CN105532026A - Method and device for providing and acquiring security context - Google Patents

Method and device for providing and acquiring security context

Info

Publication number
CN105532026A
Authority
CN
China
Prior art keywords
equipment
core network
nas message
message
context
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201380079475.8A
Other languages
Chinese (zh)
Inventor
张丽佳
陈璟
张万强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of CN105532026A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08 Mobility data transfer

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a method and device for providing and acquiring a security context, used for allowing a core network device in a specific network to acquire a security context. The providing method comprises: a first core network device receives a NAS message from a UE; when it is determined that the NAS message needs to be rerouted to a second core network device in a specific network, the first core network device transmits a rerouting command to an access network device, where the rerouting command comprises the NAS message and information used for determining the second core network device; the first core network device receives a context request transmitted by the second core network device, where the context request comprises a rerouting indication, a UE identifier and a key set identifier; the first core network device looks up the corresponding security context on the basis of the UE identifier and the key set identifier and transmits the security context to the second core network device, where the root key is a root key in the security context.

Description

Method and device for providing and acquiring a security context

Technical field

The present invention relates to the field of communication technology, and in particular to a method and device for providing and acquiring a security context.

Background
User equipments (UEs) of Release 10 (R10) and later can report a Low Access Priority Indicator (LAPI) to the evolved NodeB (eNB), so that the eNB can select a specific network for the UE according to the indicator the UE reports. This prevents UEs that carry out a specific service from affecting the general network, for example the network congestion caused when a large number of low-priority UEs access the network. One such specific service is Machine Type Communication (MTC). A specific network is a network that serves a specific service, for example a machine type communication network: all devices used for MTC attach to this network and communicate within it, which prevents MTC from affecting the general network. The architecture of the specific network is the same as that of the general network; only the functions of some network entities differ.
The pre-R10 UEs that are currently in widespread use do not support this function. To support it without changing existing UEs, the prior art proposes a network-side scheme that lets a pre-R10 UE also communicate in the specific network. The method is shown in Fig. 1: the UE initiates an attach request or location update request to the network side; the Mobility Management Entity (MME) requests subscription data from the Home Subscriber Server (HSS); when the subscription data contains an indication that the UE communicates in a specific network, the MME forwards the Non-Access Stratum (NAS) message, such as the attach request or location update request, through the eNB to a specific MME, that is, the MME in the specific network.
Before the MME obtains the subscription data from the HSS, a security association has already been established between the UE and the MME. The network-side reselection of a specific MME is not visible to the UE, so the specific MME needs to obtain the security context from the MME in order to communicate securely with the UE using that security context. In addition, if the NAS message is integrity-protected, it must be considered how the specific MME performs the integrity check on the rerouted NAS message.
The Tracking Area Update (TAU) procedure of the prior art is as follows. Assume that when the UE initiates the TAU, the new MME (MMEn) has no available security context and must request it from the old MME (MMEo). Referring to Fig. 2, the procedure specifically includes:
MMEn sends a security context request message to MMEo; the request message contains the Globally Unique Temporary UE Identity (GUTI) that MMEo allocated to the UE, that is, the old GUTI (GUTIo), and also the complete TAU message received from the UE;
MMEo retrieves the user data from its database according to GUTIo, verifies the integrity of the TAU request using the retrieved security context, and sends the authentication data and the UE's International Mobile Subscriber Identification Number (IMSI) to MMEn, where the security context is contained in the authentication data; MMEn stores the received security context.
In summary, in the MME reselection scenario the prior art does not solve how the specific MME obtains the UE's security context, so the specific MME cannot communicate securely with the UE.

Content of the invention

The present invention provides a method and device for providing and acquiring a security context, so that a core network device in a specific network can obtain the UE's security context and thereby communicate securely with the UE.
In a first aspect, an embodiment of the present invention provides a method for providing a security context, comprising: a first core network device receives a Non-Access Stratum (NAS) message sent by a user equipment (UE);
when it determines that the NAS message needs to be rerouted to a second core network device in a specific network, the first core network device sends a reroute command to an access network device, the reroute command containing the NAS message and information for determining the second core network device; the first core network device receives a context request sent by the second core network device, the context request containing an identifier of the UE and a key set identifier; the first core network device looks up the corresponding security context according to the identifier of the UE and the key set identifier, and sends the security context to the second core network device.
With reference to the first aspect, in a first possible implementation, before the first core network device sends the reroute command to the access network device, the method further comprises:
the first core network device reconstructs the received NAS message, and the NAS message contained in the reroute command is the reconstructed NAS message.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the first core network device reconstructing the NAS message received from the UE comprises:
the first core network device replaces the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
the first core network device computes an integrity protection check value according to the current security context, and uses the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
With reference to the second possible implementation of the first aspect, in a third possible implementation, using the integrity protection check value as the MAC IE in the NAS message sent by the UE comprises:
filling the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replacing the MAC in the NAS message sent by the UE with the integrity protection check value.
With reference to the second possible implementation of the first aspect, in a fourth possible implementation, the first core network device reconstructing the NAS message received from the UE further comprises: the first core network device replaces the identifier of the UE in the NAS message received from the UE with the identifier that the first core network device allocated to the UE.
With reference to the first aspect, in a fifth possible implementation, the key set identifier is contained in the context request; or the key set identifier is contained in the NAS message, and the NAS message is contained in the context request.
With reference to the first aspect, in a sixth possible implementation, after the first core network device determines the current security context and before it sends the security context to the second core network device, the method further comprises: the first core network device verifies the integrity of the NAS message carried in the context request using the current security context;
the step in which the first core network device sends the security context to the second core network device is then performed only when the verification succeeds.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation, the first core network device verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE comprises:
the first core network device verifies the integrity protection check value or the MAC value in the NAS message carried in the context request; or
the first core network device verifies the integrity protection check value in the context request.
With reference to the first aspect, in an eighth possible implementation, the reroute command further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
With reference to the first aspect, in a ninth possible implementation, the context request further contains: a reroute indication and/or an integrity protection check value, the reroute indication being used to indicate that the NAS message has been rerouted to the second core network device.
In a second aspect, an embodiment of the present invention provides a method for acquiring a security context, comprising: a second core network device receives a particular message sent by an access network device, the particular message containing a Non-Access Stratum (NAS) message;
the second core network device determines a first core network device according to the particular message and sends a context request to the first core network device, the context request containing an identifier of the UE and a key set identifier; the second core network device receives a context response sent by the first core network device and obtains the security context from it, the security context being the one that the first core network device determined according to the identifier of the UE and the key set identifier in the context request.
With reference to the second aspect, in a first possible implementation, the NAS message contains the identifier that the first core network device allocated to the UE, and the second core network device determines the first core network device according to that identifier.
With reference to the second aspect, in a second possible implementation, the particular message further contains identification information of the first core network device, and the second core network device determines the first core network device according to that identification information.
With reference to the second aspect, in a third possible implementation, the key set identifier is contained in the context request; or
the key set identifier is contained in the NAS message, and the NAS message is contained in the context request.
With reference to the second aspect, or to the first, second or third possible implementation of the second aspect, in a fourth possible implementation, the security context of the UE obtained by the second core network device contains the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation, after the second core network device obtains the security context of the UE, the method further comprises:
when the second core network device needs to select a new algorithm, the second core network device derives new NAS keys using the new algorithm and sends a NAS Security Mode Command message to the UE, the message containing the identifier of the new algorithm, where the new algorithm comprises an encryption algorithm and/or an integrity protection algorithm;
the second core network device receives the NAS Security Mode Complete message fed back by the UE.
With reference to the second aspect, in a sixth possible implementation, the context request further contains: a reroute indication and/or an integrity protection check value, the reroute indication being used to indicate that the NAS message has been rerouted to the second core network device.
With reference to the second aspect, in a seventh possible implementation, the particular message further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
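The algorithm reselection of the fifth implementation of the second aspect, as an added example that is not part of the patent: MME2 compares the algorithms MME1 used (carried in the acquired context) with its own preference, derives new NAS keys when they differ, and runs the NAS Security Mode Command / Complete exchange with the UE. The key derivation is modelled on the 3GPP TS 33.401 Annex A.7 algorithm-key KDF as recalled here, and its constants, the algorithm identities, the root key and the message layouts are this example's assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed example of MME2 (second core network device) reselecting NAS algorithms after
# acquiring the UE's security context from MME1. The KDF below follows the shape of the
# TS 33.401 Annex A.7 algorithm-key derivation (HMAC-SHA256 over FC||P0||L0||P1||L1,
# keeping the 128 least significant bits); treat the constants as this example's assumption.

ALG_ID = {"EEA0": 0, "EEA1": 1, "EEA2": 2, "EIA1": 1, "EIA2": 2}  # 4-bit algorithm identities
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02  # algorithm type distinguishers

def derive_nas_key(k_asme: bytes, alg_type: int, alg_name: str) -> bytes:
    """K_NASenc / K_NASint from the root key K_ASME for one algorithm type and identity."""
    s = bytes([0x15, alg_type, 0x00, 0x01, ALG_ID[alg_name], 0x00, 0x01])
    return hmac.new(k_asme, s, hashlib.sha256).digest()[16:]

def nas_mac(k_nas_int: bytes, msg: dict) -> str:
    """Stand-in for the NAS integrity algorithm: HMAC-SHA256 truncated to 32 bits."""
    payload = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "mac")
    return hmac.new(k_nas_int, payload.encode(), hashlib.sha256).hexdigest()[:8]

class UE:
    def __init__(self, k_asme: bytes) -> None:
        self.k_asme = k_asme
        self.k_nas_int: Optional[bytes] = None
        self.k_nas_enc: Optional[bytes] = None

    def handle_security_mode_command(self, smc: dict) -> Optional[dict]:
        """Derive keys for the signalled algorithms, check the command's MAC, then reply."""
        k_int = derive_nas_key(self.k_asme, NAS_INT_ALG, smc["int_alg"])
        if not hmac.compare_digest(nas_mac(k_int, smc), smc["mac"]):
            return None  # command not accepted; the old keys stay in use
        self.k_nas_int = k_int
        self.k_nas_enc = derive_nas_key(self.k_asme, NAS_ENC_ALG, smc["enc_alg"])
        done = {"type": "SECURITY_MODE_COMPLETE", "ksi": smc["ksi"]}
        done["mac"] = nas_mac(self.k_nas_int, done)  # protected with the new integrity key
        return done

class SecondCoreDevice:
    def __init__(self, acquired_ctx: dict, enc_priority: List[str], int_priority: List[str]) -> None:
        self.ctx = acquired_ctx  # from MME1: KSI, root key K_ASME and the algorithms MME1 used
        self.enc_priority, self.int_priority = enc_priority, int_priority
        self.k_nas_int: Optional[bytes] = None
        self.k_nas_enc: Optional[bytes] = None

    def select_algorithms(self) -> Tuple[str, str]:
        return self.enc_priority[0], self.int_priority[0]

    def start_security_mode(self) -> Optional[dict]:
        """Return a NAS Security Mode Command when MME2 needs algorithms other than the ones
        MME1 used; None means the acquired context is usable as it is."""
        enc, integ = self.select_algorithms()
        if (enc, integ) == (self.ctx["enc_alg"], self.ctx["int_alg"]):
            return None
        self.k_nas_int = derive_nas_key(self.ctx["k_asme"], NAS_INT_ALG, integ)
        self.k_nas_enc = derive_nas_key(self.ctx["k_asme"], NAS_ENC_ALG, enc)
        smc = {"type": "SECURITY_MODE_COMMAND", "ksi": self.ctx["ksi"],
               "enc_alg": enc, "int_alg": integ}
        smc["mac"] = nas_mac(self.k_nas_int, smc)
        return smc

    def handle_security_mode_complete(self, done: dict) -> bool:
        if self.k_nas_int is None:
            return False
        return hmac.compare_digest(nas_mac(self.k_nas_int, done), done["mac"])

def run_reselection(enc_priority: List[str], int_priority: List[str]) -> dict:
    """Run the procedure on constructed keys and report whether both sides agree."""
    k_asme = hashlib.sha256(b"constructed K_ASME").digest()
    ctx = {"ksi": 3, "k_asme": k_asme, "enc_alg": "EEA1", "int_alg": "EIA1"}
    mme2 = SecondCoreDevice(ctx, enc_priority, int_priority)
    ue = UE(k_asme)
    smc = mme2.start_security_mode()
    if smc is None:
        return {"smc_sent": False, "accepted": False}
    done = ue.handle_security_mode_command(smc)
    accepted = done is not None and mme2.handle_security_mode_complete(done)
    keys_match = ue.k_nas_int == mme2.k_nas_int and ue.k_nas_enc == mme2.k_nas_enc
    return {"smc_sent": True, "accepted": accepted, "keys_match": keys_match,
            "int_alg": smc["int_alg"], "enc_alg": smc["enc_alg"]}
```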
In a third aspect, an embodiment of the present invention provides a method for receiving and processing a reroute command, comprising: an access network device receives a reroute command sent by a first core network device, the reroute command containing a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
the access network device determines the second core network device according to the indication information, and sends a particular message carrying the NAS message to the second core network device.
With reference to the third aspect, in a first possible implementation, the particular message further contains: a reroute indication, used to indicate that the NAS message has been rerouted to the second core network device.
With reference to the third aspect, or to the first possible implementation of the third aspect, in a second possible implementation, the particular message further contains:
identification information of the first core network device, according to which the second core network device determines the first core network device.
With reference to the third aspect, in a third possible implementation, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
With reference to the third aspect, in a fourth possible implementation, the reroute command further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
With reference to the third aspect, in a fifth possible implementation, the particular message further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
In a fourth aspect, an embodiment of the present invention provides a device for providing a security context, comprising: a NAS message receiving unit, configured to receive the Non-Access Stratum (NAS) message sent by a user equipment (UE); a reroute command sending unit, configured to send a reroute command to an access network device when it is determined that the NAS message needs to be rerouted to a second core network device in a specific network, the reroute command containing the NAS message and information for determining the second core network device;
and a security context providing unit, configured to receive the context request sent by the second core network device, the context request containing an identifier of the UE and a key set identifier, to look up the corresponding security context according to the identifier of the UE and the key set identifier, and to send the security context to the second core network device.
With reference to the fourth aspect, in a first possible implementation, the reroute command sending unit is further configured to:
reconstruct the received NAS message before the reroute command is sent to the access network device, the NAS message contained in the reroute command being the reconstructed NAS message.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation, when reconstructing the NAS message received from the UE, the reroute command sending unit is specifically configured to:
replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
compute an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation, when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the reroute command sending unit is specifically configured to:
fill the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replace the MAC in the NAS message sent by the UE with the integrity protection check value.
With reference to the second possible implementation of the fourth aspect, in a fourth possible implementation, the reroute command sending unit is further configured to:
replace the identifier of the UE in the NAS message received from the UE with the identifier that the first core network device allocated to the UE.
With reference to the fourth aspect, in a fifth possible implementation, the key set identifier is contained in the context request; or
the key set identifier is contained in the NAS message, and the NAS message is contained in the context request.
With reference to the fourth aspect, in a sixth possible implementation, the security context providing unit is further configured to:
after the current security context is determined and before the security context is sent to the second core network device, verify the integrity of the NAS message carried in the context request using the current security context;
and to send the security context to the second core network device only when the verification succeeds.
With reference to the sixth possible implementation of the fourth aspect, in a seventh possible implementation, when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the security context providing unit is specifically configured to:
verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
verify the integrity protection check value in the context request.
With reference to the fourth aspect, in an eighth possible implementation, the reroute command further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
With reference to the fourth aspect, in a ninth possible implementation, the context request further contains: a reroute indication and/or an integrity protection check value, the reroute indication being used to indicate that the NAS message has been rerouted to the second core network device.
In a fifth aspect, an embodiment of the present invention provides a device for acquiring a security context, comprising: a particular message receiving unit, configured to receive the particular message sent by an access network device, the particular message containing a Non-Access Stratum (NAS) message;
a context requesting unit, configured to determine a first core network device according to the particular message and to send a context request to the first core network device, the context request containing an identifier of the UE and a key set identifier;
and a context acquiring unit, configured to receive the context response sent by the first core network device and to obtain the security context from it, the security context being the one that the first core network device determined according to the identifier of the UE and the key set identifier in the context request.
With reference to the fifth aspect, in a first possible implementation, the NAS message contains the identifier that the first core network device allocated to the UE, and the second core network device determines the first core network device according to that identifier.
With reference to the fifth aspect, in a second possible implementation, the particular message further contains identification information of the first core network device, and the second core network device determines the first core network device according to that identification information.
With reference to the fifth aspect, in a third possible implementation, the key set identifier is contained in the context request; or
the key set identifier is contained in the NAS message, and the NAS message is contained in the context request.
With reference to the fifth aspect, or to the first, second or third possible implementation of the fifth aspect, in a fourth possible implementation, the security context contains the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
With reference to the fourth possible implementation of the fifth aspect, in a fifth possible implementation, the device further: when a new algorithm needs to be selected, derives new NAS keys using the new algorithm and sends a NAS Security Mode Command message to the UE, the message containing the identifier of the new algorithm, where the new algorithm comprises an encryption algorithm and/or an integrity protection algorithm;
and receives the NAS Security Mode Complete message fed back by the UE.
With reference to the fifth aspect, in a sixth possible implementation, the context request further contains: a reroute indication and/or an integrity protection check value, the reroute indication being used to indicate that the NAS message has been rerouted to the second core network device.
With reference to the fifth aspect, in a seventh possible implementation, the particular message further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
In a sixth aspect, an embodiment of the present invention provides a device for receiving and processing a reroute command, comprising: a reroute command receiving unit, configured to receive the reroute command sent by a first core network device, the reroute command containing a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
and a particular message sending unit, configured to determine the second core network device according to the indication information, and to send a particular message carrying the NAS message to the second core network device.
With reference to the sixth aspect, in a first possible implementation, the particular message further contains: a reroute indication, used to indicate that the NAS message has been rerouted to the second core network device.
With reference to the sixth aspect, or to the first possible implementation of the sixth aspect, in a second possible implementation, the particular message further contains: identification information of the first core network device, according to which the second core network device determines the first core network device.
With reference to the sixth aspect, in a third possible implementation, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
With reference to the sixth aspect, in a fourth possible implementation, the reroute command further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
With reference to the sixth aspect, in a fifth possible implementation, the particular message further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
In a seventh aspect, an embodiment of the present invention provides a device for providing a security context, the device comprising a processor and a transceiver, wherein:
the transceiver receives the Non-Access Stratum (NAS) message sent by a user equipment (UE);
when the processor determines that the NAS message needs to be rerouted to a second core network device in a specific network, it sends a reroute command to an access network device through the transceiver, the reroute command containing the NAS message and information for determining the second core network device;
the transceiver receives the context request sent by the second core network device, the context request containing an identifier of the UE and a key set identifier; the processor looks up the corresponding security context according to the identifier of the UE and the key set identifier, and sends the security context to the second core network device through the transceiver.
With reference to the seventh aspect, in a first possible implementation, before the transceiver sends the reroute command to the access network device, the processor is further configured to reconstruct the received NAS message, the NAS message contained in the reroute command being the reconstructed NAS message.
With reference to the first possible implementation of the seventh aspect, in a second possible implementation, when reconstructing the received NAS message, the processor is specifically configured to:
replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
compute an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
With reference to the second possible implementation of the seventh aspect, in a third possible implementation, when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the processor is specifically configured to:
fill the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replace the MAC in the NAS message sent by the UE with the integrity protection check value.
With reference to the second possible implementation of the seventh aspect, in a fourth possible implementation, when reconstructing the received NAS message, the processor is further configured to:
replace the identifier of the UE in the NAS message received from the UE with the identifier that the first core network device allocated to the UE.
With reference to the seventh aspect, in a fifth possible implementation, the key set identifier is contained in the context request; or
the key set identifier is contained in the NAS message, and the NAS message is contained in the context request.
With reference to the seventh aspect, in a sixth possible implementation, after the processor determines the current security context and before the security context is sent to the second core network device through the transceiver, the processor is further configured to: verify the integrity of the NAS message carried in the context request using the current security context; and, only when the verification succeeds, send the security context to the second core network device through the transceiver.
With reference to the sixth possible implementation of the seventh aspect, in a seventh possible implementation, when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the processor is specifically configured to:
verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
verify the integrity protection check value in the context request.
With reference to the seventh aspect, in an eighth possible implementation, the reroute command further contains: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
With reference to the seventh aspect, in a ninth possible implementation, the context request further contains: a reroute indication and/or an integrity protection check value, the reroute indication being used to indicate that the NAS message has been rerouted to the second core network device.
In an eighth aspect, an embodiment of the present invention provides a device for acquiring a security context, the device comprising a transceiver and a processor, wherein:
the transceiver receives the particular message sent by an access network device, the particular message containing a Non-Access Stratum (NAS) message;
the processor determines a first core network device according to the particular message, and the transceiver sends a context request to the first core network device, the context request containing an identifier of the UE and a key set identifier;
the transceiver receives the context response sent by the first core network device, and the processor obtains the security context from it, the security context being the one that the first core network device determined according to the identifier of the UE and the key set identifier in the context request.
With reference to the eighth aspect, in a first possible implementation, the NAS message includes an identity that the first core network device allocated to the UE, and the second core network device determines the first core network device according to that identity.
With reference to the eighth aspect, in a second possible implementation, the particular message further includes identification information of the first core network device, and the second core network device determines the first core network device according to that identification information.
With reference to the eighth aspect, in a third possible implementation, the key set identifier is included in the context request; or
the key set identifier is included in the NAS message, and the NAS message is included in the context request. With reference to the eighth aspect, or the first, second or third possible implementation of the eighth aspect, in a fourth possible implementation, the security context includes the encryption algorithm and the integrity protection algorithm that the first core network device uses to protect NAS messages.
With reference to the fourth possible implementation of the eighth aspect, in a fifth possible implementation, after acquiring the security context of the UE, the processor is further configured to: when a new algorithm needs to be selected, derive new NAS keys using the new algorithm, and send a NAS Security Mode Command message, which includes the identity of the new algorithm, to the UE through the transceiver, where the new algorithm includes an encryption algorithm and/or an integrity protection algorithm;
and the transceiver receives the NAS Security Mode Complete message fed back by the UE.
With reference to the eighth aspect, in a sixth possible implementation, the context request further includes: a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message has been rerouted to the second core network device.
With reference to the eighth aspect, in a seventh possible implementation, the particular message further includes: a key set identifier and/or an integrity protection check value and/or a UE identity.
In a ninth aspect, an embodiment of the present invention provides a device for receiving and processing a reroute command, the device including a transceiver and a processor, where:
the transceiver receives a reroute command sent by a first core network device, the reroute command including a non-access stratum (NAS) message and indication information for determining a second core network device;
the processor determines the second core network device according to the indication information, and sends a particular message carrying the NAS message to the second core network device through the transceiver.
With reference to the ninth aspect, in a first possible implementation, the particular message further includes: a reroute indication, which indicates that the NAS message has been rerouted to the second core network device.
With reference to the ninth aspect or the first possible implementation of the ninth aspect, in a second possible implementation, the particular message further includes:
identification information of the first core network device, according to which the second core network device determines the first core network device.
With reference to the ninth aspect, in a third possible implementation, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
With reference to the ninth aspect, in a fourth possible implementation, the reroute command further includes: a key set identifier and/or an integrity protection check value and/or a UE identity.
With reference to the ninth aspect, in a fifth possible implementation, the particular message further includes: a key set identifier and/or an integrity protection check value and/or a UE identity.
In the present invention, a first core network device receives a non-access stratum (NAS) message sent by a user equipment (UE); when it determines that the NAS message needs to be rerouted to a second core network device in a particular network, the first core network device sends a reroute command to an access network device, the reroute command including the NAS message and information for determining the second core network device; the first core network device receives a context request sent by the second core network device, the context request including a UE identity and a key set identifier; the first core network device searches for the corresponding security context according to the UE identity and the key set identifier, and sends the security context to the second core network device. In this way, the first core network device can provide the UE's security context to the second core network device in the particular network.
In the present invention, a second core network device receives a particular message sent by an access network device, the particular message including a non-access stratum (NAS) message; the second core network device determines a first core network device according to the particular message and sends a context request to the first core network device, the context request including a UE identity and a key set identifier; the second core network device receives a context response sent by the first core network device and acquires a security context from it, the security context having been determined by the first core network device according to the UE identity and the key set identifier in the context request. In this way, the second core network device in the particular network can acquire the UE's security context provided by the first core network device, so that the core network device in the particular network can communicate securely with the UE.
Brief description of the drawings
Fig. 1 is a schematic diagram of the MME reuse adoption process in the prior art;
Fig. 2 is a schematic diagram of the process in the prior art by which, during a TAU, MMEn requests the security context from MMEo;
Fig. 3 is a schematic diagram of scheme one, provided in an embodiment of the present invention, for a NAS message that is not integrity protected;
Fig. 4 is a schematic diagram of scheme two, according to an embodiment of the present invention, for a NAS message that is not integrity protected;
Fig. 5 is a schematic diagram of scheme one, according to an embodiment of the present invention, for a NAS message that is integrity protected while no usable security context exists on the MME;
Fig. 6 is a schematic diagram of scheme two, according to an embodiment of the present invention, for a NAS message that is integrity protected while no usable security context exists on the MME;
Fig. 7 is a schematic diagram of scheme three, according to an embodiment of the present invention, for a NAS message that is integrity protected while no usable security context exists on the MME;
Fig. 8 is a schematic diagram of a first method, provided in an embodiment of the present invention, of calculating the integrity protection check value (Token value);
Fig. 9 is a schematic diagram of a second method, provided in an embodiment of the present invention, of calculating the Token value;
Fig. 10 is a schematic flowchart of a method for providing a security context according to an embodiment of the present invention;
Fig. 11 is a schematic flowchart of a method for acquiring a security context according to an embodiment of the present invention;
Fig. 12 is a schematic flowchart of a method for receiving and processing a reroute command according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a device for providing a security context according to an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of a device for acquiring a security context according to an embodiment of the present invention;
Fig. 15 is a schematic structural diagram of a device for receiving and processing a reroute command according to an embodiment of the present invention.
Embodiment
Embodiments of the present invention provide a method and device for providing and acquiring a security context, so that the MME and the UE can communicate securely.
In addition, the technical solution provided in embodiments of the present invention can also perform an integrity check on a rerouted NAS message.
The core network device described in the present invention may be a device such as an MME or an SGSN. The access network device described in the present invention may be a device such as an eNB or a radio network controller (Radio Network Controller, RNC). The NAS message described in the present invention may be an Attach Request message, a tracking area update request message, or the like.
The specific embodiments of the present invention are introduced below using the example in which the core network device is an MME, the access network device is an eNB, and the NAS message is an Attach Request message.
Embodiment one of the present invention:
This embodiment addresses the scenario in which the NAS message is not security protected (including integrity protection and confidentiality protection), for example when the UE attaches to the network for the first time (i.e. accesses the network for the first time). The specific flow is shown in Fig. 3 and includes the following steps:
301. The UE initiates an attach request (or tracking area update request) to the first MME for the first time; in the attach request (or tracking area update request), all bits of the E-UTRAN key set identifier (Key Set Identifier in E-UTRAN, eKSI) are set to 1, meaning that the UE has no usable security context, and the attach request (or tracking area update request) is not security protected.
The eKSI is used to identify the different security contexts of the UE. Specifically, the eKSI is the key set identifier in a security context; because the root key differs between security contexts, the key set identifier can be used to mark a security context. The root key is Kasme.
302. The UE and the first MME perform authentication and key agreement, and a NAS security association is established between the UE and the first MME;
This step establishes the security context shared between the UE and the first MME.
303. The first MME initiates an Update Location Request to the HSS;
304. The HSS queries its database, i.e. looks up the UE's subscription data, determines whether the UE needs to perform a specific service (such as an MTC service), i.e. whether the UE needs to access the corresponding particular network, and returns an Update Location Ack that includes information on using the particular network; this information includes, for example, the UE's service type and the type information of the particular network to be accessed.
305. After receiving the indication information on using the particular network, the first MME reconstructs the attach request (or tracking area update request), i.e. restructures the eKSI in the attach request by replacing it with the eKSI associated with the security context currently shared with the UE.
The eKSI associated with a security context is the key set identifier in that security context.
306. The first MME sends a reroute command to the eNB; the reroute command includes the reconstructed attach request (or reconstructed tracking area update request) and the information on using the particular network.
The information on using the particular network is the information for determining the second MME.
The second MME is the MME in the particular network, i.e. the specific MME described in the background.
307. After receiving the reroute command, the eNB selects the second MME of the particular network for the UE according to the information on using the particular network, and sends a particular message to the second MME; the particular message includes the reconstructed attach request (or reconstructed tracking area update request), a reroute indication and the identification information of the first MME.
The identification information of the first MME may be an MME ID, a GUTI, or the like.
The eNB selecting the second MME of the particular network for the UE according to the information on using the particular network includes, for example:
the eNB determining the second MME of the corresponding particular network from the type information of the particular network, according to a pre-configured list of correspondences between network types and second MME identities.
308. The second MME finds the first MME according to the identification information of the first MME, and sends a context request message to the first MME, which includes the UE's IMSI, the eKSI and a reroute indication.
309. After receiving the context request message, the first MME obtains the UE's IMSI, the eKSI and the reroute indication from it; the first MME determines from the reroute indication that it needs to look up a security context, and then finds the corresponding security context according to the IMSI and the eKSI. The IMSI determines the UE, and the eKSI determines the security context of that UE.
3010. The first MME sends the security context currently shared between the first MME and the UE to the second MME in a context response message; the security context includes the root key (Kasme), the encryption algorithm (the algorithm against eavesdropping) and the integrity protection algorithm (the algorithm against tampering).
3011. If the second MME needs to reselect the algorithm used when communicating with the UE, for example if the algorithm selected by the second MME (including the encryption algorithm and/or the integrity protection algorithm) differs from the algorithm in the security context, the second MME derives new NAS keys using the newly selected algorithm and sends a NAS Security Mode Command message to the UE, which includes the new algorithm selected by the second MME. The new algorithm selected by the second MME includes an encryption algorithm and/or an integrity protection algorithm.
The second MME deriving new NAS keys using the newly selected algorithm includes: deriving the new NAS keys using the identities of the newly selected encryption algorithm and/or integrity protection algorithm (together with the root key Kasme). This is prior art and is not described again here.
3012. The UE derives the new NAS keys according to the integrity algorithm identity and the encryption algorithm identity carried in the NAS Security Mode Command, and sends a NAS Security Mode Complete message to the second MME.
For this embodiment, the following five aspects can be further expanded:
First: if, before the reroute, the first MME had already allocated an identity to the UE, for example a GUTI (which includes the identity of the first MME and can be used to find the corresponding first MME), then in step 305 the IMSI (or P-TMSI or GUTI) in the attach request (or tracking area update request) also needs to be replaced with the allocated GUTI; in that case the identification information of the first MME need not be carried in step 307, and what is carried in step 308 is the GUTI rather than the IMSI.
Second: the reroute indication carried in the context request in steps 308 and 309 is optional and need not be carried. When the context request carries a reroute indication, the first MME learns from that indication that the attach request (or tracking area update request) has been rerouted to the second MME.
Third: the NAS security mode command procedure of steps 3011 and 3012 is optional; it is initiated towards the UE only when the second MME has selected a new integrity algorithm and/or encryption algorithm.
Fourth: the context request in step 308 may also carry the reconstructed attach request (or reconstructed tracking area update request) instead of carrying the eKSI directly; the first MME then obtains the security context according to the IMSI and the eKSI in the reconstructed attach request (or reconstructed tracking area update request). The first MME need not verify the integrity of the reconstructed attach request (or reconstructed tracking area update request); it only needs to send the security context to the second MME according to the reroute indication.
Fifth: the attach request (or tracking area update request) is not reconstructed in step 305, and the attach request (or tracking area update request) sent by the UE is used in all subsequent steps. Therefore the reroute command in step 306 also includes the eKSI associated with the security context currently shared between the first MME and the UE, and the particular message in step 307 also includes that eKSI. The context request in step 308 may also carry the attach request (or tracking area update request).
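The flow of embodiment one (steps 305 to 3010), as an added in-memory simulation that is not code from the patent: the first MME replaces the eKSI in the attach request with that of the shared context, the eNB selects the second MME from a pre-configured network-type table, and the second MME requests the context by (UE identity, eKSI) with a reroute indication. The message field names, the `SecurityContext` fields and the use of a random 32-byte Kasme are assumptions made for the illustration.

```python
"""Embodiment one, steps 305-3010, as a small simulation (added illustration,
not the patent's code; field names and stores are assumptions)."""
from dataclasses import dataclass, field
import secrets

EKSI_NO_KEY = 0b111   # all eKSI bits set to 1: the UE has no usable security context (step 301)


@dataclass
class SecurityContext:
    eksi: int
    kasme: bytes      # root key shared by the UE and the first MME after AKA (step 302)
    enc_alg: str      # encryption algorithm (against eavesdropping)
    int_alg: str      # integrity protection algorithm (against tampering)


@dataclass
class FirstMME:
    mme_id: str
    contexts: dict = field(default_factory=dict)   # (UE identity, eKSI) -> SecurityContext
    current: dict = field(default_factory=dict)    # UE identity -> eKSI of the shared context

    def establish_context(self, imsi, eksi, enc_alg, int_alg):
        """Step 302: after authentication and key agreement the UE and the MME share a context."""
        ctx = SecurityContext(eksi, secrets.token_bytes(32), enc_alg, int_alg)
        self.contexts[(imsi, eksi)] = ctx
        self.current[imsi] = eksi
        return ctx

    def reroute_command(self, attach_req, network_type):
        """Steps 305-306: replace the eKSI by that of the shared context and build the command."""
        nas = dict(attach_req, eksi=self.current[attach_req["imsi"]])
        return {"nas": nas, "network_type": network_type, "first_mme_id": self.mme_id}

    def handle_context_request(self, req):
        """Steps 309-3010: the reroute indication triggers the lookup by IMSI and eKSI."""
        if not req.get("reroute"):
            return None
        ctx = self.contexts.get((req["imsi"], req["eksi"]))
        if ctx is None:
            return None   # unknown UE, or an eKSI naming a context this MME does not hold
        return {"kasme": ctx.kasme, "enc_alg": ctx.enc_alg, "int_alg": ctx.int_alg}


class ENB:
    """Step 307: the eNB holds a pre-configured network type -> second MME table."""

    def __init__(self, mme_by_network_type):
        self.table = mme_by_network_type

    def forward(self, cmd):
        target = self.table[cmd["network_type"]]
        particular_msg = {"nas": cmd["nas"], "reroute": True,
                          "first_mme_id": cmd["first_mme_id"]}
        return target, particular_msg


def context_request_from(particular_msg):
    """Step 308: the second MME takes IMSI and eKSI from the forwarded NAS message."""
    nas = particular_msg["nas"]
    return {"imsi": nas["imsi"], "eksi": nas["eksi"], "reroute": True}


def run_reroute(imsi="001010123456789", network_type="MTC"):
    """Run the flow end to end; returns (second MME id, context request, context response, context)."""
    first = FirstMME("mme-1")
    attach_req = {"imsi": imsi, "eksi": EKSI_NO_KEY}   # constructed first attach (step 301)
    ctx = first.establish_context(imsi, 0, "EEA2", "EIA2")
    cmd = first.reroute_command(attach_req, network_type)
    target, pmsg = ENB({"MTC": "mme-2"}).forward(cmd)
    req = context_request_from(pmsg)
    return target, req, first.handle_context_request(req), ctx
```

The first MME answers only when the request carries the reroute indication and names a context it actually holds; a request for an eKSI the MME never established gets no context back, which is the check a practitioner would want before handing a root key to another node.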
Embodiment two of the present invention:
This embodiment addresses the scenario in which the NAS message is not security protected, for example when the UE attaches to the network for the first time. This embodiment adds integrity protection to the attach request (or tracking area update request), improving security. The specific flow is shown in Fig. 4 and includes:
401. The UE initiates an attach request (or tracking area update request) to the first MME for the first time; the message authentication code (Message Authentication Code, MAC) information element (Information Element, IE) in it is empty, i.e. the message is not integrity protected.
402. The UE and the network side perform authentication and key agreement, and a NAS security association is established between the UE and the first MME;
This step establishes the security context shared between the UE and the first MME.
403. The first MME initiates an Update Location Request to the HSS;
404. The HSS queries its database, i.e. looks up the UE's subscription data, checks whether the UE needs to perform a specific service (such as an MTC service), i.e. whether the UE needs to access the corresponding particular network, and returns an Update Location Ack that includes information on using the particular network; this information includes, for example, the UE's service type and the type information of the particular network to be accessed.
405. After receiving the indication information on using the particular network, the first MME reconstructs the originally received Attach Request message (or tracking area update request): the first MME calculates a Token value based on the security context currently shared with the UE, fills the Token value into the MAC IE of the Attach Request message, and replaces the eKSI in the attach request with the eKSI associated with the current security context.
The Token value is the integrity protection check value.
406. The first MME sends a reroute command to the eNB; the command includes the reconstructed attach request (or reconstructed tracking area update request) and the information on using the particular network.
The information on using the particular network is the information for determining the second MME.
The second MME is the MME in the particular network, i.e. the specific MME described in the background.
407. After receiving the reroute command, the eNB selects the second MME of the particular network for the UE according to the information on using the particular network, and sends a particular message to the second MME; the particular message includes the reconstructed attach request (or reconstructed tracking area update request), a reroute indication and the identification information of the first MME.
The identification information of the first MME may be an MME ID, a GUTI, or the like.
The eNB selecting the second MME of the particular network for the UE according to the information on using the particular network includes, for example:
the eNB determining the second MME of the corresponding particular network from the type information of the particular network, according to a pre-configured list of correspondences between network types and second MME identities.
408. The second MME finds the first MME according to the identification information of the first MME, and sends a context request message to the first MME, which includes the UE's IMSI, the reconstructed attach request and a reroute indication.
409. The first MME finds the corresponding security context according to the IMSI and the eKSI, and verifies the Token value in the attach request using that security context.
The first MME verifying the Token value in the attach request using the security context means that the first MME calculates a Token value using the security context and compares it with the Token value in the attach request; if they match, the verification succeeds.
4010. If the verification succeeds, the first MME sends the security context currently shared between the first MME and the UE to the second MME in a context response message; the security context includes the root key (Kasme), the encryption algorithm (the algorithm against eavesdropping) and the integrity protection algorithm (the algorithm against tampering).
4011. If the second MME needs to reselect the algorithm used when communicating with the UE, for example if the algorithm selected by the second MME (including the encryption algorithm and/or the integrity protection algorithm) differs from the algorithm in the security context, the second MME derives new NAS keys using the newly selected algorithm and sends a NAS Security Mode Command message to the UE, which includes the new algorithm selected by the second MME. The new algorithm selected by the second MME includes an encryption algorithm and/or an integrity protection algorithm.
The second MME deriving new NAS keys using the newly selected algorithm includes: deriving the new NAS keys using the identities of the newly selected encryption algorithm and/or integrity protection algorithm (together with the root key Kasme). This is prior art and is not described again here.
4012. The UE derives the new NAS keys according to the integrity algorithm identity and the encryption algorithm identity carried in the NAS Security Mode Command, and sends a NAS Security Mode Complete message to the second MME.
For this embodiment, the following four aspects can be further expanded:
First: if, before the reroute, the first MME had already allocated an identity to the UE, for example a GUTI (which includes the identity of the first MME and can be used to find the corresponding first MME), then in step 405 the IMSI (or P-TMSI or GUTI) in the attach request (or tracking area update request) also needs to be replaced with the allocated GUTI; in that case the identification information of the first MME need not be carried in step 407, and what is carried in step 408 is the GUTI rather than the IMSI.
Second: the reroute indication carried in the context request in steps 408 and 409 is optional and need not be carried. When the context request carries a reroute indication, the first MME learns from that indication that the attach request (or tracking area update request) has been rerouted to the second MME; the first MME then accepts the attach request (or tracking area update request) and verifies the Token value.
Third: the NAS security mode command procedure of steps 4011 and 4012 is optional; it is initiated towards the UE only when the second MME has selected a new integrity algorithm and/or encryption algorithm.
Fourth: the attach request (or tracking area update request) is not reconstructed in step 405 and only the Token value is calculated; the attach request (or tracking area update request) sent by the UE is then used in all subsequent steps. Therefore the reroute command in step 406 also includes the eKSI associated with the security context currently shared between the first MME and the UE and the calculated Token value; the particular message in step 407 also includes that eKSI and the calculated Token value; the context request in step 408 also includes the Token value; and in step 409 the first MME needs to verify the Token value using the security context.
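The Token handling of embodiment two (step 405 filling the MAC IE, step 409 recomputing and comparing), as an added illustration that is not code from the patent. This page does not specify how the Token value is calculated (that is the subject of Fig. 8 and Fig. 9), so the choice of HMAC-SHA-256 truncated to the 32-bit width of the MAC IE, the NAS integrity key in the context, and the field names are all assumptions; the one point the example is meant to show is that the first MME must recompute the value from its own context and compare in constant time rather than trust the value it receives.

```python
"""Token (integrity protection check value) computation and verification for
embodiment two.  Added illustration; the Token algorithm, key and field names
are assumptions, not the patent's specification."""
import hashlib
import hmac
import secrets

TOKEN_LEN = 4   # the NAS MAC IE is 32 bits wide


def serialize(attach_req):
    """Deterministic encoding of the fields the Token covers; the MAC IE itself is excluded."""
    return "|".join(f"{k}={attach_req[k]}" for k in sorted(attach_req) if k != "mac").encode()


def compute_token(nas_int_key, attach_req):
    """Assumed Token: HMAC-SHA-256 under the NAS integrity key, truncated to the IE width."""
    return hmac.new(nas_int_key, serialize(attach_req), hashlib.sha256).digest()[:TOKEN_LEN]


def reconstruct(ctx, attach_req):
    """Step 405: set the eKSI of the current context and fill the MAC IE with the Token."""
    new = dict(attach_req, eksi=ctx["eksi"])
    new["mac"] = compute_token(ctx["nas_int_key"], new)
    return new


def verify_token(ctx, attach_req):
    """Step 409: recompute from the first MME's own context and compare in constant time."""
    expected = compute_token(ctx["nas_int_key"], attach_req)
    return hmac.compare_digest(expected, attach_req.get("mac", b""))


def demo():
    """Constructed run: a valid rerouted request verifies, a modified one does not."""
    ctx = {"eksi": 1, "nas_int_key": secrets.token_bytes(16)}     # shared context (step 402)
    original = {"imsi": "001010123456789", "eksi": 7, "mac": b""}   # MAC IE empty (step 401)
    rerouted = reconstruct(ctx, original)
    tampered = dict(rerouted, imsi="001010999999999")               # IMSI changed in transit
    other_ctx = {"eksi": 1, "nas_int_key": secrets.token_bytes(16)}  # a different UE's context
    return (verify_token(ctx, rerouted), verify_token(ctx, tampered),
            verify_token(other_ctx, rerouted), verify_token(ctx, original))
```

The last two results are the cases a reviewer would ask about: the same request checked against the wrong context fails, and the UE's original request, whose MAC IE is empty, fails too, which is why the context response in step 4010 is sent only after the verification succeeds.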
Embodiment three of the present invention:
This embodiment addresses the scenario in which the NAS message is security protected and no usable security context exists on the first MME, for example when the UE initiates an attach request or tracking area update request. The specific flow is shown in Fig. 5 and includes the following steps:
501. The UE initiates an attach request (or tracking area update request) to the first MME; the attach request (or tracking area update request) is integrity protected;
502. No usable security context exists on the first MME, so the first MME uses the GUTIo in the attach request (or tracking area update request) to find the third MME and initiates a context request to the third MME;
The GUTIo is the old GUTI, i.e. the GUTI that the third MME allocated to the UE.
503. The third MME verifies the integrity of the received attach request (or tracking area update request).
504. If the verification succeeds, the third MME sends a context response, which includes the security context, to the first MME.
505. The first MME initiates an Update Location Request to the HSS;
506. The HSS queries its database, i.e. looks up the UE's subscription data, checks whether the UE needs to perform a specific service (such as an MTC service), i.e. whether the UE needs to access the corresponding particular network, and returns an Update Location Ack that includes information on using the particular network; this information includes, for example, the UE's service type and the type information of the particular network to be accessed.
507. After receiving the indication information on using the particular network, the first MME reconstructs the originally received attach request (or tracking area update request) message: if the first MME has allocated a GUTI to the UE, the first MME replaces the GUTIo in the attach request (or tracking area update request) message with the GUTI that it allocated to the UE; if the first MME has not allocated a GUTI to the UE, the first MME replaces the GUTIo in the attach request (or tracking area update request) message with the IMSI. The first MME then calculates a Token value based on the security context currently shared with the UE, and replaces the MAC IE of the attach request (or tracking area update request) message with the Token value;
508. The first MME sends a reroute command to the eNB; the command includes the reconstructed attach request (or reconstructed tracking area update request) and the information on using the particular network.
The information on using the particular network is the information for determining the second MME.
The second MME is the MME in the particular network, i.e. the specific MME described in the background.
509. After receiving the reroute command, the eNB selects the second MME of the particular network for the UE according to the information on using the particular network, and sends a particular message to the second MME; the particular message includes the reconstructed attach request (or reconstructed tracking area update request) and a reroute indication.
The eNB selecting the second MME of the particular network for the UE according to the information on using the particular network includes, for example:
the eNB determining the second MME of the corresponding particular network from the type information of the particular network, according to a pre-configured list of correspondences between network types and second MME identities.
5010. The second MME finds the first MME according to the GUTI in the reconstructed attach request (or reconstructed tracking area update request), and sends a context request message to the first MME, which includes the GUTI that the first MME allocated to the UE, the reconstructed attach request (or reconstructed tracking area update request) and a reroute indication.
5011. The first MME learns from the reroute indication that the reconstructed attach request (or reconstructed tracking area update request) has been rerouted; the first MME accepts the reconstructed attach request (or reconstructed tracking area update request), finds the corresponding security context according to the GUTI (or IMSI) and the eKSI, and verifies the Token value in the attach request (or tracking area update request) using that security context.
The first MME finding the corresponding security context according to the GUTI (or IMSI) and the eKSI includes: the first MME determining the corresponding UE according to the GUTI (or IMSI), and determining the corresponding security context of that UE according to the eKSI.
The first MME verifying the Token value in the reconstructed attach request (or reconstructed tracking area update request) using the security context means that the first MME calculates a Token value using the security context and compares it with the Token value in the reconstructed attach request (or reconstructed tracking area update request); if they match, the verification succeeds.
5012. If the verification succeeds, the first MME sends the UE's current security context to the second MME; the security context includes the root key (Kasme), the encryption algorithm (the algorithm against eavesdropping) and the integrity protection algorithm (the algorithm against tampering).
5013. If the second MME needs to reselect the algorithm used when communicating with the UE, for example if the algorithm selected by the second MME (including the encryption algorithm and/or the integrity protection algorithm) differs from the algorithm in the security context, the second MME derives new NAS keys using the newly selected algorithm and sends a NAS Security Mode Command message to the UE, which includes the new algorithm selected by the second MME. The new algorithm selected by the second MME includes an encryption algorithm and/or an integrity protection algorithm. The second MME deriving new NAS keys using the newly selected algorithm includes: deriving the new NAS keys using the identities of the newly selected encryption algorithm and/or integrity protection algorithm (together with the root key Kasme). This is prior art and is not described again here.
5014. The UE derives the new NAS keys according to the integrity algorithm identity and the encryption algorithm identity carried in the NAS Security Mode Command, and sends a NAS Security Mode Complete message to the second MME.
For this embodiment, the following two aspects can be further expanded:
First: if the GUTIo is replaced with the IMSI in step 507, the identification information of the first MME needs to be carried in step 609, so that the second MME can find the corresponding first MME according to the identification information of the first MME and request the security context.
Second: the NAS security mode command procedure of steps 5013 and 5014 is optional; it is initiated towards the UE only when the second MME has selected a new integrity algorithm and/or encryption algorithm.
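The NAS key derivation after algorithm reselection that steps 3011 and 3012, 4011 and 4012, and 5013 and 5014 all describe, as one added illustration covering those three passages; it is not code from the patent, which treats the derivation as prior art. The KDF is modelled on the shape of the 3GPP key derivation function (HMAC-SHA-256 over FC, P0, L0, P1, L1 with the 128-bit key taken from the low end of the output); the FC value, the algorithm type distinguishers, the algorithm identity table and the message layout are assumptions made for the demo, not values taken from this page.

```python
"""NAS key derivation on the second MME and the UE after an algorithm change
(steps 3011/3012, 4011/4012, 5013/5014).  Added illustration; KDF constants and
message layout are assumptions."""
import hashlib
import hmac

FC_NAS = 0x15                              # assumed FC for NAS key derivation
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02      # assumed algorithm type distinguishers
ALG_ID = {"EEA0": 0, "EEA1": 1, "EEA2": 2, "EEA3": 3,    # assumed algorithm identities
          "EIA0": 0, "EIA1": 1, "EIA2": 2, "EIA3": 3}


def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ...; each Li is the 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nas_keys(kasme, enc_alg, int_alg):
    """Both NAS keys depend only on Kasme and the chosen algorithm identities,
    which is why the SMC needs to carry nothing more than those identities."""
    k_nas_enc = kdf(kasme, FC_NAS, bytes([NAS_ENC_ALG]), bytes([ALG_ID[enc_alg]]))[16:]
    k_nas_int = kdf(kasme, FC_NAS, bytes([NAS_INT_ALG]), bytes([ALG_ID[int_alg]]))[16:]
    return k_nas_enc, k_nas_int


def second_mme_select(ctx, preferred_enc, preferred_int):
    """Second MME side: return (SMC or None, NAS keys).  The SMC is sent only when
    the selected algorithms differ from those in the received security context."""
    if (preferred_enc, preferred_int) == (ctx["enc_alg"], ctx["int_alg"]):
        return None, derive_nas_keys(ctx["kasme"], ctx["enc_alg"], ctx["int_alg"])
    smc = {"enc_alg": preferred_enc, "int_alg": preferred_int}   # identities carried in the SMC
    return smc, derive_nas_keys(ctx["kasme"], preferred_enc, preferred_int)


def ue_on_smc(kasme, smc):
    """UE side: derive the same keys from the identities in the NAS Security Mode Command."""
    return derive_nas_keys(kasme, smc["enc_alg"], smc["int_alg"])
```

Changing only the encryption algorithm leaves the integrity key unchanged, so a reader can see which key the SMC actually rotates; the UE reaches the same pair of keys from Kasme and the two identities alone, which matches the page's statement that the NAS Security Mode Command carries the identity of the new algorithm.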
Embodiment four of the present invention:
This embodiment addresses the scenario in which the NAS message is security protected and no usable security context exists on the first MME, for example when the UE initiates an attach request or tracking area update request. The specific flow is shown in Fig. 6 and includes the following steps:
601. The UE initiates an attach request (or tracking area update request) to the first MME; the attach request (or tracking area update request) is integrity protected;
602. No usable security context exists on the first MME, so the first MME uses the GUTIo in the attach request (or tracking area update request) to find the third MME and initiates a context request to the third MME;
The GUTIo is the old GUTI, i.e. the GUTI that the third MME allocated to the UE.
603. The third MME verifies the integrity of the received attach request (or tracking area update request).
604. If the verification succeeds, the third MME sends a context response, which includes the security context, to the first MME.
605. The first MME initiates an Update Location Request to the HSS;
606. The HSS queries its database, i.e. looks up the UE's subscription data, checks whether the UE needs to perform a specific service (such as an MTC service), i.e. whether the UE needs to access the corresponding particular network, and returns an Update Location Ack that includes information on using the particular network; this information includes, for example, the UE's service type and the type information of the particular network to be accessed.
607. After receiving the indication information on using the particular network, the first MME sends a reroute command to the eNB; the command includes the attach request (or tracking area update request), the UE identity and the information on using the particular network.
The information on using the particular network is the information for determining the second MME.
The second MME is the MME in the particular network, i.e. the specific MME described in the background.
The UE identity may be the GUTI that the first MME allocated to the UE, or the IMSI. Optionally, if re-authentication has been performed between the first MME and the UE, the reroute command may also include the eKSI.
609. eNB are received after heavy-route order, the 2nd MME of particular network is selected for UE according to the information using particular network, and send particular message to the 2nd MME, the particular message includes attach request (or tracking area update request), and UE mark and heavy-route are indicated.
Wherein, eNB according to using particular network information for UE select particular network the 2nd MME, for example including:
The corresponding relation list that eNB is identified according to the network type being pre-configured with and the 2nd MME, the 2nd MME of corresponding particular network is determined by the type information of particular network.
Wherein, the mark of the UE can be that the first MME is the GUTI or IMSI that UE is distributed.Alternatively, when UE mark is IMSI, the first MME identification information can also be included in the particular message, so that the 2nd MME can find corresponding first according to the first MME identification information
MME。
Alternatively, if having carried out re-authentication between the first MME and UE, then eKSI can also be included in the particular message.
GUTIs or first MME of 6010. the 2nd MME in particular message identification information find the first MME, and initiate context request message to the first MME, wherein mark, attach request comprising UE(Or tracking area update request)Indicated with heavy-route.
Wherein, the mark of the UE can be that the first MME is the GUTI or IMSI that UE is distributed.Alternatively, if having carried out re-authentication between the first MME and UE, then eKSI can also be included in the particular message.
6011. the oneth MME indicate to know the attach request according to heavy-route(Or tracking area update request) it is heavy-route, the first MME receives the attach request(Or tracking area update request), and according to GUTI
(or IMSI) and eKSI find corresponding safe context, and nearly demonstrate,prove attach request using the safe context(Or tracking area update request).
Wherein, the first MME finds corresponding safe context according to GUTI (or IMSI) and eKSI, including:First MME determines corresponding UE according to GUTI (or IMSI), and determines the UE according to eKSI Under corresponding safe context.
First MME verifies attach request using the safe context(Or tracking area update request) in, i.e. the first MME will be calculated using the safe context and be obtained MAC value, with attach request(Or tracking area update request)In MAC value be compared, be unanimously then proved to be successful.
If 6012. are proved to be successful, then the current safe contexts of UE are issued the 2nd MME by the first MME, root key is included in the safe context(Kasme), AES(Algorithm for anti-monitoring)And protection algorithm integrallty(The algorithm changed for anti-tomb).
If 6013. the 2nd MME need to reselect the algorithm used during with the UE communication, if the algorithm of such as the 2nd MME selections(Including AES and/or protection algorithm integrallty)Algorithm in safe context is different, then the 2nd MME derives new NAS keys using the algorithm newly selected, and the new algorithm selected in NAS Security Mode Command messages, the message comprising the 2nd MME is sent to UE.Wherein, the new algorithm of the 2nd MME selections, including AES and/or protection algorithm integrallty.Wherein, the 2nd MME derives new NAS keys using the algorithm newly selected, including:Utilize the AES and/or the mark of protection algorithm integrallty newly selected(And root key Kasme), ID new NAS keys are derived.This is prior art, is stated herein without praising.
6014. UE derive new NAS keys according to the integral algorithm mark and encryption algorithm identification that are carried in NAS safe mode commands, and send N AS safe mode completion messages to the 2nd MME.
For the embodiment, following one side can be further expanded:
First:6013 steps and 6014 step NAS security mode command procedures are optional, are that UE just initiates this process when have selected new integral algorithm and/or AES only in the 2nd MME.
Embodiment five of the present invention:
This embodiment addresses the scenario in which the NAS message is integrity protected and no usable security context exists on the first MME, for example when the UE initiates an attach request or a tracking area update request. The specific flow is shown in Fig. 7 and includes the following steps:
701. The UE initiates an attach request (or tracking area update request) to the first MME; the attach request (or tracking area update request) is integrity protected.
702. No usable security context exists on the first MME, so the first MME uses the GUTIo in the attach request (or tracking area update request) to find the third MME and initiates a context request to the third MME.
Here the GUTIo is the old GUTI, that is, the GUTI that the third MME allocated to the UE.
703. The third MME verifies the integrity of the received attach request (or tracking area update request).
704. If the verification succeeds, the third MME sends a context response to the first MME, which includes the security context and the information on using the specific network.
705. After receiving the indication of the information on using the specific network, the first MME sends a reroute command to the eNB; the command includes the attach request (or tracking area update request) and the information on using the specific network.
Here the information on using the specific network is the information used to determine the second MME.
The second MME is the MME in the specific network, that is, the specific MME described in the background art.
706. After receiving the reroute command, the eNB selects the second MME in the specific network for the UE according to the information on using the specific network, and sends a specific message to the second MME; the specific message includes the attach request (or tracking area update request) and a reroute indication.
Here, the eNB selecting the second MME of the specific network for the UE according to the information on using the specific network includes, for example:
the eNB determines the second MME of the corresponding specific network from the type information of the specific network, according to a pre-configured correspondence list between network types and second MME identities.
707. The second MME finds the third MME according to the GUTI in the attach request (or tracking area update request), and initiates a context request message to the third MME; the context request message includes the GUTI, the attach request (or tracking area update request) and the reroute indication.
708. The third MME learns from the reroute indication that the attach request (or tracking area update request) has been rerouted; the third MME receives the attach request (or tracking area update request), finds the corresponding security context according to the GUTI and the eKSI, and verifies the attach request (or tracking area update request) using that security context.
Here, the third MME finding the corresponding security context according to the GUTI and the eKSI includes: the third MME determines the corresponding UE according to the GUTI, and determines the corresponding security context under that UE according to the eKSI.
The third MME verifying the attach request (or tracking area update request) using the security context means: the third MME computes a MAC value using the security context and compares it with the MAC value in the attach request (or tracking area update request); if the two match, the verification succeeds.
709. If the verification succeeds, the third MME sends the UE's current security context to the second MME; the security context includes the root key (Kasme), the encryption algorithm (the algorithm against eavesdropping) and the integrity protection algorithm (the algorithm against tampering).
7010. If the second MME needs to reselect the algorithms used for communicating with the UE, for example if the algorithms selected by the second MME (including the encryption algorithm and/or the integrity protection algorithm) differ from the algorithms in the security context, the second MME derives new NAS keys using the newly selected algorithms and sends a NAS Security Mode Command message to the UE, the message including the new algorithms selected by the second MME. Here the new algorithms selected by the second MME include the encryption algorithm and/or the integrity protection algorithm. The second MME deriving new NAS keys using the newly selected algorithms includes: deriving the new NAS keys from the identifiers of the newly selected encryption algorithm and/or integrity protection algorithm (together with the root key Kasme). This is prior art and is not elaborated here.
7011. The UE derives new NAS keys according to the integrity algorithm identifier and the encryption algorithm identifier carried in the NAS Security Mode Command, and sends a NAS Security Mode Complete message to the second MME.
For this embodiment, the following aspect can be further extended:
First: the NAS security mode command procedure of steps 7010 and 7011 is optional; it is performed only when the second MME has selected a new integrity algorithm and/or encryption algorithm.
The Token computation methods provided by this embodiment are described below with reference to the accompanying drawings.
Method one:
Referring to Fig. 8, the Token value is obtained by computing over KEY, MESSAGE, COUNT, the BEARER identifier and the DIRECTION value with an EIA algorithm.
Here the count (COUNT) value is the count value of the NAS message, specifically the count value shared by the UE and the first MME; the message (MESSAGE) is the NAS message;
EIA is the integrity algorithm;
the key (KEY) is set to KNASint;
all bits of the bearer (BEARER) identifier use a default value, for example 1;
the direction (DIRECTION) value bit uses a default value, for example 1.
Method two:
Referring to Fig. 9, the Token value is obtained by computing with a hash function over only the count value of the NAS message, the NAS message itself and the NAS-layer integrity key.
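Added example in Python (not code from the patent or from any 3GPP implementation): it ties the two Token methods above to the NAS key derivation of steps 6013/7010 that feeds them, deriving KNASint from Kasme and the integrity algorithm identity per TS 33.401 Annex A.7, then laying out the standard EIA input for method one and a keyed hash for method two. The sample Kasme and NAS message are constructed, and HMAC-SHA-256 stands in both for the EIA algorithm and for the unspecified hash function.

```python
import hashlib
import hmac

# TS 33.401 Annex A.7 algorithm key derivation: S = FC || P0 || L0 || P1 || L1,
# FC = 0x15, P0 = algorithm type distinguisher, P1 = algorithm identity.
FC_ALGORITHM_KEY = 0x15
NAS_ENC_ALG = 0x01      # type distinguisher for the NAS encryption algorithm
NAS_INT_ALG = 0x02      # type distinguisher for the NAS integrity algorithm
EIA2 = 0x02             # algorithm identity of 128-EIA2 (the sample choice)


def derive_nas_key(kasme: bytes, alg_type: int, alg_id: int) -> bytes:
    """Derive a 128-bit NAS key (KNASenc or KNASint) from Kasme.

    The generic KDF of TS 33.220 Annex B is HMAC-SHA-256(Kasme, S); the 128
    least significant bits of the 256-bit output are the algorithm key.
    """
    if len(kasme) != 32:
        raise ValueError("Kasme must be 256 bits")
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    s = bytes([FC_ALGORITHM_KEY, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(kasme, s, hashlib.sha256).digest()[16:]


def eia_input(count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Lay out the integrity algorithm input of TS 33.401 Annex B:
    COUNT[32 bits] || BEARER[5 bits] || DIRECTION[1 bit] || 26 zero bits || MESSAGE.
    """
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("COUNT, BEARER or DIRECTION out of range")
    header = (bearer << 27) | (direction << 26)
    return count.to_bytes(4, "big") + header.to_bytes(4, "big") + message


def token_method_one(knasint: bytes, count: int, message: bytes,
                     bearer: int = 0x1F, direction: int = 1) -> bytes:
    """Method one: Token = EIA(KEY=KNASint, COUNT, BEARER, DIRECTION, MESSAGE),
    with every BEARER bit and the DIRECTION bit at the default value 1.

    Assumption of this example: HMAC-SHA-256 truncated to 32 bits stands in
    for 128-EIA1/2/3 so the block runs without a 3GPP cipher library; the
    input layout and the 32-bit output length are the standard ones.
    """
    data = eia_input(count, bearer, direction, message)
    return hmac.new(knasint, data, hashlib.sha256).digest()[:4]


def token_method_two(knasint: bytes, count: int, message: bytes) -> bytes:
    """Method two: hash over only the NAS COUNT, the NAS message and KNASint.

    Assumption: the unspecified hash function is instantiated as HMAC-SHA-256
    keyed with KNASint over COUNT || MESSAGE.
    """
    return hmac.new(knasint, count.to_bytes(4, "big") + message,
                    hashlib.sha256).digest()


def verify_token(expected: bytes, received: bytes) -> bool:
    """The receiver's comparison (e.g. the first MME in step 6011), constant time."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    kasme = bytes(range(32))                      # constructed sample root key
    knasint = derive_nas_key(kasme, NAS_INT_ALG, EIA2)
    nas_pdu = bytes.fromhex("074100")             # constructed sample NAS message
    print("KNASint  :", knasint.hex())
    print("Token (1):", token_method_one(knasint, 5, nas_pdu).hex())
    print("Token (2):", token_method_two(knasint, 5, nas_pdu).hex())
```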
In summary, on the first core network device side, referring to Figure 10, a method for acquiring a security context provided in an embodiment of the present invention includes the following steps:
901. The first core network device receives a non-access stratum (NAS) message sent by the user equipment (UE);
902. When it determines that the NAS message needs to be rerouted to a second core network device in a specific network, the first core network device sends a reroute command to the access network device; the reroute command includes the NAS message and information for determining the second core network device;
903. The first core network device receives the context request sent by the second core network device, the context request including the UE identity and a key set identifier; the first core network device looks up the corresponding security context according to the UE identity and the key set identifier, and sends the security context to the second core network device.
Preferably, before the first core network device sends the reroute command to the access network device, the method further includes:
the first core network device reconstructs the received NAS message, and the NAS message included in the reroute command is the reconstructed NAS message.
Preferably, the first core network device reconstructing the NAS message received from the UE includes:
the first core network device replaces the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or,
the first core network device computes an integrity protection check value according to the current security context, and uses the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
Preferably, using the integrity protection check value as the MAC IE in the NAS message sent by the UE includes:
filling the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replacing the MAC in the NAS message sent by the UE with the integrity protection check value.
Preferably, the first core network device reconstructing the NAS message received from the UE further includes:
the first core network device replaces the UE identity in the NAS message received from the UE with the identity that the first core network device allocated to the UE.
Preferably, the key set identifier is included in the context request; or,
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, after the first core network device determines the current security context and before it sends the security context to the second core network device, the method further includes:
the first core network device verifies the integrity of the NAS message carried in the context request using the current security context;
the step of the first core network device sending the security context to the second core network device is then performed when the verification succeeds.
Preferably, the first core network device verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE includes:
the first core network device verifies the integrity protection check value or the MAC value in the NAS message carried in the context request; or
the first core network device verifies the integrity protection check value in the context request.
Preferably, the reroute command further includes: the key set identifier and/or the integrity protection check value and/or the UE identity.
Preferably, the context request further includes:
a reroute indication and/or the integrity protection check value, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
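Added example in Python (not the patent's own code) modelling the first core network device's side of the procedure just described: the reconstruction of the UE's NAS message before the reroute command (identity replacement, key set identifier replacement, MAC IE refill under the current context) and, when the context request comes back, the lookup by (UE identity, key set identifier) and the integrity verification that gates release of the security context. The message layout, the HMAC-based check value, the identities and the keys are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NasMessage:
    """Constructed, simplified view of an integrity-protected NAS message; the
    real TS 24.301 encoding is not reproduced."""
    ue_id: str      # GUTI or IMSI as presented by the UE
    eksi: int       # key set identifier (eKSI) carried in the message
    count: int      # NAS COUNT
    body: bytes     # plain NAS message content
    mac: bytes      # message authentication code IE


@dataclass(frozen=True)
class SecurityContext:
    eksi: int
    knasint: bytes  # NAS integrity key of this context


def check_value(ctx: SecurityContext, msg: NasMessage) -> bytes:
    """Integrity protection check value over COUNT || eKSI || UE identity || body.

    Assumption: HMAC-SHA-256 truncated to 32 bits stands in for the EIA
    algorithm. Because eKSI and identity are covered, every field the first
    MME rewrites forces the MAC IE to be recomputed under its current context.
    """
    data = (msg.count.to_bytes(4, "big") + bytes([msg.eksi])
            + msg.ue_id.encode() + msg.body)
    return hmac.new(ctx.knasint, data, hashlib.sha256).digest()[:4]


class FirstMme:
    """The first core network device: per-UE contexts keyed by (GUTI, eKSI)."""

    def __init__(self):
        self.contexts = {}      # (GUTI, eKSI) -> SecurityContext
        self.current_eksi = {}  # GUTI -> eKSI of the current security context
        self.guti_by_imsi = {}  # IMSI -> GUTI allocated by this MME

    def store_context(self, guti: str, ctx: SecurityContext, imsi: str = None):
        self.contexts[(guti, ctx.eksi)] = ctx
        self.current_eksi[guti] = ctx.eksi
        if imsi is not None:
            self.guti_by_imsi[imsi] = guti

    def reconstruct(self, msg: NasMessage) -> NasMessage:
        """Reconstruction before the reroute command: replace the UE identity
        with the GUTI this MME allocated, replace the eKSI with the current
        context's eKSI, and fill the MAC IE with a fresh check value."""
        guti = self.guti_by_imsi.get(msg.ue_id, msg.ue_id)
        ctx = self.contexts[(guti, self.current_eksi[guti])]
        rebuilt = replace(msg, ue_id=guti, eksi=ctx.eksi)
        return replace(rebuilt, mac=check_value(ctx, rebuilt))

    def handle_context_request(self, ue_id: str, eksi: int, msg: NasMessage):
        """Context request from the second core network device: look up the
        context by (UE identity, eKSI), verify the MAC of the carried NAS
        message, and release the context only when verification succeeds."""
        ctx = self.contexts.get((ue_id, eksi))
        if ctx is None:
            return None                       # unknown UE or key set
        if not hmac.compare_digest(check_value(ctx, msg), msg.mac):
            return None                       # integrity check failed
        return ctx


def demo():
    """Constructed run: the UE attaches with its IMSI and no valid key set
    (eKSI 7); the first MME holds a current context (eKSI 2)."""
    mme = FirstMme()
    ctx = SecurityContext(eksi=2, knasint=bytes(range(16)))      # constructed key
    mme.store_context("GUTI-0001", ctx, imsi="IMSI-001010123456789")
    attach = NasMessage(ue_id="IMSI-001010123456789", eksi=7, count=3,
                        body=bytes.fromhex("0741"), mac=bytes(4))
    rebuilt = mme.reconstruct(attach)
    # the reconstructed message returns inside the second MME's context request
    granted = mme.handle_context_request(rebuilt.ue_id, rebuilt.eksi, rebuilt)
    # a modified copy must not obtain the context
    forged = replace(rebuilt, body=rebuilt.body + b"\xff")
    refused = mme.handle_context_request(forged.ue_id, forged.eksi, forged)
    return rebuilt, granted, refused


if __name__ == "__main__":
    rebuilt, granted, refused = demo()
    print("reconstructed:", rebuilt)
    print("context released:", granted is not None, "| forged refused:", refused is None)
```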
Correspondingly, referring to Figure 11, on the second core network device side, a method for acquiring a security context provided in an embodiment of the present invention includes:
101. The second core network device receives the specific message sent by the access network device, the specific message including a non-access stratum (NAS) message;
102. The second core network device determines the first core network device according to the specific message, and sends a context request to the first core network device, the context request including the UE identity and a key set identifier;
103. The second core network device receives the context response sent by the first core network device and obtains the security context from it, the security context having been determined by the first core network device according to the UE identity and the key set identifier in the context request.
Preferably, the NAS message contains the identity that the first core network device allocated to the UE, and the second core network device determines the first core network device according to that identity.
Preferably, the specific message further includes the identification information of the first core network device, and the second core network device determines the first core network device according to the identification information of the first core network device.
Preferably, the key set identifier is included in the context request; or,
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, the security context of the UE obtained by the second core network device includes the encryption algorithm and the integrity protection algorithm that the first core network device uses to protect NAS messages.
Preferably, after the second core network device obtains the security context of the UE, the method further includes: when the second core network device needs to select new algorithms, the second core network device derives new NAS keys using the new algorithms and sends a NAS Security Mode Command message to the UE, which includes the identifiers of the new algorithms; here the new algorithms include the encryption algorithm and/or the integrity protection algorithm; the second core network device receives the NAS Security Mode Complete message fed back by the UE. Preferably, the context request further includes:
a reroute indication and/or the integrity protection check value, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
Preferably, the specific message further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Correspondingly, on the access network device side, referring to Figure 12, a method for receiving and processing a reroute command provided in an embodiment of the present invention includes:
111. The access network device receives the reroute command sent by the first core network device, the reroute command including a non-access stratum (NAS) message and indication information for determining the second core network device;
112. The access network device determines the second core network device according to the indication information, and sends a specific message carrying the NAS message to the second core network device.
Preferably, the specific message further includes:
a reroute indication, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
Preferably, the specific message further includes:
the identification information of the first core network device, so that the second core network device determines the first core network device according to the identification information of the first core network device.
Preferably, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message that it received from the UE.
Preferably, the reroute command further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Preferably, the specific message further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Referring to Figure 13, a device for providing a security context provided in an embodiment of the present invention includes: a NAS message receiving unit 131, configured to receive a non-access stratum (NAS) message sent by the user equipment (UE); a reroute command sending unit 132, configured to send a reroute command to the access network device when it is determined that the NAS message needs to be rerouted to a second core network device in a specific network, the reroute command including the NAS message and information for determining the second core network device;
a security context providing unit 133, configured to receive the context request sent by the second core network device, the context request including the UE identity and a key set identifier, to look up the corresponding security context according to the UE identity and the key set identifier, and to send the security context to the second core network device.
Preferably, the reroute command sending unit is further configured to:
reconstruct the received NAS message before the reroute command is sent to the access network device, the NAS message included in the reroute command being the reconstructed NAS message.
Preferably, when reconstructing the NAS message received from the UE, the reroute command sending unit is specifically configured to:
replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or,
compute an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
Preferably, when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the reroute command sending unit is specifically configured to:
fill the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replace the MAC in the NAS message sent by the UE with the integrity protection check value.
Preferably, the reroute command sending unit is further configured to:
replace the UE identity in the NAS message received from the UE with the identity that the first core network device allocated to the UE.
Preferably, the key set identifier is included in the context request; or,
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, the security context providing unit is further configured to:
after the current security context is determined and before the security context is sent to the second core network device, verify the integrity of the NAS message carried in the context request using the current security context;
then, when the verification succeeds, the security context providing unit sends the security context to the second core network device.
Preferably, when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the security context providing unit is specifically configured to:
verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
verify the integrity protection check value in the context request.
Preferably, the reroute command further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Preferably, the context request further includes:
a reroute indication and/or the integrity protection check value, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
The device shown in Figure 13 may be a core network device, for example an MME.
Referring to Figure 14, a device for acquiring a security context provided in an embodiment of the present invention includes: a specific message receiving unit 141, configured to receive the specific message sent by the access network device, the specific message including a non-access stratum (NAS) message;
a context request unit 142, configured to determine the first core network device according to the specific message and to send a context request to the first core network device, the context request including the UE identity and a key set identifier;
a context acquiring unit 143, configured to receive the context response sent by the first core network device and to obtain the security context from it, the security context having been determined by the first core network device according to the UE identity and the key set identifier in the context request.
Preferably, the NAS message contains the identity that the first core network device allocated to the UE, and the second core network device determines the first core network device according to that identity.
Preferably, the specific message further includes the identification information of the first core network device, and the second core network device determines the first core network device according to the identification information of the first core network device.
Preferably, the key set identifier is included in the context request; or,
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, the security context includes the encryption algorithm and the integrity protection algorithm that the first core network device uses to protect NAS messages. When new algorithms need to be selected, new NAS keys are derived using the new algorithms and a NAS Security Mode Command message is sent to the UE, which includes the identifiers of the new algorithms; here the new algorithms include the encryption algorithm and/or the integrity protection algorithm;
the NAS Security Mode Complete message fed back by the UE is received.
Preferably, the context request further includes:
a reroute indication and/or the integrity protection check value, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
Preferably, the specific message further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
The device shown in Figure 14 may be a core network device, and it may be the same core network device as the one shown in Figure 13, for example an MME.
Referring to Figure 15, a device for receiving and processing a reroute command provided in an embodiment of the present invention includes: a reroute command receiving unit 151, configured to receive the reroute command sent by the first core network device, the reroute command including a non-access stratum (NAS) message and indication information for determining the second core network device;
a specific message sending unit 152, configured to determine the second core network device according to the indication information, and to send a specific message carrying the NAS message to the second core network device.
Preferably, the specific message further includes:
a reroute indication, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
Preferably, the specific message further includes:
the identification information of the first core network device, so that the second core network device determines the first core network device according to the identification information of the first core network device.
Preferably, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message that it received from the UE.
Preferably, the reroute command further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Preferably, the specific message further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
The device shown in Figure 15 may be an access network device, for example an eNB.
A device for providing a security context provided in an embodiment of the present invention includes a processor and a transceiver, where:
the transceiver receives a non-access stratum (NAS) message sent by the user equipment (UE);
when the processor determines that the NAS message needs to be rerouted to a second core network device in a specific network, a reroute command is sent to the access network device through the transceiver, the reroute command including the NAS message and information for determining the second core network device;
the transceiver receives the context request sent by the second core network device, the context request including the UE identity and a key set identifier; the processor looks up the corresponding security context according to the UE identity and the key set identifier, and the security context is sent to the second core network device through the transceiver.
Preferably, before the transceiver sends the reroute command to the access network device, the processor is further configured to reconstruct the received NAS message, the NAS message included in the reroute command being the reconstructed NAS message.
Preferably, when reconstructing the received NAS message, the processor is specifically configured to:
replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or,
compute an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
Preferably, when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the processor is specifically configured to:
fill the integrity protection check value into the MAC IE of the NAS message sent by the UE; or
replace the MAC in the NAS message sent by the UE with the integrity protection check value.
Preferably, when reconstructing the received NAS message, the processor is further configured to:
replace the UE identity in the NAS message received from the UE with the identity that the first core network device allocated to the UE.
Preferably, the key set identifier is included in the context request; or,
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, after the processor determines the current security context and before the security context is sent to the second core network device through the transceiver, the processor is further configured to:
verify the integrity of the NAS message carried in the context request using the current security context; then, when the verification succeeds, the security context is sent to the second core network device through the transceiver. Preferably, when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the processor is specifically configured to:
verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
verify the integrity protection check value in the context request.
Preferably, the reroute command further includes:
the key set identifier and/or the integrity protection check value and/or the UE identity.
Preferably, the context request further includes:
a reroute indication and/or the integrity protection check value, where the reroute indication is used to indicate that the NAS message has been rerouted to the second core network device.
A device for acquiring a security context provided in an embodiment of the present invention includes a transceiver and a processor, where:
the transceiver receives a specific message sent by an access network device, the specific message including a Non-Access Stratum (NAS) message;
the processor determines the first core network device according to the specific message, and the transceiver sends a context request to the first core network device, the context request including an identifier of the UE and a key set identifier; the transceiver receives the context response sent by the first core network device, and the processor obtains the security context from it, the security context being the one determined by the first core network device according to the identifier of the UE and the key set identifier in the context request.
Preferably, the NAS message includes an identifier allocated to the UE by the first core network device, and the second core network device determines the first core network device according to that identifier.
Preferably, the specific message further includes identification information of the first core network device, and the second core network device determines the first core network device according to that identification information.
Preferably, the key set identifier is included in the context request directly; or
the key set identifier is included in the NAS message, and the NAS message is included in the context request.
Preferably, the security context includes the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
Preferably, after obtaining the security context of the UE, the processor is further configured to: when a new algorithm needs to be selected, derive new NAS keys using the new algorithm and send a NAS Security Mode Command message to the UE through the transceiver, the message including the identifier of the new algorithm, where the new algorithm includes an encryption algorithm and/or an integrity protection algorithm;
and the transceiver receives the NAS Security Mode Complete message fed back by the UE.
Preferably, the context request further includes:
a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
Preferably, the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
An embodiment of the present invention provides a device for receiving and processing a reroute command. The device includes a transceiver and a processor, where:
the transceiver receives a reroute command sent by a first core network device, the reroute command including a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
the processor determines the second core network device according to the indication information, and sends a specific message carrying the NAS message to the second core network device through the transceiver.
Preferably, the specific message further includes:
a reroute indication, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
Preferably, the specific message further includes:
identification information of the first core network device, according to which the second core network device determines the first core network device.
Preferably, the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
Preferably, the reroute command further includes:
a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
Preferably, the specific message further includes:
a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
It can be seen that, by reconstructing the NAS message, the embodiments of the present invention allow a NAS message that is rerouted to a specific network to pass the integrity check, and allow the core network device of the specific network to obtain the security context, so that it can communicate securely with the UE.
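The reroute and context-transfer procedure described above, as an added Python simulation that is not part of the patent or of any Huawei code: a first core network device reconstructs the UE's NAS message (identifier it allocated, current KSI, MAC IE filled from the current context), the access network device forwards it as the specific message, and the second core network device fetches the security context with a context request that the first device verifies before answering. The NAS integrity algorithm (HMAC-SHA256 here), the key derivation on algorithm change, the message fields and every identifier are constructed stand-ins and assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NasMessage:
    ue_id: str        # UE identifier carried in the message (e.g. a GUTI)
    ksi: int          # key set identifier carried in the message
    payload: bytes    # the rest of the message, opaque here
    mac: bytes = b""  # message authentication code (MAC) IE, empty when absent

    def protected_part(self) -> bytes:
        return f"{self.ue_id}|{self.ksi}|".encode() + self.payload


@dataclass(frozen=True)
class SecurityContext:
    ksi: int
    k_nas_int: bytes  # NAS integrity key
    enc_alg: str      # encryption algorithm used to protect NAS messages
    int_alg: str      # integrity protection algorithm used to protect NAS messages


def compute_mac(ctx, msg):
    # Stand-in for the NAS integrity algorithm (assumption): HMAC-SHA256 truncated to 32 bits.
    return hmac.new(ctx.k_nas_int, msg.protected_part(), hashlib.sha256).digest()[:4]


class FirstCoreDevice:
    """Holds the UE's current security context (claims 1 to 10)."""
    def __init__(self, name):
        self.name = name
        self.contexts = {}  # (UE identifier allocated by this device, KSI) -> SecurityContext
        self.current = {}   # UE identifier seen in uplink NAS -> (allocated identifier, current context)

    def attach(self, ue_id, allocated_id, ctx):
        self.contexts[(allocated_id, ctx.ksi)] = ctx
        self.current[ue_id] = (allocated_id, ctx)

    def reconstruct(self, msg):
        # Claims 2 to 5: replace the UE identifier with the one this device allocated, replace
        # the KSI with the current one, then fill the MAC IE using the current context.
        allocated_id, ctx = self.current[msg.ue_id]
        rebuilt = NasMessage(allocated_id, ctx.ksi, msg.payload)
        return replace(rebuilt, mac=compute_mac(ctx, rebuilt))

    def reroute_command(self, msg, target_network):
        return {"nas": self.reconstruct(msg), "target": target_network, "first_device": self.name}

    def handle_context_request(self, req):
        # Claims 1, 7 and 8: look up by (UE identifier, KSI) and verify the MAC of the carried NAS
        # message before releasing the context, so the right identifiers alone are not enough.
        ctx = self.contexts.get((req["ue_id"], req["ksi"]))
        if ctx is None:
            return {"status": "UNKNOWN_CONTEXT"}
        nas = req["nas"]
        if not hmac.compare_digest(compute_mac(ctx, nas), nas.mac):
            return {"status": "INTEGRITY_FAILURE"}
        return {"status": "OK", "context": ctx}


class SecondCoreDevice:
    """Obtains the context from the first device, then may run a NAS SMC (claims 11 to 18)."""
    def __init__(self):
        self.context = None

    def handle_particular_message(self, particular, first_devices):
        first = first_devices[particular["first_device"]]  # claim 13: identification info in the message
        nas = particular["nas"]
        resp = first.handle_context_request(
            {"ue_id": nas.ue_id, "ksi": nas.ksi, "nas": nas, "reroute_indication": True})
        if resp["status"] == "OK":
            self.context = resp["context"]
        return resp["status"]

    def security_mode_command(self, new_int_alg):
        # Claim 16: derive a new NAS key when a new algorithm is selected (this KDF is an assumption).
        new_key = hmac.new(self.context.k_nas_int, b"alg:" + new_int_alg.encode(), hashlib.sha256).digest()[:16]
        self.context = replace(self.context, k_nas_int=new_key, int_alg=new_int_alg)
        return self.context


def access_network_forward(cmd, devices_by_network, first_devices):
    # Claims 19 to 22: the access network device selects the second device from the indication
    # in the reroute command and sends it the specific message carrying the reconstructed NAS message.
    particular = {"nas": cmd["nas"], "reroute_indication": True, "first_device": cmd["first_device"]}
    return devices_by_network[cmd["target"]].handle_particular_message(particular, first_devices)


def run_reroute(tamper=False):
    """End-to-end flow on constructed data; returns (status seen by the second device, its context)."""
    ctx = SecurityContext(ksi=3, k_nas_int=b"\x11" * 16, enc_alg="EEA2", int_alg="EIA2")
    mme1, mme2 = FirstCoreDevice("mme1"), SecondCoreDevice()
    mme1.attach(ue_id="old-guti", allocated_id="guti-mme1-0001", ctx=ctx)
    uplink = NasMessage("old-guti", ksi=7, payload=b"ATTACH REQUEST")  # constructed UE message, stale KSI
    cmd = mme1.reroute_command(uplink, target_network="dedicated-net-A")
    if tamper:  # message altered after reconstruction: the MAC filled in by mme1 no longer matches
        cmd["nas"] = replace(cmd["nas"], payload=b"ATTACH REQUEST?")
    status = access_network_forward(cmd, {"dedicated-net-A": mme2}, {"mme1": mme1})
    return status, mme2.context
```

Running run_reroute(tamper=True) shows the check of claim 7 in action: a context request whose carried NAS message no longer verifies receives no security context.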
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware-only embodiment, a software-only embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which realizes the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications falling within the scope of the present invention. Such changes and modifications may be made without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (69)

    1. A method for providing a security context, characterized in that the method includes:
    a first core network device receives a Non-Access Stratum (NAS) message sent by a user equipment (UE);
    when it is determined that the NAS message needs to be rerouted to a second core network device in a specific network, the first core network device sends a reroute command to an access network device, the reroute command including the NAS message and information for determining the second core network device;
    the first core network device receives a context request sent by the second core network device, the context request including an identifier of the UE and a key set identifier; the first core network device searches for the corresponding security context according to the identifier of the UE and the key set identifier, and sends the security context to the second core network device.
    2. The method according to claim 1, characterized in that before the first core network device sends the reroute command to the access network device, the method further includes:
    the first core network device reconstructs the received NAS message, and the NAS message included in the reroute command is the reconstructed NAS message.
    3. The method according to claim 2, characterized in that the first core network device reconstructing the NAS message received from the UE includes:
    the first core network device replaces the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
    the first core network device calculates an integrity protection check value according to the current security context, and uses the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
    4. The method according to claim 3, characterized in that using the integrity protection check value as the MAC IE in the NAS message sent by the UE includes:
    filling the integrity protection check value into the MAC IE in the NAS message sent by the UE; or
    using the integrity protection check value to replace the MAC in the NAS message sent by the UE.
    5. The method according to claim 3, characterized in that the first core network device reconstructing the NAS message received from the UE further includes:
    the first core network device replaces the identifier of the UE in the NAS message received from the UE with the identifier allocated to the UE by the first core network device.
    6. The method according to claim 1, characterized in that the key set identifier is included in the context request; or
    the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    7. The method according to claim 1, characterized in that after the first core network device determines the current security context and before it sends the security context to the second core network device, the method further includes: the first core network device verifies the integrity of the NAS message carried in the context request using the current security context;
    and the step in which the first core network device sends the security context to the second core network device is performed when the verification succeeds.
    8. The method according to claim 7, characterized in that the first core network device verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE includes:
    the first core network device verifies the integrity protection check value or the MAC value in the NAS message carried in the context request; or
    the first core network device verifies the integrity protection check value in the context request.
    9. The method according to claim 1, characterized in that the reroute command further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    10. The method according to claim 1, characterized in that the context request further includes:
    a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    11. A method for obtaining a security context, characterized in that the method includes: a second core network device receives a specific message sent by an access network device, the specific message including a Non-Access Stratum (NAS) message;
    the second core network device determines a first core network device according to the specific message, and sends a context request to the first core network device, the context request including an identifier of the UE and a key set identifier; the second core network device receives a context response sent by the first core network device and obtains the security context from it, the security context being determined by the first core network device according to the identifier of the UE and the key set identifier in the context request.
    12. The method according to claim 11, characterized in that the NAS message includes an identifier allocated to the UE by the first core network device, and the second core network device determines the first core network device according to that identifier.
    13. The method according to claim 11, characterized in that the specific message further includes identification information of the first core network device, and the second core network device determines the first core network device according to the identification information of the first core network device.
    14. The method according to claim 11, characterized in that the key set identifier is included in the context request; or
    the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    15. The method according to any one of claims 11 to 14, characterized in that the security context of the UE obtained by the second core network device includes the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
    16. The method according to claim 15, characterized in that after the second core network device obtains the security context of the UE, the method further includes:
    when the second core network device needs to select a new algorithm, the second core network device derives new NAS keys using the new algorithm and sends a NAS Security Mode Command message to the UE, the message including the identifier of the new algorithm, where the new algorithm includes an encryption algorithm and/or an integrity protection algorithm;
    the second core network device receives the NAS Security Mode Complete message fed back by the UE.
    17. The method according to claim 11, characterized in that the context request further includes:
    a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    18. The method according to claim 11, characterized in that the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    19. A method for receiving and processing a reroute command, characterized in that the method includes: an access network device receives a reroute command sent by a first core network device, the reroute command including a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
    the access network device determines the second core network device according to the indication information, and sends a specific message carrying the NAS message to the second core network device.
    20. The method according to claim 19, characterized in that the specific message further includes: a reroute indication, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    21. The method according to claim 19 or 20, characterized in that the specific message further includes:
    identification information of the first core network device, according to which the second core network device determines the first core network device.
    22. The method according to claim 19, characterized in that the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
    23. The method according to claim 19, characterized in that the reroute command further includes:
    a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    24. The method according to claim 19, characterized in that the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    25. A device for providing a security context, characterized in that the device includes:
    a NAS message receiving unit, configured to receive a Non-Access Stratum (NAS) message sent by a user equipment (UE);
    a reroute command sending unit, configured to send a reroute command to an access network device when it is determined that the NAS message needs to be rerouted to a second core network device in a specific network, the reroute command including the NAS message and information for determining the second core network device;
    a security context providing unit, configured to receive a context request sent by the second core network device, the context request including an identifier of the UE and a key set identifier, to search for the corresponding security context according to the identifier of the UE and the key set identifier, and to send the security context to the second core network device.
    26. The device according to claim 25, characterized in that the reroute command sending unit is further configured to:
    reconstruct the received NAS message before sending the reroute command to the access network device, the NAS message included in the reroute command being the reconstructed NAS message.
    27. The device according to claim 26, characterized in that when reconstructing the NAS message received from the UE, the reroute command sending unit is specifically configured to:
    replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
    calculate an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
    28. The device according to claim 27, characterized in that when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the reroute command sending unit is specifically configured to:
    fill the integrity protection check value into the MAC IE in the NAS message sent by the UE; or
    use the integrity protection check value to replace the MAC in the NAS message sent by the UE.
    29. The device according to claim 27, characterized in that the reroute command sending unit is further configured to:
    replace the identifier of the UE in the NAS message received from the UE with the identifier allocated to the UE by the first core network device.
    30. The device according to claim 25, characterized in that the key set identifier is included in the context request; or
    the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    31. The device according to claim 25, characterized in that the security context providing unit is further configured to:
    after determining the current security context and before sending the security context to the second core network device, verify the integrity of the NAS message carried in the context request using the current security context;
    and send the security context to the second core network device when the verification succeeds.
    32. The device according to claim 31, characterized in that when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the security context providing unit is specifically configured to:
    verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
    verify the integrity protection check value in the context request.
    33. The device according to claim 25, characterized in that the reroute command further includes:
    a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    34. The device according to claim 25, characterized in that the context request further includes:
    a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    35. A device for obtaining a security context, characterized in that the device includes:
    a specific message receiving unit, configured to receive a specific message sent by an access network device, the specific message including a Non-Access Stratum (NAS) message;
    a context request unit, configured to determine a first core network device according to the specific message and to send a context request to the first core network device, the context request including an identifier of the UE and a key set identifier;
    a context obtaining unit, configured to receive a context response sent by the first core network device and to obtain the security context from it, the security context being determined by the first core network device according to the identifier of the UE and the key set identifier in the context request.
    36. The device according to claim 35, characterized in that the NAS message includes an identifier allocated to the UE by the first core network device, and the second core network device determines the first core network device according to that identifier.
    37. The device according to claim 35, characterized in that the specific message further includes identification information of the first core network device, and the second core network device determines the first core network device according to the identification information of the first core network device.
    38. The device according to claim 35, characterized in that the key set identifier is included in the context request; or
    the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    39. The device according to any one of claims 35 to 38, characterized in that the security context includes the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
    40. The device according to claim 39, characterized in that after obtaining the security context of the UE, the context obtaining unit is further configured to:
    when a new algorithm needs to be selected, derive new NAS keys using the new algorithm and send a NAS Security Mode Command message to the UE, the message including the identifier of the new algorithm, where the new algorithm includes an encryption algorithm and/or an integrity protection algorithm;
    receive the NAS Security Mode Complete message fed back by the UE.
    41. The device according to claim 35, characterized in that the context request further includes: a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    42. The device according to claim 35, characterized in that the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    43. A device for receiving and processing a reroute command, characterized in that the device includes: a reroute command receiving unit, configured to receive a reroute command sent by a first core network device, the reroute command including a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
    a specific message sending unit, configured to determine the second core network device according to the indication information and to send a specific message carrying the NAS message to the second core network device.
    44. The device according to claim 43, characterized in that the specific message further includes: a reroute indication, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    45. The device according to claim 43 or 44, characterized in that the specific message further includes:
    identification information of the first core network device, according to which the second core network device determines the first core network device.
    46. The device according to claim 43, characterized in that the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
    47. The device according to claim 43, characterized in that the reroute command further includes:
    a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    48. The device according to claim 43, characterized in that the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    49. A device for providing a security context, characterized in that the device includes a processor and a transceiver, where:
    the transceiver receives a Non-Access Stratum (NAS) message sent by a user equipment (UE);
    when the processor determines that the NAS message needs to be rerouted to a second core network device in a specific network, it sends a reroute command to an access network device through the transceiver, the reroute command including the NAS message and information for determining the second core network device;
    the transceiver receives a context request sent by the second core network device, the context request including an identifier of the UE and a key set identifier; the processor searches for the corresponding security context according to the identifier of the UE and the key set identifier, and sends the security context to the second core network device through the transceiver.
    50. The device according to claim 49, characterized in that before the transceiver sends the reroute command to the access network device, the processor is further configured to reconstruct the received NAS message, the NAS message included in the reroute command being the reconstructed NAS message.
    51. The device according to claim 50, characterized in that when reconstructing the received NAS message, the processor is specifically configured to:
    replace the key set identifier in the NAS message sent by the UE with the key set identifier in the current security context; and/or
    calculate an integrity protection check value according to the current security context, and use the integrity protection check value as the message authentication code (MAC) information element (IE) in the NAS message sent by the UE.
    52. The device according to claim 51, characterized in that when using the integrity protection check value as the MAC IE in the NAS message sent by the UE, the processor is specifically configured to:
    fill the integrity protection check value into the MAC IE in the NAS message sent by the UE; or
    use the integrity protection check value to replace the MAC in the NAS message sent by the UE.
    53. The device according to claim 51, characterized in that when reconstructing the received NAS message, the processor is further configured to:
    replace the identifier of the UE in the NAS message received from the UE with the identifier allocated to the UE by the first core network device.
    54. The device according to claim 49, characterized in that the key set identifier is included in the context request; or the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    55. The device according to claim 49, characterized in that after the processor determines the current security context and before the transceiver sends the security context to the second core network device, the processor is further configured to verify the integrity of the NAS message carried in the context request using the current security context; and the transceiver sends the security context to the second core network device when the verification succeeds.
    56. The device according to claim 55, characterized in that when verifying the integrity of the NAS message carried in the context request using the security context currently shared with the UE, the processor is specifically configured to:
    verify the integrity protection check value or the MAC value in the NAS message carried in the context request; or
    verify the integrity protection check value in the context request.
    57. The device according to claim 49, characterized in that the reroute command further includes:
    a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    58. The device according to claim 49, characterized in that the context request further includes:
    a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    59. A device for obtaining a security context, characterized in that the device includes a transceiver and a processor, where:
    the transceiver receives a specific message sent by an access network device, the specific message including a Non-Access Stratum (NAS) message;
    the processor determines a first core network device according to the specific message, and the transceiver sends a context request to the first core network device, the context request including an identifier of the UE and a key set identifier;
    the transceiver receives a context response sent by the first core network device, and the processor obtains the security context from it, the security context being determined by the first core network device according to the identifier of the UE and the key set identifier in the context request.
    60. The device according to claim 59, characterized in that the NAS message includes an identifier allocated to the UE by the first core network device, and the second core network device determines the first core network device according to that identifier.
    61. The device according to claim 59, characterized in that the specific message further includes identification information of the first core network device, and the second core network device determines the first core network device according to the identification information of the first core network device.
    62. The device according to claim 59, characterized in that the key set identifier is included in the context request; or
    the key set identifier is included in the NAS message, and the NAS message is included in the context request.
    63. The device according to any one of claims 59 to 62, characterized in that the security context includes the encryption algorithm and the integrity protection algorithm used by the first core network device to protect NAS messages.
    64. The device according to claim 63, characterized in that after obtaining the security context of the UE, the processor is further configured to: when a new algorithm needs to be selected, derive new NAS keys using the new algorithm and send a NAS Security Mode Command message to the UE through the transceiver, the message including the identifier of the new algorithm, where the new algorithm includes an encryption algorithm and/or an integrity protection algorithm; and the transceiver receives the NAS Security Mode Complete message fed back by the UE.
    65. The device according to claim 59, characterized in that the context request further includes:
    a reroute indication and/or an integrity protection check value, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    66. The device according to claim 59, characterized in that the specific message further includes: a key set identifier and/or an integrity protection check value and/or an identifier of the UE.
    67. A device for receiving and processing a reroute command, characterized in that the device includes a transceiver and a processor, where: the transceiver receives a reroute command sent by a first core network device, the reroute command including a Non-Access Stratum (NAS) message and indication information for determining a second core network device;
    the processor determines the second core network device according to the indication information, and sends a specific message carrying the NAS message to the second core network device through the transceiver.
    68. The device according to claim 67, characterized in that the specific message further includes: a reroute indication, where the reroute indication indicates that the NAS message is rerouted to the second core network device.
    69. The device according to claim 67 or 68, characterized in that the specific message further includes:
    identification information of the first core network device, according to which the second core network device determines the first core network device.
    70. The device according to claim 67, characterized in that the NAS message is the NAS message obtained after the first core network device reconstructs the NAS message received from the UE.
    71. The device according to claim 67, characterized in that the reroute command further includes:
    Key set identifier and/or integrity protection check's value and/or UE mark.
    72nd, equipment according to claim 67, it is characterised in that also include in the particular message:Key set identifier and/or integrity protection check's value and/or UE mark.
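The context fetch of claims 59 to 66, driven by a particular message carrying the fields of claim 72, as an added Python simulation that is not the patent's own code: the second core network device reads the first device from the identifier allocated to the UE, requests the context by UE identifier and key set identifier, has the forwarded integrity check value verified, and runs a security mode command only when it must change algorithms. The device and field names, the (device id, UE id) identifier layout and the KDF constants are assumptions of this example.

```python
# Added example, not part of the patent text: simulates the security-context fetch
# of claims 59-66. Names, identifier layout and KDF constants are assumptions.
import hmac, hashlib
from dataclasses import dataclass, field

def nas_key(k_asme: bytes, alg_type: int, alg_id: int) -> bytes:
    # 3GPP-style algorithm-key KDF (assumed constants): HMAC-SHA256 over FC||P0||L0||P1||L1, low 128 bits
    s = bytes([0x15, alg_type, 0, 1, alg_id, 0, 1])
    return hmac.new(k_asme, s, hashlib.sha256).digest()[16:]
def nas_mac(k_int: bytes, msg: bytes) -> bytes:
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:4]   # 32-bit MAC-I

@dataclass
class CoreDevice:
    enc_algs: tuple                  # supported algorithm ids, preferred first
    int_algs: tuple
    contexts: dict = field(default_factory=dict)     # (ue_id, ksi) -> context
    def handle_context_request(self, req):
        # First device: context selected by UE id and KSI (claim 59); forwarded check value verified (claims 65, 66)
        ctx = self.contexts.get((req["ue_id"], req["ksi"]))
        if ctx is None or not req.get("reroute"):
            return {"cause": "context not found"}
        expect = nas_mac(nas_key(ctx["k_asme"], 2, ctx["int_alg"]), req["nas"])
        if not hmac.compare_digest(expect, req["mac"]):
            return {"cause": "integrity check failed"}
        return {"ctx": dict(ctx)}    # carries the algorithms in use (claim 63)
    def handle_rerouted_nas(self, msg, devices):
        # Second device: the first device is read from the identifier it allocated
        # to the UE (claim 60); an SMC runs only if its algorithms are unsupported here.
        first_id, ue_id = msg["guti"]         # assumed layout: (device id, UE id)
        req = {"ue_id": ue_id, "ksi": msg["ksi"], "nas": msg["nas"], "mac": msg["mac"], "reroute": True}
        resp = devices[first_id].handle_context_request(req)
        if "ctx" not in resp:
            return resp
        ctx = self.contexts[(ue_id, msg["ksi"])] = resp["ctx"]
        if ctx["enc_alg"] in self.enc_algs and ctx["int_alg"] in self.int_algs:
            return {"smc": None}              # keep the inherited keys (claim 64)
        ctx["enc_alg"], ctx["int_alg"] = self.enc_algs[0], self.int_algs[0]
        ctx["k_nas_enc"] = nas_key(ctx["k_asme"], 1, ctx["enc_alg"])
        ctx["k_nas_int"] = nas_key(ctx["k_asme"], 2, ctx["int_alg"])
        return {"smc": {"enc_alg": ctx["enc_alg"], "int_alg": ctx["int_alg"]}}

def demo(mac_tampered=False):
    # Constructed scenario: UE attached at device 1 with algorithm ids 2/2; its NAS message is rerouted to device 7 (supports only id 3)
    k = bytes(range(32))
    devices = {1: CoreDevice((2, 3), (2, 3)), 7: CoreDevice((3,), (3,))}
    devices[1].contexts[(0x1234, 3)] = {"k_asme": k, "enc_alg": 2, "int_alg": 2}
    nas = b"TRACKING AREA UPDATE REQUEST"
    mac = b"\0\0\0\0" if mac_tampered else nas_mac(nas_key(k, 2, 2), nas)
    return devices[7].handle_rerouted_nas({"guti": (1, 0x1234), "ksi": 3, "nas": nas, "mac": mac}, devices)
```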
CN201380079475.8A 2013-10-28 2013-10-28 Method and device for providing and acquiring security context Pending CN105532026A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/086088 WO2015061951A1 (en) 2013-10-28 2013-10-28 Method and device for providing and acquiring security context

Publications (1)

Publication Number Publication Date
CN105532026A true CN105532026A (en) 2016-04-27

Family

ID=53003086

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380079475.8A Pending CN105532026A (en) 2013-10-28 2013-10-28 Method and device for providing and acquiring security context

Country Status (2)

Country Link
CN (1) CN105532026A (en)
WO (2) WO2015061951A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018196705A1 (en) * 2017-04-25 2018-11-01 华为技术有限公司 Network security protection method, device and system
CN108924826A (en) * 2017-03-24 2018-11-30 北京三星通信技术研究有限公司 The control method and equipment of data transmission
CN110351722A (en) * 2018-04-08 2019-10-18 华为技术有限公司 A kind of method for sending information, key generation method and device
CN110536298A (en) * 2018-08-10 2019-12-03 中兴通讯股份有限公司 Indicating means, device, AMF equipment, terminal and the medium of non-access layer information safety
CN111937297A (en) * 2018-05-14 2020-11-13 欧姆龙株式会社 Motor control device
CN112087297A (en) * 2019-06-14 2020-12-15 华为技术有限公司 Method, system and equipment for obtaining security context
CN112930691A (en) * 2018-09-24 2021-06-08 诺基亚技术有限公司 System and method for security protection of NAS messages

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
CN108156645A (en) * 2016-12-06 2018-06-12 中国移动通信有限公司研究院 Access processing method, base station and mobile communication terminal

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101114927A (en) * 2006-07-24 2008-01-30 华为技术有限公司 System and method for implementing load balancing
CN101594608A (en) * 2008-05-30 2009-12-02 华为技术有限公司 Method, mobile management network element and the mobile communication system of safe context are provided

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN101500270B (en) * 2008-02-02 2010-12-08 华为技术有限公司 Method and apparatus for load balance
CN102348201B (en) * 2010-08-05 2014-02-19 华为技术有限公司 Method and device for acquiring security context
CN103002521B (en) * 2011-09-08 2015-06-03 华为技术有限公司 Context transmission method and mobility management entity

Cited By (10)

Publication number Priority date Publication date Assignee Title
CN108924826A (en) * 2017-03-24 2018-11-30 北京三星通信技术研究有限公司 The control method and equipment of data transmission
CN108924826B (en) * 2017-03-24 2023-04-14 北京三星通信技术研究有限公司 Data transmission control method and device
WO2018196705A1 (en) * 2017-04-25 2018-11-01 华为技术有限公司 Network security protection method, device and system
CN110351722A (en) * 2018-04-08 2019-10-18 华为技术有限公司 A kind of method for sending information, key generation method and device
CN110351722B (en) * 2018-04-08 2024-04-16 华为技术有限公司 Information sending method, key generation method and device
CN111937297A (en) * 2018-05-14 2020-11-13 欧姆龙株式会社 Motor control device
CN110536298A (en) * 2018-08-10 2019-12-03 中兴通讯股份有限公司 Indicating means, device, AMF equipment, terminal and the medium of non-access layer information safety
CN110536298B (en) * 2018-08-10 2023-11-03 中兴通讯股份有限公司 Non-access stratum message security indication method and device, AMF (advanced mobile communication) equipment, terminal and medium
CN112930691A (en) * 2018-09-24 2021-06-08 诺基亚技术有限公司 System and method for security protection of NAS messages
CN112087297A (en) * 2019-06-14 2020-12-15 华为技术有限公司 Method, system and equipment for obtaining security context

Also Published As

Publication number Publication date
WO2015062488A1 (en) 2015-05-07
WO2015061951A1 (en) 2015-05-07

Similar Documents

Publication Publication Date Title
CN105532026A (en) Method and device for providing and acquiring security context
US10958631B2 (en) Method and system for providing security from a radio access network
EP3258718B1 (en) Gprs system key enhancement method, sgsn device, ue, hlr/hss and gprs system
US9713001B2 (en) Method and system for generating an identifier of a key
US20230292388A1 (en) Connection Resume Request Method and Apparatus
CN113225176B (en) Key obtaining method and device
CN102905265B (en) A kind of method and device realizing mobile device attachment
JP2019068416A (en) Security in inter-system movement
CN102685730B (en) Method for transmitting context information of user equipment (UE) and mobility management entity (MME)
US20110135095A1 (en) Method and system for generating key identity identifier when user equipment transfers
WO2015097223A1 (en) Method and system for providing security from a radio access network
CN107113608B (en) Method and apparatus for generating multiple shared keys using key expansion multipliers
CN102480727A (en) Group authentication method and system in machine-to-machine (M2M) communication
CN104247328A (en) Method and device for data transmission
EP4329392A1 (en) Registration method and apparatus for terminal ue, electronic device, and storage medium
CN109803262A (en) A kind of transmission method and device of network parameter
CN102611553A (en) Method for realizing digital signature, user equipment and core network node equipment
CN102892114A (en) Method and device for checking equipment validity
WO2011150808A1 (en) Method and device for obtaining security context
EP4016950A1 (en) Communication method, device, and system
CN110891270B (en) Selection method and device of authentication algorithm
JP6067101B2 (en) Method and system for authenticating at least one terminal requesting access to at least one resource
CN101938743A (en) Generation method and device of safe keys
CN106304050A (en) A kind of wireless roaming method and device
CN105340319B (en) Method and equipment for providing and acquiring security context

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160427

WD01 Invention patent application deemed withdrawn after publication