CN106954210A - Air interface identifier protection method and device - Google Patents

Air interface identifier protection method and device

Info

Publication number
CN106954210A
Authority
CN
China
Prior art keywords
air interface
radio access
access node
Prior art date
Legal status
Granted
Application number
CN201610006376.2A
Other languages
Chinese (zh)
Other versions
CN106954210B (en)
Inventor
祝建建
甘露
菲利普金兹伯格
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610006376.2A (granted as CN106954210B)
Priority to PCT/CN2016/110194 (WO2017118269A1)
Publication of CN106954210A
Application granted
Publication of CN106954210B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/0433 Key management protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention discloses an air interface identifier protection method and device in the field of wireless communication technology. It addresses the problem that leakage of the air interface ID puts the user's privacy information and network security at risk. In the embodiment of the present invention, an upper-layer network control node receives a network attach request sent by a UE, the attach request including the identity of the UE; obtains the root key corresponding to the identity of the UE; generates a first air interface ID protection key from the root key corresponding to the identity of the UE and a first preset parameter; and sends the first air interface ID protection key to a radio access node, so that the radio access node encrypts a first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. The scheme provided in the embodiment of the present invention is suitable for use when an air interface ID is transmitted.

Description

Air interface identifier protection method and device
Technical field
The present invention relates to the field of wireless communication technology, and in particular to an air interface identifier protection method and device.
Background art
In an existing wireless communication network, a wireless network access point allocates an air interface ID (Identity, identifier) to each user equipment that accesses it, and then uses that air interface ID to carry out data transmission with the user equipment. When a user equipment accesses a different wireless network access node while moving, the new wireless network access node allocates a new air interface ID to the user equipment and then carries out data transmission with the user equipment according to the new air interface ID.
However, the wireless network access node sends the air interface ID allocated to the user equipment to the user equipment in an air interface signaling message, that is, in the clear over the radio link. If an attacker can keep obtaining the air interface ID of a particular user equipment, the attacker can link that identifier over time and derive information such as the user's movement track and service characteristics, which threatens the user's privacy information and network security.
Summary of the invention
Embodiments of the invention provide an air interface identifier protection method and device, which can solve the problem that leakage of the air interface ID puts the user's privacy information and network security at risk.
A first aspect of the present invention provides an air interface identifier protection method, the method including:
The upper-layer network control node receives a network attach request sent by a user equipment (UE), the attach request including the identity of the UE;
The upper-layer network control node obtains the root key corresponding to the identity of the UE;
The upper-layer network control node generates a first air interface identifier (ID) protection key according to the root key corresponding to the identity of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identity of the UE, a network device ID, the public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point the UE accesses or the ID of the base station corresponding to the wireless access point the UE accesses;
The upper-layer network control node sends the first air interface ID protection key to a radio access node, so that the radio access node encrypts a first air interface ID with the first air interface ID protection key before transmitting it, the first air interface ID being the air interface ID allocated to the UE by the radio access node.
Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, in the present invention the upper-layer network control node generates a first air interface ID protection key for the first air interface ID, and the radio access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted only in encrypted form. An attacker listening on the air interface therefore cannot keep obtaining the air interface ID, which protects the user's privacy information and network security.
With reference to the first aspect, it should be noted that after the upper-layer network control node generates the first air interface ID protection key according to the root key corresponding to the identity of the UE and the first preset parameter, the method further includes:
The upper-layer network control node sends the first air interface ID protection key to the UE.
With reference to the first aspect, optionally, after the upper-layer network control node receives the network attach request sent by the UE, the method further includes:
The upper-layer network control node sends the first preset parameter to the UE, so that the UE generates the first air interface ID protection key itself according to the root key corresponding to the identity of the UE and the first preset parameter.
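The key flow of the first aspect, worked as an added example that is not part of the patent: the control node derives the first air interface ID protection key from the UE's root key and the first preset parameter, the radio access node encrypts the air interface ID it allocated under that key, and the UE, which received only the preset parameter (the second delivery option above), rebuilds the same key from its own root key and decrypts. The patent names no key derivation function and no cipher, so HMAC-SHA256 as the KDF, an HMAC-based keystream with a 16-byte integrity tag as the cipher, the 32-byte key size, the field names and all sample values are assumptions of this example.

```python
# Added illustration of the first-aspect key flow (not code from the patent).
# HMAC-SHA256 as the KDF and an HMAC keystream + tag as the cipher are
# assumptions: the patent specifies neither algorithm nor key size.
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes; assumed, the patent does not fix a key size


def _encode(fields):
    """Length-prefix each field so (a, bc) and (ab, c) cannot collide."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_protection_key(root_key: bytes, preset: dict) -> bytes:
    """First air interface ID protection key = KDF(root key, first preset parameter).

    The preset parameter may be any combination of the fields the patent lists:
    UE identity, network device ID (cell or base station ID), PLMN ID,
    security algorithm ID and a random number. Only the fields present are
    mixed in, in a fixed order, so both ends derive the same key.
    """
    order = ("ue_id", "network_device_id", "plmn_id", "security_algorithm_id", "random")
    fields = [b"air-if-id-key"] + [preset[k] for k in order if k in preset]
    return hmac.new(root_key, _encode(fields), hashlib.sha256).digest()[:KEY_LEN]


def encrypt_air_interface_id(prot_key: bytes, air_id: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC of the air interface ID: keystream XOR, then a 16-byte tag."""
    stream = hmac.new(prot_key, b"enc" + nonce, hashlib.sha256).digest()
    if len(air_id) > len(stream):
        raise ValueError("air interface ID longer than one keystream block")
    ct = bytes(a ^ s for a, s in zip(air_id, stream))
    tag = hmac.new(prot_key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_air_interface_id(prot_key: bytes, msg: bytes, nonce_len: int = 12) -> bytes:
    """Reverse of encrypt_air_interface_id; rejects a tampered message."""
    nonce, ct, tag = msg[:nonce_len], msg[nonce_len:-16], msg[-16:]
    expect = hmac.new(prot_key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("air interface ID message failed integrity check")
    stream = hmac.new(prot_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def attach_and_deliver(root_key: bytes, preset: dict, air_id: bytes, nonce: bytes = None):
    """Run the exchange end to end and return (bytes sent over the air, ID the UE recovers)."""
    nonce = nonce or os.urandom(12)
    # Upper-layer network control node: derive K1 and hand it to the radio access node.
    k1_control = derive_protection_key(root_key, preset)
    # Radio access node: encrypt the air interface ID it allocated to the UE.
    over_the_air = encrypt_air_interface_id(k1_control, air_id, nonce)
    # UE: holds the same root key, received only the preset parameter, rebuilds K1.
    k1_ue = derive_protection_key(root_key, preset)
    return over_the_air, decrypt_air_interface_id(k1_ue, over_the_air)


# Constructed sample values (not from the patent).
SAMPLE_ROOT_KEY = hashlib.sha256(b"sample root key").digest()
SAMPLE_PRESET = {
    "ue_id": b"460001234567890",
    "network_device_id": b"cell-0x1A2B3C",
    "plmn_id": b"46000",
    "security_algorithm_id": b"\x02",
    "random": bytes(range(16)),
}
SAMPLE_AIR_ID = b"\x00\x00\x3c\x9e"  # constructed 4-byte air interface ID

if __name__ == "__main__":
    wire, seen = attach_and_deliver(SAMPLE_ROOT_KEY, SAMPLE_PRESET, SAMPLE_AIR_ID)
    print("on air:", wire.hex(), "UE recovers:", seen.hex())
```

Two points the exchange makes visible: with the parameter-delivery option the protection key itself never crosses the air interface, only the preset parameter does; and because the cipher here is a keystream, the nonce must never repeat under the same key, which is why each allocation of an air interface ID draws a fresh one.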
On the basis of the first aspect, optionally, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node, the method further includes:
The upper-layer network control node receives a key request message sent by the new radio access node, the key request message including the identity of the UE;
The upper-layer network control node obtains the first air interface ID protection key according to the identity of the UE;
The upper-layer network control node sends the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key before transmitting it, the second air interface ID being the air interface ID allocated to the UE by the new radio access node.
With reference to the first aspect, optionally, when the wireless access point accessed by the UE is switched from the original radio access node to a new radio access node, the method further includes:
The upper-layer network control node receives a key request message sent by the new radio access node, the key request message including the identity of the UE;
The upper-layer network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, the second preset parameter being one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, where the second air interface ID is the air interface ID allocated to the UE by the new radio access node;
The upper-layer network control node sends the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, in the embodiment of the present invention, after the UE is handed over to a new radio access node, the first air interface ID protection key is still obtained, or a second air interface ID protection key is generated, for the second air interface ID that the new radio access node allocates to the UE, so that the second air interface ID is transmitted encrypted under the first or the second air interface ID protection key, protecting user privacy and network security. In addition, the air interface identifier access method provided by the embodiment of the present invention can be applied to the scenario in which a UE switches radio access nodes and is better suited to the new network architecture: the air interface ID is allocated by the radio access node while the air interface ID protection key is generated by the upper-layer network control node, so the air interface ID can be transmitted in a more timely manner.
In the scheme described in the first aspect, when a radio access node is added for the UE, the method further includes:
The upper-layer network control node obtains the first air interface ID protection key according to the identity of the UE;
The upper-layer network control node sends the first air interface ID protection key to the added radio access node, so that the added radio access node encrypts a third air interface ID with the first air interface ID protection key before transmitting it, the third air interface ID being the air interface ID allocated to the UE by the added radio access node.
Optionally, when a radio access node is added for the UE, the method further includes:
The upper-layer network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, the third preset parameter including one or any combination of the ID of the added radio access node, the carrier frequency of the cell corresponding to the added radio access node, and the third air interface ID, where the third air interface ID is the air interface ID allocated to the UE by the added radio access node;
The upper-layer network control node sends the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, in the technical scheme of the present invention, when a radio access node is added, the upper-layer network control node obtains the first air interface ID protection key or generates a third air interface ID protection key, so that the third air interface ID is transmitted encrypted under the first or the third air interface ID protection key, while the first air interface ID is still transmitted encrypted under the first air interface ID protection key, protecting user privacy and network security.
Optionally, when at least two wireless access points serve the UE, the step in which the upper-layer network control node sends the first air interface ID protection key to a radio access node includes:
The upper-layer network control node sends the first air interface ID protection key to one of, or to at least two of, the radio access nodes serving the UE.
In the technical scheme proposed by the present invention, when multiple wireless access points serve the UE, the upper-layer control network sends the generated first air interface ID protection key to multiple radio access nodes, so that each of these radio access nodes can encrypt its first air interface ID with the first air interface ID protection key before transmitting it, avoiding leakage of the first air interface ID.
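How the upper-layer network control node answers key requests after a handover, when a node is added, and when several nodes serve one UE, worked as an added example that is not part of the patent. Both options the text gives are shown: returning the stored first protection key unchanged, and deriving a node-specific second or third key from the first key and the new node's preset parameter (access point ID, carrier frequency of its cell, newly allocated air interface ID). HMAC-SHA256 as the KDF, the `ControlNode` class, its method names, the field names and the sample values are assumptions of this example; the patent names no algorithm or API.

```python
# Added illustration of key-request handling at the control node (not code
# from the patent). HMAC-SHA256 as the KDF is an assumption.
import hashlib
import hmac


def _kdf(key: bytes, *fields: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 derivation over the given fields."""
    blob = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, blob, hashlib.sha256).digest()


class ControlNode:
    """Upper-layer network control node: holds root keys, keeps the first key per UE."""

    def __init__(self, root_keys: dict):
        self._root_keys = root_keys   # UE identity -> root key (assumed provisioned)
        self._first_keys = {}         # UE identity -> first air interface ID protection key

    def on_attach(self, ue_id: bytes, first_preset: dict) -> bytes:
        """Attach request carrying the UE identity: derive and store K1, return it
        for delivery to the serving radio access node."""
        k1 = _kdf(self._root_keys[ue_id], b"first", ue_id,
                  first_preset.get("network_device_id", b""),
                  first_preset.get("plmn_id", b""),
                  first_preset.get("random", b""))
        self._first_keys[ue_id] = k1
        return k1

    def on_key_request(self, ue_id: bytes, node_preset: dict = None) -> bytes:
        """Key request from a new or added radio access node carrying the UE identity.

        Without node_preset the stored first key is returned unchanged (first
        option). With node_preset a key bound to the requesting node is derived
        from the first key and that node's parameters (second option).
        """
        if ue_id not in self._first_keys:
            raise KeyError("UE has no first protection key; it must attach first")
        k1 = self._first_keys[ue_id]
        if node_preset is None:
            return k1
        return _kdf(k1, b"node",
                    node_preset.get("access_point_id", b""),
                    node_preset.get("carrier_frequency", b""),
                    node_preset.get("air_interface_id", b""))


def handover_scenario() -> dict:
    """Attach, hand over to a new node, add a further node; return every key issued."""
    ue = b"460001234567890"  # constructed sample UE identity
    ctrl = ControlNode({ue: hashlib.sha256(b"sample root key").digest()})
    k_serving = ctrl.on_attach(ue, {"network_device_id": b"cell-A",
                                    "plmn_id": b"46000",
                                    "random": bytes(range(16))})
    # Handover target asks for a key, passing its own parameters (second option).
    k_target = ctrl.on_key_request(ue, {"access_point_id": b"ap-B",
                                        "carrier_frequency": b"2600MHz",
                                        "air_interface_id": b"\x00\x00\x41\x07"})
    # A node added for the same UE gets a third key bound to its own parameters.
    k_added = ctrl.on_key_request(ue, {"access_point_id": b"ap-C",
                                       "carrier_frequency": b"3500MHz",
                                       "air_interface_id": b"\x00\x00\x52\x90"})
    # A node served under the first option simply receives K1 itself.
    k_reuse = ctrl.on_key_request(ue)
    return {"serving": k_serving, "target": k_target, "added": k_added, "reuse": k_reuse}


if __name__ == "__main__":
    for name, key in handover_scenario().items():
        print(f"{name:8s} {key.hex()}")
```

The lookup is keyed on the UE identity carried in the key request, which is exactly what the text has the new node send; a request for a UE that never attached is refused rather than answered with a fresh derivation, because the control node has no first key to derive from.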
A second aspect of the present invention provides an air interface identifier protection device, including:
A receiving unit, configured to receive a network attach request sent by a user equipment (UE), the attach request including the identity of the UE;
An acquiring unit, configured to obtain the root key corresponding to the identity of the UE;
A generation unit, configured to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identity of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identity of the UE, a network device ID, the public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point the UE accesses or the ID of the base station corresponding to the wireless access point the UE accesses;
A transmitting unit, configured to send the first air interface ID protection key to a radio access node, so that the radio access node encrypts a first air interface ID with the first air interface ID protection key before transmitting it, the first air interface ID being the air interface ID allocated to the UE by the radio access node.
With reference to the second aspect, it should be noted that the transmitting unit is further configured to send the first air interface ID protection key to the UE, and to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identity of the UE and the first preset parameter.
In the second aspect, it is to be understood that when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
The receiving unit is further configured to receive a key request message sent by the new radio access node, the key request message including the identity of the UE;
The acquiring unit is further configured to obtain the first air interface ID protection key according to the identity of the UE;
The transmitting unit is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key before transmitting it, the second air interface ID being the air interface ID allocated to the UE by the new radio access node.
With reference to the second aspect, optionally, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
The receiving unit is further configured to receive a key request message sent by the new radio access node, the key request message including the identity of the UE;
The generation unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, the second preset parameter being one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, where the second air interface ID is the air interface ID allocated to the UE by the new radio access node;
The transmitting unit is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
With reference to the second aspect, optionally, when a radio access node is added for the UE,
The acquiring unit is further configured to obtain the first air interface ID protection key according to the identity of the UE;
The transmitting unit is further configured to send the first air interface ID protection key to the added radio access node, so that the added radio access node encrypts a third air interface ID with the first air interface ID protection key before transmitting it, the third air interface ID being the air interface ID allocated to the UE by the added radio access node.
With reference to the second aspect, optionally, when a radio access node is added for the UE,
The generation unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, the third preset parameter including one or any combination of the ID of the added radio access node, the carrier frequency of the cell corresponding to the added radio access node, and the third air interface ID, where the third air interface ID is the air interface ID allocated to the UE by the added radio access node;
The transmitting unit is further configured to send the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
With reference to the second aspect, optionally, when at least two wireless access points serve the UE,
The transmitting unit is further configured to send the first air interface ID protection key to one of, or to at least two of, the radio access nodes serving the UE.
In a third aspect, the embodiment of the present invention provides an air interface identifier protection device, including:
A memory, configured to store information including program instructions;
A receiver, configured to receive a network attach request sent by a user equipment (UE), the attach request including the identity of the UE;
A processor, coupled with the memory, the receiver and the transmitter, configured to control execution of the program instructions, and specifically to obtain the root key corresponding to the identity of the UE and to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identity of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identity of the UE, a network device ID, the public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point the UE accesses or the ID of the base station corresponding to the wireless access point the UE accesses;
The transmitter, configured to send the first air interface ID protection key to a radio access node, so that the radio access node encrypts a first air interface ID with the first air interface ID protection key before transmitting it, the first air interface ID being the air interface ID allocated to the UE by the radio access node.
With reference to the third aspect, optionally, the transmitter is further configured to send the first air interface ID protection key to the UE. The transmitter is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identity of the UE and the first preset parameter.
With reference to the third aspect, it is to be understood that when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
The receiver is further configured to receive a key request message sent by the new radio access node, the key request message including the identity of the UE;
The processor is further configured to obtain the first air interface ID protection key according to the identity of the UE;
The transmitter is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key before transmitting it, the second air interface ID being the air interface ID allocated to the UE by the new radio access node.
With reference to the third aspect, it is to be understood that when the wireless access point accessed by the UE is switched from the original radio access node to a new radio access node,
The receiver is further configured to receive a key request message sent by the new radio access node, the key request message including the identity of the UE;
The processor is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, the second preset parameter being one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, where the second air interface ID is the air interface ID allocated to the UE by the new radio access node;
The transmitter is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
With reference to the third aspect, it is to be understood that when a radio access node is added for the UE,
The processor is further configured to obtain the first air interface ID protection key according to the identity of the UE;
The transmitter is further configured to send the first air interface ID protection key to the added radio access node, so that the added radio access node encrypts a third air interface ID with the first air interface ID protection key before transmitting it, the third air interface ID being the air interface ID allocated to the UE by the added radio access node.
With reference to the third aspect, it is to be understood that when a radio access node is added for the UE,
The processor is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, the third preset parameter including one or any combination of the ID of the added radio access node, the carrier frequency of the cell corresponding to the added radio access node, and the third air interface ID, where the third air interface ID is the air interface ID allocated to the UE by the added radio access node;
The transmitter is further configured to send the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
With reference to the third aspect, it should be noted that when at least two wireless access points serve the UE,
The transmitter is further configured to send the first air interface ID protection key to one of, or to at least two of, the radio access nodes serving the UE.
In the air interface identifier protection method and device provided by the embodiment of the present invention, the upper-layer network control node receives a network attach request sent by the UE, the attach request including the identity of the UE; generates a first air interface ID protection key according to the root key corresponding to the identity of the UE and a first preset parameter; and sends the first air interface ID protection key to a radio access node, so that the radio access node encrypts a first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, in the embodiment of the present invention the upper-layer network control node generates a first air interface ID protection key for the first air interface ID, and the radio access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuously obtaining the air interface ID and protects the user's privacy information and network security.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Apparently, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the logical structure of a system for protecting an air interface identifier according to an embodiment of the present invention;
Fig. 2 is a kind of flow chart of the guard method of air interface identifier provided in an embodiment of the present invention;
Fig. 3 is the flow chart of the guard method of another air interface identifier provided in an embodiment of the present invention;
Fig. 4 is the flow chart of the guard method of another air interface identifier provided in an embodiment of the present invention;
Fig. 5 is the flow chart of the guard method of another air interface identifier provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the logical structure of an apparatus for protecting an air interface identifier according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the logical structure of an upper layer network control node in the air interface ID protection method according to an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To solve the problem that leakage of the air interface ID puts the user's privacy information and network security at risk, an embodiment of the present invention provides a system for protecting an air interface identifier. As shown in Fig. 1, the system includes an upper layer network control node, a radio access node, an HSS (Home Subscriber Server) and a UE (User Equipment).
The upper layer network control node may be a node, made up of an SDT (Software Defined Topology) unit or an SDP (Software Defined Protocol stack) unit, that manages the service connectivity and mobility of user devices.
The SDT unit is used, after the UE accesses the network, to determine the radio access node that serves the UE.
The SDP unit is used, after the UE accesses the network, to implement the functions of the upper layer network control node.
The radio access node is the radio access node through which the UE accesses the network over the air interface.
The HSS stores the same pre-shared root key as is held in each UE's USIM card; the root key is used in AKA (Authentication and Key Agreement) authentication.
The UE is a terminal device that accesses the wireless network.
To avoid leakage of the air interface ID, an embodiment of the present invention provides a method for protecting an air interface identifier, applied to the system shown in Fig. 1. As shown in Fig. 2, the method includes:
201. The upper layer network control node receives a network connection request sent by the UE; the network connection request carries the identifier of the UE.
The identifier of the UE may be the IMSI (International Mobile Subscriber Identity) of the UE.
202. The upper layer network control node obtains the root key corresponding to the identifier of the UE.
203. The upper layer network control node generates a first air interface ID protection key from the root key corresponding to the identifier of the UE and a first preset parameter.
The first preset parameter includes one or any combination of: the identifier of the UE, a network device ID, the ID of the PLMN (Public Land Mobile Network) to which the UE belongs, a security algorithm ID, and a random number. The network device ID is the ID of the cell corresponding to the wireless access point that the UE accesses, or the ID of the base station corresponding to that wireless access point. The first air interface ID protection key is an encryption key and/or an integrity protection key.
Specifically, the first air interface ID protection key may be generated by an algorithm chosen at random from several forms, for example K=KDF(Key, time), K=KDF(Key, ID, time), K=KDF(Key, SN), K=KDF(Key, ID, SN), or K=KDF(Key, ID, SN, time), where KDF is a key derivation function, the choice among these forms is made at random, Key may be a random number or the root key corresponding to the identifier of the UE, and ID may be one or a combination of the identifier of the UE, the network device ID, the PLMN ID and the security algorithm ID. Whichever form is chosen, the UE must be given the same inputs (step 207 below delivers the first preset parameter to it), otherwise it cannot reproduce the key in step 208.
204. The upper layer network control node sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key before transmitting it.
The first air interface ID is an air interface ID allocated to the UE by the radio access node; it identifies the UE on the air interface, and the UE and the radio access node use the first air interface ID for data transmission.
In the method for protecting an air interface identifier provided by this embodiment, the upper layer network control node receives the network connection request sent by the UE, the request carrying the identifier of the UE; it generates the first air interface ID protection key from the root key corresponding to the identifier of the UE and the first preset parameter, and sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, this embodiment has the upper layer network control node generate the first air interface ID protection key for the first air interface ID and the radio access node encrypt the first air interface ID with it, so that the first air interface ID is transmitted only in encrypted form, an attacker can no longer keep obtaining the air interface ID, and the user's privacy information and network security are protected.
In the system of Fig. 1 and the method of Fig. 2, the upper layer network control node also needs to authenticate the UE after receiving its network connection request; moreover, for the UE to be able to decrypt the encrypted first air interface ID, the UE must also learn the first air interface ID protection key. Therefore, another implementation provided by the embodiments of the present invention describes the air interface protection method for the case in which the UE first accesses a wireless access point. As shown in Fig. 3, after step 201, in which the upper layer network control node receives the network connection request sent by the UE, the method further includes steps 205 and 206.
205. The upper layer network control node obtains the authentication data of the UE from the HSS according to the network connection request.
206. The upper layer network control node performs mutual authentication with the UE using the authentication data.
After mutual authentication succeeds, step 202 is performed.
In addition, after step 203, in which the upper layer network control node generates the first air interface ID protection key from the root key corresponding to the identifier of the UE and the first preset parameter, the method further includes steps 207 and 208.
207. The upper layer network control node sends the first preset parameter to the UE.
The first preset parameter is as described under step 203 above and is not repeated here.
208. The UE generates the first air interface ID protection key from the root key corresponding to its identifier and the first preset parameter.
In another implementation provided by the embodiments of the present invention, steps 207 and 208 are not performed; instead, the upper layer network control node sends the first air interface ID protection key directly to the UE.
It can be understood that, once the UE has obtained or generated the first air interface ID protection key, it can use that key to decrypt the received first air interface ID.
Further, step 204, in which the upper layer network control node sends the first air interface ID protection key to the radio access node so that the radio access node encrypts the first air interface ID with it before transmission, may be implemented as steps 2041 and 2042.
2041. The upper layer network control node sends the first air interface ID protection key to the radio access node.
2042. The radio access node encrypts the first air interface ID with the first air interface ID protection key and transmits it.
Specifically, the radio access node sends the first air interface ID to the UE in the following four steps.
Step one: the radio access node sends the UE a negotiation message that has been integrity protected; the negotiation message carries security parameters.
Integrity protection means processing the negotiation message so that it cannot be tampered with in transit, or so that any tampering is detected promptly. The security parameters include the encryption algorithm and the integrity protection algorithm.
Step two: the UE verifies the integrity protection and checks the security parameters; if both pass, it replies to the radio access node and the security negotiation succeeds; if verification fails, the negotiation is refused.
Step three: the radio access node encrypts the first air interface ID according to the security parameters and the first air interface ID protection key, and transmits it to the UE.
Step four: after receiving the encrypted first air interface ID, the UE decrypts it with the first air interface ID protection key it received, or with the one it generated itself, and in subsequent operations uses the first air interface ID to transmit data with the wireless access point.
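The key derivation of step 203/208 and the four-step exchange of step 2042 above, modelled end to end as an added example. This is not code from the patent or from Huawei: the patent leaves the KDF and the air interface algorithms open, so HMAC-SHA256 over length-prefixed inputs as the KDF, an HMAC-based encrypt-then-MAC scheme for the air interface ID, the field names of the first preset parameter, and the sample IMSI, cell ID and air interface ID are all assumptions constructed for the example. Both the upper layer network control node and the UE derive the same key from the same root key and first preset parameter; the radio access node (holding that key after step 2041) sends an integrity-protected negotiation message, the UE verifies it and refuses anything it cannot authenticate, and only then is the first air interface ID sent encrypted.

```python
# Added example (not from the patent): Fig. 3 flow with the Python standard library.
# Assumed: KDF = HMAC-SHA256 over length-prefixed inputs; air interface protection =
# HMAC-based keystream plus HMAC tag (encrypt-then-MAC); sample identifiers are made up.
import hashlib
import hmac
import secrets
import struct
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32   # HMAC-SHA256 tag


def kdf(key: bytes, *params: bytes) -> bytes:
    """K = KDF(Key, P1, P2, ...). Length prefixes keep (b"ab", b"c") and (b"a", b"bc") apart."""
    msg = b"".join(struct.pack(">H", len(p)) + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_first_air_id_key(root_key: bytes, preset: dict) -> bytes:
    """Steps 203 and 208: K1 from the root key and the first preset parameter.
    The control node and the UE run this on identical inputs."""
    return kdf(root_key, preset["ue_id"], preset["node_id"], preset["plmn_id"],
               preset["algo_id"], preset["rand"])


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def protect(k_air: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC under K1. Separate encryption and integrity sub-keys are
    derived from K1, matching the patent's 'encryption key and/or integrity key'."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    k_enc, k_int = kdf(k_air, b"enc"), kdf(k_air, b"int")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_int, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(k_air: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting: a wrong key or a
    modified ciphertext is rejected without producing any plaintext."""
    k_enc, k_int = kdf(k_air, b"enc"), kdf(k_air, b"int")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_int, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def negotiation_message(k_air: bytes, security_params: bytes) -> bytes:
    """Step one: the radio access node offers its algorithm IDs under integrity
    protection only; nothing in this message is secret."""
    return security_params + hmac.new(kdf(k_air, b"int"), security_params, hashlib.sha256).digest()


def ue_check_negotiation(k_air: bytes, msg: bytes, acceptable: set) -> Optional[bytes]:
    """Step two: the UE checks the tag and that the offered algorithms are ones it
    accepts. None means the negotiation is refused."""
    params, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kdf(k_air, b"int"), params, hashlib.sha256).digest()):
        return None
    return params if params in acceptable else None


def initial_access(root_key: bytes, preset: dict, first_air_id: bytes,
                   security_params: bytes = b"enc=A1;int=I1") -> dict:
    """Fig. 3 end to end; returns what each side ends up holding."""
    k1_node = derive_first_air_id_key(root_key, preset)   # step 203, control node
    k1_ue = derive_first_air_id_key(root_key, preset)     # step 208, UE after step 207
    offer = negotiation_message(k1_node, security_params) # step one (node has K1 after 2041)
    if ue_check_negotiation(k1_ue, offer, {security_params}) is None:
        return {"negotiated": False}
    on_air = protect(k1_node, first_air_id)               # step three
    return {"negotiated": True, "on_air": on_air,
            "ue_air_id": unprotect(k1_ue, on_air)}        # step four


if __name__ == "__main__":
    root = bytes(range(16))                                # constructed USIM/HSS root key
    preset = {"ue_id": b"460001234567890", "node_id": b"cell-0007", "plmn_id": b"46000",
              "algo_id": b"A1", "rand": secrets.token_bytes(16)}
    print(initial_access(root, preset, bytes.fromhex("12345678")))
```

The random number in the first preset parameter is what makes K1 fresh per attach; with it fixed, two attaches with the same IMSI and cell would derive the same key, so an implementation should source it from a CSPRNG as the example does.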
In the method for protecting an air interface identifier provided by this embodiment, the upper layer network control node receives the network connection request sent by the UE, the request carrying the identifier of the UE; it generates the first air interface ID protection key from the identifier of the UE and sends the first air interface ID protection key, or the first preset parameter, to the UE so that the UE obtains or generates the first air interface ID protection key; it then sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE, and the UE decrypts the first air interface ID with the first air interface ID protection key. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, this embodiment has the upper layer network control node generate the first air interface ID protection key for the first air interface ID and the radio access node encrypt the first air interface ID with it, so that the first air interface ID is transmitted only in encrypted form, an attacker can no longer keep obtaining the air interface ID, and the user's privacy information and network security are protected.
Building on the above method flow, when the UE first accesses a set of wireless access points, that is, when at least two wireless access points serve the UE, in another implementation provided by the embodiments of the present invention step 204, in which the upper layer network control node sends the first air interface ID protection key to the radio access node, may be implemented as:
The upper layer network control node sends the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of them.
In this embodiment, when multiple wireless access points serve the UE, the upper layer network control node sends the generated first air interface ID protection key to the multiple radio access nodes, so that each of them can encrypt the first air interface ID with the first air interface ID protection key before transmission, avoiding leakage of the first air interface ID.
As the UE moves it may pass from one cell to another, and the wireless access point it is connected to changes accordingly. When the UE's wireless access point switches from the original wireless access point to a new wireless access point, in another implementation provided by the embodiments of the present invention, as shown in Fig. 4, on the basis of the flows of Fig. 2 and Fig. 3 the method further includes:
401. The upper layer network control node receives a key request message sent by the new radio access node; the key request message carries the identifier of the UE.
402. The upper layer network control node obtains the first air interface ID protection key according to the identifier of the UE.
Specifically, the upper layer network control node obtains, according to the identifier of the UE, the first air interface ID protection key that was generated last time. Or,
the upper layer network control node obtains, according to the identifier of the UE, the corresponding root key and the first preset parameter, and regenerates the first air interface ID protection key from the root key and the first preset parameter.
403. The upper layer network control node sends the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the first air interface ID protection key before transmission.
The second air interface ID is an air interface ID allocated to the UE by the new radio access node.
It can be understood that, after the UE switches from the original radio access node to the new radio access node, the new radio access node encrypts the second air interface ID with the first air interface ID protection key and transmits it to the UE, and the original radio access node stops transmitting the first air interface ID.
It should be noted that, in another implementation provided by the embodiments of the present invention, step 402 may be replaced by: the upper layer network control node generates a second air interface ID protection key from the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID.
It is worth noting that after the upper layer network control node generates the second air interface ID protection key, it must also send the second air interface ID protection key, or the second preset parameter, to the UE so that the UE obtains or generates the second air interface ID protection key. If the second preset parameter includes the second air interface ID, the second preset parameter may be sent to the UE through the original radio access node; specifically, it must be encrypted with the first air interface ID protection key for transmission.
If the upper layer network control node sends the second preset parameter to the UE, the new radio access node also needs to trigger the UE to start generating the second air interface ID protection key; for example, the new radio access node may trigger the UE to generate the second air interface ID protection key by sending it a specific counter parameter.
Correspondingly, step 403 may be replaced by: the upper layer network control node sends the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmission.
In the access method for an air interface identifier provided by this embodiment, the upper layer network control node receives the key request message sent by the new radio access node, obtains the first air interface ID protection key according to the identifier of the UE, and sends the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the first air interface ID protection key before transmission; or the upper layer network control node generates the second air interface ID protection key from the first air interface ID protection key and the second preset parameter and sends the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmission. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, this embodiment, after the UE switches to the new radio access node, still obtains the first air interface ID protection key or generates the second air interface ID protection key for the second air interface ID that the new radio access node allocates to the UE, so that the second air interface ID is transmitted encrypted with the first or the second air interface ID protection key, protecting user privacy and network security. In addition, the access method for an air interface identifier provided by this embodiment applies to the scenario in which the UE switches radio access nodes, is better suited to the new network architecture, and, because the air interface ID is allocated by the radio access node while the air interface ID protection key is generated by the upper layer network control node, the transmitted air interface ID has better timeliness.
In addition, when a radio access node is added for the UE, in another implementation provided by the embodiments of the present invention, as shown in Fig. 5, on the basis of the flows of Fig. 2 and Fig. 3 the method further includes:
501. The upper layer network control node obtains the first air interface ID protection key.
Specifically, the upper layer network control node directly obtains the first air interface ID protection key that was generated last time. Or,
the upper layer network control node regenerates the first air interface ID protection key from the root key corresponding to the identifier of the UE and the first preset parameter.
502. The upper layer network control node sends the first air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the first air interface ID protection key before transmission.
The third air interface ID is an air interface ID allocated to the UE by the added radio access node.
It can be understood that when a radio access node is added, the added radio access node encrypts the third air interface ID with the first air interface ID protection key and transmits it to the UE, while the original radio access node continues to encrypt the first air interface ID with the first air interface ID protection key and transmit it to the UE.
It should be noted that, in another implementation provided by the embodiments of the present invention, step 501 may be replaced by: the upper layer network control node generates a third air interface ID protection key from the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the added radio access node, the carrier frequency of the cell corresponding to the added radio access node, and the third air interface ID.
It is worth noting that after the upper layer network control node generates the third air interface ID protection key, it must also send the third air interface ID protection key, or the third preset parameter, to the UE so that the UE obtains or generates the third air interface ID protection key. When the third preset parameter includes the third air interface ID, the third preset parameter may be sent to the UE through the original radio access node; specifically, it must be encrypted with the first air interface ID protection key for transmission.
If the upper layer network control node sends the third preset parameter to the UE, the added radio access node also needs to trigger the UE to start generating the third air interface ID protection key; for example, the added radio access node may trigger the UE to generate the third air interface ID protection key by sending it a specific counter parameter.
Correspondingly, step 502 may be replaced by: the upper layer network control node sends the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmission.
In that case the added radio access node encrypts the third air interface ID with the third air interface ID protection key and transmits it to the UE, while the original radio access node still encrypts the first air interface ID with the first air interface ID protection key and transmits it to the UE.
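The key request of steps 401 to 403 and the per-node key derivation that the alternative steps describe for both handover (Fig. 4) and an added radio access node (Fig. 5), as one added example. This is not code from the patent or from Huawei: the KDF (HMAC-SHA256 over length-prefixed inputs), the in-memory stand-in for the HSS lookup, the tuple layout of the preset parameters and the sample identifiers are all assumptions constructed here. It shows the two branches of step 402/501 (cached K1 versus K1 regenerated from the retained root key and first preset parameter) yielding the same key, the UE deriving the same per-node key from K1 once it has the node's preset parameter, and the difference between the two scenarios: after handover the original node no longer holds a live key, while with an added node the original node keeps K1 and the added node gets its own K3.

```python
# Added example (not from the patent): key request and key chaining of Fig. 4 / Fig. 5.
# Assumed: KDF = HMAC-SHA256 over length-prefixed inputs; identifiers are made up.
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple


def kdf(key: bytes, *params: bytes) -> bytes:
    msg = b"".join(struct.pack(">H", len(p)) + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


class UpperLayerControlNode:
    """Per-UE state of the upper layer network control node; root_keys stands in
    for what the HSS would return for a UE identifier."""

    def __init__(self, root_keys: Dict[bytes, bytes]):
        self.root_keys = root_keys
        self.first_preset: Dict[bytes, Tuple[bytes, ...]] = {}
        self.k1_cache: Dict[bytes, bytes] = {}

    def attach(self, ue_id: bytes, first_preset: Tuple[bytes, ...]) -> bytes:
        """Steps 202-203: K1 = KDF(root key, first preset parameter); retain both."""
        k1 = kdf(self.root_keys[ue_id], *first_preset)
        self.first_preset[ue_id] = first_preset
        self.k1_cache[ue_id] = k1
        return k1

    def obtain_k1(self, ue_id: bytes, regenerate: bool = False) -> bytes:
        """Step 402 / 501, both branches: the K1 generated last time, or K1
        regenerated from the root key and the retained first preset parameter."""
        if regenerate:
            return kdf(self.root_keys[ue_id], *self.first_preset[ue_id])
        return self.k1_cache[ue_id]

    def handle_key_request(self, ue_id: bytes,
                           node_preset: Optional[Tuple[bytes, ...]] = None) -> bytes:
        """Steps 401-403 (or 501-502). Without a node preset parameter the
        requesting node receives K1 itself; with one it receives
        Kn = KDF(K1, node preset parameter), the alternative steps."""
        k1 = self.obtain_k1(ue_id)
        return k1 if node_preset is None else kdf(k1, *node_preset)


def ue_derive_node_key(k1: bytes, node_preset: Tuple[bytes, ...]) -> bytes:
    """UE side, run after the node preset parameter arrived (encrypted under K1
    via the original node) and the new node's counter parameter triggered it."""
    return kdf(k1, *node_preset)


def handover(ctrl: UpperLayerControlNode, ue_id: bytes, k1_ue: bytes,
             second_preset: Tuple[bytes, ...]) -> dict:
    """Fig. 4 alternative: the new node protects the second air interface ID with
    K2; the original node stops transmitting and holds no live key."""
    return {"new_node": ctrl.handle_key_request(ue_id, second_preset),
            "ue": ue_derive_node_key(k1_ue, second_preset),
            "original_node": None}


def add_node(ctrl: UpperLayerControlNode, ue_id: bytes, k1_ue: bytes,
             k1_original_node: bytes, third_preset: Tuple[bytes, ...]) -> dict:
    """Fig. 5 alternative: the added node protects the third air interface ID with
    K3 while the original node keeps using K1 for the first air interface ID."""
    return {"added_node": ctrl.handle_key_request(ue_id, third_preset),
            "ue": ue_derive_node_key(k1_ue, third_preset),
            "original_node": k1_original_node}


if __name__ == "__main__":
    ctrl = UpperLayerControlNode({b"imsi-460001234567890": bytes(range(32))})
    first = (b"imsi-460001234567890", b"cell-1", b"46000", b"A1", bytes(16))
    k1 = ctrl.attach(b"imsi-460001234567890", first)
    print(handover(ctrl, b"imsi-460001234567890", k1,
                   (b"cell-2", b"1800", bytes.fromhex("abcdef01"))))
```

Binding the second or third air interface ID into the node preset parameter, as the patent allows, means a node that learns one per-node key learns nothing usable about another node's key; regenerating K1 on request only works if the control node retained the exact first preset parameter (including the random number) used at attach, which is why `attach` stores it.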
In the access method for an air interface identifier provided by this embodiment, the upper layer network control node obtains the first air interface ID protection key and sends it to the added radio access node, so that the added radio access node encrypts the third air interface ID with the first air interface ID protection key before transmission; or the upper layer network control node generates the third air interface ID protection key from the first air interface ID protection key and the third preset parameter and sends the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmission. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, this embodiment, when a radio access node is added, obtains the first air interface ID protection key or generates the third air interface ID protection key, so that the third air interface ID is transmitted encrypted with the first or the third air interface ID protection key while the first air interface ID is still transmitted encrypted with the first air interface ID protection key, protecting user privacy and network security.
Corresponding to the above method embodiments, to solve the problem that leakage of the air interface ID puts the user's privacy information and network security at risk, an embodiment of the present invention provides an apparatus for protecting an air interface identifier, applied in an upper layer network control node. As shown in Fig. 6, the apparatus includes: a receiving unit 601, an acquiring unit 602, a generation unit 603 and a transmitting unit 604.
The receiving unit 601 is configured to receive a network connection request sent by a user equipment (UE); the network connection request carries the identifier of the UE;
The acquiring unit 602 is configured to obtain the root key corresponding to the identifier of the UE.
The generation unit 603 is configured to generate a first air interface identifier (ID) protection key from the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point that the UE accesses or the ID of the base station corresponding to that wireless access point;
The transmitting unit 604 is configured to send the first air interface ID protection key generated by the generation unit 603 to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key before transmission.
The first air interface ID is an air interface ID allocated to the UE by the radio access node.
In another embodiment of the present invention, the transmitting unit 604 is further configured to send the first air interface ID protection key to the UE.
In another embodiment of the present invention, the transmitting unit 604 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key from the root key corresponding to its identifier and the first preset parameter.
In another embodiment of the present invention, when the radio access node accessed by the UE switches from the original radio access node to a new radio access node, the receiving unit 601 is further configured to receive a key request message sent by the new radio access node; the key request message carries the identifier of the UE;
the acquiring unit 602 is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the transmitting unit 604 is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the first air interface ID protection key before transmission.
The second air interface ID is an air interface ID allocated to the UE by the new radio access node.
In another embodiment of the present invention, when the radio access node accessed by the UE switches from the original radio access node to a new radio access node, the receiving unit 601 is further configured to receive a key request message sent by the new radio access node; the key request message carries the identifier of the UE;
the generation unit 603 is further configured to generate a second air interface ID protection key from the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID;
the transmitting unit 604 is further configured to send the second air interface ID protection key generated by the generation unit 603 to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key before transmission.
In another embodiment of the present invention, when a radio access node is added for the UE, the acquiring unit 602 is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the transmitting unit 604 is further configured to send the first air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the first air interface ID protection key before transmission.
The third air interface ID is an air interface ID allocated to the UE by the added radio access node.
In another embodiment of the present invention, when a radio access node is added for the UE, the generation unit 603 is further configured to generate a third air interface ID protection key from the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the added radio access node, the carrier frequency of the cell corresponding to the added radio access node, and the third air interface ID;
the transmitting unit 604 is further configured to send the third air interface ID protection key to the added radio access node, so that the added radio access node encrypts the third air interface ID with the third air interface ID protection key before transmission.
In the apparatus for protecting an air interface identifier provided by this embodiment, the receiving unit receives the network connection request sent by the UE, the request carrying the identifier of the UE; the acquiring unit obtains the root key corresponding to the identifier of the UE; the generation unit generates the first air interface ID protection key from the root key corresponding to the identifier of the UE and the first preset parameter; and the transmitting unit sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art, in which leakage of the air interface ID puts the user's privacy information and network security at risk, this embodiment has the upper layer network control node generate the first air interface ID protection key for the first air interface ID and the radio access node encrypt the first air interface ID with it, so that the first air interface ID is transmitted only in encrypted form, an attacker can no longer keep obtaining the air interface ID, and the user's privacy information and network security are protected.
The embodiment of the present invention further provides a signal processing device. As shown in Fig. 7, the device is the hardware structure diagram of the upper layer network control node described in Fig. 6. The upper layer network control node may include a memory 701, a processor 702, a receiver 703, a transmitter 704 and a bus 1005.
The memory 701 may be a ROM (Read Only Memory), a static storage device, a dynamic storage device or a RAM (Random Access Memory). The memory 701 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented in software or firmware, the program code implementing the technical solution provided by the embodiment of the present invention is stored in the memory 701 and executed by the processor 702.
The receiver 703 is used for communication between the device and other devices or communication networks (such as, but not limited to, Ethernet, a RAN (Radio Access Network), a WLAN (Wireless Local Area Network), etc.).
The processor 702 may be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute the relevant programs so as to implement the technical solution provided by the embodiment of the present invention.
The bus 1005 may include a path for transmitting information between the components of the device (such as the memory 701, the receiver 703, the transmitter 704 and the processor 702).
It should be noted that although the hardware shown in Fig. 7 shows only the memory 701, the receiver 703, the transmitter 704, the processor 702 and the bus 704, a person skilled in the art should understand that in a specific implementation the device also contains other components necessary for normal operation. At the same time, a person skilled in the art should understand that hardware components implementing other functions may also be included according to specific needs.
Specifically, when the upper layer network control node shown in Fig. 7 is used to implement the device shown in the embodiment of Fig. 6, the receiver 703 in the device is configured to receive a network connection request sent by a user equipment (UE), the network connection request including the identifier of the UE.
The processor 702 is coupled with the memory 701, the receiver 703 and the transmitter 704 and is configured to control the execution of program instructions, specifically to acquire the root key corresponding to the identifier of the UE, and to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
the transmitter 704 is configured to send the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission.
Here the first air interface ID is the air interface ID allocated to the UE by the radio access node.
In an alternative embodiment of the invention, the transmitter 704 is further configured to send the first air interface ID protection key to the UE.
In an alternative embodiment of the invention, the transmitter 704 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
In an alternative embodiment of the invention, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiver 703 is further configured to receive a key request message sent by the new radio access node, the key request message including the identifier of the UE;
the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitter 704 is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the first air interface ID protection key for transmission.
Here the second air interface ID is the air interface ID allocated to the UE by the new radio access node.
In an alternative embodiment of the invention, when the wireless access point accessed by the UE is switched from the original radio access node to a new radio access node,
the receiver 703 is further configured to receive a key request message sent by the new radio access node, the key request message including the identifier of the UE;
the processor 702 is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID;
the transmitter 704 is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
In an alternative embodiment of the invention, when a radio access node is newly added for the UE, the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitter 704 is further configured to send the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the first air interface ID protection key for transmission.
Here the third air interface ID is the air interface ID allocated to the UE by the newly added radio access node.
In an alternative embodiment of the invention, when a radio access node is newly added for the UE, the processor 702 is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added radio access node, the carrier frequency of the cell corresponding to the newly added radio access node, and the third air interface ID;
the transmitter 704 is further configured to send the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
In an alternative embodiment of the invention, when the UE is served by at least two wireless access points, the transmitter 704 is further configured to send the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of those radio access nodes.
In the air interface identifier protection device provided by the embodiment of the present invention, the receiver receives the network connection request sent by the UE, the request including the identifier of the UE; the processor generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter; and the transmitter sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art, in which leakage of the air interface ID puts the privacy of the user and the security of the network at risk, the embodiment of the present invention has the upper layer network control node generate a first air interface ID protection key for the first air interface ID, and the radio access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuing to obtain the air interface ID and protects the privacy of the user and the security of the network.
Through the above description of the embodiments, a person skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware, and of course also by hardware alone, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a computer floppy disk, a hard disk or an optical disc, and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention.
The foregoing is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or replacements that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
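The key hierarchy described above (root key to first air interface ID protection key, then second and third keys for the handover target and the newly added node) together with the encryption of the air interface ID, as an added Python example that is not part of the patent. The patent fixes neither the derivation function nor the cipher, so HMAC-SHA256 as the KDF and an HMAC-based encrypt-then-MAC are assumptions here, as are all field names and the constructed sample values.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes; assumption, the patent does not fix a key size


def kdf(parent_key: bytes, label: bytes, preset: dict) -> bytes:
    """HMAC-SHA256 derivation of a child key from a parent key and a preset
    parameter. Every field is length-prefixed so two different parameter
    sets can never serialise to the same KDF input."""
    h = hmac.new(parent_key, label, hashlib.sha256)
    for name in sorted(preset):  # canonical field order on both sides
        value = preset[name]
        h.update(len(name).to_bytes(2, "big") + name.encode())
        h.update(len(value).to_bytes(2, "big") + value)
    return h.digest()[:KEY_LEN]


def first_air_id_key(root_key: bytes, first_preset: dict) -> bytes:
    """Upper layer network control node derives K1 (claim 1); a UE that has
    been sent the first preset parameter derives the same K1 (claim 3)."""
    return kdf(root_key, b"air-interface-id-key-1", first_preset)


def handover_air_id_key(first_key: bytes, second_preset: dict) -> bytes:
    """K2 for the target node after handover (claim 5). Derived one-way from
    K1, so the target node holding K2 cannot recover K1."""
    return kdf(first_key, b"air-interface-id-key-2", second_preset)


def added_node_air_id_key(first_key: bytes, third_preset: dict) -> bytes:
    """K3 for a newly added radio access node (claim 7)."""
    return kdf(first_key, b"air-interface-id-key-3", third_preset)


def protect_air_id(key: bytes, air_id: bytes) -> bytes:
    """Radio access node encrypts the air interface ID before sending it to
    the UE. Illustrative encrypt-then-MAC from HMAC: a one-block keystream
    plus a 16-byte tag; a real node would use the cipher selected by the
    security algorithm ID. Output: nonce(12) || ciphertext || tag(16)."""
    if len(air_id) > 32:
        raise ValueError("air interface IDs are short; keystream is one HMAC block")
    nonce = os.urandom(12)
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(air_id, keystream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect_air_id(key: bytes, blob: bytes) -> bytes:
    """UE side: verify the tag in constant time, then recover the air interface ID."""
    if len(blob) < 12 + 16:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("air interface ID message failed authentication")
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


def run_scenario() -> dict:
    """Attach, handover and added-node flows with constructed sample values."""
    root_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    first_preset = {  # the fields the text names for the first preset parameter
        "ue_id": b"ue-0001",
        "network_device_id": b"cell-101",
        "plmn_id": b"460-00",
        "security_algorithm_id": b"alg-2",
        "random": bytes.fromhex("0badcafe0badcafe"),
    }
    k1_network = first_air_id_key(root_key, first_preset)
    k1_ue = first_air_id_key(root_key, first_preset)  # UE holds the same root key
    first_air_id = b"\x1a\x2b"  # constructed, a short RNTI-like identifier
    blob = protect_air_id(k1_network, first_air_id)
    # Handover: the target node is given K2 and never sees K1.
    second_preset = {"new_ap_id": b"cell-202", "carrier_freq": b"1850",
                     "second_air_id": b"\x3c\x4d"}
    k2 = handover_air_id_key(k1_network, second_preset)
    # Dual connectivity: the added node is given K3, also derived from K1.
    third_preset = {"added_node_id": b"cell-303", "carrier_freq": b"3500",
                    "third_air_id": b"\x5e\x6f"}
    k3 = added_node_air_id_key(k1_network, third_preset)
    # A flipped ciphertext bit must be rejected rather than yield a wrong ID.
    tampered = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]
    try:
        unprotect_air_id(k1_ue, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "ue_matches_network": k1_ue == k1_network,
        "recovered_air_id": unprotect_air_id(k1_ue, blob),
        "handover_key_differs": k2 != k1_network,
        "keys_pairwise_distinct": len({k1_network, k2, k3}) == 3,
        "tamper_detected": tamper_detected,
    }
```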

Claims (14)

1. A method for protecting an air interface identifier, characterized in that it comprises:
receiving, by an upper layer network control node, a network connection request sent by a user equipment (UE), the network connection request including an identifier of the UE;
acquiring, by the upper layer network control node, a root key corresponding to the identifier of the UE;
generating, by the upper layer network control node, a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, wherein the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, a public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
sending, by the upper layer network control node, the first air interface ID protection key to a radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission, wherein the first air interface ID is the air interface ID allocated to the UE by the radio access node.
2. The method for protecting an air interface identifier according to claim 1, characterized in that after the upper layer network control node generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, the method further comprises:
sending, by the upper layer network control node, the first air interface ID protection key to the UE.
3. The method for protecting an air interface identifier according to claim 1, characterized in that after the upper layer network control node receives the network connection request sent by the UE, the method further comprises:
sending, by the upper layer network control node, the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
4. The method for protecting an air interface identifier according to any one of claims 1-3, characterized in that, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node, the method further comprises:
receiving, by the upper layer network control node, a key request message sent by the new radio access node, the key request message including the identifier of the UE;
acquiring, by the upper layer network control node, the first air interface ID protection key according to the identifier of the UE;
sending, by the upper layer network control node, the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key for transmission, wherein the second air interface ID is the air interface ID allocated to the UE by the new radio access node.
5. The method for protecting an air interface identifier according to any one of claims 1-3, characterized in that, when the wireless access point accessed by the UE is switched from the original radio access node to a new radio access node, the method further comprises:
receiving, by the upper layer network control node, a key request message sent by the new radio access node, the key request message including the identifier of the UE;
generating, by the upper layer network control node, a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, the second preset parameter being one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, wherein the second air interface ID is the air interface ID allocated to the UE by the new radio access node;
sending, by the upper layer network control node, the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
6. The method for protecting an air interface identifier according to any one of claims 1-3, characterized in that, when a radio access node is newly added for the UE, the method further comprises:
acquiring, by the upper layer network control node, the first air interface ID protection key;
sending, by the upper layer network control node, the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts a third air interface ID with the first air interface ID protection key for transmission, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added radio access node.
7. The method for protecting an air interface identifier according to any one of claims 1-3, characterized in that, when a radio access node is newly added for the UE, the method further comprises:
generating, by the upper layer network control node, a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, the third preset parameter including one or any combination of the ID of the newly added radio access node, the carrier frequency of the cell corresponding to the newly added radio access node, and the third air interface ID, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added radio access node;
sending, by the upper layer network control node, the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
8. A device for protecting an air interface identifier, characterized in that it comprises:
a receiving unit, configured to receive a network connection request sent by a user equipment (UE), the network connection request including an identifier of the UE;
an acquiring unit, configured to acquire a root key corresponding to the identifier of the UE;
a generation unit, configured to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, wherein the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, a public land mobile network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
a transmitting unit, configured to send the first air interface ID protection key to a radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission, wherein the first air interface ID is the air interface ID allocated to the UE by the radio access node.
9. The device for protecting an air interface identifier according to claim 8, characterized in that
the transmitting unit is further configured to send the first air interface ID protection key to the UE.
10. The device for protecting an air interface identifier according to claim 8, characterized in that
the transmitting unit is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
11. The device for protecting an air interface identifier according to any one of claims 8-10, characterized in that, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, the key request message including the identifier of the UE;
the acquiring unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitting unit is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key for transmission, wherein the second air interface ID is the air interface ID allocated to the UE by the new radio access node.
12. The device for protecting an air interface identifier according to any one of claims 8-10, characterized in that, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, the key request message including the identifier of the UE;
the generation unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, the second preset parameter being one or any combination of the ID of the new wireless access point, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, wherein the second air interface ID is the air interface ID allocated to the UE by the new radio access node;
the transmitting unit is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
13. The device for protecting an air interface identifier according to any one of claims 8-10, characterized in that, when a radio access node is newly added for the UE,
the acquiring unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitting unit is further configured to send the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts a third air interface ID with the first air interface ID protection key for transmission, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added radio access node.
14. The device for protecting an air interface identifier according to any one of claims 8-10, characterized in that, when a radio access node is newly added for the UE,
the generation unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, the third preset parameter including one or any combination of the ID of the newly added radio access node, the carrier frequency of the cell corresponding to the newly added radio access node, and the third air interface ID, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added radio access node;
the transmitting unit is further configured to send the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
CN201610006376.2A 2016-01-06 2016-01-06 Protection method and device for air interface identifier Active CN106954210B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610006376.2A CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier
PCT/CN2016/110194 WO2017118269A1 (en) 2016-01-06 2016-12-15 Method and apparatus for protecting air interface identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610006376.2A CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier

Publications (2)

Publication Number Publication Date
CN106954210A true CN106954210A (en) 2017-07-14
CN106954210B CN106954210B (en) 2020-02-14

Family

ID=59273216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610006376.2A Active CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier

Country Status (2)

Country Link
CN (1) CN106954210B (en)
WO (1) WO2017118269A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769986A (en) * 2018-06-08 2018-11-06 廊坊新奥燃气设备有限公司 A kind of GPRS remote transmitting gas meters encryption communication method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060712A (en) * 2006-04-20 2007-10-24 华为技术有限公司 Wireless connecting establishment method
WO2009070453A1 (en) * 2007-11-26 2009-06-04 Motorola, Inc. Method and apparatus for performing key management and key distribution in wireless networks
CN101883346A (en) * 2009-05-04 2010-11-10 中兴通讯股份有限公司 Safe consultation method and device based on emergency call
CN102143494A (en) * 2011-03-25 2011-08-03 华为终端有限公司 Data reporting method, data reporting device, and machine to machine (M2M) equipment
CN103167492A (en) * 2011-12-15 2013-06-19 华为技术有限公司 Method and device for generating access layer secret key in communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404721B (en) * 2010-09-10 2014-09-03 华为技术有限公司 Safety protecting method of Un interface, device and base station
CN103973658A (en) * 2013-02-04 2014-08-06 中兴通讯股份有限公司 Static user terminal authentication processing method and device

Also Published As

Publication number Publication date
WO2017118269A1 (en) 2017-07-13
CN106954210B (en) 2020-02-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant