CN104244247A - Non-access stratum security algorithm processing method, access stratum security algorithm processing method, and equipment

Publication number: CN104244247A
Application number: CN201310226174.5A
Authority: CN (China)
Legal status: granted; active
Granted version: CN104244247B
Original language: Chinese (zh)
Inventors: 许怡娴, 崔洋, 陈璟
Assignee (original and current): Huawei Technologies Co Ltd
Priority application: CN201310226174.5A
Related PCT application: PCT/CN2014/078658 (published as WO2014194787A1)
Prior art keywords: algorithm, integrity, security, capability information, home area

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/10: Integrity
    • H04W 12/03: Protecting confidentiality, e.g. by encryption
    • H04W 12/037: Protecting confidentiality of the control plane, e.g. signalling traffic
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Managing network security; network security policies in general
    • H04L 63/205: Negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved

Abstract

Embodiments of the invention provide a non-access stratum (NAS) security algorithm processing method, an access stratum (AS) security algorithm processing method, and corresponding equipment. The NAS security algorithm processing method comprises: a mobility management entity (MME) determines the home area of a user equipment (UE) according to an identifier of the UE; and the MME determines, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use. The methods and equipment provided by the embodiments can provide a security protection mechanism for user equipment, including UEs that do not support the preset security algorithm.

Description

Non-access stratum and access stratum security algorithm processing methods and equipment
Technical field
The embodiments of the present invention relate to communication technology, and in particular to non-access stratum and access stratum security algorithm processing methods and equipment.
Background art
In communication systems, data security is realized through algorithms; the various algorithms provide confidentiality and integrity protection for data.
The algorithms approved by the 3rd Generation Partnership Project (3GPP) mainly comprise three: the Advanced Encryption Standard (AES) algorithm, the SNOW 3G algorithm, and the ZUC (Zu Chongzhi) algorithm, of which ZUC is an optional algorithm.
However, in the prior art, the encryption algorithms and integrity protection algorithms supported by different user equipment (UE) differ greatly, and in particular some UEs do not support the preset security algorithm, so that the mobility management entity (MME) or the base station cannot provide a security protection mechanism for all UEs.
Summary of the invention
The embodiments of the present invention provide non-access stratum and access stratum security algorithm processing methods and equipment, in order to provide a security protection mechanism for user equipment.
In a first aspect, an embodiment of the present invention provides a non-access stratum security algorithm processing method, comprising:
a mobility management entity (MME) determines the home area of a user equipment (UE) according to an identifier of the UE; and
the MME determines, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use.
With reference to the first aspect, in a first possible implementation of the first aspect, the MME determining, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use comprises:
the MME determines that the home area of the UE is a preset area, and then determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, the MME selects an integrity protection algorithm according to a preset integrity protection algorithm priority and/or selects an encryption algorithm according to a preset encryption algorithm priority; or, the MME determines that the home area of the UE is a non-preset area, and then determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm; or
the MME determines, according to the security capability information, that the UE does not support the preset security algorithm, and then determines whether the home area of the UE is a preset area; if so, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; if not, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm. (The two orderings test the same two conditions and reach the same selection; they differ only in which condition the MME evaluates first.)
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before the MME determines the home area of the UE according to the identifier of the UE, the method further comprises:
the MME receives a Redirection Request message sent by an SGSN, the Redirection Request message comprising the identifier and the security capability information of the UE; or
the MME receives an Attach Request message sent by the UE, the Attach Request message comprising the identifier and the security capability information of the UE; or
the MME receives a location update request message sent by the UE, the location update request message comprising the identifier and the security capability information of the UE.
With reference to the first aspect, in a third possible implementation of the first aspect, before the MME determines the home area of the UE according to the identifier of the UE, the method further comprises:
the MME receives a Redirection Request message sent by an SGSN, the Redirection Request message comprising the identifier of the UE, or the MME receives a location update request message sent by the UE, the location update request message comprising the identifier of the UE; and
the MME determining, according to the home area of the UE and the security capability information, the encryption algorithm and/or integrity protection algorithm that the UE can use comprises:
the MME determines that the Redirection Request message or the location update request message does not contain the security capability information and that the home area of the UE is a preset area, and then selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or
the MME determines that the Redirection Request message or the location update request message does not contain the security capability information and that the home area of the UE is a non-preset area, and then selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the MME determining the home area of the UE according to the identifier comprises:
the MME determines that the identifier is an international mobile subscriber identity (IMSI), obtains the MNC and MCC from the IMSI, and determines the home area of the UE according to the MNC and MCC; or
the MME determines that the identifier is a temporary identifier, obtains the IMSI corresponding to the temporary identifier, obtains the MNC and MCC from that IMSI, and determines the home area of the UE according to the MNC and MCC; or
the MME determines that the identifier is a mobile subscriber number (MSISDN), and determines the home area of the UE according to the MSISDN; or
the MME sends an identification request message containing the identifier to a network entity device and receives an identification response message from the network entity device, the identification response message comprising the home area of the UE, or comprising a recognizable identifier from which the MME can determine the home area of the UE.
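The decision tree of the first aspect, together with the IMSI-based home-area lookup of the fourth implementation, as an added Python example; it is not code from the patent or from Huawei. Everything concrete in it is assumed for illustration: that ZUC (EEA3/EIA3 in 3GPP naming) is the preset security algorithm, the two priority lists, the MCC/MNC pairs that make up the preset area, and the partial table of MCCs whose MNCs are three digits long. Capability information missing from the request (the third implementation) is modelled as `ue_caps=None`. Note what the non-preset-area branch does: a UE that does not support the preset algorithm gets integrity protection only, with the null algorithm (EEA0) for encryption, so its NAS signaling is authenticated but travels in the clear. The example surfaces that outcome in a `confidential` flag rather than leaving it implicit.

```python
"""Added example (not code from the patent or from Huawei): MME-side NAS
algorithm selection per the first aspect of CN104244247A, with the IMSI-based
home-area lookup of its fourth implementation.  Algorithm names follow 3GPP
EPS (EEA = encryption, EIA = integrity, EEA0/EIA0 = null).  Which algorithm is
the 'preset security algorithm', the priority lists and the PLMNs forming the
'preset area' are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

NULL_ENC = "EEA0"
PRESET_ALGORITHMS = frozenset({"EEA3", "EIA3"})   # assumed: ZUC is the preset algorithm
ENC_PRIORITY = ("EEA3", "EEA1", "EEA2")            # assumed preset encryption priority
INT_PRIORITY = ("EIA3", "EIA1", "EIA2")            # assumed preset integrity priority; never EIA0
PRESET_AREA_PLMNS = frozenset({("460", "00"), ("460", "01")})  # assumed home PLMNs

# MCCs whose MNCs are three digits long; illustrative subset, not authoritative.
THREE_DIGIT_MNC_MCCS = frozenset({"310", "311", "312", "313", "316"})


def split_imsi(imsi: str) -> Tuple[str, str]:
    """Return (MCC, MNC) from an IMSI: 3-digit MCC followed by a 2- or 3-digit MNC."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len]


def in_preset_area(imsi: str) -> bool:
    """Home-area decision of the fourth implementation: PLMN taken from the IMSI."""
    return split_imsi(imsi) in PRESET_AREA_PLMNS


def pick_by_priority(priority: Tuple[str, ...], supported: FrozenSet[str]) -> Optional[str]:
    """First algorithm in the preset priority list that the UE declared support for."""
    return next((alg for alg in priority if alg in supported), None)


@dataclass(frozen=True)
class Selection:
    integrity: Optional[str]    # None: no acceptable integrity algorithm, caller must reject
    encryption: Optional[str]
    confidential: bool          # False whenever the null encryption algorithm was chosen


def select_nas_algorithms(preset_area: bool, ue_caps: Optional[FrozenSet[str]]) -> Selection:
    """Decision tree of the first aspect.  ue_caps=None models the third
    implementation: the request carried no security capability information,
    so the MME selects from the preset priority lists alone."""
    if ue_caps is None:
        integrity = INT_PRIORITY[0]
        encryption = ENC_PRIORITY[0] if preset_area else NULL_ENC
        return Selection(integrity, encryption, encryption != NULL_ENC)
    if PRESET_ALGORITHMS <= ue_caps:
        # UE supports the preset security algorithm: use it (cf. the third indication).
        return Selection("EIA3", "EEA3", True)
    # UE lacks the preset algorithm.  Integrity always comes from the priority list.
    integrity = pick_by_priority(INT_PRIORITY, ue_caps)
    if preset_area:
        encryption = pick_by_priority(ENC_PRIORITY, ue_caps)
        return Selection(integrity, encryption, encryption is not None)
    # Non-preset area without the preset algorithm: integrity only, null ciphering.
    return Selection(integrity, NULL_ENC, False)


def select_for_imsi(imsi: str, ue_caps: Optional[FrozenSet[str]]) -> Selection:
    """MME entry point: identifier -> home area -> algorithm selection."""
    return select_nas_algorithms(in_preset_area(imsi), ue_caps)
```

`select_for_imsi` is the MME entry point. A `None` integrity result means nothing in the preset integrity list is common with the UE's declared capabilities; the caller should treat that as a rejection rather than falling through to an unprotected NAS context.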
In a second aspect, an embodiment of the present invention provides an access stratum security algorithm processing method, comprising:
a base station obtains the home area of a UE and the security capability information of the UE, or obtains security algorithm information of the UE; and
the base station determines, according to the home area of the UE and the security capability information of the UE, or according to the security algorithm information, the encryption algorithm and/or integrity protection algorithm that the UE can use;
where the security algorithm information comprises any one or a combination of: the security capability information of the UE, an algorithm selection indication, and the encryption algorithm and integrity protection algorithm that the UE can use.
With reference to the second aspect, in a first possible implementation of the second aspect, the base station determining, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use comprises:
the base station determines that the home area of the UE is a preset area, and then determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or, the base station determines that the home area of the UE is a non-preset area, and then determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm; or
the base station determines, according to the security capability information of the UE, that the UE does not support the preset security algorithm, and then determines whether the home area of the UE is a preset area; if so, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the base station obtaining the home area of the UE and the security capability information of the UE comprises:
the base station receives attach information and the security capability information of the UE sent by the MME, and determines the home area of the UE according to an area indication in the attach information; or
the base station receives a handover request message sent by the MME, the handover request message comprising the security capability information of the UE and the home area of the UE.
With reference to the second aspect, in a third possible implementation of the second aspect, the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use comprises:
if the home area of the UE is a non-preset area and the UE does not support the preset security algorithm, the base station receives from the MME the integrity protection algorithm and/or encryption algorithm that the UE can use, where the integrity protection algorithm is one included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
if the home area of the UE is a non-preset area and the UE does not support the preset security algorithm, the base station receives a first algorithm selection indication sent by the MME, the first algorithm selection indication instructing the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or instructing the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbidding the base station from selecting any encryption algorithm other than the null algorithm.
With reference to the second aspect, in a fourth possible implementation of the second aspect, the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use comprises:
if the home area of the UE is a preset area, the base station receives the security capability information of the UE sent by the MME and determines, according to it, whether the UE supports the preset security algorithm; if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or
if the home area of the UE is a preset area and the UE does not support the preset security algorithm, the base station receives a second algorithm selection indication sent by the MME, the second algorithm selection indication instructing the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
if the home area of the UE is a preset area and the UE supports the preset security algorithm, the base station receives a third algorithm selection indication sent by the MME, the third algorithm selection indication instructing the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
With reference to the third or fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the method further comprises:
the base station sends the security capability information of the base station to the MME, so that the MME can determine the security algorithm information of the UE.
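The algorithm selection indications of the third and fourth implementations of the second aspect, and the base station's handling of them after it has reported its own capabilities to the MME (fifth implementation), as an added Python example that is not code from the patent or from Huawei. The three `Indication` values, the priority lists, the choice of ZUC as the preset algorithm, and the assumption that the MME issues the third indication whenever the preset algorithm is common to the UE and the base station (the page only describes that indication for a UE in the preset area) are all illustrative. The first indication is the one that removes confidentiality from the air interface, so the base station treats it as an explicit policy decision and will not activate any cipher other than EEA0 under it, and it raises rather than silently activating AS security when no common integrity algorithm exists.

```python
"""Added example (not code from the patent or from Huawei): the MME-to-base-
station algorithm selection indications of CN104244247A's second aspect and
the base station's handling of them.  Indication encoding, priority lists
and the preset algorithm are assumptions; names follow 3GPP EPS."""
from enum import Enum
from typing import FrozenSet, Optional, Tuple

NULL_ENC = "EEA0"
PRESET_ALGORITHMS = frozenset({"EEA3", "EIA3"})  # assumed preset security algorithm (ZUC)
ENC_PRIORITY = ("EEA3", "EEA1", "EEA2")           # assumed preset encryption priority
INT_PRIORITY = ("EIA3", "EIA1", "EIA2")           # assumed preset integrity priority


class Indication(Enum):
    NULL_CIPHER_ONLY = 1  # first indication: integrity by priority, null encryption only
    BY_PRIORITY = 2       # second indication: integrity and encryption by priority
    USE_PRESET = 3        # third indication: use the preset security algorithm


class SelectionError(Exception):
    """The indication cannot be honoured with the algorithms common to UE and base station."""


def mme_indication(preset_area: bool, ue_caps: FrozenSet[str], enb_caps: FrozenSet[str]) -> Indication:
    """MME side: derive the indication from the home area, the UE capabilities and
    the capabilities the base station reported (fifth implementation).  Issuing the
    third indication outside the preset area is this example's assumption."""
    if PRESET_ALGORITHMS <= (ue_caps & enb_caps):
        return Indication.USE_PRESET
    if preset_area:
        return Indication.BY_PRIORITY
    return Indication.NULL_CIPHER_ONLY


def _first_common(priority: Tuple[str, ...], ue_caps: FrozenSet[str], enb_caps: FrozenSet[str]) -> Optional[str]:
    """First algorithm in the priority list supported by both UE and base station."""
    return next((a for a in priority if a in ue_caps and a in enb_caps), None)


def enb_select(ind: Indication, ue_caps: FrozenSet[str], enb_caps: FrozenSet[str]) -> Tuple[str, str]:
    """Base station side: return (integrity, encryption) for the AS, or raise."""
    if ind is Indication.USE_PRESET:
        if not PRESET_ALGORITHMS <= (ue_caps & enb_caps):
            raise SelectionError("preset algorithm not common to UE and base station")
        return "EIA3", "EEA3"
    integrity = _first_common(INT_PRIORITY, ue_caps, enb_caps)
    if integrity is None:
        raise SelectionError("no common integrity algorithm; AS security cannot be activated")
    if ind is Indication.BY_PRIORITY:
        encryption = _first_common(ENC_PRIORITY, ue_caps, enb_caps)
        if encryption is None:
            raise SelectionError("no common encryption algorithm")
        return integrity, encryption
    # NULL_CIPHER_ONLY: the MME forbids every encryption algorithm other than EEA0.
    return integrity, NULL_ENC
```

Both halves work on the intersection of UE and base station capabilities, which is why the fifth implementation has the base station report its capabilities first: an MME that selected only against the UE's list could indicate an algorithm the base station cannot run.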
In a third aspect, an embodiment of the present invention provides a mobility management entity, comprising:
a determining module, configured to determine the home area of a UE according to an identifier of the UE; and
a judging module, configured to determine, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use.
With reference to the third aspect, in a first possible implementation of the third aspect, the judging module is specifically configured to:
determine that the home area of the UE is a preset area, and then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or determine that the home area of the UE is a non-preset area, and then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
determine, according to the security capability information, that the UE does not support the preset security algorithm, and then determine whether the home area of the UE is a preset area; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the mobility management entity further comprises a first receiving module, configured to, before the home area of the UE is determined according to the identifier of the UE:
receive a Redirection Request message sent by an SGSN, the Redirection Request message comprising the identifier and the security capability information of the UE; or
receive an Attach Request message sent by the UE, the Attach Request message comprising the identifier and the security capability information of the UE; or
receive a location update request message sent by the UE, the location update request message comprising the identifier and the security capability information of the UE.
With reference to the third aspect, in a third possible implementation of the third aspect, the mobility management entity further comprises a second receiving module, configured to, before the home area of the UE is determined according to the identifier of the UE:
receive a Redirection Request message sent by an SGSN, the Redirection Request message comprising the identifier of the UE, or receive a location update request message sent by the UE, the location update request message comprising the identifier of the UE; and
the judging module is specifically configured to: determine that the Redirection Request message or the location update request message does not contain the security capability information and that the home area of the UE is a preset area, and then select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
determine that the Redirection Request message or the location update request message does not contain the security capability information and that the home area of the UE is a non-preset area, and then select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
With reference to the third aspect or any one of the first to third possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the determining module is specifically configured to:
determine that the identifier is an international mobile subscriber identity (IMSI), obtain the MNC and MCC from the IMSI, and determine the home area of the UE according to the MNC and MCC; or
determine that the identifier is a temporary identifier, obtain the IMSI corresponding to the temporary identifier, obtain the MNC and MCC from that IMSI, and determine the home area of the UE according to the MNC and MCC; or
determine that the identifier is a mobile subscriber number (MSISDN), and determine the home area of the UE according to the MSISDN; or
send an identification request message containing the identifier to a network entity device and receive an identification response message from the network entity device, the identification response message comprising the home area of the UE, or comprising a recognizable identifier from which the MME can determine the home area of the UE.
In a fourth aspect, an embodiment of the present invention provides a base station, comprising:
an obtaining module, configured to obtain the home area of a UE and the security capability information of the UE, or to obtain security algorithm information of the UE; and
a judging module, configured to determine, according to the home area of the UE and the security capability information of the UE, or according to the security algorithm information, the encryption algorithm and/or integrity protection algorithm that the UE can use;
where the security algorithm information comprises any one or a combination of: the security capability information of the UE, an algorithm selection indication, and the encryption algorithm and integrity protection algorithm that the UE can use.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the judging module is specifically configured to:
determine that the home area of the UE is a preset area, and then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or determine that the home area of the UE is a non-preset area, and then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
determine, according to the security capability information of the UE, that the UE does not support the preset security algorithm, and then determine whether the home area of the UE is a preset area; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the obtaining module is specifically configured to:
receive attach information and the security capability information of the UE sent by the MME, and determine the home area of the UE according to an area indication in the attach information; or
receive a handover request message sent by the MME, the handover request message comprising the security capability information of the UE and the home area of the UE.
With reference to the fourth aspect, in a third possible implementation of the fourth aspect, the judging module is specifically configured to:
if the home area of the UE is a non-preset area and the UE does not support the preset security algorithm, receive from the MME the integrity protection algorithm and/or encryption algorithm that the UE can use, where the integrity protection algorithm is one included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
if the home area of the UE is a non-preset area and the UE does not support the preset security algorithm, receive a first algorithm selection indication sent by the MME, the first algorithm selection indication instructing the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or instructing the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbidding the base station from selecting any encryption algorithm other than the null algorithm.
With reference to the fourth aspect, in a fourth possible implementation of the fourth aspect, the judging module is specifically configured to: if the home area of the UE is a preset area, receive the security capability information of the UE sent by the MME and determine, according to it, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
if the home area of the UE is a preset area and the UE does not support the preset security algorithm, receive a second algorithm selection indication sent by the MME, the second algorithm selection indication instructing the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
if the home area of the UE is a preset area and the UE supports the preset security algorithm, receive a third algorithm selection indication sent by the MME, the third algorithm selection indication instructing the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
With reference to the third or fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the base station further comprises:
a sending module, configured to send the security capability information of the base station to the MME, so that the MME can determine the security algorithm information of the UE.
The embodiments of the present invention provide non-access stratum and access stratum security algorithm processing methods and equipment. The non-access stratum security algorithm processing method comprises: a mobility management entity (MME) determines the home area of a UE according to an identifier of the UE; and the MME determines, according to the home area of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm that the UE can use. The methods and equipment provided by these embodiments can provide a security protection mechanism for user equipment.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is a flow chart of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention;
Fig. 2 is a signaling flow diagram of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention;
Fig. 3 is a flow chart of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 4 is the first signaling flow diagram of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 5 is the second signaling flow diagram of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 6 is a schematic structural diagram of Embodiment 1 of the mobility management entity of the present invention;
Fig. 7 is a schematic structural diagram of Embodiment 2 of the mobility management entity of the present invention;
Fig. 8 is a schematic structural diagram of Embodiment 1 of the base station of the present invention;
Fig. 9 is a schematic structural diagram of Embodiment 2 of the base station of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The security algorithm processing methods of the embodiments of the present invention for the non-access stratum and the access stratum are described in detail below. The distinction between access stratum procedures and non-access stratum procedures is made from the perspective of the protocol stack. In the protocol stack, the Radio Resource Control (RRC) and Radio Access Network Application Part (RANAP) layers and the protocol layers below them are called the access stratum, while the layers above them, such as Session Management (SM), Call Control (CC) and Short Message Service (SMS), are called the non-access stratum. Briefly, an access stratum procedure is one in which the radio access devices, namely the Radio Network Controller (RNC) and the UMTS base station (NodeB), need to take part in the processing. A non-access stratum procedure is a signaling procedure that only the UE and the core network (CN) need to process; the radio access network devices RNC and NodeB do not need to process it.
Fig. 1 is a flow chart of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention. As shown in Fig. 1, the executing entity of this embodiment is a Mobility Management Entity (MME), which may be implemented in software and/or hardware. The non-access stratum security algorithm processing method provided in this embodiment comprises:
Step 101: the MME determines the home region of the UE according to the identifier of the user equipment (UE);
Step 102: the MME determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region of the UE and the security capability information of the UE.
In a communication system, a NAS security mechanism exists in the Non-Access Stratum (NAS) signaling connection between the MME and the User Equipment (UE). Once the security procedure has been established, all NAS-layer signaling is protected, and this protection may include both encryption and integrity protection.
In a specific implementation, the MME selects the encryption algorithm (EPS Encryption Algorithm, EEA) and/or the integrity protection algorithm (EPS Integrity Algorithm, EIA). In 3GPP, the SNOW 3G, AES and ZUC algorithms each have a corresponding EEA and EIA: SNOW 3G corresponds to EEA1 and EIA1, AES to EEA2 and EIA2, and ZUC to EEA3 and EIA3.
In step 101, the MME determines the home region of the UE according to the identifier of the UE. In a specific implementation, the MME may determine the home region of the UE from the identifier in the following possible ways.
In one possible implementation, the MME determines that the identifier is an International Mobile Subscriber Identity (IMSI), obtains the Mobile Network Code (MNC) and Mobile Country Code (MCC) from the IMSI, and determines the home region of the UE according to the MNC and MCC.
Specifically, the MME can parse the MNC and MCC from the IMSI. The MCC uniquely identifies the country to which a mobile subscriber belongs and distinguishes subscribers by country, which is what makes international roaming possible. If there are several mobile network operators in the same country, they are distinguished by the MNC. The home region of the UE can therefore be determined from the MNC and MCC: the home region is either a preset region or a non-preset region, where the preset region may be foreign and the non-preset region may be domestic. For example, the MME determines from the MCC that the UE belongs to a foreign subscriber, or determines from the MCC that the UE belongs to a domestic subscriber and from the MNC which mobile network operator the UE belongs to.
In another possible implementation, the MME determines that the identifier is a temporary identifier, obtains the IMSI corresponding to the temporary identifier, obtains the MNC and MCC from the IMSI, and determines the home region of the UE according to the MNC and MCC.
Specifically, the MME determines that the identifier is a temporary identifier. For example, if the temporary identifier is a Temporary Mobile Subscriber Identity (TMSI), the MME determines the IMSI corresponding to the TMSI from the mapping between TMSI and IMSI, then obtains the MNC and MCC from the IMSI and determines the home region of the UE. The temporary identifier may also be a Globally Unique Temporary Identifier (GUTI); the MME then determines the IMSI corresponding to the GUTI from the mapping between GUTI and IMSI, obtains the MNC and MCC from the IMSI, and determines the home region of the UE.
In yet another possible implementation, the MME determines that the identifier is a Mobile Subscriber International ISDN/PSTN Number (MSISDN) and determines the home region of the UE according to the MSISDN.
Specifically, the MME determines that the identifier is an MSISDN and determines the home region of the UE from the mapping between MSISDN and home region.
In still another possible implementation, the MME sends an identification request message containing the identifier to a network entity device, and receives an identification response message sent by the network entity device, where the identification response message contains the home region of the UE.
Specifically, in this implementation the home region of the UE is determined by another network entity device rather than by the MME. The MME sends an identification request message containing the identifier to the network entity device, which determines the home region of the UE according to the identifier and then sends an identification response message containing the home region of the UE back to the MME. Those skilled in the art will understand that the way the network entity device determines the home region from the identifier is similar to the way the MME does, and it is not repeated here.
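The four ways of deriving the home region from the identifier described above, written out as an added Python example that is not part of the patent. The home MCC, the MNC-length rule, the TMSI/GUTI/MSISDN lookup tables and the sample identifiers are constructed assumptions standing in for the MME's configuration and subscriber data.

```python
"""Determine a UE's home region from its identifier (step 101 of the text).
Added example, not the patent's code; every table below is constructed."""
from typing import Dict, Tuple

PRESET = "preset"          # text: the preset region may be foreign
NON_PRESET = "non-preset"  # text: the non-preset region may be domestic

# Assumption: the MCC(s) that count as domestic for the operator running this MME.
HOME_MCCS = frozenset({"460"})
# Assumption: MCCs whose networks use three-digit MNCs; every other MCC uses two.
# A real MME takes this from its PLMN configuration, not from a hard-coded set.
THREE_DIGIT_MNC_MCCS = frozenset({"310", "311"})

# Constructed stand-ins for the MME's UE context and subscriber database.
TMSI_TO_IMSI: Dict[str, str] = {"TMSI-0A1B2C3D": "460001234567890"}
# A GUTI names the serving PLMN, so the home region still needs the IMSI lookup.
GUTI_TO_IMSI: Dict[str, str] = {"GUTI-46000-0001-01-0A1B2C3D": "262019876543210"}
MSISDN_TO_REGION: Dict[str, str] = {"+8613800000001": NON_PRESET,
                                    "+4915100000002": PRESET}


def parse_imsi(imsi: str) -> Tuple[str, str]:
    """Split an IMSI into (MCC, MNC); malformed input is rejected, not guessed."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("malformed IMSI")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len]


def region_from_mcc_mnc(mcc: str, mnc: str) -> str:
    """The MCC decides foreign vs. domestic; the MNC only identifies the operator
    inside the country, so it does not change the preset/non-preset outcome."""
    return NON_PRESET if mcc in HOME_MCCS else PRESET


def home_region(id_type: str, identifier: str) -> str:
    """Dispatch on the identifier type (IMSI, TMSI, GUTI or MSISDN)."""
    if id_type == "IMSI":
        return region_from_mcc_mnc(*parse_imsi(identifier))
    if id_type == "TMSI":
        return region_from_mcc_mnc(*parse_imsi(TMSI_TO_IMSI[identifier]))
    if id_type == "GUTI":
        return region_from_mcc_mnc(*parse_imsi(GUTI_TO_IMSI[identifier]))
    if id_type == "MSISDN":
        return MSISDN_TO_REGION[identifier]
    raise ValueError(f"unsupported identifier type: {id_type}")


class NetworkEntity:
    """Hypothetical 'other network entity' of the fourth implementation: it
    answers an identification request; the text says it resolves the region
    the same way the MME would."""

    def identify(self, request: Dict[str, str]) -> Dict[str, str]:
        region = home_region(request["identifier_type"], request["identifier"])
        return {"home_region": region}


def home_region_via_network_entity(entity: NetworkEntity,
                                   id_type: str, identifier: str) -> str:
    """MME side of the fourth implementation: send the identifier, read the region."""
    response = entity.identify({"identifier_type": id_type,
                                "identifier": identifier})
    return response["home_region"]
```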
The security capability information of the UE refers to the security algorithms that the UE supports, and different UEs support different security algorithms. For example, a UE may support the preset security algorithm, where the preset security algorithm is the Zu Chongzhi algorithm (ZUC); or it may not support ZUC but support SNOW 3G and AES; or it may support ZUC as well as SNOW 3G and AES.
In step 102, the MME determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region and the security capability information of the UE. That is, the MME not only considers the security capability information of the UE but also determines the usable encryption algorithm and/or integrity protection algorithm according to the home region of the UE. For example, when the UE does not support the preset security algorithm: if the home region of the UE is a preset region, the integrity protection algorithm is selected according to a preset integrity protection algorithm priority and the encryption algorithm is selected according to a preset encryption algorithm priority; if the home region of the UE is a non-preset region, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and the null algorithm is selected as the encryption algorithm. Those skilled in the art will understand that the MME may determine only the usable encryption algorithm of the UE according to the home region and security capability information and determine the integrity protection algorithm according to the prior art; or determine only the usable integrity protection algorithm of the UE according to the home region and security capability information and determine the encryption algorithm according to the prior art; or determine both the usable encryption algorithm and the usable integrity protection algorithm according to the home region and security capability information.
After step 102, the MME sends a Security Mode Command message to the UE. The Security Mode Command message contains the encryption algorithm and integrity protection algorithm usable by the UE. The UE uses the integrity protection algorithm specified by the MME to derive the integrity protection key and performs an integrity check on the message; if the check succeeds, the UE sends a Security Mode Complete message to the MME. The MME receives the Security Mode Complete message sent by the UE, and the NAS security procedure is established. All subsequent NAS signaling is protected with this encryption algorithm and integrity protection algorithm.
In the non-access stratum security algorithm processing method provided by the embodiment of the present invention, the MME determines the home region of the UE according to the identifier of the user equipment (UE), and determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region of the UE and the security capability information of the UE, so that a security protection mechanism can be provided for all UEs.
Below, the non-access stratum security algorithm processing method of the embodiments of the present invention is described in detail by way of several specific embodiments, according to the different ways in which the MME determines the identifier and security capability information of the UE.
In one possible implementation, before the MME determines the home region of the UE according to the identifier of the user equipment (UE), the MME may obtain the identifier and the security capability information of the UE at the same time.
Specifically, the MME determines the identifier and security capability information of the UE in the following situations.
In one possible situation, in a UE redirection scenario, the MME receives a Redirection Request message sent by the SGSN, and the Redirection Request message contains the identifier and security capability information of the UE.
In another possible situation, when the UE establishes a network connection, the MME receives an Attach Request message sent by the UE, and the Attach Request message contains the identifier and security capability information of the UE.
In yet another possible situation, when the UE performs a location update, the MME receives a Location Update Request message sent by the UE, and the Location Update Request message contains the identifier and security capability information of the UE.
After the MME has obtained the identifier and security capability information of the UE, the MME determines the home region of the UE according to the identifier, and then determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region and the security capability information, which specifically includes the following possible situations.
In one possible situation, the MME first determines the home region of the UE and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
If the MME determines that the home region of the UE is a preset region, it determines from the security capability information of the UE whether the UE supports the preset security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority.
In a specific implementation, when the MME determines that the home region of the UE is a preset region, it goes on to determine from the security capability information of the UE whether the UE supports the preset security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the preset security algorithm are used; for example, when the preset security algorithm is ZUC, the UE can use EEA3 and EIA3. If the UE does not support the preset security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and/or the encryption algorithm is selected according to the preset encryption algorithm priority.
If the MME determines that the home region of the UE is a non-preset region, it determines from the security capability information of the UE whether the UE supports the preset security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
In a specific implementation, when the MME determines that the home region of the UE is a non-preset region, it goes on to determine from the security capability information of the UE whether the UE supports the preset security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the preset security algorithm are used. If the UE does not support the preset security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and/or the null algorithm is selected as the encryption algorithm; with the null algorithm, no encryption is actually applied.
In another possible situation, the MME first checks the security capability information and then determines the home region of the UE, as follows:
The MME determines from the security capability information that the UE does not support the preset security algorithm, and then determines whether the home region of the UE is a preset region. If so, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
Specifically, the MME first determines from the security capability information that the UE does not support the preset security algorithm, and then determines whether the home region of the UE is a preset region. If it is a preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority. If it is a non-preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
In another possible implementation, the MME obtains only the identifier of the UE and does not obtain its security capability information, as follows:
The MME receives a Redirection Request message sent by the SGSN, and the Redirection Request message contains the identifier of the UE; or the MME receives a Location Update Request message sent by the UE, and the Location Update Request message contains the identifier of the UE.
In this case, if the MME determines that the Redirection Request message or the Location Update Request message does not contain the security capability information and the home region of the UE is a preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority; or
if the MME determines that the Redirection Request message or the Location Update Request message does not contain the security capability information and the home region of the UE is a non-preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
In each of the above possible implementations, when the preset security algorithm is ZUC, EEA3 has a higher priority than EEA1 and EEA2 in the preset encryption algorithm priority, while the priority of EEA1 may be either higher or lower than that of EEA2; this embodiment does not specifically limit it. When EEA1 has the higher priority, EEA1 is selected; when EEA2 has the higher priority, EEA2 is selected. In the preset integrity protection algorithm priority, EIA3 has a higher priority than EIA1 and EIA2, while the priority of EIA1 may be either higher or lower than that of EIA2; this embodiment does not specifically limit it. When EIA1 has the higher priority, EIA1 is selected; when EIA2 has the higher priority, EIA2 is selected. Those skilled in the art will understand that when the preset security algorithm is some other algorithm, the priority of EEA3 may be lower than that of EEA1 and EEA2, and the priority of EIA3 lower than that of EIA1 and EIA2. When the preset security algorithm is another algorithm, this embodiment does not specifically limit the priorities of EEA3, EEA1, EEA2, EIA3, EIA1 and EIA2.
Fig. 2 is a signaling flow diagram of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention. This embodiment describes the signaling flow of the non-access stratum security algorithm processing method.
Step 201: the UE sends an Attach Request message to the MME;
Those skilled in the art will understand that the UE may send not only an Attach Request message but also a Location Update Request message to the MME; alternatively, the SGSN may send a Redirection Request message to the MME. The MME can determine the identifier and security capability information of the user equipment (UE) from any of these three messages. For the specific way of determining them, see the embodiment shown in Fig. 1.
Step 202: the MME determines the home region of the UE according to the identifier, and determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region and security capability information of the UE;
For the process by which the MME determines the encryption algorithm and/or integrity protection algorithm usable by the UE, see the embodiment shown in Fig. 1.
Step 203: the MME sends a Security Mode Command message to the UE;
Step 204: the UE sends a Security Mode Complete message to the MME.
In the non-access stratum security algorithm processing method provided by the embodiment of the present invention, the MME determines the home region of the UE according to the identifier of the user equipment (UE), and determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region of the UE and the security capability information of the UE, so that a security protection mechanism can be provided for all UEs.
Fig. 3 is a flow chart of Embodiment 1 of the access stratum security algorithm processing method of the present invention. As shown in Fig. 3, the executing entity of this embodiment is a base station, which may be implemented in software and/or hardware. The access stratum security algorithm processing method provided in this embodiment comprises:
Step 301: the base station obtains the home region of the user equipment (UE) and the security capability information of the UE, or obtains the security algorithm information of the UE;
Step 302: the base station determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information.
The security algorithm information comprises any one or a combination of: the security capability information of the UE, an algorithm selection instruction, and the encryption algorithm and integrity protection algorithm usable by the UE.
Because base stations are deployed in large numbers over a wide area, the network entities of the access stratum are highly dispersed both geographically and logically, and the operator cannot gather them in a secure location and control them centrally. Each base station is therefore located in an insecure area, so each base station needs to select the security algorithms for the access stratum security mechanism with each UE according to the security capability of that UE.
In step 301, the base station obtains the home region and security capability information of the UE in one of the following two possible situations.
In one possible situation, the base station receives the home information and the security capability information of the UE sent by the Mobility Management Entity (MME), and determines the home region of the UE according to the region indication in the home information.
Specifically, the region indication in the home information can be implemented in several ways. For example, the region indication may be represented by "0" or "1", where 0 represents a non-preset region, which may be domestic, and 1 represents a preset region, which may be foreign; or the region indication may be represented by a string, for instance "domestic" for a non-preset region, which may be domestic, and "international" for a preset region, which may be foreign.
In another possible situation, the base station receives a Handover Request message sent by the MME, and the Handover Request message contains the security capability information of the UE and the home region of the UE.
In a handover scenario, the base station receives the Handover Request message sent by the MME, and the Handover Request message contains the security capability information of the UE and the home region of the UE.
Secondly, the base station may receive the security algorithm information of the UE sent by the MME, where the security algorithm information of the UE comprises any one of: the security capability information of the UE, an algorithm selection instruction, and the encryption algorithm and integrity protection algorithm usable by the UE.
In step 302, the base station determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region and security capability information of the UE.
Those skilled in the art will understand that the base station may determine only the usable encryption algorithm of the UE according to the home region and security capability information and determine the integrity protection algorithm of the UE according to the prior art; or determine only the usable integrity protection algorithm of the UE according to the home region and security capability information and determine the encryption algorithm of the UE according to the prior art; or determine both the usable encryption algorithm and the usable integrity protection algorithm of the UE according to the home region and security capability information. Specifically, this may include the following possible situations.
In one possible situation, the base station first determines the home region of the UE and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
If the base station determines that the home region of the UE is a preset region, it determines from the security capability information of the UE whether the UE supports the preset security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority;
In a specific implementation, when the base station determines that the home region of the UE is a preset region, it goes on to determine from the security capability information of the UE whether the UE supports the preset security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the preset security algorithm are used; for example, when the preset security algorithm is ZUC, the UE can use EEA3 and EIA3. If the UE does not support the preset security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and/or the encryption algorithm is selected according to the preset encryption algorithm priority. Those skilled in the art will understand that the security algorithms supported by the base station include ZUC, AES and SNOW 3G.
If the base station determines that the home region of the UE is a non-preset region, it determines from the security capability information of the UE whether the UE supports the preset security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
Specifically, when the base station determines that the home region of the UE is a non-preset region, it goes on to determine from the security capability information of the UE whether the UE supports the preset security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the preset security algorithm are used. If the UE does not support the preset security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and/or the null algorithm is selected as the encryption algorithm; with the null algorithm, no encryption is actually applied.
In another possible situation, the base station first checks the security capability information of the UE, then determines the home region, and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
The base station determines from the security capability information of the UE that the UE does not support the preset security algorithm, and then determines whether the home region of the UE is a preset region. If so, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
Specifically, the base station first determines from the security capability information of the UE that the UE does not support the preset security algorithm, and then determines whether the home region of the UE is a preset region. If it is a preset region, the base station selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority. If it is a non-preset region, the base station selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
In each of the above possible implementations, when the preset security algorithm is ZUC, EEA3 has a higher priority than EEA1 and EEA2 in the preset encryption algorithm priority, while the priority of EEA1 may be either higher or lower than that of EEA2; this embodiment does not specifically limit it. When EEA1 has the higher priority, EEA1 is selected; when EEA2 has the higher priority, EEA2 is selected. In the preset integrity protection algorithm priority, EIA3 has a higher priority than EIA1 and EIA2, while the priority of EIA1 may be either higher or lower than that of EIA2; this embodiment does not specifically limit it. When EIA1 has the higher priority, EIA1 is selected; when EIA2 has the higher priority, EIA2 is selected. Those skilled in the art will understand that when the preset security algorithm is some other algorithm, the priority of EEA3 may be lower than that of EEA1 and EEA2, and the priority of EIA3 lower than that of EIA1 and EIA2. When the preset security algorithm is another algorithm, this embodiment does not specifically limit the priorities of EEA3, EEA1, EEA2, EIA3, EIA1 and EIA2.
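The algorithm selection rules are the same whether the MME applies them in step 102 (non-access stratum) or the base station applies them in step 302 (access stratum), so one added Python example serves both; it is not the patent's code. It assumes ZUC is the preset security algorithm and fixes an EEA2-before-EEA1 (EIA2-before-EIA1) order, which the text leaves open; the sample capabilities are constructed, and the base-station path also decodes the "0"/"1" or "domestic"/"international" region indication described for the home information.

```python
"""Select the EEA (encryption) and EIA (integrity) algorithm from the UE's home
region and security capability, following the selection rules in the text.
Added example, not the patent's code; priority order and samples are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Sequence, Tuple

PRESET = "preset"
NON_PRESET = "non-preset"
NULL_CIPHER = "EEA0"  # null algorithm: signaling stays integrity protected but unencrypted

# Pairs named in the text: SNOW 3G = EEA1/EIA1, AES = EEA2/EIA2, ZUC = EEA3/EIA3.
PRESET_ALGORITHM: Tuple[str, str] = ("EEA3", "EIA3")  # assumption: ZUC is preset
# Text: EEA3/EIA3 rank first when ZUC is preset; the order of EEA1 vs EEA2 and
# EIA1 vs EIA2 is left open, so the tail of each list is an assumption.
EEA_PRIORITY: Sequence[str] = ("EEA3", "EEA2", "EEA1")
EIA_PRIORITY: Sequence[str] = ("EIA3", "EIA2", "EIA1")


@dataclass(frozen=True)
class SecurityCapability:
    """The algorithms a UE reports as supported (model of the UE capability IE)."""
    eea: FrozenSet[str]
    eia: FrozenSet[str]

    def supports_preset(self) -> bool:
        # The preset algorithm counts as supported only with both its EEA and EIA.
        return PRESET_ALGORITHM[0] in self.eea and PRESET_ALGORITHM[1] in self.eia


def region_from_indication(indication: str) -> str:
    """Decode the region indication in the home information the MME sends to the
    base station: "0"/"domestic" -> non-preset, "1"/"international" -> preset."""
    mapping = {"0": NON_PRESET, "domestic": NON_PRESET,
               "1": PRESET, "international": PRESET}
    try:
        return mapping[indication.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown region indication: {indication!r}") from None


def _first_supported(priority: Sequence[str], supported: Iterable[str]) -> str:
    """Walk the priority list and take the first algorithm the UE supports."""
    supported = set(supported)
    for alg in priority:
        if alg in supported:
            return alg
    raise ValueError("UE supports none of the prioritised algorithms")


def select_algorithms(region: str,
                      cap: Optional[SecurityCapability]) -> Tuple[str, str]:
    """Return (encryption algorithm, integrity algorithm) for the UE.

    cap is None when the request message carried no security capability; the
    text then selects purely from the preset priorities, modelled here by
    treating every prioritised algorithm as supported."""
    if region not in (PRESET, NON_PRESET):
        raise ValueError(f"unknown home region: {region!r}")
    if cap is not None and cap.supports_preset():
        return PRESET_ALGORITHM  # either region: use the preset algorithm's pair
    eea_supported = cap.eea if cap is not None else frozenset(EEA_PRIORITY)
    eia_supported = cap.eia if cap is not None else frozenset(EIA_PRIORITY)
    eia = _first_supported(EIA_PRIORITY, eia_supported)
    if region == PRESET:
        eea = _first_supported(EEA_PRIORITY, eea_supported)
    else:
        eea = NULL_CIPHER  # non-preset region: null cipher, no confidentiality
    return eea, eia


def select_for_base_station(indication: str,
                            cap: Optional[SecurityCapability]) -> Tuple[str, str]:
    """Base-station path (step 302): decode the region indication from the home
    information, then apply the same rules as the MME."""
    return select_algorithms(region_from_indication(indication), cap)
```

Note that a UE whose home region is non-preset and which lacks the preset algorithm ends up with EEA0, so its signaling is integrity protected but readable on the air interface; that is the behaviour the text specifies, and a deployment should treat it as a known exposure rather than a fault.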
The base station may also determine the encryption algorithm and/or integrity protection algorithm usable by the UE according to the security algorithm information. In a specific implementation, the base station may receive directly from the MME the integrity protection algorithm and/or encryption algorithm usable by the UE; or the base station may determine the integrity protection algorithm and/or encryption algorithm usable by the UE according to the security capability information of the UE; or the base station may determine the integrity protection algorithm and/or encryption algorithm usable by the UE according to the algorithm selection instruction.
After the base station has determined the integrity protection algorithm and/or encryption algorithm usable by the UE, it sends a Security Mode Command message to the UE. The Security Mode Command message contains the encryption algorithm and integrity protection algorithm usable by the UE. The UE uses the integrity protection algorithm specified by the base station to derive the integrity protection key and performs an integrity check on the message; if the check succeeds, the UE sends a Security Mode Complete message to the base station. The base station receives the Security Mode Complete message sent by the UE, and the access stratum (AS) security procedure is established. All subsequent AS signaling is protected with this encryption algorithm and integrity protection algorithm.
In the method provided by the embodiment of the present invention, the base station obtains the home region of the user equipment (UE) and the security capability information of the UE, or obtains the security algorithm information of the UE, and determines the encryption algorithm and/or integrity protection algorithm usable by the UE according to the home region and security capability information of the UE, or according to the security algorithm information, so that a security protection mechanism can be provided for the UE.
Fig. 4 is the first signalling flow chart of embodiment one of the Access Stratum security algorithm processing method of the present invention. This embodiment describes the signalling flow of the Access Stratum security algorithm processing method.
Step 401: the MME determines the home information and the security capability information of the UE.
The home information determined by the MME includes the home region of the UE.
Step 402: the MME sends the home information and the security capability information of the UE to the base station.
Alternatively, the MME may send a handover request message to the base station, the handover request message including the security capability information of the UE and the home region of the UE. For the manner in which the MME determines the home region and the security capability information of the UE, refer to the Non-Access Stratum security algorithm embodiment.
Step 403: the base station determines, from the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE.
For the specific manner in which the base station determines the encryption algorithm and/or integrity protection algorithm usable by the UE, refer to the embodiment of Fig. 3.
Step 404: the base station sends a Security Mode Command message to the UE.
Step 405: the base station receives the Security Mode Complete message sent by the UE.
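The Security Mode Command / Security Mode Complete exchange of steps 404 and 405, as described in the paragraph on AS security activation above, as an added example that is not part of the patent or of any Huawei product code. The integrity algorithm and the key derivation are stand-ins: the real EIA1/EIA2/EIA3 are SNOW 3G, AES-CMAC and ZUC based and the AS keys are derived from KeNB with the 3GPP key derivation function, whereas here HMAC-SHA256 plays both roles so the exchange runs offline with the standard library. The message encoding, the COUNT value and the class and function names are this example's assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not code from the patent. HMAC-SHA256 stands in for the EIA
# integrity algorithm and for the 3GPP key derivation function (assumption).

MAC_LEN = 4        # MAC-I is 32 bits in LTE RRC/PDCP integrity protection
SMC_COUNT = 0      # first message under the new AS keys (assumed COUNT value)


def derive_integrity_key(k_enb: bytes, eia: str) -> bytes:
    """Stand-in for K_RRCint derivation. The key is bound to the algorithm identity,
    so a Security Mode Command whose EIA field was altered in transit verifies
    under a different key and the check fails."""
    return hmac.new(k_enb, b"RRC-int|" + eia.encode(), hashlib.sha256).digest()


def mac_i(key: bytes, count: int, message: bytes) -> bytes:
    """Stand-in MAC-I over (COUNT, message)."""
    data = count.to_bytes(4, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def encode_smc(eea: str, eia: str) -> bytes:
    """Security Mode Command body: the selected ciphering and integrity algorithms
    (assumed text encoding; the real RRC message is ASN.1)."""
    return f"SMC|{eea}|{eia}".encode()


def decode_smc(body: bytes):
    tag, eea, eia = body.decode().split("|")
    if tag != "SMC":
        raise ValueError("not a Security Mode Command")
    return eea, eia


@dataclass
class BaseStation:
    k_enb: bytes
    eea: str        # algorithms already chosen in step 403 (or step 505)
    eia: str

    def send_security_mode_command(self):
        body = encode_smc(self.eea, self.eia)
        key = derive_integrity_key(self.k_enb, self.eia)
        return body, mac_i(key, SMC_COUNT, body)

    def receive_security_mode_complete(self, body: bytes, mac: bytes) -> bool:
        key = derive_integrity_key(self.k_enb, self.eia)
        return body == b"SMComplete" and hmac.compare_digest(mac, mac_i(key, SMC_COUNT, body))


@dataclass
class Ue:
    k_enb: bytes
    supported_eia: set

    def receive_security_mode_command(self, body: bytes, mac: bytes):
        """Derive the integrity key for the algorithm the base station specified and
        check the message. Returns the Security Mode Complete (body, MAC-I) on
        success, None when the check fails and AS security must not be activated."""
        eea, eia = decode_smc(body)
        if eia not in self.supported_eia:
            return None
        key = derive_integrity_key(self.k_enb, eia)
        if not hmac.compare_digest(mac, mac_i(key, SMC_COUNT, body)):
            return None
        self.eea, self.eia = eea, eia          # AS security context now in force
        reply = b"SMComplete"
        return reply, mac_i(key, SMC_COUNT, reply)


def run_as_security_activation(k_enb, eea, eia, ue_eia, tamper=False) -> bool:
    """Steps 404 and 405 end to end. `tamper` rewrites the cipher field on the air
    interface (a downgrade attempt), so the UE's integrity check must fail."""
    enb = BaseStation(k_enb, eea, eia)
    ue = Ue(k_enb, ue_eia)
    body, mac = enb.send_security_mode_command()
    if tamper:
        body = body.replace(eea.encode(), b"EEA0")
    reply = ue.receive_security_mode_command(body, mac)
    if reply is None:
        return False
    return enb.receive_security_mode_complete(*reply)
```

The point the exchange makes is that the algorithm choice itself travels under integrity protection: because the MAC-I covers the algorithm fields, an on-path rewrite of the ciphering algorithm to EEA0 is detected by the UE before any AS security context is activated, and no Security Mode Complete is returned.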
In this embodiment of the present invention, the base station obtains the home region and the security capability information of the user equipment (UE), and determines from the home region and security capability information of the UE the encryption algorithm and/or integrity protection algorithm usable by the UE, so that a security protection mechanism can be provided for the UE.
The Access Stratum security algorithm processing method provided by this embodiment further includes the MME modifying the security capability of the UE, or the MME indicating to the base station that a specific security algorithm is to be selected. This is shown in Fig. 5, the second signalling flow chart of embodiment one of the Access Stratum security algorithm processing method of the present invention. As shown in Fig. 5, the method includes the following steps:
Step 501: the MME obtains the security capability information of the base station.
In a specific implementation, the MME may obtain the security capability information of the base station in any of the following ways:
the base station sends its security capability information to the MME; the base station may add its own security capability information to the UE's Attach Request message that it forwards, or add a new message after the context setup request, this new message carrying the security capability information of the base station; or
the MME obtains the security capability information of the base station from a preconfigured default base station security capability; or
the security capability information of the base station is sent to the MME by the operator's equipment.
Step 502: the MME determines the home information and the security capability information of the UE.
Those skilled in the art will understand that step 501 and step 502 have no strict ordering relationship.
Step 503: the MME, according to the home region of the UE, the security capability information of the UE and the security capability information of the base station, modifies the security capability of the UE and determines an algorithm selection indication.
Step 504: the MME sends the modified security capability of the UE and the algorithm selection indication to the base station.
For the different home regions of the UE, the MME sends to the base station either the modified encryption algorithm and/or integrity protection algorithm, or an algorithm selection indication.
Step 505: the base station determines, from the modified security capability of the UE and the algorithm selection indication, the encryption algorithm and integrity protection algorithm usable by the UE.
Step 506: the base station sends a Security Mode Command message to the UE.
Step 507: the UE sends a Security Mode Complete message to the base station.
In a specific implementation, steps 503 to 505 proceed as follows:
One possible implementation: the MME determines that the home region of the UE is a non-preset region and that the UE does not support the preset security algorithm. Those skilled in the art will understand that these two determinations have no strict ordering relationship. The MME then determines the security capability information of the UE and sends security capability information to the base station. This includes the following cases:
One possible case: the MME sends the integrity protection algorithm and/or encryption algorithm of the UE to the base station, where the integrity protection algorithm is the one included in the security capability information of the UE and the encryption algorithm is the null algorithm.
The base station receives the integrity protection algorithm and/or encryption algorithm of the UE sent by the mobility management entity (MME), the integrity protection algorithm being the one included in the security capability information of the UE and the encryption algorithm being the null algorithm.
Another possible case: the MME sends a first algorithm selection indication to the base station.
The base station receives the first algorithm selection indication sent by the MME. The first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select the integrity protection algorithm according to the preset integrity protection algorithm priority of the base station; or the first algorithm selection indication instructs the base station to select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbids the base station from selecting any encryption algorithm other than the null algorithm.
Another possible implementation: the MME determines that the home region of the UE is a preset region. The MME then determines the security capability information of the UE and sends security capability information to the base station. This includes the following cases:
One possible case: the MME sends the security capability information of the UE to the base station.
The base station receives the security capability information of the UE sent by the MME and judges from it whether the UE supports the preset security algorithm; if not, the base station selects the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the encryption algorithm according to the preset encryption algorithm priority.
Another possible case: when the MME determines that the UE does not support the preset security algorithm, the MME sends a second algorithm selection indication to the base station. Those skilled in the art will understand that the MME's determination that the UE does not support the preset security algorithm and its determination that the home region of the UE is a preset region have no strict ordering relationship.
The base station receives the second algorithm selection indication sent by the MME; the second algorithm selection indication instructs the base station to select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select the encryption algorithm according to the preset encryption algorithm priority.
A further possible case: when the MME determines that the UE supports the preset security algorithm, the MME sends a third algorithm selection indication to the base station. Those skilled in the art will understand that the MME's determination that the UE supports the preset security algorithm and its determination that the home region of the UE is a preset region have no strict ordering relationship.
The base station receives the third algorithm selection indication sent by the MME; the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
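Steps 503 to 505 carried through in code, as an added example that is not part of the patent or of any Huawei product code. The integer codes for the three algorithm selection indications, the string sets standing in for capability information, the preset region (keyed by MCC), the identification of the preset algorithm with ZUC and the priority tables are all assumptions chosen for illustration; the text fixes none of these encodings. The example also goes beyond the text in one respect, marked in a comment: the third indication is used whenever the preset algorithm is available on both sides, whereas the text states it only for the preset region.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Added example, not code from the patent. All encodings and tables below are
# assumptions for illustration.

PRESET_ALGS = {"EEA3", "EIA3"}            # assumption: the preset security algorithm is ZUC
PRESET_MCCS = {"460"}                      # assumption: one preset home region
EEA_PRIORITY = ["EEA3", "EEA2", "EEA1"]    # EEA3 above EEA1/EEA2 as the text requires;
EIA_PRIORITY = ["EIA3", "EIA2", "EIA1"]    # EEA2 before EEA1 is this example's choice
NULL_CIPHER = "EEA0"

FIRST_INDICATION, SECOND_INDICATION, THIRD_INDICATION = 1, 2, 3


@dataclass
class MmeMessage:
    """Content of step 504: the (possibly modified) UE capability and/or an indication."""
    ue_caps: Set[str]
    indication: Optional[int] = None


def pick(priority, caps):
    """Highest-priority algorithm present in caps, or None."""
    return next((a for a in priority if a in caps), None)


def supports_preset(caps):
    return PRESET_ALGS <= caps


def mme_decide(mcc: str, ue_caps: Set[str], enb_caps: Set[str], use_indication: bool) -> MmeMessage:
    """Step 503: combine home region, UE capability and base-station capability.
    `use_indication` chooses between the 'send an indication' and the
    'send (modified) capability' variants the text describes for each region."""
    usable = ue_caps & enb_caps                 # what both ends can actually run
    if supports_preset(usable):
        # Third indication. The text states this for the preset region; applying it
        # whenever the preset algorithm is available on both sides is an assumption.
        return MmeMessage(usable, THIRD_INDICATION)
    if mcc not in PRESET_MCCS:
        # Non-preset region: integrity from the UE's own list, ciphering forced to null.
        if use_indication:
            return MmeMessage(usable, FIRST_INDICATION)
        eia_only = {a for a in usable if a.startswith("EIA")}
        return MmeMessage(eia_only | {NULL_CIPHER})      # modified capability, no indication
    if use_indication:
        return MmeMessage(usable, SECOND_INDICATION)      # preset region: priority lists
    return MmeMessage(usable)                             # unmodified: the base station judges


def base_station_select(msg: MmeMessage, enb_caps: Set[str]):
    """Step 505: (ciphering, integrity) from the MME's capability and/or indication."""
    caps = msg.ue_caps & (enb_caps | {NULL_CIPHER})      # the null cipher is always available
    if msg.indication == FIRST_INDICATION:
        return NULL_CIPHER, pick(EIA_PRIORITY, caps)
    if msg.indication == SECOND_INDICATION:
        return pick(EEA_PRIORITY, caps), pick(EIA_PRIORITY, caps)
    if msg.indication == THIRD_INDICATION:
        if not supports_preset(caps):
            raise ValueError("third indication received but the preset algorithm is unavailable")
        return "EEA3", "EIA3"
    # No indication: the base station judges support from the capability it received.
    if supports_preset(caps):
        return "EEA3", "EIA3"
    eea = pick(EEA_PRIORITY, caps)
    if eea is None and NULL_CIPHER in caps:
        eea = NULL_CIPHER              # capability modified by the MME: EIA list plus EEA0
    return eea, pick(EIA_PRIORITY, caps)
```

Whichever variant is used, the outcome for a UE outside the preset region that lacks the preset algorithm is the null ciphering algorithm EEA0: RRC signalling is still integrity protected by the selected EIA, but neither signalling nor user-plane traffic is confidentiality protected. An operator deploying this scheme should treat that branch as a deliberate policy decision rather than a default.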
In the method provided by this embodiment of the present invention, the base station receives the UE security capability modified by the MME, or an algorithm selection indication; this not only provides security protection for the UE but also reduces the processing load on the base station.
Fig. 6 is a schematic structural diagram of embodiment one of the mobility management entity of the present invention. As shown in Fig. 6, the mobility management entity 60 provided by this embodiment includes a determination module 601 and a judging module 602.
The determination module 601 is configured to determine the home region of the UE according to the identifier of the user equipment (UE);
the judging module 602 is configured to determine, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE.
The mobility management entity of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of embodiment two of the mobility management entity of the present invention. This embodiment builds on the embodiment of Fig. 6, as follows:
Optionally, the judging module 602 is specifically configured to:
determine that the home region of the UE is a preset region, then judge from the security capability information of the UE whether the UE supports the preset security algorithm, and if not, select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the encryption algorithm according to the preset encryption algorithm priority; or determine that the home region of the UE is a non-preset region, then judge from the security capability information of the UE whether the UE supports the preset security algorithm, and if not, select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
judge from the security capability information that the UE does not support the preset security algorithm, then judge whether the home region of the UE is a preset region; if so, select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the encryption algorithm according to the preset encryption algorithm priority; if not, select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
Optionally, the mobility management entity further includes a first receiving module 603, configured, before the home region of the UE is determined according to the identifier of the user equipment (UE), to:
receive a redirection request message sent by an SGSN, the redirection request message including the identifier and the security capability information of the UE; or
receive an Attach Request message sent by the user equipment (UE), the Attach Request message including the identifier and the security capability information of the UE; or
receive a location update request message sent by the user equipment (UE), the location update request message including the identifier and the security capability information of the UE.
Optionally, the mobility management entity further includes a second receiving module 604, configured, before the home region of the UE is determined according to the identifier of the user equipment (UE), to:
receive a redirection request message sent by an SGSN, the redirection request message including the identifier of the UE, or receive a location update request message sent by the user equipment (UE), the location update request message including the identifier of the UE;
and the judging module 602 is specifically configured to: judge that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a preset region, and then select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the encryption algorithm according to the preset encryption algorithm priority; or
judge that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, and then select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
Optionally, the determination module 601 is specifically configured to:
determine that the identifier is an international mobile subscriber identity (IMSI), then obtain the MNC and MCC from the IMSI and judge the home region of the UE from the MNC and MCC; or
determine that the identifier is a temporary identifier, then obtain the IMSI corresponding to the temporary identifier, obtain the MNC and MCC from that IMSI, and judge the home region of the UE from the MNC and MCC; or
determine that the identifier is a mobile subscriber number (MSISDN), then determine the home region of the UE from the MSISDN; or
send an identification request message including the identifier to a network entity device, and receive an identification response message from the network entity device, the identification response message including either the home region of the UE or an identifiable identifier from which the MME determines the home region of the UE.
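The four branches of the determination module 601 in code, as an added example that is not part of the patent or of any Huawei product code. The MNC-length table, the MSISDN country-code table, the temporary-identifier map, the `guti:`/`tmsi:` prefixes and the preset-region set are constructed for illustration; a real MME takes PLMN data from configuration and resolves a temporary identifier from its own GUTI allocation records, and the fourth branch (identification request to another network entity) is represented only by a `None` result. The region is keyed on the MCC here; the text judges from MCC and MNC together, so a deployment may key on the full PLMN identity instead.

```python
from typing import Optional, Tuple

# Added example, not code from the patent. All tables below are constructed
# for illustration and are incomplete.

# MCCs whose MNCs are three digits long (assumption: a partial, illustrative table;
# everywhere else the example assumes a two-digit MNC).
THREE_DIGIT_MNC_MCCS = {str(m) for m in range(310, 317)} | {"334", "405"}

PRESET_REGION_MCCS = {"460"}                      # assumption: the preset home region

# Constructed lookup data (assumptions).
TEMPORARY_ID_TO_IMSI = {"guti:4600001a2b3c": "460001234567890"}
MSISDN_CC_TO_MCC = {"86": "460", "1": "310", "44": "234"}
TEMPORARY_PREFIXES = ("guti:", "tmsi:", "ptmsi:")


def split_imsi(imsi: str) -> Tuple[str, str]:
    """IMSI -> (MCC, MNC). The MCC is always 3 digits; the MNC length depends on the MCC."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len]


def mcc_from_msisdn(msisdn: str) -> Optional[str]:
    """Map the country code at the front of an international MSISDN to an MCC."""
    digits = msisdn.lstrip("+")
    for cc in sorted(MSISDN_CC_TO_MCC, key=len, reverse=True):   # longest prefix wins
        if digits.startswith(cc):
            return MSISDN_CC_TO_MCC[cc]
    return None


def home_region(identifier: str) -> Optional[str]:
    """MCC of the UE's home region, or None when the MME would have to send an
    identification request to another network entity (the fourth branch)."""
    if identifier.startswith(TEMPORARY_PREFIXES):          # second branch: temporary identifier
        imsi = TEMPORARY_ID_TO_IMSI.get(identifier)
        return None if imsi is None else split_imsi(imsi)[0]
    if identifier.startswith("+"):                         # third branch: MSISDN
        return mcc_from_msisdn(identifier)
    if identifier.isdigit() and len(identifier) == 15:     # first branch: IMSI
        return split_imsi(identifier)[0]
    return None


def is_preset_region(identifier: str) -> Optional[bool]:
    """True or False once the home region is known, None when it still has to be queried."""
    mcc = home_region(identifier)
    return None if mcc is None else mcc in PRESET_REGION_MCCS
```

The MNC-length lookup is the part that goes wrong most often in practice: slicing a fixed two digits off every IMSI misclassifies subscribers from PLMNs with three-digit MNCs, so the table has to be maintained alongside the operator's roaming agreements.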
The mobile management entity of the present embodiment, may be used for the technical scheme performing said method embodiment, it realizes principle and technique effect is similar, repeats no more herein.
Fig. 8 is the structural representation of base station embodiment one of the present invention.As shown in Figure 8, the base station 80 that the embodiment of the present invention provides comprises: acquisition module 801, judge module 802.
Wherein, acquisition module 801, for the security capability information of the attributed region and described UE that obtain user equipment (UE), or obtains the security algorithm information of UE;
Judge module 802, for according to the attributed region of described UE and the security capability information of described UE, or according to described security algorithm information judge described UE can cryptographic algorithm and/or protection algorithm integrallty;
Wherein, described security algorithm information comprise UE security capability information, algorithms selection instruction, UE can cryptographic algorithm and protection algorithm integrallty in arbitrary or its combination.
The base station of the present embodiment, may be used for the technical scheme performing embodiment of the method shown in Fig. 3, it realizes principle and technique effect is similar, repeats no more herein.
Fig. 9 is the structural representation of base station embodiment two of the present invention.The present embodiment realizes on the basis of Fig. 8 embodiment, specific as follows:
Alternatively, described judge module 802 specifically for:
Judge that the attributed region of described UE is predeterminable area, then judge whether described UE supports preset security algorithm according to the security capability information of described UE, if not, protection algorithm integrallty is selected according to default protection algorithm integrallty priority, and/or according to predetermined encryption algorithm priority Choice encryption algorithm, or, judge that the attributed region of described UE is non-predeterminable area, then judge whether described UE supports preset security algorithm according to the security capability information of described UE, if not, protection algorithm integrallty is selected according to default protection algorithm integrallty priority, and/or select empty algorithm as cryptographic algorithm, or
Judge that described UE does not support preset security algorithm according to the security capability information of described UE; whether the attributed region then judging described UE is predeterminable area; if; then select protection algorithm integrallty according to presetting protection algorithm integrallty priority; and/or according to predetermined encryption algorithm priority Choice encryption algorithm; if not, then select protection algorithm integrallty according to presetting protection algorithm integrallty priority, and/or select empty algorithm as cryptographic algorithm.
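The judging-module decision, which is the same for the MME's judging module 602 (including the no-capability case of its second receiving module 604) and for the base station's judging module 802, and which step 403 of Fig. 4 relies on, as an added example that is not part of the patent or of any Huawei product code. The two-octet capability layout follows the NAS "UE security capability" information element (octet 1 carries EEA0 in bit 8 down to EEA7 in bit 1, octet 2 likewise for EIA0 to EIA7); the priority tables, the identification of the preset algorithm with ZUC and the function names are assumptions for illustration. One step beyond the text is marked in a comment: the preset algorithm is chosen whenever the UE supports it, whereas the text states that only for the preset region.

```python
# Added example, not code from the patent. Priority tables and preset-region
# handling are assumptions for illustration.

EEA_PRIORITY = ["EEA3", "EEA2", "EEA1"]   # EEA3 ranked first, as the text requires for ZUC
EIA_PRIORITY = ["EIA3", "EIA2", "EIA1"]   # EIA0 deliberately absent: it gives no integrity protection
NULL_CIPHER = "EEA0"


def parse_ue_security_capability(ie: bytes) -> set:
    """Decode the capability bitmap into algorithm names,
    e.g. bytes([0xE0, 0x60]) -> {EEA0, EEA1, EEA2, EIA1, EIA2}."""
    if len(ie) < 2:
        raise ValueError("UE security capability needs at least two octets")
    caps = set()
    for octet, prefix in ((ie[0], "EEA"), (ie[1], "EIA")):
        for bit in range(8):
            if octet & (0x80 >> bit):          # bit 8 is algorithm 0, bit 1 is algorithm 7
                caps.add(f"{prefix}{bit}")
    return caps


def pick(priority, caps):
    """Highest-priority algorithm present in caps, or None."""
    return next((a for a in priority if a in caps), None)


def supports_preset(caps):
    return {"EEA3", "EIA3"} <= caps


def judge(home_region_is_preset: bool, capability_ie):
    """The judging-module decision: returns (ciphering, integrity).
    capability_ie is None when the redirection or location update request carried
    no security capability (the second receiving module's case)."""
    if capability_ie is None:
        # Nothing is known about the UE: take the head of the network's own priority
        # lists; outside the preset region ciphering is the null algorithm.
        eea = EEA_PRIORITY[0] if home_region_is_preset else NULL_CIPHER
        return eea, EIA_PRIORITY[0]

    caps = parse_ue_security_capability(capability_ie)
    eia = pick(EIA_PRIORITY, caps)
    if eia is None:
        raise ValueError("UE offers no integrity algorithm other than EIA0")
    if supports_preset(caps):
        # Preset algorithm in both directions. The text states this for the preset
        # region; using it regardless of region is this example's assumption.
        return "EEA3", "EIA3"
    if home_region_is_preset:
        # Preset region, no ZUC: both algorithms from the priority lists. A UE that
        # offers no cipher other than EEA0 gets EEA0 (assumption).
        return pick(EEA_PRIORITY, caps) or NULL_CIPHER, eia
    # Non-preset region, no ZUC: integrity by priority, ciphering forced to null.
    return NULL_CIPHER, eia
```

Two details matter for a reviewer of such logic: the integrity list never contains EIA0, so a UE advertising only null integrity is rejected rather than silently given unprotected signalling, and a UE that advertises EEA3 without EIA3 is not treated as supporting the preset algorithm but still receives EEA3 through the priority list in the preset region, as the text's ordering of EEA3 above EEA1 and EEA2 requires.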
Optionally, the obtaining module 801 is specifically configured to:
receive the home information and the security capability information of the UE sent by the mobility management entity (MME), and determine the home region of the UE from the region indication in the home information; or
receive a handover request message sent by the MME, the handover request message including the security capability information of the UE and the home region of the UE.
Optionally, the judging module 802 is specifically configured to:
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive the integrity protection algorithm and/or encryption algorithm usable by the UE sent by the mobility management entity (MME), the integrity protection algorithm being the one included in the security capability information of the UE and the encryption algorithm being the null algorithm; or
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive a first algorithm selection indication sent by the MME, the first algorithm selection indication instructing the base station to select the null algorithm as the encryption algorithm and/or to select the integrity protection algorithm according to the preset integrity protection algorithm priority, or instructing the base station to select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbidding the base station from selecting any encryption algorithm other than the null algorithm.
Optionally, the judging module 802 is specifically configured to: if the home region of the UE is a preset region, receive the security capability information of the UE sent by the MME, and judge from it whether the UE supports the preset security algorithm; if not, select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE does not support the preset security algorithm, receive a second algorithm selection indication sent by the MME, the second algorithm selection indication instructing the base station to select the integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select the encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE supports the preset security algorithm, receive a third algorithm selection indication sent by the MME, the third algorithm selection indication instructing the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
Optionally, the base station further includes:
a sending module 803, configured to send the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
The base station of this embodiment may be used to carry out the technical solution of the method embodiments above; its principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above merely illustrate the technical solutions of the present invention and are not intended to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without thereby departing in substance from the scope of the technical solutions of the embodiments of the present invention.

Claims (22)

1. A Non-Access Stratum security algorithm processing method, characterized in that it comprises:
a mobility management entity (MME) determining the home region of a user equipment (UE) according to an identifier of the UE; and
the MME determining, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE.
2. The method according to claim 1, characterized in that the MME determining, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE comprises:
the MME determining that the home region of the UE is a preset region, then judging from the security capability information of the UE whether the UE supports the preset security algorithm, and if not, selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the encryption algorithm according to the preset encryption algorithm priority; or, the MME determining that the home region of the UE is a non-preset region, then judging from the security capability information of the UE whether the UE supports the preset security algorithm, and if not, selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the null algorithm as the encryption algorithm; or
the MME judging from the security capability information that the UE does not support the preset security algorithm, then judging whether the home region of the UE is a preset region; if so, selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the encryption algorithm according to the preset encryption algorithm priority; if not, selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the null algorithm as the encryption algorithm.
3. The method according to claim 1 or 2, characterized in that, before the MME determines the home region of the UE according to the identifier of the UE, the method further comprises:
the MME receiving a redirection request message sent by an SGSN, the redirection request message including the identifier and the security capability information of the UE; or
the MME receiving an Attach Request message sent by the UE, the Attach Request message including the identifier and the security capability information of the UE; or
the MME receiving a location update request message sent by the UE, the location update request message including the identifier and the security capability information of the UE.
4. The method according to claim 1, characterized in that, before the MME determines the home region of the UE according to the identifier of the UE, the method further comprises:
the MME receiving a redirection request message sent by an SGSN, the redirection request message including the identifier of the UE, or the MME receiving a location update request message sent by the UE, the location update request message including the identifier of the UE; and
the MME determining, according to the home region of the UE and the security capability information, the encryption algorithm and/or integrity protection algorithm usable by the UE comprises:
the MME judging that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a preset region, and then selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the encryption algorithm according to the preset encryption algorithm priority; or
the MME judging that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, and then selecting the integrity protection algorithm according to the preset integrity protection algorithm priority and/or selecting the null algorithm as the encryption algorithm.
5. The method according to any one of claims 1 to 4, characterized in that the MME determining the home region of the UE according to the identifier of the UE comprises:
the MME determining that the identifier is an international mobile subscriber identity (IMSI), then obtaining the MNC and MCC from the IMSI and judging the home region of the UE from the MNC and MCC; or
the MME determining that the identifier is a temporary identifier, then obtaining the IMSI corresponding to the temporary identifier, obtaining the MNC and MCC from that IMSI, and judging the home region of the UE from the MNC and MCC; or
the MME determining that the identifier is a mobile subscriber number (MSISDN), then determining the home region of the UE from the MSISDN; or
the MME sending an identification request message including the identifier to a network entity device, and receiving an identification response message from the network entity device, the identification response message including either the home region of the UE or an identifiable identifier from which the MME determines the home region of the UE.
6. an Access Layer security algorithm processing method, is characterized in that, comprising:
Base station obtains the attributed region of user equipment (UE) and the security capability information of described UE, or obtains the security algorithm information of UE;
Described base station according to the security capability information of the attributed region of described UE and described UE, or according to described security algorithm information judge described UE can cryptographic algorithm and/or protection algorithm integrallty;
Wherein, described security algorithm information comprise UE security capability information, algorithms selection instruction, UE can cryptographic algorithm and protection algorithm integrallty in arbitrary or its combination.
7. method according to claim 6, is characterized in that, described base station according to the security capability information of the attributed region of described UE and described UE judge described UE can cryptographic algorithm and/or protection algorithm integrallty, comprising:
Described base station judges that the attributed region of described UE is predeterminable area, then judge whether described UE supports preset security algorithm according to the security capability information of described UE, if not, protection algorithm integrallty is selected according to default protection algorithm integrallty priority, and/or according to predetermined encryption algorithm priority Choice encryption algorithm, or, if described base station judges that the attributed region of described UE is non-predeterminable area, then judge whether described UE supports preset security algorithm according to the security capability information of described UE, if not, protection algorithm integrallty is selected according to default protection algorithm integrallty priority, and/or select empty algorithm as cryptographic algorithm, or
According to the security capability information of described UE, described base station judges that described UE does not support preset security algorithm; whether the attributed region then judging described UE is predeterminable area; if; then select protection algorithm integrallty according to presetting protection algorithm integrallty priority; and/or according to predetermined encryption algorithm priority Choice encryption algorithm; if not, then select protection algorithm integrallty according to presetting protection algorithm integrallty priority, and/or select empty algorithm as cryptographic algorithm.
8. The method according to claim 6 or 7, wherein the base station obtaining the home region of the user equipment (UE) and the security capability information of the UE comprises:
The base station receives attach information and the security capability information of the UE sent by a mobility management entity (MME), and determines the home region of the UE according to a region indication in the attach information; or
The base station receives a handover request message sent by the MME, the handover request message including the security capability information of the UE and the home region of the UE.
9. The method according to claim 6, wherein the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE comprises:
If the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, the base station receives the integrity protection algorithm and/or encryption algorithm usable by the UE sent by a mobility management entity (MME), where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
If the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, the base station receives a first algorithm selection instruction sent by the mobility management entity (MME), where the first algorithm selection instruction instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or the first algorithm selection instruction instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbids the base station from selecting any encryption algorithm other than the null algorithm.
10. The method according to claim 6, wherein the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE comprises:
If the home region of the UE is a preset region, the base station receives the security capability information of the UE sent by a mobility management entity (MME) and determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or
If the home region of the UE is a preset region and the UE does not support the preset security algorithm, the base station receives a second algorithm selection instruction sent by the mobility management entity (MME), where the second algorithm selection instruction instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
If the home region of the UE is a preset region and the UE supports the preset security algorithm, the base station receives a third algorithm selection instruction sent by the mobility management entity (MME), where the third algorithm selection instruction instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
11. The method according to claim 9 or 10, further comprising:
The base station sends the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
12. A mobility management entity, comprising:
A determination module, configured to determine the home region of a user equipment (UE) according to an identifier of the UE; and
A judgment module, configured to determine, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm usable by the UE.
13. The mobility management entity according to claim 12, wherein the judgment module is specifically configured to:
Determine that the home region of the UE is a preset region, then determine, according to the security capability information of the UE, whether the UE supports a preset security algorithm, and if not, select an integrity protection algorithm according to a preset integrity protection algorithm priority and/or select an encryption algorithm according to a preset encryption algorithm priority; or, determine that the home region of the UE is a non-preset region, then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
Determine, according to the security capability information, that the UE does not support the preset security algorithm, then determine whether the home region of the UE is a preset region; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
14. The mobility management entity according to claim 12 or 13, further comprising a first receiving module, configured to, before the home region of the UE is determined according to the identifier of the user equipment (UE):
Receive a redirection request message sent by an SGSN, the redirection request message including the identifier and the security capability information of the UE; or
Receive an attach request message sent by the user equipment (UE), the attach request message including the identifier and the security capability information of the UE; or
Receive a location update request message sent by the user equipment (UE), the location update request message including the identifier and the security capability information of the UE.
15. The mobility management entity according to claim 12, further comprising a second receiving module, configured to, before the home region of the UE is determined according to the identifier of the user equipment (UE):
Receive a redirection request message sent by an SGSN, the redirection request message including the identifier of the UE, or receive a location update request message sent by the user equipment (UE), the location update request message including the identifier of the UE; and
The judgment module is specifically configured to: determine that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a preset region, and then select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
Determine that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, and then the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
16. The mobility management entity according to any one of claims 12 to 15, wherein the determination module is specifically configured to:
Determine that the identifier is an international mobile subscriber identity (IMSI), then obtain the MNC and MCC from the IMSI, and determine the home region of the UE according to the MNC and MCC; or
Determine that the identifier is a temporary identifier, then obtain the IMSI corresponding to the temporary identifier, obtain the MNC and MCC from that IMSI, and determine the home region of the UE according to the MNC and MCC; or
Determine that the identifier is a mobile subscriber number (MSISDN), then determine the home region of the UE according to the MSISDN; or
Send an identification request message including the identifier to a network entity device, and receive an identification response message sent by the network entity device, where the identification response message includes the home region of the UE, or includes an identifiable identifier so that the MME determines the home region of the UE according to the identifiable identifier.
17. A base station, comprising:
An acquisition module, configured to obtain the home region of a user equipment (UE) and the security capability information of the UE, or to obtain the security algorithm information of the UE; and
A judgment module, configured to determine, according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information, the encryption algorithm and/or integrity protection algorithm usable by the UE;
Wherein the security algorithm information comprises any one or a combination of: the security capability information of the UE, an algorithm selection instruction, and the encryption algorithm and integrity protection algorithm usable by the UE.
18. The base station according to claim 17, wherein the judgment module is specifically configured to:
Determine that the home region of the UE is a preset region, then determine, according to the security capability information of the UE, whether the UE supports a preset security algorithm, and if not, select an integrity protection algorithm according to a preset integrity protection algorithm priority and/or select an encryption algorithm according to a preset encryption algorithm priority; or, determine that the home region of the UE is a non-preset region, then determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
Determine, according to the security capability information of the UE, that the UE does not support the preset security algorithm, then determine whether the home region of the UE is a preset region; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
19. The base station according to claim 17 or 18, wherein the acquisition module is specifically configured to:
Receive attach information and the security capability information of the UE sent by a mobility management entity (MME), and determine the home region of the UE according to a region indication in the attach information; or
Receive a handover request message sent by the MME, the handover request message including the security capability information of the UE and the home region of the UE.
20. The base station according to claim 17, wherein the judgment module is specifically configured to:
If the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive the integrity protection algorithm and/or encryption algorithm usable by the UE sent by a mobility management entity (MME), where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
If the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive a first algorithm selection instruction sent by the mobility management entity (MME), where the first algorithm selection instruction instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or the first algorithm selection instruction instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or forbids the base station from selecting any encryption algorithm other than the null algorithm.
21. The base station according to claim 17, wherein the judgment module is specifically configured to: if the home region of the UE is a preset region, receive the security capability information of the UE sent by a mobility management entity (MME) and determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
If the home region of the UE is a preset region and the UE does not support the preset security algorithm, receive a second algorithm selection instruction sent by the mobility management entity (MME), where the second algorithm selection instruction instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
If the home region of the UE is a preset region and the UE supports the preset security algorithm, receive a third algorithm selection instruction sent by the mobility management entity (MME), where the third algorithm selection instruction instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
22. The base station according to claim 20 or 21, further comprising:
A sending module, configured to send the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
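The selection logic of claims 7, 9, 10 and 16 reduced to code, as an added illustration that is not part of the patent and not Huawei's implementation. The algorithm names (EIA/EEA labels), the PLMN set that stands for the "preset region", the priority lists and the choice of EIA3/EEA3 as the "preset security algorithm" are all constructed sample values. Two points the claims leave open are treated as assumptions here: a priority list is intersected with the UE's capabilities before an algorithm is taken from it (claim 9 implies this for integrity), and a UE that supports the preset algorithm gets it in either region.

```python
"""Added example: NAS/AS security-algorithm selection modelled on the claims.
All names and tables below are constructed sample values, not from the patent."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Hypothetical "preset region": PLMNs (MCC, MNC) for which real encryption is required.
PRESET_REGION_PLMNS: Set[Tuple[str, str]] = {("460", "00"), ("460", "01")}
# Preset priority lists, highest priority first (constructed).
INTEGRITY_PRIORITY: List[str] = ["EIA2", "EIA1"]
ENCRYPTION_PRIORITY: List[str] = ["EEA2", "EEA1"]
# The "preset security algorithm" pair a UE may or may not support (constructed choice).
PRESET_INTEGRITY, PRESET_ENCRYPTION = "EIA3", "EEA3"
# The "null algorithm" of the claims: no confidentiality protection.
NULL_ENCRYPTION = "EEA0"


@dataclass(frozen=True)
class Selection:
    integrity: str
    encryption: str


def home_region_from_imsi(imsi: str, mnc_len: int = 2) -> str:
    """Claim 16: split MCC (3 digits) and MNC (2 or 3 digits) off the IMSI and
    map the PLMN to 'preset' or 'non-preset'. Malformed input is rejected."""
    if not imsi.isdigit() or not 3 + mnc_len <= len(imsi) <= 15:
        raise ValueError("malformed IMSI")
    plmn = (imsi[:3], imsi[3:3 + mnc_len])
    return "preset" if plmn in PRESET_REGION_PLMNS else "non-preset"


def supports_preset(ue_caps: Iterable[str]) -> bool:
    """Does the UE security capability advertise the preset algorithm pair?"""
    caps = set(ue_caps)
    return PRESET_INTEGRITY in caps and PRESET_ENCRYPTION in caps


def first_supported(priority: List[str], ue_caps: Iterable[str]) -> str:
    """Walk the preset priority list and return the first algorithm the UE supports
    (assumption: the list is intersected with the UE capability)."""
    caps = set(ue_caps)
    for alg in priority:
        if alg in caps:
            return alg
    raise ValueError(f"no algorithm of {priority} is supported by the UE")


def select_algorithms(region: str, ue_caps: Iterable[str]) -> Selection:
    """Claims 7 / 13 / 18: the judgement made by the MME or the base station.
    Integrity is always taken from the priority list; only the encryption side
    degrades to the null algorithm, and only for a non-preset home region."""
    if supports_preset(ue_caps):
        return Selection(PRESET_INTEGRITY, PRESET_ENCRYPTION)
    integrity = first_supported(INTEGRITY_PRIORITY, ue_caps)
    if region == "preset":
        return Selection(integrity, first_supported(ENCRYPTION_PRIORITY, ue_caps))
    return Selection(integrity, NULL_ENCRYPTION)


def mme_instruction(region: str, ue_caps: Iterable[str]) -> str:
    """Claims 9 / 10: which algorithm selection instruction the MME sends."""
    if supports_preset(ue_caps):
        return "third"          # determine algorithms from the preset algorithm
    return "second" if region == "preset" else "first"


def base_station_apply(instruction: str, ue_caps: Iterable[str]) -> Selection:
    """Claims 9 / 10 seen from the base station: act on the MME's instruction."""
    if instruction == "third":
        return Selection(PRESET_INTEGRITY, PRESET_ENCRYPTION)
    integrity = first_supported(INTEGRITY_PRIORITY, ue_caps)
    if instruction == "first":   # null encryption, integrity by priority
        return Selection(integrity, NULL_ENCRYPTION)
    if instruction == "second":  # both by preset priority
        return Selection(integrity, first_supported(ENCRYPTION_PRIORITY, ue_caps))
    raise ValueError(f"unknown algorithm selection instruction {instruction!r}")


if __name__ == "__main__":
    caps = ["EEA1", "EEA2", "EIA1", "EIA2"]          # constructed UE capability
    for imsi in ("460001234567890", "310260123456789"):
        region = home_region_from_imsi(imsi, mnc_len=2 if imsi.startswith("460") else 3)
        print(imsi, region, select_algorithms(region, caps))
```

Whichever path is taken, the MME's instruction and the base station's own judgement must agree on the same (integrity, encryption) pair for a given UE, which is what the cross-check at the end of the test below verifies; the only way encryption becomes EEA0 is the explicit non-preset, no-preset-algorithm branch, which is the case an operator would want logged.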
CN201310226174.5A 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment Active CN104244247B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310226174.5A CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment
PCT/CN2014/078658 WO2014194787A1 (en) 2013-06-07 2014-05-28 Non-access layer and access layer security algorithm processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310226174.5A CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment

Publications (2)

Publication Number Publication Date
CN104244247A true CN104244247A (en) 2014-12-24
CN104244247B CN104244247B (en) 2019-02-05

Family

ID=52007550

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310226174.5A Active CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment

Country Status (2)

Country Link
CN (1) CN104244247B (en)
WO (1) WO2014194787A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967984A (en) * 2015-04-29 2015-10-07 大唐移动通信设备有限公司 Method of obtaining information of user equipment (UE) and system of obtaining information of user equipment
CN106792676A (en) * 2017-02-10 2017-05-31 北京浩瀚深度信息技术股份有限公司 The decryption method and device of a kind of LTE system inside NAS message
CN110121168A (en) * 2018-02-06 2019-08-13 华为技术有限公司 Safe consultation method and device
CN112867000A (en) * 2018-04-04 2021-05-28 中兴通讯股份有限公司 Techniques for managing integrity protection
CN115118419A (en) * 2022-08-25 2022-09-27 广州万协通信息技术有限公司 Data transmission method of security chip, security chip device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564513A (en) * 2004-04-02 2005-01-12 中兴通讯股份有限公司 Method of selecting encryption computation in mobile communication system
CN101128061A (en) * 2007-09-27 2008-02-20 中兴通讯股份有限公司 Method and system for mobile management unit, evolving base station and identifying whether UI is encrypted
CN101242630A (en) * 2007-02-05 2008-08-13 华为技术有限公司 Method, device and network system for secure algorithm negotiation
CN101330376A (en) * 2007-06-22 2008-12-24 华为技术有限公司 Negotiation method for safety algorithm
CN101384079A (en) * 2007-09-03 2009-03-11 华为技术有限公司 Method, system and apparatus for preventing degraded attack when terminal moving
CN101854625A (en) * 2009-04-03 2010-10-06 华为技术有限公司 Selective processing method and device of security algorithm, network entity and communication system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399767B (en) * 2007-09-29 2011-04-20 华为技术有限公司 Method, system and apparatus for security capability negotiation during terminal moving
CN101754186B (en) * 2009-12-10 2013-06-12 中兴通讯股份有限公司 Method and system for residing when mobile terminal is powered on
US20110271096A1 (en) * 2010-04-29 2011-11-03 Sonus Networks, Inc. Loosely-Coupled Encryption Functionality for Operating Systems

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967984A (en) * 2015-04-29 2015-10-07 大唐移动通信设备有限公司 Method of obtaining information of user equipment (UE) and system of obtaining information of user equipment
CN104967984B (en) * 2015-04-29 2019-04-05 大唐移动通信设备有限公司 A kind of method and system for the information obtaining user equipment
CN106792676A (en) * 2017-02-10 2017-05-31 北京浩瀚深度信息技术股份有限公司 The decryption method and device of a kind of LTE system inside NAS message
CN106792676B (en) * 2017-02-10 2018-03-20 北京浩瀚深度信息技术股份有限公司 The decryption method and device of NAS message inside a kind of LTE system
CN110121168A (en) * 2018-02-06 2019-08-13 华为技术有限公司 Safe consultation method and device
US11765578B2 (en) 2018-02-06 2023-09-19 Huawei Technologies Co., Ltd. Security negotiation method and apparatus
CN112867000A (en) * 2018-04-04 2021-05-28 中兴通讯股份有限公司 Techniques for managing integrity protection
CN112867000B (en) * 2018-04-04 2022-09-09 中兴通讯股份有限公司 Techniques for managing integrity protection
US11711455B2 (en) 2018-04-04 2023-07-25 Zte Corporation Techniques to manage integrity protection
US11770467B2 (en) 2018-04-04 2023-09-26 Zte Corporation Techniques to manage integrity protection
CN115118419A (en) * 2022-08-25 2022-09-27 广州万协通信息技术有限公司 Data transmission method of security chip, security chip device, equipment and medium

Also Published As

Publication number Publication date
WO2014194787A1 (en) 2014-12-11
CN104244247B (en) 2019-02-05

Similar Documents

Publication Publication Date Title
US11641601B2 (en) Method, apparatus and device for allowing terminal to move between 4G and 5G networks
CN108632815B (en) Communication method and device
US8600353B2 (en) Methods and arrangements for communication channel re-establishment
JP7287534B2 (en) Method performed in MME device and MME device
EP2205014A2 (en) Method of handling inter-system handover security in wireless communications system and related communication device
EP3596985B1 (en) Method and apparatus for protection of privacy in paging of user equipment
CA2410544A1 (en) Method for supporting a handover between radio access networks
US10448286B2 (en) Mobility in mobile communications network
EP2677789B1 (en) Method and devices for remote smart card personalization
JP2013123271A (en) Method for handling roaming of mobile device to restricted area
CN104244247A (en) Non-access layer safe algorithm processing method, access layer safe algorithm processing method and equipment thereof
CN105323231A (en) Security algorithm selection method, security algorithm selection device and security algorithm selection system
CN112806044A (en) Pseudo base station identification method and device, mobile terminal and storage medium
EP2827628A1 (en) Authentication method, device and system for user equipment
EP3522668B1 (en) Method and device for trust relationship establishment
WO2009045138A1 (en) Terminal trace activation in a wirless communications network
CN101938746B (en) Anti-cloning method and device of user identification module
CN107968996B (en) Method for obtaining IMSI, target cell and source cell
CN114642014B (en) Communication method, device and equipment
CN102970678A (en) Encryption algorithm consulting method, network elements and mobile station
EP3363238B1 (en) Methods for handling non-access stratum (nas) incompatibility and scope of an assigned dcn
KR101385846B1 (en) Communications method and communications systems
CN108738084B (en) Communication method and device
AU2001265850A1 (en) Method for supporting a handover between radio access networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant