CN105027495A - Key verification method, base station, user device and core network element

Publication number: CN105027495A (granted version: CN105027495B)
Authority: CN (China)
Application number: CN201480000891.9A
Original language: Chinese (zh)
Inventors: 郭轶, 戴明增, 张宏平, 曾清海, 蔺波
Applicant and current assignee: Huawei Technologies Co Ltd
Legal status: granted, active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Abstract

Provided are a key verification method, a base station, a user device and a core network element. Verification can be made as to whether keys between a user device and an auxiliary base station are correct, thereby avoiding data loss or even service interruption between the user device and the auxiliary base station caused by keys and corresponding algorithms being incorrect. The specific solution is: a user device sends verification information to a base station, the verification information being information obtained after the user device performs protection on preset data known to both the user device and the base station via a key derived by the user device and a preset algorithm, the preset algorithm comprising at least one of an encryption algorithm and an integrity protection algorithm; the base station receives the verification information, then obtains target data according to the same preset algorithm, a key derived by an auxiliary base station and the verification information, and it is determined, according to the preset data, the verification information and the target data, whether the key derived by the user device and the key derived by the base station are identical. The present invention is used for checking keys between a user device and a base station.

Description

Key verification method, base station, user device and core network element
Technical field
The present invention relates to the communications field, and in particular to a key verification method, a base station, a user equipment and a core network element.
Background technology
Carrier aggregation in a Long Term Evolution (LTE) system can be broadly divided into intra-base-station cell aggregation and inter-base-station cell aggregation. Intra-base-station cell aggregation is controlled by a single evolved Node B (eNB) and is therefore comparatively simple. Inter-base-station carrier aggregation, for example, realizes dual connectivity between different base stations over a non-ideal backhaul link, that is, data is transmitted to a terminal in connected state through the resources of two base stations in order to improve the terminal's throughput.
In the inter-base-station carrier aggregation scheme, the master base station needs to set up bearers of the user equipment (UE) on the secondary base station. However, neither the master base station nor the secondary base station can know whether the secondary-base-station-related key derived by the UE is correct; when that key is incorrect, service interruption between the UE and the secondary base station results.
Summary of the invention
Embodiments of the present invention provide a key verification method, a base station, a user equipment and a core network element, which can verify whether the key between the user equipment and the secondary base station is correct, and can thereby avoid service interruption between the user equipment and the secondary base station caused by the key and the corresponding algorithm being incorrect.
To achieve the above objective, embodiments of the present invention adopt the following technical solutions:
In a first aspect, embodiments of the present invention provide a base station, which includes: a receiving unit, configured to receive check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
an acquiring unit, configured to obtain target data according to a key derived by the base station, the preset algorithm, the preset data and the check information;
a judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station.
With reference to the first aspect, in a first possible implementation, the base station further includes: a resetting unit, configured to, if the key derived by the user equipment and the key derived by the base station differ, make the user equipment derive the key again or make the user equipment delete the base station.
With reference to the first aspect, in a second possible implementation, the receiving unit is specifically configured to:
receive, from the master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receive a medium access control (MAC) message sent by the user equipment, the MAC message carrying the check information; or
receive Packet Data Convergence Protocol (PDCP) data sent by the user equipment, the PDCP data carrying the check information.
With reference to the first aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the physical cell identifier (PCI) under the secondary base station, the cell radio network temporary identifier (C-RNTI) under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
With reference to the first aspect, in a fourth possible implementation, the base station is a secondary base station.
In a second aspect, embodiments of the present invention provide another base station, which includes: a receiving unit, configured to receive check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
an acquiring unit, configured to obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
a judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, to obtain a judgment result;
a sending unit, configured to send the judgment result to the secondary base station.
With reference to the second aspect, in a first possible implementation, the base station further includes: a resetting unit, configured to, if the key derived by the user equipment and the key derived by the secondary base station differ, make the user equipment delete the secondary base station or make the user equipment derive the key again.
With reference to the second aspect, in a second possible implementation, the receiving unit is specifically configured to:
receive radio resource control (RRC) information sent by the user equipment, the RRC information carrying the check information.
With reference to the second aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the PCI under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
In a third aspect, embodiments of the present invention provide a user equipment, which includes:
a decryption unit, configured to decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
a judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by a secondary base station, including:
obtaining the Internet Protocol (IP) address and the port number of the decrypted data packet; if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station;
a sending unit, configured to send the judgment result to the secondary base station.
With reference to the third aspect, in a first possible implementation, the user equipment further includes:
a notification unit, configured to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a fourth aspect, embodiments of the present invention provide a core network element, which includes:
a receiving unit, configured to receive data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
a judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, including:
obtaining the IP address and the port number of the decrypted data packet; if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station;
a sending unit, configured to send the judgment result to the secondary base station.
With reference to the fourth aspect, in a first possible implementation, the core network element further includes:
a notification unit, configured to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation, the notification unit is specifically configured to:
send a message indicating that the keys differ to a mobility management entity (MME), the message being forwarded by the MME to the master base station, so that the master base station, after receiving the message, deletes the secondary base station or adds the secondary base station again; or notify, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a fifth aspect, embodiments of the present invention provide a key verification method, which includes:
a secondary base station receives check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
the secondary base station obtains target data according to a key derived by the secondary base station, the preset algorithm, the preset data and the check information;
the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
With reference to the fifth aspect, in a first possible implementation, the method further includes: if the key derived by the user equipment differs from the key derived by the secondary base station, making the user equipment derive the key again or making the user equipment delete the secondary base station.
With reference to the fifth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
receiving, from the master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receiving a MAC message sent by the user equipment, the MAC message carrying the check information; or
receiving PDCP data sent by the user equipment, the PDCP data carrying the check information.
With reference to the fifth aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the PCI under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
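The check described in the first and fifth aspects is a key-confirmation exchange: the UE protects data both sides already know with its derived key, and the secondary base station recomputes the result with its own key. The following is an added example (not the patent's or Huawei's code) that runs both variants, integrity protection and encryption; the key derivation, the HMAC-based stand-ins for the LTE integrity and ciphering algorithms, and the preset-data values are all assumptions made so that it runs with the standard library.

```python
import hashlib
import hmac
import struct


def derive_senb_key(k_enb: bytes, scg_counter: int) -> bytes:
    # Stand-in for deriving the secondary-base-station key from KeNB and a
    # counter (assumed inputs); UE and network must end up with the same value.
    return hmac.new(k_enb, b"S-KeNB" + struct.pack(">H", scg_counter),
                    hashlib.sha256).digest()


def preset_data(senb_pci: int, senb_crnti: int, menb_cell_id: int, number: int) -> bytes:
    # Data known to both UE and SeNB. The patent lists cell identities, PCIs,
    # C-RNTIs and "any specified number" as candidates; values are constructed.
    return struct.pack(">HHII", senb_pci, senb_crnti, menb_cell_id, number)


def integrity_protect(key: bytes, data: bytes) -> bytes:
    # Integrity-protection variant: the check information is a MAC over the preset data.
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC, standing in for the LTE ciphering algorithm.
    blocks = b"".join(hmac.new(key, struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range(length // 32 + 1))
    return blocks[:length]


def cipher(key: bytes, data: bytes) -> bytes:
    # Encryption variant: XOR with the keystream; the same call decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def ue_check_information(ue_key: bytes, preset: bytes, mode: str) -> bytes:
    """UE side: protect the preset data with the key the UE derived."""
    if mode == "integrity":
        return integrity_protect(ue_key, preset)
    if mode == "encryption":
        return cipher(ue_key, preset)
    raise ValueError(mode)


def senb_verify(senb_key: bytes, preset: bytes, check_info: bytes, mode: str) -> bool:
    """SeNB side: obtain the target data with its own key and compare.
    compare_digest keeps the comparison constant-time so the check itself
    does not leak how many leading bytes matched."""
    if mode == "integrity":
        target = integrity_protect(senb_key, preset)  # expected MAC
        return hmac.compare_digest(target, check_info)
    if mode == "encryption":
        target = cipher(senb_key, check_info)         # decrypted check information
        return hmac.compare_digest(target, preset)
    raise ValueError(mode)


def run_check(ue_counter: int, senb_counter: int, mode: str) -> str:
    """End-to-end run. Both sides derive from a shared KeNB (constructed);
    a differing counter models the UE deriving the wrong key."""
    k_enb = bytes(range(32))
    preset = preset_data(senb_pci=301, senb_crnti=0x1A2B, menb_cell_id=0x00A1B2C3, number=7)
    check_info = ue_check_information(derive_senb_key(k_enb, ue_counter), preset, mode)
    if senb_verify(derive_senb_key(k_enb, senb_counter), preset, check_info, mode):
        return "keys identical"
    return "keys differ: UE re-derives the key or deletes the SeNB"


if __name__ == "__main__":
    for mode in ("integrity", "encryption"):
        print(mode, "| same key:", run_check(1, 1, mode), "| wrong key:", run_check(1, 2, mode))
```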
In a sixth aspect, embodiments of the present invention provide a key verification method, which includes:
a master base station receives check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
the master base station obtains target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
the master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, to obtain a judgment result;
the master base station sends the judgment result to the secondary base station.
With reference to the sixth aspect, in a first possible implementation, the method further includes: if the key derived by the user equipment and the key derived by the secondary base station differ, making the user equipment delete the secondary base station or making the user equipment derive the key again.
With reference to the sixth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
receiving RRC information sent by the user equipment, the RRC information carrying the check information.
With reference to the sixth aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the PCI under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
In a seventh aspect, embodiments of the present invention provide a key verification method, which includes:
a user equipment decrypts received downlink data according to a key derived by the user equipment and a preset algorithm;
the user equipment judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by a secondary base station;
the user equipment sends the judgment result to the secondary base station;
where the user equipment judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
the user equipment obtains the IP address and the port number of the decrypted data packet;
if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
With reference to the seventh aspect, in a first possible implementation, if the key derived by the user equipment differs from the key derived by the base station, the method further includes:
notifying the master base station to delete the secondary base station; or
notifying the master base station to add the secondary base station again; or
notifying, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notifying, through the master base station, the secondary base station to delete the secondary base station.
In an eighth aspect, embodiments of the present invention provide a key verification method, which includes:
a core network element receives data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
the core network element judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station;
the core network element sends the judgment result to the secondary base station;
where the core network element judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the IP address and the port number of the decrypted data packet;
if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
With reference to the eighth aspect, in a first possible implementation, if the key derived by the user equipment differs from the key derived by the secondary base station, the method further includes: notifying the master base station to delete the secondary base station; or
notifying the master base station to add the secondary base station again; or
notifying, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notifying, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the eighth aspect, in a second possible implementation, notifying the master base station to delete the secondary base station or notifying the master base station to add the secondary base station again includes:
sending a message indicating that the keys differ to a mobility management entity (MME), the message being forwarded by the MME to the master base station, so that the master base station, after receiving the message, deletes the secondary base station or adds the secondary base station again.
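The seventh and eighth aspects judge the key from the decrypted packet itself: if the IP address and port number "can be recognized", the keys match. The following added example (not the patent's or Huawei's code) makes that test concrete for the UE side: "recognized" is taken to mean the decrypted bytes parse as a well-formed IPv4/UDP datagram, with a valid header checksum, addressed to the UE's own address on a port it expects. The repeating-key XOR cipher, the addresses and the packet contents are constructed assumptions; the core-network-side check on uplink data would apply the same parser to the SeNB's decryption output.

```python
import itertools
import socket
import struct
from typing import Iterable, Optional, Tuple


def _ipv4_checksum(header: bytes) -> int:
    # Standard Internet checksum; yields 0 when evaluated over an intact
    # header that already carries its checksum.
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # Constructed sample downlink packet: IPv4 without options, then UDP.
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def toy_cipher(key: bytes, data: bytes) -> bytes:
    # Toy repeating-key XOR standing in for the ciphering algorithm (assumption);
    # it is symmetric, so the same call encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recognize(packet: bytes, own_addr: str, open_ports: Iterable[int]) -> Optional[Tuple[str, int]]:
    """Return (dst_addr, dst_port) when the decrypted bytes are a well-formed
    IPv4/UDP datagram for this UE on an expected port, else None. Bytes
    decrypted under the wrong key fail the structural checks long before
    the address and port are even looked at."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or _ipv4_checksum(packet[:ihl]) != 0:
        return None                                   # bad header or checksum
    total_len = struct.unpack(">H", packet[2:4])[0]
    if total_len != len(packet) or packet[9] != 17 or len(packet) < ihl + 8:
        return None                                   # length or protocol mismatch
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, ulen = struct.unpack(">HHH", packet[ihl:ihl + 6])
    if dst != own_addr or dport not in set(open_ports) or ulen != len(packet) - ihl:
        return None                                   # address/port not recognized
    return dst, dport


def ue_key_check(senb_key: bytes, ue_key: bytes) -> str:
    """The SeNB ciphers a downlink packet with its key; the UE deciphers with
    the key it derived and judges the keys from whether the result parses."""
    downlink = build_ipv4_udp("192.0.2.10", "10.0.0.2", 5060, 5060,
                              b"INVITE sip:ue@example.invalid")
    received = toy_cipher(ue_key, toy_cipher(senb_key, downlink))
    if recognize(received, own_addr="10.0.0.2", open_ports={5060}):
        return "keys identical"
    return "keys differ: notify MeNB to delete or re-add the SeNB, or re-trigger reconfiguration"


if __name__ == "__main__":
    print(ue_key_check(b"\x5a\x13\x77\x01", b"\x5a\x13\x77\x01"))
    print(ue_key_check(b"\x5a\x13\x77\x01", b"\xa5\x13\x77\x01"))
```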
In a ninth aspect, a base station is provided, which includes: a communication interface, a memory and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code to:
receive check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to a key derived by the base station, the preset algorithm, the preset data and the check information;
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station.
With reference to the ninth aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment differs from the key derived by the base station, make the user equipment derive the key again or make the user equipment delete the base station.
With reference to the ninth aspect, in a second possible implementation, the processor further executes the computer code to:
receive, from the master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receive a MAC message sent by the user equipment, the MAC message carrying the check information; or
receive PDCP data sent by the user equipment, the PDCP data carrying the check information.
With reference to the ninth aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the PCI under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
With reference to the ninth aspect, in a fourth possible implementation, the base station is a secondary base station.
In a tenth aspect, a base station is provided, which includes: a communication interface, a memory and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code to:
receive check information sent by a user equipment, where the check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, to obtain a judgment result;
send the judgment result to the secondary base station.
With reference to the tenth aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment and the key derived by the secondary base station differ, make the user equipment delete the secondary base station or make the user equipment derive the key again.
With reference to the tenth aspect, in a second possible implementation, the processor further executes the computer code to:
receive RRC information sent by the user equipment, the RRC information carrying the check information.
With reference to the tenth aspect, in a third possible implementation, the preset data includes at least one of the following:
the cell identity under the secondary base station, the PCI under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the PCI under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and any specified number.
In an eleventh aspect, a user equipment is provided, which includes: a communication interface, a memory and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code to:
decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by a secondary base station;
send the judgment result to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the IP address and the port number of the decrypted data packet; if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
With reference to the eleventh aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a twelfth aspect, a core network element is provided, which includes: a communication interface, a memory and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code to: receive data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station;
send the judgment result to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the IP address and the port number of the decrypted data packet; if the IP address and the port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the IP address and/or the port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
With reference to the twelfth aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to re-trigger a reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the twelfth aspect, in a second possible implementation, the processor further executes the computer code to:
send a message indicating that the keys differ to a mobility management entity (MME), the message being forwarded by the MME to the master base station, so that the master base station, after receiving the message, deletes the secondary base station or adds the secondary base station again.
Embodiments of the invention provide a key verification method, a base station, a user equipment and a core network element. The user equipment sends check information to the base station; the check information is obtained by the user equipment protecting preset data, known to both the user equipment and the base station, with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm. After receiving the check information, the base station obtains target data from the same preset algorithm, the key derived by the secondary base station and the check information, and judges from the preset data, the check information and the target data whether the key derived by the user equipment is identical to the key derived by the base station. Alternatively, after the user equipment has established a connection with the secondary base station, it decrypts each received downlink data packet with the key it derived for the secondary base station and the corresponding security algorithm, and judges whether the decrypted packet is correct in order to judge whether the key it derived for the secondary base station is identical to the key derived by the secondary base station. Alternatively, after the connection is established, the core network element receives the data obtained when the base station decrypts the uplink data sent by the user equipment with the key derived by the base station and the preset algorithm, and judges whether the decrypted packet is correct in order to judge whether the key derived by the user equipment for the secondary base station is identical to the key derived by the secondary base station. It can thus be verified whether the keys between the user equipment and the secondary base station are correct, avoiding data errors, or even service interruption, between the user equipment and the secondary base station caused by incorrect keys and corresponding algorithms.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a first schematic structural diagram of a base station according to an embodiment of the invention;
Fig. 2 is a schematic flow diagram of key derivation in an LTE system;
Fig. 3 is a second schematic structural diagram of a base station according to an embodiment of the invention;
Fig. 4 is a first schematic structural diagram of another base station according to an embodiment of the invention;
Fig. 5 is a second schematic structural diagram of another base station according to an embodiment of the invention;
Fig. 6 is a first schematic structural diagram of a user equipment according to an embodiment of the invention;
Fig. 7 is a second schematic structural diagram of a user equipment according to an embodiment of the invention;
Fig. 8 is a first schematic structural diagram of a core network element according to an embodiment of the invention;
Fig. 9 is a second schematic structural diagram of a core network element according to an embodiment of the invention;
Fig. 10 is a first schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 11 is a second schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 12 is a third schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 13 is a fourth schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 14 is a fifth schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 15 is a sixth schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 16 is a seventh schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 17 is an eighth schematic flow diagram of a key verification method according to an embodiment of the invention;
Fig. 18 is a schematic structural diagram of yet another base station according to an embodiment of the invention;
Fig. 19 is a schematic structural diagram of yet another base station according to an embodiment of the invention;
Fig. 20 is a schematic structural diagram of another user equipment according to an embodiment of the invention;
Fig. 21 is a schematic structural diagram of another core network element according to an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the invention provides a base station 20 that can act as a secondary base station. As shown in Fig. 1, the secondary base station 20 includes a receiving unit 21, an acquiring unit 22 and a judging unit 23.
The receiving unit 21 is configured to receive check information sent by the user equipment. The check information is obtained by the user equipment protecting preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data can be at least one of the following:
the cell identity under the secondary base station, the physical cell identity under the secondary base station, the cell radio network temporary identifier (C-RNTI) under the secondary base station, the cell identity under the master base station, the physical cell identity under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a specified number.
For convenience of description, the hierarchy of security keys in the LTE system is briefly described below. The keys on the UE side and on the Evolved Packet System (EPS) side of the LTE system are independent of each other, but both sides follow the same key derivation flow, deriving keys step by step with key derivation functions (KDF), as shown in Fig. 2:
K is the key stored in the Universal Subscriber Identity Module (USIM) and in the Authentication Center (AuC); it is a permanent, fixed key and the root of all key derivation.
CK is the key derived from K for encryption, and IK is the key derived from K for integrity protection. CK and IK reside in the UE and in the Home Subscriber Server (HSS).
KASME is a key derived from CK and IK and shared between the UE and the HSS.
KeNB is derived from KASME by the UE and the eNB and is used to derive the various Access Stratum (AS) keys.
Next Hop (NH) is a key derived from KASME by the UE and the Mobility Management Entity (MME); it is one kind of eNB key.
Keys for user-plane traffic:
KUPenc is derived by the UE and the eNB from KeNB and the encryption algorithm, and protects user-plane data;
KUPint is derived by the UE and the eNB from KeNB and the integrity protection algorithm, and protects user data between a Relay Node (RN) and its Donor eNB (DeNB).
Keys related to Radio Resource Control (RRC):
KRRCint is derived by the UE and the eNB from KeNB and the integrity protection algorithm, and protects RRC messages;
KRRCenc is derived by the UE and the eNB from KeNB and the encryption algorithm, and protects RRC messages.
KNASenc is derived by the UE and the MME from KASME and protects Non-Access Stratum (NAS) traffic with the encryption algorithm.
KNASint is derived by the UE and the MME from KASME and protects NAS traffic with the integrity protection algorithm.
Specifically, the key related to the secondary base station derived by the user equipment can include at least one of: KeNB, KUPenc, KUPint, KRRCint, KRRCenc.
For example, the user equipment protects the cell identity under the secondary base station with the encryption algorithm and KUPenc to obtain the check information.
Optionally, the receiving unit 21 can specifically be configured to:
receive a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
receive a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
receive Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
For example, the check information can be included in the RRC Connection Reconfiguration Complete message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message it sends to the secondary base station.
Specifically, carrying the check information in the RRC Connection Reconfiguration Complete message can be realised by adding a security verification information element (securityConfirmation), for example with the following code:
RRC Connection Reconfiguration Complete Message
-- ASN1START
RRCConnectionReconfigurationComplete ::= SEQUENCE {
    rrc-TransactionIdentifier    RRC-TransactionIdentifier,
    criticalExtensions           CHOICE {
        rrcConnectionReconfigurationComplete-r8    RRCConnectionReconfigurationComplete-r8-IEs,
        criticalExtensionsFuture                   SEQUENCE {}
    }
}
RRCConnectionReconfigurationComplete-r8-IEs ::= SEQUENCE {
    nonCriticalExtension    RRCConnectionReconfigurationComplete-v8a0-IEs    OPTIONAL
}
RRCConnectionReconfigurationComplete-v8a0-IEs ::= SEQUENCE {
    lateNonCriticalExtension    OCTET STRING    OPTIONAL,
    nonCriticalExtension        RRCConnectionReconfigurationComplete-v1020-IEs    OPTIONAL
}
RRCConnectionReconfigurationComplete-v1020-IEs ::= SEQUENCE {
    rlf-InfoAvailable-r10       ENUMERATED {true}    OPTIONAL,
    logMeasAvailable-r10        ENUMERATED {true}    OPTIONAL,
    nonCriticalExtension        RRCConnectionReconfigurationComplete-v1130-IEs    OPTIONAL
}
RRCConnectionReconfigurationComplete-v1130-IEs ::= SEQUENCE {
    connEstFailInfoAvailable-r11    ENUMERATED {true}    OPTIONAL,
    nonCriticalExtension            RRCConnectionReconfigurationComplete-v12xx-IEs    OPTIONAL
}
-- The new information element added by this embodiment:
RRCConnectionReconfigurationComplete-v12xx-IEs ::= SEQUENCE {
    securityConfirmation        OCTET STRING    OPTIONAL,
    nonCriticalExtension        SEQUENCE {}     OPTIONAL
}
-- ASN1STOP
Here securityConfirmation can take the form of a byte string (OCTET STRING), a bit string (BIT STRING (SIZE (xx))), or similar.
For example, the preset data selected for securityConfirmation can be realised by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity    CellIdentity,
    physCellId      PhysCellId,
    c-RNTI          C-RNTI
}
-- ASN1STOP
The UE produces securityConfirmation either as the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm, or as the result of encrypting securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm, or as a combination of both.
Assume securityConfirmation is the result the UE computes with the encryption algorithm and the derived KUPenc associated with the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the base station addition complete message carrying securityConfirmation, and the secondary base station receives securityConfirmation.
Alternatively, for example, if the check information is included in a Medium Access Control (MAC) message sent by the user equipment, this can be realised by adding securityConfirmation to the MAC message.
For example, a new Logical Channel Identifier (LCID) value can be introduced to indicate securityConfirmation, such as 01011, where L indicates the length of securityConfirmation; if securityConfirmation has a fixed length, it can be placed directly without L. An existing LCID value can also be reused, adding securityConfirmation to an existing MAC message; or the UE can treat securityConfirmation as ordinary data to transmit, or transmit it through the physical layer.
For example, the preset data selected for securityConfirmation can be realised by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity    CellIdentity,
    physCellId      PhysCellId,
    c-RNTI          C-RNTI
}
-- ASN1STOP
The UE produces securityConfirmation either as the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm, or as the result of encrypting securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm, or as a combination of both.
Assume securityConfirmation is the result the UE computes with the integrity protection algorithm and the derived KUPint or KRRCint associated with the secondary base station; securityConfirmation is added to the MAC message the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Alternatively, the check information can be included in Packet Data Convergence Protocol (PDCP) data sent by the user equipment.
For example, the check information can be securityConfirmation and the preset data securityConfirmationInput. The UE produces securityConfirmation either as the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm, or as the result of encrypting securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm, or as a combination of both.
For example, the preset data selected for securityConfirmation can be realised by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity    CellIdentity,
    physCellId      PhysCellId,
    c-RNTI          C-RNTI
}
-- ASN1STOP
Assume securityConfirmation is the result the UE computes with the encryption algorithm and the derived KUPenc associated with the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the base station addition complete message carrying securityConfirmation, and the secondary base station receives securityConfirmation.
The acquiring unit 22 is configured to obtain target data from the key derived by the base station, the preset algorithm, the preset data and the check information.
For example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result the UE computes over securityConfirmationInput with the encryption algorithm and the derived KUPenc associated with the secondary base station. securityConfirmation is added to the base station addition complete message the master base station sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts it with the encryption algorithm and the KUPenc it derived itself, obtaining a new securityConfirmationInput.
Alternatively, for example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result the UE computes over securityConfirmationInput with the integrity protection algorithm and the derived KUPint or KRRCint associated with the secondary base station. securityConfirmation is added to the MAC message the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station applies integrity protection to the securityConfirmationInput it stores itself, using the integrity protection algorithm and the KUPint or KRRCint it derived, obtaining a new securityConfirmation.
Alternatively, for example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result the UE computes over securityConfirmationInput with the encryption algorithm and the derived KUPenc associated with the secondary base station. securityConfirmation is added to the PDCP data the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts the check information with the encryption algorithm and the KUPenc it derived itself, obtaining a new securityConfirmationInput.
The judging unit 23 is configured to judge, from the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station. For example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result the UE computes over securityConfirmationInput with the integrity protection algorithm and the derived KUPint associated with the secondary base station; securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station computes integrity protection over securityConfirmationInput with the integrity protection algorithm and its own derived KUPint to obtain a new securityConfirmation, and judges whether the new securityConfirmation is identical to the received securityConfirmation. If they are identical, the KUPint derived by the UE for the secondary base station is identical to the KUPint derived by the secondary base station itself; otherwise they differ.
Alternatively, for example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result the UE computes over securityConfirmationInput with the integrity protection algorithm and the derived KRRCint associated with the secondary base station; securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station computes integrity protection over securityConfirmationInput with the integrity protection algorithm and its own derived KRRCint to obtain a new securityConfirmation, and judges whether the new securityConfirmation is identical to the received securityConfirmation. If they are identical, the KRRCint derived by the UE for the secondary base station is identical to the KRRCint derived by the secondary base station itself; otherwise they differ.
Alternatively, for example, assume the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is obtained by the UE first applying integrity protection to securityConfirmationInput with the integrity protection algorithm and the derived KUPint associated with the secondary base station to obtain an intermediate variable securityConfirmationTemp, and then encrypting securityConfirmationTemp with the encryption algorithm and the derived KUPenc associated with the secondary base station to obtain securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts it with the encryption algorithm and its own derived KUPenc to obtain securityConfirmationTemp, then applies integrity protection to the securityConfirmationInput it stores, with the integrity protection algorithm and its own derived KUPint, to obtain a new securityConfirmationTemp, and judges whether the new securityConfirmationTemp is identical to the securityConfirmationTemp obtained by decrypting the received securityConfirmation. If they are identical, the KUPenc and KUPint derived by the UE for the secondary base station are respectively identical to the KUPenc and KUPint derived by the secondary base station itself; otherwise they differ.
Optionally, as shown in Fig. 3, the secondary base station 20 further includes:
a reset unit 24, configured to, if the key derived by the user equipment differs from the key derived by the base station, make the user equipment derive the key again or make the user equipment delete the base station.
For example, assume the judging unit 23 finds that the new securityConfirmation obtained after integrity protection differs from the received securityConfirmation. Then the KUPint derived by the UE for the secondary base station differs from the KUPint derived by the secondary base station itself, and the secondary base station can notify the UE to delete the secondary base station or to derive again the keys related to the secondary base station.
Embodiments of the invention provide a base station that receives check information sent by the user equipment, the check information being obtained by the user equipment protecting preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data from the key derived by the base station, the preset algorithm, the preset data and the check information; and judges from the preset data, the check information and the target data whether the key derived by the user equipment is identical to the key derived by the base station. It can thus be verified whether the keys between the user equipment and the secondary base station are correct, avoiding service interruption between the user equipment and the secondary base station caused by incorrect keys and corresponding algorithms.
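A complete round of the check described above, in all three forms the text gives (integrity protection only, encryption only, and integrity protection followed by encryption), together with the reset unit's decision on mismatch. This is an added example, not code from the patent or from 3GPP: an HMAC-based function stands in for the 3GPP KDF that derives KUPenc and KUPint from KeNB, and constructed keystream and tag functions stand in for the encryption and integrity protection algorithms; the cell identity, physical cell identity, C-RNTI and base key values are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the LTE primitives (example code, not 3GPP or patent code):
#   kdf()        plays the 3GPP KDF deriving KUPenc / KUPint from the base key KeNB,
#   mac()        plays an integrity protection algorithm (produces a short tag),
#   xor_stream() plays an encryption algorithm (the same call encrypts and decrypts).
ALGO_TYPE_UP_ENC = 0x03   # algorithm-type distinguishers (constructed values)
ALGO_TYPE_UP_INT = 0x04


def kdf(k_enb: bytes, algo_type: int, algo_id: int) -> bytes:
    """Derive a 16-byte AS key from KeNB and an (algorithm type, algorithm id) pair."""
    return hmac.new(k_enb, bytes([algo_type, algo_id]), hashlib.sha256).digest()[:16]


def mac(k_int: bytes, data: bytes) -> bytes:
    """4-byte integrity tag over data (stand-in for a MAC-I)."""
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]


def xor_stream(k_enc: bytes, data: bytes) -> bytes:
    """Keystream cipher: XOR data with an HMAC-derived counter keystream."""
    stream = b"".join(
        hmac.new(k_enc, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def security_confirmation_input(cell_identity: int, phys_cell_id: int, c_rnti: int) -> bytes:
    """Preset data known to both UE and secondary base station (securityConfirmationInput fields)."""
    return cell_identity.to_bytes(4, "big") + phys_cell_id.to_bytes(2, "big") + c_rnti.to_bytes(2, "big")


def ue_build_check_info(variant: str, k_enc: bytes, k_int: bytes, preset: bytes) -> bytes:
    """UE side: protect the preset data in one of the three ways the text describes."""
    if variant == "integrity":
        return mac(k_int, preset)                   # integrity tag only
    if variant == "encrypt":
        return xor_stream(k_enc, preset)            # ciphertext only
    if variant == "both":
        temp = preset + mac(k_int, preset)          # securityConfirmationTemp
        return xor_stream(k_enc, temp)              # then encrypt the intermediate
    raise ValueError(variant)


def senb_verify_check_info(variant: str, k_enc: bytes, k_int: bytes,
                           preset: bytes, check_info: bytes) -> bool:
    """Secondary base station side: recompute or decrypt with its own keys and compare."""
    if variant == "integrity":
        return hmac.compare_digest(mac(k_int, preset), check_info)
    if variant == "encrypt":
        return hmac.compare_digest(xor_stream(k_enc, check_info), preset)
    if variant == "both":
        temp = xor_stream(k_enc, check_info)        # decrypt to recover securityConfirmationTemp
        return hmac.compare_digest(temp, preset + mac(k_int, preset))
    raise ValueError(variant)


def run_key_check(variant: str, ue_k_enb: bytes, ue_algos: tuple,
                  senb_k_enb: bytes, senb_algos: tuple) -> dict:
    """Full round: each side derives its own keys from what it believes is configured
    (base key plus (encryption algo id, integrity algo id)); the SeNB judges the result."""
    preset = security_confirmation_input(0x0001A2B3, 257, 0x4E21)   # constructed cell id, PCI, C-RNTI
    ue_enc = kdf(ue_k_enb, ALGO_TYPE_UP_ENC, ue_algos[0])
    ue_int = kdf(ue_k_enb, ALGO_TYPE_UP_INT, ue_algos[1])
    senb_enc = kdf(senb_k_enb, ALGO_TYPE_UP_ENC, senb_algos[0])
    senb_int = kdf(senb_k_enb, ALGO_TYPE_UP_INT, senb_algos[1])
    check_info = ue_build_check_info(variant, ue_enc, ue_int, preset)
    keys_match = senb_verify_check_info(variant, senb_enc, senb_int, preset, check_info)
    # On mismatch the reset unit has the UE delete the SeNB or derive its keys again.
    action = "continue" if keys_match else "notify_ue_delete_senb_or_rederive_keys"
    return {"variant": variant, "keys_match": keys_match, "action": action}


if __name__ == "__main__":
    K_ENB = bytes(range(32))                        # constructed shared base key
    for v in ("integrity", "encrypt", "both"):
        print(run_key_check(v, K_ENB, (1, 2), K_ENB, (1, 2)))   # same configuration: match
        print(run_key_check(v, K_ENB, (1, 2), K_ENB, (2, 3)))   # algorithm mismatch: detected
```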
Embodiments of the invention also provide a base station 30 that can act as a master base station. As shown in Fig. 4, the master base station 30 includes a receiving unit 31, an acquiring unit 32, a judging unit 33 and a transmitting unit 34.
The receiving unit 31 is configured to receive check information sent by the user equipment. The check information is obtained by the user equipment protecting preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
Specifically, the master base station receives a radio resource control message sent by the UE that includes the check information. For example, the radio resource control message can be the RRC Connection Reconfiguration Complete message, which includes the check information.
Optionally, the preset data includes at least one of the following:
the cell identity under the secondary base station, the physical cell identity under the secondary base station, the C-RNTI under the secondary base station, the cell identity under the master base station, the physical cell identity under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a specified number.
The acquiring unit 32 is configured to obtain target data from the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
For example, the master base station decrypts the check information received from the receiving unit 31 with the encryption algorithm and the KUPenc derived by the secondary base station (here the master base station obtains KUPenc using the same key derivation process as the secondary base station) to obtain the target data.
The judging unit 33 is configured to judge, from the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and to obtain a judgment result.
For example, assume the check information is the data the UE obtains by protecting the preset data with the KUPenc it derived and the encryption algorithm, and the target data is the data the master base station obtains by decrypting the check information received from the receiving unit 31 with the encryption algorithm and the KUPenc derived by the secondary base station (here the master base station obtains KUPenc using the same key derivation process as the secondary base station); the master base station judges whether the target data is identical to the preset data to obtain the judgment result.
The transmitting unit 34 is configured to send the judgment result to the secondary base station.
For example, the master base station notifies the secondary base station of the judgment result over the X2 interface.
Optionally, as shown in Fig. 5, the master base station 30 further includes:
a reset unit 35, configured to, if the key derived by the user equipment differs from the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment derive the key again.
Embodiments of the invention provide a base station that receives check information sent by the user equipment, the check information being obtained by the user equipment protecting preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data from the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges from the preset data, the check information and the target data whether the key derived by the user equipment is identical to the key derived by the secondary base station, obtaining a judgment result; and sends the judgment result to the secondary base station. It can thus be verified whether the keys between the user equipment and the secondary base station are correct, avoiding service interruption between the user equipment and the secondary base station caused by incorrect keys and corresponding algorithms.
Embodiments of the invention also provide a user equipment 40. As shown in Fig. 6, the user equipment 40 includes a decryption unit 41, a judging unit 42 and a transmitting unit 43.
The decryption unit 41 is configured to decrypt received downlink data with the key derived by the user equipment and the preset algorithm.
For example, the preset algorithm can be the encryption algorithm. A connection has already been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side with its own derived key and the encryption algorithm, obtaining an Internet Protocol (IP) packet.
The judging unit 42 is configured to judge, from the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Specifically, the judging unit 42 is configured to:
obtain the Internet protocol address and port number of the decrypted data packet;
recognize the Internet protocol address and port number of the data packet;
if the Internet protocol address and port number can be recognized, determine that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or port number cannot be recognized, determine that the key derived by the user equipment differs from the key derived by the secondary base station.
For example, the judging unit 42 receives the IP packet from the decryption unit 41 and obtains the IP address and port number of the IP packet. If the IP address and port number can be recognized, the IP packet is delivered to the corresponding application, which also shows that the key the UE derived for the secondary base station is identical to the key derived by the secondary base station; or,
if the IP address and/or port number cannot be recognized, the IP packet is an erroneous packet, which also shows that the key the UE derived for the secondary base station differs from the key derived by the secondary base station.
The transmitting unit 43 is configured to send the judgment result to the secondary base station.
For example, the UE sends the judgment result obtained by the judging unit 42 to the secondary base station via the master base station.
Optionally, as shown in Fig. 7, the user equipment 40 further includes:
a notification unit 44, configured to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
For example, if the key the UE derived for the secondary base station differs from the key derived by the secondary base station, the user equipment 40 can notify the master base station that the added secondary base station has a problem, and can at the same time indicate which bearer at the secondary base station has the problem, i.e. the indication carries the bearer identity; after determining that the secondary base station has a problem, the master base station deletes the secondary base station or adds the secondary base station again. Alternatively, the user equipment 40 can notify the secondary base station, via the master base station, to re-trigger reconfiguration of its connection with the UE; or the user equipment 40 notifies the secondary base station, via the master base station, to delete the secondary base station.
Embodiments of the invention provide a user equipment that decrypts received downlink data with the key derived by the user equipment and the preset algorithm; judges from the decrypted data whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the judgment result to the secondary base station. It can thus be verified whether the keys between the user equipment and the secondary base station are correct, avoiding service interruption between the user equipment and the secondary base station caused by incorrect keys and corresponding algorithms.
Embodiments of the invention provide a core network element 50, as shown in Fig. 8. The core network element 50 includes:
a receiving unit 51, a judging unit 52 and a transmitting unit 53.
Receiving unit 51, configured to receive the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment.
For example, the preset algorithm may be an encryption algorithm. Once a connection has been established between the UE and the secondary base station, the secondary base station decrypts the encrypted uplink data received from the UE according to its own derived key and the encryption algorithm, obtains Internet Protocol (IP) packets, and sends the IP packets to the core network element, which thus receives the IP packets.
Judging unit 52, configured to judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Specifically, the judging unit 52 is configured to:
obtain the Internet Protocol address and port number of the decrypted packet;
identify the Internet Protocol address and port number of the packet;
determine that the key derived by the user equipment is identical to the key derived by the secondary base station if the Internet Protocol address and port number can be identified; or,
determine that the key derived by the user equipment differs from the key derived by the secondary base station if the Internet Protocol address and/or port number cannot be identified.
For example, the judging unit 52 receives the IP packet from the receiving unit 51 and obtains the IP address and port number of the IP packet. If the IP address and port number can be identified, the IP packet is correct, which also shows that the key related to the secondary base station derived by the UE is identical to the key derived by the secondary base station; or,
if the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, which also shows that the key related to the secondary base station derived by the UE differs from the key derived by the secondary base station.
Optionally, as shown in Fig. 9, the core network element 50 further includes:
Notification unit 54, configured to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
Optionally, the notification unit 54 may specifically be configured to:
send a key-mismatch message to the mobility management entity, which forwards the key-mismatch message to the master base station, so that after receiving the key-mismatch message the master base station deletes the secondary base station or adds the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
For example, if the key related to the secondary base station derived by the UE differs from the key derived by the secondary base station, the core network element 50 may notify the master base station, via the MME or directly, that the added secondary base station is faulty, and may at the same time indicate which bearer at the secondary base station is faulty, i.e. the indication carries a bearer identifier. After determining that the secondary base station is faulty, the master base station deletes the secondary base station or adds the secondary base station again; or the core network element 50 may notify the secondary base station to re-trigger reconfiguration of its connection with the UE; or the core network element 50 notifies the secondary base station, via the master base station, to delete the secondary base station.
Embodiments of the invention provide a core network element that receives the data obtained after the base station decrypts, according to the key derived by the base station and a preset algorithm, the uplink data sent by the user equipment; judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the judgment result to the secondary base station. This makes it possible to verify whether the keys between the user equipment and the secondary base station are correct, and to avoid service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm.
Embodiments of the invention provide a key verification method based on a secondary base station. As shown in Fig. 10, the method includes:
S101, the secondary base station receives check information sent by the user equipment.
The check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S102, the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
S103, the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Embodiments of the invention provide a key verification method: the secondary base station receives check information sent by the user equipment, the check information being obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to its own derived key, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station itself. This makes it possible to verify whether the keys between the user equipment and the secondary base station are correct, and to avoid service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm.
So that those skilled in the art can understand the technical solution of the embodiments more clearly, the key verification method based on a secondary base station provided by the embodiments of the invention is described in detail below through a specific embodiment. As shown in Fig. 11, the method includes:
S201, the secondary base station receives check information sent by the user equipment.
The check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and an encryption algorithm and/or an integrity protection algorithm.
The preset data includes at least one of the following:
the cell identity under the secondary base station, the physical cell identifier under the secondary base station, the Cell Radio Network Temporary Identifier (C-RNTI) under the secondary base station, the cell identity under the master base station, the physical cell identifier under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data sent by the master base station or the secondary base station to the user equipment, or a specified number.
Specifically, the secondary base station receives, over the X2 interface from the master base station, a Base Station Addition Complete message that carries the check information; or
the secondary base station receives a Medium Access Control (MAC) message sent by the user equipment, the MAC message carrying the check information; or
the secondary base station receives Packet Data Convergence Protocol (PDCP) data sent by the user equipment, the PDCP data carrying the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the Base Station Addition Complete message sent to the secondary base station.
Specifically, carrying the check information in the RRC Connection Reconfiguration Complete message can be implemented by adding a securityConfirmation field. For example, it can be implemented by the following code:
RRC Connection Reconfiguration Complete Message
-- ASN1START
RRCConnectionReconfigurationComplete ::= SEQUENCE {
    rrc-TransactionIdentifier RRC-TransactionIdentifier,
    criticalExtensions CHOICE {
        rrcConnectionReconfigurationComplete-r8 RRCConnectionReconfigurationComplete-r8-IEs,
        criticalExtensionsFuture SEQUENCE {}
    }
}
RRCConnectionReconfigurationComplete-r8-IEs ::= SEQUENCE {
    nonCriticalExtension RRCConnectionReconfigurationComplete-v8a0-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v8a0-IEs ::= SEQUENCE {
    lateNonCriticalExtension OCTET STRING OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v1020-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v1020-IEs ::= SEQUENCE {
    rlf-InfoAvailable-r10 ENUMERATED {true} OPTIONAL,
    logMeasAvailable-r10 ENUMERATED {true} OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v1130-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v1130-IEs ::= SEQUENCE {
    connEstFailInfoAvailable-r11 ENUMERATED {true} OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v12xx-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v12xx-IEs ::= SEQUENCE {
    securityConfirmation OCTET STRING OPTIONAL,
    nonCriticalExtension SEQUENCE {} OPTIONAL
}
-- ASN1STOP
Here securityConfirmation may take the form OCTET STRING, BIT STRING (SIZE (xx)) or similar.
For example, the selection of the preset data in securityConfirmation can be implemented by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity CellIdentity,
    physCellId PhysCellId,
    c-RNTI C-RNTI
}
-- ASN1STOP
The UE generates securityConfirmation, which may be the result of integrity-protecting securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the result of encrypting securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of both.
Assume that securityConfirmation is the result computed by the UE using the encryption algorithm and the derived key K_UPenc related to the secondary base station. The master base station sends a Base Station Addition Complete message to the secondary base station over the X2 interface, the Base Station Addition Complete message carrying securityConfirmation, and the secondary base station receives securityConfirmation.
Or, for example, if the check information is included in the MAC message sent by the user equipment, this can be implemented by adding securityConfirmation to the MAC message.
For example, a new LCID value may be introduced specifically to denote securityConfirmation, such as 01011, where L denotes the length of securityConfirmation; if securityConfirmation has a fixed length, it can be placed directly without L. An existing LCID value may also be reused and securityConfirmation added to an existing MAC message; or the UE may treat securityConfirmation directly as data and transmit it, or transmit it via the physical layer. For example, the selection of the preset data in securityConfirmation can be implemented by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity CellIdentity,
    physCellId PhysCellId,
    c-RNTI C-RNTI
}
-- ASN1STOP
The UE generates securityConfirmation, which may be the result of integrity-protecting securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the result of encrypting securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of both.
Assume that securityConfirmation is the result computed by the UE using the integrity protection algorithm and the derived K_UPint or K_RRCint related to the secondary base station; securityConfirmation is added to the MAC message that the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Or, the check information may also be included in the Packet Data Convergence Protocol (PDCP) data sent by the user equipment.
For example, the check information may be securityConfirmation. The UE generates securityConfirmation, which may be the result of integrity-protecting securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the result of encrypting securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of both.
For example, the selection of the preset data in securityConfirmation can be implemented by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity CellIdentity,
    physCellId PhysCellId,
    c-RNTI C-RNTI
}
-- ASN1STOP
Assume that securityConfirmation is the result computed by the UE using the encryption algorithm and the derived key K_UPenc related to the secondary base station. The master base station sends a Base Station Addition Complete message to the secondary base station over the X2 interface, the Base Station Addition Complete message carrying securityConfirmation, and the secondary base station receives securityConfirmation.
S202, the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
For example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result computed by the UE on securityConfirmationInput using the encryption algorithm and the derived K_UPenc related to the secondary base station. securityConfirmation is added to the Base Station Addition Complete message that the master base station sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts securityConfirmation according to the encryption algorithm and its own derived K_UPenc and obtains a new securityConfirmationInput.
Or, for example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result computed by the UE on securityConfirmationInput using the integrity protection algorithm and the derived K_UPint or K_RRCint related to the secondary base station. securityConfirmation is added to the MAC message that the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station performs the integrity protection calculation on the securityConfirmationInput it has stored, according to the integrity protection algorithm and its own derived K_UPint or K_RRCint, and obtains a new securityConfirmation.
Or, for example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is the result computed by the UE on securityConfirmationInput using the encryption algorithm and the derived K_UPenc related to the secondary base station. securityConfirmation is added to the PDCP data that the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts the check information according to the encryption algorithm and its own derived K_UPenc and obtains a new securityConfirmationInput.
S203, the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station itself.
For example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, the check information is the result computed by the UE on securityConfirmationInput using the integrity protection algorithm and the derived K_UPint related to the secondary base station, and securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station performs the integrity protection calculation on securityConfirmationInput according to the integrity protection algorithm and its own derived K_UPint and obtains a new securityConfirmation, then judges whether the new securityConfirmation is identical to the received securityConfirmation. If identical, this shows that K_UPint derived by the UE for the secondary base station is identical to K_UPint derived by the secondary base station itself; otherwise they differ.
Or, for example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, the check information is the result computed by the UE on securityConfirmationInput using the integrity protection algorithm and the derived K_RRCint related to the secondary base station, and securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station performs the integrity protection calculation on securityConfirmationInput according to the integrity protection algorithm and its own derived K_RRCint and obtains a new securityConfirmation, then judges whether the new securityConfirmation is identical to the received securityConfirmation. If identical, this shows that K_RRCint derived by the UE for the secondary base station is identical to K_RRCint derived by the secondary base station itself; otherwise they differ.
Or, for example, assume that the check information is securityConfirmation, the preset data is securityConfirmationInput, and the check information is obtained by the UE by first integrity-protecting securityConfirmationInput with the integrity protection algorithm and the derived K_UPint related to the secondary base station to obtain the intermediate variable securityConfirmationTemp, then encrypting securityConfirmationTemp with the encryption algorithm and the derived K_UPenc related to the secondary base station to obtain securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts securityConfirmation with the encryption algorithm and its own derived K_UPenc to obtain securityConfirmationTemp, then integrity-protects its own stored securityConfirmationInput with the integrity protection algorithm and its derived K_UPint to obtain a new securityConfirmationTemp, and judges whether the new securityConfirmationTemp is identical to the securityConfirmationTemp obtained by decrypting the received securityConfirmation. If identical, this shows that K_UPenc and K_UPint derived by the UE for the secondary base station are respectively identical to K_UPenc and K_UPint derived by the secondary base station itself; otherwise they differ.
S204, if the key derived by the user equipment differs from the key derived by the secondary base station itself, the secondary base station makes the user equipment delete the secondary base station or makes the user equipment derive the key again.
For example, assume that the judgment result of step S203 is that the securityConfirmation obtained by integrity protection differs from the received securityConfirmation. This shows that K_UPint derived by the UE for the secondary base station differs from K_UPint derived by the secondary base station itself; the secondary base station can then notify the UE to delete the secondary base station, or make the UE derive the keys related to the secondary base station again.
Embodiments of the invention provide a key verification method: the secondary base station receives check information sent by the user equipment, the check information being obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to its own derived key, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station itself. This makes it possible to verify whether the keys between the user equipment and the secondary base station are correct, and to avoid service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm.
Embodiments of the invention provide a key verification method based on a master base station. As shown in Fig. 12, the method includes:
S301, the master base station receives check information sent by the user equipment.
The check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S302, the master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
S303, the master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a judgment result.
S304, the master base station sends the judgment result to the secondary base station.
Embodiments of the invention provide a key verification method: the master base station receives check information sent by the user equipment, the check information being obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; the master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a judgment result; and the master base station sends the judgment result to the secondary base station. This makes it possible to verify whether the keys between the user equipment and the secondary base station are correct, and to avoid data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm.
So that those skilled in the art can understand the technical solution of the embodiments more clearly, the key verification method based on a master base station provided by the embodiments of the invention is described in detail below through a specific embodiment. As shown in Fig. 13, the method includes:
S401, the master base station receives check information sent by the user equipment.
The check information is information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data includes at least one of the following:
the cell identity under the secondary base station, the physical cell identifier under the secondary base station, the Cell Radio Network Temporary Identifier (C-RNTI) under the secondary base station, the cell identity under the master base station, the physical cell identifier under the master base station, the C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data sent by the master base station or the secondary base station to the user equipment, or a specified number.
Specifically, the master base station receives a radio resource control message sent by the UE that includes the check information. For example, the radio resource control message may be an RRC Connection Reconfiguration Complete message that includes the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the Base Station Addition Complete message sent to the secondary base station.
Specifically, carrying the check information in the RRC Connection Reconfiguration Complete message can be implemented by adding a securityConfirmation field.
For example, it can be implemented by the following code:
RRC Connection Reconfiguration Complete Message
-- ASN1START
RRCConnectionReconfigurationComplete ::= SEQUENCE {
    rrc-TransactionIdentifier RRC-TransactionIdentifier,
    criticalExtensions CHOICE {
        rrcConnectionReconfigurationComplete-r8 RRCConnectionReconfigurationComplete-r8-IEs,
        criticalExtensionsFuture SEQUENCE {}
    }
}
RRCConnectionReconfigurationComplete-r8-IEs ::= SEQUENCE {
    nonCriticalExtension RRCConnectionReconfigurationComplete-v8a0-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v8a0-IEs ::= SEQUENCE {
    lateNonCriticalExtension OCTET STRING OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v1020-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v1020-IEs ::= SEQUENCE {
    rlf-InfoAvailable-r10 ENUMERATED {true} OPTIONAL,
    logMeasAvailable-r10 ENUMERATED {true} OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v1130-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v1130-IEs ::= SEQUENCE {
    connEstFailInfoAvailable-r11 ENUMERATED {true} OPTIONAL,
    nonCriticalExtension RRCConnectionReconfigurationComplete-v12xx-IEs OPTIONAL
}
RRCConnectionReconfigurationComplete-v12xx-IEs ::= SEQUENCE {
    securityConfirmation OCTET STRING OPTIONAL,
    nonCriticalExtension SEQUENCE {} OPTIONAL
}
-- ASN1STOP
Here securityConfirmation may take the form OCTET STRING, BIT STRING (SIZE (xx)) or similar.
For example, the selection of the preset data in securityConfirmation can be implemented by the following code:
-- ASN1START
securityConfirmationInput ::= SEQUENCE {
    cellIdentity CellIdentity,
    physCellId PhysCellId,
    c-RNTI C-RNTI
}
-- ASN1STOP
Wherein UE produces securityConfirmation, can use protection algorithm integrallty and the integrity protection result of the cipher key calculation of protection algorithm integrallty to securityConfirmationlnput;It can also be the result to securityConfirmationlnput using the encryption of the close algorithm of power mouthful and the cipher key calculation of the close algorithm of power mouthful;Either both combinations.
It is that UE uses the close algorithm of power mouthful and the K relevant with prothetic group station of ^ han lifes that 4 Jia, which set securityConfirmation,UPencThe result of calculating, UE sends RRC Connection Reconfiguration Complete Message to master base station, wherein RRC Connection Reconfiguration Complete Message carry securityConfirmation, and master base station receives securityConfirmation. 5402nd, master base station key, preset algorithm, preset data and check information according to derived from prothetic group station obtains target data.
Exemplary, it is assumed that check information is securityConfirmation, and preset data is securityConfirmationlnput, and the check information is that UE uses protection algorithm integrallty and the derivative K relevant with prothetic group stationUPintThe result calculated securityConfirmationlnput; securityConfirmation is to add power mouthful to be sent in the RRC Connection Reconfiguration Complete Message of master base station to UE, and master base station receives after securityConfirmation the K according to derived from protection algorithm integrallty and prothetic group station itselfUPint(K hereinUPintIt is to be used to obtain with prothetic group station identical cipher key derivative process by master base station) new securityConfirmation is obtained to securityConfirmationlnput progress integrity protection.
S403. The master base station judges, according to the preset data, the target data and the check information, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a judgment result.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE obtains by applying the integrity protection algorithm, keyed with the K_UPint it derived for the secondary base station, to securityConfirmationInput; securityConfirmationInput is the cell identification data of the secondary base station that both the UE and the secondary base station store. After receiving securityConfirmation, the master base station performs the same integrity protection calculation over securityConfirmationInput using the integrity protection algorithm and the K_UPint derived by the secondary base station itself (here the master base station obtains K_UPint through the same key derivation process as the secondary base station), yielding a new securityConfirmation. It then judges whether the new securityConfirmation is identical to the received securityConfirmation: if so, the K_UPint derived by the UE for the secondary base station is the same as the K_UPint derived by the secondary base station itself; otherwise they differ.
S404. The master base station sends the judgment result to the secondary base station.
For example, the master base station sends the result judged in step S303 to the secondary base station over the X2 interface.
S405. If the key derived by the user equipment and the key derived by the secondary base station differ, the user equipment is made to delete the secondary base station, or the user equipment is made to re-derive the key. For example, assume that the judgment result the master base station sends to the secondary base station is that the K_UPint derived by the UE for the secondary base station differs from the K_UPint derived by the secondary base station itself; the secondary base station can then notify the UE to delete the secondary base station, or make the UE re-derive the key associated with the secondary base station.
Embodiments of the invention provide a key verification method: check information sent by a user equipment is received, the check information being the information obtained after the user equipment protects preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm (AES) and an integrity protection algorithm; target data is obtained according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; whether the key derived by the user equipment is identical to the key derived by the secondary base station is judged according to the preset data, the check information and the target data, obtaining a judgment result; and the judgment result is sent to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
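The check described in steps S401 to S405 above, as an added Python example that is not code from the patent: the UE integrity-protects the stored cell identification data with the K_UPint it derived, the master base station recomputes the same tag with the K_UPint the secondary base station holds and compares the two, and the secondary base station acts on the forwarded result. HMAC-SHA256 stands in for the integrity protection algorithm, an HMAC-based derivation keyed by a counter stands in for the real key derivation chain, and all key values, the cell identity string, the counter and the function names are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample values (not from the patent): a root key shared by the UE and
# the network side, and the secondary base station's cell identification data that
# both the UE and the secondary base station store (securityConfirmationInput).
ROOT_KEY = hashlib.sha256(b"constructed root key for the example").digest()
SECURITY_CONFIRMATION_INPUT = b"secondary base station cell identity 0x1A2B (constructed)"


def derive_kupint(root_key: bytes, counter: int) -> bytes:
    """Stand-in KDF: K_UPint = HMAC-SHA256(root_key, "UPint" || counter).
    It models only the property the check relies on: the UE and the secondary
    base station obtain the same K_UPint only if they feed the same inputs."""
    return hmac.new(root_key, b"UPint" + counter.to_bytes(2, "big"), hashlib.sha256).digest()


def integrity_mac(k_upint: bytes, preset_data: bytes) -> bytes:
    """Stand-in integrity protection algorithm: a 32-bit tag over the preset data."""
    return hmac.new(k_upint, preset_data, hashlib.sha256).digest()[:4]


def ue_check_information(counter: int) -> bytes:
    """UE side: securityConfirmation = MAC(K_UPint derived by the UE, securityConfirmationInput)."""
    return integrity_mac(derive_kupint(ROOT_KEY, counter), SECURITY_CONFIRMATION_INPUT)


def master_base_station_judge(received_check_information: bytes, counter: int) -> bool:
    """Step S403: recompute the target data with the K_UPint the secondary base
    station derived (same derivation, network-side counter) and compare in
    constant time with the received check information."""
    target_data = integrity_mac(derive_kupint(ROOT_KEY, counter), SECURITY_CONFIRMATION_INPUT)
    return hmac.compare_digest(target_data, received_check_information)


def secondary_base_station_action(judged_result: bool) -> str:
    """Step S405: the secondary base station reacts to the result forwarded by the master base station."""
    return "keep configuration" if judged_result else "tell UE to re-derive key or delete secondary base station"


def demo() -> dict:
    """Two runs: both sides agree on the derivation counter, then the UE uses a stale one."""
    network_counter = 2
    in_sync = master_base_station_judge(ue_check_information(network_counter), network_counter)
    stale = master_base_station_judge(ue_check_information(network_counter - 1), network_counter)
    return {"in_sync": in_sync,
            "stale_counter": stale,
            "action_when_stale": secondary_base_station_action(stale)}


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so that the master base station's check does not leak, through timing, how many bytes of a forged securityConfirmation were correct; the 32-bit tag mirrors the size of a MAC-I, so a mismatch is detected at secondary base station addition time rather than only once user data starts flowing.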
Embodiments of the invention provide a key verification method performed at the UE. As shown in Figure 14, the method includes:
S501. The user equipment decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm.
S502. The user equipment judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Specifically, judging by the user equipment according to the decrypted data whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
the user equipment obtains the Internet protocol address and port number of the decrypted packet; if the Internet protocol address and port number can be recognized, it determines that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or port number cannot be recognized, it determines that the key derived by the user equipment differs from the key derived by the secondary base station.
S503. The user equipment sends the judgment result to the secondary base station.
Embodiments of the invention provide a key verification method: the user equipment decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm; the user equipment judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the user equipment sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
So that those skilled in the art can understand the technical solution provided by the embodiments of the invention more clearly, the UE-based key verification method provided by the embodiments is described in detail below through a specific embodiment. As shown in Figure 15, the method includes:
S601. The user equipment decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm.
For example, the preset algorithm can be an encryption algorithm (AES). A connection has already been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side according to its own derived key and the encryption algorithm, thereby obtaining IP packets.
S602. The user equipment obtains the Internet protocol address and port number of the decrypted packet.
For example, the UE parses the IP packets obtained after decryption and obtains the IP address and port number of each packet.
S603. The user equipment judges, according to the Internet protocol address and port number of the packet, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a judgment result.
For example, the UE uses the IP address and port number to judge whether the key derived by the UE is identical to the key derived by the secondary base station. If the IP address and port number can be recognized, the IP packet can be delivered to the corresponding application, which also shows that the key derived by the UE for the secondary base station is identical to the key derived by the secondary base station. If the IP address and/or port number cannot be recognized, the IP packet is an erroneous packet, which also shows that the key derived by the UE for the secondary base station differs from the key derived by the secondary base station.
S604. The user equipment sends the judgment result to the secondary base station.
For example, the UE sends the judgment result to the secondary base station via the master base station.
S605. If the key derived by the user equipment and the key derived by the secondary base station differ, the user equipment notifies the master base station to delete the secondary base station; or the user equipment notifies the master base station to re-add the secondary base station; or the user equipment notifies the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or the user equipment notifies the secondary base station, via the master base station, to delete the secondary base station.
For example, if the key derived by the UE for the secondary base station differs from the key derived by the secondary base station, the UE can notify the master base station that the added secondary base station is faulty, and can at the same time indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication; after determining that the secondary base station is faulty, the master base station deletes the secondary base station or re-adds it. Alternatively, the UE can notify the secondary base station, via the master base station, to re-trigger reconfiguration of the connection with the UE; or the UE notifies the secondary base station, via the master base station, to delete the secondary base station.
Embodiments of the invention provide a key verification method: the user equipment decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm; the user equipment judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the judgment result is sent to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
Embodiments of the invention provide a key verification method performed at a core network element. As shown in Figure 16, the method includes:
S701. The core network element receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment.
S702. The core network element judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Specifically, judging by the core network element according to the decrypted data whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted packet;
if the Internet protocol address and port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
S703. The core network element sends the judgment result to the secondary base station.
Embodiments of the invention provide a key verification method: the core network element receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment; the core network element judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the core network element sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
So that those skilled in the art can understand the technical solution provided by the embodiments of the invention more clearly, the core-network-element-based key verification method provided by the embodiments is described in detail below through a specific embodiment. As shown in Figure 17, the method includes:
S801. The core network element receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment.
For example, the preset algorithm can be an encryption algorithm (AES). A connection has already been established between the UE and the secondary base station; the secondary base station decrypts the encrypted uplink data received from the UE according to its own derived key and the encryption algorithm to obtain IP packets, and sends the IP packets to the core network element, which then receives them.
S802. The core network element obtains the Internet protocol address and port number of the decrypted packet.
For example, the core network element parses the received IP packets and obtains the IP address and port number of each packet.
S803. The core network element judges, according to the Internet protocol address and port number of the packet, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a judgment result.
For example, the core network element uses the IP address and port number to judge whether the key derived by the UE is identical to the key derived by the secondary base station. If the IP address and port number can be recognized, the IP packet can be delivered to the corresponding application, which also shows that the key derived by the UE for the secondary base station is identical to the key derived by the secondary base station. If the IP address and/or port number cannot be recognized, the IP packet is an erroneous packet, which also shows that the key derived by the UE for the secondary base station differs from the key derived by the secondary base station.
S804. The core network element sends the judgment result to the secondary base station.
For example, the core network element sends the judgment result to the secondary base station.
S805. If the key derived by the user equipment and the key derived by the secondary base station differ, the core network element notifies the master base station to delete the secondary base station; or the core network element notifies the master base station to re-add the secondary base station; or the core network element notifies the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or the core network element notifies the secondary base station, via the master base station, to delete the secondary base station.
For example, if the key derived by the UE for the secondary base station differs from the key derived by the secondary base station, the core network element can notify the master base station via the MME, or notify it directly, that the added secondary base station is faulty, and can at the same time indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication; after determining that the secondary base station is faulty, the master base station deletes the secondary base station or re-adds it. Alternatively, the core network element notifies the secondary base station, via the master base station, to delete the secondary base station.
Embodiments of the invention provide a key verification method: the core network element receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment; the core network element judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the core network element sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
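The decrypt-and-inspect check shared by the UE-based method (steps S601 to S603) and the core-network-element-based method (steps S801 to S803), as one added Python example that is not code from the patent. A SHA-256 keystream XOR stands in for the user-plane ciphering algorithm; the decrypted bytes are parsed as an IPv4/UDP packet, and the keys are judged identical only if the packet is well-formed and its address and port are ones the receiver recognises. The keys, the IP addresses, the port sets and all function names are constructed assumptions.

```python
import hashlib
import struct

# Constructed sample values (not from the patent): the user-plane key the UE derived,
# a different key a desynchronised secondary base station might derive, the UE's IP
# address, the ports the UE has applications listening on, and the address pool the
# core network element allocated to UEs.
UE_KEY = hashlib.sha256(b"constructed user-plane key as derived by the UE").digest()
SECONDARY_WRONG_KEY = hashlib.sha256(b"constructed key derived by a desynchronised secondary base station").digest()
UE_IP = "10.0.0.7"
UE_LISTENING_PORTS = {53, 443, 5060}
ALLOCATED_UE_ADDRESSES = {"10.0.0.7", "10.0.0.8"}


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement header checksum; evaluates to 0 over a header
    whose stored checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def keystream_xor(key: bytes, count: int, data: bytes) -> bytes:
    """Stand-in for the user-plane ciphering algorithm: XOR with a SHA-256 keystream
    seeded by the key and a PDCP-style COUNT. The same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + count.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet standing in for a user-plane IP packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + udp


def parse_ip_and_port(packet: bytes):
    """Return (src_ip, dst_ip, dst_port) if the bytes form a well-formed IPv4/UDP
    packet, else None. Data decrypted with the wrong key is pseudo-random and fails
    the version, protocol, length or header checksum checks."""
    if len(packet) < 28 or packet[0] != 0x45 or packet[9] != 17:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    if ipv4_checksum(packet[:20]) != 0:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    dst_port = struct.unpack("!H", packet[22:24])[0]
    return src_ip, dst_ip, dst_port


def ue_keys_match(encrypted_downlink: bytes, count: int) -> bool:
    """Steps S601 to S603: the UE decrypts with its own derived key and reports the
    keys identical only if the packet is addressed to it on a port it can deliver to."""
    parsed = parse_ip_and_port(keystream_xor(UE_KEY, count, encrypted_downlink))
    return parsed is not None and parsed[1] == UE_IP and parsed[2] in UE_LISTENING_PORTS


def core_network_keys_match(decrypted_uplink: bytes) -> bool:
    """Steps S801 to S803: the core network element receives the uplink packet already
    decrypted by the secondary base station and recognises it by an allocated source address."""
    parsed = parse_ip_and_port(decrypted_uplink)
    return parsed is not None and parsed[0] in ALLOCATED_UE_ADDRESSES


def demo() -> dict:
    count = 7
    downlink = build_ipv4_udp("203.0.113.5", UE_IP, 443, 443, b"constructed payload")
    uplink = build_ipv4_udp(UE_IP, "203.0.113.5", 40000, 443, b"constructed payload")
    uplink_from_ue = keystream_xor(UE_KEY, count, uplink)  # UE encrypts with its key
    return {
        # secondary base station holds the same key as the UE: recognisable packet
        "downlink_same_key": ue_keys_match(keystream_xor(UE_KEY, count, downlink), count),
        # secondary base station derived a different key: UE decryption yields garbage
        "downlink_different_key": ue_keys_match(keystream_xor(SECONDARY_WRONG_KEY, count, downlink), count),
        # secondary base station decrypts the uplink with the matching key
        "uplink_same_key": core_network_keys_match(keystream_xor(UE_KEY, count, uplink_from_ue)),
        # secondary base station decrypts the uplink with the wrong key
        "uplink_different_key": core_network_keys_match(keystream_xor(SECONDARY_WRONG_KEY, count, uplink_from_ue)),
    }


if __name__ == "__main__":
    print(demo())
```

Because a wrong key turns the packet into pseudo-random bytes, the version, protocol, length and checksum checks together make an accidental "recognised" verdict vanishingly unlikely, so the judgment is reliable; the trade-off against the check-information method of steps S401 to S405 is that this one can only run once user data actually flows, so a mismatch is noticed after, not before, the first packets are lost.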
Embodiments of the invention provide a base station 60. As shown in Figure 18, the base station 60 includes: a bus 64; and a processor 61, a memory 62 and an interface 63 connected to the bus 64, where the interface 63 is used for communication; the memory 62 is used to store computer code, and the processor 61 is used to execute the computer code in order to:
receive check information sent by a user equipment, the check information being the information obtained after the user equipment protects preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm (AES) and an integrity protection algorithm;
obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information;
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station.
Optionally, when executing the computer code, the processor 61 is further configured to: if the key derived by the user equipment differs from the key derived by the base station, make the user equipment re-derive the key or make the user equipment delete the base station.
Optionally, when executing the computer code to receive the check information sent by the user equipment, the processor 61 is specifically configured to:
receive, from the master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receive a Media Access Control (MAC) message sent by the user equipment, the MAC message carrying the check information; or
receive Packet Data Convergence Protocol (PDCP) data sent by the user equipment, the PDCP data carrying the check information.
Optionally, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a Cell Radio Network Temporary Identifier (C-RNTI) under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific numeric value.
Optionally, the base station is a secondary base station.
Embodiments of the invention provide a base station that receives check information sent by a user equipment, the check information being the information obtained after the user equipment protects preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm (AES) and an integrity protection algorithm; obtains target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station. In this way it can be verified whether the key between the user equipment and the base station is correct, avoiding the service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
Embodiments of the invention provide a base station 70. As shown in Figure 19, the base station 70 includes: a bus 74; and a processor 71, a memory 72 and an interface 73 connected to the bus 74, where the interface 73 is used for communication; the memory 72 is used to store computer code, and the processor 71 is used to execute the computer code in order to:
receive check information sent by a user equipment, the check information being the information obtained after the user equipment protects preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm (AES) and an integrity protection algorithm;
obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtain a judgment result;
send the judgment result to the secondary base station.
Optionally, when executing the computer code, the processor 71 is further configured to:
if the key derived by the user equipment and the key derived by the secondary base station differ, make the user equipment delete the secondary base station or make the user equipment re-derive the key.
Optionally, when executing the computer code to receive the check information sent by the user equipment, the processor 71 is specifically configured to:
receive a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
Optionally, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a Cell Radio Network Temporary Identifier (C-RNTI) under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific numeric value.
Embodiments of the invention provide a base station that receives check information sent by a user equipment, the check information being the information obtained after the user equipment protects preset data with a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm (AES) and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, obtaining a judgment result; and sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
Embodiments of the invention provide a user equipment 80. As shown in Figure 20, the user equipment 80 includes: a bus 84; and a processor 81, a memory 82 and an interface 83 connected to the bus 84, where the interface 83 is used for communication; the memory 82 is used to store computer code, and the processor 81 is used to execute the computer code in order to:
decrypt the received downlink data according to the key derived by the user equipment and the preset algorithm;
judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station;
send the judgment result to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted packet;
if the Internet protocol address and port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
Optionally, when executing the computer code, the processor 81 is further configured to:
if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to re-add the secondary base station; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
Embodiments of the invention provide a user equipment that decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm; judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
Embodiments of the invention provide a core network element 90. As shown in Figure 21, the core network element 90 includes: a bus 94; and a processor 91, a memory 92 and an interface 93 connected to the bus 94, where the interface 93 is used for communication; the memory 92 is used to store computer code, and the processor 91 is used to execute the computer code in order to:
receive the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment;
judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station;
send the judgment result to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted packet;
if the Internet protocol address and port number can be recognized, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or port number cannot be recognized, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
Optionally, when executing the computer code, the processor 91 is further configured to:
if the key derived by the user equipment differs from the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to re-add the secondary base station; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
Optionally, when executing the computer code to notify the master base station to delete the secondary base station or to re-add the secondary base station, the processor 91 is specifically configured to:
send a key mismatch message to the mobility management entity, the key mismatch message being forwarded by the mobility management entity to the master base station, so that the master base station deletes the secondary base station or re-adds the secondary base station after receiving the key mismatch message.
Embodiments of the invention provide a core network element that receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and the preset algorithm, the uplink data sent by the user equipment; judges, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the judgment result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
The term "and/or" in the present invention merely describes an association relation between associated objects and indicates that three relations may exist; for example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relation between the associated objects.
From the above description of the embodiments, those skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional modules described above is used only as an illustration; in practical application, the above functions can be allocated to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, apparatus and units described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of the units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the invention. The storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is only a specific embodiment of the invention, but the protection scope of the invention is not limited thereto; any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be subject to the protection scope of the claims.

Claims (41)

    1st, a kind of base station, it is characterised in that including:
    Receiving unit; check information for receiving user equipment transmission; the check information is the information obtained after the user equipment is protected to preset data by key, preset algorithm derived from the user equipment, and the preset algorithm includes at least one of AES, protection algorithm integrallty;
    Acquiring unit, target data is obtained for key, the preset algorithm, the preset data and the check information according to derived from the base station;
    Judging unit, whether key key derived from the base station is identical derived from for judging the user equipment according to the preset data, the check information and the target data.
    2nd, base station according to claim 1, it is characterised in that the base station also includes:Reset cell, if being differed for key derived from the user equipment and key derived from the base station, makes the user equipment derivative key or the user equipment is deleted the base station again.
    3rd, the base station according to claim 1, it is characterised in that the receiving unit specifically for:
    The base station is received from master base station by X2 interface and adds completion message, the base station addition completion message carries the check information;Or
    The medium access control message that the user equipment is sent is received, the medium access control message carries the check information;Or
    The packet bag convergence protocol data that the user equipment is sent are received, the packet bag convergence protocol data carry the check information.
    4th, the base station according to claim 1, it is characterised in that the preset data includes at least one of following:
    Cell ID under prothetic group station, Physical Cell Identifier under prothetic group station, the cell ID under Cell Radio Network Temporary Identifier/Identity, Cell-RNTI, master base station under prothetic group station, mark data, master base station or the prothetic group station that Cell Radio Network Temporary Identifier/Identity, Cell-RNTI, prothetic group station and user equipment under Physical Cell Identifier under master base station, master base station are stored are transmitted to the data of user equipment, optional network specific digit.
    5th, the base station according to claim 1, it is characterised in that the base station is prothetic group Stand.
    6. A base station, characterized by comprising:
    a receiving unit, used to receive check information sent by a user equipment, where the check information is the information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
    an acquiring unit, used to obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
    a judging unit, used to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, so as to obtain a judgment result;
    a transmitting unit, used to send the judgment result to the secondary base station.
    7. The base station according to claim 6, characterized in that the base station further comprises: a reset unit, used to, if the key derived by the user equipment differs from the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment derive the key again.
    8. The base station according to claim 6, characterized in that the receiving unit is specifically used to:
    receive a radio resource control (RRC) message sent by the user equipment, where the RRC message carries the check information.
    9. The base station according to claim 6, characterized in that the preset data includes at least one of the following:
    a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier (C-RNTI) under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a random number.
    10. A user equipment, characterized by comprising:
    a decryption unit, used to decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
    a judging unit, used to judge, according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station, including:
    obtaining the Internet Protocol address and port number of the decrypted packet;
    if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station;
    a transmitting unit, used to send the judgment result to the secondary base station.
    11. The user equipment according to claim 10, characterized in that the user equipment further comprises:
    a notification unit, used to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
    12. A core network element, characterized by comprising:
    a receiving unit, used to receive the data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
    a judging unit, used to judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, including:
    obtaining the Internet Protocol address and port number of the decrypted packet;
    if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station;
    a transmitting unit, used to send the judgment result to the secondary base station.
    13. The core network element according to claim 12, characterized in that the core network element further comprises:
    a notification unit, used to, if the key derived by the user equipment differs from the key derived by the secondary base station, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
    14. The core network element according to claim 13, characterized in that the notification unit is specifically used to:
    send a key-mismatch message to a mobility management entity, the mobility management entity forwarding the key-mismatch message to the master base station, so that the master base station deletes the secondary base station or adds the secondary base station again after receiving the key-mismatch message; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
    15. A key verification method, characterized by comprising:
    receiving, by a secondary base station, check information sent by a user equipment, where the check information is the information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
    obtaining, by the secondary base station, target data according to a key derived by the secondary base station, the preset algorithm, the preset data and the check information;
    judging, by the secondary base station, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
    16. The method according to claim 15, characterized in that the method further comprises:
    if the key derived by the user equipment differs from the key derived by the secondary base station, making the user equipment derive the key again or making the user equipment delete the secondary base station.
    17. The method according to claim 15, characterized in that the receiving the check information sent by the user equipment comprises:
    receiving a base station addition complete message from a master base station over an X2 interface, where the base station addition complete message carries the check information; or
    receiving a medium access control (MAC) message sent by the user equipment, where the MAC message carries the check information; or receiving Packet Data Convergence Protocol (PDCP) data sent by the user equipment, where the PDCP data carry the check information.
    18. The method according to claim 15, characterized in that the preset data includes at least one of the following:
    a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier (C-RNTI) under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a random number.
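The check-information exchange of claims 15 to 18, as an added illustration that is not code from the patent: it assumes the preset algorithm is an HMAC-SHA256 integrity protection, uses a constructed counter-based key derivation in place of the real system's derivation, and builds the preset data from a subset of the identifiers claim 18 lists.

```python
"""Key verification between a user equipment (UE) and a secondary base
station, following claims 15-18: the UE protects preset data with its derived
key, the secondary base station recomputes the target data with its own
derived key and compares the two.

Added illustration, not code from the patent. Constructed assumptions:
- the preset algorithm is an integrity protection MAC (HMAC-SHA256);
- derive_key() is a stand-in derivation (HMAC over a shared root key and a
  freshness counter), not the real system's key derivation function;
- PresetData holds a subset of the identifiers named in claim 18.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PresetData:
    """Identifiers both sides already know, so nothing secret is sent."""
    scell_id: int       # cell identifier under the secondary base station
    scell_pci: int      # physical cell identifier under the secondary base station
    scell_crnti: int    # C-RNTI under the secondary base station
    mcell_id: int       # cell identifier under the master base station
    nonce: bytes        # random number known to both sides

    def encode(self) -> bytes:
        # Fixed-width encoding so UE and base station MAC exactly the same bytes.
        return (self.scell_id.to_bytes(4, "big")
                + self.scell_pci.to_bytes(2, "big")
                + self.scell_crnti.to_bytes(2, "big")
                + self.mcell_id.to_bytes(4, "big")
                + len(self.nonce).to_bytes(1, "big") + self.nonce)


def derive_key(root_key: bytes, counter: int) -> bytes:
    """Stand-in derivation (assumption). Both sides must use the same counter;
    a desynchronised counter is exactly the fault the check is meant to catch."""
    label = b"secondary-cell-key" + counter.to_bytes(2, "big")
    return hmac.new(root_key, label, hashlib.sha256).digest()


def protect(key: bytes, preset: PresetData) -> bytes:
    """UE side: the check information is the integrity MAC over the preset data."""
    return hmac.new(key, preset.encode(), hashlib.sha256).digest()


def keys_match(bs_key: bytes, preset: PresetData, check_info: bytes) -> bool:
    """Secondary base station side: recompute the target data with its own key
    and compare in constant time so the comparison leaks nothing about the MAC."""
    target = protect(bs_key, preset)
    return hmac.compare_digest(target, check_info)


def remedy(match: bool) -> str:
    """Claim 16: on mismatch the UE re-derives the key or deletes the secondary."""
    return "keep-secondary" if match else "ue-rederive-key-or-delete-secondary"


def run_check(root_key: bytes, preset: PresetData, ue_counter: int, bs_counter: int):
    """Full exchange: the UE derives with ue_counter, the base station with
    bs_counter. Returns (keys_identical, remedy)."""
    check_info = protect(derive_key(root_key, ue_counter), preset)  # sent by the UE
    match = keys_match(derive_key(root_key, bs_counter), preset, check_info)
    return match, remedy(match)


# Constructed sample values for a stand-alone run.
SAMPLE_ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_PRESET = PresetData(scell_id=0x0A0B0C, scell_pci=17, scell_crnti=0x3C2A,
                           mcell_id=0x010203, nonce=bytes.fromhex("deadbeef"))

if __name__ == "__main__":
    print(run_check(SAMPLE_ROOT_KEY, SAMPLE_PRESET, ue_counter=3, bs_counter=3))  # keys identical
    print(run_check(SAMPLE_ROOT_KEY, SAMPLE_PRESET, ue_counter=3, bs_counter=4))  # counters drifted
```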
    19. A key verification method, characterized by comprising:
    receiving, by a master base station, check information sent by a user equipment, where the check information is the information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
    obtaining, by the master base station, target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
    judging, by the master base station, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, so as to obtain a judgment result;
    sending, by the master base station, the judgment result to the secondary base station.
    20. The method according to claim 19, characterized in that the method further comprises:
    if the key derived by the user equipment differs from the key derived by the secondary base station, making the user equipment delete the secondary base station or making the user equipment derive the key again.
    21. The method according to claim 19, characterized in that the receiving the check information sent by the user equipment comprises:
    receiving a radio resource control (RRC) message sent by the user equipment, where the RRC message carries the check information.
    22. The method according to claim 19, characterized in that the preset data includes at least one of the following: a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier (C-RNTI) under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a random number.
    23. A key verification method, characterized by comprising:
    decrypting, by a user equipment, received downlink data according to a key derived by the user equipment and a preset algorithm;
    judging, by the user equipment, according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station;
    sending, by the user equipment, the judgment result to the secondary base station;
    wherein the judging, by the user equipment, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station comprises:
    obtaining, by the user equipment, the Internet Protocol address and port number of the decrypted packet;
    if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
    24. The method according to claim 23, characterized in that, if the key derived by the user equipment differs from the key derived by the secondary base station, the method further comprises: notifying a master base station to delete the secondary base station; or
    notifying the master base station to add the secondary base station again; or
    notifying, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notifying, through the master base station, the secondary base station to delete the secondary base station.
    25. A key verification method, characterized by comprising:
    receiving, by a core network element, the data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
    judging, by the core network element, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; sending, by the core network element, the judgment result to the secondary base station; wherein the judging, by the core network element, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station comprises:
    obtaining the Internet Protocol address and port number of the decrypted packet;
    if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
    26. The method according to claim 25, characterized in that, if the key derived by the user equipment differs from the key derived by the secondary base station, the method further comprises: notifying a master base station to delete the secondary base station; or
    notifying the master base station to add the secondary base station again; or
    notifying, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notifying, through the master base station, the secondary base station to delete the secondary base station.
    27. The method according to claim 26, characterized in that the notifying the master base station to delete the secondary base station or notifying the master base station to add the secondary base station again comprises:
    sending a key-mismatch message to a mobility management entity, the mobility management entity forwarding the key-mismatch message to the master base station, so that the master base station deletes the secondary base station or adds the secondary base station again after receiving the key-mismatch message.
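The decryption-based check of claims 23 to 27 (downlink judged by the user equipment, uplink judged by the core network element), as an added illustration that is not code from the patent: it assumes a constructed HMAC-SHA256 keystream cipher in place of the real encryption algorithm, and reads "can be identified" as the decrypted bytes parsing as a well-formed IPv4/UDP packet whose destination address and port are in the sets the receiver expects.

```python
"""Decryption-based key check of claims 23-27: the receiver decrypts a packet
with its own derived key and tests whether the IP address and port number of
the result can be identified. A wrong key turns the header into pseudo-random
bytes, which fail the structural checks almost surely.

Added illustration, not code from the patent. Constructed assumptions:
- the encryption algorithm is an HMAC-SHA256 keystream in counter mode;
- "identified" = parses as IPv4/UDP and the address/port are expected ones.
"""
import hashlib
import hmac
import ipaddress


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream (assumption): HMAC(key, block counter), concatenated."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options) plus UDP."""
    total_len = 20 + 8 + len(payload)
    header = bytearray(b"\x45\x00" + total_len.to_bytes(2, "big")
                       + b"\x00\x00\x00\x00\x40\x11\x00\x00"   # id, flags, TTL 64, UDP
                       + ipaddress.IPv4Address(src).packed
                       + ipaddress.IPv4Address(dst).packed)
    header[10:12] = _checksum(bytes(header)).to_bytes(2, "big")
    udp = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00")
    return bytes(header) + udp + payload


def parse_ipv4_udp(data: bytes):
    """Return (src, dst, sport, dport), or None if the bytes are not a
    plausible IPv4/UDP packet (version/IHL, protocol, length, header checksum)."""
    if len(data) < 28 or data[0] != 0x45 or data[9] != 17:
        return None
    if int.from_bytes(data[2:4], "big") != len(data) or _checksum(data[:20]) != 0:
        return None
    src = str(ipaddress.IPv4Address(data[12:16]))
    dst = str(ipaddress.IPv4Address(data[16:20]))
    return src, dst, int.from_bytes(data[20:22], "big"), int.from_bytes(data[22:24], "big")


def keys_match(candidate_key: bytes, ciphertext: bytes, known_addresses, known_ports) -> bool:
    """Receiver side (UE for downlink, core network element for uplink): decrypt
    with the locally derived key and test whether address and port are identified."""
    parsed = parse_ipv4_udp(xor_cipher(candidate_key, ciphertext))
    if parsed is None:
        return False
    _src, dst, _sport, dport = parsed
    return dst in known_addresses and dport in known_ports


def remedy(match: bool) -> str:
    """Claims 24/26: on mismatch the master base station is asked to act on the secondary."""
    return "ok" if match else "notify-master-base-station"


# Constructed sample values: the sender's key and a receiver whose counter drifted.
SAMPLE_KEY_TX = hashlib.sha256(b"constructed-secondary-key-counter-3").digest()
SAMPLE_KEY_BAD = hashlib.sha256(b"constructed-secondary-key-counter-4").digest()
SAMPLE_PACKET = build_ipv4_udp("10.0.0.1", "10.0.0.2", 5000, 5060, b"hello")
SAMPLE_CIPHERTEXT = xor_cipher(SAMPLE_KEY_TX, SAMPLE_PACKET)


def demo():
    """Returns (result with matching key, result with drifted key)."""
    good = keys_match(SAMPLE_KEY_TX, SAMPLE_CIPHERTEXT, {"10.0.0.2"}, {5060})
    bad = keys_match(SAMPLE_KEY_BAD, SAMPLE_CIPHERTEXT, {"10.0.0.2"}, {5060})
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(good, remedy(good))   # True ok
    print(bad, remedy(bad))     # False notify-master-base-station
```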
    28. A base station, characterized in that the base station comprises: a communication interface, a memory and a processor; the communication interface is used to communicate with a network element, the memory is used to store computer code, and the processor executes the computer code to:
    receive check information sent by a user equipment, where the check information is the information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtain target data according to a key derived by the base station, the preset algorithm, the preset data and the check information;
    judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station.
    29. The base station according to claim 28, characterized in that the processor, executing the computer code, is further used to:
    if the key derived by the user equipment differs from the key derived by the base station, make the user equipment derive the key again or make the user equipment delete the base station.
    30. The base station according to claim 28, characterized in that the processor, executing the computer code, is further used to:
    receive a base station addition complete message from a master base station over an X2 interface, where the base station addition complete message carries the check information; or
    receive a medium access control (MAC) message sent by the user equipment, where the MAC message carries the check information; or
    receive Packet Data Convergence Protocol (PDCP) data sent by the user equipment, where the PDCP data carry the check information.
    31. The base station according to claim 28, characterized in that the preset data includes at least one of the following:
    a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier (C-RNTI) under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a random number.
    32. The base station according to claim 28, characterized in that the base station is a secondary base station.
    33. A base station, characterized in that the base station comprises: a communication interface, a memory and a processor; the communication interface is used to communicate with a network element, the memory is used to store computer code, and the processor executes the computer code to:
    receive check information sent by a user equipment, where the check information is the information obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information; judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, so as to obtain a judgment result;
    send the judgment result to the secondary base station.
    34. The base station according to claim 33, characterized in that the processor, executing the computer code, is further used to:
    if the key derived by the user equipment differs from the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment derive the key again.
    35. The base station according to claim 33, characterized in that the processor, executing the computer code, is further used to:
    receive a radio resource control (RRC) message sent by the user equipment, where the RRC message carries the check information.
    36. The base station according to claim 33, characterized in that the preset data includes at least one of the following:
    a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier (C-RNTI) under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a C-RNTI under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a random number.
    37. A user equipment, characterized in that the user equipment comprises: a communication interface, a memory and a processor; the communication interface is used to communicate with a network element, the memory is used to store computer code, and the processor executes the computer code to:
    decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
    judge, according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station;
    send the judgment result to the secondary base station;
    wherein the judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station comprises:
    obtaining the Internet Protocol address and port number of the decrypted packet; if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
    38. The user equipment according to claim 37, characterized in that the processor, executing the computer code, is further used to:
    if the key derived by the user equipment differs from the key derived by the secondary base station, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
    39. A core network element, characterized in that the core network element comprises: a communication interface, a memory and a processor; the communication interface is used to communicate with a network element, the memory is used to store computer code, and the processor executes the computer code to:
    receive the data obtained after a secondary base station decrypts, according to a key derived by the secondary base station and a preset algorithm, uplink data sent by a user equipment;
    judge, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station;
    send the judgment result to the secondary base station;
    wherein the judging, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station comprises:
    obtaining the Internet Protocol address and port number of the decrypted packet;
    if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
    if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment differs from the key derived by the secondary base station.
    40. The core network element according to claim 39, characterized in that the processor, executing the computer code, is further used to:
    if the key derived by the user equipment differs from the key derived by the secondary base station, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
    41. The core network element according to claim 40, characterized in that the processor, executing the computer code, is further used to:
    send a key-mismatch message to a mobility management entity, the mobility management entity forwarding the key-mismatch message to the master base station, so that the master base station deletes the secondary base station or adds the secondary base station again after receiving the key-mismatch message.
CN201480000891.9A 2014-01-14 2014-01-14 Key verification method, base station, user equipment and core network element Active CN105027495B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/070607 WO2015106387A1 (en) 2014-01-14 2014-01-14 Key verification method, base station, user device and core network element

Publications (2)

Publication Number Publication Date
CN105027495A true CN105027495A (en) 2015-11-04
CN105027495B CN105027495B (en) 2018-12-14

Family

ID=53542265

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480000891.9A Active CN105027495B (en) 2014-01-14 2014-01-14 Key verification method, base station, user equipment and core network element

Country Status (2)

Country Link
CN (1) CN105027495B (en)
WO (1) WO2015106387A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132924A (en) * 2021-04-19 2021-07-16 北京达源环保科技有限公司 Information transmission method and system for high-deployment-density sludge anaerobic digestion monitoring terminal
CN113573423A (en) * 2018-05-30 2021-10-29 华为技术有限公司 Communication method and device
CN114069826A (en) * 2021-10-30 2022-02-18 国网湖南省电力有限公司 Method, system and medium for checking 5G communication security of spare power automatic switching device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859772A (en) * 2006-01-07 2006-11-08 华为技术有限公司 Safety service communication method based on general authentification frame
CN101102186A (en) * 2006-07-04 2008-01-09 华为技术有限公司 Method for implementing general authentication framework service push
CN101309503A (en) * 2007-05-17 2008-11-19 华为技术有限公司 Wireless switching method, base station and terminal
EP2028890A1 (en) * 2007-08-12 2009-02-25 LG Electronics Inc. Handover method with link failure recovery, wireless device and base station for implementing such method
CN101715188A (en) * 2010-01-14 2010-05-26 中兴通讯股份有限公司 Updating method and updating system of air interface key
CN102215485A (en) * 2010-04-04 2011-10-12 中兴通讯股份有限公司 Method for guaranteeing safety of multi-carrier switching or reconstructing in multi-carrier communication system
US20120155647A1 (en) * 2010-12-21 2012-06-21 General Instrument Corporation Cryptographic devices & methods
CN102625302A (en) * 2008-06-23 2012-08-01 华为技术有限公司 Key derivation method, equipment and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101400059B (en) * 2007-09-28 2010-12-08 华为技术有限公司 Cipher key updating method and device under active state
US9002357B2 (en) * 2009-06-26 2015-04-07 Qualcomm Incorporated Systems, apparatus and methods to facilitate handover security

Also Published As

Publication number Publication date
CN105027495B (en) 2018-12-14
WO2015106387A1 (en) 2015-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant