CN109819492A - Method and apparatus for determining a security capability - Google Patents


Publication number
CN109819492A
Authority
CN
China
Application number
CN201711159236.XA
Other languages
Chinese (zh)
Inventor
潘凯
李�赫
陈中平
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201711159236.XA
Publication of CN109819492A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W36/00: Hand-off or reselection arrangements
    • H04W36/08: Reselecting an access point
    • H04W88/00: Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02: Terminal devices
    • H04W88/06: Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals

Abstract

The application provides a method and apparatus for determining a security capability, relating to the field of wireless communication technologies, to solve the prior-art problem that a master base station cannot obtain the security capability used between a terminal and a secondary base station while the terminal is switching serving base stations. The method includes: a first base station sends a first message to a terminal through a second base station, where the first message includes a first instruction, the first instruction is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to hand over from the second base station to the first base station; the first base station receives a second message from the terminal, where the second message is used to determine the first security capability; and the first base station determines the first security capability according to the second message. The method is applicable to obtaining the first security capability while the terminal is switching serving base stations.

Description

Method and apparatus for determining a security capability

Technical field

Embodiments of the present invention relate to the field of wireless communication technologies, and in particular to a method and apparatus for determining a security capability.

Background

Dual connectivity (DC) is a technology in which a terminal is connected to two base stations at the same time, one acting as the master base station and the other as the secondary base station, and the terminal receives downlink data from both base stations. Compared with the downlink data reception rate that a terminal can reach under a single base station, the introduction of DC greatly increases the reception rate.

To allow for incremental deployment, in a 5G communication system the master base station of the two base stations accessed by a terminal may be a 4th generation (4G) base station and the secondary base station may be a 5th generation (5G) base station, with both base stations connected to a mobility management entity (MME) of the long term evolution (LTE) evolved packet core (EPC). In general, a terminal uses different security capabilities when communicating with base stations of different systems; for example, a 4G security capability is used between the terminal and a 4G base station, and a 5G security capability is used between the terminal and a 5G base station. The 4G security capability may be the 4G security algorithms supported by the terminal, and the 5G security capability may be the 5G security algorithms supported by the terminal. In this scenario, after the terminal connects to the master base station, the master base station needs to send the 5G security capability to the secondary base station so that the terminal and the secondary base station establish a connection, thereby forming DC.

The master base station usually obtains the 5G security capability from the MME, so the MME needs to be upgraded to be able to recognize the 5G security capability. However, as mobile networks evolve, not all MMEs are upgraded, so an MME that has not been upgraded may be unable to recognize the 5G security capability. When a terminal performs a connected state handover involving an MME change, the source MME (the MME accessed through the source base station before the terminal is handed over) needs to pass the terminal's 4G security capability and 5G security capability to the target MME (the MME accessed through the master base station after the terminal is handed over). However, if the source MME has not been upgraded and cannot recognize the 5G security capability, it usually cannot pass the 5G security capability to the target MME. Currently, after completing a connected state handover involving an MME change, the terminal usually reports the 5G security capability to the master base station through a tracking area update (TAU) procedure so that the master base station obtains the 5G security capability; specifically, the terminal may carry the 4G security capability and the 5G security capability in a TAU request message.

However, in the prior art, the master base station can obtain the 5G security capability used between the secondary base station and the terminal only through the TAU procedure after the handover is completed. As a result, the connection between the secondary base station and the terminal can start to be established only after the handover is completed, which makes dual connectivity slow to establish.

Summary of the invention

The application provides a method and apparatus for determining a security capability, to solve the prior-art problem that a master base station cannot obtain the security capability used between a terminal and a secondary base station while the terminal is switching serving base stations.

According to a first aspect, an embodiment of the present invention provides a method for determining a security capability, including: a first base station sends a first message to a terminal through a second base station, where the first message includes a first instruction, the first instruction is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to hand over from the second base station to the first base station; the first base station receives a second message from the terminal, where the second message is used to determine the first security capability; and the first base station determines the first security capability according to the second message.

The application provides a method for determining a security capability in which a first base station sends a first message to a terminal through a second base station, where the first message includes a first instruction, the first instruction is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to hand over from the second base station to the first base station; the first base station receives a second message from the terminal, where the second message is used to determine the first security capability; and the first base station determines the first security capability according to the second message. In this way, when the first base station does not have the first security capability, it can obtain the first security capability from the terminal and can then send it to a third base station, so that the terminal can subsequently establish dual connectivity with the third base station using the first security capability. On the other hand, when the first base station already has a security capability, it can first create the dual connectivity based on that security capability and then determine, according to the first security capability sent by the terminal, whether the security capability held by the first base station has been tampered with. When the first base station determines according to the first security capability that the security capability it holds has not been tampered with, the established dual connectivity need not be modified, so that dual connectivity can be established while the terminal is being handed over to the first base station.

With reference to the first aspect, in a first possible implementation of the first aspect, the second message is a handover completion message that includes the first security capability, and the first base station determining the first security capability according to the second message includes: the first base station determines the first security capability from the handover completion message. In this case, the first base station obtains the first security capability during the terminal's handover; compared with the prior art, in which the capability is obtained through the TAU procedure after the handover, the first security capability is obtained earlier, so dual connectivity is established earlier.

With reference to the first aspect or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, before the first base station sends the first message to the terminal through the second base station, the method provided by the application further includes: the first base station receives, from a first management entity, a third message used to instruct the first base station to obtain the first security capability; and the first base station determines the first instruction according to the third message.

With reference to any one of the first aspect to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the third message includes identification information used to indicate that the first security capability is to be obtained, and the first base station determining the first instruction according to the third message includes: the first base station uses the identification information as the first instruction; or the first base station generates the first instruction based on the identification information.

With reference to any one of the first aspect to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, before the first base station sends the first message to the terminal through the second base station, the method provided by the application further includes: the first base station receives a fourth message from the first management entity, where the fourth message includes a second security capability; and the first base station sends the second security capability to a third base station, where the second security capability is used to establish a connection between the terminal and the third base station. Because the first base station first sends the second security capability to the third base station, the terminal can first establish a connection with the third base station using the second security capability, which allows dual connectivity to be established during the handover.

With reference to any one of the first aspect to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, after the first base station determines the first security capability according to the second message, the method provided by the application further includes: if the second security capability is inconsistent with the first security capability, the first base station sends a fifth message to the third base station, where the fifth message includes the first security capability.

With reference to any one of the first aspect to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the first instruction is the second security capability, and the first base station determining the first security capability according to the second message includes: the first base station determines, according to the first instruction, the second security capability as the first security capability.

With reference to any one of the first aspect to the seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the first instruction is the second security capability, the second message includes the first security capability, and the first base station determining the first security capability according to the second message includes: the first base station determines the first security capability from the second message.

Second aspect, the application provide a kind of method of determining security capabilities, comprising: terminal reception first message, first Message includes the first instruction, and the first instruction is used to indicate the first security capabilities of terminal reporting terminal support, and first message is used for Instruction terminal switches to first base station from the second base station;Terminal according to first instruction, to first base station send second message, second Message is used to indicate first base station and determines the first security capabilities.

In conjunction with second aspect, second message is handoff completion message, and handoff completion message includes the first security capabilities.

In conjunction with the possible implementation of the first of second aspect or second aspect, second in first aspect is possible In implementation, first is designated as the second security capabilities, and the second security capabilities is used for the company established between terminal and third base station It connects, terminal sends second message according to the first instruction, to first base station, comprising: if the second security capabilities and the first security capabilities Inconsistent, then terminal sends second message to first base station, and second message includes the first security capabilities.

In conjunction with any one of second of possible implementation of second aspect to second aspect, the of first aspect In three kinds of possible implementations, first is designated as the second security capabilities, and the second security capabilities is for establishing terminal and third base Connection between standing, terminal send second message according to the first instruction, to first base station, comprising: if the second security capabilities and the One security capabilities is consistent, then terminal sends second message to first base station, and second message is specifically used for instruction for the second safe energy Power is determined as the first security capabilities.

In conjunction with any one of the third possible implementation of second aspect to second aspect, the of first aspect In four kinds of possible implementations, method provided by the present application further include: random access procedure of the terminal in access third base station In, the first security capabilities is sent to third base station.

In conjunction with any one of the 4th kind of possible implementation of second aspect to second aspect, the of first aspect In five kinds of possible implementations, the first security capabilities is related to Successor-generation systems, method provided by the present application further include: terminal Receive broadcast message;Terminal determines the service that Successor-generation systems are not present in the region where terminal according to broadcast message;Terminal Third message is sent to the second base station, third message does not include the first security capabilities.
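
The exchange described in the first and second aspects above, as an added Python sketch that is not part of the patent text: the first base station builds the first message, the terminal answers with the handover completion message, and the first base station determines the first security capability and corrects the third base station only when its copy is missing or inconsistent. The class names, message field names, the `REPORT` flag and the capability labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

Capability = FrozenSet[str]          # set of algorithm labels (constructed values)
REPORT = "report-first-capability"   # hypothetical flag form of the first instruction


@dataclass
class Terminal:
    first_capability: Capability     # what the terminal actually supports

    def handle_first_message(self, first_message: dict) -> dict:
        """Answer the handover command with the second message."""
        instruction = first_message["first_instruction"]
        second_message = {"type": "handover_completion"}
        if instruction == self.first_capability:
            # The first instruction carried the second capability and it matches:
            # tell the base station to treat it as the first capability.
            second_message["confirm_second"] = True
        else:
            # Plain report request, or a carried capability that does not match.
            second_message["first_capability"] = self.first_capability
        return second_message


@dataclass
class ThirdBaseStation:
    received: List[Tuple[str, Capability]] = field(default_factory=list)

    def receive(self, label: str, capability: Capability) -> None:
        self.received.append((label, capability))


@dataclass
class FirstBaseStation:
    third: ThirdBaseStation
    carry_second: bool = False       # True: first instruction is the second capability
    second_capability: Optional[Capability] = None

    def receive_fourth_message(self, capability: Capability) -> None:
        """Capability from the management entity; forward it before handover ends."""
        self.second_capability = capability
        self.third.receive("second_capability", capability)

    def build_first_message(self) -> dict:
        carried = self.carry_second and self.second_capability is not None
        instruction = self.second_capability if carried else REPORT
        return {"type": "handover_command", "first_instruction": instruction}

    def handle_second_message(self, second_message: dict) -> Capability:
        """Determine the first capability; correct the third base station if needed."""
        if second_message.get("confirm_second"):
            if self.second_capability is None:
                raise ValueError("confirmation received but nothing was carried")
            return self.second_capability
        if "first_capability" not in second_message:
            raise ValueError("second message carries no capability information")
        first = second_message["first_capability"]
        if first != self.second_capability:
            # Missing or inconsistent copy: send the terminal's own report.
            self.third.receive("first_capability", first)
        return first


def run_handover(terminal: Terminal, from_management_entity: Optional[Capability],
                 carry_second: bool = False):
    """Run one handover; returns (determined capability, third-station log, second message)."""
    third = ThirdBaseStation()
    first = FirstBaseStation(third, carry_second=carry_second)
    if from_management_entity is not None:
        first.receive_fourth_message(from_management_entity)
    # The second (source) base station only relays the first message to the terminal.
    second_message = terminal.handle_first_message(first.build_first_message())
    determined = first.handle_second_message(second_message)
    return determined, third.received, second_message


# Constructed sample capabilities, not real algorithm identifiers.
REAL = frozenset({"ENC-A", "ENC-B", "INT-A"})
ALTERED = frozenset({"ENC-A"})

if __name__ == "__main__":
    for label, cap, carry in [("none from entity", None, False),
                              ("consistent", REAL, False),
                              ("inconsistent", ALTERED, False),
                              ("carried, consistent", REAL, True),
                              ("carried, inconsistent", ALTERED, True)]:
        determined, log, _ = run_handover(Terminal(REAL), cap, carry)
        print(f"{label}: determined={sorted(determined)} sent={[l for l, _ in log]}")
```

In the inconsistent cases the third base station first holds the altered copy and is then sent the terminal's own report, which is the situation the sixth possible implementation of the first aspect covers.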

Correspondingly, according to a third aspect, the application provides an apparatus for determining a security capability, which can implement the method for determining a security capability described in the first aspect or any one of the implementations of the first aspect. For example, the apparatus may be a base station or a chip disposed in a base station. The method may be implemented by software, by hardware, or by hardware executing corresponding software.

In one design, the apparatus includes: a sending unit, configured to send a first message to a terminal through a second base station, where the first message includes a first instruction, the first instruction is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to hand over from the second base station to a first base station; a receiving unit, configured to receive a second message from the terminal, where the second message is used to determine the first security capability; and a determining unit, configured to determine the first security capability according to the second message.

With reference to the third aspect, in a first possible implementation of the third aspect, the second message is a handover completion message that includes the first security capability, and the determining unit is configured to determine the first security capability from the handover completion message.

With reference to the third aspect or the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the receiving unit is further configured to receive a third message from a first management entity, where the third message is used to instruct the first base station to obtain the first security capability; and the determining unit is specifically configured to determine the first instruction according to the third message.

With reference to any one of the third aspect to the third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the third message includes identification information used to indicate that the first security capability is to be obtained, and the determining unit is configured to use the identification information as the first instruction; or the determining unit is configured to generate the first instruction based on the identification information.

With reference to any one of the third aspect to the fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the receiving unit is further configured to receive a fourth message from the first management entity, where the fourth message includes a second security capability; and the sending unit is further configured to send the second security capability to a third base station, where the second security capability is used to establish a connection between the terminal and the third base station.

With reference to any one of the third aspect to the fifth possible implementation of the third aspect, in a sixth possible implementation of the third aspect, the sending unit is further configured to send a fifth message to the third base station when the determining unit determines that the second security capability is inconsistent with the first security capability, where the fifth message includes the first security capability.

With reference to any one of the third aspect to the sixth possible implementation of the third aspect, in a seventh possible implementation of the third aspect, the first instruction is the second security capability, and the determining unit is specifically configured to determine, according to the first instruction, the second security capability as the first security capability.

With reference to any one of the third aspect to the seventh possible implementation of the third aspect, in an eighth possible implementation of the third aspect, the first instruction is the second security capability, the second message includes the first security capability, and the determining unit is specifically configured to determine the first security capability from the second message.

According to a fourth aspect, the apparatus for determining a security capability may include at least one processor and a communication interface. The processor is configured to support the apparatus in performing the message processing or control operations carried out on the apparatus side in the method described in the first aspect or any one of the implementations of the first aspect. The communication interface may be a transceiver circuit, and is used to support communication between the apparatus and other network elements (for example, a core network device or the second base station). The transceiver circuit is used to support the apparatus in performing the message receiving and sending operations carried out on the apparatus side in the method described in the first aspect or any one of the implementations of the first aspect. The memory, the transceiver and the at least one processor are interconnected by lines. Optionally, the memory is coupled to the at least one processor and stores the programs (instructions) and data necessary for the apparatus.

According to a fifth aspect, the application provides an apparatus for determining a security capability, which can implement the method for determining a security capability described in the second aspect or any one of the implementations of the second aspect. For example, the apparatus may be a terminal or a chip disposed in a terminal. The method may be implemented by software, by hardware, or by hardware executing corresponding software.

The application provides an apparatus for determining a security capability, including: a receiving unit, configured to receive a first message, where the first message includes a first instruction, the first instruction is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to hand over from a second base station to a first base station; and a sending unit, configured to send a second message to the first base station according to the first instruction, where the second message is used to instruct the first base station to determine the first security capability.

With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the second message is a handover completion message, and the handover completion message includes the first security capability.

With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the first instruction is a second security capability, the second security capability is used to establish a connection between the terminal and a third base station, the terminal further includes a determining unit, and the sending unit is configured to send the second message to the first base station when the determining unit determines that the second security capability is inconsistent with the first security capability, where the second message includes the first security capability.

With reference to any one of the fifth aspect to the second possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, the first instruction is the second security capability, the second security capability is used to establish a connection between the terminal and the third base station, and the sending unit is further configured to send the second message to the first base station when the determining unit determines that the second security capability is consistent with the first security capability, where the second message is specifically used to indicate that the second security capability is to be determined as the first security capability.

With reference to any one of the fifth aspect to the third possible implementation of the fifth aspect, in a fourth possible implementation of the fifth aspect, the sending unit provided by the application is further configured to send the first security capability to the third base station in the random access procedure with the third base station.

With reference to any one of the fifth aspect to the fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fifth aspect, the receiving unit is further configured to receive a broadcast message; and the sending unit is further configured to send a third message to the second base station when the determining unit determines, according to the broadcast message, that no 5G service exists in the area where the terminal is located, where the third message does not include the first security capability.

According to another aspect, the apparatus for determining a security capability may include at least one processor and a communication interface. The processor is configured to support the apparatus in performing the message processing or control operations carried out on the apparatus side in the method described in the second aspect or any one of the implementations of the second aspect. The communication interface may be a transceiver circuit, and is used to support communication between the apparatus and other network elements (for example, a core network device or the first base station). The transceiver circuit is used to support the apparatus in performing the message receiving and sending operations carried out on the apparatus side in the method described in the second aspect or any one of the implementations of the second aspect. The memory, the transceiver and the at least one processor are interconnected by lines. Optionally, the memory is coupled to the at least one processor and stores the programs (instructions) and data necessary for the apparatus.

According to a sixth aspect, an embodiment of the present invention provides a method for determining a security capability, including: a first management entity receives a first message sent by a second management entity, where the first message includes a first identifier and the first identifier is used to indicate that the terminal has subscribed to a first mode; and the first management entity sends a second message to a first base station according to the first message, where the second message is used to instruct the first base station to obtain a first security capability, and the first base station is the base station accessed by the terminal after the handover.

With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the first management entity sending the second message to the first base station according to the first message includes: if the first management entity determines, according to the first identifier, that the first message does not include the first security capability, the first management entity sends the second message to the first base station.

With reference to the sixth aspect or the first possible implementation of the sixth aspect, in a second possible implementation of the sixth aspect, the first management entity determines, according to the first identifier, that the first message includes the first security capability, and the second message includes a second instruction and a third instruction, where the second instruction is used to instruct the first base station to obtain the first security capability, and the third instruction is used to instruct the first base station to determine whether the first security capability is consistent with the first security capability obtained by the first base station.

According to a seventh aspect, the application provides a computer-readable storage medium applied to a base station. The computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method for determining a security capability described in the first aspect or any one of the implementations of the first aspect.

According to an eighth aspect, the application provides a computer-readable storage medium applied to a terminal. The computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform the method for determining a security capability described in the second aspect or any one of the implementations of the second aspect.

According to a ninth aspect, the application provides a chip system applied to a base station. The chip system includes at least one processor and an interface circuit, the interface circuit and the at least one processor are interconnected by lines, and the processor is configured to run instructions stored in the chip system to perform the method for determining a security capability described in the first aspect or any one of the implementations of the first aspect.

According to a tenth aspect, the application provides a chip system applied to a terminal. The chip system includes at least one processor and an interface circuit, the interface circuit and the at least one processor are interconnected by lines, and the processor is configured to run instructions stored in the chip system to perform the method for determining a security capability described in the second aspect or any one of the implementations of the second aspect.

Optionally, the chip system in the application further includes at least one processor, and instructions are stored in the at least one processor.

According to an eleventh aspect, the application provides a computer program product containing instructions. The computer program product stores instructions that, when run on a base station, cause the base station to perform the method for determining a security capability described in the first aspect or any one of the possible designs of the first aspect.

According to a twelfth aspect, the application provides a computer program product containing instructions. The computer program product stores instructions that, when run on the second base station terminal, cause the terminal to perform the method for determining a security capability described in the second aspect or any one of the possible designs of the second aspect.

According to a thirteenth aspect, the application provides a communication system including the base station described in the third aspect and at least one terminal as described in the fourth aspect.

In a possible design, the system may further include other devices that interact with the base station, the terminal or the core network device in the solutions provided in the embodiments of the present invention.

Brief description of the drawings

Fig. 1 is a schematic diagram of a communication system architecture provided in an embodiment of the present invention;

Fig. 2 is a communication diagram of a method for determining security capabilities provided in an embodiment of the present invention;

Fig. 3 is a communication diagram of another method for determining security capabilities provided in an embodiment of the present invention;

Fig. 4 is a communication diagram of yet another method for determining security capabilities provided in an embodiment of the present invention;

Fig. 5 is a communication diagram of yet another method for determining security capabilities provided in an embodiment of the present invention;

Fig. 6 is a first detailed flowchart of a method for determining security capabilities provided in an embodiment of the present invention;

Fig. 7 is a second detailed flowchart of a method for determining security capabilities provided in an embodiment of the present invention;

Fig. 8 is a third detailed flowchart of a method for determining security capabilities provided in an embodiment of the present invention;

Fig. 9 is a fourth detailed flowchart of a method for determining security capabilities provided in an embodiment of the present invention;

Fig. 10 is a first structural schematic diagram of a base station provided in an embodiment of the present invention;

Fig. 11 is a second structural schematic diagram of a base station provided in an embodiment of the present invention;

Fig. 12 is a third structural schematic diagram of a base station provided in an embodiment of the present invention;

Fig. 13 is a first structural schematic diagram of a terminal provided in an embodiment of the present invention;

Fig. 14 is a second structural schematic diagram of a terminal provided in an embodiment of the present invention;

Fig. 15 is a third structural schematic diagram of a terminal provided in an embodiment of the present invention;

Fig. 16 is a structural schematic diagram of a chip system provided in an embodiment of the present invention.

Detailed description of the embodiments

The terms "first", "second" and the like in the application are used only to distinguish different objects and do not limit their order. For example, the first base station and the second base station are so named only to distinguish different base stations, and their order is not limited.

The term "and/or" in the application merely describes an association between associated objects and indicates that three relationships may exist. For example, A and/or B can indicate three cases: A exists alone, A and B exist at the same time, and B exists alone. In addition, the character "/" in the application generally indicates an "or" relationship between the objects before and after it.

It should be noted that, in the application, words such as "illustrative" or "for example" are used to present an example, illustration or explanation. Any embodiment or design described as "illustrative" or "for example" in the application should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, words such as "illustrative" or "for example" are intended to present the related concepts in a concrete manner.

Fig. 1 is a schematic diagram of a communication system architecture to which the method for obtaining security capabilities provided by the application is applied. As shown in Fig. 1, the architecture includes: a first core network control plane entity 100; a second core network control plane entity 500; at least one master base station 200 connected to the first core network control plane entity 100 (only one master base station is shown in Fig. 1); at least one secondary base station 300 connected to the master base station 200 (only one secondary base station is shown in Fig. 1); and one or more terminals 400 that communicate with the master base station 200 and the secondary base station 300. A control plane connection exists between the first core network control plane entity 100 and the at least one master base station 200. The master base station may be a 4G base station, i.e., an evolved NodeB (eNB), denoted Master eNB or MeNB; the secondary base station may be a 5G base station, denoted secondary gNB or SgNB.

The source base station 600 is the base station that the terminal 400 accessed before handing over to the master base station 200.

The master base station 200 is the base station that the terminal 400 accesses after handing over from the source base station 600. The master base station 200 is responsible for establishing the control plane connection with the first core network control plane entity 100, transmitting signaling messages, deciding whether a secondary base station is needed, and selecting the secondary base station 300 for the terminal 400.

The secondary base station 300 is a base station other than the master base station 200. It is a node that provides additional radio resources for the terminal, and it has no direct control plane connection with the first core network control plane entity 100.

The second core network control plane entity 500 is a core network device that the terminal 400 accessed through the source base station 600 before the handover; for example, it may be the MME in a 4G network.

The first core network control plane entity 100 is a core network device that the terminal 400 accesses through the master base station 200 after the handover. It is mainly responsible for functions such as mobility management, bearer management, user authentication, and selection of the serving gateway (SGW) and the packet data network gateway (PDN GW or PGW).

In addition, the first core network control plane entity 100 can also identify 5G security capabilities.

In the architecture shown in Fig. 1, in a 5G scenario, the first core network control plane entity 100 may be an access and mobility management function (AMF) node, the master base station 200 may be a 5G base station, and the interface between the AMF node and any 5G base station is called the N2 interface. In a 4G scenario, the first core network control plane entity 100 may be a mobility management entity (MME) 100, the master base station 200 may be a 4G base station, and the interface between the MME and the 4G base station is called the S1 interface. In a dual connectivity scenario between new radio (NR) and new radio (NR-NR DC), or a dual connectivity scenario between new radio and LTE (NR-LTE DC), the interface between the master base station 200 and the secondary base station 300 is called the Xn interface and supports signaling interaction between the two base stations. In any DC scenario, a wireless interface (such as the Uu interface) is established between the master base station 200 and the terminal 400 and can be used to transmit user plane data and control plane signaling between them. A wireless interface is also established between the secondary base station 300 and the terminal 400; the application does not limit the name of this wireless interface, which can be used to transmit user plane data and control plane signaling between the secondary base station 300 and the terminal 400. That is, when the terminal 400 establishes connections with the master base station 200 and the secondary base station 300 at the same time, the terminal 400 is in dual connectivity mode. The user plane of the wireless interface mainly transmits user data; the control plane transmits the related signaling and establishes, reconfigures and releases the various mobile communication radio bearer services.

In addition, the interface between the first core network control plane entity 100 and the second core network control plane entity 500 is called the S10 interface, and the interface between the second core network control plane entity 500 and the master base station 200 may be called the S1-MME interface.

A base station in the application (such as a source base station, master base station or secondary base station) is an apparatus that provides a wireless communication function for a terminal. It may be an access point (AP) in a wireless local area network (WLAN), a base transceiver station (BTS) in the global system for mobile communications (GSM) or code division multiple access (CDMA), a NodeB (NB) in wideband code division multiple access (WCDMA), an evolved NodeB (eNB or eNodeB) in LTE, a relay station or access point, a vehicle-mounted device, a wearable device, a base station (gNB) in a future 5G network, or a network device in a future evolved public land mobile network (PLMN), and so on. For convenience of description, apparatuses that provide a wireless communication function for a terminal are collectively referred to as base stations in the application.

A terminal may also be called a terminal device and may include user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The terminal device may be a station (STA) in a wireless local area network (WLAN), a cellular phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, or a terminal device in a next-generation communication system, for example a terminal device in a fifth-generation (5G) communication network or in a future evolved public land mobile network (PLMN).

As an example, in the embodiments of the present invention, the terminal may also be a wearable device. Wearable devices, also called wearable smart devices, is a general term for devices that can be worn, such as glasses, gloves, watches, clothing and shoes, developed by applying wearable technology to the intelligent design of everyday wear. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothes or accessories. A wearable device is not only a hardware device; it also delivers powerful functions through software support, data interaction and cloud interaction. In a broad sense, wearable smart devices include devices that are full-featured, large in size and able to provide complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus on only one type of application function and need to be used together with other devices such as smartphones, such as the various smart bracelets and smart jewelry used for physical sign monitoring.

Specifically, the master base station and the secondary base station in the application are of different standards. Illustratively, the master base station in the application may be an evolved NodeB (eNB) of the LTE standard, i.e., a 4G base station, and the secondary base station in the application may be a base station (gNB) in a 5G system, i.e., a 5G base station; or the secondary base station may be a base station in another system that may appear in the future.

It can be understood that the architecture shown in Fig. 1 is only one example of a scenario to which the method provided by the application applies and does not limit the application; the technical solution provided by the application can also be applied to other communication scenarios in which dual connectivity needs to be established. The two systems involved in dual connectivity may take other forms, for example a 4G system and another system that may appear in the future, or a 5G system and another system that may appear in the future.

Based on the common aspects of the application described above, the solutions of the embodiments of the application are described in further detail below.

Fig. 2 is a communication diagram of a method for determining security capabilities provided by an embodiment of the application. As shown in Fig. 2, the method includes steps S101 to S103.

S101: The first base station sends a first message to the terminal through the second base station. The first message includes a first indication, which instructs the terminal to report the first security capability that the terminal supports. The first message instructs the terminal to hand over from the second base station to the first base station.

Specifically, the second base station is the base station that serves the terminal before the handover, and the first base station is the base station that serves the terminal after the handover.

Optionally, the first base station may send the first message to the terminal through the second base station while instructing the terminal to hand over.

In one example, the first message may be a message that instructs the terminal to hand over, or a signaling message newly defined in the process in which the first base station instructs the terminal to hand over; the application does not limit this. For example, the first message may be a handover command message. Of course, the first message may also be another message; the application does not limit this.

Illustratively, the first security capability in the application is the security capability used when a connection is established between the terminal and a third base station. For example, the third base station may be a 5G base station and the first security capability may be a 5G security capability. The 5G security capability may refer to the 5G security algorithms that the terminal supports, such as a 5G encryption algorithm and/or a 5G integrity protection algorithm. The 5G encryption algorithm may be named NEA, 5G-EA (5G encryption algorithm), encryption algorithm for 5G, or another name; the 5G integrity protection algorithm may be named NIA, 5G-IA (5G integrity algorithm), integrity algorithm for 5G, or another name.

Correspondingly, the terminal receives the first message. Illustratively, the terminal may receive the first message while the first base station is instructing the terminal to hand over.

S102: The terminal sends a second message to the first base station according to the first indication. The second message instructs the first base station to determine the first security capability.

In one example, the terminal may send the second message to the first base station while indicating to the first base station that the terminal has handed over to the first base station. In this case, the second message may be a message indicating that the terminal has handed over to the first base station, or a signaling message newly defined in the process of indicating that the terminal has handed over to the first base station; the application does not limit this.

For example, the second message may be a handover complete message.

Correspondingly, the first base station receives the second message from the terminal, and the second message is used to determine the first security capability.

S103: The first base station determines the first security capability according to the second message.

The application provides a method for determining security capabilities. The first base station sends a first message to the terminal through the second base station; the first message includes a first indication that instructs the terminal to report the first security capability that the terminal supports, and the first message instructs the terminal to hand over from the second base station to the first base station. The first base station receives a second message from the terminal, which is used to determine the first security capability, and determines the first security capability according to the second message. In this way, on the one hand, when the first base station does not hold the first security capability, it can obtain the first security capability from the terminal while the terminal hands over to the first base station. The first base station can then send the first security capability to the third base station, so that the terminal can subsequently establish dual connectivity with the third base station using the first security capability, which brings the establishment of dual connectivity forward. On the other hand, when the first base station already holds a security capability, it can first create dual connectivity based on that security capability and then use the first security capability sent by the terminal to determine whether the security capability it holds has been tampered with. When the first base station determines, according to the first security capability, that the security capability it holds has not been tampered with, the established dual connectivity need not be modified, so dual connectivity can be established while the terminal hands over to the first base station.

Based on Fig. 2, Fig. 3 is a communication diagram of another method for determining security capabilities provided by an embodiment of the application. For content in Fig. 3 that is the same as in Fig. 2, refer to the description of Fig. 2; it is not repeated below. As shown in Fig. 3, on the basis of the method shown in Fig. 2, the method provided by the application may further include, before step S101:

S104: The first management entity sends a third message to the first base station. The third message instructs the first base station to obtain the first security capability.

Optionally, the third message may carry identification information, which indicates that the first security capability is to be obtained.

Specifically, the first management entity may be the core network device that the first base station accesses, and the first management entity can identify the first security capability. Illustratively, the first management entity may be an upgraded MME, i.e., an MME that can at least identify the first security capability.

Illustratively, the third message may be sent to the first base station while the first management entity requests the first base station to perform the handover. For example, the third message may be a handover request message sent by the first management entity to the first base station. The third message may also be a signaling message newly defined between the first management entity and the first base station in the process in which the first management entity requests the first base station to perform the handover; the application does not limit this.

Before the first management entity requests the first base station to perform the handover, there is usually also a redirection process between the first management entity and the second management entity (the MME that the second base station accesses). Based on this redirection process, the first management entity can determine the content of the third message. For example, when the first management entity can obtain the second security capability from the redirection process, the identification information may be the second security capability. In this case, because the first management entity cannot be certain whether the second security capability has been tampered with, it may first send the second security capability to the first base station, and the first security capability may then be obtained from the terminal through the first base station in order to verify the second security capability. On the other hand, when the first management entity determines in the redirection process that the terminal has subscribed to option3 but the second management entity has not sent the second security capability to the first management entity, the first management entity may generate identification information on that basis.

Specifically, the redirection process is as follows: after receiving the handover request message (for example, a handover required message) sent by the second base station, the second management entity sends a redirection request message (for example, a forward relocation request message) to the first management entity. The redirection request message usually includes the complete security context of the terminal and also contains a first identifier, which indicates whether the terminal has subscribed to option3.

Here, option3 is one implementation of dual connectivity in which the two base stations that the terminal accesses are an LTE base station eNB (as the master base station, called Master eNB or MeNB) and a 5G base station gNB (as the secondary base station, called Secondary gNB or SgNB), and both base stations are connected to the mobility management entity of the LTE evolved packet core (EPC).

Correspondingly, the first base station receives the third message from the first management entity. For example, the first base station may receive the third message while the first management entity requests the first base station to perform the handover.

S105: The first base station determines the first indication according to the third message.

Specifically, step S105 may be implemented as follows: the first base station determines the identification information as the first indication; or the first base station generates the first indication based on the identification information.

On the one hand, the first security capability of the terminal may be stored in an existing security field, for example a first field. On the other hand, the first security capability of the terminal may also be stored in a field different from the existing security field, for example a second field, wherein the first field and the second field. This gives rise to the following two scenarios in the application:

Scenario one: when the first security capability can be stored in an existing security field, the second management entity that the terminal accesses through the second base station can identify the first security capability. Therefore, while the second management entity and the first management entity perform the redirection process, the second management entity can send the first security capability that it can identify (hereinafter, the first security capability that the second management entity can identify is called the second security capability) to the first management entity. However, after receiving the second security capability, the first management entity cannot determine whether it has been tampered with. On this basis, the first management entity may first send the second security capability to the first base station, so that the first base station sends it to the third base station and the connection between the terminal and the third base station is established. In this case, the process of establishing the connection between the terminal and the third base station can be executed in parallel with the process of the terminal handing over from the second base station to the first base station.

Based on scenario one, the first indication in the application may also be the second security capability. When the first indication is the second security capability, the second security capability may or may not be consistent with the first security capability, and whether the two are consistent determines the content of the second message. The two cases are therefore introduced separately below:

On the one hand, step S102 in the application may be implemented in the following Mode A:

Mode A: The terminal determines, according to the first indication, that the second security capability is consistent with the first security capability, and then sends the second message to the first base station according to the first indication. The second message indicates that the second security capability is to be determined as the first security capability.

Optionally, the second message may be a message indicating that the handover is complete, such as a handover complete message. Based on this handover complete message, the first base station can determine that the second security capability has not been tampered with, and can therefore determine the second security capability as the first security capability. In this case, the second message need not carry indication information indicating that the second security capability is to be determined as the first security capability.

Here, the second indication indicates that the second security capability is consistent with the first security capability, or indicates that the second security capability is to be determined as the first security capability.

Illustratively, the second indication may be a first indicator, which indicates that the second security capability is consistent with the first security capability; for example, the first indicator is "1" or "0".

It should be noted that, in the application, the second security capability being consistent with the first security capability means that the second security capability has not been tampered with, and the second security capability being inconsistent with the first security capability means that the second security capability has been tampered with.

Of course, when the terminal determines, according to the first indication, that the second security capability is consistent with the first security capability, the second message need not include the first security capability.

When step S102 is implemented by Mode A, step S103 may be implemented in the following Mode B:

Mode B: The first base station determines, according to the second message, the second security capability as the first security capability.

On the other hand, step S102 in the application may be implemented in Mode C:

Mode C: The terminal determines, according to the first indication, that the second security capability is inconsistent with the first security capability, and then sends the second message to the first base station. The second message includes the first security capability, or the second message includes the first security capability and a third indication, where the third indication indicates that the second security capability is inconsistent with the first security capability.

Of course, when the terminal determines, according to the first indication, that the second security capability is consistent with the first security capability, the second message need not include the indication information indicating that the second security capability is inconsistent with the first security capability, i.e., the third indication. The third indication may be a second indicator, which indicates that the second security capability is inconsistent with the first security capability. The second indicator may be "0" or "1"; the application does not limit this, and whether 1 or 0 is used can be negotiated between the terminal and the base station.

When step S102 is implemented by Mode C, step S103 may be implemented in the following Mode D:

Mode D: The first base station determines, according to the second message, the security capability obtained from the second message as the first security capability.

Scenario two: when the first security capability is stored in a field different from the existing security field, the second management entity may be unable to identify the first security capability. Therefore, while the second management entity and the first management entity perform the redirection process, the second management entity may not send the first security capability, which it cannot identify, to the first management entity. The first management entity can therefore instruct the first base station to obtain the first security capability.

Based on scenario two, step S102 in the application may be implemented in the following Mode E:

Mode E: The terminal sends the second message to the first base station according to the first indication. The second message includes the first security capability.

When step S102 is implemented by Mode C, step S103 may be implemented by Mode D above; the application does not repeat the details here.

In a possible embodiment, based on scenario one above and on Fig. 2, Fig. 4 is a communication diagram of yet another method for determining security capabilities provided by an embodiment of the application. For content in Fig. 4 that is the same as in Fig. 2, refer to the description of Fig. 2; it is not repeated below. As shown in Fig. 4, on the basis of the method shown in Fig. 2, the method provided by the application may further include, before step S101:

S106: The first management entity sends a fourth message to the first base station. The fourth message includes the second security capability.

Specifically, after the first management entity sends the fourth message to the first base station, the method further includes: the first base station receives the fourth message from the first management entity.

On this basis, the first base station can send the second security capability obtained from the fourth message to the third base station, as in step S107, so that the terminal establishes a connection with the third base station according to the second security capability.

S107: The first base station sends the second security capability to the third base station. The second security capability is used to establish the connection between the terminal and the third base station.

Optionally, the first base station may send the second security capability to the third base station in a cell addition request message, such as an SgNB addition request message.

It should be noted that the first base station may execute step S101 above while it executes step S107. In this case, the first indication in step S101 may be the first security capability.

After step S107, the third base station may also send the first base station a response message to the cell addition request message (for example, a cell addition request acknowledgement message, such as SgNB addition request ACK). The response message indicates that the third base station has established a connection with the terminal. After the first base station receives the handover complete message sent by the terminal, the first base station can determine that the terminal has established connections with both the first base station and the third base station; at this point, dual connectivity is established.

In the present application, after the third base station and the terminal establish a connection according to the second security capabilities, the terminal and the first base station may determine whether the second security capabilities are consistent with the first security capabilities. For the specific determination process, refer to the above embodiments; it is not repeated here. In addition, when the second security capabilities are inconsistent with the first security capabilities, both the first base station and the terminal can instruct the third base station to modify the configuration of the established secondary cell group. The two cases are introduced separately below:

In the case where the first base station instructs the third base station to modify the configuration of the established secondary cell group, as shown in Fig. 4, on the basis of the method shown in Fig. 2, the method provided by the present application may further include, after step S103:

S108, if the first base station determines that the first security capabilities and the second security capabilities are inconsistent, it sends a fifth message to the first base station, where the fifth message includes the first security capabilities and is used to modify the configuration of the secondary cell group.

Illustratively, the fifth message can be a cell modification request message, such as an SgNB modification request message.

In the case where the terminal instructs the third base station to modify the configuration of the established secondary cell group, based on Fig. 2, Fig. 5 shows another method for determining security capabilities provided by the embodiments of the present application. In Fig. 5, content identical to Fig. 2 can be understood with reference to the description of Fig. 2 and is not repeated below. As shown in Fig. 5, on the basis of the method shown in Fig. 2, the method provided by the present application may further include steps S106 and S107 before step S101, where steps S106 and S107 are identical to S106 and S107 in Fig. 4; refer to the detailed description of Fig. 4, which is not repeated here. On the basis of the method shown in Fig. 2, after step S102 the method provided by the present application does not execute step S103 but further includes:

S109, the terminal sends a fifth message to the third base station, where the fifth message includes the first security capabilities.

Optionally, the terminal can send the first security capabilities to the third base station during the random access procedure with the third base station.

S110, the third base station compares the first security capabilities with the second security capabilities and, if it determines that the second security capabilities are inconsistent with the first security capabilities, modifies the configuration of the secondary cell group.

It should be noted that, when the terminal instructs the third base station to modify the configuration of the established secondary cell group, the second message in step S102 need not carry the first security capabilities.

Optionally, the first security capabilities relate to a next-generation system, where the next-generation system can be a 5G system or another system that may appear in the future. The method provided by the present application may further include:

(a) The terminal receives a broadcast message.

(b) The terminal determines, according to the broadcast message, that no service of the next-generation system exists in the region where the terminal is located.

(c) The terminal sends a sixth message to the second base station, where the sixth message does not include the first security capabilities.

For example, the sixth message can be an attach message.

The present application provides a method by which the base station that serves a terminal after handover determines the 5G security capabilities. In the present application, the terminal can determine from a broadcast message whether to report the first security capabilities to the second base station in the initial access message. When the terminal determines that no 5G service exists in the region where it is located, it sends the second base station the remaining security capabilities other than the first security capabilities, for example, the 4G security capabilities. In this way the first security capabilities are protected from tampering, because an MME that cannot identify the first security capabilities will not carry them in the subsequent Non-Access Stratum Security Mode Command (NAS SMC) message, so the terminal would have no way of learning whether the first security capabilities it reported were tampered with.

Further, it is to be understood that, when the terminal determines that a service of the next-generation system exists in the region where it is located, it can send the first security capabilities to the second base station.

The following describes in detail a method for determining security capabilities provided by the present application, based on the architecture shown in Fig. 1 and taking as an example that the first base station is the MeNB, the second base station is the source MME, the first management entity is the purpose MME, the second management entity is the source MME and the third base station is the SgNB.

Embodiment 1

As shown in Fig. 6, Fig. 6 shows a specific implementation of a method for determining security capabilities provided by the present application, including:

S201, the eNB sends a handover request message to the source MME.

The eNB is the base station accessed by the UE before the handover and may also be referred to as the source base station. For example, the handover request message can be a handover required message. The source MME is the MME accessed by the eNB.

S202, the source MME sends a redirection request message to the purpose MME.

The purpose MME in the present application is the MME accessed by the MeNB that the UE accesses after the handover; the purpose MME can identify the 5G security capabilities.

For example, the redirection request message can be a forward relocation request message.

Specifically, the forward relocation request message can be sent between the source MME and the purpose MME over the S10 interface.

S203, the purpose MME sends a handover request message to the MeNB. The handover request message carries identification information, and the identification information is used to instruct the MeNB to notify the UE to report the 5G security capabilities.

The purpose MME can determine in several ways that identification information is to be carried in the handover request message. In one possible implementation, the forward relocation request message sent by the source base station normally contains the complete security context of the UE, and may also contain a second identifier indicating whether the UE has subscribed to option3. If the purpose MME determines that the second identifier indicates that the UE has subscribed to option3, but the source MME has not sent the UE's 5G security capabilities to the purpose MME, the purpose MME determines that identification information is to be carried in the handover request message.

It should be noted that, in Embodiment 1 of the present application, the 5G security capabilities of the UE can be stored in a new field that is different from the existing security capability field. The source MME therefore cannot identify the 5G security capabilities, and the redirection request message that the source MME sends to the purpose MME does not carry them.

The MeNB is the base station that the UE accesses after handover from the source base station.

S204, the MeNB adds a third identifier to a container between the source base station and the master base station.

For example, the container can be a target to source transparent container.

It should be noted that the target to source transparent container is a container that the MeNB sends to the UE; its content can be passed directly to the source UE by intermediate network elements without being identified or processed.

In the present application, the MeNB can determine the third identifier in several ways. On the one hand, the third identifier can be the identification information carried in step S203; that is, the MeNB uses the identification information as the third identifier. On the other hand, the third identifier can be generated by the MeNB according to the identification information. The present application does not limit this.

S205, the MeNB sends a handover acknowledgement message to the purpose MME.

For example, the handover acknowledgement message can be a handover ACK message.

S206, the purpose MME sends a redirection response message to the source MME.

For example, the redirection response message can be a forward relocation response message.

S207, the source MME sends a handover command message to the eNB.

For example, the handover command message can be a handover command message.

It should be noted that the messages in step S205 and step S206 contain the target to source transparent container from S204.

S208, the eNB sends a handover command message to the UE; the handover command message includes the target to source transparent container.

For example, the handover command message can be a handover command message.

S209, the UE obtains the third identifier from the target to source transparent container received in the handover command message and sends a handover complete message to the MeNB; the handover complete message may include the 5G security capabilities.

For example, the handover complete message can be a handover complete message.

It should be noted that, if the UE does not carry the 5G security capabilities in the handover complete message in step S209, the UE can instead send the 5G security capabilities to the MeNB in a TAU request message after the handover is complete.

Optionally, the UE can determine, according to the third identifier in the handover command message, whether to carry the 5G security capabilities in the TAU request message.

It should be noted that, in the present application, steps S201-S209 allow the UE and the MeNB to establish a connection.

S210, after receiving the 5G security capabilities of the UE, the MeNB can initiate dual connectivity: the MeNB sends an SgNB cell addition request message to the SgNB.

Specifically, the MeNB can obtain the 5G security capabilities in the following ways. On the one hand, when the handover complete message sent by the UE carries the 5G security capabilities, the MeNB obtains them from the handover complete message. On the other hand, if the terminal does not carry the 5G security capabilities in the handover complete message, the terminal can carry them in the TAU request message according to the third identifier; in this case, the terminal can receive the 5G security capabilities in the TAU request message.

For example, the SgNB cell addition request message can be an addition request message.

S211, the SgNB replies to the MeNB with a cell addition request acknowledgement message.

For example, the cell addition request acknowledgement message can be an SgNB addition request ACK message.

It should be noted that, in the present application, after step S211 the terminal can establish a connection with the SgNB according to the 5G security capabilities, at which point the DC architecture is formed.

It should be noted that, in the present application, when accessing the network for the first time, the UE can decide according to the received broadcast message whether to carry the 5G security capabilities in the attach request message sent to the network. Specifically, if the UE determines from the received broadcast message that there is no 5G coverage in the region where the UE is located, the attach request message sent by the UE need not carry the 5G security capabilities; for example, it can carry the 4G security capabilities. If the UE determines that there is 5G coverage in the region where it is located, the UE carries the 5G security capabilities in the attach request message it sends and can additionally carry the 4G security capabilities. In the present application, the UE judges whether 5G coverage exists and thereby determines whether to carry the 5G security capabilities in the attach request message. Not carrying the 5G security capabilities in the attach request message when there is no 5G coverage protects them from tampering, because an MME that cannot identify the 5G security capabilities will not carry them in the subsequent Non-Access Stratum Security Mode Command (NAS SMC) message, so the UE would have no way of learning whether the 5G security capabilities it reported were tampered with.

Through the above steps S201-S211, the present application allows the MeNB to obtain the 5G security capabilities from the handover complete message sent by the UE and send them to the SgNB, so that the UE establishes a connection with the SgNB using the 5G security capabilities. After the UE and the SgNB successfully establish the connection, the UE is connected to the MeNB and the SgNB at the same time, which forms the dual connectivity of the UE. Dual connectivity can thus be established during the UE's handover, without waiting for a TAU procedure after the handover is complete to obtain the capabilities.

Embodiment 2

As shown in Fig. 7, Fig. 7 shows another specific implementation of a method for determining security capabilities provided by the present application, including:

S301, the eNB sends a handover request message to the source MME.

For example, the handover request message can be a handover required message.

S302, the source MME sends a redirection request message to the purpose MME; the redirection request message contains the first 5G security capabilities of the UE.

It should be noted that, in Embodiment 2, the first 5G security capabilities of the UE are placed in the existing security capability field, so the source MME can identify the first 5G security capabilities and send them to the purpose MME. However, although the purpose MME can identify the first 5G security capabilities after receiving them, it cannot determine at this point whether they have been tampered with.

For example, the redirection request message can be a forward relocation request message.

S303, the purpose MME sends a handover request message to the MeNB; the handover request message includes the first 5G security capabilities.

For example, the handover request message can be a handover request message.

S304, the MeNB sends a cell addition request message to the SgNB; the cell addition request message includes the first 5G security capabilities received from the purpose MME.

Based on step S304, the UE can establish a connection with the SgNB according to the first 5G security capabilities. After the UE and the SgNB successfully establish the connection based on the first 5G security capabilities, the UE is connected to both the SgNB and the MeNB, and the dual connectivity of the UE is established.

In addition, for the process and method of establishing the connection between the UE and the SgNB, refer to schemes in the prior art; the present application does not limit this.

For example, the cell addition request message can be an SgNB addition request message.

S305, the SgNB sends a cell addition request acknowledgement message to the MeNB.

For example, the cell addition request acknowledgement message can be an SgNB addition request ACK message.

While the above step S305 is executed, the MeNB can, through steps S306-S311, instruct the UE during its handover to report the second 5G security capabilities that the UE itself has, so that the MeNB obtains from the UE the second 5G security capabilities the UE reports. It should be noted that the above steps S301-S305 can be carried out in parallel with the process in which the MeNB obtains the second 5G security capabilities from the UE; that is, dual connectivity is established during the UE's handover.

Specifically, for the process in which the master base station instructs the UE during its handover to report the second 5G security capabilities that the UE itself has, refer to the above steps S204-S209; that is, steps S306-S311 correspond in turn to steps S204-S209 and are not described again here.

S312, after receiving the purpose security capabilities, the MeNB compares the first 5G security capabilities with the second 5G security capabilities. If the MeNB determines that the first 5G security capabilities are consistent with the second 5G security capabilities, the configuration of the previously established secondary cell group need not be modified.

Optionally, the MeNB can send first indication information to the SgNB; the first indication information indicates that the SgNB need not modify the configuration of the secondary cell group.

Specifically, the secondary cell group consists of multiple cells under the secondary base station.

S313, if the MeNB determines that the first 5G security capabilities and the second 5G security capabilities are inconsistent, the MeNB sends a cell modification request message to the SgNB; the cell modification request message includes the second 5G security capabilities.

Optionally, the cell modification request message is used to instruct the SgNB to modify the configuration of the secondary cell group according to the second 5G security capabilities, so as to modify the connection established between the SgNB and the UE.

It should be noted that, if the MeNB determines that the first 5G security capabilities and the second 5G security capabilities are inconsistent, this indicates that the first 5G security capabilities received by the MeNB have been tampered with.

S314, the SgNB sends a cell modification request response to the MeNB.

For example, the cell modification request response can be an SgNB modification request ACK message; the cell modification request response indicates that the configuration of the secondary cell group is modified according to the second 5G security capabilities.

It should be noted that, when the first 5G security capabilities and the second 5G security capabilities are inconsistent, the SgNB and the UE can renegotiate the security algorithm to be used.

In the scheme implemented by the above steps S301-S314, the MeNB can establish dual connectivity during the handover and, after dual connectivity is established, judge from the second 5G security capabilities sent by the UE whether the first 5G security capabilities used to establish the connection between the SgNB and the UE have been tampered with. If the MeNB determines that the first 5G security capabilities have not been tampered with, the MeNB need not modify the established dual connectivity. If the first 5G security capabilities have been tampered with, the MeNB can notify the SeNB to modify the configuration of the secondary cell group according to the second 5G security capabilities, so as to modify the established dual connectivity.

Embodiment 3

As shown in Fig. 8, Fig. 8 shows yet another specific implementation of a method for determining security capabilities provided by the present application; for details, refer to the above content. Fig. 8 includes the following stages:

The first stage is the stage in which the MeNB establishes dual connectivity according to the first 5G security capabilities obtained from the purpose MME; it includes steps S401-S405, each of which corresponds to steps S301-S305 in the above embodiment. The second stage is step S406. The third stage is the process in which the master base station requests the UE to report the 5G security capabilities; it includes steps S407-S410, each of which corresponds to steps S307-S310 in the above embodiment. The difference is that the target to source transparent container includes the first 5G security capabilities that the MeNB obtained from the purpose MME, and the third identifier in the handover command message sent to the UE in step S410 can be the first 5G security capabilities. In the fourth stage, the UE compares the received first 5G security capabilities with its own second 5G security capabilities and determines from the comparison result whether the handover complete message sent to the MeNB carries the second 5G security capabilities.

S406, the MeNB adds the first 5G security capabilities to the target to source transparent container.

Specifically, the fourth stage may include the following steps S411-S413:

S411, the UE judges whether the first 5G security capabilities carried in the handover command message are consistent with its own second 5G security capabilities. If the UE determines that they are consistent, S412 is executed; otherwise, S413 is executed.

S412, the UE sends a handover complete message to the MeNB. The handover complete message carries an indicator that indicates that the first 5G security capabilities and the second 5G security capabilities are consistent; alternatively, the handover complete message need not carry the second 5G security capabilities.

S413, the UE sends a handover complete message to the MeNB; the handover complete message carries the second 5G security capabilities.

For example, the handover complete message can be a handover complete message.

Optionally, when the MeNB determines that the second 5G security capabilities are inconsistent with the first 5G security capabilities, Fig. 4 can also include a fifth stage, whose detailed process includes S414, S415 and S416. For S414, S415 and S416, refer to steps S312, S313 and S314 in the above Embodiment 2, respectively.

The difference between the implementation shown in Fig. 8 and the prior art is that the MeNB can establish dual connectivity during the handover; if the first 5G security capabilities sent by the purpose MME have not been tampered with, the established dual connectivity need not be modified. Furthermore, because the MeNB sends the first 5G security capabilities obtained from the purpose MME to the UE, the UE can check whether they have been tampered with. When the UE judges that the first 5G security capabilities are inconsistent with the second 5G security capabilities, it can send the second 5G security capabilities to the MeNB. In this way, both the UE and the MeNB can perceive that the 5G security capabilities have been tampered with and thus learn of the presence of an attacker. In addition, when the UE judges that the first 5G security capabilities are consistent with the second 5G security capabilities, it can also indicate to the MeNB that the first 5G security capabilities have not been tampered with.

Embodiment 4

Based on Fig. 7, as shown in Fig. 9, the present application also provides another specific implementation of a method for determining security capabilities. It differs from the method shown in Fig. 7 in that, after steps S501-S510 (for details, refer to S301-S310), Fig. 9 uses steps S511-S513 in place of steps S313 and S314 in Fig. 7:

S511, the UE sends a handover complete message to the MeNB.

S512, the UE sends the second 5G security capabilities to the SgNB during the random access procedure it establishes with the SgNB.

Illustratively, during the random access procedure with the SgNB, the UE can send the second 5G security capabilities to the SgNB in the third message, Msg3.

S513, the SgNB compares the second 5G security capabilities received from the UE with the first 5G security capabilities obtained from the MeNB and determines whether the first 5G security capabilities have been tampered with.

Specifically, if the SgNB determines that the first 5G security capabilities and the second 5G security capabilities are inconsistent, the SgNB and the UE can renegotiate the security algorithm to be used. For the negotiation, refer to the prior art; it is not described again here.

In the method shown in Fig. 9, a connection has already been established between the UE and the SgNB and the UE has also been handed over from the source base station to the MeNB, so the DC architecture is successfully established during the UE's handover. The UE then sends the second 5G security capabilities to the SgNB through the random access procedure, and the SgNB determines, from the second 5G security capabilities it received and the first 5G security capabilities received from the MeNB, whether the first 5G security capabilities have been tampered with. If the first 5G security capabilities have not been tampered with, the connection established between the UE and the SgNB need not be modified; that is, the established dual connectivity need not be modified.
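The cross-check that Embodiments 2 to 4 place at the MeNB, the UE and the SgNB respectively can be modelled as follows. This is an added example, not part of the application: the set-based capability encoding, the NEA0/NEA1/NEA2 sample values, the SgNB preference order and all class and function names are assumptions.

```python
"""Model of the capability cross-check in Embodiments 2-4 (constructed example)."""
from dataclasses import dataclass, field

# Assumption: capabilities are a set of algorithm names and the SgNB prefers
# them in this order. The page defines neither an encoding nor a preference.
SGNB_PRIORITY = ("NEA2", "NEA1", "NEA0")


def select_algorithm(caps):
    """Return the SgNB's most preferred algorithm allowed by `caps`."""
    for alg in SGNB_PRIORITY:
        if alg in caps:
            return alg
    raise ValueError("capabilities contain no algorithm the SgNB supports")


@dataclass
class SgNB:
    caps: frozenset = frozenset()
    algorithm: str = ""
    sent: list = field(default_factory=list)

    def _configure(self, caps, reply):
        self.caps = frozenset(caps)
        self.algorithm = select_algorithm(self.caps)
        self.sent.append(reply)

    def addition_request(self, first_caps):
        # S304/S305: set up the secondary cell group from the relayed capabilities.
        self._configure(first_caps, "SgNB addition request ACK")

    def modification_request(self, second_caps):
        # S313/S314: reconfigure from the capabilities the UE itself reported.
        self._configure(second_caps, "SgNB modification request ACK")

    def random_access_msg3(self, second_caps):
        # S512/S513 (Embodiment 4): the SgNB compares; True means tampering.
        if frozenset(second_caps) == self.caps:
            return False
        self.caps = frozenset(second_caps)
        self.algorithm = select_algorithm(self.caps)  # renegotiated algorithm
        return True


@dataclass
class UE:
    caps: frozenset

    def handover_complete(self, echoed_first_caps=None):
        # Embodiment 3 (S411-S413): the MeNB echoed the first capabilities in the
        # transparent container; answer with an indicator when they match.
        if echoed_first_caps is not None and frozenset(echoed_first_caps) == self.caps:
            return {"consistent": True}
        # Embodiment 2 (S311) or a mismatch in Embodiment 3 (S413).
        return {"second_caps": self.caps}


def menb_handover(first_caps, ue, sgnb, echo_to_ue=False):
    """Run the MeNB side; return True when the first capabilities were tampered with."""
    sgnb.addition_request(first_caps)                 # dual connectivity first
    msg = ue.handover_complete(first_caps if echo_to_ue else None)
    if msg.get("consistent"):
        return False                                  # S412: nothing to modify
    if msg["second_caps"] == frozenset(first_caps):   # S312: consistent
        return False
    sgnb.modification_request(msg["second_caps"])     # S313: modify the SCG config
    return True


# Constructed sample input: what the UE really supports, and what arrives at
# the MeNB after the stronger entries were removed on the relocation path.
UE_CAPS = frozenset({"NEA0", "NEA1", "NEA2"})
TAMPERED = frozenset({"NEA0"})

if __name__ == "__main__":
    for name, first in (("untampered", UE_CAPS), ("tampered", TAMPERED)):
        sgnb = SgNB()
        detected = menb_handover(first, UE(UE_CAPS), sgnb)
        print(name, detected, sgnb.algorithm, sgnb.sent)
```

In the tampered run the SgNB first configures the weakest algorithm from the relayed capabilities and only moves to the stronger one after the comparison, which is the window that exists between the addition request and the modification request in Embodiment 2.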

The above mainly describes the schemes provided by the embodiments of the present application from the perspective of interaction between network elements. It can be understood that, to realize the above functions, each network element, such as a base station or a terminal, includes corresponding hardware structures and/or software modules for executing each function. Those skilled in the art should readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is executed in hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present application.

The embodiments of the present application can divide the base station and the terminal into functional modules according to the above method examples. For example, each functional module can correspond to one function, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of the present application is schematic and is only a logical division of functions; other divisions are possible in actual implementation. The following description takes as an example the division in which each functional module corresponds to one function:

In the case of an integrated unit, Fig. 10 shows a possible structural diagram of the base station involved in the above embodiments. The base station shown in Fig. 10 can execute the actions of the first base station in the above method embodiments. The base station includes a transmission unit 101, a receiving unit 102 and a determination unit 103. For example, the transmission unit 101 is used to support the base station in executing steps S101, S107, S108, S205, S210, S304, S307, S313, S404, S407, S415, S504 and S507 in the above embodiments. The receiving unit 102 is used to support the base station in executing steps S102, S104, S106, S203, S209, S211, S303, S305, S311, S314, S403, S405, S412, S413, S416, S503, S505 and S515 in the above embodiments. The determination unit 103 is used to support the base station in executing steps S103, S105, S204 and S312 in the above embodiments, and/or other processes of the techniques described herein. All related content of each step in the above method embodiments can be cited in the functional description of the corresponding functional module and is not repeated here.

When implemented in hardware, the transmission unit 101 in the present application can be the transmitter of the base station and the receiving unit 102 can be the receiver of the base station. The transmitter can usually be integrated with the receiver of the base station as a transceiver, which can also be called a communication interface. The determination unit 103 can be integrated on the processor of the base station.

In the case of an integrated unit, Fig. 11 shows a possible logical structure diagram of the base station involved in the above embodiments. The base station includes a processing module 112 and a communication module 113. The processing module 112 is used to control and manage the actions of the base station. The base station can also include a memory module 111 for storing the program code and data of the base station.

The processing module 112 can be a processor or controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the invention. The processor can also be a combination that realizes computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication module 113 can be a transceiver, a transceiver circuit, a communication interface or the like. The memory module 111 can be a memory.

When the processing module 112 is the processor 120, the communication module 113 is the communication interface 130 or a transceiver, and the memory module 111 is the memory 140, the base station involved in the present application can be the device shown in Fig. 12.

The communication interface 130, the at least one processor 120 and the memory 140 are connected to each other by the bus 110. The bus 110 can be a PCI bus, an EISA bus or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 12, but this does not mean that there is only one bus or one type of bus. The memory 140 is used to store the program code and data of the base station. The communication interface 130 is used to support communication between the base station and other devices (for example, a terminal). The processor 120 is used to support the base station in executing the program code and data stored in the memory 140 so as to implement the method for determining security capabilities provided by the present application.

In the case of an integrated unit, Fig. 13 shows a possible structural diagram of the terminal involved in the above embodiments. The terminal includes a receiving unit 201 and a transmission unit 202. The receiving unit 201 is used to support the terminal in executing the terminal-side receiving steps in the above embodiments, for example, steps S101, S208, S310, S410 and S510. The transmission unit 202 is used to support the terminal in executing steps S102, S109, S209, S311, S412, S413, S511 and S512 in the above embodiments. In addition, the terminal in the present application further includes a determination unit 203, used to support the terminal in executing the judging processes in the above embodiments, and/or other processes of the techniques described herein. All related content of each step in the above method embodiments can be cited in the functional description of the corresponding functional module and is not repeated here.

When implemented in hardware, the receiving unit 201 in the present application can be the receiver of the terminal and the transmission unit 202 can be the transmitter of the terminal. The receiver can usually be integrated with the transmitter of the terminal as a transceiver, which can also be called a communication interface. The determination unit 203 can be integrated on the processor of the terminal.

In the case of an integrated unit, Fig. 14 shows a possible logical structure diagram of the terminal involved in the above embodiments. The terminal includes a processing module 212 and a communication module 213. The processing module 212 is used to control and manage the actions of the terminal. The terminal can also include a memory module 211 for storing the program code and data of the terminal. The processing module 212 can be a processor or controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It can implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the invention. The processor can also be a combination that realizes computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication module 213 can be a transceiver, a transceiver circuit, a communication interface or the like. The memory module 211 can be a memory.

When the processing module 212 is the processor 220, the communication module 213 is the communication interface 230 or a transceiver, and the memory module 211 is the memory 210, the terminal involved in the present application can be the device shown in Fig. 15.

The communication interface 230, the at least one processor 220 and the memory 210 are connected to each other by the bus 200. The bus 200 can be a PCI bus, an EISA bus or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 15, but this does not mean that there is only one bus or one type of bus. The memory 210 is used to store the program code and data of the terminal. The communication interface 230 is used to support communication between the terminal and other devices (for example, a base station). The processor 220 is used to support the terminal in executing the program code and data stored in the memory 210 so as to implement the method for determining security capabilities provided by the present application.

Figure 16 is a structural schematic diagram of a chip system 150 provided in an embodiment of the present invention. The chip system 150 includes at least one processor 1510, a memory 1540 and an interface circuit 1530. The memory 1540 may include a read-only memory and a random access memory, and provides operation instructions and data to the processor 1510. A part of the memory 1540 may also include a non-volatile random access memory (NVRAM).

In some embodiments, the memory 1540 stores the following elements, executable modules or data structures, or a subset or a superset of them:

In the embodiments of the present invention, the corresponding operation is executed by calling the operation instructions stored in the memory 1540 (the operation instructions may be stored in the operating system).

One possible implementation is as follows: the chip systems used in the base station and the terminal have similar structures, but different devices use different chip systems to implement their respective functions.

The processor 1510 controls the operation of the terminal or the base station, and may also be called a CPU (Central Processing Unit). The memory 1540 may include a read-only memory and a random access memory, and provides instructions and data to the processor 1510. A part of the memory 1540 may also include a non-volatile random access memory (NVRAM). Specifically, the components of the chip system 150 are coupled through a bus system 1520, which, in addition to a data bus, may also include a power bus, a control bus, a status signal bus, and so on. For clarity of description, however, the various buses are all labelled as the bus system 1520 in Figure 16.

The methods disclosed in the above embodiments of the present invention may be applied in the processor 1510 or implemented by the processor 1510. The processor 1510 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above methods may be completed by an integrated logic circuit of hardware in the processor 1510 or by instructions in the form of software. The processor 1510 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the methods disclosed in the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory 1540; the processor 1510 reads the information in the memory 1540 and completes the steps of the above methods in combination with its hardware.

Optionally, the interface circuit 1530 is used to perform the sending and receiving steps of the base station and the terminal in the embodiments shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5, Fig. 6, Fig. 7, Fig. 8 and Fig. 9.

The processor 1510 is used to perform the processing steps of the base station and the terminal in the embodiments shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5, Fig. 6, Fig. 7, Fig. 8 and Fig. 9.

In the above embodiments, the instructions stored in the memory for execution by the processor may be implemented in the form of a computer program product. The computer program product may be written into the memory in advance, or may be downloaded and installed in the memory in the form of software.

The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of this application are generated in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center in a wired manner (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or a wireless manner (such as infrared, radio, or microwave). The computer-readable storage medium may be any usable medium that a computer can store, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk, SSD).

In one aspect, a computer storage medium is provided. Instructions are stored in the computer-readable storage medium, and when they are run on a base station, the base station performs the actions performed by the first base station in the method embodiments.

In another aspect, a computer storage medium is provided. Instructions are stored in the computer-readable storage medium, and when they are run on a terminal, the terminal performs the actions performed by the terminal in the embodiments.

In one aspect, a computer program product containing instructions is provided. Instructions are stored in the computer program product, and when it is run on a base station, the base station performs the actions performed by the first base station in the method embodiments.

In another aspect, a computer program product containing instructions is provided. Instructions are stored in the computer program product, and when it is run on a terminal, the terminal performs the actions performed by the terminal in the method embodiments.

Those of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments; details are not repeated here.

In the several embodiments provided herein, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely exemplary. The division of units is only a division by logical function, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.

Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of this application may be integrated in one processing unit, each unit may exist alone physically, or two or more units may be integrated in one unit.

If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk, or an optical disc.

The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto. Any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed in this application shall be covered by the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (30)

1. A method for determining security capabilities, characterized by comprising:
a first base station sends a first message to a terminal through a second base station, the first message includes a first indication, the first indication is used to instruct the terminal to report first security capabilities supported by the terminal, and the first message is used to instruct the terminal to switch from the second base station to the first base station;
the first base station receives a second message from the terminal, the second message being used to determine the first security capabilities;
the first base station determines the first security capabilities according to the second message.
2. The method according to claim 1, characterized in that the second message is a handoff completion message, the handoff completion message includes the first security capabilities, and the first base station determining the first security capabilities according to the second message comprises:
the first base station determines the first security capabilities from the handoff completion message.
3. The method according to claim 2, characterized in that, before the first base station sends the first message to the terminal through the second base station, the method further comprises:
the first base station receives a third message from a first management entity, the third message being used to instruct the first base station to obtain the first security capabilities;
the first base station determines the first indication according to the third message.
4. The method according to claim 3, characterized in that the third message includes identification information, the identification information is used to indicate obtaining the first security capabilities, and the first base station determining the first indication according to the third message comprises:
the first base station determines the identification information as the first indication;
or, the first base station generates the first indication based on the identification information.
5. The method according to claim 1 or 2, characterized in that, before the first base station sends the first message to the terminal through the second base station, the method further comprises:
the first base station receives a fourth message from a first management entity, the fourth message including second security capabilities;
the first base station sends the second security capabilities to a third base station, the second security capabilities being used to establish a connection between the terminal and the third base station.
6. The method according to claim 5, characterized in that, after the first base station determines the first security capabilities according to the second message, the method further comprises:
if the second security capabilities and the first security capabilities are inconsistent, the first base station sends a fifth message to the third base station, the fifth message including the first security capabilities.
7. The method according to claim 5, characterized in that the first indication is the second security capabilities, and the first base station determining the first security capabilities according to the second message comprises:
the first base station determines, according to the second message, the second security capabilities as the first security capabilities.
8. The method according to claim 5, characterized in that the first indication is the second security capabilities, the second message includes the first security capabilities, and the first base station determining the first security capabilities according to the second message comprises:
the first base station determines the first security capabilities from the second message.
9. A method for determining security capabilities, characterized by comprising:
a terminal receives a first message, the first message includes a first indication, the first indication is used to instruct the terminal to report first security capabilities supported by the terminal, and the first message is used to instruct the terminal to switch from a second base station to a first base station;
the terminal sends a second message to the first base station according to the first indication, the second message being used to instruct the first base station to determine the first security capabilities.
10. The method according to claim 9, characterized in that the second message is a handoff completion message, and the handoff completion message includes the first security capabilities.
11. The method according to claim 9 or 10, characterized in that the first indication is second security capabilities, the second security capabilities are used to establish a connection between the terminal and a third base station, and the terminal sending the second message to the first base station according to the first indication comprises:
if the second security capabilities and the first security capabilities are inconsistent, the terminal sends the second message to the first base station, the second message including the first security capabilities.
12. The method according to claim 11, characterized in that the method further comprises:
the terminal sends the first security capabilities to the third base station in a random access procedure with the third base station.
13. The method according to claim 9, characterized in that the first indication is second security capabilities, the second security capabilities are used to establish a connection between the terminal and a third base station, and the terminal sending the second message to the first base station according to the first indication comprises:
if the second security capabilities are consistent with the first security capabilities, the terminal sends the second message to the first base station, the second message being specifically used to indicate that the second security capabilities are determined as the first security capabilities.
14. The method according to any one of claims 9-13, characterized in that the first security capabilities are related to a next-generation system, and the method further comprises:
the terminal receives a broadcast message;
the terminal determines, according to the broadcast message, that no service of the next-generation system exists in the region where the terminal is located;
the terminal sends a third message to the second base station, the third message not including the first security capabilities.
15. A device, characterized by comprising:
a transmission unit, configured to send a first message to a terminal through a second base station, the first message includes a first indication, the first indication is used to instruct the terminal to report first security capabilities supported by the terminal, and the first message is used to instruct the terminal to switch from the second base station to the first base station;
a receiving unit, configured to receive a second message from the terminal, the second message being used to determine the first security capabilities;
a determination unit, configured to determine the first security capabilities according to the second message.
16. The device according to claim 15, characterized in that the second message is a handoff completion message, the handoff completion message includes the first security capabilities, and the determination unit is specifically configured to determine the first security capabilities from the handoff completion message.
17. The device according to claim 16, characterized in that the receiving unit is further configured to receive a third message from a first management entity, the third message being used to instruct the first base station to obtain the first security capabilities;
the determination unit is specifically configured to determine the first indication according to the third message.
18. The device according to claim 17, characterized in that the third message includes identification information, the identification information is used to indicate obtaining the first security capabilities, and the determination unit is specifically configured to determine the identification information as the first indication; or, the determination unit is specifically configured to generate the first indication based on the identification information.
19. The device according to claim 15 or 16, characterized in that
the receiving unit is further configured to receive a fourth message from a first management entity, the fourth message including second security capabilities;
the transmission unit is further configured to send the second security capabilities to a third base station, the second security capabilities being used to establish a connection between the terminal and the third base station.
20. The device according to claim 19, characterized in that, if the determination unit determines that the second security capabilities and the first security capabilities are inconsistent, the transmission unit is further configured to send a fifth message to the third base station, the fifth message including the first security capabilities.
21. The device according to claim 19, characterized in that the first indication is the second security capabilities, and the determination unit is specifically configured to determine, according to the second message, the second security capabilities as the first security capabilities.
22. The device according to claim 19, characterized in that the first indication is the second security capabilities, the second message includes the first security capabilities, and the determination unit is configured to determine the first security capabilities from the second message.
23. A device, characterized by comprising:
a receiving unit, configured to receive a first message, the first message includes a first indication, the first indication is used to instruct the terminal to report first security capabilities supported by the terminal, and the first message is used to instruct the terminal to switch from a second base station to a first base station;
a transmission unit, configured to send a second message to the first base station according to the first indication, the second message being used to instruct the first base station to determine the first security capabilities.
24. The device according to claim 23, characterized in that the second message is a handoff completion message, and the handoff completion message includes the first security capabilities.
25. The device according to claim 23 or 24, characterized in that the first indication is second security capabilities, the second security capabilities are used to establish a connection between the terminal and a third base station, and the terminal further includes a determination unit; if the determination unit determines that the second security capabilities and the first security capabilities are inconsistent, the transmission unit is further configured to send the second message to the first base station, the second message including the first security capabilities.
26. The device according to claim 25, characterized in that the transmission unit is further configured to send the first security capabilities to the third base station in a random access procedure between the device and the third base station.
27. The device according to claim 23, characterized in that the first indication is second security capabilities, the second security capabilities are used to establish a connection between the terminal and a third base station, and the device further includes a determination unit; if the determination unit determines that the second security capabilities are consistent with the first security capabilities, the transmission unit is further configured to send the second message to the first base station, the second message being specifically used to indicate that the second security capabilities are determined as the first security capabilities.
28. The device according to claim 23 or 24, characterized in that the first security capabilities are related to a next-generation system, and the device further includes a determination unit; the receiving unit is further configured to receive a broadcast message; the determination unit is configured to determine, according to the broadcast message, that no service of the next-generation system exists in the region where the terminal is located; the transmission unit is further configured to send a third message to the second base station, the third message not including the first security capabilities.
29. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are run, a computer is caused to perform the method for determining security capabilities according to any one of claims 1-14.
30. A chip system, characterized in that the chip system includes at least one processor and an interface circuit, the interface circuit and the at least one processor are interconnected by a line, and the processor is configured to run instructions to perform the method according to any one of claims 1-14.
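
The exchange in claims 1-13, sketched as an added Python example that is not part of the patent: the first (target) base station puts the first indication in the first message, the terminal answers in the second message, and a mismatch with the second security capabilities triggers the fifth message to the third base station. Class, field and algorithm names are assumptions made for illustration, and the second base station's relay role is reduced to a function call.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Capability = FrozenSet[str]  # constructed algorithm labels, not values from the patent


@dataclass(frozen=True)
class FirstMessage:
    """Sent by the first base station to the terminal through the second base station."""
    report_requested: bool                          # the "first indication" (claims 1, 9)
    second_capability: Optional[Capability] = None  # claims 7, 8, 11, 13: the indication
                                                    # may be the second capability itself


@dataclass(frozen=True)
class SecondMessage:
    """Terminal's reply to the first base station (handoff completion message)."""
    first_capability: Optional[Capability] = None   # carried per claims 2, 8, 10, 11
    confirms_second: bool = False                   # claim 13: second equals first


class Terminal:
    def __init__(self, supported):
        self.supported: Capability = frozenset(supported)

    def on_first_message(self, msg: FirstMessage) -> SecondMessage:
        if msg.second_capability is not None:
            if msg.second_capability == self.supported:
                return SecondMessage(confirms_second=True)         # claim 13
            return SecondMessage(first_capability=self.supported)  # claim 11
        if msg.report_requested:
            return SecondMessage(first_capability=self.supported)  # claims 9, 10
        return SecondMessage()                                     # nothing was requested


class FirstBaseStation:
    def __init__(self, second_capability=None, echo_second=False):
        # second_capability: value received from the first management entity (claim 5)
        self.second_capability = (
            frozenset(second_capability) if second_capability is not None else None)
        self.echo_second = echo_second and self.second_capability is not None
        # Record of what this station sends to the third base station.
        self.sent_to_third: List[Tuple[str, Capability]] = []
        if self.second_capability is not None:
            self.sent_to_third.append(("second_capability", self.second_capability))

    def build_first_message(self) -> FirstMessage:
        if self.echo_second:
            return FirstMessage(True, self.second_capability)
        return FirstMessage(True)

    def on_second_message(self, msg: SecondMessage) -> Capability:
        if msg.first_capability is not None:
            first = msg.first_capability                            # claims 2, 8
        elif msg.confirms_second and self.echo_second:
            first = self.second_capability                          # claim 7
        else:
            # An empty reply, or a confirmation of a capability this station never
            # sent, determines nothing: fail closed instead of guessing.
            raise ValueError("second message does not determine the first security capabilities")
        if self.second_capability is not None and first != self.second_capability:
            self.sent_to_third.append(("fifth_message", first))    # claim 6
        return first


def run_handover(terminal: Terminal, station: FirstBaseStation):
    """Run one exchange; return (first capability, messages sent to the third base station)."""
    first_msg = station.build_first_message()      # relayed through the second base station
    second_msg = terminal.on_first_message(first_msg)
    return station.on_second_message(second_msg), list(station.sent_to_third)
```

The fail-closed branch in `on_second_message` is a design choice of this sketch; the claims do not say how the first base station treats a second message that carries neither a capability nor a valid confirmation.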
CN201711159236.XA 2017-11-20 2017-11-20 A kind of method and apparatus of determining security capabilities CN109819492A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711159236.XA CN109819492A (en) 2017-11-20 2017-11-20 A kind of method and apparatus of determining security capabilities

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711159236.XA CN109819492A (en) 2017-11-20 2017-11-20 A kind of method and apparatus of determining security capabilities
PCT/CN2018/116492 WO2019096329A1 (en) 2017-11-20 2018-11-20 Method and device for determining security capability

Publications (1)

Publication Number Publication Date
CN109819492A true CN109819492A (en) 2019-05-28

Family

ID=66538935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711159236.XA CN109819492A (en) 2017-11-20 2017-11-20 A kind of method and apparatus of determining security capabilities

Country Status (2)

Country Link
CN (1) CN109819492A (en)
WO (1) WO2019096329A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014158206A1 (en) * 2013-03-29 2014-10-02 Intel Corp Hybrid beamforming for data transmission
KR20170011216A (en) * 2015-07-22 2017-02-02 삼성전자주식회사 User equipment in mobile communication system and control method thereof
CN108476489A (en) * 2016-03-31 2018-08-31 华为技术有限公司 Communication method and related device
CN107277850A (en) * 2016-04-01 2017-10-20 北京三星通信技术研究有限公司 Wireless LAN (Local Area Network) aggregation control method and related equipment

Also Published As

Publication number Publication date
WO2019096329A1 (en) 2019-05-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination