CN104244247B - Non-access stratum and access stratum security algorithm processing method and device - Google Patents

Publication number
CN104244247B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310226174.5A
Other languages
Chinese (zh)
Other versions
CN104244247A (en)
Inventor
许怡娴
崔洋
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201310226174.5A (CN104244247B)
Priority to PCT/CN2014/078658 (WO2014194787A1)
Publication of CN104244247A
Application granted
Publication of CN104244247B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic

Abstract

Embodiments of the present invention provide a non-access stratum and access stratum security algorithm processing method and device. The access stratum security algorithm processing method includes: a mobility management entity (MME) determines the home region of a user equipment (UE) according to an identifier of the UE; the MME determines, according to the home region of the UE and security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE. The non-access stratum and access stratum security algorithm processing method and device provided in the embodiments can provide a secure protection mechanism for user equipment.

Description

Non-access stratum and access stratum security algorithm processing method and device
Technical field
Embodiments of the present invention relate to communication technologies, and in particular to a non-access stratum and access stratum security algorithm processing method and device.
Background
In a communication system, data security is implemented by means of algorithms; various algorithms can provide confidentiality and integrity protection for data.
The algorithms approved by the 3rd Generation Partnership Project (3GPP) organization mainly include three: the Advanced Encryption Standard (AES) algorithm, the SNOW 3G algorithm, and the Zu Chongzhi (ZUC) algorithm, of which the ZUC algorithm is optional.
However, in the prior art, the encryption algorithms and integrity protection algorithms supported by user equipment (UE) differ greatly; in particular, some UEs do not support the preset security algorithm, so the mobility management entity (MME) or the base station cannot provide a secure protection mechanism for all UEs.
Summary of the invention
Embodiments of the present invention provide a non-access stratum and access stratum security algorithm processing method and device, to provide a secure protection mechanism for user equipment.
In a first aspect, an embodiment of the present invention provides a non-access stratum security algorithm processing method, including:
a mobility management entity (MME) determines the home region of a user equipment (UE) according to an identifier of the UE;
the MME determines, according to the home region of the UE and security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE.
With reference to the first aspect, in a first possible implementation of the first aspect, the MME determining, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE includes:
if the MME determines that the home region of the UE is a preset region, the MME determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, selects an integrity protection algorithm according to a preset integrity protection algorithm priority and/or selects an encryption algorithm according to a preset encryption algorithm priority; alternatively, if the MME determines that the home region of the UE is a non-preset region, the MME determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm; or
if the MME determines, according to the security capability information, that the UE does not support the preset security algorithm, the MME determines whether the home region of the UE is a preset region; if so, it selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; if not, it selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before the MME determines the home region of the UE according to the identifier of the UE, the method further includes:
the MME receives a Redirection Request message sent by an SGSN, where the Redirection Request message includes the identifier and the security capability information of the UE; or
the MME receives an Attach Request message sent by the UE, where the Attach Request message includes the identifier and the security capability information of the UE; or
the MME receives a location update request message sent by the UE, where the location update request message includes the identifier and the security capability information of the UE.
With reference to the first aspect, in a third possible implementation of the first aspect, before the MME determines the home region of the UE according to the identifier of the UE, the method further includes:
the MME receives a Redirection Request message sent by an SGSN, where the Redirection Request message includes the identifier of the UE; alternatively, the MME receives a location update request message sent by the UE, where the location update request message includes the identifier of the UE;
the MME determining, according to the home region and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE includes:
if the MME determines that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a preset region, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or
if the MME determines that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the MME determining the home region of the UE according to the identifier includes:
if the MME determines that the identifier is an international mobile subscriber identity (IMSI), the MME obtains the MNC and MCC from the IMSI and determines the home region of the UE according to the MNC and the MCC; or
if the MME determines that the identifier is a temporary identifier, the MME obtains the IMSI corresponding to the temporary identifier, obtains the MNC and MCC from the IMSI, and determines the home region of the UE according to the MNC and the MCC; or
if the MME determines that the identifier is a mobile subscriber number (MSISDN), the MME determines the home region of the UE according to the MSISDN; or
the MME sends an identification request message, which includes the identifier, to a network entity device, and receives an identification response message sent by the network entity device, where the identification response message includes the home region of the UE, or the identification response message includes a recognizable identifier, so that the MME determines the home region of the UE according to the recognizable identifier.
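The selection rule of the first aspect, written out as an added example (it is not code from the patent): the home region is derived from the MCC/MNC of the IMSI, and the non-preset branch is the one that yields the null cipher. The PLMN table, the preset region, the choice of ZUC (EEA3/EIA3) as the preset security algorithm, the priority lists and the behaviour when the preset algorithm is supported are assumptions made for illustration; EEA0 is the EPS null ciphering algorithm.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

NULL_CIPHER = "EEA0"  # EPS null ciphering algorithm (3GPP TS 33.401)

# --- Assumptions for illustration; none of these values come from the patent ---
PRESET_CIPHER, PRESET_INTEGRITY = "EEA3", "EIA3"   # assume the preset algorithm is ZUC
CIPHER_PRIORITY = ("EEA2", "EEA1")                  # AES first, then SNOW 3G
INTEGRITY_PRIORITY = ("EIA2", "EIA1")
KNOWN_PLMNS = {("001", "01"), ("999", "990")}       # constructed (MCC, MNC) table
PRESET_REGION_PLMNS = {("001", "01")}               # constructed preset region


@dataclass(frozen=True)
class SecurityCapability:
    ciphers: FrozenSet[str]
    integrity: FrozenSet[str]


@dataclass(frozen=True)
class Selection:
    cipher: str
    integrity: str
    reason: str


def split_imsi(imsi: str) -> Tuple[str, str]:
    """Return (MCC, MNC). The IMSI does not encode whether the MNC has two or
    three digits, so the prefix is matched against configured PLMNs."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("malformed IMSI")
    mcc = imsi[:3]
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in KNOWN_PLMNS:
            return mcc, mnc
    raise LookupError("unknown PLMN")


def home_region_is_preset(imsi: str) -> bool:
    try:
        return split_imsi(imsi) in PRESET_REGION_PLMNS
    except LookupError:
        return False  # a PLMN missing from the table cannot be in the preset set


def first_supported(priority: Sequence[str],
                    supported: Optional[FrozenSet[str]]) -> str:
    """First algorithm in priority order that the UE supports. With no
    capability information (None) the top priority entry is taken (assumption)."""
    for alg in priority:
        if supported is None or alg in supported:
            return alg
    raise ValueError("no common algorithm in priority list")


def select_nas_algorithms(imsi: str,
                          cap: Optional[SecurityCapability]) -> Selection:
    """Region-first and capability-first orderings in the text give the same
    result, so the two checks are simply combined here."""
    preset_region = home_region_is_preset(imsi)
    if cap and PRESET_CIPHER in cap.ciphers and PRESET_INTEGRITY in cap.integrity:
        # Assumption: a UE that supports the preset algorithm uses it.
        return Selection(PRESET_CIPHER, PRESET_INTEGRITY, "preset algorithm")
    integrity = first_supported(INTEGRITY_PRIORITY, cap.integrity if cap else None)
    if preset_region:
        cipher = first_supported(CIPHER_PRIORITY, cap.ciphers if cap else None)
        return Selection(cipher, integrity, "preset region: priority lists")
    # Non-preset region: integrity by priority, signalling left unciphered.
    return Selection(NULL_CIPHER, integrity, "non-preset region: null cipher")


if __name__ == "__main__":
    # Constructed sample UEs: one without ZUC support, one with no capability info.
    legacy = SecurityCapability(frozenset({"EEA0", "EEA1", "EEA2"}),
                                frozenset({"EIA1", "EIA2"}))
    for imsi, cap in [("001010123456789", legacy), ("999990123456789", legacy),
                      ("999990123456789", None)]:
        print(imsi, select_nas_algorithms(imsi, cap))
```
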
In a second aspect, an embodiment of the present invention provides an access stratum security algorithm processing method, including:
a base station obtains the home region of a user equipment (UE) and the security capability information of the UE, or obtains security algorithm information of the UE;
the base station determines, according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information, the encryption algorithm and/or integrity protection algorithm available to the UE;
where the security algorithm information includes any one or a combination of: the security capability information of the UE, an algorithm selection indication, and the encryption algorithm and integrity protection algorithm available to the UE.
With reference to the second aspect, in a first possible implementation of the second aspect, the base station determining, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE includes:
if the base station determines that the home region of the UE is a preset region, the base station determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; alternatively, if the base station determines that the home region of the UE is a non-preset region, the base station determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm; or
if the base station determines, according to the security capability information of the UE, that the UE does not support the preset security algorithm, the base station determines whether the home region of the UE is a preset region; if so, it selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; if not, it selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the base station obtaining the home region of the UE and the security capability information of the UE includes:
the base station receives the home information and the security capability information of the UE sent by the mobility management entity (MME), and determines the home region of the UE according to the region indication in the home information; or
the base station receives a handover request message sent by the MME, where the handover request message includes the security capability information of the UE and the home region of the UE.
With reference to the second aspect, in a third possible implementation of the second aspect, the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE includes:
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, the base station receives the integrity protection algorithm and/or encryption algorithm available to the UE sent by the MME, where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, the base station receives a first algorithm selection indication sent by the MME, where the first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or the first algorithm selection indication instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or prohibits the base station from selecting an encryption algorithm other than the null algorithm.
With reference to the second aspect, in a fourth possible implementation of the second aspect, the base station obtaining the security algorithm information of the UE and determining, according to the security algorithm information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE includes:
if the home region of the UE is a preset region, the base station receives the security capability information of the UE sent by the MME and determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, the base station selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects an encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE does not support the preset security algorithm, the base station receives a second algorithm selection indication sent by the MME, where the second algorithm selection indication instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE supports the preset security algorithm, the base station receives a third algorithm selection indication sent by the MME, where the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
With reference to the third or fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the method further includes:
the base station sends the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
In a third aspect, an embodiment of the present invention provides a mobility management entity, including:
a determining module, configured to determine the home region of a user equipment (UE) according to an identifier of the UE;
a judgment module, configured to determine, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE.
With reference to the third aspect, in a first possible implementation of the third aspect, the judgment module is specifically configured to:
if it determines that the home region of the UE is a preset region, determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; alternatively, if it determines that the home region of the UE is a non-preset region, determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
if it determines, according to the security capability information, that the UE does not support the preset security algorithm, determine whether the home region of the UE is a preset region; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the mobility management entity further includes a first receiving module, configured to, before the home region of the UE is determined according to the identifier of the UE:
receive a Redirection Request message sent by an SGSN, where the Redirection Request message includes the identifier and the security capability information of the UE; or
receive an Attach Request message sent by the UE, where the Attach Request message includes the identifier and the security capability information of the UE; or
receive a location update request message sent by the UE, where the location update request message includes the identifier and the security capability information of the UE.
With reference to the third aspect, in a third possible implementation of the third aspect, the mobility management entity further includes a second receiving module, configured to, before the home region of the UE is determined according to the identifier of the UE:
receive a Redirection Request message sent by an SGSN, where the Redirection Request message includes the identifier of the UE; alternatively, the MME receives a location update request message sent by the UE, where the location update request message includes the identifier of the UE;
the judgment module is specifically configured to: if it determines that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a preset region, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
if it determines that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, the MME selects an integrity protection algorithm according to the preset integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
With reference to the third aspect or any one of the first to third possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the determining module is specifically configured to:
if it determines that the identifier is an international mobile subscriber identity (IMSI), obtain the MNC and MCC from the IMSI and determine the home region of the UE according to the MNC and the MCC; or
if it determines that the identifier is a temporary identifier, obtain the IMSI corresponding to the temporary identifier, obtain the MNC and MCC from the IMSI, and determine the home region of the UE according to the MNC and the MCC; or
if it determines that the identifier is a mobile subscriber number (MSISDN), determine the home region of the UE according to the MSISDN; or
send an identification request message, which includes the identifier, to a network entity device, and receive an identification response message sent by the network entity device, where the identification response message includes the home region of the UE, or the identification response message includes a recognizable identifier, so that the MME determines the home region of the UE according to the recognizable identifier.
In a fourth aspect, an embodiment of the present invention provides a base station, including:
an obtaining module, configured to obtain the home region of a user equipment (UE) and the security capability information of the UE, or to obtain security algorithm information of the UE;
a judgment module, configured to determine, according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information, the encryption algorithm and/or integrity protection algorithm available to the UE;
where the security algorithm information includes any one or a combination of: the security capability information of the UE, an algorithm selection indication, and the encryption algorithm and integrity protection algorithm available to the UE.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the judgment module is specifically configured to:
if it determines that the home region of the UE is a preset region, determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; alternatively, if it determines that the home region of the UE is a non-preset region, determine, according to the security capability information of the UE, whether the UE supports the preset security algorithm, and if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
if it determines, according to the security capability information of the UE, that the UE does not support the preset security algorithm, determine whether the home region of the UE is a preset region; if so, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the obtaining module is specifically configured to:
receive the home information and the security capability information of the UE sent by the mobility management entity (MME), and determine the home region of the UE according to the region indication in the home information; or
receive a handover request message sent by the MME, where the handover request message includes the security capability information of the UE and the home region of the UE.
With reference to the fourth aspect, in a third possible implementation of the fourth aspect, the judgment module is specifically configured to:
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive the integrity protection algorithm and/or encryption algorithm available to the UE sent by the MME, where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE and the encryption algorithm is the null algorithm; or
if the home region of the UE is a non-preset region and the UE does not support the preset security algorithm, receive a first algorithm selection indication sent by the MME, where the first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the preset integrity protection algorithm priority, or the first algorithm selection indication instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or prohibits the base station from selecting an encryption algorithm other than the null algorithm.
With reference to the fourth aspect, in a fourth possible implementation of the fourth aspect, the judgment module is specifically configured to: if the home region of the UE is a preset region, the base station receives the security capability information of the UE sent by the MME and determines, according to the security capability information of the UE, whether the UE supports the preset security algorithm; if not, select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or select an encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE does not support the preset security algorithm, receive a second algorithm selection indication sent by the MME, where the second algorithm selection indication instructs the base station to select an integrity protection algorithm according to the preset integrity protection algorithm priority and/or to select an encryption algorithm according to the preset encryption algorithm priority; or
if the home region of the UE is a preset region and the UE supports the preset security algorithm, receive a third algorithm selection indication sent by the MME, where the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the preset security algorithm.
With reference to the third or fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the base station further includes:
a sending module, configured to send the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
Embodiments of the present invention provide a non-access stratum and access stratum security algorithm processing method and device. The access stratum security algorithm processing method includes: a mobility management entity (MME) determines the home region of a user equipment (UE) according to an identifier of the UE; the MME determines, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE. The non-access stratum and access stratum security algorithm processing method and device provided in the embodiments can provide a secure protection mechanism for user equipment.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. The accompanying drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention;
Fig. 2 is a signaling flowchart of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention;
Fig. 3 is a flowchart of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 4 is a first signaling flowchart of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 5 is a second signaling flowchart of Embodiment 1 of the access stratum security algorithm processing method of the present invention;
Fig. 6 is a schematic structural diagram of Embodiment 1 of the mobility management entity of the present invention;
Fig. 7 is a schematic structural diagram of Embodiment 2 of the mobility management entity of the present invention;
Fig. 8 is a schematic structural diagram of Embodiment 1 of the base station of the present invention;
Fig. 9 is a schematic structural diagram of Embodiment 2 of the base station of the present invention.
Specific embodiments
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Apparently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The embodiments of the present invention describe in detail the security algorithm processing methods of the non-access stratum and the access stratum. The distinction between access stratum procedures and non-access stratum procedures is made from the perspective of the protocol stack. In the protocol stack, the Radio Resource Control (RRC) layer, the Radio Access Network Application Part (RANAP) layer, and the protocol layers below them are called the access stratum, while Session Management (SM), Call Control (CC), Short Message Service (SMS), and the like above them are called the non-access stratum. In short, an access stratum procedure is one in which the radio access layer equipment, namely the radio network controller (RNC) and the UMTS base station (NodeB), must take part. A non-access stratum procedure is a signaling procedure that only the UE and the core network (CN) need to process; the radio access network elements RNC and NodeB do not need to process it.
Fig. 1 is a flowchart of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention. As shown in Fig. 1, this embodiment is executed by a mobility management entity (MME), which may be implemented in software and/or hardware. The non-access stratum security algorithm processing method provided in this embodiment includes:
Step 101: the mobility management entity (MME) determines the home region of the user equipment (UE) according to the identifier of the UE;
Step 102: the MME determines, according to the home region of the UE and the security capability information of the UE, the encryption algorithm and/or integrity protection algorithm available to the UE.
In a communication system, the non-access stratum (NAS) signaling connection between the MME and the user equipment (UE) has a NAS security mechanism. Once the security procedure is established, all NAS signaling is security protected, including encryption and integrity protection.
In a specific implementation, the MME selects the encryption algorithm (EPS Encryption Algorithm, EEA) and/or the integrity protection algorithm (EPS Integrity Algorithm, EIA). In 3GPP, the SNOW 3G, AES, and ZUC algorithms each have a corresponding EEA and EIA: the SNOW 3G algorithm includes EEA1 and EIA1, the AES algorithm includes EEA2 and EIA2, and the ZUC algorithm includes EEA3 and EIA3.
In step 101, the MME determines the home region of the UE according to the identifier of the UE. In a specific implementation, the MME may determine the home region from the identifier in the following possible ways.
One possible implementation: the MME determines that the identifier is an International Mobile Subscriber Identity (IMSI), obtains the Mobile Network Code (MNC) and the Mobile Country Code (MCC) from the IMSI, and determines the home region of the UE according to the MNC and the MCC.
Specifically, the MME can parse the MNC and MCC out of the IMSI. The MCC uniquely identifies the country to which the mobile subscriber belongs and distinguishes subscribers by country, which makes international roaming possible. Within one country, multiple mobile network operators can be distinguished by the MNC. The home region of the UE can therefore be determined from the MNC and MCC, and it can be determined whether the home region of the UE is the preset region or a non-preset region, where the preset region may be foreign and the non-preset region may be domestic. For example, the MME determines from the MCC that the UE is a foreign subscriber or a domestic subscriber, and determines the UE's mobile network operator from the MNC.
Another possible implementation: the MME determines that the identifier is a temporary identifier, obtains the IMSI corresponding to the temporary identifier, obtains the MNC and MCC from the IMSI, and determines the home region of the UE according to the MNC and the MCC.
Specifically, the MME determines that the identifier is a temporary identifier. For example, if the temporary identifier is a Temporary Mobile Subscriber Identity (TMSI), the MME determines the IMSI corresponding to the TMSI from the correspondence between TMSIs and IMSIs, then obtains the MNC and MCC from the IMSI and determines the home region of the UE. The temporary identifier may also be a Globally Unique Temporary Identifier (GUTI); the MME determines the IMSI corresponding to the GUTI from the correspondence between GUTIs and IMSIs, then obtains the MNC and MCC from the IMSI and determines the home region of the UE.
Yet another possible implementation: the MME determines that the identifier is a mobile subscriber number (Mobile Subscriber International ISDN/PSTN number, MSISDN), and determines the home region of the UE according to the MSISDN.
Specifically, the MME determines that the identifier is an MSISDN and determines the home region of the UE according to the correspondence between MSISDNs and home regions.
Yet another possible implementation: the MME sends an identification request message that includes the identifier to a network entity device, and receives an identification response message sent by the network entity device, where the identification response message includes the home region of the UE.
Specifically, the home region of the UE is determined by another network entity device, and the MME does not need to make the determination itself. The MME may send an identification request message to the network entity device, the identification request message including the identifier, and the network entity device determines the home region of the UE according to the identifier. The network entity device then sends the MME an identification response message that includes the home region of the UE. A person skilled in the art will understand that the network entity device determines the home region of the UE from the identifier in a way similar to the MME, so the details are not repeated here.
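The identifier-to-region step described above (IMSI, TMSI/GUTI resolved to an IMSI, or MSISDN), as an added Python example that is not part of the patent. The domestic MCC, the MNC-length table, the temporary-identifier bindings and the MSISDN prefix rule are constructed assumptions; the patent does not specify any of them.

```python
PRESET, NON_PRESET = "preset", "non-preset"

# Constructed sample data (assumptions, not taken from the patent).
HOME_MCCS = {"460"}                    # MCCs treated as domestic (non-preset)
THREE_DIGIT_MNC_MCCS = {"302", "310"}  # MCCs whose MNC is three digits long
TEMP_ID_TO_IMSI = {                    # bindings the MME holds for TMSI/GUTI
    ("tmsi", "1a2b3c4d"): "460001234567890",
    ("guti", "310260-8001-01-c0ffee01"): "310260123456789",
}
MSISDN_HOME_PREFIXES = ("86",)         # country codes treated as domestic


def split_imsi(imsi):
    """Return (MCC, MNC, MSIN) for an IMSI given as a digit string."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    # The MNC length cannot be read from the IMSI itself; it depends on the MCC.
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def region_from_imsi(imsi):
    """Classify the home region by MCC; the MNC identifies the operator."""
    mcc, mnc, _msin = split_imsi(imsi)
    region = NON_PRESET if mcc in HOME_MCCS else PRESET
    return region, mcc, mnc


def home_region(kind, value):
    """Resolve a UE identifier of the given kind to (region, MCC, MNC)."""
    if kind == "imsi":
        return region_from_imsi(value)
    if kind in ("tmsi", "guti"):
        imsi = TEMP_ID_TO_IMSI.get((kind, value))
        if imsi is None:
            # No local binding: the MME would have to ask another network
            # entity, as in the identification request/response variant.
            raise LookupError("no IMSI bound to this temporary identifier")
        return region_from_imsi(imsi)
    if kind == "msisdn":
        digits = value.lstrip("+")
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError("MSISDN must contain only digits")
        domestic = digits.startswith(MSISDN_HOME_PREFIXES)
        # An MSISDN carries no MCC/MNC, so only the region is returned.
        return (NON_PRESET if domestic else PRESET), None, None
    raise ValueError(f"unsupported identifier kind: {kind!r}")


if __name__ == "__main__":
    for kind, value in [("imsi", "460001234567890"),
                        ("guti", "310260-8001-01-c0ffee01"),
                        ("msisdn", "+14155550100")]:
        print(kind, value, "->", home_region(kind, value))
```

Because the region decides whether encryption can fall back to the null algorithm, an identifier that cannot be resolved raises an error here instead of defaulting to either region.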
The security capability information of the UE refers to the security algorithms the UE supports. Different UEs support different security algorithms. For example, a UE supports the default security algorithm, which is the Zu Chongzhi algorithm (ZUC); or a UE does not support the ZUC algorithm but supports the SNOW 3G and AES algorithms; or a UE supports the ZUC algorithm as well as the SNOW 3G and AES algorithms.
In step 102, the MME determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and the security capability information of the UE. That is, the MME considers not only the security capability information of the UE but also its home region. For example, when the UE does not support the default security algorithm: if the home region of the UE is the preset region, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and the encryption algorithm is selected according to the preset encryption algorithm priority; if the home region of the UE is a non-preset region, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority and the null algorithm is selected as the encryption algorithm. A person skilled in the art will understand that the MME may use the home region and security capability information to determine only the encryption algorithm available to the UE, determining the integrity protection algorithm according to the prior art; or may use them to determine only the integrity protection algorithm available to the UE, determining the encryption algorithm according to the prior art; or may use them to determine both the encryption algorithm and the integrity protection algorithm available to the UE.
After step 102, the MME sends the UE a Security Mode Command message that includes the encryption algorithm and integrity protection algorithm available to the UE. The UE uses the integrity protection algorithm specified by the MME, calculates the integrity protection key, and performs an integrity check on the message. If the check succeeds, the UE sends a Security Mode Complete message to the MME; the MME receives the Security Mode Complete message sent by the UE, and the non-access stratum (NAS) security procedure is established. Subsequent NAS signaling is protected with this encryption algorithm and integrity protection algorithm.
In the non-access stratum security algorithm processing method provided in this embodiment of the present invention, the MME determines the home region of the UE according to the identifier of the UE, and determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and the security capability information of the UE, so that a secure protection mechanism can be provided for all UEs.
The non-access stratum security algorithm processing method of the embodiments of the present invention is described in detail below through several specific embodiments, according to the different ways in which the MME determines the identifier and security capability information of the UE.
In one possible implementation, before the MME determines the home region of the UE according to the identifier of the UE, the MME may obtain the identifier and the security capability information of the UE at the same time.
Specifically, the MME can determine the identifier and security capability information of the UE in the following cases.
One possible case: in a UE redirection scenario, the MME receives a redirection request message sent by the SGSN, and the redirection request message includes the identifier and security capability information of the UE.
Another possible case: when the UE establishes a network connection, the MME receives an attach request message sent by the UE, and the attach request message includes the identifier and security capability information of the UE.
Yet another possible case: when the UE performs a location update, the MME receives a location update request message sent by the UE, and the location update request message includes the identifier and security capability information of the UE.
After the MME obtains the identifier and security capability information of the UE, it determines the home region of the UE according to the identifier, and then determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and the security capability information of the UE. This includes the following possible cases.
One possible case is that the MME first determines the home region of the UE and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
If the MME determines that the home region of the UE is the preset region, it determines from the security capability information of the UE whether the UE supports the default security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority.
In a specific implementation, when the MME determines that the home region of the UE is the preset region, it goes on to determine from the security capability information of the UE whether the UE supports the default security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the default security algorithm are used. For example, when the default security algorithm is ZUC, the UE can use EEA3 and EIA3. When the UE does not support the default security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority, and/or the encryption algorithm is selected according to the preset encryption algorithm priority.
If the MME determines that the home region of the UE is a non-preset region, it determines from the security capability information of the UE whether the UE supports the default security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
In a specific implementation, when the MME determines that the home region of the UE is a non-preset region, it goes on to determine from the security capability information of the UE whether the UE supports the default security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the default security algorithm are used. When the UE does not support the default security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority, and/or the null algorithm is selected as the encryption algorithm; the null algorithm performs no encryption.
Another possible case is that the MME first evaluates the security capability information and then determines the home region of the UE, as follows:
The MME determines from the security capability information that the UE does not support the default security algorithm, and then determines whether the home region of the UE is the preset region. If so, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
Specifically, the MME first determines from the security capability information that the UE does not support the default security algorithm, and then determines whether the home region of the UE is the preset region. If it is the preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority. If it is a non-preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
In another possible implementation, the MME obtains only the identifier of the UE and does not obtain the security capability information. Specifically:
The MME receives a redirection request message sent by the SGSN, and the redirection request message includes the identifier of the UE; or the MME receives a location update request message sent by the UE, and the location update request message includes the identifier of the UE.
In this case, if the MME determines that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is the preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority; or
if the MME determines that the redirection request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset region, the MME selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
In each of the possible implementations above, when the default security algorithm is the ZUC algorithm, in the preset encryption algorithm priority the priority of EEA3 is higher than that of EEA1 and EEA2; the priority of EEA1 may be higher or lower than that of EEA2, which this embodiment does not specifically limit. When EEA1 has the higher priority, EEA1 is selected; when EEA2 has the higher priority, EEA2 is selected. In the preset integrity protection algorithm priority, the priority of EIA3 is higher than that of EIA1 and EIA2; the priority of EIA1 may be higher or lower than that of EIA2, which this embodiment does not specifically limit. When EIA1 has the higher priority, EIA1 is selected; when EIA2 has the higher priority, EIA2 is selected. A person skilled in the art will understand that when the default security algorithm is another algorithm, the priority of EEA3 may be lower than that of EEA1 and EEA2, and the priority of EIA3 lower than that of EIA1 and EIA2. For the case where the default security algorithm is another algorithm, this embodiment does not specifically limit the priorities of EEA3, EEA1, and EEA2 or of EIA3, EIA1, and EIA2.
Fig. 2 is a signaling flow diagram of Embodiment 1 of the non-access stratum security algorithm processing method of the present invention. This embodiment describes the signaling flow of the non-access stratum security algorithm processing method.
Step 201: the UE sends an attach request message to the MME;
A person skilled in the art will understand that the UE may send the MME not only an attach request message but also a location update request message. Alternatively, the SGSN may send the MME a redirection request message. The MME can determine the identifier and security capability information of the UE from any of these three messages. For the specific way of determining them, see the embodiment shown in Fig. 1.
Step 202: the MME determines the home region of the UE according to the identifier, and determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and security capability information of the UE;
For the process by which the MME determines the encryption algorithm and/or integrity protection algorithm available to the UE, see the embodiment shown in Fig. 1.
Step 203: the MME sends a Security Mode Command message to the UE;
Step 204: the UE sends a Security Mode Complete message to the MME.
In the non-access stratum security algorithm processing method provided in this embodiment of the present invention, the MME determines the home region of the UE according to the identifier of the UE, and determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and the security capability information of the UE, so that a secure protection mechanism can be provided for all UEs.
Fig. 3 is a flowchart of Embodiment 1 of the access stratum security algorithm processing method of the present invention. As shown in Fig. 3, this embodiment is executed by a base station, which may be implemented in software and/or hardware. The access stratum security algorithm processing method provided in this embodiment includes:
Step 301: the base station obtains the home region of the user equipment (UE) and the security capability information of the UE, or obtains the security algorithm information of the UE;
Step 302: the base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information.
The security algorithm information includes any one or a combination of the following: the security capability information of the UE, an algorithm selection instruction, and the encryption algorithm and integrity protection algorithm available to the UE.
Because base stations are deployed in large numbers over a wide area, the network entities of the access stratum are highly dispersed both geographically and logically, and the operator cannot apply centralized security control to them. Each base station is in a non-secure area, so for the access stratum security mechanism each base station needs to select the security algorithm used with each UE according to the security capabilities of that UE.
In step 301, the base station obtains the home region and security capability information of the UE in the following two possible cases.
One possible case: the base station receives the home information and security capability information of the UE sent by the mobility management entity (MME), and determines the home region of the UE according to the region indication in the home information.
Specifically, the region indication in the home information can be implemented in several ways. For example, the region indication may be represented by "0" or "1", where 0 indicates a non-preset region, which may be domestic, and 1 indicates the preset region, which may be foreign. Alternatively, the region indication may be represented by characters, for example "domestic" for a non-preset region, which may be domestic, and "international" for the preset region, which may be foreign.
Another possible case: the base station receives a handover request message sent by the MME, and the handover request message includes the security capability information of the UE and the home region of the UE.
In a handover scenario, the base station receives the handover request message sent by the MME, and the handover request message includes the security capability information of the UE and the home region of the UE.
In addition, the base station may receive UE security algorithm information sent by the MME, where the security algorithm information of the UE includes any of the following: the security capability information of the UE, an algorithm selection instruction, and the encryption algorithm and integrity protection algorithm available to the UE.
In step 302, the base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and security capability information of the UE.
A person skilled in the art will understand that the base station may use the home region and security capability information to determine only the available encryption algorithm, determining the integrity protection algorithm of the UE according to the prior art; or may use them to determine only the integrity protection algorithm available to the UE, determining the encryption algorithm of the UE according to the prior art; or may use them to determine both the encryption algorithm and the integrity protection algorithm available to the UE. This may specifically include the following possible cases.
One possible case is that the base station first determines the home region of the UE and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
If the base station determines that the home region of the UE is the preset region, it determines from the security capability information of the UE whether the UE supports the default security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority;
In a specific implementation, when the base station determines that the home region of the UE is the preset region, it goes on to determine from the security capability information of the UE whether the UE supports the default security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the default security algorithm are used. For example, when the default security algorithm is ZUC, the UE can use EEA3 and EIA3. When the UE does not support the default security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority, and/or the encryption algorithm is selected according to the preset encryption algorithm priority. A person skilled in the art will understand that the security algorithms supported locally by the base station include ZUC, AES, and SNOW 3G.
If the base station determines that the home region of the UE is a non-preset region, it determines from the security capability information of the UE whether the UE supports the default security algorithm; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
Specifically, when the base station determines that the home region of the UE is a non-preset region, it goes on to determine from the security capability information of the UE whether the UE supports the default security algorithm. If so, the encryption algorithm and integrity protection algorithm corresponding to the default security algorithm are used. When the UE does not support the default security algorithm, the integrity protection algorithm is selected according to the preset integrity protection algorithm priority, and/or the null algorithm is selected as the encryption algorithm; the null algorithm performs no encryption.
Another possible case is that the base station first evaluates the security capability information of the UE and then the home region, and then determines the encryption algorithm and/or integrity protection algorithm of the UE according to the security capability information, as follows:
The base station determines from the security capability information of the UE that the UE does not support the default security algorithm, and then determines whether the home region of the UE is the preset region. If so, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority; if not, it selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the null algorithm as the encryption algorithm.
Specifically, the base station first determines from the security capability information of the UE that the UE does not support the default security algorithm, and then determines whether the home region of the UE is the preset region. If it is the preset region, the base station selects the integrity protection algorithm according to the preset integrity protection algorithm priority, and/or selects the encryption algorithm according to the preset encryption algorithm priority. If it is a non-preset region, the base station selects the encryption algorithm according to the preset encryption algorithm priority, and/or selects the null algorithm as the encryption algorithm.
In each of the possible implementations above, when the default security algorithm is the ZUC algorithm, in the preset encryption algorithm priority the priority of EEA3 is higher than that of EEA1 and EEA2; the priority of EEA1 may be higher or lower than that of EEA2, which this embodiment does not specifically limit. When EEA1 has the higher priority, EEA1 is selected; when EEA2 has the higher priority, EEA2 is selected. In the preset integrity protection algorithm priority, the priority of EIA3 is higher than that of EIA1 and EIA2; the priority of EIA1 may be higher or lower than that of EIA2, which this embodiment does not specifically limit. When EIA1 has the higher priority, EIA1 is selected; when EIA2 has the higher priority, EIA2 is selected. A person skilled in the art will understand that when the default security algorithm is another algorithm, the priority of EEA3 may be lower than that of EEA1 and EEA2, and the priority of EIA3 lower than that of EIA1 and EIA2. For the case where the default security algorithm is another algorithm, this embodiment does not specifically limit the priorities of EEA3, EEA1, and EEA2 or of EIA3, EIA1, and EIA2.
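The selection rules described for the MME (non-access stratum) and again here for the base station (access stratum), together with the "0"/"1" and "domestic"/"international" region indications, as an added Python example that is not part of the patent. It assumes that only algorithms the UE reports are candidates, that SNOW 3G ranks above AES, and that EEA0 (3GPP's identifier for the null cipher) stands for the null algorithm; the UE capability sets are constructed.

```python
from itertools import product

PRESET, NON_PRESET = "preset", "non-preset"
NULL_CIPHER = "EEA0"  # 3GPP name for the null cipher; the patent says "null algorithm"

# ZUC is the default security algorithm, so EEA3/EIA3 rank first. Ranking
# SNOW 3G (EEA1/EIA1) above AES (EEA2/EIA2) is an assumption; the patent
# leaves that order open.
EEA_PRIORITY = ("EEA3", "EEA1", "EEA2")
EIA_PRIORITY = ("EIA3", "EIA1", "EIA2")
DEFAULT_ALGS = ("EEA3", "EIA3")

# Constructed UE capability sets.
SAMPLE_UES = {
    "zuc": frozenset({"EEA1", "EEA2", "EEA3", "EIA1", "EIA2", "EIA3"}),
    "legacy": frozenset({"EEA1", "EEA2", "EIA1", "EIA2"}),
    "aes-only": frozenset({"EEA2", "EIA2"}),
}

REGION_INDICATION = {"0": NON_PRESET, "domestic": NON_PRESET,
                     "1": PRESET, "international": PRESET}


def parse_region_indication(value):
    """Map the region indication received by the base station to a region."""
    key = str(value).strip().lower()
    if key not in REGION_INDICATION:
        raise ValueError(f"unknown region indication: {value!r}")
    return REGION_INDICATION[key]


def first_supported(priority, ue_caps):
    """Highest-priority algorithm that the UE also reports (assumption)."""
    for alg in priority:
        if alg in ue_caps:
            return alg
    raise LookupError(f"UE supports none of {priority}")


def supports_default(ue_caps):
    return set(DEFAULT_ALGS) <= set(ue_caps)


def select_region_first(region, ue_caps):
    """Check the home region first, then the UE capabilities."""
    if region == PRESET:
        if supports_default(ue_caps):
            return DEFAULT_ALGS
        return (first_supported(EEA_PRIORITY, ue_caps),
                first_supported(EIA_PRIORITY, ue_caps))
    if region == NON_PRESET:
        if supports_default(ue_caps):
            return DEFAULT_ALGS
        return NULL_CIPHER, first_supported(EIA_PRIORITY, ue_caps)
    raise ValueError(f"unknown region: {region!r}")


def select_capability_first(region, ue_caps):
    """Check the UE capabilities first, then the home region."""
    if region not in (PRESET, NON_PRESET):
        raise ValueError(f"unknown region: {region!r}")
    if supports_default(ue_caps):
        return DEFAULT_ALGS
    eia = first_supported(EIA_PRIORITY, ue_caps)
    if region == PRESET:
        return first_supported(EEA_PRIORITY, ue_caps), eia
    return NULL_CIPHER, eia


def null_cipher_cases():
    """(region, UE name) pairs whose signaling ends up unencrypted."""
    pairs = product((PRESET, NON_PRESET), SAMPLE_UES.items())
    return [(region, name) for region, (name, caps) in pairs
            if select_region_first(region, caps)[0] == NULL_CIPHER]


if __name__ == "__main__":
    for region, (name, caps) in product((PRESET, NON_PRESET), SAMPLE_UES.items()):
        print(f"{region:10} {name:8} -> {select_region_first(region, caps)}")
    print("unencrypted:", null_cipher_cases())
```

Both evaluation orders return the same (encryption, integrity) pair for every combination, and `null_cipher_cases()` shows which UEs would run without encryption under these rules, which is the case worth monitoring in deployment.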
The base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the security algorithm information. In a specific implementation, the base station may receive the integrity protection algorithm and/or encryption algorithm available to the UE sent directly by the MME; or the base station may determine the integrity protection algorithm and/or encryption algorithm available to the UE according to the security capability information of the UE; or the base station may determine them according to the algorithm selection instruction.
After the base station determines the encryption algorithm and/or integrity protection algorithm available to the UE, it sends the UE a Security Mode Command message that includes the encryption algorithm and integrity protection algorithm available to the UE. The UE uses the integrity protection algorithm specified by the base station, calculates the integrity protection key, and performs an integrity check on the message. If the check succeeds, the UE sends a Security Mode Complete message to the base station; the base station receives the Security Mode Complete message sent by the UE, and the access stratum (AS) security procedure is established. Subsequent AS signaling is protected with this encryption algorithm and integrity protection algorithm.
In the method provided in this embodiment of the present invention, the base station obtains the home region of the user equipment (UE) and the security capability information of the UE, or obtains the security algorithm information of the UE; the base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information, so that a secure protection mechanism can be provided for the UE.
Fig. 4 is signaling flowchart 1 of Embodiment 1 of the access stratum security algorithm processing method of the present invention. This embodiment describes the signaling flow of the access stratum security algorithm processing method.
Step 401: The MME determines the home information and security capability information of the UE.
The home information determined by the MME includes the home region of the UE.
Step 402: The MME sends the home information and security capability information of the UE to the base station.
Alternatively, the MME may send a handover request message to the base station, the handover request message including the security capability information of the UE and the home region of the UE. For how the MME determines the home region and security capability information of the UE, refer to the non-access stratum security algorithm embodiments.
Step 403: The base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region of the UE and the security capability information of the UE.
For how the base station determines the encryption algorithm and/or integrity protection algorithm available to the UE, refer to the embodiment of Fig. 3.
Step 404: The base station sends a Security Mode Command message to the UE.
Step 405: The UE sends a Security Mode Complete message to the base station.
In this embodiment of the present invention, the base station obtains the home region and security capability information of the user equipment (UE), and determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region and security capability information of the UE, so that a security protection mechanism can be provided for the UE.
The access stratum security algorithm processing method provided in this embodiment further includes a method in which the MME modifies the security capability of the UE, or in which the MME instructs the base station to select a specific security algorithm. This is shown in Fig. 5, which is signaling flowchart 2 of Embodiment 1 of the access stratum security algorithm processing method of the present invention. As shown in Fig. 5, the method includes the following steps:
Step 501: The MME obtains the security capability information of the base station.
In a specific implementation, the MME first obtains the security capability information of the base station in one of the following ways:
The base station sends its security capability information to the MME: the base station may add its own security capability information to the Attach Request message of the UE, or may add a new message after the context setup request, the message containing the security capability information of the base station; or
The security capability information of the base station is preconfigured, and the MME obtains it in that way; or
The operator's equipment sends the security capability information of the base station to the MME.
Step 502: The MME determines the home information and security capability information of the UE.
Those skilled in the art will understand that there is no strict ordering between step 501 and step 502.
Step 503: The MME modifies the security capability of the UE according to the home region of the UE, the security capability information of the UE and the security capability information of the base station, and determines the algorithm selection indication.
Step 504: The MME sends the modified security capability of the UE and the algorithm selection indication to the base station.
Depending on the home region of the UE, the MME sends the modified encryption algorithm and/or integrity protection algorithm, or the algorithm selection indication, to the base station.
Step 505: The base station determines the encryption algorithm and integrity protection algorithm available to the UE according to the modified security capability of the UE and the algorithm selection indication.
Step 506: The base station sends a Security Mode Command message to the UE.
Step 507: The UE sends a Security Mode Complete message to the base station.
In a specific implementation, steps 503 to 505 are carried out as follows:
In one possible implementation, the MME determines that the home region of the UE is a non-preset area and that the UE does not support the default security algorithm. Those skilled in the art will understand that there is no strict ordering between these two determinations. The MME then determines the security capability information of the UE and sends the security capability information to the base station. This includes the following cases:
In one possible case, the MME sends the integrity protection algorithm and/or encryption algorithm of the UE to the base station, where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE, and the encryption algorithm is the null algorithm.
The base station receives the integrity protection algorithm and/or encryption algorithm of the UE sent by the mobility management entity (MME); the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE, and the encryption algorithm is the null algorithm.
In another possible case, the MME sends a first algorithm selection indication to the base station.
The base station receives the first algorithm selection indication sent by the mobility management entity (MME). The first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the default integrity protection algorithm priority; or the first algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or prohibits the base station from selecting any encryption algorithm other than the null algorithm.
In another possible implementation, the MME determines that the home region of the UE is a preset area. The MME then determines the security capability information of the UE and sends the security capability information to the base station. This includes the following cases:
In one possible case, the MME sends the security capability information of the UE to the base station.
The base station receives the security capability information of the UE sent by the mobility management entity (MME) and determines, according to the security capability information of the UE, whether the UE supports the default security algorithm; if not, the base station selects an integrity protection algorithm according to the default integrity protection algorithm priority and/or selects an encryption algorithm according to the predetermined encryption algorithm priority.
In another possible case, when the MME determines that the UE does not support the default security algorithm, the MME sends a second algorithm selection indication to the base station. Those skilled in the art will understand that there is no strict ordering between the MME determining that the UE does not support the default security algorithm and the MME determining that the home region of the UE is a preset area.
The base station receives the second algorithm selection indication sent by the MME; the second algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or to select an encryption algorithm according to the predetermined encryption algorithm priority.
In yet another possible case, when the MME determines that the UE supports the default security algorithm, the MME sends a third algorithm selection indication to the base station. Those skilled in the art will understand that there is no strict ordering between the MME determining that the UE supports the default security algorithm and the MME determining that the home region of the UE is a preset area.
The base station receives the third algorithm selection indication sent by the mobility management entity (MME); the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the default security algorithm.
In the method provided by this embodiment of the present invention, the base station receives the security capability of the UE as modified by the MME, or the algorithm selection indication, which not only provides security protection for the UE but also reduces the processing load of the base station.
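The MME-side choice of algorithm selection indication and the base station's resulting selection (steps 503 to 505), as an added Python example that is not part of the patent text. The preset-area list, the ordering of EEA1 before EEA2 and EIA1 before EIA2, the two-digit MNC, the function names, and the base station intersecting each priority list with its own capabilities are assumptions; EEA0 is the 3GPP identifier of the null ciphering algorithm.

```python
from enum import Enum
from typing import Optional, Set, Tuple

# Constructed configuration for this example (assumptions, not values from the patent).
PRESET_PLMNS = {("001", "01")}             # (MCC, MNC) pairs treated as the preset area
DEFAULT_ENC, DEFAULT_INT = "EEA3", "EIA3"  # default security algorithm is ZUC
ENC_PRIORITY = ["EEA3", "EEA1", "EEA2"]    # EEA3 first; EEA1 before EEA2 is one allowed order
INT_PRIORITY = ["EIA3", "EIA1", "EIA2"]    # EIA3 first; EIA1 before EIA2 is one allowed order
NULL_ENC = "EEA0"                          # null ciphering algorithm


class Indication(Enum):
    FIRST = 1   # null algorithm for encryption, integrity by priority
    SECOND = 2  # integrity and encryption both by priority
    THIRD = 3   # determine both from the default security algorithm


def home_region_is_preset(imsi: str, mnc_len: int = 2) -> bool:
    """Derive MCC and MNC from the IMSI and look the pair up in the preset list."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("malformed IMSI")
    return (imsi[:3], imsi[3:3 + mnc_len]) in PRESET_PLMNS


def ue_supports_default(ue_enc: Set[str], ue_int: Set[str]) -> bool:
    """True when the UE capability lists contain the default (ZUC) algorithms."""
    return DEFAULT_ENC in ue_enc and DEFAULT_INT in ue_int


def mme_choose_indication(imsi: str, ue_enc: Set[str],
                          ue_int: Set[str]) -> Optional[Indication]:
    """MME side: map home region and UE capability to an indication."""
    preset = home_region_is_preset(imsi)
    if not ue_supports_default(ue_enc, ue_int):
        return Indication.SECOND if preset else Indication.FIRST
    if preset:
        return Indication.THIRD
    return None  # non-preset area with default support: not covered by this passage


def first_common(priority, ue_caps: Set[str], bs_caps: Set[str]) -> str:
    """Highest-priority algorithm that both the UE and the base station support."""
    for alg in priority:
        if alg in ue_caps and alg in bs_caps:
            return alg
    raise ValueError("no algorithm common to UE and base station")


def base_station_select(indication: Indication, ue_enc: Set[str], ue_int: Set[str],
                        bs_enc: Set[str], bs_int: Set[str]) -> Tuple[str, str]:
    """Base station side: (encryption, integrity) to put in the Security Mode Command."""
    if indication is Indication.THIRD:
        if DEFAULT_ENC not in bs_enc or DEFAULT_INT not in bs_int:
            raise ValueError("base station lacks the default security algorithm")
        return DEFAULT_ENC, DEFAULT_INT
    integ = first_common(INT_PRIORITY, ue_int, bs_int)
    if indication is Indication.FIRST:
        return NULL_ENC, integ  # no encryption algorithm other than the null algorithm
    if indication is Indication.SECOND:
        return first_common(ENC_PRIORITY, ue_enc, bs_enc), integ
    raise ValueError("unknown algorithm selection indication")


if __name__ == "__main__":
    # Constructed sample inputs: a base station supporting everything, a UE without ZUC.
    bs_enc, bs_int = {"EEA0", "EEA1", "EEA2", "EEA3"}, {"EIA1", "EIA2", "EIA3"}
    ue_enc, ue_int = {"EEA1", "EEA2"}, {"EIA1", "EIA2"}
    for imsi in ("001010123456789", "999990123456789"):
        ind = mme_choose_indication(imsi, ue_enc, ue_int)
        print(imsi, ind, base_station_select(ind, ue_enc, ue_int, bs_enc, bs_int))
```

The first indication is the only path that yields the null algorithm for encryption, so a log of which indication the MME issued per home region shows where AS signaling runs unencrypted.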
Fig. 6 is a schematic structural diagram of Embodiment 1 of the mobility management entity of the present invention. As shown in Fig. 6, the mobility management entity 60 provided in this embodiment includes a determining module 601 and a judgment module 602.
The determining module 601 is configured to determine the home region of the UE according to the identifier of the user equipment (UE);
The judgment module 602 is configured to determine the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region of the UE and the security capability information of the UE.
The mobility management entity of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of Embodiment 2 of the mobility management entity of the present invention. This embodiment is implemented on the basis of the embodiment of Fig. 6, as follows:
Optionally, the judgment module 602 is specifically configured to:
Determine that the home region of the UE is a preset area, then determine according to the security capability information of the UE whether the UE supports the default security algorithm, and if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; or determine that the home region of the UE is a non-preset area, then determine according to the security capability information of the UE whether the UE supports the default security algorithm, and if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
Determine according to the security capability information that the UE does not support the default security algorithm, then determine whether the home region of the UE is a preset area; if so, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
Optionally, the mobility management entity further includes a first receiving module 603, configured to, before the home region of the UE is determined according to the identifier of the user equipment (UE):
Receive a Redirection Request message sent by the SGSN, the Redirection Request message including the identifier and security capability information of the UE; or
Receive an Attach Request message sent by the user equipment (UE), the Attach Request message including the identifier and security capability information of the UE; or
Receive a location update request message sent by the user equipment (UE), the location update request message including the identifier and security capability information of the UE.
Optionally, the mobility management entity further includes a second receiving module 604, configured to, before the home region of the UE is determined according to the identifier of the user equipment (UE):
Receive a Redirection Request message sent by the SGSN, the Redirection Request message including the identifier of the UE; or receive a location update request message sent by the user equipment (UE), the location update request message including the identifier of the UE.
The judgment module 602 is specifically configured to: determine that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a preset area, then select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; or
Determine that the Redirection Request message or the location update request message does not include the security capability information and that the home region of the UE is a non-preset area, in which case the MME selects an integrity protection algorithm according to the default integrity protection algorithm priority and/or selects the null algorithm as the encryption algorithm.
Optionally, the determining module 601 is specifically configured to:
Determine that the identifier is an international mobile subscriber identity (IMSI), then obtain the MNC and MCC from the IMSI and determine the home region of the UE according to the MNC and the MCC; or
Determine that the identifier is a temporary identifier, then obtain the IMSI corresponding to the temporary identifier, obtain the MNC and MCC from the IMSI, and determine the home region of the UE according to the MNC and the MCC; or
Determine that the identifier is a mobile subscriber number (MSISDN), then determine the home region of the UE according to the MSISDN; or
Send an identification request message to a network entity device, the identification request message including the identifier, and receive an identification response message sent by the network entity device, the identification response message including the home region of the UE, or the identification response message including a recognizable identifier, so that the MME determines the home region of the UE according to the recognizable identifier.
The mobility management entity of this embodiment may be used to execute the technical solutions of the foregoing method embodiments; its implementation principle and technical effect are similar and are not repeated here.
Fig. 8 is a schematic structural diagram of Embodiment 1 of the base station of the present invention. As shown in Fig. 8, the base station 80 provided in this embodiment of the present invention includes an obtaining module 801 and a judgment module 802.
The obtaining module 801 is configured to obtain the home region of the user equipment (UE) and the security capability information of the UE, or to obtain the security algorithm information of the UE;
The judgment module 802 is configured to determine the encryption algorithm and/or integrity protection algorithm available to the UE according to the home region of the UE and the security capability information of the UE, or according to the security algorithm information;
The security algorithm information includes any one or a combination of: the security capability information of the UE, the algorithm selection indication, and the encryption algorithm and integrity protection algorithm available to the UE.
The base station of this embodiment may be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not repeated here.
Fig. 9 is a schematic structural diagram of Embodiment 2 of the base station of the present invention. This embodiment is implemented on the basis of the embodiment of Fig. 8, as follows:
Optionally, the judgment module 802 is specifically configured to:
Determine that the home region of the UE is a preset area, then determine according to the security capability information of the UE whether the UE supports the default security algorithm, and if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; or determine that the home region of the UE is a non-preset area, then determine according to the security capability information of the UE whether the UE supports the default security algorithm, and if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm; or
Determine according to the security capability information of the UE that the UE does not support the default security algorithm, then determine whether the home region of the UE is a preset area; if so, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select the null algorithm as the encryption algorithm.
Optionally, the obtaining module 801 is specifically configured to:
Receive the home information and security capability information of the UE sent by the mobility management entity (MME), and determine the home region of the UE according to the region indication in the home information; or
Receive a handover request message sent by the MME, the handover request message including the security capability information of the UE and the home region of the UE.
Optionally, the judgment module 802 is specifically configured to:
If the home region of the UE is a non-preset area and the UE does not support the default security algorithm, receive the integrity protection algorithm and/or encryption algorithm available to the UE sent by the mobility management entity (MME), where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE, and the encryption algorithm is the null algorithm; or
If the home region of the UE is a non-preset area and the UE does not support the default security algorithm, receive a first algorithm selection indication sent by the mobility management entity (MME), where the first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the default integrity protection algorithm priority, or the first algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or prohibits the base station from selecting any encryption algorithm other than the null algorithm.
Optionally, the judgment module 802 is specifically configured to: if the home region of the UE is a preset area, receive the security capability information of the UE sent by the mobility management entity (MME), and determine according to the security capability information of the UE whether the UE supports the default security algorithm; if not, select an integrity protection algorithm according to the default integrity protection algorithm priority and/or select an encryption algorithm according to the predetermined encryption algorithm priority; or
If the home region of the UE is a preset area and the UE does not support the default security algorithm, receive a second algorithm selection indication sent by the mobility management entity (MME), where the second algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or to select an encryption algorithm according to the predetermined encryption algorithm priority; or
If the home region of the UE is a preset area and the UE supports the default security algorithm, receive a third algorithm selection indication sent by the mobility management entity (MME), where the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the default security algorithm.
Optionally, the base station further includes:
A sending module 803, configured to send the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
The base station of this embodiment may be used to execute the technical solutions of the foregoing method embodiments; its implementation principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will understand that all or some of the steps of the foregoing method embodiments may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the foregoing method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the foregoing embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some or all of the technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. An access stratum security algorithm processing method, characterized by comprising:
A mobility management entity (MME) determines the home region of a user equipment (UE) according to the identifier of the UE;
The MME determines the security capability information of the UE;
The MME modifies the security capability of the UE according to the home region of the UE, the security capability information of the UE and the security capability information of a base station, and determines an algorithm selection indication;
The MME sends the security algorithm information of the UE to the base station, the security algorithm information including the modified security capability of the UE and/or the algorithm selection indication, for the base station to determine, according to the security algorithm information, the encryption algorithm and integrity protection algorithm available to the UE.
2. The method according to claim 1, characterized in that, before the mobility management entity (MME) determines the home region of the UE according to the identifier of the user equipment (UE), the method further comprises:
The MME receives a Redirection Request message sent by the SGSN, the Redirection Request message including the identifier and security capability information of the UE; or
The MME receives an Attach Request message sent by the user equipment (UE), the Attach Request message including the identifier and security capability information of the UE; or
The MME receives a location update request message sent by the user equipment (UE), the location update request message including the identifier and security capability information of the UE.
3. The method according to claim 1 or 2, characterized in that the mobility management entity (MME) determining the home region of the UE according to the identifier of the user equipment (UE) comprises:
The MME determines that the identifier is an international mobile subscriber identity (IMSI), then obtains the MNC and MCC from the IMSI and determines the home region of the UE according to the MNC and the MCC; or
The MME determines that the identifier is a temporary identifier, then obtains the IMSI corresponding to the temporary identifier, obtains the MNC and MCC from the IMSI, and determines the home region of the UE according to the MNC and the MCC; or
The MME determines that the identifier is a mobile subscriber number (MSISDN), then determines the home region of the UE according to the MSISDN; or
The MME sends an identification request message to a network entity device, the identification request message including the identifier, and receives an identification response message sent by the network entity device, the identification response message including the home region of the UE, or the identification response message including a recognizable identifier, so that the MME determines the home region of the UE according to the recognizable identifier.
4. An access stratum security algorithm processing method, characterized by comprising:
A base station sends the security capability information of the base station to a mobility management entity (MME);
The base station receives the modified security capability of a user equipment (UE) and/or an algorithm selection indication sent by the MME;
The base station determines the encryption algorithm and/or integrity protection algorithm available to the UE according to the modified security capability of the UE and the algorithm selection indication;
Wherein the modified security capability of the UE and the algorithm selection indication are determined by the MME according to the home region of the UE, the security capability information of the UE and the security capability information of the base station.
5. The method according to claim 4, characterized in that the base station obtaining the security algorithm information of the UE and determining the encryption algorithm and/or integrity protection algorithm available to the UE according to the security algorithm information of the UE comprises:
If the home region of the UE is a non-preset area and the UE does not support the default security algorithm, the base station receives the integrity protection algorithm and/or encryption algorithm available to the UE sent by the MME, where the integrity protection algorithm is an integrity protection algorithm included in the security capability information of the UE, and the encryption algorithm is the null algorithm; or
If the home region of the UE is a non-preset area and the UE does not support the default security algorithm, the base station receives a first algorithm selection indication sent by the mobility management entity (MME), where the first algorithm selection indication instructs the base station to select the null algorithm as the encryption algorithm and/or to select an integrity protection algorithm according to the default integrity protection algorithm priority, or the first algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or prohibits the base station from selecting any encryption algorithm other than the null algorithm.
6. The method according to claim 4, characterized in that the base station obtaining the security algorithm information of the UE and determining the encryption algorithm and/or integrity protection algorithm available to the UE according to the security algorithm information of the UE comprises:
If the home region of the UE is a preset area, the base station receives the security capability information of the UE sent by the mobility management entity (MME), and determines according to the security capability information of the UE whether the UE supports the default security algorithm; if not, the base station selects an integrity protection algorithm according to the default integrity protection algorithm priority and/or selects an encryption algorithm according to the predetermined encryption algorithm priority; or
If the home region of the UE is a preset area and the UE does not support the default security algorithm, the base station receives a second algorithm selection indication sent by the mobility management entity (MME), where the second algorithm selection indication instructs the base station to select an integrity protection algorithm according to the default integrity protection algorithm priority and/or to select an encryption algorithm according to the predetermined encryption algorithm priority; or
If the home region of the UE is a preset area and the UE supports the default security algorithm, the base station receives a third algorithm selection indication sent by the mobility management entity (MME), where the third algorithm selection indication instructs the base station to determine the integrity protection algorithm and/or encryption algorithm according to the default security algorithm.
7. The method according to claim 5 or 6, characterized in that the method further comprises:
The base station sends the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
8. A mobility management entity, characterized by comprising:
A determining module, configured to determine the home region of a user equipment (UE) according to the identifier of the UE;
The determining module is further configured to determine the security capability information of the UE;
The determining module is further configured to modify the security capability of the UE according to the home region of the UE, the security capability information of the UE and the security capability information of a base station, and to determine an algorithm selection indication;
A sending module, configured to send the security algorithm information of the UE to the base station, the security algorithm information including the modified security capability of the UE and/or the algorithm selection indication, for the base station to determine, according to the security algorithm information, the encryption algorithm and integrity protection algorithm available to the UE.
9. The mobility management entity according to claim 8, characterized by further comprising a first receiving module, configured to, before the determining module determines the home region of the UE according to the identifier of the user equipment (UE):
Receive a Redirection Request message sent by the SGSN, the Redirection Request message including the identifier and security capability information of the UE; or
Receive an Attach Request message sent by the user equipment (UE), the Attach Request message including the identifier and security capability information of the UE; or
Receive a location update request message sent by the user equipment (UE), the location update request message including the identifier and security capability information of the UE.
10. The mobile management entity according to claim 8 or claim 9, characterized in that the determining module is specifically configured to:
Determine that the identifier is an international mobile subscriber identity (IMSI), obtain the MNC and the MCC from the IMSI, and judge the attributed region of the UE according to the MNC and the MCC; or
Determine that the identifier is a temporary identifier, obtain the IMSI corresponding to the temporary identifier, obtain the MNC and the MCC from the IMSI, and judge the attributed region of the UE according to the MNC and the MCC; or
Determine that the identifier is a mobile subscriber number (MSISDN), and determine the attributed region of the UE according to the MSISDN; or
Send an identification request message to a network entity device, the identification request message including the identifier, and receive an identification response message sent by the network entity device, the identification response message including the attributed region of the UE, or the identification response message including a recognizable identifier, so that the MME determines the attributed region of the UE according to the recognizable identifier.
11. A base station, characterized by comprising:
A sending module, configured to send the security capability information of the base station to a mobile management entity (MME);
An obtaining module, configured to receive the modified security capabilities of a user equipment (UE) and/or the algorithm selection instruction sent by the MME;
A judgment module, configured to judge, according to the modified security capabilities of the UE and the algorithm selection instruction, the encryption algorithm and/or integrity protection algorithm available to the UE;
Wherein the modified security capabilities of the UE and the algorithm selection instruction are determined by the MME according to the attributed region of the UE, the security capability information of the UE and the security capability information of the base station.
12. The base station according to claim 11, characterized in that the judgment module is specifically configured to:
If the attributed region of the UE is a non-predeterminable area and the UE does not support the default security algorithm, receive the integrity protection algorithm and/or encryption algorithm available to the UE sent by the mobile management entity (MME), the integrity protection algorithm being an integrity protection algorithm included in the security capability information of the UE, and the encryption algorithm being the null algorithm; or
If the attributed region of the UE is a non-predeterminable area and the UE does not support the default security algorithm, receive a first algorithm selection instruction sent by the mobile management entity (MME), the first algorithm selection instruction indicating that the base station is to select the null algorithm as the encryption algorithm and/or to select the integrity protection algorithm according to a default integrity protection algorithm priority; or the first algorithm selection instruction indicating that the base station is to select the integrity protection algorithm according to the default integrity protection algorithm priority and/or is forbidden from selecting any encryption algorithm other than the null algorithm.
13. The base station according to claim 11, characterized in that the judgment module is specifically configured to:
If the attributed region of the UE is the predeterminable area, the base station receives the security capability information of the UE sent by the mobile management entity (MME) and judges, according to the security capability information of the UE, whether the UE supports the default security algorithm; if not, it selects the integrity protection algorithm according to a default integrity protection algorithm priority and/or selects the encryption algorithm according to a predetermined encryption algorithm priority; or
If the attributed region of the UE is the predeterminable area and the UE does not support the default security algorithm, receive a second algorithm selection instruction sent by the mobile management entity (MME), the second algorithm selection instruction indicating that the base station is to select the integrity protection algorithm according to the default integrity protection algorithm priority and/or to select the encryption algorithm according to the predetermined encryption algorithm priority; or
If the attributed region of the UE is the predeterminable area and the UE supports the default security algorithm, receive a third algorithm selection instruction sent by the mobile management entity (MME), the third algorithm selection instruction indicating that the base station is to determine the integrity protection algorithm and/or the encryption algorithm according to the default security algorithm.
14. The base station according to claim 12 or 13, characterized by further comprising:
A sending module, configured to send the security capability information of the base station to the MME, so that the MME determines the security algorithm information of the UE.
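The decision flow of claims 10, 12 and 13, written out as an added Python sketch; it is an illustration, not code from the patent. The PLMN table, the algorithm names, the priority lists, the two-digit MNC length and the reading of "supports the default security algorithm" as support for both integrity and encryption are all assumptions made for the example.

```python
PRESET_PLMNS = {("001", "01")}     # constructed: (MCC, MNC) pairs treated as the predeterminable area
PRESET_ALG = "PRESET-ALG"          # placeholder for the default security algorithm (not named here)
NULL_ALG = "NULL"                  # the null (empty) encryption algorithm
INT_PRIORITY = ["INT-A", "INT-B"]  # constructed base-station integrity priority list
ENC_PRIORITY = ["ENC-A", "ENC-B", NULL_ALG]  # constructed encryption priority list


def home_plmn(imsi, mnc_len=2):
    """Claim 10: split an IMSI into (MCC, MNC). The MNC length is an assumption."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("malformed IMSI")
    return imsi[:3], imsi[3:3 + mnc_len]


def mme_indication(imsi, ue_int, ue_enc):
    """MME side: map attributed region and UE capability to an indication."""
    in_preset = home_plmn(imsi) in PRESET_PLMNS
    supports = PRESET_ALG in ue_int and PRESET_ALG in ue_enc
    if not in_preset and not supports:
        return "first"    # claim 12
    if in_preset and not supports:
        return "second"   # claim 13, second branch
    if in_preset and supports:
        return "third"    # claim 13, third branch
    return None           # outside the area but supporting: not stated in claims 12-13


def by_priority(priority, ue_algs):
    """Pick the highest-priority algorithm that the UE also supports."""
    for alg in priority:
        if alg in ue_algs:
            return alg
    raise ValueError("no algorithm in common with the UE")


def bs_select(indication, ue_int, ue_enc):
    """Base-station side: return (integrity algorithm, encryption algorithm)."""
    if indication == "first":
        return by_priority(INT_PRIORITY, ue_int), NULL_ALG
    if indication == "second":
        return by_priority(INT_PRIORITY, ue_int), by_priority(ENC_PRIORITY, ue_enc)
    if indication == "third":
        return PRESET_ALG, PRESET_ALG
    raise ValueError("no indication defined for this case")
```

Under the first indication the encryption result is always the null algorithm, so that UE's traffic is integrity-protected but not ciphered; a review of negotiated algorithms should expect exactly that for UEs in this branch and treat the null algorithm anywhere else as an anomaly.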
CN201310226174.5A 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment Active CN104244247B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310226174.5A CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment
PCT/CN2014/078658 WO2014194787A1 (en) 2013-06-07 2014-05-28 Non-access layer and access layer security algorithm processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310226174.5A CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment

Publications (2)

Publication Number Publication Date
CN104244247A CN104244247A (en) 2014-12-24
CN104244247B true CN104244247B (en) 2019-02-05

Family

ID=52007550

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310226174.5A Active CN104244247B (en) 2013-06-07 2013-06-07 Non-Access Stratum, access layer security algorithm processing method and equipment

Country Status (2)

Country Link
CN (1) CN104244247B (en)
WO (1) WO2014194787A1 (en)

Also Published As

Publication number Publication date
WO2014194787A1 (en) 2014-12-11
CN104244247A (en) 2014-12-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant