CN108293223A - A kind of data transmission method, user equipment and network side equipment - Google Patents


Info

Publication number
CN108293223A
Authority
CN
China
Prior art keywords
data packet
network side
key
side equipment
mark
Prior art date
Legal status
Granted
Application number
CN201580084940.6A
Other languages
Chinese (zh)
Other versions
CN108293223B (en)
Inventor
刘菁
黄敏
舒兵
Current Assignee
XFusion Digital Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of CN108293223A
Application granted
Publication of CN108293223B
Status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H04W48/00 Access restriction; Network selection; Access point selection
    • H04W48/08 Access restriction or access information delivery, e.g. discovery data delivery

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a data transmission method, a user equipment and a network side device. The method includes: a user equipment (UE) encrypts and integrity-protects a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the UE from either a first random number generated by the UE itself or a second random number received from the network side device, and the data packet includes an identifier of the UE and user data; when the UE has not established a radio resource control (RRC) connection with the base station, it sends the encrypted and integrity-protected data packet to the network side device. Implementing the invention allows data to be transmitted securely while no RRC connection can be established between the UE and the base station, and reduces signalling overhead.

Description

A kind of data transmission method, user equipment and network side equipment
Technical field
The present invention relates to the field of communication technology, and in particular to a data transmission method, a user equipment and a network side device.
Background technique
In third generation (3G) mobile communication systems and their Long Term Evolution (LTE), a user equipment (UE) must complete a security authentication and key agreement procedure with the network side before it can send data to the network side, so that the data transmission is secure. Current LTE systems use the Evolved Packet System (EPS) Authentication and Key Agreement (AKA) protocol to complete this procedure. Before the authentication and key agreement procedure between the UE and the network side can run, a Radio Resource Control (RRC) connection establishment procedure between the UE and the base station is required, that is, the control plane connection/bearer between the UE and the base station must be established. After the RRC connection has been established, the control plane connection and the user plane bearer between the base station and the core network, and the user plane bearer between the UE and the base station, must also be established. Only once all of these connections/bearers exist can the UE send user data to the network side over the user plane bearer.
Machine-to-Machine (M2M) communication has in recent years attracted wide attention and found many applications in daily life as a new communication concept. M2M technology integrates wireless communication and information technology for bidirectional communication, and suits fields such as security monitoring, vending machines, cargo tracking, payment systems (ATMs, support terminals, parking meters and charging meters, etc.) and remote vehicle control (such as fleet management, toll collection, vehicle recovery and driving-based insurance premiums). By the communicating parties, M2M can be divided into three communication modes: machine to machine, machine to mobile terminal (e.g. remote monitoring by a user) and mobile terminal to machine (e.g. remote control by a user). In M2M communication, an M2M device that accesses the network is also called a Machine Type Communication (MTC) device. MTC needs no human intervention; machines communicate with each other directly. In recent years MTC applications have become more and more plentiful, and MTC is also a trend of future intelligent development, so MTC functionality needs to be supported in LTE systems. For MTC services, the data an MTC device sends to the network side is usually a small packet (typically tens to several hundred bytes). If the data transfer mode of the prior art is used, then every time the UE sends such a small packet to the network side, the control plane connection between the UE and the eNB, the control plane connection and user plane bearer between the eNB and the core network, and the user plane bearer between the UE and the eNB all have to be established. Establishing these connections/bearers involves a large amount of signalling interaction, which generates considerable signalling overhead and lowers system efficiency.
Summary of the invention
Embodiments of the present invention provide a data transmission method, a user equipment and a network side device, so as to reduce the signalling resources needed to establish control plane connections and user plane bearers and to improve system efficiency.
In a first aspect, an embodiment of the invention provides a user equipment including a processor, a receiver and a transmitter. The processor calls data transfer program code stored in a memory to perform the following operations: encrypting and integrity-protecting a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the user equipment (UE) from a first random number generated by the UE or from a second random number received from the network side device, and the data packet includes the identifier of the UE and user data; and, when the UE has not established a radio resource control (RRC) connection with the base station, sending the encrypted and integrity-protected data packet to the network side device through the transmitter. Without establishing an RRC connection with the base station, the UE generates the encryption key and the integrity protection key from a random number it generates itself or from a random number received from the network side device, applies security processing to the data packet to be transmitted, and sends the protected packet to the network side device. This secures the data transmission and reduces the signalling resources needed to establish control plane connections and user plane bearers, improving system efficiency.
With reference to the first aspect, in a first possible implementation of the first aspect, the data packet further includes the first random number, which the network side device uses to determine the decryption key and the integrity verification key for decrypting and integrity-verifying the data packet. When the UE has user data to send, it no longer depends on a random number generated and delivered by the home subscriber server (HSS) for key derivation; instead the UE generates the first random number used for key derivation, derives from it the encryption key and the integrity protection key applied to the packet, and protects the packet with them. This secures the data transmission and improves transmission efficiency.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the data packet further includes security algorithm indication information selected by the UE, which the network side device uses to determine the decryption algorithm and the integrity verification algorithm for the packet. When the UE has user data to send, it no longer depends on a security algorithm (an encryption algorithm and an integrity protection algorithm) selected and delivered by the network side device; instead the UE itself selects the security algorithm used to protect the packet. This secures the data transmission and improves transmission efficiency.
With reference to the first aspect, in a third possible implementation of the first aspect, before the data packet is encrypted and integrity-protected with the encryption key and the integrity protection key, the processor further performs the following operations: when the UE has not established the RRC connection with the base station, sending an authentication request to the home subscriber server (HSS) via the network side device through the transmitter, the authentication request including the identifier of the UE and serving to trigger the HSS to generate the second random number and to determine, from the identifier of the UE and the second random number, the decryption key and the integrity verification key that the network side device uses for the packet; receiving, through the receiver, the response message that the HSS sends via the network side device, the response message including the second random number; and integrity-verifying the response message with the integrity protection key. The UE requests authentication from the network side device without an RRC connection and generates the encryption key and the integrity protection key from the second random number received from the network side device. This secures data transmission without an RRC connection, reduces the signalling overhead of establishing control plane connections and user plane bearers, and improves system efficiency; in addition, by integrity-verifying the response message sent by the network side device, the UE authenticates the network side device without depending on an authentication vector generated and delivered by the HSS, which simplifies the UE's authentication of the network side device.
With reference to the first aspect or any of its possible implementations, in a fourth possible implementation of the first aspect, the processor further: receives, through the receiver, a confirmation message sent by the network side device after it has successfully integrity-verified the data packet; and integrity-verifies the confirmation message with the integrity protection key. By integrity-verifying the confirmation message, the UE authenticates the network side device without depending on an authentication vector generated and delivered by the HSS, which simplifies the UE's authentication of the network side device.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the data packet further includes a third random number generated by the UE, which the network side device uses to update the identifier of the UE after successfully integrity-verifying the data packet; the processor further updates the identifier of the UE according to the third random number after successfully integrity-verifying the confirmation message. The UE and the network side device update the identifier of the UE synchronously, which improves the concealment of the UE and avoids exposing the UE's whereabouts during data transmission, further improving transmission security.
With reference to the first aspect or any of its possible implementations, in a sixth possible implementation of the first aspect, the network side device includes a base station or a gateway.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the data packet further includes the identifier of a destination server, which the gateway uses to establish a transmission control protocol (TCP) connection with the destination server and to send the user data to the destination server over that TCP connection.
With reference to the sixth or seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, when the network side device includes the gateway, the data packet further includes the identifier of the gateway, which the base station uses to forward the data packet to the gateway.
With reference to the sixth, seventh or eighth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, sending the encrypted and integrity-protected data packet to the network side device through the transmitter includes: sending the encrypted and integrity-protected data packet to the base station in a random access preamble message or an RRC connection establishment request message through the transmitter. The UE carries the data packet in the random access preamble message, in the RRC connection establishment request message or in other resources the base station allocates to the UE, and the packet is then forwarded to the network side device, which reduces the signalling resources needed to establish control plane connections and user plane bearers and improves system efficiency.
In a second aspect, an embodiment of the invention provides a network side device including a processor, a receiver and a transmitter. The processor calls data transfer program code stored in a memory to perform the following operations: receiving, through the receiver, a data packet sent by a user equipment (UE) while it has no radio resource control (RRC) connection with the base station, the data packet including the identifier of the UE and user data and being a packet that the UE has encrypted and integrity-protected; determining the decryption key and the integrity verification key corresponding to the UE from the identifier of the UE; decrypting and integrity-verifying the data packet with the decryption key and the integrity verification key; and, after the data packet has been successfully integrity-verified, sending the user data to a destination server through the transmitter. The network side device receives the packet the UE sends without an RRC connection, determines from the identifier of the UE the decryption key and the integrity verification key for the packet, and authenticates the UE by integrity-verifying the packet. This simplifies the network side device's authentication of the UE, reduces the signalling overhead of establishing control plane connections and user plane bearers, and improves system efficiency.
In conjunction with the second aspect, in a first possible implementation of the second aspect, the data packet further includes the first random number generated by the UE; determining the decryption key and the integrity verification key corresponding to the UE from the identifier of the UE includes: sending the identifier of the UE and the first random number to the home subscriber server (HSS), which generates an intermediate key for the UE; generating the decryption key and the integrity verification key corresponding to the UE from the intermediate key generated by the HSS; and storing the correspondence between the identifier of the UE and the decryption key and the integrity verification key.
In conjunction with the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the data packet further includes security algorithm indication information selected by the UE, which the network side device uses to determine the decryption algorithm and the integrity verification algorithm for the packet.
In conjunction with the second aspect, in a third possible implementation of the second aspect, before receiving through the receiver the data packet sent by the UE while it has no RRC connection with the base station, the processor further: receives, through the receiver, an authentication request sent by the UE while it has no RRC connection with the base station, the authentication request including the identifier of the UE; sends the authentication request to the home subscriber server (HSS) through the transmitter, the authentication request triggering the HSS to generate a second random number and to generate an intermediate key for the UE from the identifier of the UE and the second random number; generates the decryption key and the integrity verification key from the intermediate key generated by the HSS, and stores the correspondence between the identifier of the UE and the decryption key and the integrity verification key; and sends a response message to the UE through the transmitter, the response message including the second random number, from which the UE generates the encryption key and the integrity protection key used to encrypt and integrity-protect the data packet. The network side device receives the authentication request the UE sends without an RRC connection, the HSS generates the second random number used for key derivation, and the network side device determines the decryption key and the integrity verification key for the packet from the intermediate key the HSS generates for the UE. Authenticating the UE by integrity-verifying the packet simplifies the network side device's authentication of the UE, reduces the signalling overhead of establishing control plane connections and user plane bearers, and improves system efficiency.
In conjunction with the second aspect or any of its possible implementations, in a fourth possible implementation of the second aspect, the processor further sends a confirmation message to the UE through the transmitter after successfully integrity-verifying the data packet; the UE integrity-verifies the confirmation message using its integrity protection key.
In conjunction with the fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the data packet further includes a third random number generated by the UE, which the UE uses to update its identifier after successfully integrity-verifying the confirmation message; the processor further, after successfully integrity-verifying the data packet, updates the identifier of the UE according to the third random number and stores the correspondence between the updated identifier of the UE and the decryption key and the integrity verification key. The network side device and the UE update the identifier of the UE synchronously, which improves the concealment of the UE and avoids exposing the UE's whereabouts during data transmission, further improving transmission security.
In conjunction with the second aspect or any of its possible implementations, in a sixth possible implementation of the second aspect, the network side device includes a base station or a gateway.
In conjunction with the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the data packet further includes the identifier of a destination server; sending the user data to the destination server through the transmitter includes: establishing a transmission control protocol (TCP) connection with the destination server according to the identifier of the destination server, and sending the user data to the destination server over that TCP connection. The DNS resolution procedure is therefore no longer triggered by the UE, and the UE no longer has to establish a TCP connection with the destination server, a procedure that occupies considerable air-interface resources; instead the gateway triggers the DNS procedure on the UE's behalf, establishes the TCP connection with the destination server, and sends the decrypted user data to the destination server over that connection, which reduces the signalling resources spent establishing TCP connections.
In conjunction with the sixth or seventh possible implementation of the second aspect, in an eighth possible implementation of the second aspect, when the network side device includes the gateway, the data packet further includes the identifier of the gateway, which the base station uses to forward the data packet to the gateway.
In conjunction with the sixth, seventh or eighth possible implementation of the second aspect, in a ninth possible implementation of the second aspect, receiving through the receiver the data packet sent by the UE while it has no RRC connection with the base station includes: receiving, through the receiver, the data packet that the UE sends in a random access preamble message or an RRC connection establishment request message while it has no RRC connection with the base station.
In a third aspect, an embodiment of the invention provides a data transmission method for securely transmitting data from a user equipment (UE) while it has no radio resource control (RRC) connection with the base station. The method includes: the UE encrypts and integrity-protects a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the UE from a first random number generated by the UE or from a second random number received from the network side device, and the data packet includes the identifier of the UE and user data; and, when the UE has not established an RRC connection with the base station, the UE sends the encrypted and integrity-protected data packet to the network side device.
In conjunction with the third aspect, in a first possible implementation of the third aspect, the data packet further includes the first random number, which the network side device uses to determine the decryption key and the integrity verification key for decrypting and integrity-verifying the data packet.
In conjunction with the third aspect or its first possible implementation, in a second possible implementation of the third aspect, the data packet further includes security algorithm indication information selected by the UE, which the network side device uses to determine the decryption algorithm and the integrity verification algorithm for the packet.
In conjunction with the third aspect, in a third possible implementation of the third aspect, before the UE encrypts and integrity-protects the data packet with the encryption key and the integrity protection key, the method further includes: when the UE has not established the RRC connection with the base station, the UE sends an authentication request to the home subscriber server (HSS) via the network side device, the authentication request including the identifier of the UE and serving to trigger the HSS to generate the second random number and to determine, from the identifier of the UE and the second random number, the decryption key and the integrity verification key that the network side device uses for the packet; the UE receives the response message that the HSS sends via the network side device, the response message including the second random number; and the UE integrity-verifies the response message with the integrity protection key.
In conjunction with the third aspect or any of its possible implementations, in a fourth possible implementation of the third aspect, the method further includes: the UE receives a confirmation message sent by the network side device after it has successfully integrity-verified the data packet; and the UE integrity-verifies the confirmation message with the integrity protection key.
In conjunction with the fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the data packet further includes a third random number generated by the UE, which the network side device uses to update the identifier of the UE after successfully integrity-verifying the data packet; the method further includes: after the UE has successfully integrity-verified the confirmation message, the UE updates its identifier according to the third random number.
In conjunction with the third aspect or any of its possible implementations, in a sixth possible implementation of the third aspect, the network side device includes a base station or a gateway.
In conjunction with the sixth possible implementation of the third aspect, in a seventh possible implementation of the third aspect, the data packet further includes the identifier of a destination server, which the gateway uses to establish a transmission control protocol (TCP) connection with the destination server and to send the user data to the destination server over that TCP connection.
In conjunction with the sixth or seventh possible implementation of the third aspect, in an eighth possible implementation of the third aspect, when the network side device includes the gateway, the data packet further includes the identifier of the gateway, which the base station uses to forward the data packet to the gateway.
In conjunction with the sixth, seventh or eighth possible implementation of the third aspect, in a ninth possible implementation of the third aspect, sending the encrypted and integrity-protected data packet to the network side device includes: sending the encrypted and integrity-protected data packet to the base station in a random access preamble message or an RRC connection establishment request message.
Fourth aspect: an embodiment of the present invention provides a data transmission method, including: a network side device receives a data packet sent by a user equipment (UE) while no radio resource control (RRC) connection is established between the UE and a base station, where the data packet includes an identity of the UE and user data, and the data packet has been encrypted and integrity-protected by the UE; the network side device determines, according to the identity of the UE, the decryption key and the integrity verification key corresponding to the UE; the network side device decrypts the data packet and verifies its integrity using the decryption key and the integrity verification key; and, after the integrity verification of the data packet succeeds, the network side device sends the user data to a destination server.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the data packet further includes a first random number generated by the UE, and determining, by the network side device according to the identity of the UE, the decryption key and the integrity verification key corresponding to the UE includes: sending, by the network side device, the identity of the UE and the first random number to a home subscriber server (HSS), so that the HSS generates an intermediate key of the UE; generating the decryption key and the integrity verification key corresponding to the UE from the intermediate key generated by the HSS; and storing the correspondence between the identity of the UE and the decryption key and the integrity verification key.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the data packet further includes security algorithm indication information selected by the UE, which the network side device uses to determine the decryption algorithm and the integrity verification algorithm applied to the data packet.
With reference to the fourth aspect, in a third possible implementation of the fourth aspect, before the network side device receives the data packet sent by the UE while no RRC connection is established with the base station, the method further includes: receiving, by the network side device, an authentication request sent by the UE while no RRC connection is established with the base station, where the authentication request includes the identity of the UE; sending, by the network side device, the authentication request to the HSS, where the authentication request triggers the HSS to generate a second random number and to generate the intermediate key of the UE from the identity of the UE and the second random number; generating, by the network side device, the decryption key and the integrity verification key from the intermediate key generated by the HSS, and storing the correspondence between the identity of the UE and the decryption key and the integrity verification key; and sending, by the network side device, a response message to the UE, where the response message includes the second random number, from which the UE generates the encryption key and the integrity protection key used to encrypt and integrity-protect the data packet.
With reference to the fourth aspect or any of the above possible implementations of the fourth aspect, in a fourth possible implementation of the fourth aspect, the method further includes: after the integrity verification of the data packet succeeds, sending, by the network side device, a confirmation message to the UE, where the UE verifies the integrity of the confirmation message using its integrity protection key.
With reference to the fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the data packet further includes a third random number generated by the UE, which the UE uses to update its identity after the integrity verification of the confirmation message succeeds; and the method further includes: after the integrity verification of the data packet succeeds, updating, by the network side device, the identity of the UE according to the third random number, and storing the correspondence between the updated identity of the UE and the decryption key and the integrity verification key.
With reference to the fourth aspect or any of the above possible implementations of the fourth aspect, in a sixth possible implementation of the fourth aspect, the network side device includes a base station or a gateway.
With reference to the sixth possible implementation of the fourth aspect, in a seventh possible implementation of the fourth aspect, the data packet further includes an identity of the destination server, and sending the user data to the destination server includes: establishing, by the gateway, a transmission control protocol (TCP) connection with the destination server according to the identity of the destination server, and sending the user data to the destination server over the TCP connection.
With reference to the sixth or seventh possible implementation of the fourth aspect, in an eighth possible implementation of the fourth aspect, when the network side device includes the gateway, the data packet further includes an identity of the gateway, which the base station uses to forward the data packet to the gateway.
With reference to the sixth, seventh or eighth possible implementation of the fourth aspect, in a ninth possible implementation of the fourth aspect, receiving, by the network side device, the data packet sent by the UE while no RRC connection is established with the base station includes: receiving, by the base station, the data packet that the UE sends in a random access preamble message or in an RRC connection establishment request message while no RRC connection is established with the base station.
Fifth aspect: an embodiment of the present invention provides a user equipment for performing the data transmission method of the third aspect or of any possible implementation of the third aspect; the user equipment includes modules or units for performing that data transmission method.
Sixth aspect: an embodiment of the present invention provides a network side device for performing the data transmission method of the fourth aspect or of any possible implementation of the fourth aspect; the network side device includes modules or units for performing that data transmission method.
Seventh aspect: an embodiment of the present invention provides a data transmission system including a user equipment and a network side device, where the user equipment is the user equipment of the first aspect or of any possible implementation of the first aspect, and the network side device is the network side device of the second aspect or of any possible implementation of the second aspect.
Eighth aspect: an embodiment of the present invention provides a computer program including program code which, when the computer program is run by a user equipment (UE), performs the data transmission method of the third aspect or of any possible implementation of the third aspect.
Ninth aspect: an embodiment of the present invention provides a computer program including program code which, when the computer program is run by a network side device, performs the data transmission method of the fourth aspect or of any possible implementation of the fourth aspect.
The foregoing aspects of the present invention will be more concisely understood from the description of the embodiments below.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below; clearly, the drawings described below show only some embodiments of the present invention.
Fig. 1A is a schematic diagram of the network architecture of an LTE system;
Fig. 1B is a signaling diagram of the AKA security authentication and key agreement procedure;
Fig. 2 is a signaling diagram of the connection/bearer establishment procedure that precedes data transmission;
Fig. 3 is a schematic diagram of the network architecture of an LTE system provided by an embodiment of the present invention;
Fig. 4A is a flowchart of a data transmission method provided by an embodiment of the present invention;
Fig. 4B is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 4C is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 4D is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 4E is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 4F is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 4G is a flowchart of another data transmission method provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of a user equipment provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a network side device provided by an embodiment of the present invention;
Fig. 7A is a structural diagram of another user equipment provided by an embodiment of the present invention;
Fig. 7B is a structural diagram of another user equipment provided by an embodiment of the present invention;
Fig. 7C is a structural diagram of another user equipment provided by an embodiment of the present invention;
Fig. 7D is a structural diagram of another user equipment provided by an embodiment of the present invention;
Fig. 8A is a structural diagram of another network side device provided by an embodiment of the present invention;
Fig. 8B is a structural diagram of another network side device provided by an embodiment of the present invention;
Fig. 8C is a structural diagram of another network side device provided by an embodiment of the present invention;
Fig. 8D is a structural diagram of another network side device provided by an embodiment of the present invention;
Fig. 8E is a structural diagram of another network side device provided by an embodiment of the present invention.
Description of Embodiments
For a better understanding of the data transmission method, user equipment and network side device provided by the embodiments of the present invention, the network architecture of the LTE system, the AKA security authentication and key agreement procedure, and the connection/bearer establishment procedure that precedes data transmission are described first.
Referring to Fig. 1A, Fig. 1A is a schematic diagram of the network architecture of an LTE system. The LTE network architecture mainly includes the UE, the evolved base station (EUTRAN Node B, eNB), the mobility management entity (MME), the serving gateway (S-GW), the packet data network gateway (P-GW) and the home subscriber server (HSS). The eNB is a network element of the evolved universal terrestrial radio access network (EUTRAN); the MME, S-GW, P-GW and HSS are network elements of the evolved packet core (EPC). The UE and the eNB communicate wirelessly over the Uu interface; the interface between the eNB and the MME is S1-MME, and the interface between the eNB and the S-GW is S1-U. To ease the development of new services, the LTE system separates the user plane from the control plane: in the LTE core network, control plane signaling and user plane bearers are handled by separate network elements, the MME and the S-GW respectively.
Specifically, the main functions of the MME include non-access stratum (NAS) signaling, NAS signaling security, signaling establishment, tracking of the UE (when the UE is in IDLE mode), roaming, authentication and authorization, and bearer management across core networks.
The S-GW is the anchor point for eNB handover and for handover to other systems, and the anchor point for forwarding 2G/3G traffic; it also buffers downlink packets, performs some initial processing, lawful interception, and packet routing and forwarding. The P-GW is responsible for policy enforcement, packet filtering, lawful interception, allocation of the UE's IP address, charging, packet replication, and so on.
It should be noted that the control signaling between the UE, the eNB and the core network is handled by the MME; user data is transferred through the S-GW to the P-GW, and from the P-GW to the various external (from the operator's perspective) access point name (APN) nodes, such as a public data network (PDN).
Referring to Fig. 1B, Fig. 1B is a signaling diagram of the AKA security authentication and key agreement procedure. The entities participating in security authentication and key agreement in the LTE system are the UE, the MME and the HSS. The procedure is based on a symmetric key: a root key K is shared in advance between the UE and the HSS. Specifically, a permanent symmetric root key K is shared between the universal subscriber identity module (USIM)/subscriber identity module (SIM) of the UE and the HSS maintained by the operator; K is written once when the USIM/SIM is manufactured and is protected by the security mechanism of the USIM/SIM so that it cannot be read out. The procedure includes the following steps.
S101: The UE sends an authentication request to the MME, carrying the UE's international mobile subscriber identity (IMSI), the UE capabilities (the encryption and integrity protection algorithms the UE supports), the identity of the HSS, and similar information.
S102: The MME forwards the UE's authentication request to the HSS, carrying the IMSI, the serving network identity (SNID) and the serving network type. On receiving the request, the HSS looks up the IMSI and the SNID in its local database to verify the legitimacy of both entities. If the verification succeeds, the HSS finds the root key K corresponding to the IMSI, generates a random parameter RAND, and then generates the authentication vector (AV) for the UE from RAND, the authentication sequence number SQN it currently holds, the key K and other information. The AV includes RAND, the authentication token (AUTN), the expected response (XRES) and the shared key KASME (the base key from which the non-access stratum and access stratum keys are derived).
S103: The HSS returns an authentication response to the MME carrying the AV of the UE, and the MME stores the received AV.
S104: The MME sends an authentication request to the UE, carrying the RAND and AUTN from the UE's AV and the key set identifier KSIASME that the MME assigns to KASME.
S105: On receiving the authentication request, the UE verifies the received RAND and AUTN: it computes an AUTN' from RAND, the SQN contained in AUTN and the root key K shared with the network side, and compares AUTN' with the received AUTN. If they match, the UE has authenticated the network side; it then computes a response (RES) from RAND and the root key K and sends it to the MME. The UE further derives the air interface key KeNB from KASME.
S106: The MME compares the received RES with the XRES in the AV. If they are identical, the MME has authenticated the UE; it further derives the air interface key KeNB using KASME as the base key, and sends KeNB and the UE capabilities to the eNB.
S107: The eNB determines the encryption and integrity protection algorithms for air interface user plane data and control plane signaling according to the UE capabilities and the algorithms it supports itself, and sends the selected encryption and integrity protection algorithms to the UE in a security mode command (SMC) message. At this point the UE and the eNB can each derive, from the air interface key KeNB and the agreed key algorithms, the keys used for air interface encryption and integrity protection: KUPenc, KRRCenc and KRRCint. KUPenc is the user data encryption key, ensuring the confidentiality of uplink data between the UE and the eNB; KRRCenc is the access stratum RRC signaling encryption key, ensuring the confidentiality of RRC signaling between the UE and the eNB; and KRRCint is the access stratum RRC signaling integrity protection key, ensuring the integrity of RRC signaling between the UE and the eNB.
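The following Python model of steps S101 to S107 is an added example and is not part of the patent: it runs the challenge-response exchange and the key hierarchy K, KASME, KeNB, KUPenc/KRRCenc/KRRCint on both sides, and shows that the UE sends no RES when AUTN does not verify. It assumes HMAC-SHA256 as a stand-in for the MILENAGE functions (labelled f1 to f5 here) and for the 3GPP KDF, a simplified AUTN layout (SQN xor AK, AMF, MAC), and constructed values for K, SQN, the serving network identity and the algorithm identifiers; the real algorithms, encodings and KDF input strings are specified in 3GPP TS 33.401 and the MILENAGE specification and are not reproduced here.

```python
import hmac
import hashlib
import os

AMF = bytes.fromhex("8000")  # authentication management field; constructed value


def prf(key: bytes, label: bytes, *parts: bytes, n: int = 16) -> bytes:
    """Stand-in for the MILENAGE functions and the 3GPP KDF (assumption):
    HMAC-SHA256 over a label and the inputs, truncated to n bytes."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hss_generate_av(k: bytes, sqn: int, sn_id: bytes) -> dict:
    """S102: the HSS builds the authentication vector from K, a fresh RAND and its SQN."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac_a = prf(k, b"f1", rand, sqn_b, AMF, n=8)  # proves to the UE that the network knows K
    xres = prf(k, b"f2", rand, n=8)                # expected UE response
    ck, ik = prf(k, b"f3", rand), prf(k, b"f4", rand)
    ak = prf(k, b"f5", rand, n=6)                  # anonymity key that conceals SQN
    autn = xor(sqn_b, ak) + AMF + mac_a
    kasme = prf(ck + ik, b"KASME", sn_id, xor(sqn_b, ak), n=32)
    return {"RAND": rand, "AUTN": autn, "XRES": xres, "KASME": kasme}


def ue_authenticate(k: bytes, rand: bytes, autn: bytes, sn_id: bytes):
    """S105: the UE verifies AUTN before it answers; returns (RES, KASME) or None."""
    ak = prf(k, b"f5", rand, n=6)
    sqn_b = xor(autn[:6], ak)
    amf, mac_a = autn[6:8], autn[8:]
    if not hmac.compare_digest(prf(k, b"f1", rand, sqn_b, amf, n=8), mac_a):
        return None  # network side failed authentication: no RES is sent
    ck, ik = prf(k, b"f3", rand), prf(k, b"f4", rand)
    kasme = prf(ck + ik, b"KASME", sn_id, autn[:6], n=32)
    return prf(k, b"f2", rand, n=8), kasme


def derive_as_keys(kasme: bytes, nas_count: int, enc_alg: int, int_alg: int) -> dict:
    """S105 to S107: KASME -> KeNB -> air interface keys, computed identically by UE and network."""
    kenb = prf(kasme, b"KeNB", nas_count.to_bytes(4, "big"), n=32)
    return {
        "KeNB": kenb,
        "KUPenc": prf(kenb, b"UP-enc", bytes([enc_alg])),
        "KRRCenc": prf(kenb, b"RRC-enc", bytes([enc_alg])),
        "KRRCint": prf(kenb, b"RRC-int", bytes([int_alg])),
    }


def run_aka(k_ue: bytes, k_hss: bytes, sqn: int = 1, sn_id: bytes = b"46000",
            enc_alg: int = 2, int_alg: int = 2) -> dict:
    """Runs S102 to S107 end to end and reports whether both sides end with the same keys."""
    av = hss_generate_av(k_hss, sqn, sn_id)                    # S102/S103
    ue = ue_authenticate(k_ue, av["RAND"], av["AUTN"], sn_id)  # S104/S105
    if ue is None:
        return {"ok": False, "reason": "UE rejected AUTN"}
    res, kasme_ue = ue
    if not hmac.compare_digest(res, av["XRES"]):               # S106
        return {"ok": False, "reason": "RES mismatch"}
    keys_ue = derive_as_keys(kasme_ue, 0, enc_alg, int_alg)
    keys_nw = derive_as_keys(av["KASME"], 0, enc_alg, int_alg)  # S107, after the SMC
    return {"ok": True, "keys_match": keys_ue == keys_nw, "keys": keys_ue}
```

Run `run_aka(K, K)` with the same constructed K on both sides to see matching KUPenc/KRRCenc/KRRCint; `run_aka(bytes(16), K)` models a UE whose USIM holds a different K, which rejects AUTN and never reveals a response.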
In the existing LTE system, before the UE and the network side carry out the above security authentication and key agreement procedure, an RRC connection establishment procedure must first be performed between the UE and the eNB, that is, the control plane connection/bearer between the UE and the eNB must be established. After the RRC connection is established, the control plane connection and the user plane bearer between the eNB and the core network, and the user plane bearer between the UE and the eNB, must also be established. Only after these connections/bearers exist can the UE send user data to the network side over the user plane bearer.
Referring also to Fig. 2, Fig. 2 is a signaling diagram of the connection/bearer establishment procedure that precedes data transmission. In the LTE system, a UE in the idle (IDLE) state has no signaling connection with the network side: no radio resources are allocated to the UE, the network side holds no UE context, and the RRC connection between the UE and the network side and the S1 connection between the eNB and the core network have been released. When a UE in the IDLE state has data to send, the signaling procedure for connection/bearer establishment before data transmission is therefore as follows.
S201: When the UE has data to send, it waits for a physical random access channel (PRACH) scheduling period according to the random access resource information configured by the system, and sends a random access preamble (Preamble) message to the eNB containing the random access preamble sequence selected by the UE.
S202: After receiving the preamble sent by the UE, the eNB sends a random access response to the UE within the random access response window. One random access response message can respond to the random access requests (preambles) of several UEs.
The random access response is scheduled by downlink control information (DCI) carried on a physical downlink control channel (PDCCH) scrambled with a random access radio network temporary identifier (RA-RNTI), where the RA-RNTI is determined by the PRACH time-frequency resource on which the preamble was sent. The random access response contains a backoff parameter, a preamble identifier corresponding to the Preamble message, an uplink timing advance (TA), the uplink resources allocated for the UE to send message 3, a cell radio network temporary identifier (C-RNTI), and so on. The backoff parameter indicates the mean delay before the UE initiates the next random access if this random access fails.
Further, the UE determines from the RA-RNTI and the preamble identifier in the random access response whether the eNB addressed the random access response to it: if the preamble corresponding to the preamble identifier in the random access response matches the preamble the UE sent when initiating random access, the UE considers that it has received the random access response successfully and will subsequently send message 3 to the network side. If the UE does not correctly receive a random access response, it determines the delay before the next random access according to the backoff parameter, selects random access resources again and initiates the next random access. After the maximum number of random access attempts is reached, the UE medium access control (MAC) layer reports a random access problem to the RRC layer, triggering the radio link failure procedure.
S203: After receiving the random access response, the UE sends message 3 on the uplink resources allocated by the eNB. Message 3 carries different contents in different scenarios; for example, at initial access it carries the RRC connection establishment request message generated by the RRC layer.
S204: The eNB and the UE complete contention resolution through message 4.
The content of message 4 corresponds to the content of message 3. At initial access, message 4 carries the UE contention resolution identity MAC control element (Contention Resolution Identity MAC CE). After receiving the MAC CE, the UE compares the user identifier carried in the MAC CE with the user identifier carried in message 3; if they are identical, the UE knows that it has won the contention.
Message 4 can also include an RRC connection setup message for establishing signaling radio bearer 1 (SRB1) of the UE.
S205: After contention resolution is complete, the UE establishes SRB1 according to the information in the RRC connection setup message and sends an RRC connection setup complete message to the network.
A NAS service request message can be piggybacked on the RRC connection setup complete message sent to the network side.
S206: After receiving the RRC connection setup complete message, the eNB forwards the piggybacked NAS service request message to the MME, requesting the MME to establish the relevant connections between the eNB serving the UE and the core network elements (the control plane connection with the MME and the S1 bearer with the S-GW).
S207: The MME notifies the eNB of the connection information corresponding to the UE.
S208: The eNB sends a security mode command (SMC) and an RRC connection reconfiguration message to the UE, to activate security for the UE and to establish the data radio bearer (DRB) and the other signaling radio bearer (SRB2) for the UE.
Note that the security mode command (SMC) is integrity-protected before transmission, and the RRC connection reconfiguration message is encrypted and integrity-protected before transmission.
S209: After security activation and the configuration of the DRB and SRB2 are complete, the UE sends a security mode complete message and an RRC connection reconfiguration complete message to the network side.
S210: After the above procedure, the user plane data of the UE is sent to the P-GW over the DRB between the UE and the eNB and the S1 bearer between the eNB and the S-GW; the control signaling between the UE and the core network is sent to the MME over the SRB between the UE and the eNB and the S1AP between the eNB and the MME.
In many MTC service scenarios, an MTC device sends only a small amount of data to the network side, and the transmission period is usually long: on the order of seconds, days or even months. Examples are the data reported by smart metering devices (smart electricity, water and gas meters) and the consumption information sent by wireless point-of-sale (POS) terminals. With the existing data transmission mode, such traffic incurs a large signaling overhead (for example, the signaling in the procedure before data transmission described above), which lowers system efficiency.
To address this problem, the embodiments of the present invention provide a data transmission method, a user equipment and a network side device that allow the UE to transmit data to the network side, and ensure the security of that transmission, while no RRC connection is established between the UE and the base station (that is, with neither a control plane connection nor a user plane bearer set up), so that the signaling needed to establish the control plane and user plane connections is reduced, signaling overhead falls, and system efficiency improves.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings; clearly, the described embodiments are only some, not all, of the embodiments of the present invention. The terms used in the embodiments are intended only to describe particular embodiments and not to limit the invention. The singular forms "a", "an", "the" and "said" used in the embodiments and in the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. The term "and/or" used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
The user equipment (UE) in the following embodiments includes but is not limited to MTC devices and mobile broadband (MBB) devices. A terminal used for MTC services (small packet data transmission services, in which the transmitted user data is typically no larger than one kilobyte) is called an MTC device; it can be a UE with MTC characteristics, such as a meter-reading terminal, mobile phone, tablet computer, laptop, palmtop computer, mobile internet device (MID), wearable device (smartwatch, smart wristband, smart glasses, etc.), or any other terminal device or communication module with a USIM/SIM card installed. An MTC device can access networks such as the global system for mobile communications (GSM), general packet radio service (GPRS), universal mobile telecommunications system (UMTS), UMTS terrestrial radio access network (UTRAN) and EUTRAN to communicate with an MTC server or other MTC devices and realize MTC applications. A terminal used for MBB services (such as small packet data services like WeChat) is called an MBB device, such as a mobile phone, tablet computer, laptop, palmtop computer, MID, wearable device (smartwatch, smart wristband, smart glasses, etc.), or any other terminal device or communication module with a USIM/SIM card installed.
Referring to Fig. 3, Fig. 3 is a schematic diagram of the network architecture of an LTE system provided by an embodiment of the present invention. The LTE network architecture mainly includes the UE, the base station eNB and the core network. The core network mainly includes the S-GW (for example, the MTC-GW in MTC services), the HSS and the P-GW; the P-GW can exist separately, or its functions can be integrated into the S-GW so that a single S-GW realizes all the functions of the existing S-GW and P-GW. The UE and the eNB communicate wirelessly over the Uu interface; the eNB and the S-GW transmit data over the S1-U interface; and the S-GW and the HSS transmit data over a newly added S-HSS interface (S-HSS is the name used here for the new interface between the S-GW and the HSS; other names are possible, and the embodiment does not limit this). The eNB can thus exchange data with the HSS through the S-GW. User data is transferred through the S-GW to the P-GW and then to the destination server, or the S-GW sends the user data directly to the server.
Referring to Fig. 4A, Fig. 4A is a flowchart of a data transmission method provided by an embodiment of the present invention. The method includes but is not limited to the following steps.
S401: The user equipment (UE) encrypts and integrity-protects a data packet using an encryption key and an integrity protection key.
Specifically, when a UE in the IDLE state has user data to send to the network side device, the UE applies security processing (encryption and integrity protection) to the data packet to be sent using its encryption key and integrity protection key. The UE includes but is not limited to an MTC device or an MBB device, and the data packet includes but is not limited to the identity of the UE and the user data the UE wants to send. The user data is small packet data, that is, a small amount of user data. For example, in MTC services, the user data an MTC device sends to the network side device each time is a small packet (usually tens to hundreds of bytes); in a smart meter-reading service, the UE may report electricity/water meter information to the network side device once a month, the network side device uploads the information to the destination server (such as the meter-reading server of a residential area) for statistical processing, and the reported meter information amounts to only a few tens of bytes. As another example, in the WeChat service among MBB services, the WeChat user data an MBB device sends to the network side device each time is usually no larger than one kilobyte.
As an optional embodiment, the UE generates a first random number for key derivation and derives its key information (including the encryption key and the integrity protection key used to encrypt and integrity-protect the data packet to be sent) step by step from the first random number. As another optional embodiment, the HSS generates a second random number for key derivation and delivers it to the UE through the network side device, and the UE derives its key information step by step from the second random number delivered by the network side device. Generating the key information may specifically be: the UE takes the first random number (or the second random number) and its root key K as inputs and derives the key information step by step according to the key algorithm negotiated between the UE and the network side device. Correspondingly, the network side derives, from the first random number (or the second random number) and the root key of the UE and according to the same key algorithm, the key information corresponding to the UE (including the decryption key and the integrity verification key used to decrypt and verify the integrity of the received data packet); in the implementations described above the root key stays in the HSS, which generates an intermediate key from these inputs, and the network side device derives the decryption key and the integrity verification key from that intermediate key. The encryption key generated by the UE and the decryption key generated by the network side device are identical, and the integrity protection key generated by the UE and the integrity verification key generated by the network side device are identical. The network side device includes but is not limited to a base station (such as an eNB) and a gateway (such as an S-GW; for MTC services, the gateway is the MTC-GW). The key algorithm can be negotiated between the UE and the network side device in advance: for example, the UE selects a key algorithm and sends it to the network side device, or the network side device selects a key algorithm and sends it to the UE; the embodiment does not limit this. When generating the key information of the UE, the UE and the network side device can also add other key generation parameters, for example the identity of the UE.
Specifically, the UE encrypts the user data in the data packet with the encryption key to obtain encrypted user data, and applies integrity protection to the parameter information in the data packet (including, but not limited to, the identifier of the UE) with the integrity protection key to obtain integrity protection information, namely a message authentication code for integrity (MAC-I). The UE sends the encrypted user data, the parameter information and the MAC-I obtained after the encryption and integrity protection processing as the data packet to be transmitted. For example, the UE takes the user data and the encryption key as input parameters and processes them with the encryption algorithm (which can be regarded as a hash function) to obtain the encrypted user data; the UE takes the identifier of the UE and the integrity protection key as input parameters and processes them with the integrity protection algorithm (a hash function) to obtain the MAC-I.
For example, if the identifier of the UE is A, the user data is B, the encrypted user data obtained by the UE after encrypting user data B with the encryption key is B', and the MAC-I obtained by the UE after integrity-protecting A with the integrity protection key is a, then the data packet carries A, B' and a.
Optionally, the user data may also take part in the integrity protection process, that is, the UE applies integrity protection to the parameter information and the user data with the integrity protection key corresponding to the UE to obtain the MAC-I. Similarly, parameters in the parameter information other than the identifier of the UE (for example, parameters that the network side equipment does not need to use directly before decrypting the received data packet) may also take part in the encryption process, yielding encrypted parameters; the data packet then contains the encrypted user data, the encrypted parameters, the unencrypted parameters and the MAC-I.
If the user data in the data packet takes part only in the encryption process and not in the integrity protection process, and the parameter information takes part only in the integrity protection process and not in the encryption process, then the UE may encrypt the user data and integrity-protect the parameter information either simultaneously or at different times; when they are performed at different times, the embodiment of the present invention does not limit their order. If the user data in the data packet takes part in both the encryption process and the integrity protection process, and the parameter information takes part in the integrity protection process while some of its parameters also take part in the encryption process, then the UE first applies integrity protection to the user data and the parameter information to obtain the MAC-I, and then encrypts the user data and the partial parameters; encrypting the user data and encrypting the partial parameters may be performed simultaneously or at different times, and when they are performed at different times the embodiment of the present invention does not limit their order.
Optionally, in the embodiment in which the UE generates the first random number, the parameter information in the data packet further includes security algorithm indication information selected by the UE. The security algorithm indication information includes the encryption algorithm identifier corresponding to the encryption algorithm used by the UE (for example, one of the EPS Encryption Algorithms (EEA): EEA0 (the null algorithm), EEA1 (the standard algorithm based on 3G networks), EEA2 (the enhanced encryption algorithm) or EEA3 (the ZUC, or Zu Chongzhi, algorithm)) and the integrity protection algorithm identifier corresponding to the integrity protection algorithm used by the UE (for example, one of the EPS Integrity Algorithms (EIA): EIA0 (the null algorithm), EIA1 (the standard algorithm based on 3G networks), EIA2 (the enhanced algorithm) or EIA3 (the ZUC algorithm)). The encryption algorithm is used by the UE to encrypt the data packet, and the integrity protection algorithm is used by the UE to integrity-protect the data packet. The security algorithm indication information takes part in the integrity protection process but not in the encryption process. Specifically, the encryption algorithm is the algorithm the UE uses to encrypt the user data and the partial parameters in the parameter information, and the integrity protection algorithm is the algorithm the UE uses to integrity-protect the parameter information. The security algorithm indication information only needs to be carried in the first data packet the UE sends to the network side equipment; once the network side equipment has obtained the security algorithm indication information from a received data packet, subsequent data packets sent by the UE to the network side equipment may or may not carry it, and the embodiment of the present invention does not specifically limit this.
Optionally, the parameter information in the data packet further includes the identifier of the destination server.
Specifically, the identifier of the destination server includes, but is not limited to, a uniform resource locator (URL). The identifier of the destination server takes part in the integrity protection process and may also take part in the encryption process.
Optionally, if the network side equipment is a gateway, the parameter information in the data packet further includes the identifier of the gateway.
Specifically, after the UE has sent a data packet to the gateway, the gateway may send its identifier to the UE; the next time the UE sends a data packet to the gateway, the parameter information in the data packet further includes the identifier of the gateway. The identifier of the gateway takes part in the integrity protection process but not in the encryption process.
Specifically, if the network side equipment is a base station, the UE performs the encryption and integrity protection of the data packet in the Packet Data Convergence Protocol (PDCP) layer of the second layer (data link layer) of the radio interface. If the network side equipment is a gateway, a peer protocol sublayer is needed between the UE and the gateway, and the UE performs the encryption and integrity protection of the data packet in that peer protocol sublayer. The peer protocol sublayer may be a newly added protocol sublayer or an extension of the functions of an existing protocol sublayer.
S403, the UE sends the data packet obtained after encryption and integrity protection to the network side equipment while no radio resource control (RRC) connection with the base station has been established.
Specifically, while no RRC connection with the base station has been established, the UE sends the data packet obtained after the encryption and integrity protection processing to the network side equipment, and the network side equipment receives the encrypted and integrity-protected data packet sent by the UE without an RRC connection to the base station. The network side equipment includes, but is not limited to, a base station and a gateway; that is, the network side equipment may be a base station, a gateway, or both a base station and a gateway. If the network side equipment is a base station, the UE sends the data packet to the base station, the base station receives the data packet and performs step S405, and messages or data transmitted between the base station and the gateway are protected by protocols such as Internet Protocol Security (IPsec). If the network side equipment is a gateway, the UE sends the data packet to the base station, the base station receives the data packet and forwards it to the gateway, and the gateway receives the data packet sent by the base station and performs step S405.
Optionally, the UE sending the encrypted and integrity-protected data packet to the network side equipment comprises:
the UE sends the encrypted and integrity-protected data packet to the base station in a random access preamble message (Preamble message), in an RRC connection setup request message, or in other resources the base station has allocated to the UE.
Specifically, if the network side equipment is the base station, the UE carries the data packet in the preamble sequence of the Preamble message, in the resources of the RRC connection setup request message, or in other resources the base station has allocated to the UE, and sends the data packet to the base station; the base station receives the data packet that the UE sends without an RRC connection through the preamble sequence of the Preamble message, the resources of the RRC connection setup request message, or the other resources allocated by the base station to the UE. If the network side equipment is a gateway, the UE likewise carries the data packet in the preamble sequence of the Preamble message, in the resources of the RRC connection setup request message, or in other resources allocated by the base station to the UE, and sends it to the base station; the base station receives the data packet and forwards it to the gateway. Since both the Preamble message and the RRC connection setup request message are sent to the base station before the UE establishes an RRC connection, at that time the UE has not yet set up a control plane connection and user plane bearer with the network side equipment, so the signalling resources needed to establish those bearers can be reduced.
S405, the network side equipment determines the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE.
Specifically, after the network side equipment receives the data packet sent by the UE, it determines the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE carried in the data packet. The decryption key generated by the network side equipment is identical to the encryption key generated by the UE, and the integrity verification key generated by the network side equipment is identical to the integrity protection key generated by the UE. In the embodiment in which the UE itself generates the first random number, the network side equipment determines the keys as follows: according to the identifier of the UE, it looks up whether key information corresponding to that identifier is stored locally. If it is, the network side equipment has received a data packet from this UE before and obtained the UE's key information in that process, so after receiving this data packet it can read the key information of the UE directly from local storage. If it is not, the network side equipment is receiving a data packet from this UE for the first time, so the data packet carries the first random number generated by the UE; the network side equipment forwards the received identifier of the UE and the first random number to the HSS, the HSS generates the intermediate key of the UE from the identifier of the UE and the first random number and returns the intermediate key to the network side equipment, and the network side equipment derives the key information of the UE from it and stores the correspondence between the identifier of the UE and its key information. Once the UE has sent a data packet to the network side equipment, the network side equipment may hold the UE's key information, so when the UE later sends further data packets to the network side equipment, the network side equipment can look up the UE's key information directly in local storage.
In the embodiment in which the HSS generates the second random number and delivers it to the UE through the network side equipment, the network side equipment determines the decryption key and integrity verification key corresponding to the UE as follows: the HSS generates the second random number in advance, generates the intermediate key of the UE from the identifier of the UE and the second random number, and sends the intermediate key to the network side equipment; the network side equipment derives the key information of the UE from it and stores the correspondence between the identifier of the UE and its key information. After receiving the data packet sent by the UE, the network side equipment can therefore find the key information of the UE directly in local storage according to the identifier of the UE.
S407, the network side equipment decrypts and integrity-verifies the data packet using the decryption key and the integrity verification key.
Specifically, the network side equipment decrypts and integrity-verifies the received data packet using the key information of the UE. In a specific implementation, the network side equipment decrypts the encrypted user data with the decryption key it obtained, and verifies the integrity protection information carried in the data packet (that is, the MAC-I) using the integrity verification key it obtained and the parameter information carried in the data packet, thereby authenticating the UE. For example, the network side equipment takes the encrypted user data in the data packet and the decryption key as input parameters and processes them with a decryption algorithm (a hash function that is the inverse of the encryption algorithm used by the UE) to decrypt the encrypted user data and obtain the plaintext user data; it takes the identifier of the UE and the integrity verification key as input parameters and processes them with an integrity verification algorithm (a hash function identical to the integrity protection algorithm used by the UE) to obtain a message authentication code MAC-I', and completes the integrity verification of the data packet by checking whether MAC-I' matches the MAC-I carried in the data packet. If they match, the integrity verification of the data packet by the network side equipment succeeds. Successful verification of the MAC-I shows that the data and/or parameters in the data packet are intact, that is, the data packet was not tampered with or injected by a third party in transit, and also that the network side equipment was able to obtain the key information of the UE from the identifier of the UE, so the UE is authenticated as a legitimate user.
For example, if the data packet sent by the UE carries A, B' and a, the network side equipment decrypts the encrypted user data B' with the decryption key it obtained to recover the user data B, and verifies the integrity value a using the integrity verification key it obtained and the identifier A of the UE.
If the UE only encrypted the user data without integrity-protecting it, and only integrity-protected the parameter information without encrypting it, then the network side equipment may decrypt the encrypted user data and integrity-verify the parameter information either simultaneously or at different times; when they are performed at different times, the embodiment of the present invention does not limit their order. If the UE both encrypted and integrity-protected the user data and also encrypted some of the parameters in the parameter information, then the network side equipment must first decrypt the encrypted user data and the encrypted parameters with the decryption key, and then verify the MAC-I using the integrity verification key, the decrypted user data and the decrypted parameters. The UE and the network side equipment may negotiate in advance which data or parameters take part in the encryption process and which take part in the integrity protection process, so that the objects the UE encrypts correspond one-to-one with the objects the network side equipment decrypts, and the objects the UE integrity-protects correspond one-to-one with the objects the network side equipment verifies.
Optionally, in the embodiment in which the UE itself generates the first random number, the parameter information in the data packet further includes the security algorithm indication information selected by the UE, which the network side equipment uses to determine the decryption algorithm and integrity verification algorithm for decrypting and integrity-verifying the data packet. The security algorithm indication information includes the encryption algorithm identifier corresponding to the encryption algorithm used by the UE and the integrity protection algorithm identifier corresponding to the integrity protection algorithm used by the UE. Usually the set of security algorithms supported by the network side equipment covers the security algorithms supported by each UE, so the network side equipment can determine from the encryption algorithm identifier which encryption algorithm the UE uses and obtain the decryption algorithm for the data packet by inverting that encryption algorithm, and can determine the integrity verification algorithm from the integrity protection algorithm used by the UE, the integrity verification algorithm being identical to the integrity protection algorithm used by the UE. The network side equipment uses the decryption algorithm to decrypt the data packet and the integrity verification algorithm to integrity-verify it: after receiving the data packet, it decrypts the data packet with the obtained decryption key of the UE and the decryption algorithm, and integrity-verifies the data packet with the obtained integrity verification key of the UE and the integrity verification algorithm.
Specifically, if the network side equipment is a base station, the base station performs the decryption and integrity verification of the data packet in the PDCP layer of the second layer of the radio interface. If the network side equipment is a gateway, a peer protocol sublayer is needed between the UE and the gateway, and the gateway performs the decryption and integrity verification of the data packet in that peer protocol sublayer. The peer protocol sublayer may be a newly added protocol sublayer or an extension of the functions of an existing protocol sublayer.
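As an added example (not the patent's code or any 3GPP implementation) of steps S401 to S407 above, the following Python models the UE deriving keys from its root key and a first random number, building a packet of the form {A, B', a} with MAC-I computed before encryption, and the network side equipment looking up keys by UE identifier, fetching the intermediate key from the HSS on the first packet, decrypting first and then recomputing MAC-I'. HMAC-SHA256 stands in for the EIA integrity algorithms and an HMAC-derived keystream for the EEA ciphering algorithms; the derivation labels, the per-packet counter and the MAC-I length are assumptions, and the network side also re-derives keys when a packet carries a random number different from the cached one, which goes slightly beyond the text by covering the key refresh described later for step S4001.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 8  # bytes of HMAC output kept as MAC-I (assumed length)

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """One derivation step: parent key -> child key bound to a label and inputs."""
    return hmac.new(key, label + b"|" + b"|".join(parts), hashlib.sha256).digest()

def derive_keys(intermediate: bytes) -> tuple:
    """Intermediate key -> (ciphering key, integrity key); same steps on both ends."""
    return kdf(intermediate, b"enc"), kdf(intermediate, b"int")

def keystream_xor(key: bytes, count: int, data: bytes) -> bytes:
    """Stand-in for EEA: XOR with an HMAC keystream bound to the packet counter."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(kdf(key, b"ks", count.to_bytes(4, "big"), i.to_bytes(4, "big"))
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def mac_i(int_key: bytes, ue_id: bytes, dest: bytes, count: int,
          rand, user_data: bytes) -> bytes:
    """MAC-I over parameter info (UE id, destination, counter, RAND if carried) + data."""
    msg = b"|".join([ue_id, dest, count.to_bytes(4, "big"), rand or b"", user_data])
    return hmac.new(int_key, msg, hashlib.sha256).digest()[:MAC_LEN]

class HSS:
    """Holds each UE's root key K and derives the intermediate key from K and RAND."""
    def __init__(self, root_keys: dict):
        self._root = root_keys

    def intermediate_key(self, ue_id: bytes, rand: bytes):
        k = self._root.get(ue_id)
        return None if k is None else kdf(k, b"intermediate", ue_id, rand)

class UE:
    def __init__(self, ue_id: bytes, root_key: bytes):
        self.ue_id, self.root_key, self.count = ue_id, root_key, 0
        self.refresh_random()

    def refresh_random(self):
        """(Re)generate the first random number and derive K -> intermediate -> keys."""
        self.rand = secrets.token_bytes(16)
        inter = kdf(self.root_key, b"intermediate", self.ue_id, self.rand)
        self.enc_key, self.int_key = derive_keys(inter)
        self.rand_sent = False  # RAND is carried until the network has seen it

    def build_packet(self, user_data: bytes, dest: bytes) -> dict:
        """Integrity-protect first, then cipher: packet = {A, B', a} plus parameters."""
        rand = None if self.rand_sent else self.rand
        count = self.count
        mac = mac_i(self.int_key, self.ue_id, dest, count, rand, user_data)
        ct = keystream_xor(self.enc_key, count, user_data)
        self.count, self.rand_sent = count + 1, True
        return {"ue_id": self.ue_id, "dest": dest, "count": count,
                "rand": rand, "data": ct, "mac": mac}

class NetworkSide:
    """Base station or gateway: keys cached by UE id; HSS consulted on the first
    packet or when a packet carries a RAND that differs from the cached one."""
    def __init__(self, hss: HSS):
        self.hss, self.keys = hss, {}  # ue_id -> (rand, dec_key, ver_key)

    def handle(self, pkt: dict):
        """Return plaintext, or None if the UE cannot be keyed or MAC-I' mismatches."""
        ue_id, rand = pkt["ue_id"], pkt["rand"]
        entry = self.keys.get(ue_id)
        if entry is None or (rand is not None and rand != entry[0]):
            inter = None if rand is None else self.hss.intermediate_key(ue_id, rand)
            if inter is None:
                return None  # unknown UE, or first packet without a RAND
            dec, ver = derive_keys(inter)
            self.keys[ue_id] = entry = (rand, dec, ver)
        _, dec_key, ver_key = entry
        plain = keystream_xor(dec_key, pkt["count"], pkt["data"])  # decrypt first
        expected = mac_i(ver_key, ue_id, pkt["dest"], pkt["count"], rand, plain)
        return plain if hmac.compare_digest(expected, pkt["mac"]) else None

def demo() -> dict:
    """Constructed walk-through: first packet carries RAND, later ones do not."""
    ue_id, k = b"ue-0001", secrets.token_bytes(32)  # constructed identifier and root key
    hss = HSS({ue_id: k})
    ue, net = UE(ue_id, k), NetworkSide(hss)
    dest = b"https://sensor.example/upload"
    first = ue.build_packet(b"temp=21.5", dest)
    second = ue.build_packet(b"temp=22.0", dest)
    tampered = dict(second, data=bytes([second["data"][0] ^ 1]) + second["data"][1:])
    out = {"first": net.handle(first), "second": net.handle(second),
           "tampered": net.handle(tampered),
           "first_carries_rand": first["rand"] is not None,
           "second_carries_rand": second["rand"] is not None,
           "unkeyed_node": NetworkSide(hss).handle(second)}
    ue.refresh_random()  # key update: new RAND, new keys, RAND carried again
    out["after_refresh"] = net.handle(ue.build_packet(b"temp=22.5", dest))
    return out
```

The `unkeyed_node` case shows why the first packet must carry the random number: a node that never saw it has no local key information and cannot verify the UE.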
S409, the network side equipment sends the user data to the destination server after the integrity verification of the data packet succeeds.
Optionally, refer to Fig. 4B, which is a flow diagram of another data transmission method provided in an embodiment of the present invention; in Fig. 4B the network side equipment of the embodiment is illustrated by taking a base station as an example. For steps S401-S407 in Fig. 4B, refer to the description of the embodiment illustrated in Fig. 4A; they are not described again here. Compared with Fig. 4A, in Fig. 4B the network side equipment sending the user data to the destination server in step S409 is specifically:
after the integrity verification of the data packet succeeds, the base station sends the decrypted user data and the identifier of the destination server to the gateway; the gateway establishes a Transmission Control Protocol (TCP) connection with the destination server according to the identifier of the destination server, and sends the user data to the destination server over the TCP connection.
Specifically, after the integrity verification of the data packet succeeds, the base station sends the decrypted user data and the identifier of the destination server (such as a URL) to the gateway. The gateway receives the user data and the URL and triggers a Domain Name System (DNS) resolution process, obtaining the IP address corresponding to the URL of the destination server from a DNS server (a name server that holds the domain names of all hosts in the network together with their corresponding Internet Protocol (IP) addresses and can translate domain names into IP addresses), and then establishes a TCP connection with the destination server according to the IP address of the destination server.
Optionally, refer to Fig. 4C, which is a flow diagram of another data transmission method provided in an embodiment of the present invention; in Fig. 4C the network side equipment of the embodiment is illustrated by taking a gateway as an example. For steps S401-S407 in Fig. 4C, refer to the description of the embodiment illustrated in Fig. 4A; they are not described again here. Compared with Fig. 4A, in Fig. 4C the network side equipment sending the user data to the destination server in step S409 is specifically:
after the integrity verification of the data packet succeeds, the gateway establishes a TCP connection with the destination server according to the identifier of the destination server, and sends the decrypted user data to the destination server over the TCP connection.
Specifically, after the integrity verification of the data packet succeeds, the gateway triggers a DNS name resolution process, obtains the IP address corresponding to the URL of the destination server from the DNS server, and establishes a TCP connection with the destination server according to the IP address of the destination server.
In the embodiment of the present invention, the DNS name resolution process is no longer triggered by the UE, and the UE no longer occupies a large amount of air interface resources to establish a TCP connection with the destination server. Instead, the gateway triggers the DNS process on behalf of the UE, establishes the TCP connection with the destination server, and then sends the decrypted user data to the destination server over that TCP connection, which reduces the signalling resources needed to establish the TCP connection.
By performing steps S401-S409 above, the UE encrypts and integrity-protects the data packet to be transmitted according to its key information without having established an RRC connection with the base station and then sends it to the network side equipment, and the network side equipment can in turn decrypt and integrity-verify the data packet according to the UE's key information it has obtained. This ensures the security of the data transmission, reduces the signalling overhead of establishing a control plane connection and user plane bearer, and improves system efficiency.
Further, refer to Fig. 4D, which is a flow diagram of another data transmission method provided in an embodiment of the present invention. Before step S401 of the embodiment illustrated in Fig. 4A, 4B or 4C is performed, step S4001 may also be performed, in which the UE itself generates the first random number for key derivation and then generates its encryption key and integrity protection key from the first random number. The embodiment of the present invention is illustrated by taking the case in which step S4001 is performed before step S401 of Fig. 4A as an example; for steps S401-S409 in Fig. 4D, refer to the description of the embodiment illustrated in Fig. 4A, which is not repeated here. Step S4001 in Fig. 4D is described in detail as follows.
S4001, the UE generates the first random number and generates the encryption key and the integrity protection key from the first random number.
Specifically, the UE itself generates the first random number and derives the key information of the UE step by step from the first random number and the root key of the UE. When the UE in IDLE state has data to send, it can encrypt and integrity-protect the data packet to be transmitted according to that key information. The parameter information in the data packet further includes the first random number, which takes part in the integrity protection process but not in the encryption process.
When the UE sends a data packet to the network side equipment for the first time, it must carry the first random number. After the UE has sent a data packet to the network side equipment, later data packets sent to the network side equipment may or may not carry the first random number, depending on the key situation: once the UE randomly generates a new first random number, derives key information from it, and then uses that key information for the security processing of the data it sends, the UE must carry the newly generated first random number when sending the data packet. Other cases are not specifically limited by the embodiment of the present invention.
Compared with Fig. 4A, 4B or 4C, in Fig. 4D the network side equipment determining the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE in step S405 is specifically:
the network side equipment sends the identifier of the UE and the first random number to the Home Subscriber Server (HSS), the HSS generates the intermediate key of the UE, and the network side equipment generates the decryption key and integrity verification key corresponding to the UE from the intermediate key generated by the HSS and stores the correspondence between the identifier of the UE and the decryption key and integrity verification key.
Specifically, the HSS stores the root key of the UE. After receiving the identifier of the UE and the first random number sent by the network side equipment, the HSS looks up the root key of the UE according to the identifier of the UE, generates the intermediate key corresponding to the UE from the root key of the UE and the first random number, and sends the intermediate key of the UE to the network side equipment; the network side equipment receives the intermediate key of the UE and derives from it the decryption key and integrity verification key corresponding to the UE.
Optionally, after the UE has transmitted a predetermined number of data packets to the network side equipment, the key information of the UE may be updated. The key update may be triggered by the UE or by the network side equipment; after one side triggers the key update, it needs to send a key update indication to the other side so that both sides complete the update. In the embodiment in which the UE itself generates the first random number, when a key update is needed the UE regenerates the first random number, derives the key information of the UE step by step from the newly generated first random number, and sends the newly generated first random number to the network side equipment. After receiving the newly generated first random number, the network side equipment sends the identifier of the UE and the newly generated first random number to the HSS; the HSS looks up the root key of the UE according to the identifier of the UE, regenerates the intermediate key of the UE from the root key of the UE and the newly generated first random number, and sends the intermediate key of the UE to the network side equipment; the network side equipment regenerates the key information of the UE from the intermediate key, thereby updating the key information of the UE, and stores the correspondence between the identifier of the UE and the updated key information. In the embodiment in which the HSS generates the second random number and sends it to the UE through the network side equipment, when a key update is needed the HSS regenerates the second random number, generates the intermediate key of the UE from the newly generated second random number, and sends the newly generated second random number and the newly generated intermediate key to the network side equipment; the network side equipment derives the key information of the UE from the newly generated intermediate key, stores the correspondence between the identifier of the UE and the updated key information, and sends the second random number to the UE, and the UE derives its key information step by step from the newly generated second random number. The predetermined number may be 2, 5, 10 or the like. Updating the key prevents a third party from cracking the key negotiated between the UE and the network side equipment, further improving the security of the data transmission and safeguarding the information security of both communicating parties.
By performing step S4001 above, when the UE has data to send it no longer relies on a random number generated and delivered by the HSS for key derivation; instead the UE generates the random number itself, derives the key information of the UE from it, and uses that key information for the security processing of the data packet to be transmitted. This ensures the security of the data transmission and improves data transmission efficiency, and the network side equipment can authenticate the UE from the data packet the UE transmits without relying on the HSS to generate and deliver an authentication vector, which simplifies the network side equipment's authentication of the UE.
Further, refer to Fig. 4E, which is a flow diagram of another data transmission method provided in an embodiment of the present invention. Before step S401 of the embodiment illustrated in Fig. 4A, 4B or 4C is performed, steps S4003-S4009 may also be performed, in which the UE requests authentication from the network side equipment to obtain the second random number for key derivation sent by the network side equipment, and then generates its encryption key and integrity protection key from the second random number. The embodiment of the present invention is illustrated by taking the case in which these steps are performed before step S401 of Fig. 4A as an example; for steps S401-S409 in Fig. 4E, refer to the description of the embodiment illustrated in Fig. 4A, which is not repeated here. Steps S4003-S4009 in Fig. 4E are described in detail as follows.
S4003: when the UE has not established an RRC connection with the base station, the UE sends a certification request to the home subscriber server (HSS) through the network side equipment.
Specifically, when a UE in IDLE state has data to send and has not set up an RRC connection, it sends a certification request to the home subscriber server HSS through the network side equipment; the network side equipment receives the certification request that the UE sends while no RRC connection with the base station is established. The certification request includes the identifier of the UE and may also include the capability of the UE.
Optionally, if the network side equipment is a base station, the UE may carry the certification request in the preamble sequence of a Preamble message, in an RRC connection establishment request message, or in other resources that the base station allocates to the UE, and send it to the base station. If the network side equipment is a gateway, the UE likewise carries the certification request in the preamble sequence of a Preamble message, in an RRC connection establishment request message, or in other resources that the base station allocates to the UE, and sends it to the base station, which forwards the certification request to the gateway.
S4005: the network side equipment sends the certification request to the home subscriber server HSS. The certification request triggers the HSS to generate a second random number and to generate an intermediate key of the UE from the identifier of the UE and the second random number; the network side equipment generates a decryption key and an integrity verification key from the intermediate key generated by the HSS, and stores the correspondence between the identifier of the UE and the decryption key and integrity verification key.
Specifically, the network side equipment sends the certification request to the HSS. The HSS receives the certification request, generates the second random number according to it, looks up the root key of the UE by the identifier of the UE, generates the intermediate key of the UE from the root key of the UE and the second random number, and sends the second random number and the intermediate key of the UE to the network side equipment. The network side equipment receives the second random number and the intermediate key of the UE and further generates the decryption key and the integrity verification key.
It should be noted that if the network side equipment receives the intermediate key of the UE sent by the HSS, this shows that the HSS holds a root key corresponding to the identifier of the UE and therefore that the UE is a legitimate user; in this way the network side equipment authenticates the UE.
It should be noted that the UE sends the certification request to the network side equipment only when it sends data for the first time; once the network side equipment has generated and stored the key information of the UE according to the certification request, the UE can subsequently send security-processed data directly to the network side equipment.
S4007: the network side equipment sends a response message to the UE.
Specifically, after the network side equipment generates the key information of the UE according to the identifier of the UE, it sends a response message to the UE. The response message includes the second random number and is obtained by the network side equipment performing integrity protection with the integrity verification key. The UE receives the response message that the HSS sends through the network side equipment.
Optionally, when the network side equipment is a gateway, the response message may include the identifier of the gateway. The UE saves the identifier of the gateway after receiving it, and the next time it sends a data packet to the gateway it also includes the identifier of the gateway in the parameter information of the data packet. The UE sends the data packet to the base station; the base station receives the data packet and, according to the identifier of the gateway carried in it, sends the data packet to the gateway corresponding to that identifier (that is, the gateway that the base station allocated to the UE when the UE last sent a data packet, and which generated and stored the key information of the UE after receiving the first data packet sent by the UE). The base station therefore does not change the gateway that serves the UE: it does not select a new gateway for the UE but continues to use the old one, which reduces the gateway resources consumed by switching and reduces delay.
Optionally, the response message may include security algorithm indication information selected by the network side equipment. Specifically, the network side equipment takes the intersection of its own encryption algorithm priority list and the capability of the UE and chooses the encryption algorithm of highest priority, and takes the intersection of its own integrity protection algorithm priority list and the capability of the UE and chooses the integrity protection algorithm of highest priority. The security algorithm indication information includes an encryption algorithm identifier (such as EEA0, EEA1, EEA2 or EEA3) and an integrity protection algorithm identifier (such as EIA0, EIA1, EIA2 or EIA3). After the network side equipment determines the decryption key and integrity verification key according to the certification request, it determines the security algorithms shared between the UE and the network side equipment according to the capability of the UE and the security algorithms it supports itself, and then sends the selected security algorithm indication information to the UE in the response message. The UE encrypts the data packet using its encryption key and the encryption algorithm corresponding to the security algorithm sent by the network side equipment, and integrity-protects the data packet using its integrity protection key and the integrity protection algorithm corresponding to the security algorithm sent by the network side equipment. After receiving the data packet, the network side equipment decrypts it with the decryption key and the decryption algorithm corresponding to the security algorithm, and verifies its integrity with the integrity verification key of the UE and the integrity verification algorithm corresponding to the security algorithm.
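The priority-list intersection described above, written out as an added example (this is not code from the patent). The algorithm identifiers EEA0-EEA3 and EIA0-EIA3 are the ones the text names; the network-side priority lists and the UE capability lists are constructed sample data.

```python
"""Security algorithm selection by priority-list intersection.

Added example; not code from the patent. The identifiers EEA0-EEA3 and
EIA0-EIA3 are those named in the text; the priority lists below are
constructed sample data, not values from the patent."""

from typing import Dict, Sequence

# Constructed sample: the network side equipment's own priority lists,
# highest priority first.
NETWORK_ENC_PRIORITY = ["EEA2", "EEA1", "EEA3", "EEA0"]
NETWORK_INT_PRIORITY = ["EIA2", "EIA1", "EIA3", "EIA0"]


def select_algorithm(network_priority: Sequence[str],
                     ue_capability: Sequence[str]) -> str:
    """Return the highest-priority algorithm (in network order) that the UE
    also supports, i.e. the top element of the intersection of both lists.

    Raises ValueError when the intersection is empty instead of silently
    picking an algorithm that one side never listed."""
    supported = set(ue_capability)
    for alg in network_priority:
        if alg in supported:
            return alg
    raise ValueError("no common security algorithm")


def build_security_algorithm_indication(ue_enc_capability: Sequence[str],
                                        ue_int_capability: Sequence[str]) -> Dict[str, str]:
    """Build the security algorithm indication information carried in the
    response message: one encryption algorithm identifier and one
    integrity protection algorithm identifier."""
    return {
        "encryption_algorithm": select_algorithm(NETWORK_ENC_PRIORITY, ue_enc_capability),
        "integrity_algorithm": select_algorithm(NETWORK_INT_PRIORITY, ue_int_capability),
    }


def is_null_integrity(indication: Dict[str, str]) -> bool:
    """EIA0 is the null integrity algorithm: with it selected, the later
    integrity verification steps check nothing, so a deployment should
    decide explicitly whether to accept or log that outcome."""
    return indication["integrity_algorithm"] == "EIA0"


if __name__ == "__main__":
    # Constructed UE capability: EEA0/EEA1/EEA3 and EIA0/EIA1/EIA3 only.
    print(build_security_algorithm_indication(["EEA0", "EEA1", "EEA3"],
                                              ["EIA0", "EIA1", "EIA3"]))
```

With the sample lists, a UE that lacks EEA2/EIA2 ends up with EEA1 and EIA1, the next entries in the network's order. `is_null_integrity` exists because EIA0 is a legal outcome of the intersection but means no integrity protection; the text leaves that policy to the deployment.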
S4009: the UE generates the encryption key and the integrity protection key from the second random number, and performs integrity verification on the response message using the integrity protection key.
Specifically, the UE generates the encryption key and the integrity protection key from the second random number carried in the response message, and verifies the integrity of the response message using the integrity protection key, thereby authenticating the network side equipment. If the UE's integrity verification of the response message succeeds, the response message is intact, that is, it has not been tampered with or injected by a third party, and the network side equipment has correctly received the certification request; the network side equipment is therefore authenticated as legitimate. At this point, mutual authentication between the UE and the network side equipment is complete. After the integrity verification of the response message sent by the network side equipment succeeds, the UE can send the data packet to the network side equipment.
By executing steps S4003-S4009 above, the UE requests authentication from the network side equipment without setting up an RRC connection, obtains the random number for key derivation generated and issued by the HSS, and derives its key information from that random number; the UE authenticates the network side equipment by verifying the integrity of the response message the network side equipment sends, without relying on a ciphering key generated and issued by the HSS. This reduces the signaling overhead of establishing a control plane connection and user plane bearer, and improves system efficiency.
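The exchange of steps S4003-S4009, as an added example that is not part of the patent. The patent does not name the key derivation function, the integrity algorithm, or key lengths; this example assumes HMAC-SHA256 for both (the derivation labels "intermediate", "enc" and "int" and the 16-byte MAC are assumptions), and assumes the UE holds the same root key that the HSS looks up by the UE's identifier. The identifier and root key are constructed sample values.

```python
"""HSS-assisted key derivation and response-message verification (S4003-S4009).

Added example; not the patent's code. KDF, MAC, labels and key lengths are
assumptions; identifiers and root keys are constructed sample values."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MAC_LEN = 16


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over length-prefixed parts."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """Assumed integrity protection: truncated HMAC-SHA256."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class HSS:
    """Holds root keys by UE identifier (constructed table)."""

    def __init__(self, root_keys: Dict[bytes, bytes]):
        self._root = root_keys

    def handle_certification_request(self, ue_id: bytes) -> Optional[Tuple[bytes, bytes]]:
        root = self._root.get(ue_id)
        if root is None:
            return None  # no root key for this identifier: no intermediate key is issued
        rand2 = secrets.token_bytes(16)  # the second random number
        return rand2, kdf(root, b"intermediate", rand2)


class NetworkSide:
    """Base station or gateway: derives per-UE keys, integrity-protects the response."""

    def __init__(self, hss: HSS):
        self._hss = hss
        # ue_id -> (decryption key, integrity verification key)
        self.context: Dict[bytes, Tuple[bytes, bytes]] = {}

    def handle_certification_request(self, ue_id: bytes) -> Optional[bytes]:
        issued = self._hss.handle_certification_request(ue_id)
        if issued is None:
            return None  # HSS returned no intermediate key: the UE is not authenticated
        rand2, intermediate = issued
        dec_key, ver_key = kdf(intermediate, b"enc"), kdf(intermediate, b"int")
        self.context[ue_id] = (dec_key, ver_key)
        body = b"RESP" + rand2  # the response message carries the second random number
        return body + mac(ver_key, body)


class UE:
    def __init__(self, ue_id: bytes, root: bytes):
        self.ue_id, self._root = ue_id, root
        self.enc_key: Optional[bytes] = None
        self.int_key: Optional[bytes] = None

    def process_response(self, response: bytes) -> bool:
        """Derive keys from the second random number, then verify the response.
        A MAC failure means the message was altered or the sender lacks the
        keys, so nothing is kept."""
        body, tag = response[:-MAC_LEN], response[-MAC_LEN:]
        rand2 = body[len(b"RESP"):]
        intermediate = kdf(self._root, b"intermediate", rand2)
        enc_key, int_key = kdf(intermediate, b"enc"), kdf(intermediate, b"int")
        if not hmac.compare_digest(mac(int_key, body), tag):
            return False
        self.enc_key, self.int_key = enc_key, int_key
        return True


def run_exchange(tamper: bool = False) -> Tuple[bool, bool]:
    """Run S4003-S4009 once; returns (UE accepted response, keys equal on both sides)."""
    ue_id, root = b"imsi-460001234567890", secrets.token_bytes(32)  # constructed values
    net = NetworkSide(HSS({ue_id: root}))
    ue = UE(ue_id, root)
    response = net.handle_certification_request(ue_id)
    if response is None:
        return False, False
    if tamper:  # flip one bit of the second random number in transit
        response = response[:5] + bytes([response[5] ^ 0x01]) + response[6:]
    ok = ue.process_response(response)
    return ok, ok and net.context[ue_id] == (ue.enc_key, ue.int_key)
```

The two checks the text describes fall out of the structure: the network side authenticates the UE by the HSS returning an intermediate key at all (`None` for an unknown identifier), and the UE authenticates the network side by the MAC on the response verifying under the key it derived itself, so a modified second random number is rejected and no keys are installed.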
Further, refer to Fig. 4F. Fig. 4F is the flow diagram of another data transmission method provided in an embodiment of the present invention. After the data transmission method described in steps S401-S409 of Fig. 4A, Fig. 4B, Fig. 4C, Fig. 4D or Fig. 4E above has been executed, the UE can also authenticate the network side equipment by executing steps S411 and S413. The embodiment of the present invention is illustrated with steps S411 and S413 being executed after step S409 of Fig. 4A; for steps S411 and S413 in Fig. 4F refer to the associated description of the embodiment shown in Fig. 4A, which is not repeated here. Steps S411 and S413 are described in detail as follows.
S411: the UE receives the confirmation message that the network side equipment sends after its integrity verification of the data packet succeeds.
Specifically, the confirmation message includes but is not limited to an acknowledgement (ACK) message, and is obtained by the network side equipment performing integrity protection with the integrity protection key.
Optionally, when the network side equipment is a gateway, the confirmation message that the gateway sends to the UE includes the identifier of the gateway. The UE saves the identifier of the gateway after receiving it, and the next time it sends a data packet to the gateway it also carries the identifier of the gateway. The UE sends the data packet to the base station; the base station receives the data packet and, according to the identifier of the gateway carried in it, sends the data packet to the gateway corresponding to that identifier, so that the base station does not change the gateway that serves the UE: it does not select a new gateway for the UE but continues to use the old one, which reduces the gateway resources consumed by switching and reduces delay.
It should be noted that after the network side equipment's integrity verification of the data packet succeeds, the two processes of sending the user data to the destination server and sending the confirmation message to the UE may be carried out simultaneously or at different times; when carried out at different times, the embodiment of the present invention does not limit their order.
S413: the UE performs integrity verification on the confirmation message using the integrity protection key.
Specifically, after the network side equipment's integrity verification of the data packet with the integrity verification key succeeds, it sends a confirmation message to the UE. The UE receives the confirmation message that the network side equipment sends after its integrity verification of the data packet succeeds, and verifies the integrity of the confirmation message using the integrity protection key, thereby authenticating the network side equipment. If the UE's integrity verification of the confirmation message succeeds, the confirmation message is intact, that is, it has not been tampered with or injected by a third party, and the network side equipment has correctly received the data packet; the network side equipment is therefore legitimate.
By executing steps S411 and S413 above, the UE can authenticate the network side equipment from the confirmation message the network side equipment sends, without relying on a ciphering key generated and issued by the HSS, which simplifies the UE's authentication of the network side equipment.
Further, refer to Fig. 4G. Fig. 4G is the flow diagram of another data transmission method provided in an embodiment of the present invention. After step S413 in Fig. 4F above has been executed, the identifier of the UE can also be updated by executing steps S415 and S417. For steps S401-S409 in Fig. 4G refer to the associated description of the embodiment shown in Fig. 4A, and for steps S411 and S413 in Fig. 4G refer to the associated description of the embodiment shown in Fig. 4F; they are not repeated here. Steps S415 and S417 are described in detail as follows.
S415: after the UE's integrity verification of the confirmation message succeeds, the UE updates its identifier according to a third random number generated by the UE.
Specifically, when the UE sends the data packet to the network side equipment for the first time, the identifier of the UE is the IMSI of the UE. The IMSI uniquely identifies the UE and is called the permanent identifier; if the UE used the permanent identifier every time it sent data to the network side equipment, the whereabouts of the UE would likely be exposed: a malicious third party could intercept air-interface data, track the same IMSI, that is, the same UE, and thereby track the UE's movements. To avoid exposing the user's whereabouts, the permanent identifier of the user needs to be hidden, that is, the identifier of the UE needs to be updated so that the UE does not send the permanent identifier every time but replaces it with an updated temporary identifier (Temp ID). The Temp ID hides the whereabouts of the UE; it is valid only for the network side equipment that serves the UE, and the network side equipment maintains the mapping from the Temp ID to the permanent identifier. The UE receives the confirmation message that the network side equipment sends after its integrity verification of the data packet succeeds, and after the UE's integrity verification of the confirmation message succeeds, the UE updates its identifier according to its current identifier and the third random number; therefore, the next time the UE sends user data to the network side equipment, the identifier of the UE carried in the data packet is the updated identifier. Specifically, the UE generates its new identifier from its old identifier, the third random number and a preset identifier update algorithm, which is agreed in advance between the UE and the network side equipment; the network side equipment can therefore generate the new identifier of the UE in the same way from the old identifier of the UE, the third random number and the preset identifier update algorithm. The third random number participates in the integrity protection process and may also participate in the encryption process.
S417: after the network side equipment's integrity verification of the data packet succeeds, the network side equipment updates the identifier of the UE according to the third random number, and stores the correspondence between the updated identifier of the UE and the decryption key and integrity verification key.
Specifically, the network side equipment updates the identifier of the UE according to the identifier of the UE and the third random number, saves the correspondence between the updated identifier of the UE and the decryption key and integrity verification key of the UE, and also saves the mapping between the IMSI of the UE and the updated identifier. At this point, the UE and the network side equipment have completed the update of the identifier of the UE.
It should be noted that the identifier of the UE may be updated once after every data packet the UE sends, or once after the UE has sent a preset number of data packets; the embodiment of the present invention does not specifically limit this, and the preset number may be 1, 2, 5 and so on. When the UE needs to update its identifier, it sends the current identifier of the UE and the third random number generated by the UE to the network side equipment. Once the network side equipment receives the third random number sent by the UE, it updates the identifier of the UE after its integrity verification of the data packet succeeds, and at the same time sends the confirmation message to the UE; after the UE's integrity verification of the confirmation message succeeds, the UE updates its identifier. The order in which the network side equipment updates the identifier of the UE and sends the confirmation message to the UE is not limited.
By executing steps S415 and S417 above, the UE and the network side equipment update the identifier of the UE synchronously, which enhances the concealment of the UE, avoids exposing the whereabouts of the UE during data transmission, and further improves the security of data transmission.
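The synchronized identifier update of steps S415 and S417, as an added example that is not code from the patent. The patent says only that the new identifier is computed from the old identifier, the third random number and an update algorithm agreed in advance; here that algorithm is assumed to be HMAC-SHA256 truncated to 8 bytes, the integrity tag is assumed to be a truncated HMAC-SHA256 under the integrity key, the packet layout (1-byte identifier length, identifier, 16-byte third random number, user data, 16-byte tag) is constructed for the example, and the update interval is one packet (the text allows a preset number such as 1, 2 or 5). The IMSI and key are constructed sample values.

```python
"""Synchronized Temp ID update after a confirmed data packet (S415, S417).

Added example; not the patent's code. The update algorithm, tag, packet
layout and update interval are assumptions; IMSI and key are constructed."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TAG_LEN = 16
RAND_LEN = 16


def update_identifier(old_id: bytes, rand3: bytes) -> bytes:
    """Assumed pre-agreed identifier update algorithm (old id, third random number)."""
    return hmac.new(old_id, b"temp-id" + rand3, hashlib.sha256).digest()[:8]


def tag(int_key: bytes, msg: bytes) -> bytes:
    return hmac.new(int_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def parse_packet(packet: bytes) -> Optional[Tuple[bytes, bytes, bytes, bytes]]:
    """Split into (identifier, rand3, user data, tag); None if malformed."""
    if len(packet) < 1 + RAND_LEN + TAG_LEN:
        return None
    n = packet[0]
    if len(packet) < 1 + n + RAND_LEN + TAG_LEN:
        return None
    ue_id, rand3 = packet[1:1 + n], packet[1 + n:1 + n + RAND_LEN]
    return ue_id, rand3, packet[1 + n + RAND_LEN:-TAG_LEN], packet[-TAG_LEN:]


class NetworkSide:
    def __init__(self, imsi: bytes, int_key: bytes):
        # current identifier -> integrity verification key (decryption key sits beside it)
        self.keys: Dict[bytes, bytes] = {imsi: int_key}
        # Temp ID -> permanent identifier (IMSI); the first identifier is the IMSI itself
        self.imsi_of: Dict[bytes, bytes] = {imsi: imsi}

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Verify; on success update the identifier and return the protected
        confirmation message, otherwise None (no update, no confirmation)."""
        parsed = parse_packet(packet)
        if parsed is None:
            return None
        ue_id, rand3, _user_data, t = parsed
        int_key = self.keys.get(ue_id)
        if int_key is None or not hmac.compare_digest(tag(int_key, packet[:-TAG_LEN]), t):
            return None
        new_id = update_identifier(ue_id, rand3)
        self.keys[new_id] = self.keys.pop(ue_id)
        self.imsi_of[new_id] = self.imsi_of.pop(ue_id)
        conf = b"ACK" + rand3
        return conf + tag(int_key, conf)


class UE:
    def __init__(self, imsi: bytes, int_key: bytes):
        self.ue_id, self._int_key = imsi, int_key
        self._pending: Optional[bytes] = None

    def send(self, user_data: bytes) -> bytes:
        rand3 = secrets.token_bytes(RAND_LEN)  # the third random number
        body = bytes([len(self.ue_id)]) + self.ue_id + rand3 + user_data
        self._pending = rand3
        return body + tag(self._int_key, body)

    def receive_confirmation(self, conf: bytes) -> bool:
        """Update the identifier only after the confirmation verifies."""
        body, t = conf[:-TAG_LEN], conf[-TAG_LEN:]
        if self._pending is None or not hmac.compare_digest(tag(self._int_key, body), t):
            return False
        self.ue_id = update_identifier(self.ue_id, self._pending)
        self._pending = None
        return True


def run_scenario(tamper_packet: bool = False) -> Dict[str, bool]:
    imsi, int_key = b"460001234567890", secrets.token_bytes(32)  # constructed values
    net, ue = NetworkSide(imsi, int_key), UE(imsi, int_key)
    pkt = ue.send(b"hello")
    if tamper_packet:  # corrupt the last byte of the tag in transit
        pkt = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    conf = net.receive(pkt)
    ue_updated = conf is not None and ue.receive_confirmation(conf)
    in_sync = net.imsi_of.get(ue.ue_id) == imsi
    second_ok = net.receive(ue.send(b"again")) is not None
    return {"confirmed": conf is not None, "ue_updated": ue_updated,
            "identifier_changed": ue.ue_id != imsi, "in_sync": in_sync,
            "second_packet_ok": second_ok}
```

After one confirmed packet the UE's next packet carries an identifier that never appeared on the air before, and the network side still resolves it to the IMSI through `imsi_of`. The example keeps only the new identifier on the network side; since the text leaves the ordering of the update and the confirmation open, a deployment has to decide how the two sides resynchronize if a confirmation message is lost.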
Refer to Fig. 5. Fig. 5 is a structural schematic diagram of a user equipment 50 provided in an embodiment of the present invention. The user equipment 50 includes a modem (Modem) 501. The modem 501 includes a processor 5011 (the processor may be a Digital Signal Processing (DSP) chip; the DSP chip contains a PDCP entity, or other corresponding entity of a newly added protocol sublayer, that encrypts and integrity-protects transmitted data packets and integrity-verifies received messages), a memory 5012, a receiver 5013 and a transmitter 5014, where the receiver 5013 is a receiving circuit and the transmitter 5014 is a transmitting circuit. The receiver 5013 may specifically be an antenna that receives radio-frequency signals, and the transmitter 5014 may specifically be an antenna that sends radio-frequency signals. In some embodiments of the invention, the processor 5011, memory 5012, receiver 5013 and transmitter 5014 may be connected by a bus or in other ways; in Fig. 5 they are connected by a bus 5015. Those skilled in the art will appreciate that the structure of the user equipment 50 shown in Fig. 5 does not limit the user equipment, which may include more or fewer components than illustrated, combine certain components, or use a different component layout; although not shown, the user equipment 50 may also include at least one amplifier, a tuner, one or more oscillators, a SIM card and so on, which are not described again here.
The memory 5012 is used to store data transmission program code; the processor 5011 is used to call the data transmission program code stored in the memory 5012 to implement secure transmission of data by the user equipment (UE) when no RRC connection with the base station has been set up.
The processor 5011 encrypts and integrity-protects a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the user equipment (UE) from a first random number generated by the UE or from a second random number received from the network side equipment, and the data packet includes the identifier and user data of the UE. The encryption key and the integrity protection key may be stored in the memory 5012, and the processor 5011 performs the encryption and integrity protection of the data packet with the encryption key and the integrity protection key through the PDCP entity or other corresponding entity of the newly added protocol sublayer.
When the UE has not set up a radio resource control (RRC) connection with the base station, the processor 5011 sends the encrypted and integrity-protected data packet to the network side equipment through the transmitter 5014.
Optionally, the data packet further includes the first random number, which is used by the network side equipment to determine the decryption key and integrity verification key used to decrypt and integrity-verify the data packet.
Optionally, the data packet further includes security algorithm indication information selected by the UE, which is used by the network side equipment to determine the decryption algorithm and integrity verification algorithm used to decrypt and integrity-verify the data packet.
Optionally, before the processor 5011 encrypts and integrity-protects the data packet with the encryption key and the integrity protection key, the processor 5011 is also used to perform the following operations:
when the UE has not established the RRC connection with the base station, send a certification request to the home subscriber server HSS through the network side equipment via the transmitter 5014, where the certification request includes the identifier of the UE and is used to trigger the HSS to generate the second random number and to determine, from the identifier of the UE and the second random number, the decryption key and integrity verification key that the network side equipment uses to decrypt and integrity-verify the data packet;
receive, through the receiver 5013, the response message that the HSS sends through the network side equipment, the response message including the second random number;
perform integrity verification on the response message using the integrity protection key. Specifically, the processor 5011 verifies the integrity of the response message with the integrity protection key through the PDCP entity or other corresponding entity of the newly added protocol sublayer.
Optionally, the processor 5011 is also used to:
receive, through the receiver 5013, the confirmation message that the network side equipment sends after its integrity verification of the data packet succeeds;
perform integrity verification on the confirmation message using the integrity protection key. Specifically, the processor 5011 verifies the integrity of the confirmation message with the integrity protection key through the PDCP entity or other corresponding entity of the newly added protocol sublayer.
Optionally, the data packet further includes a third random number generated by the UE, which is used by the network side equipment to update the identifier of the UE after its integrity verification of the data packet succeeds; the processor 5011 is also used to:
after the integrity verification of the confirmation message succeeds, update the identifier of the UE according to the third random number.
Optionally, the network side equipment includes a base station or a gateway.
Optionally, the data packet further includes the identifier of a destination server, which is used by the gateway to establish a transmission control protocol (TCP) connection with the destination server and send the user data to the destination server over the TCP connection.
Optionally, when the network side equipment includes the gateway, the data packet further includes the identifier of the gateway, which is used by the base station to send the data packet to the gateway.
Optionally, sending the encrypted and integrity-protected data packet to the network side equipment through the transmitter 5014 includes:
sending the encrypted and integrity-protected data packet to the base station through the transmitter 5014 in a random access preamble message or an RRC connection establishment request message. Specifically, the processor 5011 adds the encrypted and integrity-protected data packet to the random access preamble message or the RRC connection establishment request message, and the transmitter 5014 sends the random access preamble message to the base station over the physical random access channel, or sends the RRC connection establishment request message to the base station in uplink resources that the base station allocates to the UE.
It should be noted that the functions of the functional modules of the user equipment 50 described in the embodiment of the present invention may be implemented according to the method for the user equipment (UE) in the method embodiments above, and are not described again here.
Refer to Fig. 6. Fig. 6 is a structural schematic diagram of a network side equipment 60 provided in an embodiment of the present invention. The network side equipment 60 includes a modem (Modem) 601. The modem 601 includes a processor 6011 (the processor may be a Digital Signal Processing (DSP) chip; for a base station, the DSP chip contains a PDCP entity that decrypts and integrity-verifies received data packets and integrity-protects transmitted messages; for a gateway, the DSP contains a corresponding entity of a newly added protocol sublayer that decrypts and integrity-verifies received data packets and integrity-protects transmitted messages), a memory 6012, a receiver 6013 and a transmitter 6014, where the receiver 6013 is a receiving circuit and the transmitter 6014 is a transmitting circuit. The receiver 6013 may specifically be an antenna that receives radio-frequency signals, and the transmitter 6014 may specifically be an antenna that sends radio-frequency signals. In some embodiments of the invention, the processor 6011, memory 6012, receiver 6013 and transmitter 6014 may be connected by a bus or in other ways; in Fig. 6 they are connected by a bus 6015. Those skilled in the art will understand that the structure of the network side equipment 60 shown in Fig. 6 does not limit the equipment, which may include more or fewer components than illustrated, combine certain components, or use a different component layout.
The memory 6012 is used to store data transmission program code; the processor 6011 is used to call the data transmission program code stored in the memory 6012 to enable the network side equipment to receive user data transmitted by a user equipment (UE) when no RRC connection with the base station has been set up.
The processor 6011 receives, through the receiver 6013, a data packet that the user equipment (UE) sends when no radio resource control (RRC) connection with the base station has been set up, where the data packet includes the identifier and user data of the UE and is a data packet obtained after the UE performs encryption and integrity protection;
determines the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE;
decrypts and integrity-verifies the data packet using the decryption key and the integrity verification key; specifically, the processor 6011 decrypts and integrity-verifies the data packet with the decryption key and the integrity verification key through the PDCP entity or other corresponding entity of the newly added protocol sublayer;
after the integrity verification of the data packet succeeds, sends the user data to the destination server.
Optionally, the data packet further includes a first random number generated by the UE;
determining the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE includes:
sending the identifier of the UE and the first random number to the home subscriber server HSS so that the HSS generates the intermediate key of the UE, generating the decryption key and integrity verification key corresponding to the UE from the intermediate key generated by the HSS, and storing the correspondence between the identifier of the UE and the decryption key and integrity verification key.
Optionally, the data packet further includes security algorithm indication information selected by the UE, which is used by the network side equipment to determine the decryption algorithm and integrity verification algorithm used to decrypt and integrity-verify the data packet.
Optionally, before receiving through the receiver 6013 the data packet that the user equipment (UE) sends when no radio resource control (RRC) connection with the base station has been set up, the processor is also used to:
receive, through the receiver 6013, the certification request that the UE sends when it has not established the RRC connection with the base station, the certification request including the identifier of the UE;
send the certification request to the home subscriber server HSS, where the certification request is used to trigger the HSS to generate the second random number and to generate the intermediate key of the UE from the identifier of the UE and the second random number; generate the decryption key and integrity verification key from the intermediate key generated by the HSS; and store the correspondence between the identifier of the UE and the decryption key and integrity verification key;
send a response message to the UE through the transmitter 6014, the response message including the second random number, which is used by the UE to generate the encryption key and integrity protection key used to encrypt and integrity-protect the data packet.
Optionally, the processor 6011 is also used to:
after the integrity verification of the data packet succeeds, send a confirmation message to the UE through the transmitter 6014, the confirmation message being used by the UE to perform integrity verification on it with the integrity protection key of the UE.
Optionally, the data packet further includes a third random number generated by the UE, which is used by the UE to update its identifier after its integrity verification of the confirmation message succeeds; the processor is also used to:
after the integrity verification of the data packet succeeds, update the identifier of the UE according to the third random number, and store the correspondence between the updated identifier of the UE and the decryption key and integrity verification key.
Optionally, the network side equipment includes a base station or a gateway.
Optionally, the data packet further includes the identifier of a destination server;
sending the user data to the destination server includes:
establishing a transmission control protocol (TCP) connection with the destination server according to the identifier of the destination server, and sending the user data to the destination server over the TCP connection.
Optionally, when the network side equipment includes the gateway, the data packet further includes the identifier of the gateway, which is used by the base station to send the data packet to the gateway.
Optionally, receiving through the receiver 6013 the data packet that the user equipment (UE) sends when no radio resource control (RRC) connection with the base station has been set up includes:
receiving, through the receiver 6013, the data packet that the user equipment (UE) sends in a random access preamble message or an RRC connection establishment request message when no radio resource control (RRC) connection with the base station has been established.
It should be noted that the functions of the functional modules of the network side equipment 60 described in the embodiment of the present invention may be implemented according to the method for the network side equipment in the method embodiments above, and are not described again here.
Referring to Fig. 7A, Fig. 7A is a schematic structural diagram of a user equipment according to an embodiment of the present invention. As shown in Fig. 7A, the user equipment 70 may include a secure processing unit 701 and a sending unit 703, where each unit is described in detail as follows.
The secure processing unit 701 is configured to encrypt and integrity-protect a data packet using the encryption key and integrity protection key of the user equipment (UE), where the encryption key and the integrity protection key are generated by the UE according to a first random number generated by the UE or a second random number received from the network side equipment, and the data packet includes the identifier of the UE and user data;
The sending unit 703 is configured to send the encrypted and integrity-protected data packet to the network side equipment when the UE has not established a radio resource control (RRC) connection with the base station.
Referring to Fig. 7B, Fig. 7B is a schematic structural diagram of another user equipment according to an embodiment of the present invention. The user equipment 70 shown in Fig. 7B is an optimization of the user equipment 70 shown in Fig. 7A. Compared with Fig. 7A, the user equipment 70 shown in Fig. 7B may, in addition to the secure processing unit 701 and the sending unit 703 described above, further include a first receiving unit 705 and a first verification unit 707, where:
The sending unit 703 is further configured to, before the secure processing unit 701 encrypts and integrity-protects the data packet using the encryption key and integrity protection key of the UE, and when the UE has not established the RRC connection with the base station, send an authentication request to the home subscriber server (HSS) through the network side equipment, the authentication request including the identifier of the UE and being used to trigger the HSS to generate the second random number and, according to the identifier of the UE and the second random number, to determine the decryption key and integrity verification key used by the network side equipment to decrypt and integrity-verify the data packet;
The first receiving unit 705 is configured to receive the response message sent by the HSS through the network side equipment, the response message including the second random number;
The first verification unit 707 is configured to integrity-verify the response message using the integrity protection key.
Referring to Fig. 7C, Fig. 7C is a schematic structural diagram of another user equipment according to an embodiment of the present invention. The user equipment 70 shown in Fig. 7C is an optimization of the user equipment 70 shown in Fig. 7A. Compared with Fig. 7A, the user equipment 70 shown in Fig. 7C may, in addition to the secure processing unit 701 and the sending unit 703 described above, further include a second receiving unit 709 and a second verification unit 711, where:
The second receiving unit 709 is configured to receive the confirmation message sent by the network side equipment after the integrity verification of the data packet succeeds;
The second verification unit 711 is configured to integrity-verify the confirmation message using the integrity protection key.
Optionally, the user equipment 70 described above may also include the secure processing unit 701, the sending unit 703, the first receiving unit 705, the first verification unit 707, the second receiving unit 709 and the second verification unit 711 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
Referring to Fig. 7D, Fig. 7D is a schematic structural diagram of another user equipment according to an embodiment of the present invention. The user equipment 70 shown in Fig. 7D is an optimization of the user equipment 70 shown in Fig. 7C. Compared with Fig. 7C, the user equipment 70 shown in Fig. 7D may, in addition to the secure processing unit 701, the sending unit 703, the second receiving unit 709 and the second verification unit 711 described above, further include an updating unit 713, where:
The updating unit 713 is configured to update the identifier of the UE according to the third random number after the integrity verification of the confirmation message succeeds.
Optionally, the user equipment 70 described above may also include the secure processing unit 701, the sending unit 703, the first receiving unit 705, the first verification unit 707, the second receiving unit 709, the second verification unit 711 and the updating unit 713 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
It should be noted that the functions of the functional units of the user equipment 70 described in the embodiments above can be implemented according to the method of the corresponding user equipment (UE) in the method embodiments above; details are not repeated here.
Referring to Fig. 8A, Fig. 8A is a schematic structural diagram of a network side equipment according to an embodiment of the present invention. As shown in Fig. 8A, the network side equipment 80 may include a receiving unit 801, a key determination unit 803, a secure processing unit 805 and a first sending unit 807, where each unit is described in detail as follows.
The receiving unit 801 is configured to receive the data packet sent by the user equipment (UE) when it has not established a radio resource control (RRC) connection with the base station, the data packet including the identifier of the UE and user data and being a data packet obtained after the UE performs encryption and integrity protection;
The key determination unit 803 is configured to determine the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE;
The secure processing unit 805 is configured to decrypt and integrity-verify the data packet using the decryption key and the integrity verification key;
The first sending unit 807 is configured to send the user data to the destination server after the secure processing unit has successfully integrity-verified the data packet.
Referring to Fig. 8B, Fig. 8B is a schematic structural diagram of another network side equipment according to an embodiment of the present invention. The network side equipment 80 shown in Fig. 8B is an optimization of the network side equipment 80 shown in Fig. 8A. Compared with Fig. 8A, the key determination unit 803 shown in Fig. 8B includes a second sending unit 8031 and a first key generation unit 8033, where:
The second sending unit 8031 is configured to send the identifier of the UE and the first random number to the home subscriber server (HSS), so that the HSS generates the intermediate key of the UE;
The first key generation unit 8033 is configured to generate the decryption key and integrity verification key corresponding to the UE according to the intermediate key generated by the HSS, and to store the correspondence between the identifier of the UE and the decryption key and integrity verification key.
Referring to Fig. 8C, Fig. 8C is a schematic structural diagram of another network side equipment according to an embodiment of the present invention. The network side equipment 80 shown in Fig. 8C is an optimization of the network side equipment 80 shown in Fig. 8A. Compared with Fig. 8A, the network side equipment 80 shown in Fig. 8C may, in addition to the receiving unit 801, the key determination unit 803, the secure processing unit 805 and the first sending unit 807 described above, further include a third sending unit 809, a second key generation unit 811 and a fourth sending unit 813, where:
The receiving unit 801 is further configured to, before receiving the data packet sent by the user equipment (UE), receive the authentication request sent by the UE when it has not established the RRC connection with the base station, the authentication request including the identifier of the UE;
The third sending unit 809 is configured to send the authentication request to the home subscriber server (HSS), the authentication request being used to trigger the HSS to generate the second random number and to generate the intermediate key of the UE according to the identifier of the UE and the second random number;
The second key generation unit 811 is configured to generate the decryption key and integrity verification key according to the intermediate key generated by the HSS, and to store the correspondence between the identifier of the UE and the decryption key and integrity verification key;
The fourth sending unit 813 is configured to send a response message to the UE, the response message including the second random number, which the UE uses to generate the encryption key and integrity protection key used to encrypt and integrity-protect the data packet.
Referring to Fig. 8D, Fig. 8D is a schematic structural diagram of another network side equipment according to an embodiment of the present invention. The network side equipment 80 shown in Fig. 8D is an optimization of the network side equipment 80 shown in Fig. 8A. Compared with Fig. 8A, the network side equipment 80 shown in Fig. 8D may, in addition to the receiving unit 801, the key determination unit 803, the secure processing unit 805 and the first sending unit 807 described above, further include a fifth sending unit 815, where:
The fifth sending unit 815 is configured to send a confirmation message to the UE after the secure processing unit 805 has successfully integrity-verified the data packet, the confirmation message being integrity-verified by the UE using the UE's integrity protection key.
Optionally, the network side equipment 80 described above may also include the receiving unit 801, the second sending unit 8031, the first key generation unit 8033, the secure processing unit 805, the first sending unit 807 and the fifth sending unit 815 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
Optionally, the network side equipment 80 described above may also include the receiving unit 801, the key determination unit 803, the secure processing unit 805, the first sending unit 807, the third sending unit 809, the second key generation unit 811, the fourth sending unit 813 and the fifth sending unit 815 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
Referring to Fig. 8E, Fig. 8E is a schematic structural diagram of another network side equipment according to an embodiment of the present invention. The network side equipment 80 shown in Fig. 8E is an optimization of the network side equipment 80 shown in Fig. 8D. Compared with Fig. 8D, the network side equipment 80 shown in Fig. 8E may, in addition to the receiving unit 801, the key determination unit 803, the secure processing unit 805, the first sending unit 807 and the fifth sending unit 815 described above, further include an updating unit 817, where:
The updating unit 817 is configured to, after the secure processing unit 805 has successfully integrity-verified the data packet, update the identifier of the UE according to the third random number, and store the correspondence between the updated identifier of the UE and the decryption key and integrity verification key.
Optionally, the network side equipment 80 described above may also include the receiving unit 801, the second sending unit 8031, the first key generation unit 8033, the secure processing unit 805, the first sending unit 807, the fifth sending unit 815 and the updating unit 817 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
Optionally, the network side equipment 80 described above may also include the receiving unit 801, the key determination unit 803, the secure processing unit 805, the first sending unit 807, the third sending unit 809, the second key generation unit 811, the fourth sending unit 813, the fifth sending unit 815 and the updating unit 817 at the same time; for the specific implementation of each unit, refer to the description of the same unit in the schemes above, and details are not repeated here.
It should be noted that the functions of the functional modules of the network side equipment 80 described in this embodiment of the present invention can be implemented according to the method of the corresponding network side equipment in the method embodiments above; details are not repeated here.
In conclusion UE is not in the case where establishing RRC with base station and connecting by implementing the embodiment of the present invention, data can be transmitted to network side, and can ensure data transmission safety, so as to reduce establish control plane connection and user plane bearer needed for signal resource, improve system effectiveness.Further, the data packet or message between UE and network side equipment by transmission realize the safety certification process to opposite end, eliminate the reliance on the Ciphering Key that HSS is generated and issued, simplify the safety certification process between UE and network side equipment.
In the embodiments above, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be performed by hardware instructed by a program; the program may be stored in a computer readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes various media that can store program code, such as a magnetic disk, an optical disc, a flash disk, a read-only memory (ROM) or a random access memory (RAM).
A data transmission method, user equipment and network side equipment provided in embodiments of the present invention have been described in detail above. Specific examples are used herein to illustrate the principle and implementation of the present invention, and the description of the embodiments above is only intended to help understand the method of the present invention and its core ideas; at the same time, a person skilled in the art may, based on the ideas of the present invention, make changes to the specific implementation and scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (40)

  1. A user equipment, which is characterized in that it includes a processor, a receiver and a transmitter;
    wherein the processor is configured to call program code stored in the memory to perform the following operations:
    encrypting and integrity-protecting a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the user equipment (UE) according to a first random number generated by the UE or a second random number received from a network side equipment, and the data packet includes an identifier of the UE and user data;
    when the UE has not established a radio resource control (RRC) connection with a base station, sending the encrypted and integrity-protected data packet to the network side equipment through the transmitter.
  2. The user equipment according to claim 1, which is characterized in that the data packet further includes the first random number, and the first random number is used by the network side equipment to determine the decryption key and integrity verification key used to decrypt and integrity-verify the data packet.
  3. The user equipment according to claim 1 or 2, which is characterized in that the data packet further includes security algorithm indication information selected by the UE, and the security algorithm indication information is used by the network side equipment to determine the decryption algorithm and integrity verification algorithm used to decrypt and integrity-verify the data packet.
  4. The user equipment according to claim 1, which is characterized in that, before the data packet is encrypted and integrity-protected using the encryption key and the integrity protection key, the processor is further configured to perform the following operations:
    when the UE has not established the RRC connection with the base station, sending, through the transmitter, an authentication request to a home subscriber server (HSS) via the network side equipment, the authentication request including the identifier of the UE and being used to trigger the HSS to generate the second random number and, according to the identifier of the UE and the second random number, to determine the decryption key and integrity verification key used by the network side equipment to decrypt and integrity-verify the data packet;
    receiving, through the receiver, the response message sent by the HSS via the network side equipment, the response message including the second random number;
    integrity-verifying the response message using the integrity protection key.
  5. The user equipment according to any one of claims 1 to 4, which is characterized in that the processor is further configured to:
    receive, through the receiver, the confirmation message sent by the network side equipment after the integrity verification of the data packet succeeds;
    integrity-verify the confirmation message using the integrity protection key.
  6. The user equipment according to claim 5, which is characterized in that the data packet further includes a third random number generated by the UE, and the third random number is used by the network side equipment to update the identifier of the UE after the integrity verification of the data packet succeeds; the processor is further configured to:
    after the integrity verification of the confirmation message succeeds, update the identifier of the UE according to the third random number.
  7. The user equipment according to any one of claims 1 to 6, which is characterized in that the network side equipment includes a base station or a gateway.
  8. The user equipment according to claim 7, which is characterized in that the data packet further includes an identifier of a destination server, and the identifier of the destination server is used by the gateway to establish a transmission control protocol (TCP) connection with the destination server and to send the user data to the destination server over the TCP connection.
  9. The user equipment according to claim 7 or 8, which is characterized in that, when the network side equipment includes the gateway, the data packet further includes an identifier of the gateway, and the identifier of the gateway is used by the base station to send the data packet to the gateway.
  10. The user equipment according to any one of claims 7 to 9, which is characterized in that sending the encrypted and integrity-protected data packet to the network side equipment through the transmitter includes:
    sending, through the transmitter, the encrypted and integrity-protected data packet to the base station in a random access preamble message or an RRC connection establishment request message.
  11. A network side equipment, which is characterized in that it includes a processor, a receiver and a transmitter;
    wherein the processor is configured to call program code stored in the memory to perform the following operations:
    receiving, through the receiver, a data packet sent by a user equipment (UE) when it has not established a radio resource control (RRC) connection with a base station, the data packet including an identifier of the UE and user data and being a data packet obtained after the UE performs encryption and integrity protection;
    determining the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE;
    decrypting and integrity-verifying the data packet using the decryption key and the integrity verification key;
    after the integrity verification of the data packet succeeds, sending the user data to a destination server.
  12. The network side equipment according to claim 11, which is characterized in that the data packet further includes a first random number generated by the UE;
    and determining the decryption key and integrity verification key corresponding to the UE according to the identifier of the UE includes:
    sending the identifier of the UE and the first random number to a home subscriber server (HSS) so that the HSS generates an intermediate key of the UE, generating the decryption key and integrity verification key corresponding to the UE according to the intermediate key generated by the HSS, and storing the correspondence between the identifier of the UE and the decryption key and integrity verification key.
  13. The network side equipment according to claim 11 or 12, which is characterized in that the data packet further includes security algorithm indication information selected by the UE, and the security algorithm indication information is used by the network side equipment to determine the decryption algorithm and integrity verification algorithm used to decrypt and integrity-verify the data packet.
  14. The network side equipment according to claim 11, which is characterized in that, before receiving through the receiver the data packet sent by the user equipment (UE) when it has not established the radio resource control (RRC) connection with the base station, the processor is further configured to:
    receive, through the receiver, an authentication request sent by the UE when it has not established the RRC connection with the base station, the authentication request including the identifier of the UE;
    send the authentication request to a home subscriber server (HSS), the authentication request being used to trigger the HSS to generate a second random number and to generate an intermediate key of the UE according to the identifier of the UE and the second random number; generate the decryption key and integrity verification key according to the intermediate key generated by the HSS, and store the correspondence between the identifier of the UE and the decryption key and integrity verification key;
    send a response message to the UE through the transmitter, the response message including the second random number, which the UE uses to generate the encryption key and integrity protection key used to encrypt and integrity-protect the data packet.
  15. The network side equipment according to any one of claims 11 to 14, which is characterized in that the processor is further configured to:
    after the integrity verification of the data packet succeeds, send a confirmation message to the UE through the transmitter, the confirmation message being integrity-verified by the UE using the UE's integrity protection key.
  16. The network side equipment according to claim 15, which is characterized in that the data packet further includes a third random number generated by the UE, and the third random number is used by the UE to update the identifier of the UE after the integrity verification of the confirmation message succeeds; the processor is further configured to:
    after the integrity verification of the data packet succeeds, update the identifier of the UE according to the third random number, and store the correspondence between the updated identifier of the UE and the decryption key and integrity verification key.
  17. The network side equipment according to any one of claims 11 to 16, which is characterized in that the network side equipment includes a base station or a gateway.
  18. The network side equipment according to claim 17, which is characterized in that the data packet further includes an identifier of a destination server;
    and sending the user data to the destination server includes:
    establishing a transmission control protocol (TCP) connection with the destination server according to the identifier of the destination server, and sending the user data to the destination server over the TCP connection.
  19. The network side equipment according to claim 17 or 18, which is characterized in that, when the network side equipment includes the gateway, the data packet further includes an identifier of the gateway, and the identifier of the gateway is used by the base station to send the data packet to the gateway.
  20. The network side equipment according to any one of claims 17 to 19, which is characterized in that receiving through the receiver the data packet sent by the user equipment (UE) when it has not established the radio resource control (RRC) connection with the base station includes:
    receiving, through the receiver, the data packet that the user equipment (UE) sends in a random access preamble message or an RRC connection establishment request message when it has not established the radio resource control (RRC) connection with the base station.
  21. A data transmission method, which is characterized in that it includes:
    encrypting and integrity-protecting, by a user equipment (UE), a data packet using an encryption key and an integrity protection key, where the encryption key and the integrity protection key are generated by the UE according to a first random number generated by the UE or a second random number received from a network side equipment, and the data packet includes an identifier of the UE and user data;
    when the UE has not established a radio resource control (RRC) connection with a base station, sending the encrypted and integrity-protected data packet to the network side equipment.
  22. The method according to claim 21, which is characterized in that the data packet further includes the first random number, and the first random number is used by the network side equipment to determine the decryption key and integrity verification key used to decrypt and integrity-verify the data packet.
  23. The method according to claim 21 or 22, which is characterized in that the data packet further includes security algorithm indication information selected by the UE, and the security algorithm indication information is used by the network side equipment to determine the decryption algorithm and integrity verification algorithm used to decrypt and integrity-verify the data packet.
  24. The method according to claim 21, which is characterized in that, before the user equipment (UE) encrypts and integrity-protects the data packet using the encryption key and the integrity protection key, the method further includes:
    when the UE has not established the RRC connection with the base station, sending, by the UE, an authentication request to a home subscriber server (HSS) via the network side equipment, the authentication request including the identifier of the UE and being used to trigger the HSS to generate the second random number and, according to the identifier of the UE and the second random number, to determine the decryption key and integrity verification key used by the network side equipment to decrypt and integrity-verify the data packet;
    receiving, by the UE, the response message sent by the HSS via the network side equipment, the response message including the second random number;
    integrity-verifying, by the UE, the response message using the integrity protection key.
  25. The method according to any one of claims 21 to 24, which is characterized in that it further includes:
    receiving, by the UE, the confirmation message sent by the network side equipment after the integrity verification of the data packet succeeds;
    integrity-verifying, by the UE, the confirmation message using the integrity protection key.
  26. The method according to claim 25, which is characterized in that the data packet further includes a third random number generated by the UE, and the third random number is used by the network side equipment to update the identifier of the UE after the integrity verification of the data packet succeeds; the method further includes:
    after the integrity verification of the confirmation message by the UE succeeds, updating the identifier of the UE according to the third random number.
  27. The method according to any one of claims 21 to 26, which is characterized in that the network side equipment includes a base station or a gateway.
  28. The method according to claim 27, which is characterized in that the data packet further includes an identifier of a destination server, and the identifier of the destination server is used by the gateway to establish a transmission control protocol (TCP) connection with the destination server and to send the user data to the destination server over the TCP connection.
  29. The method according to claim 27 or 28, which is characterized in that, when the network side equipment includes the gateway, the data packet further includes an identifier of the gateway, and the identifier of the gateway is used by the base station to send the data packet to the gateway.
  30. The method according to any one of claims 27 to 29, which is characterized in that sending the encrypted and integrity-protected data packet to the network side equipment includes:
    sending the encrypted and integrity-protected data packet to the base station in a random access preamble message or an RRC connection establishment request message.
  31. A kind of data transmission method characterized by comprising
    Network side equipment receives the data packet that user equipment (UE) is sent when not setting up and connecting with the radio resource control RRC of base station; the data packet includes the mark and user data of the UE, and the data packet is that the UE carries out the data packet obtained after encryption and integrity protection;
    The network side equipment determines the corresponding decruption key of the UE and integrity verification key according to the mark of the UE;
    The network side equipment is decrypted using data packet described in the decruption key and the integrity verification key pair and integrity verification;
    The user data is sent to destination server after carrying out integrity verification success to the data packet by the network side equipment.
  32. The method according to claim 31, characterized in that the data packet further includes a first random number generated by the UE;
    and that the network side equipment determining the decryption key and the integrity verification key corresponding to the UE according to the identifier of the UE comprises:
    the network side equipment sending the identifier of the UE and the first random number to the home subscriber server (HSS), the HSS generating an intermediate key of the UE, the network side equipment generating the decryption key and the integrity verification key corresponding to the UE from the intermediate key generated by the HSS, and the network side equipment storing the correspondence between the identifier of the UE and the decryption key and the integrity verification key.
  33. The method according to claim 31 or 32, characterized in that the data packet further includes security algorithm indication information selected by the UE, the security algorithm indication information being used by the network side equipment to determine the decryption algorithm and the integrity verification algorithm with which the data packet is decrypted and integrity-verified.
  34. The method according to claim 31, characterized in that, before the network side equipment receives the data packet sent by the user equipment (UE) while no radio resource control (RRC) connection with the base station has been established, the method further comprises:
    the network side equipment receiving an authentication request sent by the UE while the UE has not established an RRC connection with the base station, the authentication request including the identifier of the UE;
    the network side equipment sending the authentication request to the home subscriber server (HSS), the authentication request being used to trigger the HSS to generate a second random number and to generate the intermediate key of the UE from the identifier of the UE and the second random number, the network side equipment generating the decryption key and the integrity verification key from the intermediate key generated by the HSS, and the network side equipment storing the correspondence between the identifier of the UE and the decryption key and the integrity verification key; and
    the network side equipment sending a response message to the UE, the response message including the second random number, the second random number being used by the UE to generate the encryption key and the integrity protection key with which the data packet is encrypted and integrity-protected.
  35. The method according to any one of claims 31 to 34, characterized by further comprising:
    the network side equipment sending a confirmation message to the UE after the integrity verification of the data packet succeeds, the confirmation message being integrity-verified by the UE using the integrity protection key of the UE.
  36. The method according to claim 35, characterized in that the data packet further includes a third random number generated by the UE, the third random number being used by the UE to update the identifier of the UE after the integrity verification of the confirmation message succeeds; and that the method further comprises:
    the network side equipment, after the integrity verification of the data packet succeeds, updating the identifier of the UE according to the third random number, and storing the correspondence between the updated identifier of the UE and the decryption key and the integrity verification key.
  37. The method according to any one of claims 31 to 36, characterized in that the network side equipment comprises a base station or a gateway.
  38. The method according to claim 37, characterized in that the data packet further includes an identifier of the destination server;
    and that sending the user data to the destination server comprises:
    the gateway establishing a transmission control protocol (TCP) connection with the destination server according to the identifier of the destination server, and sending the user data to the destination server over the TCP connection.
  39. The method according to claim 37 or 38, characterized in that, when the network side equipment comprises the gateway, the data packet further includes an identifier of the gateway, the identifier of the gateway being used by the base station to send the data packet to the gateway.
  40. The method according to any one of claims 37 to 39, characterized in that the network side equipment receiving the data packet sent by the user equipment (UE) while no radio resource control (RRC) connection with the base station has been established comprises:
    the base station receiving the data packet sent by the UE in a random access preamble message or in an RRC connection establishment request message while the UE has not established an RRC connection with the base station.
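The following is an added, runnable model of the network-side procedure in claims 31 to 36 (authentication via the HSS in claim 34, then verify-decrypt-forward-confirm and identifier rotation with the third random number). It is example code written for this page, not code from the patent or its assignee, and it fills in everything the claims leave open with assumptions: HMAC-SHA256 serves as both the key-derivation function and the integrity algorithm, the "cipher" is a counter-mode keystream built from the same PRF (a stand-in for a real confidentiality algorithm), tags are truncated to 16 bytes, identifiers are 8 bytes, and the packet layout `id | nonce | Enc(rand3 | user data) | tag`, the class names `HSS`, `NetworkSide`, `UE` and the labels fed to the PRF are all constructed for illustration.

```python
import hashlib
import hmac
import os

ID_LEN, NONCE_LEN, RAND_LEN, TAG_LEN = 8, 12, 16, 16  # sizes assumed for this example


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as the key-derivation and integrity primitive (an assumption of this example)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_keys(intermediate_key: bytes):
    """Derive the (encryption/decryption key, integrity key) pair from the HSS intermediate key."""
    return prf(intermediate_key, b"enc"), prf(intermediate_key, b"int")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from the PRF (stand-in for a real cipher); self-inverse."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = prf(key, nonce, counter.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class HSS:
    """Home subscriber server: holds long-term keys and derives the intermediate key (claims 32, 34)."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # UE identifier -> long-term key

    def intermediate_key(self, ue_id: bytes, rand2: bytes) -> bytes:
        return prf(self.subscribers[ue_id], b"intermediate", ue_id, rand2)


class NetworkSide:
    """Base station or gateway: keeps identifier -> key context and verifies before it decrypts."""
    def __init__(self, hss: HSS):
        self.hss = hss
        self.ctx = {}        # UE identifier -> (decryption key, integrity verification key)
        self.delivered = []  # user data handed to the destination server

    def handle_auth_request(self, ue_id: bytes) -> bytes:
        """Claim 34: the second random number is chosen, keys derived from the HSS key and stored."""
        rand2 = os.urandom(RAND_LEN)
        self.ctx[ue_id] = derive_keys(self.hss.intermediate_key(ue_id, rand2))
        return rand2  # the response message carries the second random number back to the UE

    def handle_data_packet(self, pkt: bytes):
        """Claims 31, 35, 36: check the tag, then decrypt, forward, confirm and rotate the identifier."""
        ue_id = pkt[:ID_LEN]
        keys = self.ctx.get(ue_id)
        if keys is None:
            return None  # unknown or already-rotated identifier: no security context
        dec_key, int_key = keys
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        if not hmac.compare_digest(prf(int_key, body)[:TAG_LEN], tag):
            return None  # integrity failure: drop without touching the ciphertext
        nonce = body[ID_LEN:ID_LEN + NONCE_LEN]
        plain = keystream_xor(dec_key, nonce, body[ID_LEN + NONCE_LEN:])
        rand3, user_data = plain[:RAND_LEN], plain[RAND_LEN:]
        self.delivered.append(user_data)
        new_id = prf(int_key, b"id-update", ue_id, rand3)[:ID_LEN]  # third random number -> new id
        del self.ctx[ue_id]
        self.ctx[new_id] = keys
        confirm = b"ack" + ue_id
        return confirm + prf(int_key, b"confirm", confirm)[:TAG_LEN]


class UE:
    """Peer side, included so the exchange runs end to end."""
    def __init__(self, ue_id: bytes, long_term_key: bytes):
        self.ue_id, self.k = ue_id, long_term_key
        self.enc_key = self.int_key = self.pending_rand3 = None

    def authenticate(self, net: NetworkSide):
        rand2 = net.handle_auth_request(self.ue_id)
        self.enc_key, self.int_key = derive_keys(prf(self.k, b"intermediate", self.ue_id, rand2))

    def build_packet(self, user_data: bytes) -> bytes:
        """Packet = id | nonce | Enc(rand3 | user data) | tag, sent before any RRC connection exists."""
        nonce, self.pending_rand3 = os.urandom(NONCE_LEN), os.urandom(RAND_LEN)
        body = self.ue_id + nonce + keystream_xor(self.enc_key, nonce, self.pending_rand3 + user_data)
        return body + prf(self.int_key, body)[:TAG_LEN]

    def handle_confirmation(self, msg: bytes) -> bool:
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(prf(self.int_key, b"confirm", body)[:TAG_LEN], tag):
            return False
        self.ue_id = prf(self.int_key, b"id-update", self.ue_id, self.pending_rand3)[:ID_LEN]
        return True


def run_example() -> dict:
    """Full flow on constructed data: authentication, one protected packet, a tampered copy, a replay."""
    hss = HSS({b"UE-00001": os.urandom(32)})  # constructed subscriber and long-term key
    net, ue = NetworkSide(hss), UE(b"UE-00001", hss.subscribers[b"UE-00001"])
    ue.authenticate(net)
    pkt = ue.build_packet(b"temperature=21.5")
    i = ID_LEN + NONCE_LEN
    tampered = pkt[:i] + bytes([pkt[i] ^ 0x01]) + pkt[i + 1:]  # flip one ciphertext bit
    tamper_rejected = net.handle_data_packet(tampered) is None
    confirmed = ue.handle_confirmation(net.handle_data_packet(pkt))
    replay_rejected = net.handle_data_packet(pkt) is None  # old identifier no longer has a context
    return {"delivered": net.delivered, "confirmed": confirmed, "tamper_rejected": tamper_rejected,
            "replay_rejected": replay_rejected, "ids_match": ue.ue_id in net.ctx}
```

Two details carry the security argument of the claims: the network side compares the integrity tag before it decrypts, so a packet whose ciphertext was altered is discarded without the decryption key ever being used on it, and because the identifier is rotated with the third random number as soon as a packet is accepted, the old identifier has no context left and a replayed copy of the same packet is dropped as well.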
CN201580084940.6A 2015-11-30 2015-11-30 Data transmission method, user equipment and network side equipment Active CN108293223B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/096035 WO2017091959A1 (en) 2015-11-30 2015-11-30 Data transmission method, user equipment and network side device

Publications (2)

Publication Number Publication Date
CN108293223A true CN108293223A (en) 2018-07-17
CN108293223B CN108293223B (en) 2020-11-17

Family

ID=58796141

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580084940.6A Active CN108293223B (en) 2015-11-30 2015-11-30 Data transmission method, user equipment and network side equipment

Country Status (2)

Country Link
CN (1) CN108293223B (en)
WO (1) WO2017091959A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431839A (en) * 2019-01-09 2020-07-17 中兴通讯股份有限公司 Processing method and device for hiding user identification
CN111586076A (en) * 2020-05-26 2020-08-25 清华大学 Remote control and telemetry information tamper-proof encryption and decryption method and system based on mixed password
CN112487408A (en) * 2020-12-24 2021-03-12 潍柴动力股份有限公司 Safe access method and system for ECU in vehicle and storage medium
CN112788594A (en) * 2020-06-03 2021-05-11 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium
CN113282910A (en) * 2021-04-22 2021-08-20 中国科学院软件研究所 Root key protection method for trusted computing trust root
CN115277200A (en) * 2022-07-27 2022-11-01 北京国领科技有限公司 Multi-node key automatic negotiation management method for link layer transparent encryption system
CN115720160A (en) * 2022-11-09 2023-02-28 中创通信技术(深圳)有限公司 Data communication method and system based on quantum key

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110858992A (en) * 2018-08-23 2020-03-03 华为技术有限公司 Routing method, device and system
CN111212424B (en) * 2018-11-22 2023-03-24 展讯通信(上海)有限公司 Method and system for authenticating UE during interoperation from EPS to 5GS
CN111327583B (en) * 2019-08-22 2022-03-04 刘高峰 Identity authentication method, intelligent equipment and authentication server
CN110830396B (en) * 2019-10-29 2021-05-28 西安交通大学 Physical layer key-based IMSI privacy protection method and device
CN113329399A (en) * 2020-02-28 2021-08-31 阿里巴巴集团控股有限公司 Data transmission, distribution network and management method, device, system and storage medium
CN114513860B (en) * 2020-10-23 2023-05-05 中国移动通信有限公司研究院 Terminal attachment method, device and storage medium
CN114521013A (en) * 2020-11-20 2022-05-20 深圳市中兴微电子技术有限公司 Terminal positioning method, system, storage medium and electronic device
CN115694599B (en) * 2021-07-31 2024-06-18 华为技术有限公司 Transmission method, system and related device
CN113836546B (en) * 2021-08-30 2024-02-13 广东浪潮智慧计算技术有限公司 Key management method, device, equipment and storage medium
CN113839958B (en) * 2021-09-29 2023-05-26 广州河东科技有限公司 Communication encryption method, device, control system and storage medium for smart home
CN114095150B (en) * 2021-11-12 2024-01-26 微位(深圳)网络科技有限公司 Identity authentication method, device, equipment and readable storage medium
CN116803133A (en) * 2021-12-07 2023-09-22 北京小米移动软件有限公司 System information verification method, device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1602091A (en) * 2003-09-22 2005-03-30 华为技术有限公司 Method of transmitting data in cluster business
CN101141250A (en) * 2007-10-10 2008-03-12 北京握奇数据系统有限公司 Instrument equipment, data safety access method, device and system
CN101197673A (en) * 2006-12-05 2008-06-11 中兴通讯股份有限公司 Fixed network access into IMS bidirectional authentication and key distribution method
CN101426190A (en) * 2007-11-01 2009-05-06 华为技术有限公司 Service access authentication method and system
WO2014169451A1 (en) * 2013-04-17 2014-10-23 华为技术有限公司 Method and device for data transmission
WO2015024260A1 (en) * 2013-08-23 2015-02-26 华为技术有限公司 Data transmission method, user equipment and proxy equipment
CN104969578A (en) * 2013-04-17 2015-10-07 华为技术有限公司 Data transmission method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060195402A1 (en) * 2002-02-27 2006-08-31 Imagineer Software, Inc. Secure data transmission using undiscoverable or black data
KR101520617B1 (en) * 2007-04-17 2015-05-15 삼성전자주식회사 Method for encrypting message for keeping integrity of message and apparatus and Method for decrypting message for keeping integrity of message and apparatus

Also Published As

Publication number Publication date
CN108293223B (en) 2020-11-17
WO2017091959A1 (en) 2017-06-08

Similar Documents

Publication Publication Date Title
CN108293223A (en) A kind of data transmission method, user equipment and network side equipment
Cao et al. A survey on security aspects for 3GPP 5G networks
CN108432206B (en) Stateless access stratum security for cellular internet of things
KR101961301B1 (en) Integrated authentication for integrated small cell and WI-FI networks
JP6759232B2 (en) Authentication and key sharing with complete forward secrecy
EP3499840B1 (en) User-plane security for next generation cellular networks
JP6574238B2 (en) Associating a device with another device's network subscription
CN107251522B (en) Network token is used for the efficient strategy implement of Service controll face method
TWI713614B (en) Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts
CN107710801A (en) Exempt from method, user equipment, access network equipment and the equipment of the core network of authorized transmissions
EP2903322B1 (en) Security management method and apparatus for group communication in mobile communication system
CN109716810A (en) Authority checking method and apparatus
CN110235423A (en) Auxiliary certification to user equipment
CN107736047A (en) Safe Architecture For eNet for honeycomb Internet of Things
WO2019096075A1 (en) Method and apparatus for message protection
CN109691154B (en) On-demand network function re-authentication based on key refresh
KR20230054421A (en) Privacy of Repeater Selection in Cellular Sliced Networks
WO2013118096A1 (en) Method, apparatus and computer program for facilitating secure d2d discovery information
CN101931953A (en) Method and system for generating safety key bound with device
CN101945387A (en) Method and system of binding access layer secret key and device
Zhang et al. Dynamic group based authentication protocol for machine type communications
CN109155915A (en) Communication means, network side equipment and user equipment
CN107295507A (en) A kind of private network cut-in method, apparatus and system
CN101977378A (en) Information transmission method, network side and relay node
Zhang et al. Group-based authentication and key agreement for machine-type communication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211221

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: xFusion Digital Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.