CN110149630A - A kind of negotiation of security algorithm, sending method and device - Google Patents
- Publication number: CN110149630A (application number CN201810142555.8A)
- Authority: CN (China)
- Prior art keywords: terminal, security, security algorithm, base station, target
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/205: Network architectures or network communication protocols for network security, for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
- H04W12/02: Security arrangements; protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04W12/03: Security arrangements; protecting confidentiality, e.g. by encryption
- H04W12/04: Security arrangements; key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/106: Security arrangements; integrity; packet or message integrity
- H04W36/0038: Hand-off or reselection arrangements; control or signalling for completing the hand-off for data sessions of end-to-end connection, with transfer of security context information
- H04W76/27: Connection management; manipulation of established connections; transitions between radio resource control [RRC] states
Abstract
The application provides a negotiation method, a sending method and a device for a security algorithm. The method comprises: when a terminal moves to a target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection recovery request message, a first security algorithm to be used for communication with the terminal. If the terminal does not receive the first security algorithm, it generates a protected RRC message using a second security algorithm, the second security algorithm being the security algorithm negotiated between the terminal and the source base station. If the terminal receives the first security algorithm, it generates the protected RRC message using the first security algorithm. On the one hand, this allows the security algorithm used for communication between the terminal and the target base station to be chosen flexibly. On the other hand, because the base station to which the terminal is connected has changed, a new security algorithm is used, which can improve the security of the communication.
Description
Technical field
This application relates to the field of mobile communication technology, and in particular to a negotiation method, a sending method and a device for a security algorithm.
Background technique
In long term evolution (LTE), the suspend and resume procedure can be used for narrowband Internet of Things (NB-IoT) terminals, i.e. Internet of Things devices with low mobility or low power consumption, such as smart water meters.
When the base station notifies the terminal to release the current connection by suspending it, the terminal and the source base station delete part of the access stratum context and retain the rest of it, such as the access stratum key, the security capabilities of the terminal and the currently selected security algorithm. When the terminal later wishes to resume the connection with a target base station, the connection can be resumed quickly.
In the 5th generation (5G) system and in future communication systems, the above service procedure may be extended so that the suspend and resume procedure is also applied to enhanced mobile broadband (eMBB) terminals, such as smartphones.
Since the mobility of such terminals is higher, the base station a terminal accesses changes more frequently. In this case, how to improve the security and flexibility of the terminal when it resumes from the inactive state to the connected state, or when it performs a radio access network (RAN) notification area update, is a problem to be solved.
Summary of the invention
The application provides a negotiation method, a sending method and a device for a security algorithm, in order to improve the security and flexibility of a terminal when it resumes from the inactive state to the connected state or when it performs a radio access network (RAN) notification area update.
In a first aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the terminal sends a connection recovery request message to a target base station, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including the security capabilities of the terminal, where the security capabilities of the terminal are used by the target base station to select a first security algorithm, the first security algorithm being the security algorithm negotiated between the terminal and the target base station; if the terminal does not receive the first security algorithm from the target base station, it obtains a protected RRC message according to a second security algorithm and the RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station; or, if the terminal receives the first security algorithm from the target base station, it obtains the protected RRC message according to the first security algorithm and the RRC message; and the terminal sends the protected RRC message to the target base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection recovery request message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is identical to the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received the first security algorithm, it uses the second security algorithm to generate the protected RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm is different from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows the security algorithm used for communication between the terminal and the target base station to be chosen flexibly. On the other hand, because the base station to which the terminal is connected has changed, a new security algorithm is used, which can improve the security of the communication. In yet another respect, the target base station selects the first security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal have higher security and are not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the connection recovery request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the terminal generates the message authentication code according to the security capabilities of the terminal.
In the above method, the terminal generates the message authentication code according to its security capabilities, and the source base station uses the message authentication code to authenticate the legitimacy of the terminal. Thus, if the security capabilities of the terminal are tampered with, the source base station can detect that they have been tampered with and terminate the security algorithm negotiation process, which helps improve the security of the negotiation process.
In one possible implementation, before the terminal sends the connection recovery request message to the target base station, the method further comprises: the terminal determines, according to a measurement report, the network format of the cell in which the terminal is currently located; where the security capabilities of the terminal correspond to the network format of the cell in which the terminal is currently located. In this way, the security capabilities sent by the terminal correspond to the network format of its current cell, which saves overhead when the terminal sends its security capabilities. For example, in one implementation, the network format of the cell in which the terminal is currently located is a 5th generation (5G) network, and the security capabilities of the terminal include the 5G security algorithms supported by the terminal; or, the network format of the cell in which the terminal is currently located is a 4th generation (4G) network, and the security capabilities of the terminal include the 4G security algorithms supported by the terminal.
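The exchange of the first aspect, as an added worked example that is not code from the patent: the terminal builds the connection recovery request with its security capabilities and a message authentication code over them, the target base station selects the first security algorithm from its own priority list and sends it only when it differs from the second security algorithm, and the terminal protects its RRC message with whichever algorithm results. HMAC-SHA256, the key `AS_KEY`, the priority list and the algorithm labels are constructed assumptions; the page does not specify the MAC algorithm or the message encoding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (not from the patent): the access stratum key
# both sides retained at suspension, and the second security algorithm,
# i.e. the one the terminal negotiated with the source base station.
AS_KEY = bytes.fromhex("0f" * 32)
SECOND_ALGORITHM = "NIA2"


@dataclass
class ResumeRequest:
    """Connection recovery request: the terminal's security capabilities plus a
    message authentication code computed over them."""
    capabilities: List[str]
    mac: bytes


def capability_mac(key: bytes, capabilities: List[str]) -> bytes:
    # HMAC-SHA256 stands in for the unspecified MAC algorithm; the capability
    # list is serialised in the order the terminal sent it.
    return hmac.new(key, ",".join(capabilities).encode(), hashlib.sha256).digest()


def terminal_build_request(key: bytes, capabilities: List[str]) -> ResumeRequest:
    """Terminal side: generate the MAC according to the security capabilities."""
    return ResumeRequest(capabilities, capability_mac(key, capabilities))


def target_select_algorithm(priority_list: List[str], request: ResumeRequest,
                            second_algorithm: str) -> Optional[str]:
    """Target base station side: the first security algorithm is the
    highest-priority locally configured algorithm the terminal supports.
    It is sent only when it differs from the second algorithm; None models
    'nothing sent', i.e. only a connection recovery response goes back."""
    for candidate in priority_list:
        if candidate in request.capabilities:
            first_algorithm = candidate
            break
    else:
        raise ValueError("no security algorithm in common with the terminal")
    return None if first_algorithm == second_algorithm else first_algorithm


def terminal_choose_algorithm(received: Optional[str], second_algorithm: str) -> str:
    """Terminal side: no first algorithm received means keep the second one."""
    return second_algorithm if received is None else received


def protect_rrc(key: bytes, algorithm: str, rrc_message: bytes) -> bytes:
    """Protected RRC message: the message followed by an 8-byte tag bound to
    the algorithm identifier (constructed stand-in for RRC integrity)."""
    tag = hmac.new(key, algorithm.encode() + rrc_message, hashlib.sha256).digest()[:8]
    return rrc_message + tag


def unprotect_rrc(key: bytes, algorithm: str, protected: bytes) -> Optional[bytes]:
    """Recover the RRC message; None when the tag does not verify under the
    given algorithm, which is what a mismatched choice looks like."""
    body, tag = protected[:-8], protected[-8:]
    expected = hmac.new(key, algorithm.encode() + body, hashlib.sha256).digest()[:8]
    return body if hmac.compare_digest(tag, expected) else None


def run_resume(priority_list: List[str], capabilities: List[str]) -> dict:
    """Drive the exchange end to end and report what each side decided."""
    request = terminal_build_request(AS_KEY, capabilities)
    sent = target_select_algorithm(priority_list, request, SECOND_ALGORITHM)
    chosen = terminal_choose_algorithm(sent, SECOND_ALGORITHM)
    protected = protect_rrc(AS_KEY, chosen, b"RRCResumeComplete")
    # The target decodes with the algorithm it expects the terminal to use.
    target_algorithm = SECOND_ALGORITHM if sent is None else sent
    recovered = unprotect_rrc(AS_KEY, target_algorithm, protected)
    return {"sent": sent, "chosen": chosen, "recovered": recovered}
```

With a priority list whose best match is the algorithm already in use, `run_resume` reports `sent` as `None` and both sides stay on the second algorithm; with a different preferred algorithm, the first algorithm is sent and the terminal switches. `unprotect_rrc` returning `None` is the failure mode when the two sides disagree about which algorithm applies.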
In a second aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the terminal sends a connection recovery request message to a target base station, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including the security capabilities of the terminal, where the security capabilities of the terminal are used by the target base station to select a security algorithm, the security algorithm being the one negotiated between the terminal and the target base station; and the terminal obtains the security algorithm from the target base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection recovery request message, the security algorithm to be used for communication with the terminal and sends that security algorithm to the terminal. On the one hand, this allows the security algorithm used for communication between the terminal and the target base station to be chosen flexibly. On the other hand, because the base station to which the terminal is connected has changed, a new security algorithm is used, which can improve the security of the communication. In yet another respect, the target base station selects the security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal have higher security and are not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the connection recovery request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the terminal generates the message authentication code according to the security capabilities of the terminal.
In one possible implementation, before the terminal sends the connection recovery request message to the target base station, the method further comprises: the terminal determines, according to a measurement report, the network format of the cell in which the terminal is currently located; where the security capabilities of the terminal correspond to the network format of the cell in which the terminal is currently located.
In one possible implementation, the network format of the cell in which the terminal is currently located is a 5th generation (5G) network, and the security capabilities of the terminal include the 5G security algorithms supported by the terminal; or, the network format of the cell in which the terminal is currently located is a 4th generation (4G) network, and the security capabilities of the terminal include the 4G security algorithms supported by the terminal.
In a third aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the target base station receives a connection recovery request message from the terminal, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal; the target base station selects a first security algorithm according to the first security capabilities of the terminal; if the first security algorithm is identical to a second security algorithm, the target base station sends a connection recovery response message to the terminal, the connection recovery response message being used to instruct the terminal to resume the RRC connection, and receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the second security algorithm; or, if the first security algorithm is different from the second security algorithm, the target base station sends the first security algorithm to the terminal, receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the first security algorithm; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection recovery request message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is identical to the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received the first security algorithm, it uses the second security algorithm to generate the protected RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm is different from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows the security algorithm used for communication between the terminal and the target base station to be chosen flexibly. On the other hand, because the base station to which the terminal is connected has changed, a new security algorithm is used, which can improve the security of the communication. In yet another respect, the target base station selects the first security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal have higher security and are not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station. If the second security capabilities of the terminal are different from the first security capabilities of the terminal, the target base station notifies the mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal.
In one possible implementation, the target base station notifying the mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal comprises: the target base station sends a first notification message to the mobility management network element, the first notification message including the identifier of the cell of the source base station and being used to notify that the second security capabilities of the terminal in that cell are different from the first security capabilities of the terminal; or, the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information being used to indicate that the second security capabilities of the terminal in that cell are different from the first security capabilities of the terminal.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; the target base station sends a second notification message to the mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
In one possible implementation, the connection recovery request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the target base station sends a request message to the source base station, the request message being used to request the context of the terminal and including the message authentication code.
In one possible implementation, the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
In a fourth aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the target base station receives a connection recovery request message from the terminal, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal; the target base station selects a security algorithm according to the first security capabilities of the terminal; and the target base station sends the security algorithm to the terminal.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection recovery request message, the security algorithm to be used for communication with the terminal and sends that security algorithm to the terminal. On the one hand, this allows the security algorithm used for communication between the terminal and the target base station to be chosen flexibly. On the other hand, because the base station to which the terminal is connected has changed, a new security algorithm is used, which can improve the security of the communication. In yet another respect, the target base station selects the security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal have higher security and are not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; if the second security capabilities of the terminal are different from the first security capabilities of the terminal, the target base station notifies the mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal.
In one possible implementation, the target base station notifying the mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal comprises: the target base station sends a third notification message to the mobility management network element, the third notification message including the identifier of the cell of the source base station and being used to notify that the second security capabilities of the terminal in that cell are different from the first security capabilities of the terminal; or, the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information being used to indicate that the second security capabilities of the terminal in that cell are different from the first security capabilities of the terminal.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; the target base station sends a fourth notification message to the mobility management network element, the fourth notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
In one possible implementation, the connection recovery request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the target base station sends a request message to the source base station, the request message being used to request the context of the terminal and including the message authentication code.
In one possible implementation, the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
In a fifth aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the target base station receives a connection recovery request message from the terminal, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal; if the target base station determines that the second security algorithm is the security algorithm with the highest priority among the security algorithms stored locally, it takes the second security algorithm as the first security algorithm; or, if the target base station determines that the second security algorithm is not the security algorithm with the highest priority among the locally stored security algorithms, it selects the first security algorithm according to the first security capabilities of the terminal; if the first security algorithm is identical to the second security algorithm, the target base station sends a connection recovery response message to the terminal, the connection recovery response message being used to instruct the terminal to resume the RRC connection, and receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the second security algorithm; or, if the first security algorithm is different from the second security algorithm, the target base station sends the first security algorithm to the terminal, receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the first security algorithm; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
In a sixth aspect, the application provides a method for negotiating a security algorithm, applied to the process in which a terminal in the inactive state requests to resume a connection or performs a radio access network (RAN) notification area update. The method comprises: the target base station receives a connection recovery request message from the terminal, the connection recovery request message being used to request resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal; if the target base station determines that the second security algorithm is the security algorithm with the highest priority among the security algorithms stored locally, it takes the second security algorithm as the first security algorithm; or, if the target base station determines that the second security algorithm is not the security algorithm with the highest priority among the locally stored security algorithms, it selects the first security algorithm according to the first security capabilities of the terminal; the target base station sends the first security algorithm to the terminal; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
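The target base station's decisions in the third and fifth aspects, as an added example that is not the patent's own code: the selection rule that keeps the second security algorithm when it is the highest-priority algorithm configured locally and otherwise selects from the terminal's first security capabilities, the choice between sending the first security algorithm and sending only a connection recovery response, and the notification to the mobility management network element when the second security capabilities received from the source base station differ from the first security capabilities reported by the terminal. The `MmeNotification` shape, the field names, the sample cell identifier and the algorithm labels are assumptions; the page names the contents of the notifications but not their encoding.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MmeNotification:
    """What the target base station reports to the mobility management network
    element: the source cell identifier plus either a mismatch indication or
    the second capabilities themselves (shape assumed, contents per the page)."""
    source_cell_id: str
    capabilities_differ: bool
    second_capabilities: Optional[List[str]] = None


def select_first_algorithm(local_priority: List[str], first_capabilities: List[str],
                           second_algorithm: str) -> str:
    """Fifth/sixth aspect rule: if the second security algorithm is the
    highest-priority algorithm stored locally, it becomes the first security
    algorithm as-is; otherwise select by the terminal's first capabilities."""
    if local_priority and local_priority[0] == second_algorithm:
        return second_algorithm
    for candidate in local_priority:
        if candidate in first_capabilities:
            return candidate
    raise ValueError("no security algorithm in common with the terminal")


def compare_capabilities(source_cell_id: str, first_capabilities: List[str],
                         second_capabilities: List[str]) -> Optional[MmeNotification]:
    """Third aspect: the capabilities the terminal reported (first) are checked
    against those the source base station retained (second); any difference
    is reported to the mobility management network element."""
    if sorted(first_capabilities) == sorted(second_capabilities):
        return None
    return MmeNotification(source_cell_id, capabilities_differ=True)


def report_capabilities(source_cell_id: str,
                        second_capabilities: List[str]) -> MmeNotification:
    """Second/fourth notification message variant: forward the source cell
    identifier and the second capabilities and leave the comparison to the
    network element."""
    return MmeNotification(source_cell_id, False, list(second_capabilities))


def target_handle_resume(local_priority: List[str], source_cell_id: str,
                         first_capabilities: List[str], second_capabilities: List[str],
                         second_algorithm: str) -> dict:
    """Combine the decisions the target base station takes once it holds both
    the terminal's request and the context fetched from the source base station."""
    first_algorithm = select_first_algorithm(local_priority, first_capabilities,
                                             second_algorithm)
    return {
        "first_algorithm": first_algorithm,
        # Identical algorithm: send only the connection recovery response.
        "algorithm_sent": None if first_algorithm == second_algorithm else first_algorithm,
        "mme_notification": compare_capabilities(source_cell_id, first_capabilities,
                                                 second_capabilities),
    }
```

Note the edge the fifth aspect's wording implies: when the second algorithm is the locally preferred one it is reused even if the terminal's reported first capabilities omit it, and it is the separate capability comparison that surfaces such a discrepancy to the mobility management network element.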
In a seventh aspect, the application provides a method for sending a security algorithm, comprising: the source base station receives a request message from the target base station, the request message being used to request the context of the terminal and including a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the source base station verifies the message authentication code; if the verification succeeds, the source base station sends a security algorithm to the target base station, the security algorithm being the one negotiated between the terminal and the source base station, and the context of the terminal including that security algorithm.
In one possible implementation, the source base station verifying the message authentication code comprises: the request message further includes the first security capabilities of the terminal, and the source base station verifies the message authentication code according to the first security capabilities of the terminal; or, the source base station verifies the message authentication code according to the second security capabilities of the terminal, where the second security capabilities of the terminal are the security capabilities of the terminal held at the source base station.
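The source base station's check in the seventh aspect, as an added example that is not from the patent: the message authentication code is verified either against the first security capabilities carried in the request or against the second security capabilities the source base station retained, and the terminal's context (here, the second security algorithm) is released only when the check succeeds. HMAC-SHA256, the key, the sample capability lists and the `RetainedContext`/`ContextRequest` shapes are constructed; the page does not fix the MAC algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RetainedContext:
    """Part of the access stratum context the source base station kept when it
    suspended the terminal (constructed sample, see the background section)."""
    as_key: bytes
    second_capabilities: List[str]
    second_algorithm: str


@dataclass
class ContextRequest:
    """Request from the target base station for the terminal's context: the
    message authentication code, and optionally the first security
    capabilities the terminal reported."""
    mac: bytes
    first_capabilities: Optional[List[str]] = None


def capability_mac(key: bytes, capabilities: List[str]) -> bytes:
    # HMAC-SHA256 over the serialised capability list; the page does not fix
    # the MAC algorithm, so this is an assumption.
    return hmac.new(key, ",".join(capabilities).encode(), hashlib.sha256).digest()


def source_verify_and_release(ctx: RetainedContext, req: ContextRequest) -> Optional[str]:
    """Verify the MAC against the first capabilities when the request carries
    them, otherwise against the retained second capabilities. Only a
    successful check releases the second security algorithm (the requested
    context); None means the negotiation is terminated."""
    reference = (req.first_capabilities if req.first_capabilities is not None
                 else ctx.second_capabilities)
    expected = capability_mac(ctx.as_key, reference)
    if not hmac.compare_digest(expected, req.mac):
        return None
    return ctx.second_algorithm


# Constructed sample context and the three request shapes worth checking.
SAMPLE_CONTEXT = RetainedContext(bytes.fromhex("0f" * 32), ["NIA1", "NIA2"], "NIA2")
GENUINE_MAC = capability_mac(SAMPLE_CONTEXT.as_key, ["NIA1", "NIA2"])


def demo() -> dict:
    return {
        # Capabilities and MAC exactly as the terminal produced them.
        "intact": source_verify_and_release(
            SAMPLE_CONTEXT, ContextRequest(GENUINE_MAC, ["NIA1", "NIA2"])),
        # Capability list altered on the way, MAC left as it was.
        "altered": source_verify_and_release(
            SAMPLE_CONTEXT, ContextRequest(GENUINE_MAC, ["NIA1"])),
        # No capabilities forwarded: verified against the retained ones.
        "retained_only": source_verify_and_release(
            SAMPLE_CONTEXT, ContextRequest(GENUINE_MAC)),
    }
```

Verifying against the forwarded first capabilities confirms that the MAC matches the list the target base station received, which is what catches an altered list; verifying against the retained second capabilities additionally fails whenever the list the terminal signed differs from what the source base station recorded, so the two options differ in which discrepancy they surface.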
Eighth aspect, the application provide a kind of device, which can be terminal, are also possible to chip.The device has
Realize the function of each embodiment of above-mentioned first aspect.The function can also execute phase by hardware by hardware realization
The software realization answered.The hardware or software include one or more modules corresponding with above-mentioned function.
9th aspect, the application provide a kind of device, comprising: processor and memory;The memory for storing instruction,
When the apparatus is operative, which executes the instruction of memory storage so that the device execute above-mentioned first aspect or
The machinery of consultation of security algorithm in any implementation method of first aspect.It should be noted that the memory can integrate in
In processor, it is also possible to independently of except processor.
Tenth aspect, the application provide a kind of device, which includes processor, and the processor is used for and memory coupling
It closes, and reads the instruction in memory and execute any implementation method of above-mentioned first aspect or first aspect according to described instruction
In security algorithm machinery of consultation.
Tenth on the one hand, and the application provides a kind of device, which can be terminal, be also possible to chip.Device tool
There is the function for each embodiment for realizing above-mentioned second aspect.The function can also be executed by hardware realization by hardware
Corresponding software realization.The hardware or software include one or more modules corresponding with above-mentioned function.
12nd aspect, the application provide a kind of device, comprising: processor and memory;The memory refers to for storing
It enables, when the apparatus is operative, which executes the instruction of memory storage, so that the device executes above-mentioned second aspect
Or the machinery of consultation of the security algorithm in any implementation method of second aspect.It should be noted that the memory can integrate
In processor, it is also possible to independently of except processor.
13rd aspect, the application provide a kind of device, which includes processor, and the processor is used for and memory
Coupling, and read the instruction in memory and execute any realization side of above-mentioned second aspect or second aspect according to described instruction
The machinery of consultation of security algorithm in method.
In a fourteenth aspect, the application provides an apparatus, which may be a target base station or a chip. The apparatus has the function of implementing each embodiment of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a fifteenth aspect, the application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is operating, the processor executes the instructions stored in the memory, so that the apparatus performs the security algorithm negotiation method of the third aspect or of any implementation of the third aspect. It should be noted that the memory may be integrated in the processor, or may be independent of the processor.
In a sixteenth aspect, the application provides an apparatus including a processor, where the processor is configured to be coupled with a memory, to read the instructions in the memory and, according to those instructions, to perform the security algorithm negotiation method of the third aspect or of any implementation of the third aspect.
In a seventeenth aspect, the application provides an apparatus, which may be a target base station or a chip. The apparatus has the function of implementing each embodiment of the fourth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In an eighteenth aspect, the application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is operating, the processor executes the instructions stored in the memory, so that the apparatus performs the security algorithm negotiation method of the fourth aspect or of any implementation of the fourth aspect. It should be noted that the memory may be integrated in the processor, or may be independent of the processor.
In a nineteenth aspect, the application provides an apparatus including a processor, where the processor is configured to be coupled with a memory, to read the instructions in the memory and, according to those instructions, to perform the security algorithm negotiation method of the fourth aspect or of any implementation of the fourth aspect.
In a twentieth aspect, the application provides an apparatus, which may be a target base station or a chip. The apparatus has the function of implementing each embodiment of the fifth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-first aspect, the application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is operating, the processor executes the instructions stored in the memory, so that the apparatus performs the security algorithm negotiation method of the fifth aspect. It should be noted that the memory may be integrated in the processor, or may be independent of the processor.
In a twenty-second aspect, the application provides an apparatus including a processor, where the processor is configured to be coupled with a memory, to read the instructions in the memory and, according to those instructions, to perform the security algorithm negotiation method of the fifth aspect.
In a twenty-third aspect, the application provides an apparatus, which may be a target base station or a chip. The apparatus has the function of implementing each embodiment of the sixth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-fourth aspect, the application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is operating, the processor executes the instructions stored in the memory, so that the apparatus performs the security algorithm negotiation method of the sixth aspect. It should be noted that the memory may be integrated in the processor, or may be independent of the processor.
In a twenty-fifth aspect, the application provides an apparatus including a processor, where the processor is configured to be coupled with a memory, to read the instructions in the memory and, according to those instructions, to perform the security algorithm negotiation method of the sixth aspect.
In a twenty-sixth aspect, the application provides an apparatus, which may be a source base station or a chip. The apparatus has the function of implementing each embodiment of the seventh aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-seventh aspect, the application provides an apparatus including a processor and a memory. The memory is configured to store instructions; when the apparatus is operating, the processor executes the instructions stored in the memory, so that the apparatus performs the security algorithm sending method of the seventh aspect or of any implementation of the seventh aspect. It should be noted that the memory may be integrated in the processor, or may be independent of the processor.
In a twenty-eighth aspect, the application provides an apparatus including a processor, where the processor is configured to be coupled with a memory, to read the instructions in the memory and, according to those instructions, to perform the security algorithm sending method of the seventh aspect or of any implementation of the seventh aspect.
In a twenty-ninth aspect, the application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In a thirtieth aspect, the application also provides a computer program product including instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In a thirty-first aspect, the application also provides a system including a base station, where the base station may be configured to perform the steps performed by the target base station in the method of any one of the third to sixth aspects. In one possible design, the system may further include another base station, which may be configured to perform the steps performed by the source base station in the method of the seventh aspect or in the schemes provided by the embodiments of this application. In one possible design, the system may further include other devices that interact with the target base station and/or the source base station in the schemes provided by the embodiments of this application, such as a terminal.
Description of the drawings
Fig. 1 is a schematic diagram of a possible network architecture provided by this application;
Fig. 2 is a schematic diagram of the procedure, provided by this application, by which a terminal enters the inactive state from the connected state;
Fig. 3 is a schematic diagram of a security algorithm negotiation method provided by this application;
Fig. 4 is a schematic diagram of another security algorithm negotiation method provided by this application;
Fig. 5 is a schematic diagram of an apparatus provided by this application;
Fig. 6 is a schematic diagram of a terminal provided by this application;
Fig. 7 is a schematic diagram of another apparatus provided by this application;
Fig. 8 is a schematic diagram of a base station provided by this application.
Detailed description of embodiments
The application is described in further detail below with reference to the accompanying drawings. The specific operating methods in the method embodiments may also be applied in the apparatus embodiments or the system embodiments. In the description of this application, unless otherwise specified, "a plurality of" means two or more.
Fig. 1 shows a possible network architecture of this application, including a terminal, a source base station and a target base station. The terminal communicates with the source base station and the target base station over a radio interface. The source base station and the target base station may communicate over a wired connection, for example over an X2 interface or an Xn interface, or may communicate over the air interface.
In this application, the terminal may move from the source base station to the target base station, for example because of terminal mobility. The source base station is the base station the terminal accessed first; the target base station is the base station the terminal accesses afterwards, once it has moved.
A terminal is a device with a radio transceiving function. It may be deployed on land, including indoors or outdoors, hand-held or vehicle-mounted; on the water surface (for example on a ship); or in the air (for example on aircraft, balloons and satellites). The terminal may include various types of user equipment (UE), mobile phones, tablets (pads), computers with a radio transceiving function, wireless data cards, virtual reality (VR) terminals, augmented reality (AR) terminals, wireless terminals in industrial control, wireless terminals in self driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, and wearable devices (such as smart watches, smart bracelets, pedometers, etc.). In systems using different radio access technologies, devices with similar wireless communication functions may have different names; for convenience of description only, the above devices with a wireless transceiving communication function are collectively referred to as terminals in this application.
A base station is a device that provides a wireless communication function for terminals, including but not limited to: the next-generation base station in 5G (gNodeB, gNB), evolved Node B (eNB), radio network controller (RNC), Node B (NB), base station controller (BSC), base transceiver station (BTS), home base station (for example, home evolved NodeB or home Node B, HNB), baseband unit (BBU), transmission and reception point (TRP), transmitting point (TP), mobile switching centre, etc.
In this application, a terminal normally has three states: the connected state, the idle state and the inactive state.
When the terminal is in the connected state, it is working normally, and user data can be sent and received between the network side and the terminal.
When the terminal enters the idle state from the connected state, the terminal and the base station generally delete the whole access stratum (AS) context of the terminal. In one special case, in 4G, when the network side releases the terminal's connection with suspension as the cause, the terminal also enters the idle state from the connected state, but in this case the terminal and the base station delete part of the AS context and retain part of it: for example, the access stratum key (called KeNB in 4G), the security capability of the terminal, and the security algorithm (including the integrity protection algorithm and the encryption algorithm) used for communication between the terminal and the source base station the terminal accessed may be retained. The security capability of the terminal is the set of security algorithms the terminal supports, including the supported encryption algorithms and the supported integrity protection algorithms.
5G introduces the inactive state. When the terminal enters the inactive state from the connected state, the base station suspends the terminal; at this time the terminal and the base station delete part of the AS context and retain part of it, for example the access stratum key (called KgNB in 5G), the security capability of the terminal, and the security algorithm (including the integrity protection algorithm and the encryption algorithm) used for communication between the terminal and the source base station the terminal accessed. Here too, the security capability of the terminal is the set of security algorithms the terminal supports, including the supported encryption algorithms and the supported integrity protection algorithms.
Because part of the AS context is retained on the terminal while it is in the inactive state, the terminal can enter the connected state from the inactive state faster than it can enter the connected state from the idle state.
Furthermore, because of terminal mobility, the terminal may need to change base station when it is restored from the inactive state to the connected state. That is, the terminal first establishes a connection with the source base station; then, for some reason, such as a notification from the network side, the terminal enters the inactive state at the source base station; when the terminal wishes to return to the connected state and has meanwhile moved into the coverage area of the target base station, it is restored from the inactive state to the connected state at the target base station.
Of course, this application also applies to the scenario in which the target base station accessed when the terminal is restored from the inactive state to the connected state is the same as the source base station, i.e. the base station the terminal accesses does not change.
This application mainly discusses how, when the terminal determines that it needs to enter the connected state from the inactive state, i.e. to resume the connection with the target base station, or during the terminal's RAN notification area update, the connection can be adapted to certain requirements of the target base station, so as to achieve a flexible and secure connection.
Before the security algorithm negotiation method of this application is introduced in detail, the procedure by which a terminal enters the inactive state from the connected state is introduced first.
Fig. 2 shows the procedure, provided by this application, by which a terminal enters the inactive state from the connected state. It includes the following steps:
Step 201: the base station decides to suspend the RRC connection of the terminal.
For example, when the base station has not received data sent by the terminal for a period of time, it decides to suspend the RRC connection of the terminal.
Step 202: the base station sends a suspend message to the terminal.
The suspend message notifies the terminal to release the RRC connection and enter the inactive state. The suspend message may, for example, be an RRC connection release message carrying a special indication.
In a concrete implementation, the suspend message may carry a resume identifier and other parameters. The resume identifier may, for example, be an inactive-state cell radio network temporary identifier (INACTIVE-cell radio network temporary identifier, I-RNTI). The resume identifier is a parameter the terminal needs when it later enters the connected state from the inactive state; it may include information such as the identifier of the source base station and the identifier of the terminal.
Optionally, the suspend message may also carry a cause parameter releaseCause, which notifies the terminal to perform the suspend operation and enter the inactive state. For example, releaseCause may be set to "RRC Suspend" or "RRC Inactive". When the terminal obtains the releaseCause parameter and determines that its value is "RRC Suspend" or "RRC Inactive", it performs the operations related to terminal suspension.
Optionally, the base station may also notify the control plane network element of the core network to release bearers, for example to release the signalling radio bearer (SRB) and the data radio bearer (DRB).
Step 203: the terminal enters the inactive state.
The terminal deletes part of the AS context and retains part of it. The retained part of the AS context includes the access stratum key, the security capability of the terminal, and the integrity protection algorithm and encryption algorithm used for communication between the terminal and the source base station the terminal accessed, etc.
The terminal also stores the parameters sent by the base station, such as the resume identifier.
The terminal suspends its bearers, for example the signalling radio bearer and the data radio bearer, and then enters the inactive state.
As can be seen from the above procedure, after the terminal enters the inactive state it retains part of the AS context and the parameters received from the base station; when the terminal later wishes to be restored from the inactive state to the connected state, these parameters help it to be restored quickly.
The procedure by which the terminal is restored from the inactive state to the connected state is described below; this procedure includes the security algorithm negotiation method between the terminal and the target base station.
In this application, when the terminal has moved to the target base station, the target base station may reselect the security algorithm according to its own capability and requirements and use the reselected security algorithm to communicate with the terminal, rather than continuing to use the security algorithm with which the terminal communicated with the source base station. Thus, with the method of this application, on the one hand the target base station can reselect the security algorithm, which is more flexible; on the other hand, because a new security algorithm is used, the security of the communication can be improved.
For convenience of description, in this application the security algorithm negotiated between the terminal and the target base station is called the first security algorithm. The first security algorithm may, for example, include a first encryption algorithm and a first integrity protection algorithm, where the first encryption algorithm is the encryption algorithm negotiated between the terminal and the target base station and the first integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the target base station. The security algorithm negotiated between the terminal and the source base station is called the second security algorithm. The second security algorithm may, for example, include a second encryption algorithm and a second integrity protection algorithm, where the second encryption algorithm is the encryption algorithm negotiated between the terminal and the source base station and the second integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the source base station.
It should be noted that the first security algorithm reselected by the target base station may be identical to the second security algorithm, or may be different from it.
With reference to Fig. 3, a security algorithm negotiation method provided by this application, applied to the procedure in which a terminal in the inactive state requests to resume its connection, includes the following steps:
Step 301: the terminal sends a connection resume request message to the target base station.
Correspondingly, the target base station receives the connection resume request message from the terminal.
The connection resume request message sent by the terminal requests that the RRC connection be resumed, i.e. the terminal requests to be restored from the inactive state to the connected state.
The connection resume request message includes the security capability of the terminal. This security capability may be called the first security capability of the terminal and refers to the security capability of the terminal as stored in the terminal. The first security capability of the terminal includes the security algorithms the terminal supports. Taking as an example a security algorithm that includes an encryption algorithm and an integrity protection algorithm, the first security capability of the terminal may, for instance, be {encryption algorithm 1, encryption algorithm 2, encryption algorithm 3, integrity protection algorithm 1, integrity protection algorithm 2}. As another example, for a terminal that supports both 4G security algorithms and 5G security algorithms, the security algorithms may further be divided into 4G security algorithms and 5G security algorithms; the first security capability of the terminal then includes, for instance, {4G encryption algorithm 1, 4G encryption algorithm 2, 5G encryption algorithm 3, 5G encryption algorithm 4, 4G integrity protection algorithm 1, 4G integrity protection algorithm 2, 5G integrity protection algorithm 3}.
The first security capability of the terminal can be used by the target base station to select the first security algorithm.
As one implementation, the connection resume request message may also carry the resume identifier.
Further, the connection resume request message may also carry a message authentication code, which is used by the source base station to authenticate the legitimacy of the terminal. The message authentication code may, for example, be the short message authentication code for integrity (shortMAC-I). As one implementation, the message authentication code may be generated by the terminal according to the first security capability of the terminal. Specifically, as one implementation, the terminal may generate the message authentication code according to the first security capability of the terminal, the integrity protection key and the second integrity protection algorithm. The integrity protection key is the key used between the terminal and the source base station; it may be the same as the integrity protection key used in the previous resume, or it may be regenerated. The second integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the source base station.
Optionally, the parameters for generating the message authentication code may also include the source cell radio network temporary identifier (C-RNTI), the source physical cell identifier (PCI) and the target cell ID.
Optionally, the connection resume request message may also carry a cause indication, which indicates the reason the terminal initiates the connection resume request. When the cause indication indicates that a RAN notification area update is being initiated, the terminal is initiating the RAN notification area update procedure.
Step 302: the target base station sends a request message to the source base station.
Correspondingly, the source base station receives the request message from the target base station.
As one implementation, the request message includes the message authentication code, and the source base station may verify the message authentication code.
For example, the source base station may verify the message authentication code by one of the following methods:
Method one: the source base station verifies the message authentication code according to the first security capability of the terminal.
For example, the request message sent by the target base station to the source base station further includes the first security capability of the terminal. The source base station obtains the first security capability of the terminal from the request message and then generates a message authentication code according to it. If the message authentication code generated by the source base station is identical to the message authentication code carried in the request message, the source base station verifies the message authentication code as correct; if the two are not identical, the verification fails.
Method two: the source base station verifies the message authentication code according to the second security capability of the terminal.
The second security capability of the terminal is stored in the source base station. Thus the source base station may obtain the second security capability of the terminal locally and then generate a message authentication code according to it. If the message authentication code generated by the source base station is identical to the message authentication code carried in the request message, the source base station verifies the message authentication code as correct; if the two are not identical, the verification fails.
By method one or method two the source base station can verify the message authentication code; if the verification succeeds, the source base station obtains the access stratum context of the terminal.
Specifically, as one implementation, the source base station may verify the message authentication code according to the first security capability of the terminal or the second security capability of the terminal, together with the integrity protection key and the second integrity protection algorithm. The integrity protection key is the key negotiated between the terminal and the source base station; it may be the same as the integrity protection key used in the previous resume, or it may be regenerated. The second integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the source base station.
Optionally, the parameters for generating the verification code may also include the source cell radio network temporary identifier (C-RNTI), the source physical cell identifier (PCI) and the target cell ID.
For example, as one implementation, the target base station may obtain the resume identifier from the connection resume request message, determine from the source base station identifier in the resume identifier that the terminal was previously connected to the source base station, and then send the request message to the source base station. The request message may, for example, be a context request message, used to request the context of the terminal. The request message carries the message authentication code and may also carry the resume identifier.
After the source base station receives the request message sent by the target base station, it first verifies the message authentication code in the request message by the above methods. If the verification succeeds, it obtains the access stratum context of the terminal according to the terminal identifier in the resume identifier in the request message. The access stratum context includes, for example, the second security algorithm negotiated between the terminal and the source base station and, optionally, the second security capability of the terminal. The second security capability of the terminal refers to the security capability of the terminal as stored in the source base station. Under normal circumstances the second security capability of the terminal is identical to the first security capability of the terminal. However, if the source base station has been attacked, the second security capability of the terminal may have been tampered with, so that the second security capability and the first security capability of the terminal may differ.
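The exchange of steps 301 and 302, as an added example that is not code from this patent: the terminal computes a message authentication code over its first security capability (plus the optional source C-RNTI, source PCI and target cell ID) with the integrity protection key and the second integrity protection algorithm, and the source base station recomputes it either from the capability carried in the request (method one) or from its own stored copy (method two). HMAC-SHA256 stands in for the integrity protection algorithm, the MAC is truncated to 32 bits (the text gives no length), and the key, identifiers and capability sets are constructed sample values. The example also runs the two failure cases the text implies: a capability stripped in transit, and a stored capability that no longer matches because the source base station was tampered with.

```python
# Added example, not code from the patent: shortMAC-I generation (step 301) and
# verification by method one / method two (step 302).
# Assumptions: HMAC-SHA256 stands in for the integrity algorithm, 32-bit truncation,
# constructed key and identifiers.
import hashlib
import hmac

# Hypothetical registry mapping the page's abstract algorithm names to MAC functions.
INTEGRITY_ALGORITHMS = {
    "5G integrity protection algorithm 3":
        lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
}
MAC_LEN = 4  # assumption: 32-bit truncation (the page gives no length)


def encode_capability(capability):
    """Canonical encoding of a security capability (a set of algorithm names).

    Sorting makes the MAC independent of the order in which the terminal lists
    its algorithms, so a legitimate reordering is not mistaken for tampering.
    """
    return ";".join(sorted(capability)).encode()


def short_mac_i(k_int, int_alg, capability, c_rnti, pci, target_cell_id):
    """MAC over the capability and the optional identifiers listed in the text."""
    msg = b"|".join([
        encode_capability(capability),
        c_rnti.to_bytes(2, "big"),
        pci.to_bytes(2, "big"),
        target_cell_id.to_bytes(4, "big"),
    ])
    return INTEGRITY_ALGORITHMS[int_alg](k_int, msg)[:MAC_LEN]


def build_resume_request(ue_ctx, target_cell_id):
    """Step 301: the terminal builds the connection resume request from its retained AS context."""
    return {
        "resume_id": ue_ctx["resume_id"],
        "capability": set(ue_ctx["capability"]),  # first security capability
        "mac": short_mac_i(ue_ctx["k_int"], ue_ctx["int_alg"], ue_ctx["capability"],
                           ue_ctx["c_rnti"], ue_ctx["pci"], target_cell_id),
    }


def _expected_mac(src_ctx, capability, target_cell_id):
    return short_mac_i(src_ctx["k_int"], src_ctx["int_alg"], capability,
                       src_ctx["c_rnti"], src_ctx["pci"], target_cell_id)


def verify_method_one(src_store, request, target_cell_id):
    """Step 302, method one: recompute over the first security capability in the request."""
    src_ctx = src_store.get(request["resume_id"])
    if src_ctx is None:
        return False
    expected = _expected_mac(src_ctx, request["capability"], target_cell_id)
    return hmac.compare_digest(expected, request["mac"])


def verify_method_two(src_store, request, target_cell_id):
    """Step 302, method two: recompute over the second security capability stored at the source."""
    src_ctx = src_store.get(request["resume_id"])
    if src_ctx is None:
        return False
    expected = _expected_mac(src_ctx, src_ctx["capability"], target_cell_id)
    return hmac.compare_digest(expected, request["mac"])


# Constructed sample AS context, retained by both sides when the terminal was suspended.
SAMPLE_CTX = {
    "resume_id": "I-RNTI-0x1a2b",
    "k_int": bytes.fromhex("00112233445566778899aabbccddeeff"),  # constructed key
    "int_alg": "5G integrity protection algorithm 3",
    "capability": {"4G encryption algorithm 1", "5G encryption algorithm 3",
                   "5G encryption algorithm 4", "4G integrity protection algorithm 1",
                   "5G integrity protection algorithm 3"},
    "c_rnti": 0x0042,
    "pci": 101,
}
SAMPLE_TARGET_CELL = 0x00ABCDEF


def demo():
    """Runs the exchange and returns four verification outcomes:
    (honest request, method one), (honest request, method two),
    (capability stripped in transit, method one), (stored capability tampered, method two).
    """
    store = {SAMPLE_CTX["resume_id"]: SAMPLE_CTX}
    req = build_resume_request(SAMPLE_CTX, SAMPLE_TARGET_CELL)
    honest_m1 = verify_method_one(store, req, SAMPLE_TARGET_CELL)
    honest_m2 = verify_method_two(store, req, SAMPLE_TARGET_CELL)
    # Bidding-down attempt: the 5G algorithms are stripped from the capability on the path.
    downgraded = dict(req, capability={"4G encryption algorithm 1",
                                       "4G integrity protection algorithm 1"})
    stripped_m1 = verify_method_one(store, downgraded, SAMPLE_TARGET_CELL)
    # The "source base station attacked" case: its stored copy no longer matches the terminal's.
    bad_store = {SAMPLE_CTX["resume_id"]:
                 dict(SAMPLE_CTX, capability={"4G encryption algorithm 1"})}
    tampered_m2 = verify_method_two(bad_store, req, SAMPLE_TARGET_CELL)
    return honest_m1, honest_m2, stripped_m1, tampered_m2


if __name__ == "__main__":
    print(demo())
```

Method one binds the capability the target base station will actually select from, so an in-transit downgrade is caught; method two binds the source's stored copy, so it is the stored copy that must be trustworthy. The target cell ID in the MAC input ties the request to the cell it was sent to, which is why a request replayed towards a different cell fails verification.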
Step 303: the source base station sends the second security algorithm to the target base station.
Correspondingly, the target base station receives the second security algorithm from the source base station.
Further, the source base station may also send the second security capability of the terminal to the target base station.
As one implementation, the source base station may carry the second security algorithm in a context response message sent to the target base station. Optionally, the context response message also includes the second security capability of the terminal.
It should be noted that steps 302 and 303 are optional. The target base station may also obtain the second security algorithm in other ways; for example, the terminal may send the second security algorithm to the target base station.
Step 304, target BS selects the first security algorithm.
Wherein, target BS can select the first security algorithm according to following methods.
Method one, target BS select the first security algorithm according to the first security capabilities of terminal.
After target BS receives connection recovery request message, the first security capabilities of terminal is therefrom got, then root
According to the first security capabilities of terminal, the first security algorithm is selected.As a kind of implementation, target BS can be according to terminal
The priority of security algorithm and the security algorithm being locally stored that first security capabilities, target BS are locally stored selects first
Security algorithm.
For example, the first security capabilities of terminal includes that { 4G Encryption Algorithm Isosorbide-5-Nitrae G Encryption Algorithm 2,5G Encryption Algorithm 3,5G adds
Close algorithm 4,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2,5G protection algorithm integrallty 3,5G integrity protection are calculated
Method 4,5G protection algorithm integrallty 5 }, which is the base station 5G, and the security algorithm that the target BS is locally stored is { 4G
Encryption Algorithm 1,5G Encryption Algorithm 3,5G Encryption Algorithm 4,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2,5G is complete
Property protection algorism 6,5G protection algorithm integrallty 4,5G protection algorithm integrallty 5 }, and the Encryption Algorithm that target BS is locally stored
Priority from high to low successively are as follows: 5G Encryption Algorithm 3,5G Encryption Algorithm 4,4G Encryption Algorithm 1, what target BS was locally stored
The priority of protection algorithm integrallty is from high to low successively are as follows: 5G protection algorithm integrallty 6,5G protection algorithm integrallty 4,5G is complete
Whole property protection algorism 5,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2.Then target BS is according to the first of terminal the peace
All can power, the priority of the security algorithm that target BS is locally stored and the security algorithm being locally stored, selection first safety
Algorithm is { 5G Encryption Algorithm 3,5G protection algorithm integrallty 4 }.
Method two, target BS select the first security algorithm according to the second security algorithm or the first security capabilities of terminal.
The target base station first determines whether the second security algorithm is the highest-priority security algorithm among the security algorithms it locally stores. If it is, the target base station uses the second security algorithm as the first security algorithm. That is, the first security algorithm negotiated between the terminal and the target base station is the same as the second security algorithm negotiated between the terminal and the source base station.
If the second security algorithm is not the highest-priority security algorithm among the security algorithms locally stored by the target base station, the target base station selects the first security algorithm according to the first security capabilities of the terminal. The specific implementation can be the same as method one above: the target base station selects the first security algorithm according to the first security capabilities of the terminal, its locally stored security algorithms and their priorities; for example, the selected first security algorithm is the highest-priority security algorithm among those in the first security capabilities.
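The following is an added example, not code from the patent, that implements the selection of the first security algorithm in step 304 by method one and method two, using the worked data above. The short names ("5G-EA3" for "5G encryption algorithm 3", "5G-IA4" for "5G integrity protection algorithm 4", and so on) are this example's own labels for the patent's placeholders, not 3GPP NEA/NIA identifiers. The check that a reused second algorithm also appears in the capabilities the terminal just sent is an addition beyond the patent's method two and is marked as such.

```python
"""Added example (not from the patent): selecting the first security algorithm
in step 304. Algorithm names are this example's shorthand for the patent's
placeholders, not real 3GPP identifiers."""

# First security capabilities sent by the terminal (the patent's worked example).
TERMINAL_CAPS = {
    "cipher": {"4G-EA1", "4G-EA2", "5G-EA3", "5G-EA4"},
    "integrity": {"4G-IA1", "4G-IA2", "5G-IA3", "5G-IA4", "5G-IA5"},
}

# Security algorithms locally stored by the target base station, listed in
# priority order, highest first (the patent's worked example).
TARGET_PRIORITY = {
    "cipher": ["5G-EA3", "5G-EA4", "4G-EA1"],
    "integrity": ["5G-IA6", "5G-IA4", "5G-IA5", "4G-IA1", "4G-IA2"],
}


def select_by_capability(terminal_caps, target_priority):
    """Method one: for each algorithm type, take the highest-priority
    algorithm stored by the target that the terminal also supports."""
    chosen = {}
    for kind, ranked in target_priority.items():
        supported = terminal_caps.get(kind, set())
        for alg in ranked:
            if alg in supported:
                chosen[kind] = alg
                break
        else:
            # No overlap at all: the resume cannot be protected, so refuse
            # rather than silently picking something the terminal lacks.
            raise ValueError(f"no common {kind} algorithm between terminal and target")
    return chosen


def select_first_algorithm(terminal_caps, target_priority, second_alg=None):
    """Method two: reuse the second security algorithm (negotiated with the
    source base station) when it is the target's highest-priority algorithm
    for every type; otherwise fall back to method one. With second_alg=None
    this is just method one."""
    if second_alg is not None:
        highest = all(ranked and ranked[0] == second_alg.get(kind)
                      for kind, ranked in target_priority.items())
        # Added check, not stated in the patent's method two: only reuse an
        # algorithm that the terminal's freshly sent capabilities include.
        supported = all(second_alg.get(kind) in terminal_caps.get(kind, set())
                        for kind in target_priority)
        if highest and supported:
            return dict(second_alg)
    return select_by_capability(terminal_caps, target_priority)


if __name__ == "__main__":
    print("method one:", select_by_capability(TERMINAL_CAPS, TARGET_PRIORITY))
    print("method two, second algorithm not top priority:",
          select_first_algorithm(TERMINAL_CAPS, TARGET_PRIORITY,
                                 {"cipher": "5G-EA4", "integrity": "5G-IA4"}))
```

With the patent's data, method one yields {5G-EA3, 5G-IA4}, matching the text. The added support check matters in the reuse branch: if the second algorithm were {5G-EA3, 5G-IA6}, it is the target's top priority for both types, but 5G-IA6 is not in the capabilities the terminal sent (the terminal may have sent only the subset for the current cell's network type), so the function falls back to method one instead of handing the terminal an algorithm it cannot run.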
Step 305, the target base station determines whether the first security algorithm is the same as the second security algorithm. If they are the same, steps 306 to 309 are performed; if they are not the same, steps 310 to 313 are performed.
It should be noted that step 305 is optional.
When the target base station selects the first security algorithm using method one in step 304, step 305 is performed. When the target base station selects the first security algorithm using method two in step 304, step 305 need not be performed. Specifically, if in step 304 the target base station, using method two, took the second security algorithm as the first security algorithm, steps 306 to 309 follow directly after step 304; if in step 304 the target base station, using method two, did not take the second security algorithm as the first security algorithm but instead selected the first security algorithm according to the first security capabilities of the terminal, steps 310 to 313 follow directly after step 304.
Step 306, the target base station sends a connection resume response message to the terminal. Correspondingly, the terminal receives the connection resume response message from the target base station. The connection resume response message instructs the terminal to resume the RRC connection. Since the first security algorithm is the same as the second security algorithm, the target base station need not send the first security algorithm to the terminal.
It should be noted that when the terminal initiates a RAN notification area update procedure, that is, when the method of the present application is applied in a RAN notification area update procedure, step 306 can be replaced by: the target base station sends a response message to the terminal, the response message instructing the terminal to remain in the inactive state.
Step 307, the terminal obtains a protected RRC message according to the second security algorithm and an RRC message. Since the terminal has not received the first security algorithm from the target base station, it directly uses the second security algorithm as the security algorithm negotiated between the terminal and the target base station, and obtains the protected RRC message according to the second security algorithm and the RRC message. As an implementation, the RRC message can be, for example, a connection resume complete message, which indicates that the RRC connection resume is complete. The RRC message can also be another RRC message sent by the terminal after the connection is resumed, such as an RRC reconfiguration complete message.
Step 308, the terminal sends the protected RRC message to the target base station. Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 309, the target base station obtains the RRC message according to the protected RRC message and the second security algorithm.
The procedure ends.
Step 310, the target base station sends the first security algorithm to the terminal. Correspondingly, the terminal receives the first security algorithm from the target base station. As an implementation, the first security algorithm can be carried in the connection resume response message sent to the terminal. Since the first security algorithm differs from the second security algorithm, the target base station sends the selected first security algorithm to the terminal.
It should be noted that when the terminal initiates a RAN notification area update procedure, that is, when the method of the present application is applied in a RAN notification area update procedure, step 310 can be replaced by: the target base station sends a response message to the terminal, the response message including the first security algorithm and instructing the terminal to remain in the inactive state.
Step 311, the terminal obtains a protected RRC message according to the first security algorithm and an RRC message. Since the terminal has received the first security algorithm from the target base station, it uses the first security algorithm as the security algorithm negotiated between the terminal and the target base station, and obtains the protected RRC message according to the first security algorithm and the RRC message. As an implementation, the RRC message can be, for example, a connection resume complete message, which indicates that the RRC connection resume is complete. The RRC message can also be another RRC message sent by the terminal after the connection is resumed, such as an RRC reconfiguration complete message.
Step 312, the terminal sends the protected RRC message to the target base station. Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 313, the target base station obtains the RRC message according to the protected RRC message and the first security algorithm.
The procedure ends.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection resume request message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is the same as the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received a first security algorithm, it uses the second security algorithm to generate the protected RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm differs from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, because the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. In a further aspect, the target base station selects the first security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are more trustworthy and not easily tampered with, the security of the security algorithm negotiation is improved.
Further, before step 301, the terminal can also perform the following step: the terminal determines, according to a measurement report, the network type of the cell in which it is currently located. The security capabilities of the terminal (here, the first security capabilities of the terminal) correspond to the network type of the cell in which the terminal is currently located. For example, if the cell in which the terminal is currently located is a 5G network, the first security capabilities of the terminal in the connection resume request message sent by the terminal to the target base station in step 301 include the 5G security algorithms supported by the terminal. For another example, if the cell in which the terminal is currently located is a 4G network, the first security capabilities of the terminal in the connection resume request message sent by the terminal to the target base station in step 301 include the 4G security algorithms supported by the terminal. In this way, the terminal sends only part of the security algorithms it supports, which saves overhead.
Further, as an implementation, the following steps A and B can also be performed at any time after step 303:
Step A, the target base station determines whether the first security capabilities of the terminal and the second security capabilities of the terminal are the same. If they are the same, the procedure ends; if they are not the same, step B is performed.
Step B, the target base station notifies the mobility management network element that the second security capabilities of the terminal differ from the first security capabilities of the terminal.
Through the above steps, when the target base station determines that the second security capabilities of the terminal stored by the source base station differ from the first security capabilities of the terminal stored by the terminal, it notifies the mobility management network element, so that the mobility management network element can further report to the network management system. The administrator then learns that the second security capabilities of the terminal stored by the source base station differ from the first security capabilities of the terminal stored by the terminal, can determine that the source base station may have been attacked, and can then inspect the source base station.
As an implementation, in step B the target base station can notify the mobility management network element that the second security capabilities of the terminal differ from the first security capabilities of the terminal in one of the following ways.
Method one: the target base station sends a first notification message to the mobility management network element, the first notification message including the identifier of the cell of the source base station and notifying that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal.
As an implementation, the first notification message can be a path switch request message, which is used to request that the path be switched to the base station the terminal has moved to.
In this method, the second security capabilities of the terminal are stored in the cell of the source base station. Since the target base station has determined that the second security capabilities of the terminal stored in that cell of the source base station differ from the first security capabilities of the terminal stored in the terminal, it sends the first notification message to the mobility management network element. The first notification message includes the identifier of the cell of the source base station and notifies the mobility management network element that the second security capabilities of the terminal stored in that cell of the source base station differ from the first security capabilities of the terminal stored in the terminal.
Method two: the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information indicating that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal.
For example, the indication information and the identifier of the cell of the source base station can be carried in a path switch request message sent to the mobility management network element.
As another implementation, step B can also be replaced by the following step B':
Step B', the target base station sends a second notification message to the mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
As an implementation, the second notification message can also be a path switch request message.
Through step B', the target base station reports the second security capabilities of the terminal stored by the source base station to the mobility management network element, so that the mobility management network element can further determine whether the security capabilities of the terminal that it stores are the same as the security capabilities of the terminal stored by the source base station. If they differ, the mobility management network element reports to the network management system, so that the administrator learns that the security capabilities of the terminal stored by the source base station differ from those stored by the mobility management network element, can determine that the source base station may have been attacked, and can then inspect the source base station.
Fig. 4 shows another security algorithm negotiation method provided by the present application. The main difference between the negotiation method shown in Fig. 4 and the one shown in Fig. 3 is that in the method of Fig. 4, the target base station sends the first security algorithm directly to the terminal after selecting it. Correspondingly, after receiving the first security algorithm sent by the target base station, the terminal directly uses the received first security algorithm as the security algorithm for communication between the terminal and the target base station.
The method is described in detail below. As shown in Fig. 4, it includes the following steps:
Steps 401 to 404 are the same as steps 301 to 304 above; refer to the foregoing description, which is not repeated here.
It should be noted that steps 402 and 403 are optional. If the selection of the first security algorithm in step 404 needs the second security algorithm, steps 402 and 403 must be performed; if the selection of the first security algorithm in step 404 does not need the second security algorithm, steps 402 and 403 may be omitted.
Step 405, the target base station sends the first security algorithm to the terminal. Correspondingly, the terminal receives the first security algorithm from the target base station. For example, as an implementation, the target base station can carry the first security algorithm in a connection resume response message sent to the terminal. The connection resume response message instructs the terminal to resume the RRC connection.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in the connection resume request message, the security algorithm to be used for communication with the terminal, and sends that security algorithm to the terminal. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, because the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. In a further aspect, the target base station selects the security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are more trustworthy and not easily tampered with, the security of the security algorithm negotiation is improved.
Further, after step 405, the following steps can also be included:
Step 406, the terminal obtains a protected RRC message according to the first security algorithm and an RRC message. For example, the RRC message can be a connection resume complete message.
Step 407, the terminal sends the protected RRC message to the target base station. Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 408, the target base station obtains the RRC message according to the protected RRC message and the first security algorithm.
The procedure ends.
It should be noted that in the embodiment shown in Fig. 4, before step 401, the terminal can also perform the following step: the terminal determines, according to a measurement report, the network type of the cell in which it is currently located. For example, if the cell in which the terminal is currently located is a 5G network, the first security capabilities of the terminal in the connection resume request message sent by the terminal to the target base station in step 401 include the 5G security algorithms supported by the terminal. For another example, if the cell in which the terminal is currently located is a 4G network, the first security capabilities of the terminal in the connection resume request message sent by the terminal to the target base station in step 401 include the 4G security algorithms supported by the terminal. In this way, the terminal sends only part of the security algorithms it supports, which saves overhead.
Further, as an implementation, at any time after step 403, steps A and B of the above embodiment, or steps A and B' of the above embodiment, can also be performed. Refer to the foregoing description, which is not repeated here.
It should be noted that the embodiments shown in Fig. 3 and Fig. 4 can be applied to the connection resume procedure of a terminal in the inactive state, and can also be applied to the RAN notification area update (RAN-based notification area update) procedure.
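The following added example, not code from the patent, models the exchange after algorithm selection in both embodiments: steps 305 to 313 of Fig. 3 (the first security algorithm is sent only when it differs from the second), steps 405 to 408 of Fig. 4 (always sent, the `always_send` flag here), the RAN notification area update variant (`rna_update`), and the capability comparison of steps A and B with the path switch request of method one. The message field names, the shared key, the cell identifier and the HMAC-SHA256 construction standing in for "protecting" an RRC message are this example's assumptions, not the patent's or 3GPP's formats; the key is bound to the algorithm name only so that a message protected under one algorithm fails verification under another, which is what lets the target base station notice a terminal that did not apply the algorithm it was sent.

```python
"""Added example (not from the patent): the resume exchange of Fig. 3 and
Fig. 4 plus the capability mismatch report of steps A/B. Field names, keys
and the HMAC-based protection are assumptions for this illustration."""
import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 32  # SHA-256 output length


@dataclass(frozen=True)
class SourceContext:
    """What the target base station obtained from the source base station (step 303)."""
    second_alg: str          # security algorithm negotiated between terminal and source
    second_caps: frozenset   # terminal security capabilities as stored by the source


def protect(alg: str, key: bytes, rrc_msg: bytes) -> bytes:
    """Assumed protection: message followed by an HMAC-SHA256 tag whose key is
    bound to the algorithm identifier (stand-in for a real integrity algorithm)."""
    tag = hmac.new(key + alg.encode(), rrc_msg, hashlib.sha256).digest()
    return rrc_msg + tag


def unprotect(alg: str, key: bytes, protected: bytes) -> bytes:
    """Inverse of protect(); raises ValueError if the tag does not verify under alg."""
    rrc_msg, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key + alg.encode(), rrc_msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong algorithm or tampered message")
    return rrc_msg


def target_build_response(first_alg, ctx, first_caps, source_cell_id,
                          always_send=False, rna_update=False):
    """Steps 305/306/310 (Fig. 3) or step 405 (Fig. 4, always_send=True), and
    steps A/B. Returns (response message, mismatch report or None)."""
    response = {"type": "response" if rna_update else "connection_resume_response",
                "keep_inactive": rna_update}
    if always_send or first_alg != ctx.second_alg:
        response["first_security_algorithm"] = first_alg   # step 310 / 405
    report = None
    if frozenset(first_caps) != ctx.second_caps:            # step A
        # Step B, method one: a path switch request carrying the source cell id
        # tells the mobility management network element about the mismatch.
        report = {"type": "path_switch_request",
                  "source_cell_id": source_cell_id,
                  "capability_mismatch": True}
    return response, report


def terminal_protect_rrc(response, second_alg, key, rrc_msg):
    """Steps 307/311 (or 406): use the received first algorithm if present,
    otherwise the second algorithm. Returns (algorithm used, protected message)."""
    alg = response.get("first_security_algorithm", second_alg)
    return alg, protect(alg, key, rrc_msg)


def target_recover_rrc(first_alg, key, protected):
    """Steps 309/313 (or 408): the target verifies under the algorithm it selected."""
    return unprotect(first_alg, key, protected)


def run_exchange(first_alg, ctx, first_caps, key, rrc_msg=b"RRCResumeComplete",
                 always_send=False):
    """Drive one exchange end to end and report what each side did."""
    response, report = target_build_response(first_alg, ctx, first_caps,
                                             source_cell_id="cell-A",  # constructed
                                             always_send=always_send)
    used_alg, protected = terminal_protect_rrc(response, ctx.second_alg, key, rrc_msg)
    recovered = target_recover_rrc(first_alg, key, protected)
    return {"algorithm_sent": "first_security_algorithm" in response,
            "terminal_used": used_alg,
            "recovered": recovered,
            "mismatch_report": report}


if __name__ == "__main__":
    KEY = b"constructed-shared-key"   # constructed; stands in for the derived RRC key
    CAPS = frozenset({"5G-EA3", "5G-EA4", "5G-IA4", "5G-IA5"})
    ctx = SourceContext(second_alg="5G-EA3/5G-IA4", second_caps=CAPS)
    print(run_exchange("5G-EA3/5G-IA4", ctx, CAPS, KEY))                  # same: not sent
    print(run_exchange("5G-EA4/5G-IA5", ctx, CAPS, KEY))                  # differs: sent
    print(run_exchange("5G-EA3/5G-IA4", ctx, CAPS, KEY, always_send=True))  # Fig. 4
    print(run_exchange("5G-EA3/5G-IA4", ctx, CAPS - {"5G-EA4"}, KEY))      # steps A/B
```

The target base station always verifies under the algorithm it selected, never under whatever the terminal chose; a terminal that falls back to the second algorithm after being sent a different first algorithm therefore fails step 313 rather than silently negotiating down. The mismatch report is produced independently of which branch the response took, since steps A and B depend only on the two capability sets.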
It should be noted that the connection resume request message, connection resume response message, connection resume complete message, context request message, context response message and so on in the above embodiments are only names, and the names do not limit the messages themselves. In 5G networks and other future networks, the connection resume request message, connection resume response message, connection resume complete message, context request message and context response message may also have other names; the embodiments of the present application do not specifically limit this. For example, the connection resume request message may also be replaced by a request message, a resume request message, a connection request message, etc.; the connection resume response message by a response message, a resume response message, a connection response message, etc.; the connection resume complete message by a complete message, a resume complete message, a connection complete message, etc.; the context request message by a request message, etc.; and the context response message by a response message, etc.
The solution provided by the present application has mainly been described above from the perspective of interaction between the network elements. It will be understood that, to implement the above functions, each network element includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware, or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present invention.
When integrated units are used, Fig. 5 shows a possible exemplary block diagram of a device according to an embodiment of the present invention. The device 500 may exist in the form of software, or may be the terminal, or a chip in the terminal. The device 500 includes a processing unit 502 and a communication unit 503. The processing unit 502 controls and manages the actions of the device 500; for example, the processing unit 502 supports the device 500 in performing step 307 and step 311 in Fig. 3, step 406 in Fig. 4, and/or other processes of the techniques described herein. The communication unit 503 supports communication between the device 500 and other network entities (such as the target base station or the source base station); for example, the communication unit 503 supports the device 500 in performing steps 301, 306, 308, 310 and 312 in Fig. 3, and steps 401, 405 and 407 in Fig. 4. The device 500 may further include a storage unit 501 for storing program code and data of the device 500.
The processing unit 502 may be a processor or a controller, for example a general-purpose central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication unit 503 may be a communication interface, a transceiver, a transceiver circuit, or the like. The storage unit 501 may be a memory.
When the processing unit 502 is a processor, the communication unit 503 is a transceiver and the storage unit 501 is a memory, the device 500 according to the embodiment of the present invention may be the terminal shown in Fig. 6.
Fig. 6 shows a simplified schematic diagram of a possible design of the terminal according to an embodiment of the present invention. The terminal 600 includes a transmitter 601, a receiver 602 and a processor 603. The processor 603 may also be a controller, and is shown as "controller/processor 603" in Fig. 6. Optionally, the terminal 600 may further include a modem processor 605, which may include an encoder 606, a modulator 607, a decoder 608 and a demodulator 609.
In one example, the transmitter 601 conditions (for example, analog conversion, filtering, amplification and up-conversion) the output samples and generates an uplink signal, which is transmitted via an antenna to the target base station described in the above embodiments. On the downlink, the antenna receives the downlink signal transmitted by the target base station in the above embodiments. The receiver 602 conditions (for example, filtering, amplification, down-conversion and digitization) the signal received from the antenna and provides input samples. In the modem processor 605, the encoder 606 receives the service data and signaling messages to be sent on the uplink and processes them (for example, formatting, encoding and interleaving). The modulator 607 further processes (for example, symbol mapping and modulation) the encoded service data and signaling messages and provides output samples. The demodulator 609 processes (for example, demodulates) the input samples and provides symbol estimates. The decoder 608 processes (for example, de-interleaves and decodes) the symbol estimates and provides the decoded data and signaling messages sent to the terminal 600. The encoder 606, modulator 607, demodulator 609 and decoder 608 may be implemented by the integrated modem processor 605. These units perform processing according to the radio access technology used by the radio access network (for example, LTE and the access technologies of other evolved systems). It should be noted that when the terminal 600 does not include the modem processor 605, the above functions of the modem processor 605 may also be performed by the processor 603.
The processor 603 controls and manages the actions of the terminal 600 and performs the processing carried out by the terminal 600 in the embodiments of the present invention. For example, the processor 603 is also configured to perform the processing procedures of the terminal in the methods shown in Fig. 3 and Fig. 4 and/or other processes of the technical solutions described herein.
Further, the terminal 600 may also include a memory 604 for storing program code and data of the terminal 600.
When integrated units are used, Fig. 7 shows a possible exemplary block diagram of a device according to an embodiment of the present invention. The device 700 may exist in the form of software, or may be a base station, or a chip in a base station. The device 700 includes a processing unit 702 and a communication unit 703. The processing unit 702 controls and manages the actions of the device 700. The communication unit 703 supports communication between the device 700 and other network entities (such as the terminal, the mobility management network element or other base stations). The device 700 may further include a storage unit 701 for storing program code and data of the device 700.
The processing unit 702 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication unit 703 may be a communication interface, a transceiver, a transceiver circuit, or the like. "Communication interface" is a collective term; in a specific implementation it may include multiple interfaces, for example the interface between the base station and the mobility management network element, the interface between the base station and other base stations, the interface between the base station and the terminal, and/or other interfaces. The storage unit 701 may be a memory.
The device 700 shown in Fig. 7 may be the source base station involved in the present application, or the target base station involved in the present application.
When the device 700 is the source base station, the processing unit 702 can support the device 700 in performing the actions of the source base station in the above method examples. The communication unit 703 can support communication between the device 700 and the target base station or other network elements; for example, the communication unit 703 supports the device 700 in performing steps 302 and 303 in Fig. 3 and steps 402 and 403 in Fig. 4.
When the device 700 is the target base station, the processing unit 702 can support the device 700 in performing the actions of the target base station in the above method examples; for example, the processing unit 702 supports the device 700 in performing steps 304, 305, 309 and 313 in Fig. 3 and steps 404 and 408 in Fig. 4. The communication unit 703 can support communication between the device 700 and the source base station, the mobility management network element, the terminal or other network elements; for example, the communication unit 703 supports the device 700 in performing steps 301, 302, 303, 306, 308, 310 and 312 in Fig. 3 and steps 401, 402, 403, 405 and 407 in Fig. 4.
When the processing unit 702 is a processor, the communication unit 703 is a communication interface and the storage unit 701 is a memory, the device 700 according to the embodiment of the present invention may be the base station 800 shown in Fig. 8.
Fig. 8 shows a possible structural schematic diagram of a base station provided in an embodiment of the present invention. The base station 800 includes a processor 802 and a communication interface 804. The processor 802 may also be a controller, and is shown as "controller/processor 802" in Fig. 8. The communication interface 804 supports communication between the base station and other network elements (such as the mobility management network element or other base stations). Further, the base station 800 may also include a transmitter/receiver 801, which supports radio communication between the base station and the terminal in the above embodiments. The processor 802 can perform various functions for communicating with the terminal. On the uplink, the uplink signal from the terminal is received via the antenna, demodulated by the receiver 801 (for example, the high-frequency signal is demodulated into a baseband signal), and further processed by the processor 802 to recover the service data and signaling information sent by the terminal. On the downlink, service data and signaling messages are processed by the processor 802 and modulated by the transmitter 801 (for example, the baseband signal is modulated into a high-frequency signal) to generate a downlink signal, which is transmitted to the terminal via the antenna. It should be noted that the above demodulation or modulation functions may also be performed by the processor 802.
For example, the processor 802 is also configured to perform the processing procedures of the target base station or the source base station in the methods shown in Fig. 3 and Fig. 4 and/or other processes of the technical solutions described herein.
Further, the base station 800 may also include a memory 803 for storing program code and data of the base station 800.
It will be understood that Fig. 8 shows only a simplified design of the base station 800. In practical applications, the base station 800 may include any number of transmitters, receivers, processors, controllers, memories, communication units and the like, and all base stations that can implement the embodiments of the present invention fall within the protection scope of the embodiments of the present invention.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (for example, infrared, radio, microwave) means. The computer-readable storage medium may be any usable medium accessible by a computer, or a data storage device such as a server or data center integrating one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
Various illustrative logic units and circuit described in the embodiment of the present application can be by general processors, number
Word signal processor, specific integrated circuit (ASIC), field programmable gate array (FPGA) or other programmable logic devices, from
Door or transistor logic are dissipated, discrete hardware components or above-mentioned any combination of design carry out implementation or operation described function.It is logical
It can be microprocessor with processor, optionally, which may be any traditional processor, controller, micro-
Controller or state machine.Processor can also be realized by the combination of computing device, such as digital signal processor and Wei Chu
Device, multi-microprocessor are managed, one or more microprocessors combine a digital signal processor core or any other like
Configuration is to realize.
The step of method described in the embodiment of the present application or algorithm can be directly embedded into hardware, processor execute it is soft
The combination of part unit or the two.Software unit can store in RAM memory, flash memory, ROM memory, EPROM storage
Other any form of storaging mediums in device, eeprom memory, register, hard disk, moveable magnetic disc, CD-ROM or this field
In.Illustratively, storaging medium can be connect with processor, so that processor can read information from storaging medium, and
It can be to storaging medium stored and written information.Optionally, storaging medium can also be integrated into the processor.Processor and storaging medium can
To be set in asic, ASIC be can be set in terminal device.Optionally, processor and storaging medium also can be set in end
In different components in end equipment.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting
Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or
The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one
The step of function of being specified in a box or multiple boxes.
Although in conjunction with specific features and embodiment, invention has been described, it is clear that, do not departing from this hair
In the case where bright spirit and scope, it can be carry out various modifications and is combined.Correspondingly, the specification and drawings are only institute
The exemplary illustration of the invention that attached claim is defined, and be considered as covered in the scope of the invention any and all and repair
Change, change, combining or equivalent.Obviously, those skilled in the art various changes and modifications can be made to the invention without
It is detached from the spirit and scope of the present invention.If in this way, these modifications and changes of the present invention belong to the claims in the present invention and its
Within the scope of equivalent technologies, then the present invention is also intended to include these modifications and variations.
Claims (28)
1. A method for negotiating a security algorithm, characterized in that it is applied to a procedure in which a terminal in the inactive state requests resumption of a connection, or to a radio access network (RAN) notification area update procedure, and comprises:
the terminal sending a connection resume request message to a target base station, the connection resume request message requesting resumption of a radio resource control (RRC) connection and including the security capabilities of the terminal, the security capabilities of the terminal being used by the target base station to select a first security algorithm, and the first security algorithm being the security algorithm negotiated between the terminal and the target base station;
if the terminal does not receive the first security algorithm from the target base station, obtaining a protected RRC message according to a second security algorithm and an RRC message, wherein the second security algorithm is the security algorithm negotiated between the terminal and a source base station; or, if the terminal receives the first security algorithm from the target base station, obtaining the protected RRC message according to the first security algorithm and the RRC message;
the terminal sending the protected RRC message to the target base station.
2. The method according to claim 1, characterized in that the connection resume request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the method further comprises:
the terminal generating the message authentication code according to the security capabilities of the terminal.
3. The method according to claim 1 or 2, characterized in that, before the terminal sends the connection resume request message to the target base station, the method further comprises:
the terminal determining, according to a measurement report, the network type of the cell in which the terminal is currently located; wherein the security capabilities of the terminal correspond to the network type of the cell in which the terminal is currently located.
4. The method according to claim 3, characterized in that the network type of the cell in which the terminal is currently located is a fifth-generation (5G) network and the security capabilities of the terminal include the 5G security algorithms supported by the terminal; or,
the network type of the cell in which the terminal is currently located is a fourth-generation (4G) network and the security capabilities of the terminal include the 4G security algorithms supported by the terminal.
5. A method for negotiating a security algorithm, characterized in that it is applied to a procedure in which a terminal in the inactive state requests resumption of a connection, or to a radio access network (RAN) notification area update procedure, and comprises:
a target base station receiving a connection resume request message from a terminal, the connection resume request message requesting resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal;
the target base station selecting a first security algorithm according to the first security capabilities of the terminal;
if the first security algorithm is identical to a second security algorithm, the target base station sending a connection resume response message to the terminal, the connection resume response message instructing the terminal to resume the RRC connection; and receiving a protected RRC message from the terminal and obtaining the RRC message according to the protected RRC message and the second security algorithm; or,
if the first security algorithm differs from the second security algorithm, the target base station sending the first security algorithm to the terminal; and receiving the protected RRC message from the terminal and obtaining the RRC message according to the protected RRC message and the first security algorithm;
wherein the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and a source base station.
6. The method according to claim 5, characterized in that the method further comprises:
the target base station receiving second security capabilities of the terminal from the source base station;
if the second security capabilities of the terminal differ from the first security capabilities of the terminal, the target base station notifying a mobility management network element that the second security capabilities of the terminal differ from the first security capabilities of the terminal.
7. The method according to claim 6, characterized in that the target base station notifying the mobility management network element that the second security capabilities of the terminal differ from the first security capabilities of the terminal comprises:
the target base station sending a first notification message to the mobility management network element, the first notification message including an identifier of the cell of the source base station and being used to notify that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal; or,
the target base station sending indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information indicating that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal.
8. The method according to claim 5, characterized in that the method further comprises:
the target base station receiving second security capabilities of the terminal from the source base station;
the target base station sending a second notification message to a mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
9. The method according to any one of claims 6 to 8, characterized in that the connection resume request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal;
the method further comprises:
the target base station sending a request message to the source base station, the request message requesting the context of the terminal and including the message authentication code.
10. The method according to claim 9, characterized in that the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
11. A method for sending a security algorithm, characterized in that it comprises:
a source base station receiving a request message from a target base station, the request message requesting the context of a terminal and including a message authentication code, the message authentication code being generated according to first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal;
the source base station verifying the message authentication code;
if the verification succeeds, the source base station sending a security algorithm to the target base station, the security algorithm being the security algorithm negotiated between the terminal and the source base station, and the context of the terminal including the security algorithm.
12. The method according to claim 11, characterized in that the source base station verifying the message authentication code comprises:
the request message further including the first security capabilities of the terminal, and the source base station verifying the message authentication code according to the first security capabilities of the terminal; or,
the source base station verifying the message authentication code according to second security capabilities of the terminal, the second security capabilities of the terminal being the security capabilities of the terminal held at the source base station.
13. A device, applied to a terminal, characterized in that it is applied to a procedure in which the terminal in the inactive state requests resumption of a connection, or to a radio access network (RAN) notification area update procedure, and comprises:
a communication unit, configured to send a connection resume request message to a target base station, the connection resume request message requesting resumption of a radio resource control (RRC) connection and including the security capabilities of the terminal, the security capabilities of the terminal being used by the target base station to select a first security algorithm, and the first security algorithm being the security algorithm negotiated between the terminal and the target base station;
a processing unit, configured to, if the communication unit does not receive the first security algorithm from the target base station, obtain a protected RRC message according to a second security algorithm and an RRC message, wherein the second security algorithm is the security algorithm negotiated between the terminal and a source base station; or, if the terminal receives the first security algorithm from the target base station, obtain the protected RRC message according to the first security algorithm and the RRC message;
the communication unit being further configured to send the protected RRC message to the target base station.
14. The device according to claim 13, characterized in that the connection resume request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the processing unit is further configured to generate the message authentication code according to the security capabilities of the terminal.
15. The device according to claim 13 or 14, characterized in that the processing unit is further configured to determine, according to a measurement report and before the communication unit sends the connection resume request message to the target base station, the network type of the cell in which the terminal is currently located; wherein the security capabilities of the terminal correspond to the network type of the cell in which the terminal is currently located.
16. The device according to claim 15, characterized in that the network type of the cell in which the terminal is currently located is a fifth-generation (5G) network and the security capabilities of the terminal include the 5G security algorithms supported by the terminal; or,
the network type of the cell in which the terminal is currently located is a fourth-generation (4G) network and the security capabilities of the terminal include the 4G security algorithms supported by the terminal.
17. A device, applied to a base station, the base station being a target base station, characterized in that it is applied to a procedure in which a terminal in the inactive state requests resumption of a connection, or to a radio access network (RAN) notification area update procedure, and comprises:
a communication unit, configured to receive a connection resume request message from a terminal, the connection resume request message requesting resumption of a radio resource control (RRC) connection and including first security capabilities of the terminal;
a processing unit, configured to select a first security algorithm according to the first security capabilities of the terminal;
if the first security algorithm is identical to a second security algorithm, the communication unit being further configured to send a connection resume response message to the terminal, the connection resume response message instructing the terminal to resume the RRC connection; and to receive a protected RRC message from the terminal and obtain the RRC message according to the protected RRC message and the second security algorithm; or,
if the first security algorithm differs from the second security algorithm, the communication unit being further configured to send the first security algorithm to the terminal; and to receive the protected RRC message from the terminal and obtain the RRC message according to the protected RRC message and the first security algorithm;
wherein the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and a source base station.
18. The device according to claim 17, characterized in that the communication unit is further configured to:
receive second security capabilities of the terminal from the source base station;
if the second security capabilities of the terminal differ from the first security capabilities of the terminal, notify a mobility management network element that the second security capabilities of the terminal differ from the first security capabilities of the terminal.
19. The device according to claim 18, characterized in that the communication unit is specifically configured to:
send a first notification message to the mobility management network element, the first notification message including an identifier of the cell of the source base station and being used to notify that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal; or,
send indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information indicating that the second security capabilities of the terminal in that cell differ from the first security capabilities of the terminal.
20. The device according to claim 17, characterized in that the communication unit is further configured to:
receive second security capabilities of the terminal from the source base station;
send a second notification message to a mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
21. The device according to any one of claims 18 to 20, characterized in that the connection resume request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal;
the communication unit being further configured to send a request message to the source base station, the request message requesting the context of the terminal and including the message authentication code.
22. The device according to claim 21, characterized in that the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
23. A device, applied to a base station, the base station being a source base station, characterized in that it comprises:
a communication unit, configured to receive a request message from a target base station, the request message requesting the context of a terminal and including a message authentication code, the message authentication code being generated according to first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal;
a processing unit, configured to verify the message authentication code;
if the verification by the processing unit succeeds, the communication unit being further configured to send a security algorithm to the target base station, the security algorithm being the security algorithm negotiated between the terminal and the source base station, and the context of the terminal including the security algorithm.
24. The device according to claim 23, characterized in that the request message further includes the first security capabilities of the terminal, and the processing unit is specifically configured to verify the message authentication code according to the first security capabilities of the terminal; or,
the processing unit is specifically configured to verify the message authentication code according to second security capabilities of the terminal, the second security capabilities of the terminal being the security capabilities of the terminal held at the source base station.
25. A terminal, characterized in that it includes the device according to any one of claims 13 to 16.
26. A base station, characterized in that it includes the device according to any one of claims 17 to 24.
27. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 12.
28. A computer program product, characterized in that the computer program product includes instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 12.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810142555.8A CN110149630A (en) | 2018-02-11 | 2018-02-11 | A kind of negotiation of security algorithm, sending method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110149630A true CN110149630A (en) | 2019-08-20 |
Family
ID=67588945
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810142555.8A Pending CN110149630A (en) | 2018-02-11 | 2018-02-11 | A kind of negotiation of security algorithm, sending method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110149630A (en) |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102083063A (en) * | 2009-11-30 | 2011-06-01 | Datang Mobile Communications Equipment Co., Ltd. | Method, system and equipment for confirming AS key |
CN102137400A (en) * | 2010-01-23 | 2011-07-27 | ZTE Corporation | Safety treatment method and system when re-establishing RRC (radio resource control) connection |
CN102264064A (en) * | 2010-05-27 | 2011-11-30 | ZTE Corporation | Method and system for synchronizing access stratum (AS) security algorithms |
CN102348217A (en) * | 2010-07-28 | 2012-02-08 | ZTE Corporation | Method for determining object network element in switching process and system thereof |
CN102413528A (en) * | 2010-09-21 | 2012-04-11 | ZTE Corporation | Switch failure processing method and user equipment |
CN102448060A (en) * | 2010-09-30 | 2012-05-09 | Huawei Technologies Co., Ltd. | Secret key management method, authorization checking method and device |
CN107046735A (en) * | 2016-02-05 | 2017-08-15 | ZTE Corporation | Connection processing method and device between terminal and network |
CN107294723A (en) * | 2016-03-31 | 2017-10-24 | ZTE Corporation | The generation of message integrity authentication information and verification method, device and checking system |
CN109729524A (en) * | 2017-10-31 | 2019-05-07 | Huawei Technologies Co., Ltd. | A kind of RRC connection restoration methods and device |
CN109803258A (en) * | 2017-11-16 | 2019-05-24 | Huawei Technologies Co., Ltd. | A kind of request restores the method and device of connection |
Non-Patent Citations (4)
Title |
---|
3GPP: "3GPP TS 36.300 version 14.2.0 Release 14", ETSI TS 136 300 V14.2.0 * |
HUAWEI, HISILICON: "pCR to TS 33.501: Security Handling at Transition from RRC-INACTIVE to RRC-CONNECTED transition", 3GPP * |
HUAWEI, HISILICON: "R2-1710569 Remaining issues on State transition between RRC CONNECTED and INACTIVE", 3GPP R2-1710569 * |
VALTTERI NIEMI, KAISA NYBERG: "UMTS Security" (Chinese edition), 30 November 2005 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11252566B2 (en) * | 2018-02-23 | 2022-02-15 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and device for determining security algorithm, and computer storage medium |
US11882450B2 (en) | 2018-02-23 | 2024-01-23 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and device for determining security algorithm, and computer storage medium |
WO2021056563A1 (en) * | 2019-09-29 | 2021-04-01 | Huawei Technologies Co., Ltd. | Communication method and communication apparatus |
US11889310B2 (en) | 2019-09-29 | 2024-01-30 | Huawei Technologies Co., Ltd. | Communication method and communication apparatus |
CN113455032A (en) * | 2020-05-29 | 2021-09-28 | Huawei Technologies Co., Ltd. | Communication method and device |
CN113455032B (en) * | 2020-05-29 | 2023-06-27 | Huawei Technologies Co., Ltd. | Communication method, communication device, and computer-readable medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190820 |