CN105075306B - Method and network device for security authentication in a mobile communication system - Google Patents


Publication number
CN105075306B
Authority
CN
China
Prior art keywords
access network
network elements
lte
authentication vector
sgsn
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201380070865.9A
Other languages
Chinese (zh)
Other versions
CN105075306A (en)
Inventor
陈璟
靳维生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431: Key distribution or pre-distribution; Key agreement

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention disclose a method and a network device for security authentication in a mobile communication system. In the method, an HSS receives a special authentication vector request sent by an access network element, where the special authentication vector request is sent by the access network element after it receives an authentication vector request sent by an SGSN; the HSS generates a special authentication vector according to the special authentication vector request; and the HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN and an LTE UE complete security authentication. The method and the network device disclosed by the embodiments enable an LTE UE to use a 2G/3G network.

Description

Method and network device for security authentication in a mobile communication system
Technical field
Embodiments of the present invention relate to the communications field, and more particularly to a method and a network device for security authentication in a mobile communication system.
Background
The Long Term Evolution (LTE)/System Architecture Evolution (SAE) network is a new mobile communication system formulated by the standards organization 3rd Generation Partnership Project (3GPP). This network is the next evolutionary step for existing 3G networks, including Wideband Code Division Multiple Access (WCDMA) networks, Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) networks and Code Division Multiple Access 2000 (CDMA2000) networks. At present, commercially deployed LTE/SAE networks are already in operation in certain countries.
Security is an essential feature for the commercial operation of a mobile communication system, and authentication is a key security feature. Both the Universal Mobile Telecommunication System (UMTS) network and the LTE/SAE network define an Authentication and Key Agreement (AKA) mechanism to perform mutual authentication between the UE and the network. The mutual authentication mechanism of the UMTS network is called UMTS AKA, and the mutual authentication mechanism of the LTE/SAE network is called Evolved Packet System (EPS) AKA.
In certain special scenarios, an LTE user equipment (UE) accesses a 2G/3G core network through an LTE access network. Because the 2G/3G core network can only obtain a UMTS AV from the HSS, and an LTE UE refuses to authenticate with a UMTS AV when it accesses through an LTE network, the LTE UE cannot access the 2G/3G core network through the LTE access network.
Summary of the invention
In view of this, embodiments of the invention provide a method and a network device for security authentication in a mobile communication system that enable an LTE UE to use a 2G/3G network.
In a first aspect, a security authentication method for a mobile communication system is provided, comprising:
An HSS receives a special authentication vector request sent by an access network element, where the special authentication vector request is sent by the access network element after it receives an authentication vector request sent by an SGSN;
The HSS generates a special authentication vector according to the special authentication vector request;
The HSS sends the special authentication vector to the access network element, so that the access network element, the SGSN and an LTE UE complete security authentication.
In a first possible implementation, the authentication vector request is sent by the SGSN after it receives a UMTS attach request message sent by the access network element; the UMTS attach request message is obtained by the access network element converting an attach request message, and the attach request message is sent by the LTE UE.
In a second possible implementation, with reference to the first aspect or the first possible implementation of the first aspect, the step in which the access network element, the SGSN and the LTE UE complete security authentication includes:
The access network element sends the special authentication vector to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network element; the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification and generates RES and the key K_ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response containing the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
In a third possible implementation, with reference to the first aspect or the first or second possible implementation of the first aspect, the special authentication vector includes XRES, CK and IK;
The step in which the access network element, the SGSN and the LTE UE further complete security authentication includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK; and the access network element and the LTE UE share the K_ASME.
In a fourth possible implementation, with reference to the third possible implementation of the first aspect, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, aborting the security authentication.
In a fifth possible implementation, with reference to the first aspect or any of the first to fourth possible implementations of the first aspect, the special authentication vector request being sent by the access network element after it receives the authentication vector request sent by the SGSN includes:
The access network element receives the authentication vector request sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information to the authentication vector request to generate the special authentication vector request, where the indication information instructs the HSS to generate the special authentication vector.
In a sixth possible implementation, with reference to the first aspect or any of the first to fifth possible implementations of the first aspect, the HSS generating the special authentication vector according to the special authentication vector request includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the EPS AV converted into UMTS AV format is the special authentication vector.
In a seventh possible implementation, with reference to the sixth possible implementation of the first aspect, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV respectively.
In an eighth possible implementation, with reference to any of the third to seventh possible implementations of the first aspect, the access network element generating K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
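The EPS AV to UMTS AV conversion at the HSS, the RES/XRES comparison at the SGSN and the generation rule K_ASME = CK || IK at the access network element can be traced end to end in the following sketch. It is an added example, not code from the patent; the function names, the 32-byte K_ASME with equal 16-byte halves, and the sample values are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed sizes (not stated on the page): K_ASME is 256 bits, CK and IK are
# 128 bits each, so the "two parts" are taken to be equal halves.
KASME_LEN = 32
HALF = KASME_LEN // 2


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def hss_convert(eps: EpsAv) -> UmtsAv:
    """HSS: re-package an EPS AV in UMTS AV format (the special AV)."""
    if len(eps.kasme) != KASME_LEN:
        raise ValueError("K_ASME must be %d bytes" % KASME_LEN)
    # RAND, AUTN and XRES are copied unchanged. The split is lossless:
    # any node that holds both CK and IK also holds K_ASME.
    return UmtsAv(eps.rand, eps.autn, eps.xres,
                  ck=eps.kasme[:HALF], ik=eps.kasme[HALF:])


def sgsn_verify(av: UmtsAv, res: bytes) -> Optional[Tuple[bytes, bytes]]:
    """SGSN: release CK and IK only when RES is identical to XRES."""
    if not hmac.compare_digest(res, av.xres):  # constant-time comparison
        return None  # mismatch: authentication is aborted, no keys released
    return av.ck, av.ik


def access_rebuild_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element: generation rule K_ASME = CK || IK."""
    if len(ck) != HALF or len(ik) != HALF:
        raise ValueError("CK and IK must be %d bytes each" % HALF)
    return ck + ik


def authenticate(eps: EpsAv, ue_res: bytes) -> Optional[bytes]:
    """Run the three network-side steps; return K_ASME or None on abort."""
    special_av = hss_convert(eps)
    released = sgsn_verify(special_av, ue_res)
    if released is None:
        return None
    return access_rebuild_kasme(*released)


# Constructed sample vector (not real network data).
SAMPLE_EPS_AV = EpsAv(
    rand=bytes(range(0x10, 0x20)),
    autn=bytes(range(0x20, 0x30)),
    xres=bytes(range(0x40, 0x48)),
    kasme=bytes(range(0x80, 0xA0)),
)

if __name__ == "__main__":
    good = authenticate(SAMPLE_EPS_AV, SAMPLE_EPS_AV.xres)
    bad = authenticate(SAMPLE_EPS_AV, bytes(8))
    print("matching RES  ->", good.hex() if good else None)
    print("wrong RES     ->", bad)
```
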
In a second aspect, a security authentication method for a mobile communication system is provided, comprising:
An SGSN receives a UMTS attach request message sent by an access network element, where the UMTS attach request message is obtained by the access network element converting an attach request message sent by an LTE UE;
The SGSN sends an authentication vector request to the access network element, so that the access network element, after receiving the authentication vector request, sends a special authentication vector request to an HSS, and so that the HSS generates a special authentication vector according to the special authentication vector request and then sends it to the access network element;
After receiving the special authentication vector from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element and the LTE UE complete security authentication.
In a first possible implementation, the step in which the SGSN, the access network element and the LTE UE complete security authentication includes:
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification and generates RES and the key K_ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response containing the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
In a second possible implementation, with reference to the second aspect or the first possible implementation of the second aspect, the special authentication vector includes XRES, CK and IK;
The step in which the access network element, the SGSN and the LTE UE further complete security authentication includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK; and the access network element and the LTE UE share the K_ASME.
In a third possible implementation, with reference to the second possible implementation of the second aspect, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, aborting the security authentication.
In a fourth possible implementation, with reference to the second aspect or any of the first to third possible implementations of the second aspect, the access network element sending the special authentication vector request to the HSS after receiving the authentication vector request includes:
The access network element receives the authentication vector request sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information to the authentication vector request to generate the special authentication vector request, where the indication information instructs the HSS to generate the special authentication vector.
In a fifth possible implementation, with reference to the second aspect or any of the first to fourth possible implementations of the second aspect, the HSS generating the special authentication vector according to the special authentication vector request includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the EPS AV converted into UMTS AV format is the special authentication vector.
In a sixth possible implementation, with reference to the fifth possible implementation of the second aspect, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV respectively.
In a seventh possible implementation, with reference to any of the second to sixth possible implementations of the second aspect, the access network element generating K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
In a third aspect, a security authentication method for a mobile communication system is provided, comprising:
An access network element converts an attach request message from an LTE UE into a UMTS attach request message;
The access network element sends the UMTS attach request message to an SGSN, so that the SGSN, after receiving the UMTS attach request message, sends an authentication vector request to the access network element;
After receiving the authentication vector request, the access network element sends a special authentication vector request to an HSS, so that the HSS generates a special authentication vector according to the special authentication vector request and then sends the special authentication vector to the access network element;
The access network element receives a UMTS AKA authentication challenge, where the UMTS AKA authentication challenge is sent by the SGSN after the access network element sends the special authentication vector to the SGSN;
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, so that the access network element, the SGSN and the LTE UE complete security authentication.
In a first possible implementation, the step in which the access network element, the SGSN and the LTE UE complete security authentication includes:
The LTE UE verifies the LTE AKA authentication challenge and then generates RES and the key K_ASME;
The access network element receives an LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network element, the SGSN and the LTE UE further complete security authentication.
In a second possible implementation, with reference to the third aspect or the first possible implementation of the third aspect, the special authentication vector includes XRES, CK and IK;
The step in which the access network element, the SGSN and the LTE UE further complete security authentication includes:
The access network element converts the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES and sends the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical and, when the comparison result is that they are identical, sends the CK and/or IK to the access network element;
The access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
In a third possible implementation, with reference to the second possible implementation of the third aspect, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, aborting the security authentication.
In a fourth possible implementation, with reference to the third aspect or any of the first to third possible implementations of the third aspect, the access network element sending the special authentication vector request to the HSS after receiving the authentication vector request includes:
The access network element receives the authentication vector request sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information to the authentication vector request to generate the special authentication vector request, where the indication information instructs the HSS to generate the special authentication vector.
In a fifth possible implementation, with reference to the third aspect or any of the first to fourth possible implementations of the third aspect, the HSS generating the special authentication vector according to the special authentication vector request includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the EPS AV converted into UMTS AV format is the special authentication vector.
In a sixth possible implementation, with reference to the fifth possible implementation of the third aspect, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV respectively.
In a seventh possible implementation, with reference to any of the second to sixth possible implementations of the third aspect, the access network element generating K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
In a fourth aspect, an HSS is provided, comprising: a receiving module, a processing module and a sending module;
The receiving module is configured to receive a special authentication vector request sent by an access network element, where the special authentication vector request is sent by the access network element after it receives an authentication vector request sent by an SGSN;
The processing module is configured to generate a special authentication vector according to the special authentication vector request;
The sending module is configured to send the special authentication vector to the access network element, so that the access network element, the SGSN and an LTE UE complete security authentication.
In a first possible implementation, the authentication vector request is sent by the SGSN after it receives a UMTS attach request message sent by the access network element; the UMTS attach request message is obtained by the access network element converting an attach request message, and the attach request message is sent by the LTE UE.
In a second possible implementation, with reference to the fourth aspect or the first possible implementation of the fourth aspect, the step in which the access network element, the SGSN and the LTE UE complete security authentication includes:
The access network element sends the special authentication vector to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network element; the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification and generates RES and the key K_ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response containing the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
In a third possible implementation, with reference to the fourth aspect or the first or second possible implementation of the fourth aspect, the special authentication vector includes XRES, CK and IK;
The step in which the access network element, the SGSN and the LTE UE further complete security authentication includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network element; the access network element generates K_ASME according to the CK and/or IK; and the access network element and the LTE UE share the K_ASME.
In a fourth possible implementation, with reference to the third possible implementation of the fourth aspect, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, aborting the security authentication.
In a fifth possible implementation, with reference to the fourth aspect or any of the first to fourth possible implementations of the fourth aspect, the special authentication vector request being sent by the access network element after it receives the authentication vector request sent by the SGSN includes:
The access network element receives the authentication vector request sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information to the authentication vector request to generate the special authentication vector request, where the indication information instructs the HSS to generate the special authentication vector.
In a sixth possible implementation, with reference to the fourth aspect or any of the first to fifth possible implementations of the fourth aspect, the processing module being configured to generate the special authentication vector according to the special authentication vector request includes:
The processing module is configured to generate an EPS AV for the LTE UE;
The processing module is configured to convert the EPS AV into UMTS AV format; the EPS AV converted into UMTS AV format is the special authentication vector.
In a seventh possible implementation, with reference to the sixth possible implementation of the fourth aspect, the processing module being configured to convert the EPS AV into UMTS AV format includes:
The processing module is configured to use the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and to split the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV respectively.
In an eighth possible implementation, with reference to any of the third to seventh possible implementations of the fourth aspect, the access network element generating K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
In a fifth aspect, an SGSN is provided, comprising: a receiving module and a sending module;
The receiving module is configured to receive a UMTS attach request message sent by an access network element, where the UMTS attach request message is obtained by the access network element converting an attach request message sent by an LTE UE;
The sending module is configured to send an authentication vector request to the access network element, so that the access network element, after receiving the authentication vector request, sends a special authentication vector request to an HSS, and so that the HSS generates a special authentication vector according to the special authentication vector request and then sends it to the access network element;
The receiving module is further configured to receive the special authentication vector from the access network element, and the sending module is further configured to send a UMTS AKA authentication challenge to the access network element after the receiving module receives the special authentication vector, so that the SGSN, the access network element and the LTE UE complete security authentication.
In a first possible implementation, the step in which the SGSN, the access network element and the LTE UE complete security authentication includes:
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE; after the LTE UE performs verification and generates RES and the key K_ASME according to the LTE AKA authentication challenge, the LTE UE sends an LTE AKA authentication response containing the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete security authentication.
In a second possible implementation, with reference to the fifth aspect or the first possible implementation of the fifth aspect, the SGSN further comprises a processing module;
The special authentication vector includes XRES, CK and IK;
The step in which the access network element, the SGSN and the LTE UE further complete security authentication includes:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module; the processing module is configured to compare whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network element, the CK and/or IK being sent by the sending module; the access network element generates K_ASME according to the CK and/or IK; and the access network element and the LTE UE share the K_ASME.
In a third possible implementation, with reference to the second possible implementation of the fifth aspect, the processing module being configured to compare whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, aborting the security authentication.
In a fourth possible implementation, with reference to the fifth aspect or any of the first to third possible implementations of the fifth aspect, the access network element sending the special authentication vector request to the HSS after receiving the authentication vector request includes:
The access network element receives the authentication vector request sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information to the authentication vector request to generate the special authentication vector request, where the indication information instructs the HSS to generate the special authentication vector.
In a fifth possible implementation, with reference to the fifth aspect or any of the first to fourth possible implementations of the fifth aspect, the HSS generating the special authentication vector according to the special authentication vector request includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the EPS AV converted into UMTS AV format is the special authentication vector.
In a sixth possible implementation, with reference to the fifth possible implementation of the fifth aspect, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, which serve as the CK and the IK of the UMTS AV respectively.
In a seventh possible implementation, with reference to any of the second to sixth possible implementations of the fifth aspect, the access network element generating K_ASME according to the CK and/or IK includes:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
6th aspect, provides a kind of access network elements, comprising: receiving module, processing module, sending module;
The receiving module is for receiving the attach request message from LTE UE;The processing module is used for should Attach request message is converted to UMTS attach request message;
The sending module is used to the UMTS attach request message being sent to SGSN, so that the SGSN receives this Sending after UMTS attach request message requires the request of Ciphering Key to give the receiving module;The sending module is also used to Sending after the receiving module receives the request for requiring Ciphering Key requires the request of special Ciphering Key to give the HSS, so as to The HSS according to requiring the request of special Ciphering Key to generate the special Ciphering Key, and then so as to the HSS by this it is special authenticate to Amount is sent to the receiving module;
The receiving module is also used to receive UMTS AKA authentication challenge, which will for the sending module The special Ciphering Key is sent after being sent to the SGSN by the SGSN;The processing module is also used to the UMTS AKA authentication challenge It is converted into LTE AKA authentication challenge, which is also used to the LTE AKA authentication challenge being sent to the LTE UE, so as to The access network elements, the SGSN and the LTE UE complete safety certification.
In a first possible implementation, enabling the access network elements, the SGSN and the LTE UE to complete safety certification includes:
The LTE UE generates a RES and a key KASME after verifying the LTE AKA authentication challenge;
The receiving module is configured to receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
In a second possible implementation, with reference to the sixth aspect or the first possible implementation of the sixth aspect, the special Ciphering Key includes XRES, CK and IK;
Enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The processing module is further configured to convert the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES, and the sending module is further configured to send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical and, when the comparison result is that they are identical, sends the CK and/or IK to the access network elements;
The processing module is further configured to generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
In a third possible implementation, with reference to the second possible implementation of the sixth aspect, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, stopping the safety certification.
In a fourth possible implementation, with reference to the sixth aspect or any one of the first to third possible implementations of the sixth aspect, the sending module being further configured to send a request for a special Ciphering Key to the HSS after the receiving module receives the request for a Ciphering Key includes:
The receiving module is configured to receive the request for a Ciphering Key sent by the SGSN;
The processing module is configured to identify that it is an LTE UE that is accessing the 2G or 3G network;
The processing module is further configured to add indication information to the request for a Ciphering Key to generate the request for a special Ciphering Key, the indication information instructing the HSS to generate the special Ciphering Key.
In a fifth possible implementation, with reference to the sixth aspect or any one of the first to fourth possible implementations of the sixth aspect, the HSS generating the special Ciphering Key according to the request for a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the resulting UMTS AV is the special Ciphering Key.
In a sixth possible implementation, with reference to the fifth possible implementation of the sixth aspect, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME (256 bits) in the EPS AV into two parts that serve as the CK and the IK of the UMTS AV, respectively.
In a seventh possible implementation, with reference to any one of the second to sixth possible implementations of the sixth aspect, the processing module is further configured to generate the KASME from the CK and/or IK according to the generation rule KASME = CK || IK.
With the above solutions, an LTE UE can use a 2G/3G network.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed for the embodiments are briefly described below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is the schematic flow chart of the authentication method of mobile communication system according to an embodiment of the present invention;
Fig. 2 is the schematic flow chart of the authentication method of mobile communication system according to another embodiment of the present invention;
Fig. 3 is the schematic flow chart of the authentication method of mobile communication system according to another embodiment of the present invention;
Fig. 4 is the schematic flow chart of the authentication method of mobile communication system according to another embodiment of the present invention;
Fig. 5 is the schematic block diagram of home subscriber server according to an embodiment of the present invention;
Fig. 6 is the schematic block diagram of GPRS Service support node according to an embodiment of the present invention;
Fig. 7 is the schematic block diagram of access network elements according to an embodiment of the present invention;
Fig. 8 is the schematic block diagram of home subscriber server according to another embodiment of the present invention;
Fig. 9 is the schematic block diagram of GPRS Service support node according to another embodiment of the present invention;
Figure 10 is the schematic block diagram of access network elements according to another embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
It should be understood that the technical solutions of the embodiments of the present invention can be applied to various 2G or 3G communication systems, for example: the Global System of Mobile communication ("GSM") system, the Code Division Multiple Access ("CDMA") system, the Wideband Code Division Multiple Access ("WCDMA") system, General Packet Radio Service ("GPRS"), the Universal Mobile Telecommunication System ("UMTS"), the Worldwide Interoperability for Microwave Access ("WiMAX") communication system, and so on.
The access network elements in the embodiments of the present invention are enhanced access network elements that support access of an LTE UE to a 2G/3G core network. In all embodiments of the invention, the access network elements can have the following functions: the functions of an LTE eNB, so that an LTE UE can access the 2G/3G core network through the access network elements without modification, and the LTE UE believes that it is accessing an LTE network rather than a 2G/3G core network; the access network elements in the embodiments of the present invention can also implement part of the functions of a mobility management entity (Mobility Management Entity, "MME"), such as the security protection function for NAS signaling.
Fig. 1 shows a schematic flow chart of a method 100 for safety certification of a mobile communication system according to an embodiment of the present invention. As shown in Fig. 1, the method 100 includes:
S110, the HSS receives a request for a special Ciphering Key sent by the access network elements, the request for a special Ciphering Key being sent by the access network elements after they receive a request for a Ciphering Key sent by the SGSN;
S120, the HSS generates the special Ciphering Key according to the request for a special Ciphering Key;
S130, the HSS sends the special Ciphering Key to the access network elements, so that the access network elements, the SGSN and the LTE UE complete safety certification.
In this embodiment of the present invention, to enable an LTE UE to use a 2G or 3G network, after the access network elements identify that it is an LTE UE that is accessing the 2G/3G network, the HSS generates a special Ciphering Key for the LTE UE, so that the SGSN, the access network elements and the LTE UE complete safety certification and the LTE UE can use the 2G or 3G core network.
Optionally, the request for a Ciphering Key is sent by the SGSN after it receives the UMTS attach request message sent by the access network elements; the UMTS attach request message is obtained by the access network elements converting an attach request message, and the attach request message is sent by the LTE UE.
Optionally, enabling the access network elements, the SGSN and the LTE UE to complete safety certification includes:
The access network elements send the special Ciphering Key to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network elements; the access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; after the LTE UE verifies the LTE AKA authentication challenge and generates a RES and a key KASME, the LTE UE sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network elements; the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, stopping the safety certification.
Optionally, the request for a special Ciphering Key being sent by the access network elements after they receive the request for a Ciphering Key sent by the SGSN includes:
The access network elements receive the request for a Ciphering Key sent by the SGSN;
The access network elements identify that it is an LTE UE that is accessing the 2G or 3G network;
The access network elements add indication information to the request for a Ciphering Key to generate the request for a special Ciphering Key; the indication information instructs the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request for a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the resulting UMTS AV is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts that serve as the CK and the IK of the UMTS AV, respectively.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME = CK || IK.
In this embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for a 2G or 3G network; after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G network through the access network elements, the HSS generates a special Ciphering Key, and the safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. No modification of the LTE UE is required: the LTE UE can access the 2G or 3G core network through the access network elements of this embodiment, complete safety certification and use 2G or 3G core network resources.
Fig. 2 shows a schematic flow chart of a method 200 for safety certification of a mobile communication system according to an embodiment of the present invention. Fig. 2 and the method disclosed in its description can be based on Fig. 1 of the embodiments of the present invention and the method disclosed on the basis of Fig. 1. As shown in Fig. 2, the method 200 includes:
S210, the SGSN receives a UMTS attach request message sent by the access network elements, the UMTS attach request message being obtained by the access network elements converting the attach request message sent by the LTE UE;
S220, the SGSN sends a request for a Ciphering Key to the access network elements, so that the access network elements, after receiving the request for a Ciphering Key, send a request for a special Ciphering Key to the HSS, and so that the HSS, after generating the special Ciphering Key according to the request for a special Ciphering Key, sends it to the access network elements;
S230, after receiving the special Ciphering Key from the access network elements, the SGSN sends a UMTS AKA authentication challenge to the access network elements, so that the SGSN, the access network elements and the LTE UE complete safety certification.
In this embodiment of the present invention, after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G core network, the access network elements, in response to the request of the SGSN, request a special Ciphering Key from the HSS, and the HSS generates the special Ciphering Key, so that the SGSN, the access network elements and the LTE UE complete safety certification and the LTE UE can use the 2G or 3G core network without any modification to the LTE UE.
Optionally, enabling the SGSN, the access network elements and the LTE UE to complete safety certification includes:
The access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; after the LTE UE verifies the LTE AKA authentication challenge and generates a RES and a key KASME, the LTE UE sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is that they are identical, the SGSN sends the CK and/or IK to the access network elements; the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, stopping the safety certification.
Optionally, the access network elements sending the request for a special Ciphering Key to the HSS after receiving the request for a Ciphering Key includes:
The access network elements receive the request for a Ciphering Key sent by the SGSN;
The access network elements identify that it is an LTE UE that is accessing the 2G or 3G network;
The access network elements add indication information to the request for a Ciphering Key to generate the request for a special Ciphering Key; the indication information instructs the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request for a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the resulting UMTS AV is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts that serve as the CK and the IK of the UMTS AV, respectively.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME = CK || IK.
In this embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for a 2G or 3G network; after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G network through the access network elements, the HSS generates a special Ciphering Key, and the safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. No modification of the LTE UE is required: the LTE UE can access the 2G or 3G core network through the access network elements of this embodiment, complete safety certification and use 2G or 3G core network resources.
Fig. 3 shows a schematic flow chart of a method 300 for safety certification of a mobile communication system according to an embodiment of the present invention. Fig. 3 and the method disclosed in its description can be based on Figs. 1 and 2 of the embodiments of the present invention and the methods disclosed on the basis of Figs. 1 and 2. As shown in Fig. 3, the method 300 includes:
S310, the access network elements convert the attach request message from the LTE UE into a UMTS attach request message;
S320, the access network elements send the UMTS attach request message to the SGSN, so that the SGSN, after receiving the UMTS attach request message, sends a request for a Ciphering Key to the access network elements;
S330, after receiving the request for a Ciphering Key, the access network elements send a request for a special Ciphering Key to the HSS, so that the HSS generates the special Ciphering Key according to the request for a special Ciphering Key and then sends the special Ciphering Key to the access network elements;
S340, the access network elements receive a UMTS AKA authentication challenge, which the SGSN sends after the access network elements have sent the special Ciphering Key to the SGSN;
S350, the access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE, so that the access network elements, the SGSN and the LTE UE complete safety certification.
In this embodiment of the present invention, the access network elements convert the information sent by the LTE UE into information suitable for a 2G or 3G network system and identify the scenario in which an LTE UE accesses the 2G or 3G network, and the HSS generates a special Ciphering Key, which enables the access network elements, the SGSN and the LTE UE to complete safety certification so that the LTE UE can use the existing 2G or 3G core network.
Optionally, the access network elements, the SGSN and the LTE UE completing safety certification includes:
The LTE UE generates a RES and a key KASME after verifying the LTE AKA authentication challenge;
The access network elements receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES and send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical and, when the comparison result is that they are identical, sends the CK and/or IK to the access network elements;
The access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is that they are not identical, stopping the safety certification.
Optionally, the access network elements sending the request for a special Ciphering Key to the HSS after receiving the request for a Ciphering Key includes:
The access network elements receive the request for a Ciphering Key sent by the SGSN;
The access network elements identify that it is an LTE UE that is accessing the 2G or 3G network;
The access network elements add indication information to the request for a Ciphering Key to generate the request for a special Ciphering Key; the indication information instructs the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request for a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the resulting UMTS AV is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts that serve as the CK and the IK of the UMTS AV, respectively.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME = CK || IK.
In this embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for a 2G or 3G network; after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G core network through the access network elements, the HSS generates a special Ciphering Key, and the safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. No modification of the LTE UE is required: the LTE UE can access the 2G or 3G core network through the access network elements of this embodiment, complete safety certification and use 2G or 3G core network resources.
Fig. 4 shows a schematic flow chart of a method 400 for safety certification of a mobile communication system according to an embodiment of the present invention. Figs. 1 to 3 of the embodiments of the present invention, and the methods disclosed on the basis of Figs. 1 to 3, each describe the method disclosed in the embodiments of the present invention from a different angle; for Figs. 1 to 3 and the methods disclosed on their basis, reference may be made to Fig. 4 and the method disclosed in its description. As shown in Fig. 4, the method 400 includes:
Optionally, the LTE UE accesses the 2G/3G core network through the access network elements, and an RRC connection is established between the LTE UE and the access network elements.
The LTE UE sends an attach request message to the access network elements; the access network elements convert the attach request message received from the LTE UE into a UMTS attach request message that the SGSN of the 2G/3G core network in the UMTS system can recognize, and send the converted UMTS attach request message to the SGSN.
The SGSN sends a request for a Ciphering Key to the access network elements, and the access network elements receive the request for a Ciphering Key sent by the SGSN;
The access network elements identify that it is an LTE UE that is accessing the 2G or 3G network; further, the access network elements can identify the type of UE that accesses through them, that is, the access network elements can recognize that an LTE UE is accessing the 2G or 3G network;
The access network elements add indication information to the request for a Ciphering Key to generate the request for a special Ciphering Key; the indication information instructs the HSS to generate the special Ciphering Key. From the indication information in the request for a special Ciphering Key sent by the access network elements, the HSS identifies that the scenario is one in which an LTE UE accesses a 2G/3G network. The HSS generating the special Ciphering Key includes:
Optionally, the HSS generates an EPS AV for the LTE UE;
Further,
The HSS sets bit 0 of the authentication management field AMF to 1 to indicate that this Ciphering Key is an EPS AV;
The HSS generates RAND, AUTN, CK, IK and XRES;
The HSS derives KASME from CK and IK; the derivation rule can be KASME = KDF(CK, IK), where KDF is a key derivation function;
The EPS AV consists of KASME, AUTN, XRES and RAND, where the value of bit 0 of the AMF parameter in the AUTN is 1.
Optionally, the HSS converts the EPS AV into UMTS AV format, so that the EPS AV can be sent to the SGSN in an existing UMTS authentication response. The method of converting the EPS AV into UMTS AV format includes: using the RAND, AUTN and XRES of the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the KASME (256 bits) in the EPS AV into two parts that serve as the CK (128 bits) and the IK (128 bits) of the UMTS AV, respectively. After the EPS AV is converted into UMTS AV format, the value of bit 0 of the AMF in the AUTN is still 1. The vector obtained by converting the EPS AV into UMTS AV format is the special Ciphering Key.
The HSS transmits the special Ciphering Key to the access network elements, and the access network elements in turn send the special Ciphering Key to the SGSN;
The SGSN executes the UMTS AKA authentication procedure according to the special Ciphering Key received from the access network elements. The SGSN sends a UMTS AKA authentication challenge to the access network elements; the UMTS AKA authentication challenge contains the RAND and the AUTN.
The access network elements convert the received UMTS AKA authentication challenge into an LTE AKA authentication challenge: the RAND and the AUTN in the UMTS AKA authentication challenge are placed in the LTE AKA authentication challenge and sent to the LTE UE.
The LTE UE verifies the AUTN. Further, because the value of bit 0 of the AMF in the AUTN is 1, the LTE UE passes the check on the AMF. The LTE UE generates the RES and the key KASME.
The LTE UE sends an LTE AKA authentication response to the access network elements; the LTE AKA authentication response contains the RES.
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response: the RES in the LTE AKA authentication response is placed in the UMTS AKA authentication response and sent to the SGSN.
The SGSN compares whether the RES and the XRES are identical.
Optionally, if the comparison result is that the RES and the XRES are not identical, the safety certification is stopped;
Optionally, if the comparison result is that the RES and the XRES are identical, the SGSN initiates the security mode procedure, during which the CK and/or IK are sent to the access network elements.
Optionally, the access network elements generate KASME according to the CK and/or IK. Optionally, the generation rule by which the access network elements generate KASME from the CK and/or IK is KASME = CK || IK, where "||" denotes concatenation, that is, the IK is appended after the CK.
The access network elements and the LTE UE share the key KASME.
Optionally, the LTE NAS SMC procedure and the LTE AS SMC procedure are executed between the access network elements and the LTE UE to establish LTE air interface security.
In this embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for a 2G or 3G network; after the SGSN identifies the scenario in which an LTE UE accesses the 2G or 3G core network through the access network elements, the HSS generates a special Ciphering Key, and the safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. No modification of the LTE UE is required: the LTE UE can access the 2G or 3G core network through the access network elements of this embodiment, complete safety certification and use 2G or 3G core network resources.
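The key handling of the Fig. 4 flow, as an added example that is not part of the patent text: the HSS builds the EPS AV, repackages it in UMTS AV format by splitting KASME into CK and IK, the SGSN compares RES with XRES, and the access network elements rebuild KASME = CK || IK. Assumptions: HMAC-SHA-256 stands in for the KDF the page leaves unspecified, SHA-256 over a seed stands in for the AKA functions that produce RAND, AUTN, XRES, CK and IK, "bit 0" of the AMF is taken to be its most significant bit, and all function names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: "bit 0" of the 16-bit AMF is its most significant bit.
AMF_BIT0 = 0x8000


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def aka_outputs(seed: bytes):
    """Constructed stand-in for the AKA functions: (RAND, AUTN, XRES, CK, IK)."""
    def field(label: bytes, size: int) -> bytes:
        return hashlib.sha256(seed + label).digest()[:size]
    # AUTN layout: SQN xor AK (6 bytes) || AMF (2 bytes) || MAC (8 bytes)
    autn = field(b"SQN^AK", 6) + AMF_BIT0.to_bytes(2, "big") + field(b"MAC", 8)
    return field(b"RAND", 16), autn, field(b"XRES", 8), field(b"CK", 16), field(b"IK", 16)


def kdf(ck: bytes, ik: bytes) -> bytes:
    """Stand-in for KASME = KDF(CK, IK); yields 256 bits."""
    return hmac.new(ck + ik, b"constructed KASME label", hashlib.sha256).digest()


def amf_bit0_set(autn: bytes) -> bool:
    """The AMF check the LTE UE applies to the AUTN it receives."""
    return bool(int.from_bytes(autn[6:8], "big") & AMF_BIT0)


def hss_generate_eps_av(seed: bytes) -> EpsAv:
    rand, autn, xres, ck, ik = aka_outputs(seed)
    return EpsAv(rand, autn, xres, kdf(ck, ik))


def hss_eps_to_umts(av: EpsAv) -> UmtsAv:
    """RAND, AUTN, XRES are copied; KASME is split into CK and IK (128 bits each)."""
    if len(av.kasme) != 32:
        raise ValueError("KASME must be 256 bits")
    return UmtsAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])


def sgsn_check_res(av: UmtsAv, res: bytes):
    """Return (CK, IK) for the security mode procedure, or None on RES/XRES mismatch."""
    if not hmac.compare_digest(res, av.xres):
        return None
    return av.ck, av.ik


def access_ne_rebuild_kasme(ck: bytes, ik: bytes) -> bytes:
    """Generation rule KASME = CK || IK at the access network elements."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    return ck + ik


def run_flow(seed: bytes, ue_res=None):
    """Walk the flow; return the KASME held by the access network elements, or None."""
    eps_av = hss_generate_eps_av(seed)
    special = hss_eps_to_umts(eps_av)      # the special Ciphering Key
    if not amf_bit0_set(special.autn):     # UE side: AMF check on the relayed AUTN
        return None
    res = eps_av.xres if ue_res is None else ue_res  # a genuine UE computes RES == XRES
    keys = sgsn_check_res(special, res)
    if keys is None:                       # mismatch: safety certification stops
        return None
    return access_ne_rebuild_kasme(*keys)


if __name__ == "__main__":
    seed = b"constructed-seed"
    print("KASME at access network elements:", run_flow(seed).hex())
    print("flow with wrong RES:", run_flow(seed, ue_res=bytes(8)))
```

The CK and IK that reach the SGSN in this scheme are the two halves of KASME rather than the CK and IK the HSS fed into the KDF, so the SGSN holds the full LTE root key for that authentication run.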
Fig. 5 shows a schematic block diagram of a home subscriber server 500 for safety certification of a mobile communication system according to an embodiment of the present invention. Fig. 5 and the device disclosed in its description can be based on Figs. 1 to 4 of the embodiments of the present invention and the methods disclosed on the basis of Figs. 1 to 4. As shown in Fig. 5, the home subscriber server HSS 500 includes: a receiving module 510, a processing module 520 and a sending module 530;
The receiving module 510 is configured to receive a request for a special Ciphering Key sent by the access network elements, the request for a special Ciphering Key being sent by the access network elements after they receive a request for a Ciphering Key sent by the SGSN;
The processing module 520 is configured to generate the special Ciphering Key according to the request for a special Ciphering Key;
The sending module 530 is configured to send the special Ciphering Key to the access network elements, so that the access network elements, the SGSN and the LTE UE complete safety certification.
In this embodiment of the present invention, to enable an LTE UE to use a 2G or 3G network, after the access network elements identify that it is an LTE UE that is accessing the 2G/3G core network, the HSS generates a special Ciphering Key for the LTE UE, so that the SGSN, the access network elements and the LTE UE complete safety certification and the LTE UE can use the 2G or 3G core network.
Optionally, it is the SGSN in the UMTS for receiving access network elements transmission that this, which requires the request of Ciphering Key, It is sent after attach request message, which is the access network elements by attach Request message conversion gained, the attach request message are sent by the LTE UE.
Optionally, enabling the access network elements, the SGSN and the LTE UE to complete safety certification includes:
The access network elements send the special Ciphering Key to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network elements; the access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; the LTE UE verifies the LTE AKA authentication challenge and generates RES and the key KASME, and then sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements, the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the request requiring a special Ciphering Key being sent by the access network elements after receiving the request requiring a Ciphering Key sent by the SGSN includes:
The access network elements receive the request requiring a Ciphering Key sent by the SGSN;
The access network elements identify that an LTE UE is accessing the 2G or 3G network;
The access network elements add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the processing module 520 generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The processing module 520 is used to generate EPS AV for the LTE UE;
Further,
The processing module 520 is used to set the 0th bit in the authentication management field AMF to 1 to indicate that this Ciphering Key is an EPS AV;
The processing module 520 is used to generate RAND, AUTN, CK, IK and XRES;
The processing module 520 is used to derive KASME from CK and IK; the derivation rule can be KASME=KDF (CK, IK), where KDF is the key derivation function;
The EPS AV consists of KASME, AUTN, XRES and RAND, where the value of the 0th bit of the AMF parameter in the AUTN is 1.
Optionally, the processing module 520 is used to convert the EPS AV into UMTS AV format, so that the EPS AV can be sent to the SGSN in the existing UMTS authentication response. The method for converting the EPS AV into UMTS AV format includes: using the RAND, AUTN and XRES in the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the KASME (256 bits) in the EPS AV into two parts, used respectively as the CK (128 bits) and IK (128 bits) of the UMTS AV. After the EPS AV is converted into UMTS AV format, the value of the 0th bit of the AMF in the AUTN remains 1. The vector obtained by converting the EPS AV into UMTS AV format is the special Ciphering Key.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME=CK || IK, where "||" denotes concatenation, i.e. IK is appended after CK.
In the embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for the 2G or 3G network; after the access network elements identify the scenario in which the LTE UE accesses the 2G or 3G network through the access network elements, the HSS generates the special Ciphering Key, and safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. The LTE UE does not need to be modified; the LTE UE can access the 2G or 3G core net through the access network elements of this embodiment, complete safety certification and use 2G or 3G core net resources.
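The vector conversion at the HSS, the RES/XRES comparison at the SGSN and the KASME reconstruction at the access network elements described above, as an added Python example (not code from the patent). The page does not specify the KDF or the AKA functions, so HMAC-SHA-256 stand-ins are used; the AUTN layout, the position of the AMF 0th bit, the key K and the RAND are constructed assumptions.

```python
"""Special Ciphering Key (authentication vector) flow: HSS, SGSN, access element."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

AMF_OFFSET = 6        # assumed AUTN layout: SQN xor AK (6) || AMF (2) || MAC (8)
AMF_BIT0_MASK = 0x80  # assumption: the "0th bit" is the MSB of the first AMF octet


def _prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Stand-in for the AKA functions, which the page does not specify."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()[:length]


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes


@dataclass(frozen=True)
class UmtsFormatAv:  # the "special Ciphering Key" sent towards the SGSN
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def aka_outputs(k: bytes, rand: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """CK, IK, (X)RES and AUTN, computed identically by the HSS and the UE."""
    ck = _prf(k, b"CK", rand, 16)
    ik = _prf(k, b"IK", rand, 16)
    res = _prf(k, b"RES", rand, 8)
    amf = bytes([AMF_BIT0_MASK, 0x00])  # 0th bit set to 1: vector is an EPS AV
    autn = _prf(k, b"SQN^AK", rand, 6) + amf + _prf(k, b"MAC", rand + amf, 8)
    return ck, ik, res, autn


def derive_kasme(ck: bytes, ik: bytes) -> bytes:
    """KASME = KDF(CK, IK); the KDF here is a placeholder, 256-bit output."""
    return hmac.new(ck + ik, b"KASME", hashlib.sha256).digest()


def hss_generate_eps_av(k: bytes, rand: bytes) -> EpsAv:
    ck, ik, xres, autn = aka_outputs(k, rand)
    return EpsAv(rand, autn, xres, derive_kasme(ck, ik))


def hss_to_special_av(av: EpsAv) -> UmtsFormatAv:
    """Split the 256-bit KASME into the 128-bit CK and IK fields."""
    if len(av.kasme) != 32:
        raise ValueError("KASME must be 256 bits")
    return UmtsFormatAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])


def amf_bit0(autn: bytes) -> int:
    return (autn[AMF_OFFSET] & AMF_BIT0_MASK) >> 7


def sgsn_verify(res: bytes, av: UmtsFormatAv) -> Optional[Tuple[bytes, bytes]]:
    """Release CK/IK only when RES equals XRES; otherwise stop."""
    if not hmac.compare_digest(res, av.xres):
        return None
    return av.ck, av.ik


def access_element_kasme(ck: bytes, ik: bytes) -> bytes:
    """KASME = CK || IK: reassemble the two halves received from the SGSN."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    return ck + ik


def ue_respond(k: bytes, rand: bytes, autn: bytes) -> Tuple[bytes, bytes]:
    """Unmodified LTE UE: verify the challenge, return RES and its own KASME."""
    ck, ik, res, expected_autn = aka_outputs(k, rand)
    if not hmac.compare_digest(autn, expected_autn) or amf_bit0(autn) != 1:
        raise ValueError("LTE AKA challenge rejected")
    return res, derive_kasme(ck, ik)


def run_authentication(k: bytes, rand: bytes, tamper_res: bool = False) -> Optional[bool]:
    """True if the access element and the UE end up sharing KASME, None if stopped."""
    special = hss_to_special_av(hss_generate_eps_av(k, rand))
    res, ue_kasme = ue_respond(k, special.rand, special.autn)
    if tamper_res:
        res = bytes([res[0] ^ 0x01]) + res[1:]  # simulate a wrong response
    keys = sgsn_verify(res, special)
    if keys is None:
        return None
    return hmac.compare_digest(access_element_kasme(*keys), ue_kasme)


# Constructed sample inputs, not real subscriber data.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f" * 16)

if __name__ == "__main__":
    print("shared KASME:", run_authentication(K, RAND))
    print("wrong RES:", run_authentication(K, RAND, tamper_res=True))
```

The CK and IK fields of the special vector are the two halves of KASME, not the CK and IK the HSS generated, so the SGSN that forwards them handles the full KASME.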
Fig. 6 shows the GPRS Service support node of the safety certification of mobile communication system according to an embodiment of the present invention 600 schematic block diagram.Fig. 6 and its revealed device of explanation, can be based on Fig. 1 to Fig. 4 of the embodiment of the present invention and based on this The revealed method of inventive embodiments Fig. 1 to Fig. 4 can also be based on the revealed device of Fig. 5 and Fig. 5 of the embodiment of the present invention. As shown in fig. 6, GPRS Service support node SGSN600 includes: receiving module 610;Sending module 620;
The receiving module 610 is used to receive the UMTS attach request message of access network elements transmission, the UMTS Attach request message is the attach request message conversion gained that the access network elements send LTE UE;
The sending module 620 is used to send the request for requiring Ciphering Key to the access network elements, so as to the access net net After member receives the request for requiring Ciphering Key, the request for requiring special Ciphering Key is sent, and then to HSS so as to the HSS The access network elements are sent to after requiring the request of special Ciphering Key to generate the special Ciphering Key according to this;
The receiving module 610 is also used to receive the special Ciphering Key from the access network elements, the sending module 620, which are also used to transmission UMTS AKA authentication challenge after the receiving module 610 receives the special Ciphering Key, gives the access net net Member, so that the SGSN, the access network elements and the LTE UE complete safety certification.
In embodiments of the present invention, after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G network, the access network elements request a special Ciphering Key from the HSS, and the HSS generates the special Ciphering Key according to the request, so that the SGSN, the access network elements and the LTE UE complete safety certification, allowing the LTE UE to use the 2G or 3G core net without any modification to the LTE UE.
Optionally, enabling the SGSN, the access network elements and the LTE UE to complete safety certification includes:
The access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; the LTE UE verifies the LTE AKA authentication challenge and generates RES and the key KASME, and then sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, which further includes processing module 630;
Optionally, which includes XRES, CK, IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the receiving module 610; the processing module 630 is used to compare whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements, the CK and/or IK being sent by the sending module 620; the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the processing module 630 comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the access network elements sending the request requiring a special Ciphering Key to the HSS after receiving the request requiring a Ciphering Key includes:
The access network elements receive the request requiring a Ciphering Key sent by the SGSN;
The access network elements identify that an LTE UE is accessing the 2G or 3G network;
The access network elements add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the resulting vector is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME=CK || IK.
In the embodiment of the present invention, message transmitted by LTE UE is converted to suitable for 2G or 3G by the access network elements The message of network, after identifying scene of the LTE UE by access network elements access 2G or 3G core net by SGSN, HSS is generated Special Ciphering Key completes the safety certification between LTE UE and network by the access network elements, SGSN.It does not need pair LTE UE makes an amendment, allow LTE UE through this embodiment in access network elements access 2G or 3G core net, complete peace It is complete to authenticate and use 2G or 3G resources of core network.
Fig. 7 shows showing for the access network elements 700 of the safety certification of mobile communication system according to an embodiment of the present invention Meaning property block diagram.Fig. 7 and its revealed device of explanation can be implemented based on Fig. 1 to Fig. 4 of the embodiment of the present invention and based on the present invention The example revealed method of Fig. 1 to Fig. 4, can also be based on the revealed dress of Fig. 5 of the embodiment of the present invention to Fig. 6 and Fig. 5 to Fig. 6 It sets.As shown in fig. 7, the access network elements 700 include: receiving module 710, processing module 720, sending module 730;
The receiving module 710 is for receiving the attach request message from LTE UE;The processing module 720 is used for The attach request message is converted into UMTS attach request message;
The sending module 730 is used to the UMTS attach request message being sent to SGSN, so that the SGSN is received Sending after the UMTS attach request message requires the request of Ciphering Key to give the receiving module 710;The sending module 730 are also used to send the request for requiring special Ciphering Key after the receiving module 710 receives the request for requiring Ciphering Key The HSS is given, so that the HSS is according to requiring the request of special Ciphering Key to generate the special Ciphering Key, and then so that the HSS will The special Ciphering Key is sent to the receiving module 710;
The receiving module 710 is also used to receive UMTS AKA authentication challenge, which is the transmission mould The special Ciphering Key is sent to after the SGSN and is sent by the SGSN by block 730;The processing module 720 is also used to the UMTS AKA authentication challenge is converted into LTE AKA authentication challenge, which is also used to for the LTE AKA authentication challenge being sent to The LTE UE, so that the access network elements, the SGSN and the LTE UE complete safety certification.
In embodiments of the present invention, the LTE UE information sent is converted to suitable for 2G or 3G net by access network elements The information of network system identifies the scene for LTE UE access 2G or 3G network by access network elements, and it is special to be generated by HSS Ciphering Key enables access network elements, SGSN and LTE UE to complete safety certification so that LTE UE can be used existing 2G or 3G core net.
Optionally, the access network elements, the SGSN and the LTE UE completing safety certification includes:
The LTE UE verifies the LTE AKA authentication challenge and then generates RES and the key KASME;
The receiving module 710 is used to receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The processing module 720 is also used to convert the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES, and the sending module 730 is also used to send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements;
The processing module 720 is also used to generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the sending module 730 being also used to send the request requiring a special Ciphering Key to the HSS after the receiving module 710 receives the request requiring a Ciphering Key includes:
The receiving module 710 is used to receive the request requiring a Ciphering Key sent by the SGSN;
The processing module 720 is used to identify that an LTE UE is accessing the 2G or 3G network;
The processing module 720 is also used to add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the resulting vector is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME (256 bits) in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
Optionally, the processing module 720 is further used to generate the KASME from the CK and/or IK according to the generation rule KASME=CK || IK, where "||" denotes concatenation, i.e. IK is appended after CK.
In the embodiment of the present invention, message transmitted by LTE UE is converted to suitable for 2G or 3G by the access network elements The message of network, after the scene that LTE UE passes through access network elements access 2G or 3G network is identified by access network elements, HSS Special Ciphering Key is generated, the safety certification between LTE UE and network is completed by the access network elements, SGSN.It does not need LTE UE is made an amendment, allow LTE UE through this embodiment in access network elements access 2G or 3G core net, complete Safety certification simultaneously uses 2G or 3G resources of core network.
Fig. 8 shows the user attaching server 800 of the safety certification of mobile communication system according to an embodiment of the present invention Schematic block diagram.Fig. 8 and its revealed device of explanation, can be based on Fig. 1 to Fig. 4 of the embodiment of the present invention and based on the present invention The revealed method of embodiment Fig. 1 to Fig. 4, and based on Fig. 5 of the embodiment of the present invention to Fig. 7 and it is based on figure of the embodiment of the present invention 5 to Fig. 7 revealed devices.As shown in figure 8, user attaching server HSS800 includes: receiver 810, processor 820, Transmitter 830;
The receiver 810 is used to receive the request requiring a special Ciphering Key sent by the access network elements; the access network elements send this request after receiving the request requiring a Ciphering Key sent by the SGSN;
The processor 820 is used to require the request of special Ciphering Key according to this, generates special Ciphering Key;
The transmitter 830 is used to the special Ciphering Key being sent to the access network elements, so as to the access network elements, is somebody's turn to do SGSN and LTE UE completes safety certification.
In embodiments of the present invention, in order to make the LTE UE able to use a 2G or 3G network, after the access network elements identify that an LTE UE is accessing the 2G/3G core net, the HSS generates a special Ciphering Key for the LTE UE, so that the SGSN, the access network elements and the LTE UE complete safety certification and the LTE UE can use the 2G or 3G core net.
Optionally, the request requiring a Ciphering Key is sent by the SGSN after it receives the UMTS attach request message sent by the access network elements; the UMTS attach request message is obtained by the access network elements converting an attach request message, and the attach request message is sent by the LTE UE.
Optionally, enabling the access network elements, the SGSN and the LTE UE to complete safety certification includes:
The access network elements send the special Ciphering Key to the SGSN; the SGSN sends a UMTS AKA authentication challenge to the access network elements; the access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; the LTE UE verifies the LTE AKA authentication challenge and generates RES and the key KASME, and then sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the SGSN; the SGSN compares whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements, the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the request requiring a special Ciphering Key being sent by the access network elements after receiving the request requiring a Ciphering Key sent by the SGSN includes:
The access network elements receive the request requiring a Ciphering Key sent by the SGSN;
The access network elements identify that an LTE UE is accessing the 2G or 3G network;
The access network elements add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the processor 820 generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The processor 820 is used to generate EPS AV for the LTE UE;
Further,
The processor 820 is used to set the 0th bit in the authentication management field AMF to 1 to indicate that this Ciphering Key is an EPS AV;
The processor 820 is used to generate RAND, AUTN, CK, IK and XRES;
The processor 820 is used to derive KASME from CK and IK; the derivation rule can be KASME=KDF (CK, IK), where KDF is the key derivation function;
The EPS AV consists of KASME, AUTN, XRES and RAND, where the value of the 0th bit of the AMF parameter in the AUTN is 1.
Optionally, the processor 820 is used to convert the EPS AV into UMTS AV format, so that the EPS AV can be sent to the SGSN in the existing UMTS authentication response. The method for converting the EPS AV into UMTS AV format includes: using the RAND, AUTN and XRES in the EPS AV as the RAND, AUTN and XRES of the UMTS AV, and splitting the KASME (256 bits) in the EPS AV into two parts, used respectively as the CK (128 bits) and IK (128 bits) of the UMTS AV. After the EPS AV is converted into UMTS AV format, the value of the 0th bit of the AMF in the AUTN remains 1. The vector obtained by converting the EPS AV into UMTS AV format is the special Ciphering Key.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME=CK || IK, where "||" denotes concatenation, i.e. IK is appended after CK.
In the embodiment of the present invention, the access network elements convert the messages sent by the LTE UE into messages suitable for the 2G or 3G network; after the access network elements identify the scenario in which the LTE UE accesses the 2G or 3G network through the access network elements, the HSS generates the special Ciphering Key, and safety certification between the LTE UE and the network is completed through the access network elements and the SGSN. The LTE UE does not need to be modified; the LTE UE can access the 2G or 3G core net through the access network elements of this embodiment, complete safety certification and use 2G or 3G core net resources.
Fig. 9 shows the GPRS Service support node of the safety certification of mobile communication system according to an embodiment of the present invention 900 schematic block diagram.Fig. 9 and its revealed device of explanation, can be based on Fig. 1 to Fig. 4 of the embodiment of the present invention and based on this The revealed method of inventive embodiments Fig. 1 to Fig. 4 can also be based on the revealed device of Fig. 5 and Fig. 8 of the embodiment of the present invention. As shown in figure 9, GPRS Service support node SGSN900 includes: receiver 910;Transmitter 920;
The receiver 910 is used to receive the UMTS attach request message of access network elements transmission, the UMTS Attach request message is the attach request message conversion gained that the access network elements send LTE UE;
The transmitter 920 is used to send the request for requiring Ciphering Key to the access network elements, so as to the access network elements After receiving the request for requiring Ciphering Key, the request for requiring special Ciphering Key is sent, and then to HSS so as to the HSS root The access network elements are sent to after requiring the request of special Ciphering Key to generate the special Ciphering Key according to this;
The receiver 910 is also used to receive the special Ciphering Key from the access network elements, and the transmitter 920 is also Transmission UMTS AKA authentication challenge gives the access network elements after receiving the special Ciphering Key for the receiver 910, so as to The SGSN, the access network elements and the LTE UE complete safety certification.
In embodiments of the present invention, after the access network elements identify the scenario in which an LTE UE accesses the 2G or 3G network, the access network elements request a special Ciphering Key from the HSS, and the HSS generates the special Ciphering Key according to the request, so that the SGSN, the access network elements and the LTE UE complete safety certification, allowing the LTE UE to use the 2G or 3G core net without any modification to the LTE UE.
Optionally, enabling the SGSN, the access network elements and the LTE UE to complete safety certification includes:
The access network elements convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge and send it to the LTE UE; the LTE UE verifies the LTE AKA authentication challenge and generates RES and the key KASME, and then sends an LTE AKA authentication response containing the RES to the access network elements, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, which further includes processor 930;
Optionally, which includes XRES, CK, IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The access network elements convert the LTE AKA authentication response into a UMTS AKA authentication response and send the UMTS AKA authentication response to the receiver 910; the processor 930 is used to compare whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements, the CK and/or IK being sent by the transmitter 920; the access network elements generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the processor 930 comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the access network elements sending the request requiring a special Ciphering Key to the HSS after receiving the request requiring a Ciphering Key includes:
The access network elements receive the request requiring a Ciphering Key sent by the SGSN;
The access network elements identify that an LTE UE is accessing the 2G or 3G network;
The access network elements add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format; the resulting vector is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the AUTN in the EPS AV as the AUTN of the UMTS AV, and the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the KASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
Optionally, the access network elements generating KASME according to the CK and/or IK includes:
The access network elements generate the KASME from the CK and/or IK according to the generation rule KASME=CK || IK.
In the embodiment of the present invention, message transmitted by LTE UE is converted to suitable for 2G or 3G by the access network elements The message of network, after identifying scene of the LTE UE by access network elements access 2G or 3G core net by SGSN, HSS is generated Special Ciphering Key completes the safety certification between LTE UE and network by the access network elements, SGSN.It does not need pair LTE UE makes an amendment, allow LTE UE through this embodiment in access network elements access 2G or 3G core net, complete peace It is complete to authenticate and use 2G or 3G resources of core network.
Figure 10 shows the access network elements 1000 of the safety certification of mobile communication system according to an embodiment of the present invention Schematic block diagram.Figure 10 and its revealed device of explanation, can be based on Fig. 1 to Fig. 4 of the embodiment of the present invention and based on the present invention The revealed method of embodiment Fig. 1 to Fig. 4, can also be revealed based on Fig. 5 of the embodiment of the present invention to Fig. 9 and Fig. 5 to Fig. 9 Device.As shown in Figure 10, which includes: receiver 1010, processor 1020, transmitter 1030;
The receiver 1010 is for receiving the attach request message from LTE UE;The processor 1020 is used for will The attach request message is converted to UMTS attach request message;
The transmitter 1030 is used to the UMTS attach request message being sent to SGSN, so that the SGSN is received Sending after the UMTS attach request message requires the request of Ciphering Key to give the receiver 1010;The transmitter 1030 Being also used to send after the receiver 1010 receives the request for requiring Ciphering Key requires the request of special Ciphering Key to this HSS, so that the HSS is according to requiring the request of special Ciphering Key to generate the special Ciphering Key, and then so that the HSS is by the spy Different Ciphering Key is sent to the receiver 1010;
The receiver 1010 is also used to receive UMTS AKA authentication challenge, which is the transmitter The special Ciphering Key is sent to after the SGSN and is sent by the SGSN by 1030;The processor 1020 is also used to the UMTS AKA Authentication challenge is converted into LTE AKA authentication challenge, which is also used to the LTE AKA authentication challenge being sent to this LTE UE, so that the access network elements, the SGSN and the LTE UE complete safety certification.
In embodiments of the present invention, the LTE UE information sent is converted to suitable for 2G or 3G net by access network elements The information of network system identifies the scene for LTE UE access 2G or 3G network by access network elements, and it is special to be generated by HSS Ciphering Key enables access network elements, SGSN and LTE UE to complete safety certification so that LTE UE can be used existing 2G or 3G core net.
Optionally, the access network elements, the SGSN and the LTE UE completing safety certification includes:
The LTE UE verifies the LTE AKA authentication challenge and then generates RES and the key KASME;
The receiver 1010 is used to receive the LTE AKA authentication response containing the RES sent by the LTE UE, so that the access network elements, the SGSN and the LTE UE further complete safety certification.
Optionally, the special Ciphering Key includes XRES, CK and IK;
Optionally, enabling the access network elements, the SGSN and the LTE UE to further complete safety certification includes:
The processor 1020 is also used to convert the LTE AKA authentication response containing the RES into a UMTS AKA authentication response containing the RES, and the transmitter 1030 is also used to send the UMTS AKA authentication response containing the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical; when the comparison result is identical, the SGSN sends the CK and/or IK to the access network elements;
The processor 1020 is also used to generate KASME according to the CK and/or IK, and the access network elements and the LTE UE share the KASME.
Optionally, the SGSN comparing whether the RES and the XRES are identical further includes: when the comparison result is not identical, stopping the safety certification.
Optionally, the transmitter 1030 being also used to send the request requiring a special Ciphering Key to the HSS after the receiver 1010 receives the request requiring a Ciphering Key includes:
The receiver 1010 is used to receive the request requiring a Ciphering Key sent by the SGSN;
The processor 1020 is used to identify that an LTE UE is accessing the 2G or 3G network;
The processor 1020 is also used to add indication information in the Ciphering Key and generate the request requiring a special Ciphering Key; the indication information is used to instruct the HSS to generate the special Ciphering Key.
Optionally, the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key includes:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
Optionally, the HSS converting the EPS AV into UMTS AV format includes:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME (256 bits) in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
Optionally, the processor 1020 is further used to generate the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK. "||" denotes concatenation, i.e., the IK is appended after the CK.
In this embodiment of the present invention, the access network element converts the messages sent by the LTE UE into messages suitable for a 2G or 3G network. After the access network element identifies the scenario in which the LTE UE accesses the 2G or 3G network through the access network element, the HSS generates a special Ciphering Key, and the safety certification between the LTE UE and the network is completed through the access network element and the SGSN. No modification of the LTE UE is needed: the LTE UE can access the 2G or 3G core network through the access network element of this embodiment, complete safety certification and use 2G or 3G core network resources.
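The vector conversion and key agreement described in this embodiment, as an added Python sketch that is not part of the patent text: HMAC-SHA-256 stands in for the operator's AKA functions and key derivation (an assumption, as are all function names and every field size other than the 256-bit K_ASME), and the sample key and RAND are constructed. It shows that the CK and IK handed to the SGSN are the two halves of K_ASME, so every element that handles the UMTS-format vector holds K_ASME itself.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Stand-in (assumption) for the real AKA functions and the K_ASME KDF."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


@dataclass(frozen=True)
class EpsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    kasme: bytes  # 256 bits, as stated in the text


@dataclass(frozen=True)
class UmtsAv:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def hss_generate_eps_av(k: bytes, rand: bytes) -> EpsAv:
    """HSS: generate an EPS AV for the LTE UE (field sizes are assumptions)."""
    return EpsAv(rand, _prf(k, b"AUTN", rand, 16), _prf(k, b"RES", rand, 8),
                 _prf(k, b"KASME", rand, 32))


def hss_eps_to_umts(av: EpsAv) -> UmtsAv:
    """HSS: RAND, AUTN and XRES are copied; K_ASME is split into CK and IK."""
    if len(av.kasme) != 32:
        raise ValueError("K_ASME must be 256 bits")
    return UmtsAv(av.rand, av.autn, av.xres, av.kasme[:16], av.kasme[16:])


def ue_answer_challenge(k: bytes, rand: bytes, autn: bytes):
    """LTE UE: verify the challenge, then return (RES, K_ASME)."""
    if not hmac.compare_digest(autn, _prf(k, b"AUTN", rand, 16)):
        raise ValueError("AUTN verification failed")
    return _prf(k, b"RES", rand, 8), _prf(k, b"KASME", rand, 32)


def sgsn_check_response(av: UmtsAv, res: bytes):
    """SGSN: release CK and IK only if RES equals XRES; None means stop."""
    if not hmac.compare_digest(res, av.xres):
        return None
    return av.ck, av.ik


def access_ne_rebuild_kasme(ck: bytes, ik: bytes) -> bytes:
    """Access network element: K_ASME = CK || IK (IK appended after CK)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must each be 128 bits")
    return ck + ik


def run_attach(k_hss: bytes, k_ue: bytes, rand: bytes = None):
    """Run the exchange; return (K_ASME at access NE, K_ASME at UE) or None."""
    if rand is None:
        rand = os.urandom(16)
    # HSS answers the request for a special vector with a UMTS-format AV.
    special_av = hss_eps_to_umts(hss_generate_eps_av(k_hss, rand))
    # SGSN challenge (RAND, AUTN) is relayed to the UE as an LTE AKA challenge.
    try:
        res, kasme_ue = ue_answer_challenge(k_ue, special_av.rand, special_av.autn)
    except ValueError:
        return None
    # The UE's RES is relayed back to the SGSN as a UMTS AKA response.
    keys = sgsn_check_response(special_av, res)
    if keys is None:
        return None
    return access_ne_rebuild_kasme(*keys), kasme_ue


if __name__ == "__main__":
    k = bytes(range(16))  # constructed subscriber key
    ne_key, ue_key = run_attach(k, k)
    print("K_ASME shared:", ne_key == ue_key)
```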
From the above description of the embodiments, it is apparent to those skilled in the art that the present invention can be implemented in hardware, firmware, or a combination thereof. When implemented in software, the above functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may include RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Furthermore, any connection may properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, optical fiber cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, optical fiber cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of the medium. As used in the present invention, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the protection scope of computer-readable media.
In short, the foregoing is merely a preferred embodiment of the technical solution of the present invention and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (50)

1. A safety certification method for a mobile communication system, characterized by comprising:
A home subscriber server (HSS) receives a request requiring a special Ciphering Key sent by an access network element, the request requiring a special Ciphering Key being sent by the access network element after it receives a request requiring a Ciphering Key sent by a serving GPRS support node (SGSN);
The HSS generates the special Ciphering Key according to the request requiring a special Ciphering Key;
The HSS sends the special Ciphering Key to the access network element, so that the access network element, the SGSN and an LTE UE complete safety certification.
2. The method according to claim 1, characterized in that the request requiring a Ciphering Key is sent by the SGSN after it receives a UMTS attach request message sent by the access network element, the UMTS attach request message being obtained by the access network element by converting an attach request message, and the attach request message being sent by the LTE UE.
3. The method according to claim 1 or 2, characterized in that the access network element, the SGSN and the LTE UE completing safety certification comprises:
The access network element sends the special Ciphering Key to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates RES and key K_ASME, the LTE UE sends an LTE AKA authentication response comprising the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete safety certification.
4. The method according to claim 1 or 2, characterized in that:
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, the SGSN compares whether the RES and the XRES are identical, and when the comparison result is identical, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
5. The method according to claim 4, characterized in that the SGSN comparing whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
6. The method according to claim 1, characterized in that the request requiring a special Ciphering Key being sent by the access network element after it receives the request requiring a Ciphering Key sent by the SGSN comprises:
The access network element receives the request requiring a Ciphering Key sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
7. The method according to claim 4, characterized in that the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
8. The method according to claim 7, characterized in that the HSS converting the EPS AV into UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
9. The method according to claim 4, characterized in that the access network element generating K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
10. A safety certification method for a mobile communication system, characterized by comprising:
An SGSN receives a UMTS attach request message sent by an access network element, the UMTS attach request message being obtained by the access network element by converting an attach request message sent by an LTE UE;
The SGSN sends a request requiring a Ciphering Key to the access network element, so that the access network element, after receiving the request requiring a Ciphering Key, sends a request requiring a special Ciphering Key to an HSS, and so that the HSS generates the special Ciphering Key according to the request requiring a special Ciphering Key and sends it to the access network element;
After receiving the special Ciphering Key from the access network element, the SGSN sends a UMTS AKA authentication challenge to the access network element, so that the SGSN, the access network element and the LTE UE complete safety certification.
11. The method according to claim 10, characterized in that the SGSN, the access network element and the LTE UE completing safety certification comprises:
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates RES and key K_ASME, the LTE UE sends an LTE AKA authentication response comprising the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete safety certification.
12. The method according to claim 10 or 11, characterized in that:
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, the SGSN compares whether the RES and the XRES are identical, and when the comparison result is identical, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
13. The method according to claim 12, characterized in that the SGSN comparing whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
14. The method according to claim 10, characterized in that the access network element sending the request requiring a special Ciphering Key to the HSS after receiving the request requiring a Ciphering Key comprises:
The access network element receives the request requiring a Ciphering Key sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
15. The method according to claim 12, characterized in that the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
16. The method according to claim 15, characterized in that the HSS converting the EPS AV into UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
17. The method according to claim 12, characterized in that the access network element generating K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
18. A safety certification method for a mobile communication system, characterized by comprising:
An access network element converts an attach request message from an LTE UE into a UMTS attach request message;
The access network element sends the UMTS attach request message to an SGSN, so that the SGSN, after receiving the UMTS attach request message, sends a request requiring a Ciphering Key to the access network element;
After receiving the request requiring a Ciphering Key, the access network element sends a request requiring a special Ciphering Key to an HSS, so that the HSS generates the special Ciphering Key according to the request requiring a special Ciphering Key and then sends the special Ciphering Key to the access network element;
The access network element receives a UMTS AKA authentication challenge, the UMTS AKA authentication challenge being sent by the SGSN after the access network element sends the special Ciphering Key to the SGSN;
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, so that the access network element, the SGSN and the LTE UE complete safety certification.
19. The method according to claim 18, characterized in that the access network element, the SGSN and the LTE UE completing safety certification comprises:
The LTE UE generates RES and key K_ASME after verifying the LTE AKA authentication challenge;
The access network element receives the LTE AKA authentication response comprising the RES sent by the LTE UE, so that the access network element, the SGSN and the LTE UE further complete safety certification.
20. The method according to claim 18 or 19, characterized in that:
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The access network element converts the LTE AKA authentication response comprising the RES into a UMTS AKA authentication response comprising the RES, and the access network element sends the UMTS AKA authentication response comprising the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical, and when the comparison result is identical, the SGSN sends the CK and/or IK to the access network element;
The access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
21. The method according to claim 20, characterized in that the SGSN comparing whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
22. The method according to claim 18, characterized in that the access network element sending the request requiring a special Ciphering Key to the HSS after receiving the request requiring a Ciphering Key comprises:
The access network element receives the request requiring a Ciphering Key sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
23. The method according to claim 20, characterized in that the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
24. The method according to claim 23, characterized in that the HSS converting the EPS AV into UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
25. The method according to claim 20, characterized in that the access network element generating K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
26. An HSS, characterized by comprising: a receiving module, a processing module and a sending module;
The receiving module is used to receive a request requiring a special Ciphering Key sent by an access network element, the request requiring a special Ciphering Key being sent by the access network element after it receives a request requiring a Ciphering Key sent by an SGSN;
The processing module is used to generate the special Ciphering Key according to the request requiring a special Ciphering Key;
The sending module is used to send the special Ciphering Key to the access network element, so that the access network element, the SGSN and an LTE UE complete safety certification.
27. The HSS according to claim 26, characterized in that the request requiring a Ciphering Key is sent by the SGSN after it receives a UMTS attach request message sent by the access network element, the UMTS attach request message being obtained by the access network element by converting an attach request message, and the attach request message being sent by the LTE UE.
28. The HSS according to claim 26 or 27, characterized in that the access network element, the SGSN and the LTE UE completing safety certification comprises:
The access network element sends the special Ciphering Key to the SGSN, the SGSN sends a UMTS AKA authentication challenge to the access network element, the access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates RES and key K_ASME, the LTE UE sends an LTE AKA authentication response comprising the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete safety certification.
29. The HSS according to claim 26 or 27, characterized in that:
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the SGSN, the SGSN compares whether the RES and the XRES are identical, and when the comparison result is identical, the SGSN sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
30. The HSS according to claim 29, characterized in that the SGSN comparing whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
31. The HSS according to claim 26, characterized in that the request requiring a special Ciphering Key being sent by the access network element after it receives the request requiring a Ciphering Key sent by the SGSN comprises:
The access network element receives the request requiring a Ciphering Key sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
32. The HSS according to claim 29, characterized in that the processing module being used to generate the special Ciphering Key according to the request requiring a special Ciphering Key comprises:
The processing module is used to generate an EPS AV for the LTE UE;
The processing module is used to convert the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
33. The HSS according to claim 32, characterized in that the processing module being used to convert the EPS AV into UMTS AV format comprises:
The processing module is used to use the RAND in the EPS AV as the RAND of the UMTS AV, the processing module is used to use the AUTN in the EPS AV as the AUTN of the UMTS AV, the processing module is used to use the XRES in the EPS AV as the XRES of the UMTS AV, and the processing module is used to split the K_ASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
34. The HSS according to claim 29, characterized in that the access network element generating K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
35. An SGSN, characterized by comprising: a receiving module and a sending module;
The receiving module is used to receive a UMTS attach request message sent by an access network element, the UMTS attach request message being obtained by the access network element by converting an attach request message sent by an LTE UE;
The sending module is used to send a request requiring a Ciphering Key to the access network element, so that the access network element, after receiving the request requiring a Ciphering Key, sends a request requiring a special Ciphering Key to an HSS, and so that the HSS generates the special Ciphering Key according to the request requiring a special Ciphering Key and sends it to the access network element;
The receiving module is also used to receive the special Ciphering Key from the access network element, and the sending module is also used to send a UMTS AKA authentication challenge to the access network element after the receiving module receives the special Ciphering Key, so that the SGSN, the access network element and the LTE UE complete safety certification.
36. The SGSN according to claim 35, characterized in that the SGSN, the access network element and the LTE UE completing safety certification comprises:
The access network element converts the UMTS AKA authentication challenge into an LTE AKA authentication challenge and sends it to the LTE UE, and after the LTE UE performs verification according to the LTE AKA authentication challenge and generates RES and key K_ASME, the LTE UE sends an LTE AKA authentication response comprising the RES to the access network element, so that the access network element, the SGSN and the LTE UE further complete safety certification.
37. The SGSN according to claim 35 or 36, characterized in that the SGSN further comprises a processing module;
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The access network element converts the LTE AKA authentication response into a UMTS AKA authentication response and sends the UMTS AKA authentication response to the receiving module, the processing module is used to compare whether the RES and the XRES are identical, and when the comparison result is identical, the sending module sends the CK and/or IK to the access network element, the access network element generates K_ASME according to the CK and/or IK, the CK and/or IK being sent by the sending module, and the access network element and the LTE UE share the K_ASME.
38. The SGSN according to claim 37, characterized in that the processing module being used to compare whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
39. The SGSN according to claim 35, characterized in that the access network element sending the request requiring a special Ciphering Key to the HSS after receiving the request requiring a Ciphering Key comprises:
The access network element receives the request requiring a Ciphering Key sent by the SGSN;
The access network element identifies that an LTE UE is accessing a 2G or 3G network;
The access network element adds indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
40. The SGSN according to claim 37, characterized in that the HSS generating the special Ciphering Key according to the request requiring a special Ciphering Key comprises:
The HSS generates an EPS AV for the LTE UE;
The HSS converts the EPS AV into UMTS AV format, and the EPS AV converted into UMTS AV format is the special Ciphering Key.
41. The SGSN according to claim 40, characterized in that the HSS converting the EPS AV into UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV, the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV, the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV, and the HSS splits the K_ASME in the EPS AV into two parts, used respectively as the CK and the IK of the UMTS AV.
42. The SGSN according to claim 37, characterized in that the access network element generating K_ASME according to the CK and/or IK comprises:
The access network element generates the K_ASME from the CK and/or IK according to the generation rule K_ASME = CK || IK.
43. An access network element, characterized by comprising: a receiving module, a processing module and a sending module;
The receiving module is used to receive an attach request message from an LTE UE; the processing module is used to convert the attach request message into a UMTS attach request message;
The sending module is used to send the UMTS attach request message to an SGSN, so that the SGSN, after receiving the UMTS attach request message, sends a request requiring a Ciphering Key to the receiving module; the sending module is also used to send a request requiring a special Ciphering Key to an HSS after the receiving module receives the request requiring a Ciphering Key, so that the HSS generates the special Ciphering Key according to the request requiring a special Ciphering Key and then sends the special Ciphering Key to the receiving module;
The receiving module is also used to receive a UMTS AKA authentication challenge, the UMTS AKA authentication challenge being sent by the SGSN after the sending module sends the special Ciphering Key to the SGSN; the processing module is also used to convert the UMTS AKA authentication challenge into an LTE AKA authentication challenge, and the sending module is also used to send the LTE AKA authentication challenge to the LTE UE, so that the access network element, the SGSN and the LTE UE complete safety certification.
44. The access network element according to claim 43, characterized in that the access network element, the SGSN and the LTE UE completing safety certification comprises:
The LTE UE generates RES and key K_ASME after verifying the LTE AKA authentication challenge;
The receiving module is used to receive the LTE AKA authentication response comprising the RES sent by the LTE UE, so that the access network element, the SGSN and the LTE UE further complete safety certification.
45. The access network element according to claim 43 or 44, characterized in that:
The special Ciphering Key includes XRES, CK and IK;
The access network element, the SGSN and the LTE UE further completing safety certification comprises:
The processing module is also used to convert the LTE AKA authentication response comprising the RES into a UMTS AKA authentication response comprising the RES, and the sending module is also used to send the UMTS AKA authentication response comprising the RES to the SGSN, so that the SGSN compares whether the RES and the XRES are identical, and when the comparison result is identical, the SGSN sends the CK and/or IK to the access network element;
The processing module is also used to generate K_ASME according to the CK and/or IK, and the access network element and the LTE UE share the K_ASME.
46. The access network element according to claim 45, characterized in that the SGSN comparing whether the RES and the XRES are identical further comprises: when the comparison result is not identical, stopping the safety certification.
47. The access network element according to claim 43, characterized in that the sending module being also used to send the request requiring a special Ciphering Key to the HSS after the receiving module receives the request requiring a Ciphering Key comprises:
The receiving module is used to receive the request requiring a Ciphering Key sent by the SGSN;
The processing module is used to identify that an LTE UE is accessing a 2G or 3G network;
The processing module is also used to add indication information in the Ciphering Key to generate the request requiring a special Ciphering Key, the indication information being used to instruct the HSS to generate the special Ciphering Key.
48. access network elements according to claim 45, which is characterized in that described special according to requiring so as to the HSS The request of Ciphering Key generates the special Ciphering Key
The HSS is that the LTE UE generates EPS AV;
The EPS AV is converted into UMTS AV format by the HSS, and the EPS AV for being converted to UMTS AV format is described Special Ciphering Key.
49. The access network element according to claim 48, characterized in that the HSS converting the EPS AV into UMTS AV format comprises:
The HSS uses the RAND in the EPS AV as the RAND of the UMTS AV; the HSS uses the AUTN in the EPS AV as the AUTN of the UMTS AV; the HSS uses the XRES in the EPS AV as the XRES of the UMTS AV; and the HSS splits the KASME (256 bits) in the EPS AV into two parts, which serve respectively as the CK and the IK of the UMTS AV.
50. The access network element according to claim 45, characterized in that
The processing module is further configured to generate the KASME from the CK and/or IK according to the generation rule KASME = CK || IK.
CN201380070865.9A 2013-01-22 2013-01-22 The method and the network equipment of the safety certification of mobile communication system Active CN105075306B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/070841 WO2014113921A1 (en) 2013-01-22 2013-01-22 Method and network device for security authentication of mobile communication system

Publications (2)

Publication Number Publication Date
CN105075306A CN105075306A (en) 2015-11-18
CN105075306B true CN105075306B (en) 2019-05-28

Family

ID=51226806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380070865.9A Active CN105075306B (en) 2013-01-22 2013-01-22 The method and the network equipment of the safety certification of mobile communication system

Country Status (2)

Country Link
CN (1) CN105075306B (en)
WO (1) WO2014113921A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105075306B (en) * 2013-01-22 2019-05-28 华为技术有限公司 The method and the network equipment of the safety certification of mobile communication system
CN108809903B (en) * 2017-05-02 2021-08-10 中国移动通信有限公司研究院 Authentication method, device and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155126A (en) * 2006-09-25 2008-04-02 华为技术有限公司 System, device and method for implementing mobility management
CN101600205A (en) * 2009-07-10 2009-12-09 华为技术有限公司 The method and the relevant device of SIM card subscriber equipment cut-in evolution network
WO2014113921A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098221A (en) * 2006-06-26 2008-01-02 华为技术有限公司 Network layer safety authentication method in wireless cellular network
US8094817B2 (en) * 2006-10-18 2012-01-10 Telefonaktiebolaget Lm Ericsson (Publ) Cryptographic key management in communication networks
EP2218270B1 (en) * 2007-10-29 2011-11-23 Nokia Corporation System and method for authenticating a context transfer
CN102238544A (en) * 2010-05-06 2011-11-09 中兴通讯股份有限公司 Mobile network authentication method and system

Also Published As

Publication number Publication date
WO2014113921A1 (en) 2014-07-31
CN105075306A (en) 2015-11-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant