CN106954210B - Protection method and device for air interface identifier - Google Patents

Publication number
CN106954210B
Authority
CN
China
Prior art keywords
air interface
wireless access
access node
protection key
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610006376.2A
Other languages
Chinese (zh)
Other versions
CN106954210A (en
Inventor
祝建建
甘露
菲利普金兹伯格
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201610006376.2A priority Critical patent/CN106954210B/en
Priority to PCT/CN2016/110194 priority patent/WO2017118269A1/en
Publication of CN106954210A publication Critical patent/CN106954210A/en
Publication of CN106954210B publication Critical patent/CN106954210B/en
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation
    • H04W12/043: Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431: Key distribution or pre-distribution; Key agreement
    • H04W12/0433: Key management protocols

Abstract

The invention discloses a method and a device for protecting an air interface identifier, relates to the technical field of wireless communication, and addresses the risk to user privacy and network security caused by air interface ID leakage. In the method for protecting the air interface ID of a UE in a wireless access network, an upper network control node receives a network access connection request sent by the UE, where the request includes the identifier of the UE; the upper network control node obtains a root key corresponding to the identifier of the UE and generates a first air interface ID protection key according to that root key and a first preset parameter; and the upper network control node sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE. The scheme provided by the embodiment of the invention is suitable for use when an air interface ID is transmitted.

Description

Protection method and device for air interface identifier
Technical Field
The present invention relates to the field of wireless communications technologies, and in particular, to a method and an apparatus for protecting an air interface identifier.
Background
In existing wireless communication networks, a wireless network access point allocates an air interface ID (identity) to each user equipment that accesses it, and completes data transmission with the user equipment through that air interface ID. When the user equipment accesses different wireless network access nodes while moving, the new wireless network access node allocates a new air interface ID to the user equipment and then completes data transmission with the user equipment according to the new air interface ID.
However, the radio network access node sends the air interface ID allocated to the user equipment through an air interface signaling message, and if an attacker continuously acquires the air interface ID of a certain user equipment for a long time, the attacker can acquire information such as a movement track and service characteristics of the user based on the air interface ID, which may threaten privacy information of the user and network security.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for protecting an air interface identifier, which can solve the problem that privacy information of a user and network security have risks due to leakage of an air interface ID.
A first aspect of the present invention provides a method for protecting an air interface identifier, where the method includes:
an upper network control node receives a network access connection request sent by User Equipment (UE), wherein the network access connection request comprises an identifier of the UE;
the upper network control node acquires a root key corresponding to the identity of the UE;
the upper network control node generates a first air interface Identification (ID) protection key according to a root key corresponding to the identification of the UE and a first preset parameter, wherein the first preset parameter comprises one or any combination of the identification of the UE, a network equipment ID, a Public Land Mobile Network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network equipment ID is an ID of a cell corresponding to a wireless access point accessed by the UE or an ID of a base station corresponding to the wireless access point accessed by the UE;
and the upper network control node sends the first air interface ID protection key to a wireless access node, so that the wireless access node performs encrypted transmission on a first air interface ID through the first air interface ID protection key, wherein the first air interface ID is an air interface ID allocated to the UE by the wireless access node.
Compared with the prior art that private information of a user and network security risk are caused by air interface ID leakage, the method and the device have the advantages that the upper network control node generates the first air interface ID protection key for the first air interface ID, and the wireless access node can encrypt the first air interface ID through the first air interface ID protection key, so that the first air interface ID is transmitted in an encrypted form, continuous acquisition of the air interface ID by an attacker is avoided, and the private information and the network security of the user are protected.
With reference to the first aspect, it should be noted that, after the upper network control node generates the first air interface ID protection key according to the root key corresponding to the UE identifier and the first preset parameter, the method further includes:
and the upper network control node sends the first air interface ID protection key to the UE.
With reference to the first aspect, optionally, after the upper network control node receives the network access connection request sent by the UE, the method further includes:
and the upper network control node sends the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to a root key corresponding to the identity of the UE and the first preset parameter.
On the basis of the first aspect, optionally, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node, the method further includes:
the upper network control node receives a key request message sent by the new wireless access node, wherein the key request message comprises the identity of the UE;
the upper network control node acquires the first air interface ID protection key according to the identity of the UE;
and the upper network control node sends the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encrypted transmission on a second air interface ID through the first air interface ID protection key, wherein the second air interface ID is an air interface ID allocated to the UE by the new wireless access node.
With reference to the first aspect, optionally, when the wireless access point accessed by the UE is switched from the original wireless access node to a new wireless access node, the method further includes:
the upper network control node receives a key request message sent by the new wireless access node, wherein the key request message comprises the identity of the UE;
the upper network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, wherein the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of a cell corresponding to the new wireless access point and a second air interface ID, and the second air interface ID is an air interface ID allocated to the UE by the new wireless access node;
and the upper network control node sends the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
Compared with the prior art that the privacy information of the user and the network security risk are caused by the leakage of the air interface ID, after the UE is switched to the new wireless access node, the embodiment of the invention still needs to acquire the first air interface ID protection key or generate the second air interface ID protection key for the second air interface ID allocated by the new wireless access node for the UE, so that the second air interface ID is encrypted and transmitted through the first air interface ID protection key or the second air interface ID protection key, and the user privacy and the network security are protected. In addition, the access method of the air interface identifier provided by the embodiment of the invention is applicable to a scene that the UE switches the wireless access node, and is more applicable to a novel network architecture.
In the solution described in the first aspect, when there is a new wireless access node for the UE, the method further includes:
the upper network control node acquires a first air interface ID protection key according to the identity of the UE;
and the upper network control node sends the first air interface ID protection key to the newly added wireless access node so that the newly added wireless access node performs encrypted transmission on a third air interface ID through the first air interface ID protection key, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added wireless access node.
Optionally, when there is a new wireless access node for the UE, the method further includes:
the upper network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, wherein the third preset parameter comprises one or any combination of the ID of the newly-added wireless access node, the carrier frequency of a cell corresponding to the newly-added wireless access node and the ID of the third air interface, and the ID of the third air interface is the air interface ID allocated to the UE by the newly-added wireless access node;
and the upper network control node sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node carries out encryption transmission on the third air interface ID through the third air interface ID protection key.
Compared with the prior art that private information of a user and network security risk are caused by air interface ID leakage, in the technical scheme of the invention, when a newly added wireless access node exists, an upper network control node acquires a first air interface ID protection key or generates a third air interface ID protection key, so that the third air interface ID is encrypted and transmitted through the first air interface ID protection key or the third air interface ID protection key, and meanwhile, the first air interface ID is encrypted and transmitted through the first air interface ID protection key, and the user privacy and the network security are protected.
Optionally, when there are at least two radio access nodes serving the UE, the sending, by the upper network control node, the first air interface ID protection key to a radio access node includes:
and the upper network control node sends the first air interface ID protection key to one wireless access node or at least two wireless access nodes serving the UE.
For the technical scheme provided by the invention, when a plurality of wireless access nodes serve the UE, the upper control network sends the generated first air interface ID protection key to the plurality of wireless access nodes, so that the wireless access nodes can encrypt and transmit the first air interface ID through the first air interface ID protection key, and the condition that the first air interface ID is leaked is avoided.
A second aspect of the present invention provides a protection device for an air interface identifier, including:
a receiving unit, configured to receive a network access connection request sent by a user equipment UE, where the network access connection request includes an identifier of the UE;
an obtaining unit, configured to obtain a root key corresponding to the UE identifier;
a generating unit, configured to generate a first air interface identifier ID protection key according to a root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of an identifier of the UE, a network device ID, a public land mobile network PLMN ID to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is an ID of a cell corresponding to a wireless access point to which the UE accesses or an ID of a base station corresponding to the wireless access point to which the UE accesses;
a sending unit, configured to send the first air interface ID protection key to a wireless access node, so that the wireless access node performs encryption transmission on a first air interface ID through the first air interface ID protection key, where the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
With reference to the second aspect, it is noted that the sending unit is further configured to send the first air interface ID protection key to the UE; and sending the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to a root key corresponding to the identity of the UE and the first preset parameter.
In the second aspect, it can be understood that, when the radio access node accessed by the UE is switched from the original radio access node to the new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the obtaining unit is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on a second air interface ID through the first air interface ID protection key, where the second air interface ID is an air interface ID allocated by the new wireless access node to the UE.
With reference to the second aspect, optionally, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the generating unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point, and a second air interface ID, and the second air interface ID is an air interface ID allocated to the UE by the new wireless access node;
the sending unit is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
With reference to the second aspect, optionally, when there is a new wireless access node for the UE,
the obtaining unit is further configured to obtain a first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on a third air interface ID through the first air interface ID protection key, where the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE.
With reference to the second aspect, optionally, when there is a new wireless access node for the UE,
the generating unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added wireless access node, a carrier frequency of a cell corresponding to the newly added wireless access node, and the third air interface ID, and the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE;
the sending unit is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the third air interface ID protection key.
In connection with the second aspect, optionally, when there are at least two radio access nodes serving the UE,
the sending unit is further configured to send the first air interface ID protection key to one or at least two radio access nodes serving the UE.
In a third aspect, an embodiment of the present invention provides a protection device for an air interface identifier, including:
a memory for storing information including program instructions;
the device comprises a receiver and a control unit, wherein the receiver is used for receiving a network access connection request sent by User Equipment (UE), and the network access connection request comprises an identifier of the UE;
a processor, coupled to the memory, the receiver, and the transmitter, configured to control execution of the program instructions, and in particular, to obtain a root key corresponding to an identity of the UE; generating a first air interface Identification (ID) protection key according to a root key corresponding to the identification of the UE and a first preset parameter, wherein the first preset parameter comprises one or any combination of the identification of the UE, a network equipment ID, a Public Land Mobile Network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network equipment ID is the ID of a cell corresponding to a wireless access point accessed by the UE or the ID of a base station corresponding to the wireless access point accessed by the UE;
the transmitter is configured to send the first air interface ID protection key to a wireless access node, so that the wireless access node performs encryption transmission on a first air interface ID through the first air interface ID protection key, where the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
With reference to the third aspect, optionally, the transmitter is further configured to send the first air interface ID protection key to the UE. The transmitter is further configured to transmit the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to a root key corresponding to the UE identifier and the first preset parameter.
In connection with the third aspect, it is to be understood that, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiver is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the processor is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the transmitter is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encrypted transmission on a second air interface ID through the first air interface ID protection key, where the second air interface ID is an air interface ID allocated by the new wireless access node to the UE.
In connection with the third aspect, it is to be understood that, when the radio access point accessed by the UE is switched from the original radio access node to the new radio access node,
the receiver is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the processor is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point, and a second air interface ID, and the second air interface ID is an air interface ID allocated to the UE by the new wireless access node;
the transmitter is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
In connection with the third aspect, it may be appreciated that, when the UE has a new wireless access node,
the processor is further configured to obtain a first air interface ID protection key according to the identifier of the UE;
the transmitter is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encrypted transmission on a third air interface ID through the first air interface ID protection key, where the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE.
In connection with the third aspect, it may be appreciated that, when the UE has a new wireless access node,
the processor is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added wireless access node, a carrier frequency of a cell corresponding to the newly added wireless access node, and the third air interface ID, and the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE;
the transmitter is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the third air interface ID protection key.
With reference to the third aspect, it is noted that, when there are at least two radio access nodes serving the UE,
the transmitter is further configured to send the first air interface ID protection key to one or at least two radio access nodes serving the UE.
According to the method and device for protecting the air interface identifier provided by the embodiment of the invention, an upper network control node receives an access connection request sent by UE, the access connection request comprises the identifier of the UE, the upper network control node generates a first air interface ID protection key according to a root key corresponding to the identifier of the UE and a first preset parameter, and sends the first air interface ID protection key to a wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art that the private information of the user and the network security risk are caused by the leakage of the air interface ID, the embodiment of the invention generates the first air interface ID protection key for the first air interface ID through the upper network control node, and the wireless access node can encrypt the first air interface ID through the first air interface ID protection key, so that the first air interface ID is transmitted in an encrypted form, thereby avoiding the continuous acquisition of the air interface ID by an attacker and protecting the private information of the user and the network security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic logical structure diagram of a protection system for an air interface identifier according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for protecting an air interface identifier according to an embodiment of the present invention;
Fig. 3 is a flowchart of another protection method for an air interface identifier according to an embodiment of the present invention;
Fig. 4 is a flowchart of another protection method for an air interface identifier according to an embodiment of the present invention;
Fig. 5 is a flowchart of another protection method for an air interface identifier according to an embodiment of the present invention;
Fig. 6 is a schematic logical structure diagram of a protection device for an air interface identifier according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a logic structure of an upper control node in the method for protecting an air interface ID according to the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the problem that the privacy information of the User and the network security are risky due to the leakage of the air interface ID, an embodiment of the present invention provides a system for protecting an air interface identifier, where, as shown in fig. 1, the system includes an upper network control node, a wireless access node, an HSS (Home Subscriber Server), and a UE (User Equipment).
The upper network control node may be a node for managing service connectivity and mobility of the user equipment, and the node may be composed of an SDT (Software Defined Topology) unit or an SDP (Software Defined Protocol) unit.
The SDT unit is used for determining a wireless access node serving the UE after the UE accesses the network.
The SDP unit is used for realizing the function of an upper network control node after the UE is accessed to the network.
The wireless access node is a wireless access node accessed by the UE through an air interface.
The HSS stores the same pre-shared root key as the one held in the USIM card of each UE, and participates in AKA (Authentication and Key Agreement) authentication.
The UE is terminal equipment accessing to a wireless network.
To avoid leakage of an air interface ID, an embodiment of the present invention provides a method for protecting an air interface identifier, where the method is applied to a system for protecting an air interface identifier shown in fig. 1, and as shown in fig. 2, the method includes:
201. The upper network control node receives a network access connection request sent by the UE, where the network access connection request includes the identifier of the UE.
The identifier of the UE may be the IMSI (International Mobile Subscriber Identity) of the UE.
202. The upper network control node acquires a root key corresponding to the identifier of the UE.
203. The upper network control node generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
The first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the PLMN (Public Land Mobile Network) to which the UE belongs, a security algorithm ID, and a random number, where the network device ID is the ID of a cell corresponding to the wireless access point accessed by the UE or the ID of a base station corresponding to the wireless access point accessed by the UE. The first air interface ID protection key is an encryption key and/or an integrity protection key.
Specifically, a random selection algorithm may be used to generate the first air interface ID protection key, for example, K = KDF(Key, time), K = KDF(Key, ID, time), K = KDF(Key, SN), K = KDF(Key, ID, SN), or K = KDF(Key, ID, SN, time), where KDF is a key derivation function; wherein k represents random selection; Key can be a random number or the root key corresponding to the identifier of the UE; and ID may be one or a combination of the UE identifier, network device ID, PLMN ID, and security algorithm ID.
204. The upper network control node sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID through the first air interface ID protection key.
The first air interface ID is an air interface ID allocated by the wireless access node to the UE, the first air interface ID is used for identifying the identity of the UE at an air interface, and the UE and the wireless access node perform data transmission through the first air interface ID.
In the method for protecting an air interface identifier provided in the embodiment of the present invention, the upper network control node receives a network access connection request sent by the UE, where the request includes the identifier of the UE. The upper network control node generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, and sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the embodiment of the present invention, by contrast, the upper network control node generates the first air interface ID protection key for the first air interface ID, and the wireless access node encrypts the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuously acquiring the air interface ID and protects the user's private information and network security.
With reference to the system shown in fig. 1 and the method flow shown in fig. 2, after receiving a network access connection request sent by a UE, an upper network control node needs to authenticate the UE, and in addition, in order to enable the UE to decrypt an encrypted first air interface ID, the UE needs to obtain a first air interface ID protection key, so in another implementation manner provided in the embodiment of the present invention, a method for air interface protection when the UE initially accesses a wireless access point is described, as shown in fig. 3, after the upper network control node receives the network access connection request sent by the UE in step 201, steps 205 and 206 are further included.
205. The upper network control node obtains the authentication data information of the UE from the HSS according to the network access connection request.
206. The upper network control node performs a bidirectional authentication operation with the UE using the authentication data information.
After the mutual authentication is successful, step 202 is performed.
In addition, after the upper network control node generates the first air interface ID protection key according to the root key corresponding to the UE identifier and the first preset parameter in step 203, the method further includes step 207 and step 208.
207. The upper network control node sends the first preset parameter to the UE.
The first preset parameter is the same as the related description in step 202, and is not described herein again.
208. The UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
In another implementation manner provided in the embodiment of the present invention, the upper network control node may directly send the first air interface ID protection key to the UE without performing steps 207 and 208.
It can be understood that, after acquiring or generating the first air interface ID protection key, the UE may decrypt the received first air interface ID according to the first air interface ID protection key.
In addition, step 204, in which the upper network control node sends the first air interface ID protection key to the wireless access node so that the wireless access node encrypts and transmits the first air interface ID through the first air interface ID protection key, may be specifically implemented as steps 2041 to 2042.
2041. The upper network control node sends the first air interface ID protection key to the wireless access node.
2042. The wireless access node encrypts and transmits the first air interface ID through the first air interface ID protection key.
Specifically, the sending of the first air interface ID to the UE by the wireless access node may be implemented as the following four steps.
First, the wireless access node sends a negotiation message to the UE after the security operation has been applied to it, where the negotiation message includes security parameters.
Here, the security operation refers to integrity protection, that is, processing the negotiation message so that it cannot be tampered with during transmission, or so that any tampering can be discovered in time. The security parameters include an encryption algorithm and an integrity protection algorithm.
Second, after the UE verifies the security operation and the security parameters, the UE responds to the wireless access node that the security negotiation succeeded; if the verification fails, the UE rejects the negotiation.
Third, the wireless access node encrypts the first air interface ID according to the security parameters and the first air interface ID protection key, and transmits it to the UE.
Fourth, after receiving the encrypted first air interface ID, the UE decrypts it with the first air interface ID protection key that it received or generated, and from then on uses the first air interface ID for data transmission with the wireless access point.
In the method for protecting an air interface identifier provided in the embodiment of the present invention, the upper network control node receives a network access connection request sent by the UE, where the request includes the identifier of the UE. The upper network control node generates a first air interface ID protection key according to the identifier of the UE, and sends the first air interface ID protection key or the first preset parameter to the UE, so that the UE acquires or generates the first air interface ID protection key. The upper network control node then sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE, and the UE decrypts the first air interface ID with the first air interface ID protection key. In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the embodiment of the present invention, by contrast, the upper network control node generates the first air interface ID protection key for the first air interface ID, and the wireless access node encrypts the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuously acquiring the air interface ID and protects the user's private information and network security.
With reference to the above method flow, when the UE initially accesses the service set of the radio access node, that is, when there are at least two radio access nodes serving the UE, in another implementation manner provided in this embodiment of the present invention, step 204, where the upper network control node sends the first air interface ID protection key to the radio access node may specifically be implemented as:
and the upper network control node sends the first air interface ID protection key to one wireless access node or at least two wireless access nodes serving the UE.
In the embodiment of the present invention, when there are multiple wireless access nodes serving the UE, the upper network control node sends the generated first air interface ID protection key to the multiple wireless access nodes, so that each wireless access node can encrypt and transmit the first air interface ID through the first air interface ID protection key, thereby preventing the first air interface ID from being leaked.
In the process of moving the UE, there is a possibility that the UE moves from one cell to another cell, and accordingly, a wireless access point to which the UE is connected may change, and when the wireless access point of the UE is switched from an original wireless access point to a new wireless access point, in another implementation manner provided in the embodiment of the present invention, as shown in fig. 4, on the basis of the method flows shown in fig. 2 and fig. 3, the method further includes:
401. The upper network control node receives a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE.
402. The upper network control node obtains the first air interface ID protection key according to the identifier of the UE.
Specifically, the upper network control node may obtain the first air interface ID protection key generated last time according to the identifier of the UE. Alternatively, the upper network control node obtains the root key and the first preset parameter corresponding to the identifier of the UE according to the identifier of the UE, and then generates the first air interface ID protection key according to that root key and first preset parameter.
403. The upper network control node sends the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts and transmits the second air interface ID through the first air interface ID protection key.
And the second air interface ID is the air interface ID allocated by the new wireless access node for the UE.
It can be understood that, after the UE is switched from the original radio access node to the new radio access node, the new radio access node encrypts and transmits the second air interface ID to the UE through the first air interface ID protection key, and the original radio access node terminates the transmission of the first air interface ID.
It should be noted that, in another implementation manner provided by the embodiment of the present invention, the step 402 may be replaced with: and the upper network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, wherein the second preset parameter is one or any combination of a new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point and a second air interface ID.
It should be noted that, after the upper network control node generates the second air interface ID protection key, the upper network control node also needs to send the second air interface ID protection key or the second preset parameter to the UE, so that the UE acquires or generates the second air interface ID protection key. If the second preset parameter includes the second air interface ID, the second preset parameter may be sent to the UE through the original wireless access node; specifically, the second preset parameter is encrypted and transmitted using the first air interface ID protection key.
If the upper network control node sends the second preset parameter to the UE, the new wireless access node further needs to trigger the UE to start generating the second air interface ID protection key, for example, the new wireless access node may trigger the UE to execute the operation of generating the second air interface ID protection key by transmitting a specific counter parameter.
Correspondingly, the step 403 may be replaced by: and the upper network control node sends a second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts and transmits the second air interface ID through the second air interface ID protection key.
In the access method of an air interface identifier provided in the embodiment of the present invention, an upper network control node receives a key request message sent by a new wireless access node, the upper network control node obtains a first air interface ID protection key according to an identifier of a UE, and the upper network control node sends the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encrypted transmission on a second air interface ID through the first air interface ID protection key; or the upper network control node generates a second air interface ID protection key according to the root key corresponding to the UE identifier and a second preset parameter, and sends the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts and transmits the second air interface ID through the second air interface ID protection key. Compared with the prior art that the privacy information of the user and the network security risk are caused by the leakage of the air interface ID, after the UE is switched to the new wireless access node, the embodiment of the invention still needs to acquire the first air interface ID protection key or generate the second air interface ID protection key for the second air interface ID allocated by the new wireless access node for the UE, so that the second air interface ID is encrypted and transmitted through the first air interface ID protection key or the second air interface ID protection key, and the user privacy and the network security are protected. In addition, the access method of the air interface identifier provided by the embodiment of the invention is applicable to a scene that the UE switches the wireless access node, and is more applicable to a novel network architecture.
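The key derivation described in steps 203 and 208 and in the handover variant above can be illustrated with the following added example, which is not part of the patent text. It assumes HMAC-SHA-256 as the KDF, an HMAC-based keystream and a truncated HMAC tag as stand-ins for the negotiated encryption and integrity protection algorithms, and constructed names and sample values throughout.

```python
import hashlib
import hmac
import os
import struct


def kdf(key, *params):
    """Assumed KDF: HMAC-SHA-256 over length-prefixed parameters.

    The length prefix keeps (b"ab", b"c") and (b"a", b"bc") from colliding.
    """
    msg = b"".join(struct.pack(">H", len(p)) + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def split_keys(protection_key):
    """Separate encryption and integrity keys from one protection key."""
    return kdf(protection_key, b"enc"), kdf(protection_key, b"int")


def keystream(enc_key, nonce, length):
    """Stand-in cipher (assumption): HMAC-SHA-256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = struct.pack(">I", counter)
        out += hmac.new(enc_key, nonce + block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_air_id(protection_key, air_id):
    """Wireless access node side: encrypt, then integrity-protect the ID."""
    enc_key, int_key = split_keys(protection_key)
    nonce = os.urandom(12)  # fresh per message, so repeated sends of one ID differ
    ct = bytes(a ^ b for a, b in zip(air_id, keystream(enc_key, nonce, len(air_id))))
    tag = hmac.new(int_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def recover_air_id(protection_key, blob):
    """UE side: verify the integrity tag first, then decrypt."""
    if len(blob) < 28:
        raise ValueError("message too short")
    enc_key, int_key = split_keys(protection_key)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(int_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


# Constructed sample values, not taken from the patent.
ROOT_KEY = bytes(range(32))
FIRST_PARAMS = (
    b"001010123456789",                 # identifier of the UE (IMSI-like)
    b"cell-0001",                       # network device ID
    b"00101",                           # PLMN ID
    bytes.fromhex("a1b2c3d4e5f60718"),  # random number
)
SECOND_PARAMS = (b"ap-0002", b"3500MHz")  # new access point ID, carrier frequency
AIR_ID_1 = bytes.fromhex("4f21")
AIR_ID_2 = bytes.fromhex("9c07")


def run_flow():
    """Initial access followed by a handover with a derived second key."""
    k1_network = kdf(ROOT_KEY, *FIRST_PARAMS)    # step 203, control node
    k1_ue = kdf(ROOT_KEY, *FIRST_PARAMS)         # step 208, UE
    msg1 = protect_air_id(k1_network, AIR_ID_1)  # step 2042, access node
    # Handover variant: second key from the first key and second preset parameter.
    k2_network = kdf(k1_network, *SECOND_PARAMS)
    k2_ue = kdf(k1_ue, *SECOND_PARAMS)
    msg2 = protect_air_id(k2_network, AIR_ID_2)
    return {
        "air_id_1": recover_air_id(k1_ue, msg1),
        "air_id_2": recover_air_id(k2_ue, msg2),
        "k1": k1_network, "k2": k2_network,
        "msg1": msg1, "msg2": msg2,
    }


if __name__ == "__main__":
    result = run_flow()
    print("first air interface ID recovered:", result["air_id_1"].hex())
    print("second air interface ID recovered:", result["air_id_2"].hex())
```

Because the second key is derived from the first, the new wireless access node never needs the root key, and a message protected for one node fails the integrity check under the other node's key.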
In addition, when a wireless access node is newly added for the UE, in another implementation manner provided in the embodiment of the present invention, as shown in fig. 5, on the basis of the method flows shown in fig. 2 and fig. 3, the method further includes:
501. The upper network control node obtains the first air interface ID protection key.
Specifically, the upper network control node may directly obtain the first air interface ID protection key generated last time. Alternatively, the upper network control node generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
502. The upper network control node sends the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID through the first air interface ID protection key.
The third air interface ID is the air interface ID allocated by the newly added wireless access node for the UE.
It can be understood that, when there is a newly added wireless access node, the newly added wireless access node encrypts and transmits the third air interface ID to the UE through the first air interface ID protection key, and the original wireless access node still encrypts and transmits the first air interface ID to the UE through the first air interface ID protection key.
It should be noted that, in another implementation manner provided by the embodiment of the present invention, the step 502 may be replaced with: and the upper network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, wherein the third preset parameter comprises one or any combination of a newly added wireless access node ID, a carrier frequency of a cell corresponding to the newly added wireless access node and a third air interface ID.
It should be noted that, after the upper network control node generates the third air interface ID protection key, the upper network control node also needs to send the third air interface ID protection key or the third preset parameter to the UE, so that the UE acquires or generates the third air interface ID protection key. When the third preset parameter includes the third air interface ID, the third preset parameter may be sent to the UE through the original wireless access node; specifically, the third preset parameter needs to be encrypted and transmitted using the first air interface ID protection key.
If the upper network control node sends the third preset parameter to the UE, the newly added wireless access node further needs to trigger the UE to start generating the third air interface ID protection key, for example, the newly added wireless access node may trigger the UE to execute the operation of generating the third air interface ID protection key by transmitting a specific counter parameter.
Correspondingly, the step 503 may be replaced by: the upper network control node sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID through the third air interface ID protection key.
At this time, the newly added wireless access node encrypts and transmits the third air interface ID to the UE through the third air interface ID protection key, and the original wireless access node encrypts and transmits the first air interface ID to the UE through the first air interface ID protection key.
In the access method of the air interface identifier provided in the embodiment of the present invention, the upper network control node obtains the first air interface ID protection key, and sends the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encrypted transmission on the first air interface ID through the first air interface ID protection key, or the upper network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, and sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encrypted transmission on the third air interface ID through the third air interface ID protection key. Compared with the prior art that private information of a user and network security risk are caused by air interface ID leakage, in the embodiment of the invention, when a newly added wireless access node exists, a first air interface ID protection key is obtained or a third air interface ID protection key is generated, so that the third air interface ID is encrypted and transmitted through the first air interface ID protection key or the third air interface ID protection key, and meanwhile, the first air interface ID is encrypted and transmitted through the first air interface ID protection key, and the user privacy and the network security are protected.
Corresponding to the above method embodiment, in order to solve the problem that leakage of the air interface ID puts the user's private information and network security at risk, an embodiment of the present invention provides a protection device for an air interface identifier, where the protection device is applied to an upper network control node, and as shown in fig. 6, the protection device includes: a receiving unit 601, an obtaining unit 602, a generating unit 603, and a sending unit 604.
A receiving unit 601, configured to receive a network access connection request sent by a user equipment UE, where the network access connection request includes an identifier of the UE;
an obtaining unit 602, configured to obtain a root key corresponding to the identity of the UE.
A generating unit 603, configured to generate a first air interface identifier ID protection key according to a root key corresponding to an identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of an identifier of the UE, a network device ID, a public land mobile network PLMN ID to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is an ID of a cell corresponding to a wireless access point to which the UE accesses or an ID of a base station corresponding to the wireless access point to which the UE accesses;
a sending unit 604, configured to send the first air interface ID protection key generated by the generating unit 603 to the wireless access node, so that the wireless access node performs encryption transmission on the first air interface ID through the first air interface ID protection key.
And the first air interface ID is the air interface ID allocated by the wireless access node for the UE.
In another embodiment of the present invention, the sending unit 604 is further configured to send the first air interface ID protection key to the UE.
In another embodiment of the present invention, the sending unit 604 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
In another embodiment of the present invention, when a wireless access node to which a UE accesses is switched from an original wireless access node to a new wireless access node, the receiving unit 601 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes an identifier of the UE;
an obtaining unit 602, further configured to obtain a first air interface ID protection key according to the identifier of the UE;
the sending unit 604 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the first air interface ID protection key.
And the second air interface ID is the air interface ID allocated by the new wireless access node for the UE.
In another embodiment of the present invention, when a wireless access node to which a UE accesses is switched from an original wireless access node to a new wireless access node, the receiving unit 601 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes an identifier of the UE;
the generating unit 603 is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of a new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point, and a second air interface ID;
the sending unit 604 is further configured to send the second air interface ID protection key generated by the generating unit 603 to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the obtaining unit 602 is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the sending unit 604 is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the first air interface ID protection key.
The third air interface ID is the air interface ID allocated by the newly added wireless access node for the UE.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the generating unit 603 is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added wireless access node, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID;
the sending unit 604 is further configured to send a third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the third air interface ID protection key.
In the protection device for an air interface identifier provided in the embodiment of the present invention, the receiving unit receives a network access connection request sent by the UE, where the network access connection request includes an identifier of the UE, the obtaining unit obtains a root key corresponding to the identifier of the UE, the generating unit generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, and the sending unit sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key, and sends the encrypted first air interface ID to the UE. Compared with the prior art that the private information of the user and the network security risk are caused by the leakage of the air interface ID, the embodiment of the invention generates the first air interface ID protection key for the first air interface ID through the upper network control node, and the wireless access node can encrypt the first air interface ID through the first air interface ID protection key, so that the first air interface ID is transmitted in an encrypted form, thereby avoiding the continuous acquisition of the air interface ID by an attacker and protecting the private information of the user and the network security.
An embodiment of the present invention further provides a signal processing apparatus, and as shown in fig. 7, the apparatus is a schematic diagram of a hardware structure of an upper network control node described in fig. 6. The upper network control node may include a memory 701, a processor 702, a receiver 703, a transmitter 704, and a bus 1005.
The Memory 701 may be a ROM (Read Only Memory), a static Memory device, a dynamic Memory device, or a RAM (Random Access Memory). The memory 701 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented by software or firmware, a program code for implementing the technical solution provided by the embodiment of the present invention is stored in the memory 701 and executed by the processor 702.
The receiver 703 is used for communication between the apparatus and other devices or communication networks (such as, but not limited to, Ethernet, a RAN (Radio Access Network), a WLAN (Wireless Local Area Network), etc.).
The processor 702 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided by the embodiments of the present invention.
Bus 1005 may include a pathway to transfer information between various components of the device, such as memory 701, receiver 703, transmitter 704, and processor 702.
It should be noted that although the hardware shown in fig. 7 only shows the memory 701, the receiver 703, the transmitter 704 and the processor 702, as well as the bus 704, in a specific implementation, a person skilled in the art will understand that the apparatus also comprises other devices necessary for realizing normal operation. Also, hardware components for performing other functions may be included, as would be apparent to one skilled in the art, according to particular needs.
Specifically, when the upper network control node shown in fig. 7 is used to implement the apparatus shown in the embodiment of fig. 6, the receiver 703 in the apparatus is used to receive a network access connection request sent by a user equipment UE, where the network access connection request includes an identifier of the UE.
A processor 702, coupled to the memory 701, the receiver 703 and the transmitter 704, configured to control execution of program instructions, specifically to obtain a root key corresponding to an identity of the UE; generating a first air interface Identification (ID) protection key according to a root key corresponding to the identification of the UE and a first preset parameter, wherein the first preset parameter comprises one or any combination of the identification of the UE, a network equipment ID, a Public Land Mobile Network (PLMN) ID to which the UE belongs, a security algorithm ID and a random number, and the network equipment ID is the ID of a cell corresponding to a wireless access point accessed by the UE or the ID of a base station corresponding to the wireless access point accessed by the UE;
a transmitter 704, configured to send the first air interface ID protection key to the wireless access node, so that the wireless access node performs encryption transmission on the first air interface ID through the first air interface ID protection key.
And the first air interface ID is the air interface ID allocated by the wireless access node for the UE.
In another embodiment of the present invention, the transmitter 704 is further configured to transmit the first air interface ID protection key to the UE.
In another embodiment of the present invention, the transmitter 704 is further configured to transmit the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the UE identifier and the first preset parameter.
In another embodiment of the present invention, when the radio access node accessed by the UE is switched from the original radio access node to a new radio access node,
the receiver 703 is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the processor 702 is further configured to obtain a first air interface ID protection key according to the UE identifier;
the transmitter 704 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the first air interface ID protection key.
The second air interface ID is the air interface ID allocated to the UE by the new wireless access node.
In another embodiment of the present invention, when the wireless access point accessed by the UE is switched from the original wireless access node to the new wireless access node,
the receiver 703 is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the processor 702 is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of a new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point, and a second air interface ID;
the transmitter 704 is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the processor 702 is further configured to obtain the first air interface ID protection key according to the UE identifier;
the transmitter 704 is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the first air interface ID protection key.
The third air interface ID is the air interface ID allocated to the UE by the newly added wireless access node.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the processor 702 is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added wireless access node, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID;
the transmitter 704 is further configured to send a third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the third air interface ID protection key.
In another embodiment of the present invention, when there are at least two radio access nodes serving the UE, the transmitter 704 is further configured to transmit the first air interface ID protection key to one of the radio access nodes or to at least two of the radio access nodes serving the UE.
In the protection device for an air interface identifier provided in the embodiment of the present invention, the receiver receives a network access connection request sent by the UE, where the network access connection request includes an identifier of the UE; the processor generates a first air interface ID protection key according to a root key corresponding to the identifier of the UE and a first preset parameter; and the transmitter sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. Compared with the prior art, in which leakage of the air interface ID exposes the user's private information and creates a network security risk, the embodiment of the invention generates the first air interface ID protection key for the first air interface ID at the upper network control node, and the wireless access node encrypts the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuously acquiring the air interface ID and protects the user's private information and network security.
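The key hierarchy described in these embodiments, as an added Python illustration that is not part of the patent text: the upper network control node and the UE derive the same first key from the root key and the first preset parameters, a per-node key is derived from it on handover, and the access node sends the air interface ID only in masked form. HMAC-SHA256 as the derivation function, the XOR keystream standing in for whatever cipher the security algorithm ID selects, the per-message nonce, and all function names and sample values are assumptions.

```python
"""Added illustration: air interface ID protection key hierarchy (assumed KDF)."""
import hashlib
import hmac

# Constructed sample values, not taken from the patent.
ROOT_KEY = bytes(range(32))        # root key held by the network and the UE
PLMN_ID = b"00101"
CELL_ID = b"cell-0001"             # network device ID (cell of the access node)
UE_ID = b"ue-0001"
ALG_ID = b"\x01"                   # security algorithm ID


def _encode(fields):
    """Length-prefix every field so parameter boundaries are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf(key, label, *params):
    """Assumed KDF: HMAC-SHA256 over a purpose label and the preset parameters."""
    return hmac.new(key, _encode((label, *params)), hashlib.sha256).digest()


def derive_first_key(root_key, plmn_id, network_device_id, ue_id, alg_id):
    """First air interface ID protection key, from the root key and the
    first preset parameters (PLMN ID, network device ID, UE ID, algorithm ID)."""
    return kdf(root_key, b"air-id-key/first",
               plmn_id, network_device_id, ue_id, alg_id)


def derive_node_key(first_key, node_id, carrier_freq):
    """Second/third key for a new or newly added access node. Of the allowed
    parameters this example uses the node ID and carrier frequency; the air
    interface ID is left out so the UE can derive the key before decrypting it."""
    return kdf(first_key, b"air-id-key/node", node_id, carrier_freq)


def protect_air_id(key, nonce, air_id):
    """Mask the air interface ID with a keystream derived from key and nonce.
    XOR is its own inverse, so the same call encrypts and decrypts. The nonce
    must be fresh per message so repeated IDs do not produce repeated bytes."""
    stream = kdf(key, b"air-id-mask", nonce)
    if len(air_id) > len(stream):
        raise ValueError("air interface ID longer than one keystream block")
    return bytes(a ^ s for a, s in zip(air_id, stream))


def handover_exchange(air_id, nonce, node_id=b"node-B", freq=b"2140MHz"):
    """Both sides of a handover: the control node derives the node key and hands
    it to the new access node; the UE derives it locally and decrypts."""
    k1_net = derive_first_key(ROOT_KEY, PLMN_ID, CELL_ID, UE_ID, ALG_ID)
    k2_net = derive_node_key(k1_net, node_id, freq)        # sent to new node
    on_air = protect_air_id(k2_net, nonce, air_id)         # what is transmitted
    k1_ue = derive_first_key(ROOT_KEY, PLMN_ID, CELL_ID, UE_ID, ALG_ID)
    k2_ue = derive_node_key(k1_ue, node_id, freq)
    return on_air, protect_air_id(k2_ue, nonce, on_air)    # (ciphertext, UE view)


if __name__ == "__main__":
    sent, recovered = handover_exchange(b"\x00\x00\x4a\x3f", b"\x00" * 8)
    print("on air:", sent.hex(), "recovered by UE:", recovered.hex())
```

Because the node key is a one-way function of the first key, an access node that holds only its own derived key cannot compute the first key or the key issued to another node.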
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware, and may of course also be implemented by hardware, but in many cases the former is the better embodiment. Based on such understanding, the technical solutions of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which is stored in a readable storage medium, such as a floppy disk, a hard disk, or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (14)

1. A method for protecting an air interface identifier is characterized by comprising the following steps:
an upper network control node receives a network access connection request sent by User Equipment (UE), wherein the network access connection request comprises an identifier of the UE;
the upper network control node acquires a root key corresponding to the identity of the UE;
the upper network control node generates a first air interface Identification (ID) protection key according to a root key corresponding to the identification of the UE and first preset parameters, wherein the first preset parameters comprise a Public Land Mobile Network (PLMN) ID to which the UE belongs, a network equipment ID, an identification of the UE and a security algorithm ID, and the network equipment ID is an ID of a cell corresponding to a wireless access point accessed by the UE or an ID of a base station corresponding to the wireless access point accessed by the UE;
and the upper network control node sends the first air interface ID protection key to a wireless access node, so that the wireless access node performs encrypted transmission on a first air interface ID through the first air interface ID protection key, wherein the first air interface ID is an air interface ID allocated to the UE by the wireless access node.
2. The method according to claim 1, wherein after the upper network control node generates a first air interface ID protection key according to a root key corresponding to the UE identifier and a first preset parameter, the method further includes:
and the upper network control node sends the first air interface ID protection key to the UE.
3. The method according to claim 1, wherein after the upper network control node receives a network access connection request sent by the UE, the method further includes:
and the upper network control node sends the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to a root key corresponding to the identity of the UE and the first preset parameter.
4. The method for protecting the air interface identifier according to any of claims 1 to 3, wherein when the radio access node to which the UE accesses is switched from an original radio access node to a new radio access node, the method further includes:
the upper network control node receives a key request message sent by the new wireless access node, wherein the key request message comprises the identity of the UE;
the upper network control node acquires a first air interface ID protection key according to the identity of the UE;
and the upper network control node sends the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encrypted transmission on a second air interface ID through the first air interface ID protection key, wherein the second air interface ID is an air interface ID allocated to the UE by the new wireless access node.
5. The method for protecting the air interface identifier according to any of claims 1 to 3, wherein when the wireless access point accessed by the UE is switched from an original wireless access node to a new wireless access node, the method further includes:
the upper network control node receives a key request message sent by the new wireless access node, wherein the key request message comprises the identity of the UE;
the upper network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, wherein the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of a cell corresponding to the new wireless access point and a second air interface ID, and the second air interface ID is an air interface ID allocated to the UE by the new wireless access node;
and the upper network control node sends the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
6. The method for protecting the air interface identifier according to any of claims 1 to 3, wherein when a wireless access node is newly added for the UE, the method further comprises:
the upper network control node acquires a first air interface ID protection key;
and the upper network control node sends the first air interface ID protection key to the newly added wireless access node so that the newly added wireless access node performs encrypted transmission on a third air interface ID through the first air interface ID protection key, wherein the third air interface ID is the air interface ID allocated to the UE by the newly added wireless access node.
7. The method for protecting the air interface identifier according to any of claims 1 to 3, wherein when a wireless access node is newly added for the UE, the method further comprises:
the upper network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, wherein the third preset parameter comprises one or any combination of the ID of the newly added wireless access node, the carrier frequency of a cell corresponding to the newly added wireless access node and a third air interface ID, and the third air interface ID is the air interface ID allocated to the UE by the newly added wireless access node;
and the upper network control node sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node carries out encryption transmission on the third air interface ID through the third air interface ID protection key.
8. A protection device for an air interface identifier is characterized by comprising:
a receiving unit, configured to receive a network access connection request sent by a user equipment UE, where the network access connection request includes an identifier of the UE;
an obtaining unit, configured to obtain a root key corresponding to the UE identifier;
a generating unit, configured to generate a first air interface identifier ID protection key according to a root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes a public land mobile network PLMN ID to which the UE belongs, a network device ID, an identifier of the UE, and a security algorithm ID, and the network device ID is an ID of a cell corresponding to a wireless access point to which the UE accesses or an ID of a base station corresponding to the wireless access point to which the UE accesses;
a sending unit, configured to send the first air interface ID protection key to a wireless access node, so that the wireless access node performs encryption transmission on a first air interface ID through the first air interface ID protection key, where the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
9. The apparatus for protecting air interface identifier according to claim 8,
the sending unit is further configured to send the first air interface ID protection key to the UE.
10. The apparatus for protecting air interface identifier according to claim 8,
the sending unit is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the UE identifier and the first preset parameter.
11. The apparatus for protecting air interface identifier according to any of claims 8-10, wherein when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the obtaining unit is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on a second air interface ID through the first air interface ID protection key, where the second air interface ID is an air interface ID allocated by the new wireless access node to the UE.
12. The apparatus for protecting air interface identifier according to any of claims 8-10, wherein when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes an identifier of the UE;
the generating unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, a carrier frequency of a cell corresponding to the new wireless access point, and a second air interface ID, and the second air interface ID is an air interface ID allocated to the UE by the new wireless access node;
the sending unit is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node performs encryption transmission on the second air interface ID through the second air interface ID protection key.
13. The apparatus for protecting air interface identifier according to any of claims 8-10, wherein when a wireless access node is newly added for the UE,
the obtaining unit is further configured to obtain a first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on a third air interface ID through the first air interface ID protection key, where the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE.
14. The apparatus for protecting air interface identifier according to any of claims 8-10, wherein when a wireless access node is newly added for the UE,
the generating unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the ID of the newly added wireless access node, the carrier frequency of the cell corresponding to the newly added wireless access node, and a third air interface ID, and the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE;
the sending unit is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node performs encryption transmission on the third air interface ID through the third air interface ID protection key.
CN201610006376.2A 2016-01-06 2016-01-06 Protection method and device for air interface identifier Active CN106954210B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610006376.2A CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier
PCT/CN2016/110194 WO2017118269A1 (en) 2016-01-06 2016-12-15 Method and apparatus for protecting air interface identity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610006376.2A CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier

Publications (2)

Publication Number Publication Date
CN106954210A CN106954210A (en) 2017-07-14
CN106954210B true CN106954210B (en) 2020-02-14

Family

ID=59273216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610006376.2A Active CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier

Country Status (2)

Country Link
CN (1) CN106954210B (en)
WO (1) WO2017118269A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769986A (en) * 2018-06-08 2018-11-06 廊坊新奥燃气设备有限公司 A kind of GPRS remote transmitting gas meters encryption communication method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060712A (en) * 2006-04-20 2007-10-24 华为技术有限公司 Wireless connecting establishment method
WO2009070453A1 (en) * 2007-11-26 2009-06-04 Motorola, Inc. Method and apparatus for performing key management and key distribution in wireless networks
CN101883346A (en) * 2009-05-04 2010-11-10 中兴通讯股份有限公司 Safe consultation method and device based on emergency call
CN102143494A (en) * 2011-03-25 2011-08-03 华为终端有限公司 Data reporting method, data reporting device, and machine to machine (M2M) equipment
CN103167492A (en) * 2011-12-15 2013-06-19 华为技术有限公司 Method and device for generating access layer secret key in communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404721B (en) * 2010-09-10 2014-09-03 华为技术有限公司 Safety protecting method of Un interface, device and base station
CN103973658A (en) * 2013-02-04 2014-08-06 中兴通讯股份有限公司 Static user terminal authentication processing method and device

Also Published As

Publication number Publication date
WO2017118269A1 (en) 2017-07-13
CN106954210A (en) 2017-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant