CN102869007B - The method of secure algorithm negotiation, device and network system - Google Patents

Info

Publication number
CN102869007B
Authority
CN
China
Prior art keywords
security algorithm
user terminal
mark
base station
information
Legal status
Active
Application number
CN201210351794.7A
Other languages
Chinese (zh)
Other versions
CN102869007A (en)
Inventor
杨艳梅
陈璟
Current Assignee
Beijing Jingshi Intellectual Property Management Co ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201210351794.7A
Publication of CN102869007A
Application granted
Publication of CN102869007B

Classifications

    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L63/06 Network architectures or network communication protocols for network security, for supporting key management in a packet data network
    • H04L63/205 Network architectures or network communication protocols for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L2209/80 Additional information or applications relating to cryptographic mechanisms or arrangements for secret or secure communication (H04L9/00): wireless

Abstract

The invention discloses a method of security algorithm negotiation in a System Architecture Evolution/Long Term Evolution (SAE/LTE) system. The method comprises: receiving the security algorithm information that a user terminal supports; selecting a security algorithm according to that security algorithm information; and sending to the user terminal an identifier that represents the selected security algorithm. The invention also discloses a device and a network system for security algorithm negotiation. With the technical scheme provided by the invention, both the Non-Access Stratum security algorithm and the Access Stratum security algorithm can be negotiated in an SAE/LTE system.

Description

Method, device and network system for security algorithm negotiation
Technical field
The present invention relates to the field of communication technology, and in particular to a method, a device and a network system for security algorithm negotiation.
Background technology
In the Universal Mobile Telecommunications System (UMTS), the Radio Network Controller (RNC) and the User Equipment (UE) perform encryption/decryption and integrity protection operations: they provide confidentiality protection for the data of the UE, and confidentiality and integrity protection for the signalling between the UE and the RNC. Because different UEs support different encryption/decryption and integrity algorithms, the encryption/decryption algorithm and the integrity algorithm must be negotiated before encryption/decryption and integrity protection can be applied. Since a UMTS system only needs to provide protection at the Access Stratum (AS), UMTS negotiates the encryption/decryption and integrity algorithms between the UE and the RNC.
In a System Architecture Evolution (SAE)/Long Term Evolution (LTE) system, as shown in Figure 1, the core network comprises a Mobility Management Entity (MME), a User Plane Entity (UPE) and an Inter Access System Anchor (IASA). The MME is responsible for control-plane mobility management, including user context and mobility state management, allocation of temporary user identities, security information and so on; the UPE initiates paging for downlink data in idle state and manages and stores IP bearer parameters and network-internal information; the IASA serves as the user-plane anchor between different systems. The access network consists of evolved base stations (Evolved NodeB, eNodeB). In this system, the security of Access Stratum signalling on the signalling plane terminates at the eNodeB; the security of Non-Access Stratum signalling on the signalling plane, that is, of core-network signalling, terminates at the MME; and user-plane security terminates at the UPE. The security termination nodes of the signalling plane are therefore the eNodeB and the MME. Before applying the corresponding security protection to data or signalling, a security termination node needs to negotiate a security algorithm that both it and the User Equipment (UE) support: the eNodeB and the UE need to negotiate the Access Stratum (AS) security algorithm, and the MME and the UE need to negotiate the Non-Access Stratum (NAS) security algorithm.
In the existing SAE/LTE system, the security algorithms, that is, the Access Stratum AS security algorithm and the Non-Access Stratum NAS security algorithm, cannot be negotiated.
Summary of the invention
The embodiments of the present invention aim to provide a method, a device and a network system for security algorithm negotiation that can negotiate security algorithms in an SAE/LTE system.
To solve the above technical problem, the aim of the embodiments of the present invention is achieved through the following technical solutions:
A method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution system, the method comprising:
receiving the security algorithm information that the user terminal supports;
selecting a security algorithm according to the security algorithm information;
sending to the user terminal an identifier that represents the selected security algorithm.
A device for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution system, the device comprising:
an information receiving unit, configured to receive the security algorithm information that the user terminal supports;
a security algorithm selection unit, configured to select a security algorithm according to the security algorithm information;
a transmitting unit, configured to send to the user terminal an identifier that represents the selected security algorithm.
A network system comprising an evolved base station and a Mobility Management Entity, wherein:
the evolved base station is configured to send the security algorithm information supported by the user terminal to the Mobility Management Entity, and to forward the first identifier received from the Mobility Management Entity to the user terminal;
the Mobility Management Entity is configured to select a Non-Access Stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use, and to output a first identifier that represents the Non-Access Stratum security algorithm.
As can be seen from the above technical solution, the embodiments of the present invention select a security algorithm according to the security algorithm information supported by the user terminal and send an identifier representing the selected security algorithm to the user terminal, so that security algorithms can be negotiated in an SAE/LTE system.
Brief description of the drawings
Fig. 1 is a structural diagram of an SAE/LTE system in the prior art;
Fig. 2 is a flow chart of the security algorithm negotiation method provided by embodiment one of the present invention;
Fig. 3 is a flow chart of the security algorithm negotiation method provided by embodiment two of the present invention;
Fig. 4 is a flow chart of the security algorithm negotiation method provided by embodiment three of the present invention;
Fig. 5 is a flow chart of the security algorithm negotiation method provided by embodiment four of the present invention;
Fig. 6 is a flow chart of the security algorithm negotiation method provided by embodiment five of the present invention;
Fig. 7 is a flow chart of the security algorithm negotiation method provided by embodiment six of the present invention;
Fig. 8 is a flow chart of the security algorithm negotiation method provided by embodiment seven of the present invention;
Fig. 9 is a flow chart of the security algorithm negotiation method provided by embodiment eight of the present invention;
Figure 10 is a structural diagram of the security algorithm negotiation device provided by embodiment nine of the present invention;
Figure 11 is a diagram of the network architecture provided by embodiment ten of the present invention.
Detailed description of the embodiments
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 2, the security algorithm negotiation method provided by embodiment one of the invention comprises the following:
In embodiment one, the initial layer 3 message is carried in the Radio Resource Connection (RRC) request message, the initial layer 3 response message is carried in the RRC setup message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;
Step 201: the UE sends a Radio Resource Connection (RRC) request message to the eNodeB. The request message comprises the AS security capability and the initial layer 3 message, and the initial layer 3 message carries the NAS security capability. The AS security capability is the AS security algorithm information that the UE supports, that is, the list of AS security algorithms, and the NAS security capability is the NAS security algorithm information that the UE supports, that is, the list of NAS security algorithms;
Step 202: the eNodeB saves the AS security capability;
Step 203: the eNodeB sends a RANAP message to the MME carrying the initial layer 3 message, which in turn carries the NAS security capability of the UE;
Step 204: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithm information that the network allows the user to use; or it selects the NAS security algorithm according to the NAS security capability, the algorithm information that the network allows the user to use, and the subscription information of the user. The algorithm information that the network allows the user to use comprises at least the AS security algorithm information and the NAS security algorithm information that the user is allowed to use, and the AS security algorithm information that the network allows the user to use comprises the algorithm information that this eNodeB itself supports;
Step 205: the MME creates a NAS Security Mode Command and a first AS Security Mode Command and sends a RANAP message to the eNodeB carrying the initial layer 3 response message, the NAS Security Mode Command and the first AS Security Mode Command. The NAS Security Mode Command carries the first identifier, which represents the selected NAS security algorithm, and the first AS Security Mode Command carries the algorithm information that the network allows the user to use;
Step 206: the eNodeB selects the AS security algorithm according to the AS security capability and the prestored algorithm information that the eNodeB itself supports; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 207: the eNodeB creates a second AS Security Mode Command, which comprises the second identifier representing the selected AS security algorithm, and sends an RRC setup message to the UE carrying the second AS Security Mode Command, the NAS Security Mode Command and the initial layer 3 response message;
Step 208: the UE sends an RRC acknowledge message to the eNodeB carrying the layer 3 acknowledge message, the NAS Security Mode Command response and the second AS Security Mode Command response;
Step 209: the eNodeB sends a RANAP message to the MME carrying the layer 3 acknowledge message and the NAS Security Mode Command response.
The algorithms supported by the UE need not be divided into AS algorithms and NAS algorithms: an algorithm the UE supports may be both an AS algorithm and a NAS algorithm, in which case the NAS security capability and the AS security capability are identical and are referred to collectively as the security capability of the UE. When the algorithms supported by the UE are not divided into AS and NAS algorithms, the RRC request message in step 201 may comprise the UE security capability and the initial layer 3 message, where the initial layer 3 message carries the UE security capability and the UE security capability may be carried in only one information element (IE); step 202 may then be that the eNodeB saves the security capability of the UE. Alternatively, the initial layer 3 message in step 201 does not carry the UE security capability, and the RANAP message that the eNodeB sends to the MME in step 203 comprises the initial layer 3 message and the security capability of the UE.
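As an added worked example (not code from the patent), the following Python simulates the negotiation of embodiment one (steps 201 to 209) and, with mme_selects_as=True, goes beyond it to the embodiment-four variant in which the MME selects both algorithms. Algorithm names, identifier values and message payloads are constructed for illustration; the UE-side check that each returned identifier names an algorithm the UE offered is an assumption about how a receiver would validate the command, not a step the patent states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed identifier table. The patent sends the UE an identifier that
# stands for an algorithm rather than the algorithm description itself.
ALGORITHM_IDS: Dict[str, int] = {"alg-a": 1, "alg-b": 2, "alg-c": 3}
ALGORITHM_NAMES: Dict[int, str] = {v: k for k, v in ALGORITHM_IDS.items()}


@dataclass
class UE:
    nas_capability: List[str]   # NAS security capability: NAS algorithms the UE supports
    as_capability: List[str]    # AS security capability: AS algorithms the UE supports


@dataclass
class MME:
    allowed_nas: List[str]      # NAS algorithms the network allows the user to use, preferred first
    allowed_as: List[str]       # AS algorithms the network allows the user to use, preferred first
    subscription: Optional[List[str]] = None  # algorithms permitted by the user's subscription, if used


@dataclass
class ENodeB:
    supported: List[str]        # algorithms the eNodeB itself supports, preferred first
    saved_as_capability: List[str] = field(default_factory=list)  # filled in at step 202


def select_algorithm(ue_supported, candidates, restriction=None):
    """Return the first candidate, in network preference order, that the UE
    supports and that the optional restriction (subscription) permits.
    Returns None when there is no common algorithm."""
    for alg in candidates:
        if alg in ue_supported and (restriction is None or alg in restriction):
            return alg
    return None


def select_nas(mme: MME, nas_capability: List[str]) -> Optional[str]:
    """Step 204: the MME picks the NAS algorithm from the UE's NAS capability,
    the network-allowed NAS list and, if configured, the subscription."""
    return select_algorithm(nas_capability, mme.allowed_nas, mme.subscription)


def select_as(as_capability, enb_supported, allowed_as=None):
    """Step 206 (eNodeB) or step 503 (MME): pick the AS algorithm from the UE's
    AS capability and the eNodeB-supported algorithms; when the network-allowed
    AS list is given, only eNodeB-supported algorithms inside it are candidates."""
    candidates = enb_supported if allowed_as is None else [a for a in allowed_as if a in enb_supported]
    return select_algorithm(as_capability, candidates)


def ue_accepts(ue: UE, nas_id: int, as_id: int) -> bool:
    """Assumed UE-side check before answering the Security Mode Commands (step 208):
    each identifier must name an algorithm the UE actually offered."""
    return (ALGORITHM_NAMES.get(nas_id) in ue.nas_capability
            and ALGORITHM_NAMES.get(as_id) in ue.as_capability)


def negotiate(ue: UE, enb: ENodeB, mme: MME, mme_selects_as: bool = False):
    """Run the embodiment-one flow; with mme_selects_as=True the MME selects the
    AS algorithm too, as in embodiment four. Returns (trace, nas_id, as_id),
    where trace lists (sender, receiver, message, payload) tuples."""
    trace: List[Tuple[str, str, str, dict]] = []
    l3 = {"nas_capability": ue.nas_capability}
    trace.append(("UE", "eNodeB", "RRC request", {"as_capability": ue.as_capability, "l3": l3}))  # 201
    enb.saved_as_capability = list(ue.as_capability)                                   # 202
    ranap = {"l3": l3}
    if mme_selects_as:                                                                 # 502 variant
        ranap.update(as_capability=ue.as_capability, enb_supported=enb.supported)
    trace.append(("eNodeB", "MME", "RANAP", ranap))                                     # 203
    nas_alg = select_nas(mme, ranap["l3"]["nas_capability"])                           # 204
    if nas_alg is None:
        raise ValueError("no NAS algorithm common to UE, network policy and subscription")
    nas_smc = {"first_id": ALGORITHM_IDS[nas_alg]}
    if mme_selects_as:                                                                 # 503/504
        as_alg = select_as(ranap["as_capability"], ranap["enb_supported"], mme.allowed_as)
        if as_alg is None:
            raise ValueError("no AS algorithm common to UE, eNodeB and network policy")
        as_smc = {"second_id": ALGORITHM_IDS[as_alg]}
    else:                                                                              # 205
        as_smc = {"allowed_as": mme.allowed_as}
    trace.append(("MME", "eNodeB", "RANAP", {"l3_response": {}, "nas_smc": nas_smc, "as_smc_1": as_smc}))
    if not mme_selects_as:                                                             # 206
        as_alg = select_as(enb.saved_as_capability, enb.supported, as_smc["allowed_as"])
        if as_alg is None:
            raise ValueError("no AS algorithm common to UE, eNodeB and network policy")
    as_id = ALGORITHM_IDS[as_alg]
    trace.append(("eNodeB", "UE", "RRC setup",                                          # 207
                  {"as_smc_2": {"second_id": as_id}, "nas_smc": nas_smc, "l3_response": {}}))
    if not ue_accepts(ue, nas_smc["first_id"], as_id):
        raise ValueError("UE received an identifier for an algorithm it did not offer")
    trace.append(("UE", "eNodeB", "RRC acknowledge",                                    # 208
                  {"l3_ack": {}, "nas_smc_response": {}, "as_smc_2_response": {}}))
    trace.append(("eNodeB", "MME", "RANAP", {"l3_ack": {}, "nas_smc_response": {}}))   # 209
    return trace, nas_smc["first_id"], as_id
```

When either selection finds no common algorithm the function raises instead of continuing, since a negotiation that cannot agree on an algorithm must be rejected rather than completed with an unprotected default.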
Referring to Fig. 3, the security algorithm negotiation method provided by embodiment two of the invention comprises the following:
In embodiment two, the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;
Steps 301 to 303 are identical to steps 201 to 203 of embodiment one;
Step 304: the MME creates a first AS Security Mode Command and sends a RANAP message to the eNodeB carrying the first AS Security Mode Command, which carries the algorithm information that the network allows the user to use;
Step 305: the eNodeB selects the AS security algorithm according to the AS security capability and the prestored algorithm information that the eNodeB itself supports; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 306: the eNodeB creates a second AS Security Mode Command and sends an RRC setup message to the UE carrying the second AS Security Mode Command, which contains the second identifier representing the selected AS security algorithm;
Step 307: the UE sends an RRC acknowledge message to the eNodeB carrying the second AS Security Mode Command response;
Step 308: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithm information that the network allows the user to use; or according to the NAS security capability, the algorithm information that the network allows the user to use, and the subscription information of the user;
Step 309: the MME creates a NAS Security Mode Command and sends a RANAP message to the eNodeB carrying the NAS Security Mode Command, which carries the first identifier representing the selected NAS security algorithm;
Step 310: the eNodeB sends an RRC message to the UE carrying the NAS Security Mode Command, which carries the first identifier representing the selected NAS security algorithm;
Step 311: the UE sends an RRC message to the eNodeB carrying the NAS Security Mode Command response;
Step 312: the eNodeB sends a RANAP message to the MME carrying the NAS Security Mode Command response;
Step 313: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message;
Step 314: the eNodeB sends an RRC message to the UE carrying the initial layer 3 response message.
The initial layer 3 response message of steps 313 and 314 may be sent together with the NAS Security Mode Command of steps 309 and 310, or together with the AS Security Mode Command of steps 304 and 306; or the NAS Security Mode Command of steps 309 and 310 may be sent together with the AS Security Mode Command of steps 304 and 306. None of this affects the implementation of the present invention.
Referring to Fig. 4, the security algorithm negotiation method provided by embodiment three of the invention comprises the following:
In embodiment three, the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;
Steps 401 to 404 are identical to steps 201 to 204 of embodiment one;
Step 405: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message, which carries the first identifier representing the selected NAS security algorithm;
Step 406: the eNodeB sends an RRC setup message to the UE comprising the initial layer 3 response message that carries the first identifier;
Step 407: the MME creates a first AS Security Mode Command and sends a RANAP message to the eNodeB carrying the first AS Security Mode Command, which carries the algorithm information that the network allows the user to use;
Step 408: the eNodeB selects the AS security algorithm according to the AS security capability and the prestored algorithm information that the eNodeB itself supports; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 409: the eNodeB creates a second AS Security Mode Command and sends an RRC message to the UE carrying the second AS Security Mode Command, which carries the identifier representing the selected AS security algorithm;
Step 410: the UE sends an RRC message to the eNodeB carrying the second AS Security Mode Command response.
Referring to Fig. 5, the security algorithm negotiation method provided by embodiment four of the invention comprises the following:
In embodiment four, the initial layer 3 message is carried in the RRC request message, the initial layer 3 response message is carried in the RRC setup message, and the MME selects both the NAS security algorithm and the AS security algorithm;
Step 501: the UE sends an RRC request message to the eNodeB comprising the initial layer 3 message, which carries the NAS security capability and the AS security capability; that is, two IEs need to be defined in the initial layer 3 message to carry the AS security capability and the NAS security capability respectively;
The algorithms supported by the UE need not be divided into AS algorithms and NAS algorithms; in that case the NAS security capability and the AS security capability are identical and are referred to collectively as the security capability of the UE. When the algorithms supported by the UE are not divided into AS and NAS algorithms, the UE security capability is carried in the initial layer 3 message and may be carried in only one IE;
Step 502: the eNodeB sends a RANAP message to the MME carrying the initial layer 3 message, and possibly also the algorithm information that the eNodeB itself supports; the initial layer 3 message carries the NAS security capability and the AS security capability, or the UE security capability;
Step 503: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithms that the network allows the user to use, or according to the NAS security capability, the algorithms that the network allows the user to use, and the subscription information of the user; and it selects the AS security algorithm according to the AS security capability and the eNodeB-supported algorithm information in the received RANAP message, or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 504: the MME creates a NAS Security Mode Command and a third AS Security Mode Command and sends a RANAP message to the eNodeB carrying the initial layer 3 response message, the NAS Security Mode Command and the third AS Security Mode Command. The NAS Security Mode Command carries the first identifier representing the selected NAS security algorithm, and the third AS Security Mode Command carries the second identifier representing the selected AS security algorithm;
Step 505: the eNodeB learns the selected AS security algorithm from the second identifier carried in the third AS Security Mode Command;
Step 506: the eNodeB creates a fourth AS Security Mode Command and sends an RRC setup message to the UE comprising the fourth AS Security Mode Command, the NAS Security Mode Command and the initial layer 3 response message; the fourth AS Security Mode Command carries the second identifier;
Step 507: the UE sends an RRC acknowledge message to the eNodeB carrying the layer 3 acknowledge message, the NAS Security Mode Command response and the fourth AS Security Mode Command response;
Step 508: the eNodeB sends a RANAP message to the MME carrying the layer 3 acknowledge message and the NAS Security Mode Command response.
In step 502, the eNodeB may omit the algorithm information it supports from the RANAP message sent to the MME; the algorithm information supported by the eNodeB can instead be configured directly on the MME;
Likewise, embodiments two and three may also have the MME select both the NAS security algorithm and the AS security algorithm to realise the security algorithm negotiation, without affecting the implementation of the present invention.
Referring to Fig. 6, the security algorithm negotiation method provided by embodiment five of the invention comprises the following:
In embodiment five, the radio access network connection, that is, the RRC connection, is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm;
Step 601: the UE sends an RRC request message to the eNodeB carrying the security capability of the UE;
Step 602: the eNodeB saves the security capability of the UE;
Step 603: the eNodeB sends an RRC setup message to the UE;
Step 604: the UE sends an RRC complete message to the eNodeB;
Step 605: the UE sends the initial layer 3 message to the eNodeB;
Step 606: the eNodeB sends a RANAP message to the MME; because the eNodeB needs to add the UE security capability to the RANAP message, this message comprises the initial layer 3 message and the security capability of the UE;
Step 607: the MME selects the NAS security algorithm according to the security capability of the UE and the algorithm information that the network allows the user to use, or according to the security capability of the UE, the algorithm information that the network allows the user to use, and the subscription information of the user;
Step 608: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message, which carries the first identifier representing the selected NAS security algorithm;
Step 609: the eNodeB sends the initial layer 3 response message, carrying the first identifier, to the UE;
Steps 610 to 613 are identical to steps 407 to 410 of embodiment three.
Referring to Fig. 7, the security algorithm negotiation method provided by embodiment six of the invention comprises the following:
In embodiment six, the radio access network connection, that is, the RRC connection, is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm. The difference from embodiment five is that in this embodiment the initial layer 3 response message and the AS Security Mode Command are merged into one message, whereas in embodiment five they are sent separately;
Steps 701 to 707 are identical to steps 601 to 607;
Step 708: the MME creates a Security Mode Command and sends a RANAP message to the eNodeB carrying the initial layer 3 response message and the first Security Mode Command message; the first Security Mode Command message carries the first identifier representing the selected NAS security algorithm and the algorithm information that the network allows the user to use;
Step 709: the eNodeB selects the AS security algorithm according to the security capability of the UE and the prestored algorithm information that the eNodeB itself supports; or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 710: the eNodeB sends an RRC message to the UE carrying the initial layer 3 response message and a second Security Mode Command, where the second Security Mode Command carries the first identifier and the second identifier representing the selected AS security algorithm;
Step 711: the UE sends an RRC message to the eNodeB carrying the second Security Mode Command response;
Step 712: the eNodeB sends a RANAP message to the MME carrying the first Security Mode Command response.
Referring to Fig. 8, the security algorithm negotiation method provided by embodiment seven of the invention comprises the following:
In embodiment seven, the radio access network connection, that is, the RRC connection, is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm;
Steps 801 to 806 are identical to steps 601 to 606;
Step 807: the MME selects the NAS security algorithm according to the algorithms that the network allows the user to adopt and the security capability of the UE, and may also take the subscription information of the user into account;
Step 808: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message and the algorithm information that the network allows the user to adopt; the initial layer 3 response message carries the first identifier representing the selected NAS security algorithm;
Step 809: the eNodeB selects the AS security algorithm according to the security capability of the UE and the prestored algorithm information that the eNodeB itself supports; or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 810: the eNodeB sends an RRC message to the UE carrying the second identifier, which represents the selected AS security algorithm, and the initial layer 3 response message, which carries the first identifier.
Referring to Fig. 9, the security algorithm negotiation method provided by embodiment eight of the invention comprises the following:
In embodiment eight, the radio access network connection, that is, the RRC connection, is established first and the core network connection afterwards; the MME selects both the NAS security algorithm and the AS security algorithm;
Step 901: the UE sends an RRC request message to the eNodeB;
Step 902: the eNodeB sends an RRC setup message to the UE;
Step 903: the UE sends an RRC complete message to the eNodeB;
Step 904: the UE sends the initial layer 3 message to the eNodeB; this message comprises the security capability of the UE;
Step 905: the eNodeB sends a RANAP message to the MME comprising the initial layer 3 message and the algorithm information that the eNodeB itself supports; the initial layer 3 message carries the security capability of the UE;
Step 906: the MME selects the NAS security algorithm according to the security capability of the UE and the algorithms that the network allows the user to use, or according to the security capability of the UE, the algorithms that the network allows the user to use, and the subscription information of the user; and it selects the AS security algorithm according to the security capability of the UE and the eNodeB-supported algorithm information in the RANAP message, or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;
Step 907: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message and the second identifier representing the selected AS security algorithm; the initial layer 3 response message carries the first identifier representing the selected NAS security algorithm;
Step 908: the eNodeB learns the AS security algorithm from the second identifier;
Step 909: the eNodeB sends an RRC message to the UE comprising the initial layer 3 response message and the second identifier; the initial layer 3 response message carries the first identifier.
In step 905, the eNodeB may omit the algorithm information it supports from the RANAP message sent to the MME; the algorithm information supported by the eNodeB can instead be configured directly on the MME;
Likewise, embodiments six and seven may also have the MME select both the NAS security algorithm and the AS security algorithm to realise the security algorithm negotiation, without affecting the implementation of the present invention.
The security capability of the UE need not be carried in the RRC request message; it may instead be carried in the RRC complete message that the UE sends to the eNodeB. Alternatively, when the security capability of the UE is divided into an AS security capability and a NAS security capability, the AS security capability of the UE may be carried in the RRC request message or in the RRC complete message, and the NAS security capability of the UE may be carried in the initial layer 3 message that the UE sends to the eNodeB, without affecting the implementation of the present invention.
Referring to Figure 10, embodiment nine of the invention provides a device for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution (SAE/LTE) system. The device comprises:
an information receiving unit 1001, for receiving the security algorithm information that the user terminal supports;
a security algorithm selection unit 1002, for selecting a security algorithm according to the security algorithm information held by the information receiving unit 1001;
a sending unit 1003, for sending to the user terminal the identifier representing the security algorithm selected by the security algorithm selection unit 1002.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the Mobility Management Entity (MME) and used to negotiate the Non-Access Stratum (NAS) security algorithm:
the information receiving unit 1001 receives the security algorithm information that the user terminal supports; this may be NAS security algorithm information and may be carried in the initial Layer 3 message;
the security algorithm selection unit 1002 selects the NAS security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, optionally also taking the user's subscription information into account;
the sending unit 1003 sends to the user terminal the first identifier, which represents the NAS security algorithm selected by the security algorithm selection unit 1002; the first identifier may be carried in the initial Layer 3 response message or in a NAS security mode command.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the MME and used to negotiate the Access Stratum (AS) security algorithm, the device further comprises an evolved base station algorithm information receiving unit 1004 and an evolved base station algorithm information configuration unit 1005, where:
the information receiving unit 1001 receives the security algorithm information that the user terminal supports; this may be AS security algorithm information and may be carried in the initial Layer 3 message;
the security algorithm selection unit 1002 selects the AS security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station (eNodeB);
the sending unit 1003 sends the second identifier, which represents the AS security algorithm selected by the security algorithm selection unit 1002; the second identifier may be carried in the third NAS security mode command;
the evolved base station algorithm information receiving unit 1004 receives the algorithm information supported by the eNodeB and outputs it to the security algorithm selection unit 1002;
the evolved base station algorithm information configuration unit 1005 holds the configured algorithm information supported by the eNodeB and outputs it to the security algorithm selection unit 1002.
When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the evolved base station and used to negotiate the AS security algorithm:
the information receiving unit 1001 receives the security algorithm information that the user terminal supports; this may be AS security algorithm information and may be carried in the RRC connection request message;
the security algorithm selection unit 1002 selects the AS security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;
the sending unit 1003 sends to the user terminal the second identifier representing the AS security algorithm.
Referring to Figure 11, embodiment ten of the invention provides a network system comprising:
an evolved base station 1101, for sending the security algorithm information supported by the user terminal to the Mobility Management Entity 1102, and for forwarding the first identifier from the Mobility Management Entity 1102 to the user terminal;
a Mobility Management Entity 1102, for selecting the NAS security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, and for outputting the first identifier representing the NAS security algorithm.
When the network system also negotiates the AS security algorithm, the evolved base station 1101 additionally forwards the second identifier from the Mobility Management Entity 1102 to the user terminal and obtains the AS algorithm from the second identifier; the Mobility Management Entity 1102 additionally selects the AS security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station 1101 itself, and outputs the second identifier representing the selected AS security algorithm.
When the network system also negotiates the AS security algorithm and the security algorithm information is NAS security algorithm information, the evolved base station 1101 additionally receives the AS security algorithm information and forwards it to the Mobility Management Entity 1102, forwards the second identifier from the Mobility Management Entity 1102 to the user terminal, and obtains the AS algorithm from the second identifier; the Mobility Management Entity 1102 additionally selects the AS security algorithm according to the AS security algorithm information and the algorithm information supported by the evolved base station 1101 itself, and outputs the second identifier representing the AS security algorithm.
Alternatively, when the network system also negotiates the AS security algorithm, the evolved base station 1101 itself selects the AS security algorithm according to the security algorithm information and the algorithm information it supports, and sends the second identifier representing the AS security algorithm to the user terminal.
Alternatively, when the network system also negotiates the AS security algorithm and the security algorithm information is NAS security algorithm information, the evolved base station 1101 receives the AS security algorithm information, selects the AS security algorithm according to the AS security algorithm information and the algorithm information it supports, and sends the second identifier representing the AS security algorithm to the user terminal.
As the above analysis shows, in the embodiments of the invention the MME can select the NAS security algorithm according to the NAS security capabilities supported by the UE and the algorithm information the network allows the user to use, and send the first identifier representing the selected NAS security algorithm to the user terminal, so that the NAS security algorithm can be negotiated in an SAE/LTE system. Likewise, the MME or the eNodeB can select the AS security algorithm according to the AS security capabilities supported by the UE and the algorithm information the eNodeB itself supports, and both the UE and the eNodeB obtain the second identifier representing the selected AS security algorithm, which achieves AS security algorithm negotiation in an SAE/LTE system. The embodiments carry the initial Layer 3 message in the RRC connection request message, carry the NAS security capabilities in that initial Layer 3 message, and carry the initial Layer 3 response message and the first identifier in the RRC connection setup message; this simplifies the procedure and reduces the time needed to negotiate the security algorithms.
The method, device and network system for security algorithm negotiation provided by the embodiments of the invention have been described in detail above. Specific examples have been used to explain the principles and implementation of the embodiments, and the description of the embodiments is intended only to help in understanding the method of the embodiments of the invention. At the same time, one of ordinary skill in the art may, following the ideas of the embodiments, vary the specific implementation and the scope of application. In summary, this description should not be construed as limiting the embodiments of the invention.
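The negotiation summarized above (steps 905 to 909, the device of embodiment nine, the network system of embodiment ten, and the tagged capability of claim 14), as an added Python model. This is illustration code written for this page, not the patent's or Huawei's own implementation: the algorithm names ("nas-a", "as-b" and so on), the integer identifier tables, the class names and the priority-ordered policy lists are assumptions. It shows both placements of AS selection (at the MME, which then needs the eNodeB's supported list either reported or configured, or at the eNodeB itself), the per-subscriber restriction the page mentions, and the checks a practitioner would add at each side: the eNodeB refuses an identifier for an algorithm it cannot run, and the UE refuses an identifier for an algorithm it never offered.

```python
"""Added model of the negotiation on this page; names, identifier tables and policies are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed identifier tables: the "first identifier" indexes NAS_ALGORITHMS, the "second
# identifier" indexes AS_ALGORITHMS. Index 0 is "null" and is chosen only if a policy lists it.
NAS_ALGORITHMS = ("nas-null", "nas-a", "nas-b")
AS_ALGORITHMS = ("as-null", "as-a", "as-b", "as-c")


class NegotiationError(Exception):
    """No algorithm acceptable to both sides, or an identifier the receiver rejects."""


@dataclass(frozen=True)
class UeSecurityCapability:
    """UE security capability carried in the initial Layer 3 message. As in claim 14,
    NAS and AS entries share one list and are told apart by a tag."""
    nas: Tuple[str, ...]
    as_: Tuple[str, ...]

    def encode(self) -> List[Tuple[str, str]]:
        return [("NAS", a) for a in self.nas] + [("AS", a) for a in self.as_]

    @staticmethod
    def decode(items: List[Tuple[str, str]]) -> "UeSecurityCapability":
        return UeSecurityCapability(
            nas=tuple(a for tag, a in items if tag == "NAS"),
            as_=tuple(a for tag, a in items if tag == "AS"))


def select_algorithm(offered: Tuple[str, ...], allowed: Tuple[str, ...]) -> str:
    """First entry of the network's priority-ordered `allowed` list that the UE also
    offered. The UE's own ordering is ignored, so it cannot steer the choice."""
    for alg in allowed:
        if alg in offered:
            return alg
    raise NegotiationError(f"no common algorithm: offered={offered} allowed={allowed}")


@dataclass
class Enb:
    """Evolved base station; `supported_as` is in its own preference order."""
    enb_id: str
    supported_as: Tuple[str, ...]

    def select_as(self, cap: UeSecurityCapability) -> int:
        # eNodeB-side AS selection (claim 12); returns the second identifier.
        return AS_ALGORITHMS.index(select_algorithm(cap.as_, self.supported_as))

    def learn_as(self, second_id: int) -> str:
        # Step 908: recover the algorithm from the second identifier, refusing one
        # this eNodeB cannot run (e.g. the MME holds a stale configuration for it).
        alg = AS_ALGORITHMS[second_id]
        if alg not in self.supported_as:
            raise NegotiationError(f"{self.enb_id} cannot run {alg}")
        return alg


@dataclass
class Mme:
    """MME; `nas_policy` is the NAS list the network allows, in priority order."""
    nas_policy: Tuple[str, ...]
    # AS algorithms per eNodeB id: configured on the MME (step 905 remark) or reported by it (claim 6).
    enb_as: Dict[str, Tuple[str, ...]] = field(default_factory=dict)
    # Optional per-subscriber restriction (the page's "subscription information").
    subscriptions: Dict[str, Tuple[str, ...]] = field(default_factory=dict)

    def select_nas(self, imsi: str, cap: UeSecurityCapability) -> int:
        allowed = self.nas_policy
        if imsi in self.subscriptions:
            allowed = tuple(a for a in allowed if a in self.subscriptions[imsi])
        return NAS_ALGORITHMS.index(select_algorithm(cap.nas, allowed))  # first identifier

    def select_as(self, enb_id: str, cap: UeSecurityCapability) -> int:
        # MME-side AS selection (claim 1, second branch); returns the second identifier.
        return AS_ALGORITHMS.index(select_algorithm(cap.as_, self.enb_as[enb_id]))


def ue_accept(cap: UeSecurityCapability, first_id: int, second_id: int) -> Tuple[str, str]:
    """UE side: honour only identifiers for algorithms this UE actually offered."""
    nas, as_ = NAS_ALGORITHMS[first_id], AS_ALGORITHMS[second_id]
    if nas not in cap.nas or as_ not in cap.as_:
        raise NegotiationError(f"network chose {nas}/{as_}, which the UE never offered")
    return nas, as_


def negotiate(imsi: str, cap: UeSecurityCapability, enb: Enb, mme: Mme,
              as_selected_by_mme: bool) -> Tuple[str, str]:
    """UE -> eNodeB -> MME: the capability rides in the initial L3 message inside the RRC
    connection request; identifiers return via the eNodeB. Returns the agreed (NAS, AS)."""
    received = UeSecurityCapability.decode(cap.encode())  # what the network parses
    first_id = mme.select_nas(imsi, received)
    if as_selected_by_mme:
        second_id = mme.select_as(enb.enb_id, received)
        enb.learn_as(second_id)  # step 908, before the identifier goes on to the UE
    else:
        second_id = enb.select_as(received)
    return ue_accept(cap, first_id, second_id)
```

Selection always walks the network's priority list rather than the UE's, so the order in which a terminal lists its capabilities cannot influence the outcome. `NegotiationError` covers the mismatch cases: no algorithm in common, a UE that offers only the null algorithm against a policy that never lists it, or an eNodeB configuration on the MME that no longer matches what the eNodeB can run.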

Claims (19)

1. A method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution system, characterized in that the method comprises:
the user terminal sends the security algorithm information that the user terminal supports;
the Mobility Management Entity receives the security algorithm information that the user terminal supports;
the Mobility Management Entity selects a Non-Access Stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use; or selects an Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;
the Mobility Management Entity sends to the user terminal a first identifier representing the Non-Access Stratum security algorithm or a second identifier representing the Access Stratum security algorithm;
the user terminal receives the first identifier or the second identifier.
2. The method according to claim 1, characterized in that the Mobility Management Entity sending the first identifier to the user terminal is:
sending the first identifier to the evolved base station, and the evolved base station sending the first identifier to the user terminal.
3. The method according to claim 2, characterized in that:
the evolved base station sending the first identifier to the user terminal is specifically:
the evolved base station sends an RRC connection setup message to the user terminal, the RRC connection setup message carries a Non-Access Stratum security mode command, and the Non-Access Stratum security mode command carries the first identifier.
4. The method according to claim 2, characterized in that:
the evolved base station sending the first identifier to the user terminal is specifically:
the evolved base station sends an RRC connection setup message to the user terminal, the RRC connection setup message carries an initial Layer 3 response message, and the initial Layer 3 response message carries the first identifier.
5. The method according to claim 1, characterized in that:
the security algorithm information is Non-Access Stratum security algorithm information.
6. The method according to claim 1, characterized in that:
before the Mobility Management Entity selects the Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself, the method further comprises:
the Mobility Management Entity receives, from the evolved base station, the algorithm information supported by the evolved base station itself.
7. The method according to claim 1, characterized in that:
before the Mobility Management Entity selects the Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself, the method further comprises:
the Mobility Management Entity configures the algorithm information supported by the evolved base station itself.
8. The method according to claim 1, characterized in that the Mobility Management Entity sending the second identifier to the user terminal is:
sending the second identifier to the evolved base station; the evolved base station learns the Access Stratum security algorithm from the second identifier and sends the second identifier to the user terminal.
9. The method according to claim 8, characterized in that:
sending the second identifier to the evolved base station is specifically: sending to the evolved base station a third Access Stratum security mode command carrying the second identifier;
the evolved base station sending the second identifier to the user terminal is specifically:
the evolved base station sends to the user terminal a fourth Access Stratum security mode command carrying the second identifier.
10. The method according to any one of claims 1 to 9, characterized in that:
receiving the security algorithm information that the user terminal supports is specifically:
receiving an initial Layer 3 message from the user terminal, the initial Layer 3 message carrying the security algorithm information that the user terminal supports.
11. The method according to claim 10, characterized in that:
receiving the initial Layer 3 message from the user terminal is specifically:
the evolved base station receives an RRC connection request message from the user terminal, the RRC connection request message carrying the initial Layer 3 message;
the Mobility Management Entity receives the initial Layer 3 message from the evolved base station.
12. A method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution system, characterized in that the method comprises:
the user terminal sends the security algorithm information that the user terminal supports;
the evolved base station receives the security algorithm information that the user terminal supports;
the evolved base station selects an Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself;
the evolved base station sends to the user terminal a second identifier representing the Access Stratum security algorithm;
the user terminal receives the second identifier.
13. The method according to claim 12, characterized in that:
sending to the user terminal the second identifier representing the Access Stratum security algorithm is specifically:
sending to the user terminal a second Access Stratum security mode command carrying the second identifier.
14. The method according to claim 12, characterized in that:
receiving the security algorithm information that the user terminal supports is specifically:
receiving the security capability of the user terminal, the security capability carrying the Access Stratum security algorithm information and the Non-Access Stratum security algorithm information, which are distinguished from each other by a tag.
15. A network system, characterized in that the system comprises a Mobility Management Entity and a user terminal, where:
the Mobility Management Entity comprises:
an information receiving unit, for receiving the security algorithm information that the user terminal supports;
a security algorithm selection unit, for selecting a Non-Access Stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use; or for selecting an Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;
a sending unit, for sending to the user terminal a first identifier representing the Non-Access Stratum security algorithm or a second identifier representing the Access Stratum security algorithm; and
the user terminal is for sending the security algorithm information that the user terminal supports, and for receiving the first identifier or the second identifier.
16. The system according to claim 15, characterized in that:
the system further comprises an evolved base station, for sending the second identifier from the Mobility Management Entity to the user terminal and for obtaining the Access Stratum algorithm from the second identifier.
17. The system according to claim 15, characterized in that, when the security algorithm information is Non-Access Stratum security algorithm information:
the system further comprises an evolved base station, for receiving the Access Stratum security algorithm information and forwarding it to the Mobility Management Entity, for sending the second identifier from the Mobility Management Entity to the user terminal, and for obtaining the Access Stratum algorithm from the second identifier.
18. A network system, characterized in that the system comprises an evolved base station and a user terminal, where:
the evolved base station comprises:
an information receiving unit, for receiving the security algorithm information that the user terminal supports;
a security algorithm selection unit, for selecting an Access Stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself;
a sending unit, for sending to the user terminal a second identifier representing the Access Stratum security algorithm; and
the user terminal is for sending the security algorithm information that the user terminal supports, and for receiving the second identifier of the Access Stratum security algorithm.
19. The system according to claim 18, characterized in that:
the second identifier of the Access Stratum security algorithm is: a second Access Stratum security mode command.
CN201210351794.7A 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system Active CN102869007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210351794.7A CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210351794.7A CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system
CN200710003493A CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for secure algorithm negotiation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN200710003493A Division CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for secure algorithm negotiation

Publications (2)

Publication Number Publication Date
CN102869007A CN102869007A (en) 2013-01-09
CN102869007B true CN102869007B (en) 2015-12-09

Family

ID=39681275

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201210351794.7A Active CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system
CN200710003493A Active CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for secure algorithm negotiation

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN200710003493A Active CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for secure algorithm negotiation

Country Status (2)

Country Link
CN (2) CN102869007B (en)
WO (1) WO2008095428A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378591B (en) 2007-08-31 2010-10-27 华为技术有限公司 Method, system and device for negotiating security capability when a terminal is moving
GB2462615A (en) 2008-08-12 2010-02-17 Nec Corp Optional Access Stratum security activation depending on purpose of request or message parameter in an evolved UTRAN communication network.
CN101686233B (en) * 2008-09-24 2013-04-03 电信科学技术研究院 Method, system and device for handling a security algorithm mismatch between user equipment (UE) and the network
CN101686463B (en) * 2008-09-28 2013-10-09 华为技术有限公司 Method, device and system for protecting user terminal capabilities
CN101841807B (en) * 2009-03-19 2013-01-23 电信科学技术研究院 Execution method and system of a security procedure
CN102083063B (en) * 2009-11-30 2013-07-10 电信科学技术研究院 Method, system and equipment for confirming an AS key
CN102264065A (en) * 2010-05-27 2011-11-30 中兴通讯股份有限公司 Method and system for synchronizing access stratum security algorithms
CN102448058B (en) 2011-01-10 2014-04-30 华为技术有限公司 Method and device for protecting data on the Un interface
CN102833742B (en) * 2011-06-17 2016-03-30 华为技术有限公司 Algorithm negotiation method and device for a machine type communication device group
CN103931214B (en) * 2012-11-08 2018-06-15 华为技术有限公司 Method and apparatus for obtaining a public key
CN104244247B (en) * 2013-06-07 2019-02-05 华为技术有限公司 Non-access stratum and access stratum security algorithm processing method and device
US10624005B2 (en) 2013-08-08 2020-04-14 Nokia Technologies Oy Method and apparatus for proxy algorithm identity selection
WO2018132952A1 (en) * 2017-01-17 2018-07-26 华为技术有限公司 Wireless communication method and apparatus
WO2021196167A1 (en) * 2020-04-03 2021-10-07 Oppo广东移动通信有限公司 Information processing method and apparatus, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571540A (en) * 2004-04-23 2005-01-26 中兴通讯股份有限公司 Method for selecting an air interface encryption algorithm by negotiation
CN1601943A (en) * 2003-09-25 2005-03-30 华为技术有限公司 Method for selecting a secure communication algorithm
CN1859422A (en) * 2006-03-16 2006-11-08 华为技术有限公司 Method for processing user terminal access to an evolved network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7213144B2 (en) * 2001-08-08 2007-05-01 Nokia Corporation Efficient security association establishment negotiation technique

Also Published As

Publication number Publication date
CN101242630B (en) 2012-10-17
CN102869007A (en) 2013-01-09
WO2008095428A1 (en) 2008-08-14
CN101242630A (en) 2008-08-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230424
Address after: Unit 04-06, Unit 1, Unit 2101, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020
Patentee after: Beijing Heyi Management Consulting Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
CP03 Change of name, title or address
Address after: Unit 03, Room 1501, 15th Floor, Unit 1, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020
Patentee after: Beijing Jingshi Intellectual Property Management Co.,Ltd.
Address before: Unit 04-06, Unit 1, Unit 2101, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020
Patentee before: Beijing Heyi Management Consulting Co.,Ltd.