CN103929735B - Method, device and the user equipment of safe context are updated in user equipment - Google Patents

Info

Publication number: CN103929735B
Authority: CN (China)
Prior art keywords: security context, network, storage unit, updating, message
Legal status: Active
Application number: CN201410138502.0A
Other languages: Chinese (zh)
Other versions: CN103929735A (en)
Inventor: 孙兵
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410138502.0A
Publication of CN103929735A
Application granted
Publication of CN103929735B

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a method, a device and a user equipment for updating a security context in a user equipment, which relate to the field of communication technology and are intended to reduce unnecessary write operations. The method for updating the security context in the UE includes: sending a network attachment message to the network and, during network attachment, using the valid security context in the storage unit to perform at least one of integrity protection and encryption on the message; identifying the security context as invalid information, and prohibiting updating of the security context identified as invalid information in the storage unit; and, when a user-initiated device shutdown instruction is received, writing the currently valid security context into the storage unit to update the security context identified as invalid information. The present invention can be used in network technology.

Description

Method and device for updating security context in user equipment and user equipment
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for updating a security context in a user equipment, and a user equipment.
Background
Currently, when a UE (User Equipment) accesses a wireless communication network, such as an LTE (Long term evolution) network, a negotiation with a network side server, such as an MME (Mobility Management Entity), is required. In order to maintain the integrity and security of the messages during the negotiation process, a security context is typically stored in the UE's identity card or non-volatile memory.
In the prior art, a UE may encounter a network anomaly when accessing or attaching to a network, or may receive a network detach message after it has successfully attached, and these situations cause the security context in the identification card or non-volatile memory to be updated. However, these updates are largely unnecessary. In the following, how an EPS (Evolved Packet System) security context is updated when the UE accesses a network is described by taking as an example the case in which the EPS security context is stored in the USIM (Universal Subscriber Identity Module) card of the UE.
Specifically, after the UE is powered on, it is in the unregistered state (EMM (EPS Mobility Management)-DEREGISTERED). When the attach condition is satisfied, the NAS (Non-Access Stratum) of the UE initiates a network attach procedure and enters the registration-initiated state (EMM-REGISTERED-INITIATED). At this time, the NAS notifies the Radio Resource Control (RRC) layer to establish a link with the network. At the same time, the security context in the USIM card is used, so the validity of the security context in the USIM card is updated, i.e. the security context is identified as invalid. If an abnormal condition such as cell access being barred or the UE being rejected by the network occurs during link establishment, link establishment fails. After learning that link establishment has failed, the NAS may return to the unregistered state, and a new valid security context is written into the USIM card. In this case, the NAS initiates the attach procedure again when the registration timer expires or the user triggers it, and re-enters the registration-initiated state. It will be appreciated that this step causes the security context in the USIM card to be updated again, i.e. the security context is again identified as invalid.
It can be seen from the above that, after the UE is powered on, as long as the UE does not successfully access the network, the security context in the card is updated continuously, that is, the number of writes to the card increases, which shortens the service life of the card.
Disclosure of Invention
The invention provides a method and a device for updating a security context in user equipment and the user equipment, which can reduce unnecessary write operations on a storage unit storing the security context.
In a first aspect of the present invention, a method for updating a security context in a UE is provided, where the method includes:
sending a network attachment message to the network, and using the effective security context in the storage unit to perform at least one of integrity protection and encryption on the message in the network attachment process;
identifying the security context as invalid information;
disabling updating of the security context identified as invalid information in the storage unit;
when a user-initiated device closing instruction is received, writing the currently valid security context into the storage unit to update the security context identified as invalid information.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the prohibiting, in the storage unit, the updating of the security context identified as invalid information includes:
inhibiting receipt of exception messages to avoid updating the security context identified as invalid information; or, if an exception message is received, generating a first security context in response to the exception message, and forbidding writing the first security context in the storage unit;
wherein the exception message includes any one of: cell access is barred; rejected by the network; the random access fails.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the prohibiting, in the storage unit, the updating of the security context identified as invalid information further includes:
disabling reception of network detach messages to avoid updating the security context identified as invalid information; or, if the network detach message is received, generating a second security context in response to the network detach message, and prohibiting writing the second security context in the storage unit.
In a third possible implementation manner of the first aspect, the sending the network attach message to the network includes:
sending a network attachment message to a global system for mobile communications (GSM) or Universal Mobile Telecommunications System (UMTS) network in the network;
said prohibiting updating, in said storage unit, of said security context identified as invalid information comprises: prohibiting updating, in the storage unit, of the security context identified as invalid information when the UE camps from the GSM or UMTS network onto a Long Term Evolution (LTE) network in the network.
With reference to the first possible implementation manner of the first aspect, the second possible implementation manner of the first aspect, or the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the prohibiting writing of the security context in the storage unit includes: setting an indicator indicating a write state of the storage unit to invalid.
With reference to the first possible implementation manner of the first aspect, the second possible implementation manner of the first aspect, the third possible implementation manner of the first aspect, or the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, when receiving a user-initiated device shutdown instruction, the writing the currently valid security context into the storage unit includes:
when receiving a device closing instruction initiated by a user, acquiring the current latest security context;
determining whether the obtained current latest security context is valid;
and if the current latest security context is determined to be valid, writing the current latest security context into the storage unit.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the obtaining a current latest security context includes:
after the UE exchanges information with the network and the security context is updated in that exchange, taking the updated security context as the current latest security context; or,
when a new security context is generated after a new authentication negotiation process is performed between the UE and the network, taking the newly generated security context as the current latest security context.
With reference to the first aspect or any one of the foregoing possible implementation manners of the first aspect, in a seventh possible implementation manner of the first aspect, the storage unit is a subscriber identity module.
In a second aspect of the present invention, an apparatus for updating a security context in a user equipment UE is provided, including:
a sending unit, configured to send a network attach message to a network, and perform at least one of integrity protection and encryption on the message by using the effective security context in the storage unit in the network attach process;
an identification unit, configured to identify the security context as invalid information;
a prohibiting unit configured to prohibit updating of the security context identified as invalid information in the storage unit;
and the writing unit is used for writing the currently effective security context into the storage unit to update the security context identified as invalid information when receiving a device closing instruction initiated by a user.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the prohibiting unit is specifically configured to: inhibiting receipt of exception messages to avoid updating the security context identified as invalid information; or, if an exception message is received, generating a first security context in response to the exception message, and forbidding writing the first security context in the storage unit; wherein the exception message includes any one of: cell access is barred; rejected by the network; the random access fails.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the prohibiting unit is further configured to: disabling reception of network detach messages to avoid updating the security context identified as invalid information; or, if the network detach message is received, generating a second security context in response to the network detach message, and prohibiting writing the second security context in the storage unit.
In a third possible implementation manner of the second aspect, the sending unit is further configured to: send a network attachment message to a Global System for Mobile Communications (GSM) or Universal Mobile Telecommunications System (UMTS) network in the network; in this case, the prohibiting unit is specifically configured to: prohibit updating, in the storage unit, of the security context identified as invalid information when the UE camps from the GSM or UMTS network onto a Long Term Evolution (LTE) network in the network.
With reference to the first possible implementation manner of the second aspect, the second possible implementation manner of the second aspect, or the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the writing unit specifically includes: the acquisition module is used for acquiring the current latest security context when receiving a device closing instruction initiated by a user; a determining module, configured to determine whether the current latest security context acquired by the acquiring module is valid; a write module, configured to write the security context into the storage unit if the determination module determines that the current latest security context is valid.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the obtaining module is specifically configured to: after the UE exchanges information with the network and the security context is updated in that exchange, take the updated security context as the current latest security context; or, after a new authentication negotiation process is performed between the UE and the network and a new security context is generated, take the newly generated security context as the current latest security context.
With reference to the second aspect or any one of the foregoing possible implementations of the second aspect, in a sixth possible implementation of the second aspect, the storage unit is a subscriber identity module.
In a third aspect of the present invention, a UE is provided, where the UE includes the apparatus for updating a security context of the second aspect.
The invention provides a method for updating a security context in User Equipment (UE), wherein a storage unit for storing the security context is arranged in the UE. Firstly, a network attachment message is sent to a network, at least one of integrity protection and encryption is carried out on the message by using the effective security context in the storage unit in the network attachment process, the security context is identified as invalid information, and the security context identified as the invalid information is prohibited from being updated in the storage unit. Then, when the UE receives a user-initiated device shutdown instruction, the currently valid security context is written into the storage unit to update the security context identified as invalid information. Therefore, the method for updating the security context only when the command for closing the device initiated by the user is received avoids the problem that new content is continuously written in the storage unit due to frequent change of the security context. Therefore, the mode can reduce unnecessary writing operation on the storage unit and relatively prolong the service life of the storage unit.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a flowchart illustrating a method for updating security context in a UE according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for updating security context in UE according to a second embodiment of the present invention;
fig. 3 is a flowchart illustrating a method for updating security context in UE according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for updating security context in UE according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus for updating security context in UE according to a fourth embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The embodiment of the invention provides a method for updating a security context in User Equipment (UE). A storage unit for storing the security context is provided at the UE, wherein, optionally, the storage unit may be a subscriber identity module, such as a USIM card. As shown in fig. 1, the method comprises the steps of:
s101, sending a network attachment message to a network, and using the effective security context in the storage unit to perform at least one of integrity protection and encryption on the message in the network attachment process.
For example, when the UE receives a device opening command initiated by a user, the UE starts a device opening procedure, where the network is a wireless communication network, and may include at least one of a GSM (Global System For Mobile Communications), UMTS (Universal Mobile Telecommunications System), and LTE (long term evolution) network. The opening procedure includes, for example, triggering the UE to re-access the LTE network. And under the condition of meeting the LTE network attachment condition, the UE initiates a network attachment process, sends a request for establishing a link to the LTE network and carries the effective security context of the UE in the request.
The security context is used for integrity protection and/or encryption of the message. Specifically, when the security context is used for integrity protection and encryption of a message, it includes a key for integrity protection and encryption, a message count, an integrity algorithm, an encryption algorithm, and the like. In addition, the security context also includes a KSI (Key Set Identifier) parameter, which is used to indicate the validity or invalidity of the security context. Specifically, the KSI can indicate whether the security context is valid or invalid by taking different values. For example, the security context may be defined as valid when the KSI takes any one of the values 0x01, 0x02, … 0x08 and 0x09, and as invalid when the KSI takes any other value. Understandably, a valid security context is one that is waiting to be used, and an invalid security context is one that has already been used.
S102, the security context is marked as invalid information.
For example, according to the step S101 in which the UE initiates a network attach procedure and sends a description of a request for establishing a link to the LTE network, if it is determined that the security context valid in the storage unit is used during the process of establishing a link between the UE and the LTE network, the validity of the security context is updated in the following manner: the value of the KSI parameter in the security context is altered such that the security context is identified as invalid information. The security context is identified as invalid information, i.e., indicating that the security context has been used.
In the above manner, the security context used in establishing the link may be made to be "considered" by the UE as invalid information. Understandably, in this way the security context can be re-identified as valid under certain condition triggers.
S103, the updating of the security context marked as invalid information in the storage unit is forbidden.
Specifically, it is considered that an abnormal situation, such as cell access being prohibited, or rejected by the network, or random access failure, occurs during the process of establishing a link between the UE and the network. In the prior art, when the above abnormal situations occur, the UE receives information about the abnormal situations, considers that the link establishment process fails, and then returns to the unregistered state, and writes a new valid security context in the storage unit. In the embodiment of the present invention, in order to prevent the security context from being changed even if an exception occurs during the link establishment process, the security context identified as invalid information is prohibited from being updated in the storage unit.
Optionally, in an embodiment of the present invention, the step S103 may specifically be:
prohibiting the UE from receiving exception messages to avoid updating the security context identified as invalid information. Or, if the UE receives the exception message, the UE generates the first security context in response to the exception message, and prohibits writing the first security context in the storage unit, that is, the currently valid security context is the new valid security context, which is not written in the storage unit, and therefore does not replace the original used security context. Wherein, the exception message includes any one of the following: cell access is barred; rejected by the network; the random access fails.
It should be noted that, similar to the above method, when the UE initiates a TAU (tracking area update) or SR (scheduling request) procedure, if an abnormal situation rejected by the network occurs, the UE is prohibited from receiving a message of the abnormal situation to avoid updating the security context identified as invalid information; or, if the UE receives the exception message, generating the first security context in response to the exception message, and prohibiting writing the currently valid security context in the storage unit.
Further, the UE may also receive a detach message from the network after the network attach is successful, so that the security context in the storage unit is updated. Therefore, optionally, in an embodiment of the present invention, the step S103 may further specifically be:
prohibiting the UE from receiving a network detach message to avoid updating the security context identified as invalid information; or, if the UE receives the network detach message, generating a second security context in response to the network detach message, and prohibiting writing the second security context in the storage unit.
In addition, optionally, in a specific embodiment of the present invention, when the UE sends the network attach message to a Global System for Mobile Communications (GSM) or Universal Mobile Telecommunications System (UMTS) network in the network, the step S103 may further specifically be:
prohibiting updating, in the storage unit, of the security context identified as invalid information when the UE camps from the GSM or UMTS network onto a Long Term Evolution (LTE) network in the network.
From the above, it can be seen that this embodiment avoids rewriting the storage unit when the UE camps from a GSM/UMTS network onto an LTE network. Therefore, the method can reduce unnecessary write operations on the storage unit storing the security context and relatively prolong the service life of the storage unit.
In the foregoing embodiments, optionally, the prohibiting writing of the security context in the storage unit may specifically be setting an identifier indicating a write status of the storage unit to be invalid. That is, even if the UE receives an exception message and thus acquires a currently valid security context, the acquired security context cannot be written into the storage unit.
S104, when receiving a device closing instruction initiated by a user, writing the currently valid security context into the storage unit to update the security context identified as invalid information.
Specifically, in a specific embodiment of the present invention, an instruction to close the device initiated by the user is received, and before the user device is closed, the step S103 may be further specifically divided into the following steps:
1031, when receiving an instruction of closing the device initiated by the user, acquiring the current latest security context;
1032, determining whether the obtained current latest security context is valid;
1033, if the current latest security context is determined to be valid, writing the current latest security context into the storage unit.
Further, in an embodiment of the present invention, the obtaining of the current latest security context in step 1031 may further be specifically:
after the UE exchanges information with the network and the security context is updated in that exchange, taking the updated security context as the current latest security context; or,
when a new security context is generated after a new authentication negotiation process is carried out between the UE and the network, taking the newly generated security context as the current latest security context.
The embodiment of the invention provides a method for updating a security context in User Equipment (UE), wherein a storage unit for storing the security context is arranged in the UE. Firstly, a network attachment message is sent to a network, at least one of integrity protection and encryption is carried out on the message by using the effective security context in the storage unit in the network attachment process, the security context is identified as invalid information, and the security context identified as the invalid information is prohibited from being updated in the storage unit. Then, when the UE receives a user-initiated device shutdown instruction, the currently valid security context is written into the storage unit to update the security context identified as invalid information. Therefore, the method for updating the security context only when the command for closing the device initiated by the user is received avoids the problem that new content is continuously written in the storage unit due to frequent change of the security context. Therefore, the mode can reduce unnecessary writing operation on the storage unit and relatively prolong the service life of the storage unit.
Example two
In order to better understand the technical solution of the method for updating a security context provided by the embodiment of the present invention, in the second embodiment of the present invention, a method for updating a security context in a UE provided by the present invention is described in detail by taking an example that a storage unit is specifically a USIM card and the UE is powered on to access a network.
As shown in fig. 2, the UE includes NAS, RRC, and USIM. The security context may be specifically an EPS security context in an embodiment of the present invention. Thus, the method of updating a security context comprises the steps of:
in step 201, the NAS receives a UE start instruction initiated by a user.
Step 202, after receiving the UE start instruction, the NAS initiates a network attach procedure when the network attach condition is satisfied.
In step 203, the NAS notifies the RRC to establish a link with the NW (network).
Wherein the EPS security context within the USIM is used when the NAS notifies the RRC to establish a link with the NW.
In step 204, the RRC initiates a request to establish a link to the NW.
In step 205, when the EPS security context is used, the NAS notifies the USIM to identify the EPS security context as invalid information.
In step 206, the USIM identifies the EPS security context as invalid information.
In step 207, the NAS receives a UE shutdown indication initiated by the user.
Step 208, before the UE is closed, the NAS acquires the current and latest EPS security context.
At step 209, the NAS determines that the current latest EPS security context is a valid security context.
At step 210, the USIM rewrites the new valid EPS security context.
Between step 206 and step 207, the NAS may be configured to be prohibited from receiving any information that would result in a new EPS security context being rewritten in the USIM; alternatively, after receiving such information, the EMM may prohibit the write operation upon determining that the information would result in a new EPS security context being rewritten in the USIM. Such information includes abnormal information such as cell access being barred, network rejection or random access failure, and the detach message.
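As an added illustration of the S101 to S104 procedure of Example one and the step 201 to 210 sequence of Example two (constructed example code, not code from the patent or from Huawei), the following simulation models the USIM as a storage unit that counts writes and compares the prior-art behaviour with the patented policy, using the second alternative of S103: the exception or detach message is received, a new context is generated, but the card write is refused by setting the write-state indicator invalid. The KSI encoding, the class and event names, and the placeholder key bytes are assumptions.

```python
from dataclasses import dataclass, replace

KSI_INVALID = 0x00  # constructed: any value outside 0x01..0x09 means "used/invalid"

@dataclass(frozen=True)
class SecurityContext:
    """Key material, message count and a KSI whose value encodes validity."""
    ksi: int
    key: bytes
    count: int = 0

    def is_valid(self) -> bool:
        return 0x01 <= self.ksi <= 0x09

class Usim:
    """The storage unit; every modification of the stored context is one card write."""

    def __init__(self, ctx: SecurityContext):
        self.context = ctx
        self.writes = 0
        self.write_enabled = True  # the "write state indicator" of S103

    def mark_invalid(self) -> None:
        """S102 / steps 205-206: flag the stored context as used (idempotent)."""
        if self.context.is_valid():
            self.context = replace(self.context, ksi=KSI_INVALID)
            self.writes += 1

    def write(self, ctx: SecurityContext) -> bool:
        if not self.write_enabled:
            return False  # S103: write prohibited
        self.context = ctx
        self.writes += 1
        return True

class Nas:
    EXCEPTIONS = ("cell_barred", "network_rejected", "random_access_failed")

    def __init__(self, usim: Usim, reduce_writes: bool):
        self.usim = usim
        self.reduce_writes = reduce_writes  # False reproduces the prior-art behaviour
        self.state = "EMM-DEREGISTERED"
        self.current = usim.context  # currently valid context held in RAM
        self._next_key = 1

    def _new_context(self) -> SecurityContext:
        # constructed stand-in for the context a new authentication negotiation yields
        self._next_key += 1
        return SecurityContext(ksi=0x01, key=bytes([self._next_key]) * 16)

    def _on_new_context(self, ctx: SecurityContext) -> None:
        """S103: keep the new context in RAM; patented policy clears the write indicator."""
        if self.reduce_writes:
            self.usim.write_enabled = False
        self.usim.write(ctx)  # refused when prohibited, succeeds in the prior art
        self.current = ctx

    def attach(self, outcome: str) -> None:
        """S101 + S102: protect the attach with the valid context, then mark it used."""
        if self.usim.context.is_valid():
            self.current = self.usim.context
        self.state = "EMM-REGISTERED-INITIATED"
        self.usim.mark_invalid()
        if outcome in self.EXCEPTIONS:
            self.state = "EMM-DEREGISTERED"
            self._on_new_context(self._new_context())
        elif outcome == "ok":
            self.state = "EMM-REGISTERED"
            # interaction with the network updates the context (step 1031, first case)
            self.current = replace(self.current, count=self.current.count + 1)
        else:
            raise ValueError(f"unknown attach outcome: {outcome}")

    def network_detach(self) -> None:
        """Detach message after a successful attach: a second context is generated."""
        self.state = "EMM-DEREGISTERED"
        self._on_new_context(self._new_context())

    def shutdown(self) -> bool:
        """S104 / steps 207-210: on user shutdown, write the latest context if valid."""
        self.usim.write_enabled = True  # user-initiated shutdown re-permits the write
        if self.current.is_valid():
            return self.usim.write(self.current)
        return False

def run(outcomes, detach=False, reduce_writes=True) -> Usim:
    """Power on with a valid stored context, play the outcomes, shut down; return the card."""
    usim = Usim(SecurityContext(ksi=0x01, key=b"\x01" * 16))
    nas = Nas(usim, reduce_writes)
    for outcome in outcomes:
        nas.attach(outcome)
    if detach:
        nas.network_detach()
    nas.shutdown()
    return usim
```

Three failed attach attempts followed by a successful one cost the prior-art policy eight card writes in this model, while the patented policy writes twice (the mark-invalid at the first attach and the single write at shutdown) regardless of how many attempts fail.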
Example three
Corresponding to the first embodiment, a third embodiment of the present invention provides an apparatus 40 for updating a security context in a UE, where the UE is provided with a storage unit for storing the security context. As shown in fig. 3, the apparatus includes:
a sending unit 401, configured to send a network attach message to a network, and perform at least one of integrity protection and encryption on the message by using an effective security context in a storage unit in a network attach process;
an identifying unit 402, configured to identify the security context as invalid information;
a prohibiting unit 403, configured to prohibit updating of the security context identified as invalid information in the storage unit;
a writing unit 404, configured to, when receiving a device shutdown instruction initiated by a user, write a currently valid security context into a storage unit to update the security context identified as invalid information.
The third embodiment of the present invention provides an apparatus 40 for updating security context. The sending unit 401 sends the network attach message to the network, and performs at least one of integrity protection and encryption on the message by using the security context valid in the storage unit during the network attach process. The identifying unit 402 identifies the security context as invalid information, and the prohibiting unit 403 prohibits updating of the security context identified as invalid information in the storage unit. Then, when receiving a user-initiated command to close the device, the writing unit 404 writes the currently valid security context into the storage unit. Therefore, the device for updating the security context only when receiving the command of closing the device initiated by the user avoids the problem that the security context is frequently changed so as to continuously write new content in the storage unit. Therefore, the device can reduce unnecessary writing operation in the storage unit and relatively prolong the service life of the storage unit.
Optionally, in an embodiment of the present invention, the prohibiting unit 403 is specifically configured to inhibit receipt of exception messages, so as to avoid updating the security context identified as invalid information; or, if an exception message is received, to generate a first security context in response to the exception message and to forbid writing the first security context into the storage unit; wherein the exception message includes any one of: cell access is barred; rejected by the network; the random access fails.
Further, in an embodiment of the present invention, after the network attach is successful, the prohibiting unit 403 is further configured to disable reception of network detach messages, so as to avoid updating the security context identified as invalid information; or, if a network detach message is received, to generate a second security context in response to the network detach message and to prohibit writing the second security context into the storage unit.
Optionally, in an embodiment of the present invention, the sending unit 401 is specifically configured to send the network attachment message to a Global System for Mobile Communications (GSM) or Universal Mobile Telecommunications System (UMTS) network within the network;
in this case, the prohibiting unit 403 is specifically configured to prohibit updating, in the storage unit, the security context identified as invalid information when the UE moves (camps) from the GSM or UMTS network to a Long Term Evolution (LTE) network within the network.
Optionally, in an embodiment of the present invention, as shown in fig. 4, the writing unit 404 specifically includes: an obtaining module 4041, configured to obtain the current latest security context when receiving an instruction to close the device initiated by a user; a determining module 4042, configured to determine whether the current latest security context obtained by the obtaining module 4041 is valid; and a writing module 4043, configured to write that security context into the storage unit if the determining module 4042 determines that the current latest security context is valid.
Further, in an embodiment of the present invention, the obtaining module 4041 is specifically configured to:
after the UE exchanges information with the network, take the security context updated in the network as the current latest security context; or, after a new authentication negotiation process is performed between the UE and the network and a new security context is generated, take the newly generated security context as the current latest security context.
It should be noted that for specific functions of each structural unit of the device for updating security context 40 in the UE provided by the third embodiment of the present invention, please refer to the foregoing method embodiments, which are not described herein again.
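As an added illustration, not code from the patent or from Huawei, the following Python simulation contrasts a UE that writes the storage unit on every security-context change with one that applies the policy of the third embodiment: mark the stored context invalid after the attach message has been protected with it, hold a write-state indicator (the indicator of claim 5) at invalid while exception messages, a network detach and a GSM/UMTS-to-LTE reselection each produce a new context in RAM, and write once at shutdown only if the latest context is valid. All class names, event names and the SHA-256 stand-in for key derivation are constructed assumptions; real NAS contexts and SIM/NVRAM access look nothing like this.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SecurityContext:
    """Minimal stand-in for a NAS security context (constructed, not a 3GPP layout)."""
    ksi: int       # key set identifier, 0..7
    key: bytes     # derived key material
    valid: bool = True


def derive_context(prev: SecurityContext, event: str) -> SecurityContext:
    """Constructed stand-in for deriving a fresh context after a NAS event."""
    material = hashlib.sha256(prev.key + event.encode()).digest()[:16]
    return SecurityContext(ksi=(prev.ksi + 1) % 8, key=material, valid=True)


class StorageUnit:
    """Non-volatile storage unit (SIM / NVRAM) that counts how often it is written."""

    def __init__(self, ctx: SecurityContext) -> None:
        self.ctx = ctx
        self.writes = 0
        self.write_enabled = True  # claim 5: indicator of the write state

    def write(self, ctx: SecurityContext) -> bool:
        if not self.write_enabled:
            return False           # write forbidden while the indicator is invalid
        self.ctx = ctx
        self.writes += 1
        return True


class Ue:
    """UE that either writes on every context change (naive) or coalesces to shutdown."""

    def __init__(self, storage: StorageUnit, coalesce: bool) -> None:
        self.storage = storage
        self.coalesce = coalesce
        self.current = storage.ctx    # context loaded from the storage unit at power-on
        self.stored_is_valid = True   # what the identifying unit tracks

    def attach(self) -> str:
        # Sending unit: protect the attach message with the stored, still-valid context.
        mac = hashlib.sha256(self.current.key + b"ATTACH REQUEST").hexdigest()[:8]
        if self.coalesce:
            self.stored_is_valid = False           # identifying unit
            self.storage.write_enabled = False     # prohibiting unit
        return mac

    def on_event(self, event: str) -> None:
        # Exception messages, detach and 2G/3G -> LTE reselection each yield a new context.
        nxt = derive_context(self.current, event)
        if event == "AUTH_FAILURE":
            nxt = SecurityContext(nxt.ksi, nxt.key, valid=False)
        self.current = nxt
        if not self.coalesce:
            self.storage.write(nxt)                # naive UE: one write per change

    def shutdown(self) -> int:
        if self.coalesce:
            latest = self.current                  # obtaining module
            if latest.valid:                       # determining module
                self.storage.write_enabled = True
                self.storage.write(latest)         # writing module
                self.stored_is_valid = True
        return self.storage.writes


INITIAL = SecurityContext(ksi=0, key=b"\x00" * 16)
# Constructed session: the three exception cases, a reselection, then a detach.
SESSION: List[str] = ["CELL_BARRED", "REJECTED_BY_NETWORK", "RANDOM_ACCESS_FAILED",
                      "RESELECT_UMTS_TO_LTE", "NETWORK_DETACH"]


def run_session(coalesce: bool, events: Iterable[str] = SESSION) -> Dict[str, object]:
    """Power on, attach, replay the events, shut down; report what reached storage."""
    storage = StorageUnit(INITIAL)
    ue = Ue(storage, coalesce)
    ue.attach()
    for ev in events:
        ue.on_event(ev)
    writes = ue.shutdown()
    return {"writes": writes, "stored_ksi": storage.ctx.ksi,
            "current_ksi": ue.current.ksi, "stored_valid": storage.ctx.valid}


if __name__ == "__main__":
    print("naive     :", run_session(False))
    print("coalesced :", run_session(True))
    print("invalid at shutdown:", run_session(True, SESSION + ["AUTH_FAILURE"]))
```

The third run exercises the edge case the determining module exists for: when the latest context is invalid at shutdown nothing is written, so the storage unit keeps the last context that was good, and the next power-on does not start from a bad one. The cost of the policy is visible in the same model: between attach and shutdown the stored context lags the in-memory one, which is acceptable only because the invention re-synchronises them at shutdown.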
Example four
Fig. 5 is a diagram illustrating another embodiment of an apparatus for updating security context in a UE according to a fourth embodiment of the present invention, and a sixth embodiment of the present invention corresponds to the fourth embodiment. As shown in fig. 5, the apparatus 60 for updating security context in UE according to the fourth embodiment includes a processor 601, a memory 602, a transmitter 603, and a receiver 604. Wherein:
the memory 602 is used to store executable program code, including computer operating instructions. In an embodiment of the present invention, memory 602 is also used to store security contexts. Optionally, the memory may be a subscriber identity module, such as a non-volatile memory or some kind of identification card.
The transmitter 603 sends a network attach message to the network and uses the security context valid in the memory 602 during the network attach procedure.
The processor 601 reads the executable program code stored in the memory 602 and runs the corresponding program in order to identify the security context as invalid information and to prohibit updates, in the memory 602, to the security context identified as invalid information.
Further, when the receiver 604 receives a user-initiated close device instruction, the processor 601 writes the currently valid security context to the memory 602 to update the security context identified as invalid information.
The fourth embodiment of the present invention provides an apparatus 60 for updating security context. The transmitter 603 sends a network attach message to the network and uses the security context valid in the memory 602 during the network attach procedure; the processor 601 is configured to identify the security context as invalid information and to disable updates to the security context identified as invalid information in the memory 602. Then, when the receiver 604 receives a user-initiated close device instruction, the processor 601 writes the currently valid security context into the memory 602 to update the security context identified as invalid information. Because the apparatus 60 updates the stored security context only when a user-initiated command to close the device is received, it avoids the problem that frequent changes to the security context lead to continuous writing of new content into the storage unit. The apparatus can therefore reduce unnecessary write operations in the memory 602 and correspondingly extend the life of the memory cells.
Optionally, in an embodiment of the present invention, the processor 601 is specifically configured to disable the receiver 604 from receiving exception messages, so as to avoid updating the security context identified as invalid information; alternatively, if the receiver 604 receives an exception message, a first security context is generated in response to the exception message and writing of the first security context into the memory 602 is prohibited; wherein the exception message includes any one of: cell access is barred; rejected by the network; the random access fails.
Optionally, in an embodiment of the present invention, after the network attachment is successful, the processor 601 is further configured to disable reception of network detach messages, so as to avoid updating the security context identified as invalid information; alternatively, if the receiver 604 receives a network detach message, a second security context is generated in response to the network detach message and writing of the second security context into the memory 602 is prohibited.
Optionally, in an embodiment of the present invention, the transmitter 603 is further configured to send the network attach message to a GSM or UMTS network within the network;
in this case, the processor 601 is specifically configured to prohibit updating, in the storage unit, the security context identified as invalid information when the UE moves (camps) from the GSM or UMTS network to a Long Term Evolution (LTE) network within the network.
Optionally, in an embodiment of the present invention, when the receiver 604 receives a command to close the device initiated by a user, the processor 601 obtains a current latest security context, and determines whether the obtained current latest security context is valid; if the current, up-to-date security context is determined to be valid, the security context is written to memory 602.
Further, in an embodiment of the present invention, the processor 601 is specifically configured to: after the UE exchanges information with the network, take the security context updated in the network as the current latest security context; or, after a new authentication negotiation process is performed between the UE and the network and a new security context is generated, take the newly generated security context as the current latest security context.
The processor 601 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The processor 601 is further configured to perform any steps involved in embodiments of the method of the present invention, which are not described in detail herein.
In addition, the present invention also provides a UE, where the UE includes the apparatus described in the third embodiment, or the UE includes the apparatus described in the fourth embodiment.
The UE may be a mobile internet access device such as a mobile phone, a laptop, a tablet computer, and a personal digital assistant.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points.
It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiment of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus necessary general hardware, and may also be implemented by special hardware including special integrated circuits, special CPUs, special memories, special components and the like. Generally, functions performed by computer programs can be easily implemented by corresponding hardware, and specific hardware structures for implementing the same functions may be various, such as analog circuits, digital circuits, or dedicated circuits. However, the implementation of a software program is a more preferable embodiment for the present invention. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk of a computer, and includes instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (14)

1. A method for updating security context in a user equipment, comprising:
sending a network attachment message to the network, and using the effective security context in the storage unit to perform at least one of integrity protection and encryption on the message in the network attachment process;
identifying the security context as invalid information;
disabling updating of the security context identified as invalid information in the storage unit;
when receiving a command of closing the equipment initiated by a user, writing the currently effective security context into the storage unit to update the security context identified as invalid information;
wherein writing the currently valid security context into the storage unit when receiving the user-initiated device shutdown instruction comprises: acquiring the current latest security context when the device shutdown instruction initiated by the user is received; determining whether the acquired current latest security context is valid; and, if the current latest security context is determined to be valid, writing the current latest security context into the storage unit.
2. The method of claim 1, wherein said inhibiting the updating of the security context identified as invalid information in the storage unit comprises:
inhibiting receipt of exception messages to avoid updating the security context identified as invalid information;
or, if an exception message is received, generating a first security context in response to the exception message, and forbidding writing the first security context in the storage unit;
wherein the exception message includes any one of:
cell access is barred; rejected by the network; the random access fails.
3. The method of claim 1 or 2, wherein said inhibiting updating the security context identified as invalid information in the storage unit further comprises:
disabling reception of network detach messages to avoid updating the security context identified as invalid information; or,
if the network detach message is received, generating a second security context in response to the network detach message, and forbidding writing the second security context in the storage unit.
4. The method of claim 1, wherein sending a network attach message to a network comprises:
sending a network attachment message to a global system for mobile communications (GSM) or Universal Mobile Telecommunications System (UMTS) network in the network;
said inhibiting updating in said storage unit said security context identified as invalid information comprises: prohibiting updating, in the storage unit, the security context identified as invalid information when the UE moves (camps) from the GSM or UMTS network to a Long Term Evolution (LTE) network within the network.
5. The method of claim 2, wherein said inhibiting writing of a security context in the storage unit comprises: setting an indicator indicating a write state of the memory cell to invalid.
6. The method of claim 1, wherein obtaining the current and latest security context comprises:
after the UE exchanges information with the network, updating the security context in the network, and taking the updated security context as the current latest security context; or,
when a new security context is generated after a new authentication negotiation process is carried out between the UE and the network, taking the newly generated security context as the current latest security context.
7. The method of claim 1, wherein the storage unit is a subscriber identity module.
8. An apparatus for updating security context in a User Equipment (UE), comprising:
a sending unit, configured to send a network attach message to a network, and perform at least one of integrity protection and encryption on the message by using the effective security context in the storage unit in the network attach process;
an identification unit, configured to identify the security context as invalid information;
a prohibiting unit configured to prohibit updating of the security context identified as invalid information in the storage unit;
a writing unit, configured to write a currently valid security context into the storage unit to update the security context identified as invalid information when receiving a device shutdown instruction initiated by a user;
wherein, the write unit specifically includes: the acquisition module is used for acquiring the current latest security context when receiving a device closing instruction initiated by a user; a determining module, configured to determine whether the current latest security context acquired by the acquiring module is valid; a write module, configured to write the security context into the storage unit if the determination module determines that the current latest security context is valid.
9. The apparatus of claim 8,
the prohibiting unit is specifically configured to:
inhibiting receipt of exception messages to avoid updating the security context identified as invalid information;
or, if an exception message is received, generating a first security context in response to the exception message, and forbidding writing the first security context in the storage unit;
wherein the exception message includes any one of:
cell access is barred; rejected by the network; the random access fails.
10. The apparatus according to claim 8 or 9,
the inhibiting unit is further configured to:
disabling reception of network detach messages to avoid updating the security context identified as invalid information;
or, if the network detach message is received, generating a second security context in response to the network detach message, and prohibiting writing the second security context in the storage unit.
11. The apparatus of claim 8,
the sending unit is further configured to: sending a network attachment message to a global system for mobile communications (GSM) or Universal Mobile Telecommunications System (UMTS) network in the network;
the prohibiting unit is specifically configured to: prohibit updating, in the storage unit, the security context identified as invalid information when the UE moves (camps) from the GSM or UMTS network to a Long Term Evolution (LTE) network within the network.
12. The apparatus of claim 9, wherein the obtaining module is specifically configured to:
after the UE exchanges information with the network, updating the security context in the network, and taking the updated security context as the current latest security context; or,
when a new security context is generated after a new authentication negotiation process is carried out between the UE and the network, taking the newly generated security context as the current latest security context.
13. The apparatus of claim 9, wherein the storage unit is a subscriber identity module.
14. A UE, characterized in that the UE comprises the apparatus for updating security context of any of claims 8-13.
CN201410138502.0A 2014-04-08 2014-04-08 Method, device and the user equipment of safe context are updated in user equipment Active CN103929735B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410138502.0A CN103929735B (en) 2014-04-08 2014-04-08 Method, device and the user equipment of safe context are updated in user equipment

Publications (2)

Publication Number Publication Date
CN103929735A CN103929735A (en) 2014-07-16
CN103929735B true CN103929735B (en) 2017-06-20

Family

ID=51147784

Country Status (1)

Country Link
CN (1) CN103929735B (en)
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant