio access network connection, i.e. the RRC connection, and then establishes the core network connection; the MME selects both the NAS security algorithm and the AS security algorithm.
Step 901: the UE sends an RRC request message to the eNodeB.
Step 902: the eNodeB sends an RRC setup message to the UE.
Step 903: the UE sends an RRC complete message to the eNodeB.
Step 904: the UE sends the initial layer 3 message to the eNodeB; this message comprises the UE security capabilities.
Step 905: the eNodeB sends a RANAP message to the MME; this message comprises the initial layer 3 message and the algorithm information supported by the eNodeB itself, where the initial layer 3 message carries the UE security capabilities.
Step 906: the MME selects the NAS security algorithm according to the UE security capabilities and the algorithms that the network allows the user to use, or according to the UE security capabilities, the algorithms that the network allows the user to use and the user's CAMEL-Subscription-Information; and the MME selects the AS security algorithm according to the UE security capabilities and the algorithm information supported by the eNodeB itself in the RANAP message, or according to the UE security capabilities and the algorithm information supported by the eNodeB itself within the algorithm information that the network allows the user to use.
Step 907: the MME sends a RANAP message to the eNodeB; this message carries the initial layer 3 response message and the second mark representing the selected AS security algorithm, where the initial layer 3 response message carries the first mark representing the selected NAS security algorithm.
Step 908: the eNodeB learns the AS security algorithm from the second mark.
Step 909: the eNodeB sends an RRC message to the UE; this RRC message comprises the initial layer 3 response message and the second mark, where the initial layer 3 response message carries the first mark.
In step 905, the RANAP message sent by the eNodeB to the MME may instead omit the algorithm information supported by the eNodeB itself; that information can be configured directly on the MME.
Likewise, in embodiments six and seven, the MME may select both the NAS security algorithm and the AS security algorithm to realize the security algorithm negotiation, without affecting the realization of the invention.
The UE security capabilities need not be carried in the RRC request message; they may instead be carried in the RRC complete message that the UE sends to the eNodeB. Or, when the UE security capabilities are divided into AS security capabilities and NAS security capabilities, the AS security capabilities of the UE may be carried in the RRC request message or in the RRC complete message, and the NAS security capabilities of the UE may be carried in the initial layer 3 message that the UE sends to the eNodeB, without affecting the realization of the invention.
Referring to Figure 10, embodiment nine of the invention provides a device for security algorithm negotiation in a System Architecture Evolution / Long Term Evolution (SAE/LTE) system. The device comprises:
an information receiving unit 1001, for receiving the security algorithm information that the user terminal can support;
a security algorithm selection unit 1002, for selecting a security algorithm according to the security algorithm information in the information receiving unit 1001;
a transmitting unit 1003, for sending to the user terminal the mark representing the security algorithm selected by the security algorithm selection unit 1002.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the transmitting unit 1003 are located in the Mobility Management Entity and are used for negotiating the Non-Access Stratum security algorithm:
the information receiving unit 1001 receives the security algorithm information that the user terminal can support; this security algorithm information may be Non-Access Stratum security algorithm information and may be carried by the initial layer 3 message;
the security algorithm selection unit 1002 selects the Non-Access Stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use, and may also take the user's subscription information into account;
the transmitting unit 1003 sends to the user terminal the first mark representing the Non-Access Stratum security algorithm selected by the security algorithm selection unit 1002; this first mark may be carried in the initial layer 3 response message or in the NAS Security Mode Command.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the transmitting unit 1003 are located in the Mobility Management Entity and are used for negotiating the Access Stratum security algorithm, the device further comprises an evolved base station algorithm information receiving unit 1004 and an evolved base station algorithm information configuring unit 1005, where:
the information receiving unit 1001 receives the security algorithm information that the user terminal can support; this security algorithm information may be Access Stratum security algorithm information and may be carried in the initial layer 3 message;
the security algorithm selection unit 1002 selects the Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;
the transmitting unit 1003 sends the second mark representing the Access Stratum security algorithm selected by the security algorithm selection unit 1002; this second mark may be carried in the third NAS Security Mode Command;
the evolved base station algorithm information receiving unit 1004 receives the algorithm information supported by the evolved base station and outputs it to the security algorithm selection unit 1002;
the evolved base station algorithm information configuring unit 1005 configures the algorithm information supported by the evolved base station and outputs it to the security algorithm selection unit 1002.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the transmitting unit 1003 are located in the evolved base station and are used for negotiating the Access Stratum security algorithm:
the information receiving unit 1001 receives the security algorithm information that the user terminal can support; this security algorithm information may be Access Stratum security algorithm information and may be carried in the RRC request message;
the security algorithm selection unit 1002 selects the Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;
the transmitting unit 1003 sends the second mark representing the Access Stratum security algorithm to the user terminal.
Referring to Figure 11, embodiment ten of the invention provides a network system comprising:
an evolved base station 1101, for sending the security algorithm information supported by the user terminal to the Mobility Management Entity 1102, and for sending the first mark from the Mobility Management Entity 1102 to the user terminal;
a Mobility Management Entity 1102, for selecting the Non-Access Stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use, and for outputting the first mark representing the Non-Access Stratum security algorithm.
When the network system also negotiates the Access Stratum security algorithm, the evolved base station 1101 is further used for sending the second mark from the Mobility Management Entity 1102 to the user terminal and for obtaining the Access Stratum algorithm according to the second mark; the Mobility Management Entity 1102 is further used for selecting the Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station 1101 itself, and for outputting the second mark representing the selected Access Stratum security algorithm.
When the network system also negotiates the Access Stratum security algorithm and the security algorithm information is Non-Access Stratum security algorithm information, the evolved base station 1101 is further used for receiving the Access Stratum security algorithm information and forwarding it to the Mobility Management Entity 1102, for sending the second mark from the Mobility Management Entity 1102 to the user terminal, and for obtaining the Access Stratum algorithm according to the second mark; the Mobility Management Entity 1102 is further used for selecting the Access Stratum security algorithm according to the Access Stratum security algorithm information and the algorithm information supported by the evolved base station 1101 itself, and for outputting the second mark representing the Access Stratum security algorithm.
When the network system also negotiates the Access Stratum security algorithm, the evolved base station 1101 is further used for selecting the Access Stratum security algorithm according to the security algorithm information and the algorithm information it supports itself, and for sending the second mark representing the Access Stratum security algorithm to the user terminal.
When the network system also negotiates the Access Stratum security algorithm and the security algorithm information is Non-Access Stratum security algorithm information, the evolved base station 1101 is further used for receiving the Access Stratum security algorithm information, selecting the Access Stratum security algorithm according to the Access Stratum security algorithm information and the algorithm information it supports itself, and sending the second mark representing the Access Stratum security algorithm to the user terminal.
From the above analysis it can be seen that, in the embodiments of the invention, the MME can select the NAS security algorithm according to the NAS security capabilities supported by the UE and the algorithm information that the network allows the user to use, and send the first mark representing the selected NAS security algorithm to the user terminal, so that the NAS security algorithm can be negotiated in the SAE/LTE system. The MME or the eNodeB can select the AS security algorithm according to the AS security capabilities supported by the UE and the algorithm information supported by the eNodeB itself, and the UE and the eNodeB obtain the second mark representing the selected AS security algorithm, achieving negotiation of the AS security algorithm in the SAE/LTE system. The embodiments of the invention carry the initial layer 3 message in the RRC request message, the NAS security capabilities can be carried in the initial layer 3 message, and the initial layer 3 response message and the first mark are carried in the RRC setup message, which simplifies the procedure and saves the time spent negotiating security algorithms.
The method, device and network system for security algorithm negotiation provided by the embodiments of the invention have been described in detail above. Specific examples have been used herein to set forth the principles and implementation of the embodiments of the invention; the explanation of the above embodiments is only intended to help in understanding the method of the embodiments of the invention. Meanwhile, one of ordinary skill in the art may, following the ideas of the embodiments of the invention, make changes in specific implementations and in the scope of application. In summary, this description should not be construed as limiting the embodiments of the invention.