CN110149630A - Security algorithm negotiation method, sending method, and device - Google Patents

Info

Publication number
CN110149630A
Authority
CN
China
Prior art keywords
terminal
security
security algorithm
base station
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810142555.8A
Other languages
Chinese (zh)
Inventor
胡力
潘凯
耿婷婷
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H04L 63/205: Network architectures or network communication protocols for network security, for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04W 12/02: Security arrangements; Authentication; Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/03: Security arrangements; Protecting confidentiality, e.g. by encryption
    • H04W 12/04: Security arrangements; Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/106: Security arrangements; Integrity; Packet or message integrity
    • H04W 36/0038: Hand-off or reselection arrangements; Control or signalling for completing the hand-off for data sessions of end-to-end connection, with transfer of context information, of security context information
    • H04W 76/27: Connection management; Manipulation of established connections; Transitions between radio resource control [RRC] states

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a security algorithm negotiation method, a sending method, and a device. The method comprises: when a terminal moves to a target base station, the terminal sends a connection resume request message to the target base station, and the target base station reselects, according to the terminal's security capabilities carried in the connection resume request message, a first security algorithm to be used for communication with the terminal. If the terminal does not receive the first security algorithm, it generates the protected RRC message using a second security algorithm, the second security algorithm being the one negotiated between the terminal and the source base station. If the terminal receives the first security algorithm, it generates the protected RRC message using the first security algorithm. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication.

Description

Security algorithm negotiation method, sending method, and device
Technical field
This application relates to the field of mobile communication technology, and in particular to a security algorithm negotiation method, a sending method, and a device.
Background technique
In Long Term Evolution (LTE), the suspend and resume procedure can be used for narrowband Internet of Things (NB-IoT) terminals, that is, IoT devices with low mobility or low power consumption, such as smart water meters.
When the base station instructs the terminal to release the current connection by suspending it, the terminal and the source base station delete part of the access stratum (AS) context but retain the rest of it, such as the AS key, the terminal's security capabilities, and the currently selected security algorithm. When the terminal later wishes to resume the connection with a target base station, the connection can be resumed quickly.
In fifth generation (5G) systems and future communication systems, the above procedure may be extended so that suspend and resume also apply to enhanced mobile broadband (eMBB) terminals, such as smartphones.
Since the mobility of such terminals is higher, the base station the terminal accesses changes more frequently. In this case, how to improve security and flexibility when the terminal is restored from the inactive state to the connected state, or when a radio access network (RAN) notification area update is performed, is a problem to be solved.
Summary of the invention
The application provides a security algorithm negotiation method, a sending method, and a device, in order to improve security and flexibility when a terminal is restored from the inactive state to the connected state or when a radio access network (RAN) notification area update is performed.
In a first aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the terminal sends a connection resume request message to the target base station, the connection resume request message being used to request resumption of the radio resource control (RRC) connection and including the security capabilities of the terminal; the security capabilities of the terminal are used by the target base station to select a first security algorithm, the first security algorithm being the security algorithm negotiated between the terminal and the target base station; if the terminal does not receive the first security algorithm from the target base station, it obtains a protected RRC message according to a second security algorithm and the RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station; alternatively, if the terminal receives the first security algorithm from the target base station, it obtains the protected RRC message according to the first security algorithm and the RRC message; and the terminal sends the protected RRC message to the target base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in that message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is identical to the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received a first security algorithm, it uses the second security algorithm to generate the protected RRC message, the second security algorithm being the one negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm differs from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. Furthermore, the target base station selects the first security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are better protected and not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the connection resume request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the method further comprises: the terminal generates the message authentication code according to the security capabilities of the terminal.
In the above method, the terminal generates the message authentication code according to its security capabilities, and the source base station uses the message authentication code to authenticate the legitimacy of the terminal. Therefore, if the security capabilities of the terminal are tampered with, the source base station can detect that they have been tampered with and terminate the security algorithm negotiation, which helps improve the security of the negotiation procedure.
In one possible implementation, before the terminal sends the connection resume request message to the target base station, the method further comprises: the terminal determines, according to a measurement report, the network type of the cell in which it is currently located, where the security capabilities of the terminal correspond to the network type of the cell in which the terminal is currently located. In this way, the security capabilities sent by the terminal correspond to the network type of its current cell, which saves overhead when the terminal sends its security capabilities. For example, in one implementation, the network type of the cell in which the terminal is currently located is a fifth generation (5G) network, and the security capabilities of the terminal include the 5G security algorithms the terminal supports; alternatively, the network type of the cell is a fourth generation (4G) network, and the security capabilities of the terminal include the 4G security algorithms the terminal supports.
In a second aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the terminal sends a connection resume request message to the target base station, the connection resume request message being used to request resumption of the RRC connection and including the security capabilities of the terminal; the security capabilities of the terminal are used by the target base station to select a security algorithm, the security algorithm being the one negotiated between the terminal and the target base station; and the terminal obtains the security algorithm from the target base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in that message, the security algorithm to be used for communication with the terminal and sends that security algorithm to the terminal. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. Furthermore, the target base station selects the security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are better protected and not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the connection resume request message further includes a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the method further comprises: the terminal generates the message authentication code according to the security capabilities of the terminal.
In one possible implementation, before the terminal sends the connection resume request message to the target base station, the method further comprises: the terminal determines, according to a measurement report, the network type of the cell in which it is currently located, where the security capabilities of the terminal correspond to the network type of the cell in which the terminal is currently located.
In one possible implementation, the network type of the cell in which the terminal is currently located is a fifth generation (5G) network, and the security capabilities of the terminal include the 5G security algorithms the terminal supports; alternatively, the network type of the cell is a fourth generation (4G) network, and the security capabilities of the terminal include the 4G security algorithms the terminal supports.
In a third aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the target base station receives a connection resume request message from the terminal, the connection resume request message being used to request resumption of the RRC connection and including first security capabilities of the terminal; the target base station selects a first security algorithm according to the first security capabilities of the terminal; if the first security algorithm is identical to the second security algorithm, the target base station sends a connection resume response message to the terminal, the connection resume response message instructing the terminal to resume the RRC connection, and receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the second security algorithm; alternatively, if the first security algorithm differs from the second security algorithm, the target base station sends the first security algorithm to the terminal, and receives the protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the first security algorithm; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in that message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is identical to the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received a first security algorithm, it uses the second security algorithm to generate the protected RRC message, the second security algorithm being the one negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm differs from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. Furthermore, the target base station selects the first security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are better protected and not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; if the second security capabilities of the terminal differ from the first security capabilities of the terminal, the target base station notifies the mobility management network element that the second security capabilities and the first security capabilities of the terminal differ.
In one possible implementation, the target base station notifying the mobility management network element that the second security capabilities and the first security capabilities of the terminal differ comprises: the target base station sends a first notification message to the mobility management network element, the first notification message including the identifier of the cell of the source base station and notifying that the second security capabilities and the first security capabilities of the terminal in that cell differ; alternatively, the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information indicating that the second security capabilities of the terminal in that cell differ from its first security capabilities.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; the target base station sends a second notification message to the mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
In one possible implementation, the connection resume request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the target base station sends a request message to the source base station, the request message requesting the context of the terminal and including the message authentication code.
In one possible implementation, the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal together with the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
In a fourth aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the target base station receives a connection resume request message from the terminal, the connection resume request message being used to request resumption of the RRC connection and including first security capabilities of the terminal; the target base station selects a security algorithm according to the first security capabilities of the terminal; and the target base station sends the security algorithm to the terminal.
In the above method, when the terminal moves to the target base station, the terminal sends a connection resume request message to the target base station, and the target base station then reselects, according to the security capabilities of the terminal carried in that message, the security algorithm to be used for communication with the terminal and sends that security algorithm to the terminal. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station the terminal is connected to has changed, a new security algorithm is used, which can improve the security of the communication. Furthermore, the target base station selects the security algorithm according to the security capabilities sent by the terminal itself; since the security capabilities sent by the terminal are better protected and not easily tampered with, the security of the security algorithm negotiation can be improved.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; if the second security capabilities of the terminal differ from the first security capabilities of the terminal, the target base station notifies the mobility management network element that the second security capabilities and the first security capabilities of the terminal differ.
In one possible implementation, the target base station notifying the mobility management network element that the second security capabilities and the first security capabilities of the terminal differ comprises: the target base station sends a third notification message to the mobility management network element, the third notification message including the identifier of the cell of the source base station and notifying that the second security capabilities and the first security capabilities of the terminal in that cell differ; alternatively, the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information indicating that the second security capabilities of the terminal in that cell differ from its first security capabilities.
In one possible implementation, the method further comprises: the target base station receives second security capabilities of the terminal from the source base station; the target base station sends a fourth notification message to the mobility management network element, the fourth notification message including the identifier of the cell of the source base station and the second security capabilities of the terminal in that cell.
In one possible implementation, the connection resume request message further includes a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the method further comprises: the target base station sends a request message to the source base station, the request message requesting the context of the terminal and including the message authentication code.
In one possible implementation, the request message further includes the first security capabilities of the terminal, and the first security capabilities of the terminal together with the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
In a fifth aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the target base station receives a connection resume request message from the terminal, the connection resume request message being used to request resumption of the RRC connection and including first security capabilities of the terminal; if the target base station determines that the second security algorithm is the highest-priority algorithm among the locally stored security algorithms, it uses the second security algorithm as the first security algorithm; alternatively, if the target base station determines that the second security algorithm is not the highest-priority algorithm among the locally stored security algorithms, it selects the first security algorithm according to the first security capabilities of the terminal; if the first security algorithm is identical to the second security algorithm, the target base station sends a connection resume response message to the terminal, the connection resume response message instructing the terminal to resume the RRC connection, and receives a protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the second security algorithm; alternatively, if the first security algorithm differs from the second security algorithm, the target base station sends the first security algorithm to the terminal, and receives the protected RRC message from the terminal and obtains the RRC message according to the protected RRC message and the first security algorithm; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
In a sixth aspect, the application provides a security algorithm negotiation method, applied to the procedure in which a terminal in the inactive state requests to resume a connection or to the RAN notification area update procedure, comprising: the target base station receives a connection resume request message from the terminal, the connection resume request message being used to request resumption of the RRC connection and including first security capabilities of the terminal; if the target base station determines that the second security algorithm is the highest-priority algorithm among the locally stored security algorithms, it uses the second security algorithm as the first security algorithm; alternatively, if the target base station determines that the second security algorithm is not the highest-priority algorithm among the locally stored security algorithms, it selects the first security algorithm according to the first security capabilities of the terminal; and the target base station sends the first security algorithm to the terminal; where the first security algorithm is the security algorithm negotiated between the terminal and the target base station, and the second security algorithm is the security algorithm negotiated between the terminal and the source base station.
In a seventh aspect, the application provides a security algorithm sending method, comprising: the source base station receives a request message from the target base station, the request message requesting the context of the terminal and including a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal and used by the source base station to authenticate the legitimacy of the terminal; the source base station verifies the message authentication code; if the verification succeeds, the source base station sends the security algorithm to the target base station, the security algorithm being the one negotiated between the terminal and the source base station, and the context of the terminal including that security algorithm.
In one possible implementation, the source base station verifying the message authentication code comprises: the request message further includes the first security capabilities of the terminal, and the source base station verifies the message authentication code according to the first security capabilities of the terminal; alternatively, the source base station verifies the message authentication code according to the second security capabilities of the terminal, the second security capabilities being the security capabilities of the terminal stored at the source base station.
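Added example (not code from the patent or from Huawei): a Python simulation of the resume-time negotiation described in the first, third, fifth and seventh aspects above. The terminal sends its capabilities with a message authentication code over them, the source base station hands over the context only if that code verifies, and the target base station keeps the old algorithm when it already has top local priority or otherwise picks from the terminal's capabilities, omitting the algorithm from the response when it is unchanged. The algorithm labels, the key, the priority order and the truncated-HMAC construction of the message authentication code are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed labels and key (assumptions, not 3GPP identifiers or real key material).
ALG_NULL, ALG_A, ALG_B = "alg-null", "alg-a", "alg-b"
K_AS = b"constructed-access-stratum-key"  # AS key kept in the suspended context on both sides


def mac_over_capabilities(key: bytes, capabilities: list) -> bytes:
    """Message authentication code the terminal computes over its security capabilities.
    A truncated HMAC stands in for the patent's unspecified construction (assumption)."""
    canonical = ",".join(sorted(capabilities)).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()[:8]


def protect(alg: str, body: str) -> dict:
    """Stand-in for RRC protection with the negotiated algorithm: the tag binds the body
    to the algorithm name, so a mismatch between the two sides is detected."""
    tag = hmac.new(K_AS, f"{alg}|{body}".encode(), hashlib.sha256).hexdigest()[:16]
    return {"alg": alg, "body": body, "tag": tag}


def unprotect(alg: str, protected: dict) -> Optional[str]:
    """Return the RRC body if it verifies under alg, otherwise None."""
    expected = protect(alg, protected["body"])["tag"]
    return protected["body"] if hmac.compare_digest(expected, protected["tag"]) else None


@dataclass
class Terminal:
    capabilities: list
    current_alg: str  # second security algorithm: negotiated earlier with the source base station

    def resume_request(self) -> dict:
        # Connection resume request: capabilities plus a MAC over them.
        return {"caps": list(self.capabilities),
                "mac": mac_over_capabilities(K_AS, self.capabilities)}

    def protected_rrc(self, body: str, first_alg: Optional[str]) -> dict:
        # No algorithm in the response means the target kept the old one.
        return protect(first_alg if first_alg else self.current_alg, body)


@dataclass
class SourceBaseStation:
    stored_caps: list
    stored_alg: str

    def context_request(self, caps_in_request: list, mac: bytes) -> Optional[tuple]:
        """Seventh aspect: verify the MAC against the capabilities forwarded by the target
        and hand over the context only if it checks out."""
        if not hmac.compare_digest(mac_over_capabilities(K_AS, caps_in_request), mac):
            return None
        return list(self.stored_caps), self.stored_alg


@dataclass
class TargetBaseStation:
    priority: list  # locally configured preference, highest first
    mm_notices: list = field(default_factory=list)  # reports for the mobility management element

    def handle_resume(self, req: dict, source: SourceBaseStation) -> dict:
        ctx = source.context_request(req["caps"], req["mac"])
        if ctx is None:
            return {"msg": "reject", "reason": "capability MAC failed"}
        stored_caps, second_alg = ctx
        # Third aspect: report capabilities that differ from the source's stored copy.
        if set(stored_caps) != set(req["caps"]):
            self.mm_notices.append((stored_caps, req["caps"]))
        # Fifth aspect: keep the old algorithm if it already has top local priority,
        # otherwise choose the highest-priority algorithm the terminal supports.
        if second_alg == self.priority[0]:
            first_alg = second_alg
        else:
            first_alg = next((a for a in self.priority if a in req["caps"]), None)
        if first_alg is None:
            return {"msg": "reject", "reason": "no common algorithm"}
        # The response carries the algorithm only when it changed.
        return {"msg": "resume", "alg": None if first_alg == second_alg else first_alg,
                "effective_alg": first_alg}


def run_resume(terminal, source, target, rrc_body="constructed RRC payload"):
    """One full exchange; returns (target response, RRC body as recovered by the target)."""
    resp = target.handle_resume(terminal.resume_request(), source)
    if resp["msg"] != "resume":
        return resp, None
    protected = terminal.protected_rrc(rrc_body, resp["alg"])
    return resp, unprotect(resp["effective_alg"], protected)


if __name__ == "__main__":
    caps = [ALG_NULL, ALG_A, ALG_B]
    ue = Terminal(caps, ALG_A)
    src = SourceBaseStation(caps, ALG_A)
    print(run_resume(ue, src, TargetBaseStation([ALG_B, ALG_A, ALG_NULL])))  # new algorithm sent
    print(run_resume(ue, src, TargetBaseStation([ALG_A, ALG_B, ALG_NULL])))  # algorithm omitted
    altered = ue.resume_request()
    altered["caps"] = [ALG_NULL]  # capabilities changed in transit: MAC no longer matches
    print(TargetBaseStation([ALG_B]).handle_resume(altered, src))
```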
Eighth aspect, the application provide a kind of device, which can be terminal, are also possible to chip.The device has Realize the function of each embodiment of above-mentioned first aspect.The function can also execute phase by hardware by hardware realization The software realization answered.The hardware or software include one or more modules corresponding with above-mentioned function.
9th aspect, the application provide a kind of device, comprising: processor and memory;The memory for storing instruction, When the apparatus is operative, which executes the instruction of memory storage so that the device execute above-mentioned first aspect or The machinery of consultation of security algorithm in any implementation method of first aspect.It should be noted that the memory can integrate in In processor, it is also possible to independently of except processor.
Tenth aspect, the application provide a kind of device, which includes processor, and the processor is used for and memory coupling It closes, and reads the instruction in memory and execute any implementation method of above-mentioned first aspect or first aspect according to described instruction In security algorithm machinery of consultation.
In an eleventh aspect, the application provides a device, which may be a terminal or a chip. The device has the function of implementing each embodiment of the second aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twelfth aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm negotiation method of the second aspect or of any implementation of the second aspect. The memory may be integrated in the processor or be separate from it.
In a thirteenth aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm negotiation method of the second aspect or of any implementation of the second aspect.
In a fourteenth aspect, the application provides a device, which may be a target base station or a chip. The device has the function of implementing each embodiment of the third aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a fifteenth aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm negotiation method of the third aspect or of any implementation of the third aspect. The memory may be integrated in the processor or be separate from it.
In a sixteenth aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm negotiation method of the third aspect or of any implementation of the third aspect.
In a seventeenth aspect, the application provides a device, which may be a target base station or a chip. The device has the function of implementing each embodiment of the fourth aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In an eighteenth aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm negotiation method of the fourth aspect or of any implementation of the fourth aspect. The memory may be integrated in the processor or be separate from it.
In a nineteenth aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm negotiation method of the fourth aspect or of any implementation of the fourth aspect.
In a twentieth aspect, the application provides a device, which may be a target base station or a chip. The device has the function of implementing each embodiment of the fifth aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-first aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm negotiation method of the fifth aspect. The memory may be integrated in the processor or be separate from it.
In a twenty-second aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm negotiation method of the fifth aspect.
In a twenty-third aspect, the application provides a device, which may be a target base station or a chip. The device has the function of implementing each embodiment of the sixth aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-fourth aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm negotiation method of the sixth aspect. The memory may be integrated in the processor or be separate from it.
In a twenty-fifth aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm negotiation method of the sixth aspect.
In a twenty-sixth aspect, the application provides a device, which may be a source base station or a chip. The device has the function of implementing each embodiment of the seventh aspect. The function may be implemented by hardware, or by hardware executing the corresponding software. The hardware or software includes one or more modules corresponding to the function.
In a twenty-seventh aspect, the application provides a device comprising a processor and a memory. The memory stores instructions; when the device runs, the processor executes the instructions stored in the memory so that the device performs the security algorithm sending method of the seventh aspect or of any implementation of the seventh aspect. The memory may be integrated in the processor or be separate from it.
In a twenty-eighth aspect, the application provides a device comprising a processor, which is coupled to a memory, reads the instructions in the memory and, according to those instructions, performs the security algorithm sending method of the seventh aspect or of any implementation of the seventh aspect.
In a twenty-ninth aspect, the application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In a thirtieth aspect, the application further provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the methods of the above aspects.
In a thirty-first aspect, the application further provides a system comprising a base station, which may perform the steps executed by the target base station in the method of any of the third to sixth aspects. In one possible design, the system may further comprise another base station, which may perform the steps executed by the source base station in the method of the seventh aspect or of any implementation of the seventh aspect, or in the solutions provided by the embodiments of the present invention. In one possible design, the system may further comprise other equipment that interacts with the target base station and/or the source base station in the solutions provided by the embodiments of the present invention, such as the terminal.
Description of the drawings
Fig. 1 is a schematic diagram of a possible network architecture provided by the present application;
Fig. 2 is a schematic diagram of the process by which a terminal enters the inactive state from the connected state, as provided by the present application;
Fig. 3 is a schematic diagram of a security algorithm negotiation method provided by the present application;
Fig. 4 is a schematic diagram of another security algorithm negotiation method provided by the present application;
Fig. 5 is a schematic diagram of a device provided by the present application;
Fig. 6 is a schematic diagram of a terminal provided by the present application;
Fig. 7 is a schematic diagram of another device provided by the present application;
Fig. 8 is a schematic diagram of a base station provided by the present application.
Detailed description of embodiments
The application is described in further detail below with reference to the drawings. The specific operating methods of the method embodiments may also be applied in the device embodiments or the system embodiments. In the description of this application, unless otherwise stated, "multiple" means two or more.
Fig. 1 shows a possible network architecture of the application, comprising a terminal, a source base station and a target base station. The terminal communicates with the source base station and the target base station over the radio interface. The source base station and the target base station may communicate over a wired connection, for example an X2 interface or an Xn interface, or they may communicate over the air interface.
In this application the terminal may move from the source base station to the target base station, for example because of terminal mobility. The source base station is the base station the terminal accessed first; the target base station is the base station the terminal accesses afterwards, following the move.
A terminal is a device with a radio transceiving function. It may be deployed on land, indoors or outdoors, hand-held or vehicle-mounted; on the water surface (for example on a ship); or in the air (for example on an aircraft, a balloon or a satellite). The terminal may be any of various kinds of user equipment (UE): a mobile phone, a tablet computer (pad), a computer with a radio transceiving function, a wireless data card, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a wearable device (such as a smart watch, smart bracelet or pedometer), and so on. In systems using different radio access technologies, devices with similar wireless communication functions may have different names; for convenience of description, all of the above devices with a wireless transceiving communication function are referred to in this application as terminals.
A base station is a device that provides wireless communication functions for a terminal, including but not limited to: a next-generation base station in 5G (gNodeB, gNB), an evolved Node B (eNB), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), a transmission and reception point (TRP), a transmission point (TP), a mobile switching centre, and so on.
In this application, a terminal normally has three states: the connected state, the idle state and the inactive state.
When the terminal is in the connected state it is operating normally, and user data can be sent and received between the network side and the terminal.
When the terminal enters the idle state from the connected state, the terminal and the base station generally delete the entire access stratum (AS) context of the terminal. In one special case in 4G, when the network side releases the terminal's connection with a suspend cause, the terminal also enters the idle state from the connected state, but the terminal and the base station then delete only part of the AS context and retain the rest: for example the access stratum key (called KeNB in 4G), the security capabilities of the terminal, and the security algorithms (the integrity protection algorithm and the encryption algorithm) used for communication between the terminal and the source base station it accessed. The security capabilities of the terminal are the security algorithms the terminal supports, that is, the supported encryption algorithms and the supported integrity protection algorithms.
5G introduces the inactive state. When the terminal enters the inactive state from the connected state, the base station suspends the terminal; the terminal and the base station delete part of the AS context and retain the rest, for example the access stratum key (called KgNB in 5G), the security capabilities of the terminal, and the security algorithms (the integrity protection algorithm and the encryption algorithm) used for communication between the terminal and the source base station it accessed. Here too, the security capabilities of the terminal are the security algorithms the terminal supports, including the supported encryption algorithms and the supported integrity protection algorithms.
Because part of the AS context is retained in the terminal while it is in the inactive state, the terminal can enter the connected state from the inactive state more quickly than it can from the idle state.
Furthermore, given terminal mobility, the terminal may need to change base station when it returns from the inactive state to the connected state. That is, the terminal first establishes a connection with the source base station and then, for some reason such as a notification from the network side, enters the inactive state at the source base station. When the terminal wishes to return to the connected state and has meanwhile moved into the coverage area of the target base station, it resumes the connected state from the inactive state at the target base station.
The application also applies to the scenario in which the target base station accessed when the terminal resumes the connected state from the inactive state is the same as the source base station, that is, the base station accessed by the terminal does not change.
The application mainly discusses how, when the terminal determines that it needs to enter the connected state from the inactive state (that is, to resume the connection with the target base station), or during a RAN notification area update by the terminal, the requirements of the target base station can be accommodated so as to achieve a flexible and secure connection.
Before the security algorithm negotiation method of the application is described in detail, the process by which a terminal enters the inactive state from the connected state is introduced.
Fig. 2 is a schematic diagram of the process by which a terminal enters the inactive state from the connected state, as provided by the application. It comprises the following steps:
Step 201: the base station decides to suspend the RRC connection of the terminal.
For example, when the base station has not received any data from the terminal for a period of time, it decides to suspend the RRC connection of the terminal.
Step 202: the base station sends a suspend message to the terminal.
The suspend message notifies the terminal to release the RRC connection and enter the inactive state. It may, for example, be an RRC connection release message carrying a special indication.
In a specific implementation, the suspend message may carry a resume identifier, which may for example be an inactive-state cell radio network temporary identifier (I-RNTI).
The resume identifier is a parameter the terminal needs later when it enters the connected state from the inactive state; it may include information such as the identifier of the source base station and the identifier of the terminal.
Optionally, the suspend message may also carry a cause parameter releaseCause, which notifies the terminal to perform the suspend operation and enter the inactive state. For example, releaseCause may be set to "RRC Suspend" or "RRC Inactive". When the terminal obtains the releaseCause parameter and determines that its value is "RRC Suspend" or "RRC Inactive", it performs the operations related to suspending the terminal.
Optionally, the base station may also notify the control-plane network element of the core network to release bearers, for example the signalling radio bearer (SRB) and the data radio bearer (DRB).
Step 203: the terminal enters the inactive state.
The terminal deletes part of the AS context and retains the rest. The retained part of the AS context includes the access stratum key, the security capabilities of the terminal, and the integrity protection algorithm and encryption algorithm used for communication between the terminal and the source base station it accessed.
The terminal also stores the parameters sent by the base station, such as the resume identifier.
The terminal suspends its bearers, for example the signalling radio bearers and data radio bearers, and then enters the inactive state.
As can be seen from the above process, after the terminal enters the inactive state it retains part of the AS context and the parameters received from the base station. These help the terminal return quickly to the connected state when it later wishes to leave the inactive state.
The process by which the terminal returns from the inactive state to the connected state is described below. This process includes the security algorithm negotiation method between the terminal and the target base station.
In this application, when the terminal moves to the target base station, the target base station can reselect a security algorithm according to its own capabilities and requirements and use it to communicate with the terminal, rather than continuing to use the security algorithm the terminal used with the source base station. The method of the application therefore has two advantages: the target base station can reselect the security algorithm, which is more flexible; and, because a new security algorithm is used, the security of the communication can be improved.
For ease of description, the security algorithm negotiated between the terminal and the target base station is called the first security algorithm in this application. The first security algorithm may, for example, comprise a first encryption algorithm and a first integrity protection algorithm, which are the encryption algorithm and the integrity protection algorithm negotiated between the terminal and the target base station. The security algorithm negotiated between the terminal and the source base station is called the second security algorithm. It may, for example, comprise a second encryption algorithm and a second integrity protection algorithm, which are the encryption algorithm and the integrity protection algorithm negotiated between the terminal and the source base station.
Note that the first security algorithm reselected by the target base station may or may not be identical to the second security algorithm.
Fig. 3 shows a security algorithm negotiation method provided by the application, applied to the process in which a terminal in the inactive state requests to resume its connection. It comprises the following steps:
Step 301: the terminal sends a connection resume request message to the target base station.
Correspondingly, the target base station receives the connection resume request message from the terminal.
The connection resume request message sent by the terminal requests restoration of the RRC connection, that is, the terminal requests to return from the inactive state to the connected state.
The connection resume request message includes the security capabilities of the terminal, referred to as the first security capabilities of the terminal, meaning the security capabilities of the terminal as stored in the terminal. The first security capabilities of the terminal comprise the security algorithms the terminal supports. Taking security algorithms that comprise encryption algorithms and integrity protection algorithms as an example, the first security capabilities of the terminal may be {encryption algorithm 1, encryption algorithm 2, encryption algorithm 3, integrity protection algorithm 1, integrity protection algorithm 2}. As another example, for a terminal that supports both 4G and 5G security algorithms, the security algorithms can be further divided into 4G security algorithms and 5G security algorithms, so that the first security capabilities of the terminal may be {4G encryption algorithm 1, 4G encryption algorithm 2, 5G encryption algorithm 3, 5G encryption algorithm 4, 4G integrity protection algorithm 1, 4G integrity protection algorithm 2, 5G integrity protection algorithm 3}.
The first security capabilities of the terminal can be used by the target base station to select the first security algorithm.
In one implementation, the connection resume request message may also carry the resume identifier.
Further, the connection resume request message may also carry a message authentication code, which the source base station uses to authenticate the legitimacy of the terminal. The message authentication code may, for example, be a short message authentication code for integrity (shortMAC-I). In one implementation, the message authentication code is generated by the terminal according to the first security capabilities of the terminal. Specifically, the terminal may generate the message authentication code from the first security capabilities of the terminal, an integrity protection key and the second integrity protection algorithm. The integrity protection key is the key used between the terminal and the source base station; it may be the same as the integrity protection key used at the previous resume, or it may be regenerated. The second integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the source base station.
Optionally, the parameters used to generate the message authentication code may also include the source cell radio network temporary identifier (C-RNTI), the source physical cell identifier (PCI) and the target cell ID.
Optionally, the connection resume request message may also carry a cause indication, which indicates the reason the terminal initiates the connection resume request. When the cause indicates a RAN notification area update, the terminal is initiating the RAN notification area update procedure.
Step 302: the target base station sends a request message to the source base station.
Correspondingly, the source base station receives the request message from the target base station.
In one implementation, the request message includes the message authentication code, and the source base station can verify the message authentication code.
For example, the source base station may verify the message authentication code by one of the following methods:
Method one: the source base station verifies the message authentication code according to the first security capabilities of the terminal.
For example, the request message sent by the target base station to the source base station further includes the first security capabilities of the terminal. The source base station obtains the first security capabilities of the terminal from the request message and generates a message authentication code from them. If the message authentication code generated by the source base station is identical to the message authentication code carried in the request message, the source base station's verification of the message authentication code succeeds; if they differ, the verification fails.
Method two: the source base station verifies the message authentication code according to the second security capabilities of the terminal.
The second security capabilities of the terminal are stored in the source base station. The source base station therefore obtains the second security capabilities of the terminal locally and generates a message authentication code from them. If the message authentication code generated by the source base station is identical to the message authentication code carried in the request message, the source base station's verification of the message authentication code succeeds; if they differ, the verification fails.
By method one or method two the source base station verifies the message authentication code, and if the verification succeeds it retrieves the access stratum context of the terminal.
Specifically, in one implementation, the source base station verifies the message authentication code according to the first security capabilities or the second security capabilities of the terminal, the integrity protection key and the second integrity protection algorithm. The integrity protection key is the key negotiated between the terminal and the source base station; it may be the same as the integrity protection key used at the previous resume, or it may be regenerated. The second integrity protection algorithm is the integrity protection algorithm negotiated between the terminal and the source base station.
Optionally, the parameters used to generate the verifying authentication code may also include the source cell radio network temporary identifier (C-RNTI), the source physical cell identifier (PCI) and the target cell ID.
For example, in one implementation the target base station obtains the resume identifier from the connection resume request message, determines from the source base station identifier contained in the resume identifier that the terminal was previously connected to the source base station, and then sends the request message to the source base station. The request message may, for example, be a context request message requesting the context of the terminal. The request message carries the message authentication code and may also carry the resume identifier.
After receiving the request message from the target base station, the source base station first verifies the message authentication code in the request message by the method above. If the verification succeeds, it retrieves the access stratum context of the terminal according to the terminal identifier in the resume identifier carried in the request message. This context includes, for example, the second security algorithm negotiated between the terminal and the source base station, and optionally the second security capabilities of the terminal. The second security capabilities of the terminal are the security capabilities of the terminal as stored in the source base station. Normally the second security capabilities and the first security capabilities of the terminal are identical. However, if the source base station has been attacked, the second security capabilities of the terminal may have been tampered with, so that the second security capabilities and the first security capabilities of the terminal may differ.
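The message authentication code of steps 301 and 302, modelled as an added Python example that is not part of the patent: the terminal computes the code over its first security capabilities, the source C-RNTI, the source PCI and the target cell ID with the integrity key shared with the source base station, and the source base station verifies it by method one (capabilities taken from the request) and by method two (capabilities stored locally). The example assumes what the page does not specify: HMAC-SHA256 truncated to 16 bits stands in for the second integrity protection algorithm (the 16-bit length follows the shortMAC-I of LTE/NR RRC), the field encoding is invented for the example, labels such as "5G-ENC-3" are shorthand for the page's placeholder "5G encryption algorithm 3", and the key and identifiers are constructed.

```python
import hashlib
import hmac
import struct

SHORT_MAC_BYTES = 2  # 16-bit tag, as the LTE/NR shortMAC-I; assumed for this example


def encode_capabilities(caps):
    """Canonical encoding of a security-capability set: sorted, ';'-joined.
    Terminal and source base station must encode identically or the MAC
    can never match."""
    return ";".join(sorted(caps)).encode("utf-8")


def compute_short_mac(integrity_key, caps, c_rnti, pci, target_cell_id):
    """MAC over (security capabilities, source C-RNTI, source PCI, target cell ID).

    HMAC-SHA256 stands in for the second integrity protection algorithm
    negotiated with the source base station (assumption of this example);
    the fixed-width header keeps the identifiers from running into the
    variable-length capability encoding."""
    header = struct.pack(">HHQ", c_rnti, pci, target_cell_id)
    tag = hmac.new(integrity_key, header + encode_capabilities(caps), hashlib.sha256).digest()
    return tag[-SHORT_MAC_BYTES:]  # least-significant 16 bits of the full tag


def verify_short_mac(integrity_key, caps, c_rnti, pci, target_cell_id, received):
    expected = compute_short_mac(integrity_key, caps, c_rnti, pci, target_cell_id)
    return hmac.compare_digest(expected, received)  # constant-time comparison


class SourceBaseStation:
    """AS context the source base station keeps for a suspended terminal:
    the integrity key and the terminal's security capabilities as recorded
    at suspend time (the page's 'second security capabilities')."""

    def __init__(self, integrity_key, stored_caps):
        self.key = integrity_key
        self.stored_caps = set(stored_caps)

    def verify_method_one(self, req):
        # Method one: recompute with the first security capabilities carried in the request.
        return verify_short_mac(self.key, req["caps"], req["c_rnti"], req["pci"],
                                req["target_cell"], req["short_mac"])

    def verify_method_two(self, req):
        # Method two: recompute with the locally stored second security capabilities.
        return verify_short_mac(self.key, self.stored_caps, req["c_rnti"], req["pci"],
                                req["target_cell"], req["short_mac"])


def run_example():
    # Constructed values: not a real integrity key, not real cell identifiers.
    key = hashlib.sha256(b"constructed integrity key for the example").digest()
    caps = {"4G-ENC-1", "4G-ENC-2", "5G-ENC-3", "5G-ENC-4",
            "4G-INT-1", "4G-INT-2", "5G-INT-3"}
    c_rnti, pci, target_cell = 0x1A2B, 301, 0x0ABCDEF0

    # Terminal side (step 301): build the connection resume request.
    request = {"caps": caps, "c_rnti": c_rnti, "pci": pci, "target_cell": target_cell,
               "short_mac": compute_short_mac(key, caps, c_rnti, pci, target_cell)}

    honest_source = SourceBaseStation(key, caps)
    # Source whose stored context was altered (one 5G cipher dropped).
    altered_source = SourceBaseStation(key, caps - {"5G-ENC-4"})
    # Request whose capability list was stripped of the 5G ciphers in transit.
    bid_down = dict(request, caps=caps - {"5G-ENC-3", "5G-ENC-4"})

    return {
        "short_mac_len": len(request["short_mac"]),
        "method_one_ok": honest_source.verify_method_one(request),
        "method_two_ok": honest_source.verify_method_two(request),
        "method_one_altered_store": altered_source.verify_method_one(request),
        "method_two_altered_store": altered_source.verify_method_two(request),
        "method_one_bid_down": honest_source.verify_method_one(bid_down),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Against the altered source, method one still succeeds because it trusts the capabilities carried in the request, while method two fails; a source base station that runs both and sees them disagree has direct evidence that its stored capabilities no longer match what the terminal reports, which is the mismatch the page attributes to a compromised source base station. A capability list downgraded in transit fails method one because the capabilities are part of the authenticated input.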
Step 303: the source base station sends the second security algorithm to the target base station.
Correspondingly, the target base station receives the second security algorithm from the source base station.
Further, the source base station may also send the second security capabilities of the terminal to the target base station.
In one implementation, the source base station carries the second security algorithm in a context response message sent to the target base station. Optionally, the context response message also includes the second security capabilities of the terminal.
Note that steps 302 and 303 are optional. The target base station may also obtain the second security algorithm in other ways; for example, the terminal may send the second security algorithm to the target base station.
Step 304, target BS selects the first security algorithm.
Wherein, target BS can select the first security algorithm according to following methods.
Method one, target BS select the first security algorithm according to the first security capabilities of terminal.
After target BS receives connection recovery request message, the first security capabilities of terminal is therefrom got, then root According to the first security capabilities of terminal, the first security algorithm is selected.As a kind of implementation, target BS can be according to terminal The priority of security algorithm and the security algorithm being locally stored that first security capabilities, target BS are locally stored selects first Security algorithm.
For example, the first security capabilities of terminal includes that { 4G Encryption Algorithm Isosorbide-5-Nitrae G Encryption Algorithm 2,5G Encryption Algorithm 3,5G adds Close algorithm 4,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2,5G protection algorithm integrallty 3,5G integrity protection are calculated Method 4,5G protection algorithm integrallty 5 }, which is the base station 5G, and the security algorithm that the target BS is locally stored is { 4G Encryption Algorithm 1,5G Encryption Algorithm 3,5G Encryption Algorithm 4,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2,5G is complete Property protection algorism 6,5G protection algorithm integrallty 4,5G protection algorithm integrallty 5 }, and the Encryption Algorithm that target BS is locally stored Priority from high to low successively are as follows: 5G Encryption Algorithm 3,5G Encryption Algorithm 4,4G Encryption Algorithm 1, what target BS was locally stored The priority of protection algorithm integrallty is from high to low successively are as follows: 5G protection algorithm integrallty 6,5G protection algorithm integrallty 4,5G is complete Whole property protection algorism 5,4G protection algorithm integrallty Isosorbide-5-Nitrae G protection algorithm integrallty 2.Then target BS is according to the first of terminal the peace All can power, the priority of the security algorithm that target BS is locally stored and the security algorithm being locally stored, selection first safety Algorithm is { 5G Encryption Algorithm 3,5G protection algorithm integrallty 4 }.
Method two: the target base station selects the first security algorithm according to the second security algorithm or according to the first security capability of the terminal.
The target base station first determines whether the second security algorithm is the security algorithm with the highest priority among the security algorithms stored locally at the target base station. If it is, the target base station uses the second security algorithm as the first security algorithm; that is, the first security algorithm negotiated between the terminal and the target base station is the same as the second security algorithm negotiated between the terminal and the source base station.
If the second security algorithm is not the highest-priority security algorithm among those stored locally at the target base station, the target base station selects the first security algorithm according to the first security capability of the terminal. The specific implementation may be the same as method one above: the target base station may select the first security algorithm according to the first security capability of the terminal, the locally stored security algorithms and their priorities, for example selecting the highest-priority security algorithm among those contained in the first security capability.
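The selection rule of method one and the fallback of method two, written out as an added example (not code from the patent or from Huawei). The algorithm names, the terminal capability and the priority lists reproduce the constructed values of the example above; the extra check in method two that the terminal still supports the reused algorithm is an added assumption rather than something the text states.

```python
# Added example (not part of the patent): the two selection methods the target
# base station may use in step 304. Algorithm names, the terminal capability and
# the priority lists are the constructed values of the patent's own example.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SecurityAlgorithm:
    ciphering: str
    integrity: str


# First security capability reported by the terminal (constructed, as in the text).
TERMINAL_FIRST_CAPABILITY = frozenset({
    "4G-enc-1", "4G-enc-2", "5G-enc-3", "5G-enc-4",
    "4G-int-1", "4G-int-2", "5G-int-3", "5G-int-4", "5G-int-5",
})
# Algorithms stored locally at the (5G) target base station, highest priority first.
TARGET_CIPHERING_PRIORITY = ("5G-enc-3", "5G-enc-4", "4G-enc-1")
TARGET_INTEGRITY_PRIORITY = ("5G-int-6", "5G-int-4", "5G-int-5", "4G-int-1", "4G-int-2")


def highest_supported(priority: Iterable[str], capability: frozenset) -> Optional[str]:
    """Walk the base station's priority list and return the first algorithm the
    terminal also supports (None if there is no common algorithm)."""
    for alg in priority:
        if alg in capability:
            return alg
    return None


def select_method_one(capability, cipher_prio=TARGET_CIPHERING_PRIORITY,
                      integ_prio=TARGET_INTEGRITY_PRIORITY) -> SecurityAlgorithm:
    """Method one: highest-priority local ciphering and integrity algorithm that
    the terminal supports. For the constructed terminal 5G-int-6 is skipped
    because it is not in the terminal's capability."""
    cipher = highest_supported(cipher_prio, capability)
    integ = highest_supported(integ_prio, capability)
    if cipher is None or integ is None:
        # No algorithm in common: the resume cannot be protected, so refuse
        # rather than silently fall back to a weaker or null algorithm.
        raise ValueError("terminal and target base station share no security algorithm")
    return SecurityAlgorithm(cipher, integ)


def select_method_two(capability, second: SecurityAlgorithm,
                      cipher_prio=TARGET_CIPHERING_PRIORITY,
                      integ_prio=TARGET_INTEGRITY_PRIORITY) -> Tuple[SecurityAlgorithm, bool]:
    """Method two: keep the second (source-negotiated) algorithm if it is already
    the highest-priority local algorithm of each type, otherwise reselect via
    method one. Returns (first_algorithm, reused). The membership check against
    the terminal's capability is an added defensive check, not in the patent text."""
    is_top = second.ciphering == cipher_prio[0] and second.integrity == integ_prio[0]
    supported = second.ciphering in capability and second.integrity in capability
    if is_top and supported:
        return second, True
    return select_method_one(capability, cipher_prio, integ_prio), False


if __name__ == "__main__":
    first = select_method_one(TERMINAL_FIRST_CAPABILITY)
    print(first)  # SecurityAlgorithm(ciphering='5G-enc-3', integrity='5G-int-4')
```

Refusing when there is no common algorithm is the conservative choice: a resume that cannot be integrity-protected should not proceed with whatever the two priority lists happen to share.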
Step 305: the target base station determines whether the first security algorithm is the same as the second security algorithm. If they are the same, steps 306 to 309 are performed; if they are different, steps 310 to 313 are performed.
It should be noted that step 305 is optional.
When the target base station selects the first security algorithm using method one in step 304, step 305 is performed.
When the target base station selects the first security algorithm using method two in step 304, step 305 need not be performed. Specifically, if in method two of step 304 the target base station uses the second security algorithm as the first security algorithm, steps 306 to 309 follow step 304. If in method two of step 304 the target base station does not use the second security algorithm as the first security algorithm but instead selects the first security algorithm according to the first security capability of the terminal, steps 310 to 313 follow step 304.
Step 306: the target base station sends a connection recovery response message to the terminal.
Correspondingly, the terminal receives the connection recovery response message from the target base station.
The connection recovery response message is used to instruct the terminal to recover the RRC connection.
Since the first security algorithm is the same as the second security algorithm, the target base station need not send the first security algorithm to the terminal.
It should be noted that when the terminal initiates a RAN notification area update procedure, that is, when the method of the present application is applied in a RAN notification area update procedure, step 306 may be replaced by: the target base station sends a response message to the terminal, the response message being used to instruct the terminal to remain in the inactive state.
Step 307: the terminal obtains a protected RRC message according to the second security algorithm and an RRC message.
Since the terminal has not received a first security algorithm from the target base station, it directly uses the second security algorithm as the security algorithm negotiated between the terminal and the target base station, and obtains the protected RRC message according to the second security algorithm and the RRC message. As one implementation, the RRC message may be, for example, a connection recovery complete message, which is used to indicate that RRC connection recovery is complete. The RRC message may also be another RRC message sent by the terminal after the connection is recovered, such as an RRC reconfiguration complete message.
Step 308: the terminal sends the protected RRC message to the target base station.
Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 309: the target base station obtains the RRC message according to the protected RRC message and the second security algorithm.
The procedure ends.
Step 310: the target base station sends the first security algorithm to the terminal.
Correspondingly, the terminal receives the first security algorithm from the target base station.
As one implementation, the first security algorithm may be carried in a connection recovery response message sent to the terminal.
Since the first security algorithm is different from the second security algorithm, the target base station sends the selected first security algorithm to the terminal.
It should be noted that when the terminal initiates a RAN notification area update procedure, that is, when the method of the present application is applied in a RAN notification area update procedure, step 310 may be replaced by: the target base station sends a response message to the terminal, the response message including the first security algorithm and being used to instruct the terminal to remain in the inactive state.
Step 311: the terminal obtains a protected RRC message according to the first security algorithm and an RRC message.
Since the terminal has received the first security algorithm from the target base station, it uses the first security algorithm as the security algorithm negotiated between the terminal and the target base station, and obtains the protected RRC message according to the first security algorithm and the RRC message. As one implementation, the RRC message may be, for example, a connection recovery complete message, which is used to indicate that RRC connection recovery is complete. The RRC message may also be another RRC message sent by the terminal after the connection is recovered, such as an RRC reconfiguration complete message.
Step 312: the terminal sends the protected RRC message to the target base station.
Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 313: the target base station obtains the RRC message according to the protected RRC message and the first security algorithm.
The procedure ends.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capability of the terminal carried in the connection recovery request message, the first security algorithm to be used for communication with the terminal. If the target base station determines that the first security algorithm is the same as the second security algorithm, it does not send the selected first security algorithm to the terminal; correspondingly, if the terminal determines that it has not received a first security algorithm, it uses the second security algorithm to generate the protected RRC message, where the second security algorithm is the security algorithm negotiated between the terminal and the source base station. If the target base station determines that the first security algorithm is different from the second security algorithm, it sends the first security algorithm to the terminal; correspondingly, if the terminal determines that it has received the first security algorithm, it uses the first security algorithm to generate the protected RRC message. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station to which the terminal is connected has changed, using a new security algorithm can improve the security of the communication. In a further aspect, the target base station selects the first security algorithm according to the security capability sent by the terminal itself; since the security capability sent by the terminal is more secure and not easily tampered with, the security of the security algorithm negotiation can be improved.
Further, before step 301, the terminal may also perform the following step: the terminal determines, according to a measurement report, the network format of the cell in which it is currently located. The security capability of the terminal (here, the first security capability of the terminal) corresponds to the network format of the cell in which the terminal is currently located. For example, if the cell is a 5G network, the first security capability of the terminal in the connection recovery request message sent to the target base station in step 301 includes the 5G security algorithms supported by the terminal. For another example, if the cell is a 4G network, the first security capability of the terminal in the connection recovery request message sent to the target base station in step 301 includes the 4G security algorithms supported by the terminal. In this method the terminal sends only a subset of the security algorithms it supports, which saves overhead.
Further, as one implementation, the following steps A and B may also be performed at any time after step 303:
Step A: the target base station determines whether the first security capability of the terminal and the second security capability of the terminal are the same. If they are the same, the procedure ends; if they are different, step B is performed.
Step B: the target base station notifies the mobility management network element that the second security capability of the terminal is different from the first security capability of the terminal.
Through the above steps, when the target base station determines that the second security capability of the terminal stored by the source base station differs from the first security capability of the terminal stored by the terminal, it notifies the mobility management network element, so that the mobility management network element can further report to the network management system; the administrator then learns that the second security capability of the terminal stored by the source base station and the first security capability stored by the terminal differ, can determine that the source base station may have been attacked, and can then inspect the source base station.
As one implementation, in step B the target base station notifies the mobility management network element that the second security capability of the terminal is different from the first security capability of the terminal in one of the following ways.
Method one: the target base station sends a first notification message to the mobility management network element, the first notification message including the identifier of the cell of the source base station and being used to notify that the second security capability of the terminal in that cell is different from the first security capability of the terminal.
As one implementation, the first notification message may be a path switch request message, which may be used to request that the path be switched to the base station.
In this method, the second security capability of the terminal is stored in the cell of the source base station. Since the target base station determines that the second security capability of the terminal stored in the cell of the source base station differs from the first security capability stored on the terminal, it sends the first notification message to the mobility management network element; the first notification message includes the identifier of the cell of the source base station and notifies the mobility management network element that the second security capability of the terminal stored in that cell differs from the first security capability stored on the terminal.
Method two: the target base station sends indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information being used to indicate that the second security capability of the terminal in that cell is different from the first security capability of the terminal.
For example, the indication information and the identifier of the cell of the source base station may be carried in a path switch request message sent to the mobility management network element.
As another implementation, step B may be replaced by the following step B':
Step B': the target base station sends a second notification message to the mobility management network element, the second notification message including the identifier of the cell of the source base station and the second security capability of the terminal in that cell.
As one implementation, the second notification message may also be a path switch request message.
Through step B', the target base station reports the second security capability of the terminal stored by the source base station to the mobility management network element, so that the mobility management network element can further determine whether the security capability of the terminal stored by the mobility management network element itself is the same as the security capability of the terminal stored by the source base station. If they differ, the mobility management network element reports to the network management system, so that the administrator learns that the security capability stored by the source base station and the one stored by the mobility management network element differ, can determine that the source base station may have been attacked, and can then inspect the source base station.
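Steps A, B and B' as an added example (not code from the patent); the message field names, the cell identifier and the capability sets are constructed, and the mobility management side is modelled only as far as the text describes it, comparing the forwarded capability with its own record and producing a report for the network management system.

```python
# Added example (not part of the patent): steps A, B and B' at the target base
# station and the matching handling at the mobility management network element.
# Field names, the cell identifier and the capability sets are constructed.
from typing import Iterable, Optional


def capabilities_differ(second_capability: Iterable[str], first_capability: Iterable[str]) -> bool:
    """Step A. Compared as sets: the order in which algorithms are listed is not
    a difference in capability, only the set of supported algorithms is."""
    return set(second_capability) != set(first_capability)


def target_notify(source_cell_id: str, second_capability: Iterable[str],
                  first_capability: Iterable[str], variant: str = "B-method-one") -> Optional[dict]:
    """Step A followed by step B (method one or two) or step B'. Returns the path
    switch request message to send, or None when the capabilities match."""
    if not capabilities_differ(second_capability, first_capability):
        return None
    msg = {"type": "path-switch-request", "source_cell_id": source_cell_id}
    if variant == "B-method-one":
        # First notification message: the message itself carries the notification.
        msg["notification"] = "terminal-security-capability-mismatch"
    elif variant == "B-method-two":
        # Indication information together with the identifier of the source cell.
        msg["capability_mismatch_indication"] = True
    elif variant == "B-prime":
        # Second notification message: forward what the source cell stored so the
        # mobility management network element can compare it with its own record.
        msg["source_stored_security_capability"] = sorted(set(second_capability))
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return msg


def mobility_management_handle(msg: dict, stored_capability: Iterable[str]) -> Optional[dict]:
    """Mobility management network element. For B' it compares the forwarded
    capability with its own record; for B it relies on the target's indication.
    Returns the report for the network management system, or None."""
    cell = msg["source_cell_id"]
    report = {"report": "source-cell-capability-mismatch", "source_cell_id": cell,
              "action": "inspect source base station"}
    forwarded = msg.get("source_stored_security_capability")
    if forwarded is not None:
        return report if set(forwarded) != set(stored_capability) else None
    if msg.get("notification") or msg.get("capability_mismatch_indication"):
        return report
    return None


# Constructed sample: the copy stored at the source cell has lost the 5G algorithms.
UE_FIRST_CAPABILITY = ["5G-enc-3", "5G-int-4", "4G-enc-1", "4G-int-1"]
SOURCE_STORED_CAPABILITY = ["4G-enc-1", "4G-int-1"]

if __name__ == "__main__":
    print(target_notify("cell-src-1", SOURCE_STORED_CAPABILITY, UE_FIRST_CAPABILITY))
```

The set comparison in step A matters: a capability list that merely arrives in a different order must not raise a false mismatch report, while a copy that has lost algorithms (as in the constructed sample, where only the 4G algorithms survive at the source cell) must.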
Fig. 4 shows another security algorithm negotiation method provided by the present application. The main difference between the negotiation method of Fig. 4 and that of Fig. 3 is that in the method of Fig. 4, the target base station sends the first security algorithm directly to the terminal after selecting it.
Correspondingly, after receiving the first security algorithm sent by the target base station, the terminal directly uses the received first security algorithm as the security algorithm for communication between the terminal and the target base station.
As shown in Fig. 4, the method includes the following steps:
Steps 401 to 404 are the same as steps 301 to 304 above; refer to the foregoing description, which is not repeated here.
It should be noted that steps 402 and 403 are optional. If the second security algorithm is needed to select the first security algorithm in step 404, steps 402 and 403 must be performed; if the second security algorithm is not needed to select the first security algorithm in step 404, steps 402 and 403 may be omitted.
Step 405: the target base station sends the first security algorithm to the terminal.
Correspondingly, the terminal receives the first security algorithm from the target base station.
As one implementation, the target base station may, for example, carry the first security algorithm in a connection recovery response message sent to the terminal. The connection recovery response message is used to instruct the terminal to recover the RRC connection.
In the above method, when the terminal moves to the target base station, the terminal sends a connection recovery request message to the target base station, and the target base station then reselects, according to the security capability of the terminal carried in the connection recovery request message, the security algorithm to be used for communication with the terminal and sends that security algorithm to the terminal. On the one hand, this allows flexible selection of the security algorithm used for communication between the terminal and the target base station. On the other hand, since the base station to which the terminal is connected has changed, using a new security algorithm can improve the security of the communication. In a further aspect, the target base station selects the security algorithm according to the security capability sent by the terminal itself; since the security capability sent by the terminal is more secure and not easily tampered with, the security of the security algorithm negotiation can be improved.
Further, after step 405, the following steps may also be included:
Step 406: the terminal obtains a protected RRC message according to the first security algorithm and an RRC message.
For example, the RRC message may be a connection recovery complete message.
Step 407: the terminal sends the protected RRC message to the target base station.
Correspondingly, the target base station receives the protected RRC message from the terminal.
Step 408: the target base station obtains the RRC message according to the protected RRC message and the first security algorithm.
The procedure ends.
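The exchange of steps 305 to 313 (Fig. 3) and steps 405 to 408 (Fig. 4) with both sides modelled, as an added example that is not part of the patent. The "protected RRC message" is stood in for by an HMAC whose key mixes in the algorithm identifier, so that a message protected under one algorithm does not verify under another; the message layout, the key and the algorithm names are constructed. The drop_algorithm switch is an added assumption used to show what happens when the target omits the first algorithm although it differs from the second: the terminal keeps the second algorithm and the target's integrity check fails.

```python
# Added example (not part of the patent): the resume exchange of Fig. 3 (steps
# 305 to 313) and Fig. 4 (steps 405 to 408). The message layout, the HMAC stand-in
# for "protected RRC message", the key and the algorithm names are constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SecurityAlgorithm:
    ciphering: str
    integrity: str


# Constructed stand-in for integrity protection: the algorithm identifier is mixed
# into the MAC key, so a message protected under one algorithm does not verify
# under another. Real NR integrity protection (NIA algorithms keyed with a derived
# RRC integrity key) is not modelled here.
def protect_rrc(msg: dict, alg: SecurityAlgorithm, key: bytes) -> dict:
    body = json.dumps(msg, sort_keys=True).encode()
    mac = hmac.new(key + alg.integrity.encode(), body, hashlib.sha256).hexdigest()
    return {"body": msg, "mac": mac}


def unprotect_rrc(protected: dict, alg: SecurityAlgorithm, key: bytes) -> Optional[dict]:
    body = json.dumps(protected["body"], sort_keys=True).encode()
    expected = hmac.new(key + alg.integrity.encode(), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, protected["mac"]):
        return None  # integrity check failed: wrong algorithm or tampered message
    return protected["body"]


def target_build_response(first: SecurityAlgorithm, second: SecurityAlgorithm,
                          always_send: bool = False) -> dict:
    """Fig. 3: step 305 decides between step 306 (omit the algorithm) and step 310
    (include it). Fig. 4 (always_send=True): step 405 always includes it."""
    resp = {"type": "connection-recovery-response"}
    if always_send or first != second:
        resp["first_security_algorithm"] = {"ciphering": first.ciphering,
                                            "integrity": first.integrity}
    return resp


def terminal_pick_algorithm(resp: dict, second: SecurityAlgorithm) -> SecurityAlgorithm:
    """Steps 307/311 and 406: use the received first algorithm, else keep the second."""
    sa = resp.get("first_security_algorithm")
    if sa is None:
        return second
    return SecurityAlgorithm(sa["ciphering"], sa["integrity"])


def run_resume(first: SecurityAlgorithm, second: SecurityAlgorithm, key: bytes,
               always_send: bool = False,
               drop_algorithm: bool = False) -> Tuple[SecurityAlgorithm, Optional[dict], bool]:
    """Run the exchange end to end. drop_algorithm simulates a target that omits the
    first algorithm although it differs from the second (a broken step 305).
    Returns (algorithm the terminal used, RRC message recovered by the target or
    None, whether the response carried an algorithm)."""
    resp = target_build_response(first, second, always_send)
    if drop_algorithm:
        resp.pop("first_security_algorithm", None)
    ue_alg = terminal_pick_algorithm(resp, second)
    protected = protect_rrc({"type": "connection-recovery-complete"}, ue_alg, key)
    # Steps 309/313/408: the target verifies with the first algorithm it selected.
    recovered = unprotect_rrc(protected, first, key)
    return ue_alg, recovered, "first_security_algorithm" in resp


KEY = b"constructed-demo-key"  # constructed; stands in for the derived key
ALG_A = SecurityAlgorithm("5G-enc-3", "5G-int-4")
ALG_B = SecurityAlgorithm("5G-enc-4", "5G-int-5")

if __name__ == "__main__":
    print(run_resume(ALG_B, ALG_A, KEY))
```

In the Fig. 3 "same algorithm" path nothing about the algorithm is sent, so the two sides stay in step only because the target's comparison in step 305 is exact; the drop_algorithm run shows the failure mode when it is not, namely a terminal that protects the connection recovery complete message under the second algorithm while the target verifies under the first.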
It should be noted that in the embodiment shown in Fig. 4, before step 401, the terminal may also perform the following step: the terminal determines, according to a measurement report, the network format of the cell in which it is currently located. For example, if the cell is a 5G network, the first security capability of the terminal in the connection recovery request message sent to the target base station in step 401 includes the 5G security algorithms supported by the terminal. For another example, if the cell is a 4G network, the first security capability of the terminal in the connection recovery request message sent to the target base station in step 401 includes the 4G security algorithms supported by the terminal. In this method the terminal sends only a subset of the security algorithms it supports, which saves overhead.
Further, as one implementation, steps A and B of the above embodiment, or steps A and B' of the above embodiment, may also be performed at any time after step 403. Refer to the foregoing description, which is not repeated here.
It should be noted that the embodiments shown in Fig. 3 or Fig. 4 may be applied to the connection recovery procedure of a terminal in the inactive state, and may also be applied to the RAN notification area update (RAN-based notification update) procedure.
It should be noted that the connection recovery request message, connection recovery response message, connection recovery complete message, context request message, context response message and so on in the above embodiments are only names, and the names do not limit the messages themselves. In 5G networks and other future networks, the connection recovery request message, connection recovery response message, connection recovery complete message, context request message and context response message may also have other names, which the embodiments of the present application do not specifically limit. For example, the connection recovery request message may also be replaced by a request message, a recovery request message, a connection request message and so on; the connection recovery response message by a response message, a recovery response message, a connection response message and so on; the connection recovery complete message by a complete message, a recovery complete message, a connection complete message and so on; the context request message by a request message and so on; and the context response message by a response message and so on.
The solution provided by the present application has been described above mainly from the perspective of the interaction between the network elements. It can be understood that, to implement the above functions, each network element includes the corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present invention.
Where integrated units are used, Fig. 5 shows a possible exemplary block diagram of a device involved in an embodiment of the present invention. The device 500 may exist in the form of software, may be a terminal, or may be a chip in a terminal. The device 500 includes a processing unit 502 and a communication unit 503. The processing unit 502 controls and manages the actions of the device 500; for example, the processing unit 502 supports the device 500 in performing steps 307 and 311 in Fig. 3, step 406 in Fig. 4, and/or other processes of the techniques described herein. The communication unit 503 supports communication between the device 500 and other network entities (such as the target base station and the source base station); for example, the communication unit 503 supports the device 500 in performing steps 301, 306, 308, 310 and 312 in Fig. 3 and steps 401, 405 and 407 in Fig. 4. The device 500 may also include a storage unit 501 for storing program code and data of the device 500.
The processing unit 502 may be a processor or a controller, for example a general-purpose central processing unit (central processing unit, CPU), a general-purpose processor, a digital signal processor (digital signal processing, DSP), an application specific integrated circuit (application specific integrated circuits, ASIC), a field programmable gate array (field programmable gate array, FPGA) or other programmable logic device, transistor logic, a hardware component or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in the disclosure of the invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors or a combination of a DSP and a microprocessor. The communication unit 503 may be a communication interface, a transceiver, a transceiver circuit or the like. The storage unit 501 may be a memory.
When the processing unit 502 is a processor, the communication unit 503 is a transceiver and the storage unit 501 is a memory, the device 500 involved in the embodiment of the present invention may be the terminal shown in Fig. 6.
Fig. 6 shows a simplified schematic diagram of a possible design of a terminal involved in an embodiment of the present invention. The terminal 600 includes a transmitter 601, a receiver 602 and a processor 603. The processor 603 may also be a controller, shown as "controller/processor 603" in Fig. 6. Optionally, the terminal 600 may also include a modem processor 605, which may include an encoder 606, a modulator 607, a decoder 606 and a demodulator 609.
In one example, the transmitter 601 conditions (for example, analog conversion, filtering, amplification and up-conversion) the output samples and generates an uplink signal, which is transmitted via the antenna to the target base station described in the above embodiments. On the downlink, the antenna receives the downlink signal transmitted by the target base station in the above embodiments. The receiver 602 conditions (for example, filtering, amplification, down-conversion and digitisation) the signal received from the antenna and provides input samples. In the modem processor 605, the encoder 606 receives the service data and signalling messages to be sent on the uplink and processes them (for example, formatting, encoding and interleaving). The modulator 607 further processes (for example, symbol mapping and modulation) the encoded service data and signalling messages and provides output samples. The demodulator 609 processes (for example, demodulates) the input samples and provides symbol estimates. The decoder 606 processes (for example, de-interleaves and decodes) the symbol estimates and provides the decoded data and signalling messages sent to the terminal 600. The encoder 606, modulator 607, demodulator 609 and decoder 606 may be implemented by a combined modem processor 605. These units perform their processing according to the radio access technology used by the radio access network (for example, LTE and the access technologies of other evolved systems). It should be noted that when the terminal 600 does not include a modem processor 605, the above functions of the modem processor 605 may also be performed by the processor 603.
The processor 603 controls and manages the actions of the terminal 600 and performs the processing carried out by the terminal 600 in the embodiments of the present invention. For example, the processor 603 is also used to perform the processing of the terminal in the methods shown in Fig. 3 and Fig. 4 and/or other processes of the technical solution described herein.
Further, the terminal 600 may also include a memory 604 for storing program code and data of the terminal 600.
Where integrated units are used, Fig. 7 shows a possible exemplary block diagram of a device involved in an embodiment of the present invention. The device 700 may exist in the form of software, may be a base station, or may be a chip in a base station. The device 700 includes a processing unit 702 and a communication unit 703. The processing unit 702 controls and manages the actions of the device 700. The communication unit 703 supports communication between the device 700 and other network entities (such as the terminal, the mobility management network element or other base stations). The device 700 may also include a storage unit 701 for storing program code and data of the device 700.
The processing unit 702 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, transistor logic, a hardware component or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in the disclosure of the invention. The processor may also be a combination implementing computing functions, for example a combination of one or more microprocessors or a combination of a DSP and a microprocessor. The communication unit 703 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a collective term, and in a specific implementation the communication interface may include multiple interfaces, for example the interface between the base station and the mobility management network element, the interface between the base station and other base stations, the interface between the base station and the terminal, and/or other interfaces. The storage unit 701 may be a memory.
The device 700 shown in Fig. 7 may be the source base station involved in the present application, or may be the target base station involved in the present application.
When the device 700 is the source base station, the processing unit 702 can support the device 700 in performing the actions of the source base station in the above method examples. The communication unit 703 can support communication between the device 700 and the target base station or other network elements; for example, the communication unit 703 supports the device 700 in performing steps 302 and 303 in Fig. 3 and steps 402 and 403 in Fig. 4.
When the device 700 is the target base station, the processing unit 702 can support the device 700 in performing the actions of the target base station in the above method examples; for example, the processing unit 702 can support the device 700 in performing steps 304, 305, 309 and 313 in Fig. 3 and steps 404 and 408 in Fig. 4. The communication unit 703 can support communication between the device 700 and the source base station, the mobility management network element, the terminal or other network elements; for example, the communication unit 703 can support the device 700 in performing steps 301, 302, 303, 306, 308, 310 and 312 in Fig. 3 and steps 401, 402, 403, 405 and 407 in Fig. 4.
When the processing unit 702 is a processor, the communication unit 703 is a communication interface and the storage unit 701 is a memory, the device 700 involved in the embodiment of the present invention may be the base station 800 shown in Fig. 8.
Fig. 8 shows a possible schematic structure of a base station provided in an embodiment of the present invention. The base station 800 includes a processor 802 and a communication interface 804. The processor 802 may also be a controller, shown as "controller/processor 802" in Fig. 8. The communication interface 804 supports communication between the base station and other network elements (such as the mobility management network element or other base stations). Further, the base station 800 may also include a transmitter/receiver 801, which supports radio communication between the base station and the terminal in the above embodiments. The processor 802 may perform various functions for communicating with the terminal. On the uplink, the uplink signal from the terminal is received via the antenna, demodulated by the receiver 801 (for example, a high-frequency signal is demodulated into a baseband signal) and further processed by the processor 802 to recover the service data and signalling information sent by the terminal. On the downlink, service data and signalling messages are processed by the processor 802 and modulated by the transmitter 801 (for example, a baseband signal is modulated into a high-frequency signal) to generate a downlink signal, which is transmitted to the terminal via the antenna. It should be noted that the above demodulation or modulation functions may also be performed by the processor 802.
For example, the processor 802 is also used to perform the processing of the target base station or the source base station in the methods shown in Fig. 3 and Fig. 4 and/or other processes of the technical solution described herein.
Further, the base station 800 may also include a memory 803 for storing program code and data of the base station 800.
It can be understood that Fig. 8 shows only a simplified design of the base station 800. In practical applications, the base station 800 may include any number of transmitters, receivers, processors, controllers, memories, communication units and so on, and all base stations that can implement the embodiments of the present invention are within the scope of protection of the embodiments of the present invention.
In the above embodiments, the functions may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data centre to another website, computer, server or data centre by wired (such as coaxial cable, optical fibre or digital subscriber line (DSL)) or wireless (such as infrared, radio or microwave) means. The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data centre integrating one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (such as a solid state disk (Solid State Disk, SSD)).
The various illustrative logic units and circuits described in the embodiments of the present application may be implemented or operated by a general-purpose processor, a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components or any combination of the above designed to perform the described functions. The general-purpose processor may be a microprocessor; optionally, it may also be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented by a combination of computing devices, such as a digital signal processor and a microprocessor, multiple microprocessors, one or more microprocessors together with a digital signal processor core, or any other similar configuration.
The steps of the methods or algorithms described in the embodiments of the present application may be embedded directly in hardware, in a software unit executed by a processor, or in a combination of the two. The software unit may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. Illustratively, the storage medium may be connected to the processor so that the processor can read information from, and write information to, the storage medium. Optionally, the storage medium may also be integrated into the processor. The processor and the storage medium may be arranged in an ASIC, and the ASIC may be arranged in the terminal device. Optionally, the processor and the storage medium may also be arranged in different components of the terminal device.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps are performed on the computer or other programmable apparatus to produce computer-implemented processing, such that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although in conjunction with specific features and embodiment, invention has been described, it is clear that, do not departing from this hair In the case where bright spirit and scope, it can be carry out various modifications and is combined.Correspondingly, the specification and drawings are only institute The exemplary illustration of the invention that attached claim is defined, and be considered as covered in the scope of the invention any and all and repair Change, change, combining or equivalent.Obviously, those skilled in the art various changes and modifications can be made to the invention without It is detached from the spirit and scope of the present invention.If in this way, these modifications and changes of the present invention belong to the claims in the present invention and its Within the scope of equivalent technologies, then the present invention is also intended to include these modifications and variations.

Claims (28)

1. A method for negotiating a security algorithm, characterized in that it is applied to a process in which a terminal in an inactive state requests to resume a connection or to a radio access network (RAN) notification area update process, and comprises:
the terminal sending a connection resume request message to a target base station, the connection resume request message being used to request resumption of a radio resource control (RRC) connection, the connection resume request message comprising security capabilities of the terminal, the security capabilities of the terminal being used by the target base station to select a first security algorithm, and the first security algorithm being a security algorithm negotiated between the terminal and the target base station;
if the terminal does not receive the first security algorithm from the target base station, obtaining a protected RRC message according to a second security algorithm and an RRC message, wherein the second security algorithm is a security algorithm negotiated between the terminal and a source base station; or, if the terminal receives the first security algorithm from the target base station, obtaining the protected RRC message according to the first security algorithm and the RRC message;
the terminal sending the protected RRC message to the target base station.
2. The method according to claim 1, characterized in that the connection resume request message further comprises a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the method further comprises:
the terminal generating the message authentication code according to the security capabilities of the terminal.
3. The method according to claim 1 or 2, characterized in that, before the terminal sends the connection resume request message to the target base station, the method further comprises:
the terminal determining, according to a measurement report, the network standard of the cell in which the terminal is currently located; wherein the security capabilities of the terminal correspond to the network standard of the cell in which the terminal is currently located.
4. The method according to claim 3, characterized in that the network standard of the cell in which the terminal is currently located is a fifth generation (5G) network, and the security capabilities of the terminal comprise the 5G security algorithms supported by the terminal; or,
the network standard of the cell in which the terminal is currently located is a fourth generation (4G) network, and the security capabilities of the terminal comprise the 4G security algorithms supported by the terminal.
5. A method for negotiating a security algorithm, characterized in that it is applied to a process in which a terminal in an inactive state requests to resume a connection or to a radio access network (RAN) notification area update process, and comprises:
a target base station receiving a connection resume request message from a terminal, the connection resume request message being used to request resumption of a radio resource control (RRC) connection, the connection resume request message comprising first security capabilities of the terminal;
the target base station selecting a first security algorithm according to the first security capabilities of the terminal;
if the first security algorithm is the same as a second security algorithm, the target base station sending a connection resume response message to the terminal, the connection resume response message being used to instruct the terminal to resume the RRC connection; and receiving a protected RRC message from the terminal, and obtaining the RRC message according to the protected RRC message and the second security algorithm; or,
if the first security algorithm is different from the second security algorithm, the target base station sending the first security algorithm to the terminal; and receiving the protected RRC message from the terminal, and obtaining the RRC message according to the protected RRC message and the first security algorithm;
wherein the first security algorithm is a security algorithm negotiated between the terminal and the target base station, and the second security algorithm is a security algorithm negotiated between the terminal and a source base station.
6. The method according to claim 5, characterized in that the method further comprises:
the target base station receiving second security capabilities of the terminal from the source base station;
if the second security capabilities of the terminal are different from the first security capabilities of the terminal, the target base station notifying a mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal.
7. The method according to claim 6, characterized in that the target base station notifying the mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal comprises:
the target base station sending a first notification message to the mobility management network element, the first notification message comprising an identifier of a cell of the source base station, the first notification message being used to notify that the second security capabilities of the terminal in the cell are different from the first security capabilities of the terminal; or,
the target base station sending indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information being used to indicate that the second security capabilities of the terminal in the cell are different from the first security capabilities of the terminal.
8. The method according to claim 5, characterized in that the method further comprises:
the target base station receiving second security capabilities of the terminal from the source base station;
the target base station sending a second notification message to a mobility management network element, the second notification message comprising an identifier of a cell of the source base station and the second security capabilities of the terminal in the cell.
9. The method according to any one of claims 6 to 8, characterized in that the connection resume request message further comprises a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal, and the message authentication code being used by the source base station to authenticate the legitimacy of the terminal;
the method further comprises:
the target base station sending a request message to the source base station, the request message being used to request a context of the terminal, the request message comprising the message authentication code.
10. The method according to claim 9, characterized in that the request message further comprises the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
11. A method for sending a security algorithm, characterized in that it comprises:
a source base station receiving a request message from a target base station, the request message being used to request a context of a terminal, the request message comprising a message authentication code, the message authentication code being generated according to first security capabilities of the terminal, and the message authentication code being used by the source base station to authenticate the legitimacy of the terminal;
the source base station verifying the message authentication code;
if the verification succeeds, the source base station sending a security algorithm to the target base station, the security algorithm being a security algorithm negotiated between the terminal and the source base station, and the context of the terminal comprising the security algorithm.
12. The method according to claim 11, characterized in that the source base station verifying the message authentication code comprises:
the request message further comprising the first security capabilities of the terminal, and the source base station verifying the message authentication code according to the first security capabilities of the terminal; or,
the source base station verifying the message authentication code according to second security capabilities of the terminal, the second security capabilities of the terminal being the security capabilities of the terminal on the source base station.
13. A device, applied to a terminal, characterized in that it is applied to a process in which the terminal in an inactive state requests to resume a connection or to a radio access network (RAN) notification area update process, and comprises:
a communication unit, configured to send a connection resume request message to a target base station, the connection resume request message being used to request resumption of a radio resource control (RRC) connection, the connection resume request message comprising security capabilities of the terminal, the security capabilities of the terminal being used by the target base station to select a first security algorithm, and the first security algorithm being a security algorithm negotiated between the terminal and the target base station;
a processing unit, configured to, if the communication unit does not receive the first security algorithm from the target base station, obtain a protected RRC message according to a second security algorithm and an RRC message, wherein the second security algorithm is a security algorithm negotiated between the terminal and a source base station; or, if the terminal receives the first security algorithm from the target base station, obtain the protected RRC message according to the first security algorithm and the RRC message;
the communication unit being further configured to send the protected RRC message to the target base station.
14. The device according to claim 13, characterized in that the connection resume request message further comprises a message authentication code, the message authentication code being used by the source base station to authenticate the legitimacy of the terminal, and the processing unit being further configured to generate the message authentication code according to the security capabilities of the terminal.
15. The device according to claim 13 or 14, characterized in that the processing unit is further configured to, before the communication unit sends the connection resume request message to the target base station, determine according to a measurement report the network standard of the cell in which the terminal is currently located; wherein the security capabilities of the terminal correspond to the network standard of the cell in which the terminal is currently located.
16. The device according to claim 15, characterized in that the network standard of the cell in which the terminal is currently located is a fifth generation (5G) network, and the security capabilities of the terminal comprise the 5G security algorithms supported by the terminal; or,
the network standard of the cell in which the terminal is currently located is a fourth generation (4G) network, and the security capabilities of the terminal comprise the 4G security algorithms supported by the terminal.
17. A device, applied to a base station, the base station being a target base station, characterized in that it is applied to a process in which a terminal in an inactive state requests to resume a connection or to a radio access network (RAN) notification area update process, and comprises:
a communication unit, configured to receive a connection resume request message from a terminal, the connection resume request message being used to request resumption of a radio resource control (RRC) connection, the connection resume request message comprising first security capabilities of the terminal;
a processing unit, configured to select a first security algorithm according to the first security capabilities of the terminal;
if the first security algorithm is the same as a second security algorithm, the communication unit being further configured to send a connection resume response message to the terminal, the connection resume response message being used to instruct the terminal to resume the RRC connection; and to receive a protected RRC message from the terminal and obtain the RRC message according to the protected RRC message and the second security algorithm; or,
if the first security algorithm is different from the second security algorithm, the communication unit being further configured to send the first security algorithm to the terminal; and to receive the protected RRC message from the terminal and obtain the RRC message according to the protected RRC message and the first security algorithm;
wherein the first security algorithm is a security algorithm negotiated between the terminal and the target base station, and the second security algorithm is a security algorithm negotiated between the terminal and a source base station.
18. The device according to claim 17, characterized in that the communication unit is further configured to:
receive second security capabilities of the terminal from the source base station;
if the second security capabilities of the terminal are different from the first security capabilities of the terminal, notify a mobility management network element that the second security capabilities of the terminal are different from the first security capabilities of the terminal.
19. The device according to claim 18, characterized in that the communication unit is specifically configured to:
send a first notification message to the mobility management network element, the first notification message comprising an identifier of a cell of the source base station, the first notification message being used to notify that the second security capabilities of the terminal in the cell are different from the first security capabilities of the terminal; or,
send indication information and the identifier of the cell of the source base station to the mobility management network element, the indication information being used to indicate that the second security capabilities of the terminal in the cell are different from the first security capabilities of the terminal.
20. The device according to claim 17, characterized in that the communication unit is further configured to:
receive second security capabilities of the terminal from the source base station;
send a second notification message to a mobility management network element, the second notification message comprising an identifier of a cell of the source base station and the second security capabilities of the terminal in the cell.
21. The device according to any one of claims 18 to 20, characterized in that the connection resume request message further comprises a message authentication code, the message authentication code being generated according to the first security capabilities of the terminal, and the message authentication code being used by the source base station to authenticate the legitimacy of the terminal;
the communication unit being further configured to send a request message to the source base station, the request message being used to request a context of the terminal, the request message comprising the message authentication code.
22. The device according to claim 21, characterized in that the request message further comprises the first security capabilities of the terminal, and the first security capabilities of the terminal and the message authentication code are used by the source base station to authenticate the legitimacy of the terminal.
23. A device, applied to a base station, the base station being a source base station, characterized in that it comprises:
a communication unit, configured to receive a request message from a target base station, the request message being used to request a context of a terminal, the request message comprising a message authentication code, the message authentication code being generated according to first security capabilities of the terminal, and the message authentication code being used by the source base station to authenticate the legitimacy of the terminal;
a processing unit, configured to verify the message authentication code;
if the verification by the processing unit succeeds, the communication unit being further configured to send a security algorithm to the target base station, the security algorithm being a security algorithm negotiated between the terminal and the source base station, and the context of the terminal comprising the security algorithm.
24. The device according to claim 23, characterized in that the request message further comprises the first security capabilities of the terminal, and the processing unit is specifically configured to verify the message authentication code according to the first security capabilities of the terminal; or,
the processing unit is specifically configured to verify the message authentication code according to second security capabilities of the terminal, the second security capabilities of the terminal being the security capabilities of the terminal on the source base station.
25. A terminal, characterized in that it comprises the device according to any one of claims 13 to 16.
26. A base station, characterized in that it comprises the device according to any one of claims 17 to 24.
27. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are run on a computer, the computer is caused to perform the method according to any one of claims 1 to 12.
28. A computer program product, characterized in that the computer program product comprises instructions, and when the instructions are run on a computer, the computer is caused to perform the method according to any one of claims 1 to 12.
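The procedure that claims 1 to 12 describe, driven end to end as an added Python simulation (illustrative code added here, not code from the patent or from Huawei): the terminal sends its security capabilities together with a message authentication code computed over them; the target base station asks the source base station for the terminal context and the source releases it only if the code verifies; the target selects the first security algorithm from the capabilities, compares it with the second algorithm held in the context, and either answers with a plain resume response (algorithms equal) or sends the newly selected algorithm (algorithms differ); the terminal then protects its RRC message under whichever algorithm applies, and the target recovers it. Where the stored capabilities differ from the claimed ones, the target records a notification for the mobility management element (claim 6). HMAC-SHA256 as the message authentication code and as a stand-in for the integrity algorithm, the algorithm labels "NIA2", "NIA1", "EIA2" and "EIA1" (used only as labels), the shared key, the placeholder cell identifier, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag appended to a protected RRC message


def mac_over_caps(key, caps):
    """MAC generated from the terminal's security capabilities (claims 2 and 9).
    HMAC-SHA256 over a constructed encoding is an assumption; the claims fix no MAC."""
    return hmac.new(key, b"resume|" + ",".join(sorted(caps)).encode(), hashlib.sha256).digest()


def protect_rrc(key, algorithm, rrc_message):
    """Protect an RRC message 'according to' a security algorithm. The algorithm identifier is
    bound into the keyed hash, so a message protected under one algorithm does not verify under
    another (a stand-in for a real integrity algorithm, not an implementation of one)."""
    return rrc_message + hmac.new(key, algorithm.encode() + b"|" + rrc_message, hashlib.sha256).digest()


def unprotect_rrc(key, algorithm, protected):
    """Return the RRC message if its tag verifies under the given algorithm, else None."""
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, algorithm.encode() + b"|" + body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


@dataclass
class Terminal:
    caps: list             # security capabilities carried in the resume request
    second_algorithm: str  # algorithm negotiated earlier with the source base station
    key: bytes

    def build_resume_request(self):
        return {"caps": self.caps, "mac": mac_over_caps(self.key, self.caps)}

    def protect(self, response, rrc_message):
        # Claim 1: use the first algorithm if the target sent one, otherwise the second.
        algorithm = response["algorithm"] or self.second_algorithm
        return protect_rrc(self.key, algorithm, rrc_message), algorithm


@dataclass
class SourceBaseStation:
    stored_caps: list          # "second security capabilities" held in the UE context
    negotiated_algorithm: str  # the "second security algorithm"
    key: bytes

    def handle_context_request(self, mac, claimed_caps):
        # Claim 12: verify over the claimed capabilities if the request carries them,
        # otherwise over the capabilities stored on the source base station.
        check_caps = claimed_caps if claimed_caps is not None else self.stored_caps
        if not hmac.compare_digest(mac, mac_over_caps(self.key, check_caps)):
            return None  # claim 11: the context is released only after a correct MAC
        return {"algorithm": self.negotiated_algorithm, "caps": self.stored_caps, "key": self.key}


@dataclass
class TargetBaseStation:
    priority: list  # operator preference order for algorithm selection (constructed)
    source: SourceBaseStation
    notifications: list = field(default_factory=list)  # to the mobility management element
    ctx: Optional[dict] = None
    active: Optional[str] = None

    def handle_resume_request(self, caps, mac):
        ctx = self.source.handle_context_request(mac, caps)  # claims 9 and 10
        first = next((alg for alg in self.priority if alg in caps), None)  # claim 5
        if ctx is None or first is None:
            return {"status": "rejected", "algorithm": None}
        if sorted(ctx["caps"]) != sorted(caps):  # claim 6: capabilities on record differ
            self.notifications.append(("caps-mismatch", "SOURCE-CELL-ID-PLACEHOLDER", ctx["caps"]))
        self.ctx, self.active = ctx, first
        # Claim 5: same algorithm -> plain resume response; different -> send the first algorithm.
        return {"status": "resume", "algorithm": None if first == ctx["algorithm"] else first}

    def receive_protected(self, protected):
        return unprotect_rrc(self.ctx["key"], self.active, protected)


def run_resume(ue_caps, stored_caps, second_algorithm, target_priority,
               caps_in_transit=None, rrc_message=b"RRCResumeComplete"):
    """Drive one resume procedure end to end and report what each side concluded."""
    key = b"constructed-demo-key-shared-by-ue-and-source"  # assumption, not a 3GPP key
    ue = Terminal(ue_caps, second_algorithm, key)
    target = TargetBaseStation(target_priority, SourceBaseStation(stored_caps, second_algorithm, key))
    request = ue.build_resume_request()
    if caps_in_transit is not None:  # capability list altered between UE and target
        request["caps"] = caps_in_transit
    response = target.handle_resume_request(request["caps"], request["mac"])
    result = {"status": response["status"], "algorithm_used": None, "recovered": None,
              "notifications": len(target.notifications)}
    if response["status"] == "resume":
        protected, result["algorithm_used"] = ue.protect(response, rrc_message)
        result["recovered"] = target.receive_protected(protected)
    return result
```

Calling `run_resume(["NIA2", "NIA1"], ["EIA2", "EIA1"], "EIA2", ["NIA2", "NIA1"])` models a terminal whose context on the source holds 4G capabilities while it now claims 5G capabilities: the source verifies the code over the claimed list (claim 12, first alternative), the resume proceeds under the newly selected "NIA2", and the target records one notification for the mobility management element. Passing `caps_in_transit` with a shorter list than the code was computed over makes the source's check fail, so no context and no algorithm are released; this is the property the code over the capabilities is there to provide.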
CN201810142555.8A 2018-02-11 2018-02-11 A kind of negotiation of security algorithm, sending method and device Pending CN110149630A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810142555.8A CN110149630A (en) 2018-02-11 2018-02-11 A kind of negotiation of security algorithm, sending method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810142555.8A CN110149630A (en) 2018-02-11 2018-02-11 A kind of negotiation of security algorithm, sending method and device

Publications (1)

Publication Number Publication Date
CN110149630A true CN110149630A (en) 2019-08-20

Family

ID=67588945

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810142555.8A Pending CN110149630A (en) 2018-02-11 2018-02-11 A kind of negotiation of security algorithm, sending method and device

Country Status (1)

Country Link
CN (1) CN110149630A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021056563A1 (en) * 2019-09-29 2021-04-01 华为技术有限公司 Communication method and communication apparatus
CN113455032A (en) * 2020-05-29 2021-09-28 华为技术有限公司 Communication method and device
US11252566B2 (en) * 2018-02-23 2022-02-15 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for determining security algorithm, and computer storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102083063A (en) * 2009-11-30 2011-06-01 大唐移动通信设备有限公司 Method, system and equipment for confirming AS key
CN102137400A (en) * 2010-01-23 2011-07-27 中兴通讯股份有限公司 Safety treatment method and system when re-establishing RRC (radio resource control) connection
CN102264064A (en) * 2010-05-27 2011-11-30 中兴通讯股份有限公司 Method and system for synchronizing access stratum (AS) security algorithms
CN102348217A (en) * 2010-07-28 2012-02-08 中兴通讯股份有限公司 Method for determining object network element in switching process and system thereof
CN102413528A (en) * 2010-09-21 2012-04-11 中兴通讯股份有限公司 Switch failure processing method and user equipment
CN102448060A (en) * 2010-09-30 2012-05-09 华为技术有限公司 Secret key management method, authorization checking method and device
CN107046735A (en) * 2016-02-05 2017-08-15 中兴通讯股份有限公司 Connection processing method and device between terminal and network
CN107294723A (en) * 2016-03-31 2017-10-24 中兴通讯股份有限公司 The generation of message integrity authentication information and verification method, device and checking system
CN109729524A (en) * 2017-10-31 2019-05-07 华为技术有限公司 A kind of RRC connection restoration methods and device
CN109803258A (en) * 2017-11-16 2019-05-24 华为技术有限公司 A kind of request restores the method and device of connection

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
3GPP: "3GPP TS 36.300 version 14.2.0 Release 14", 《ETSI TS 136 300 V14.2.0》 *
HUAWEI, HISILICON: "pCR to TS 33.501:Security Handling atTransition from RRC-INACTIVE to RRC-CONNECTED transition", 《3GPP》 *
HUAWEI, HISILICON: "R2-1710569 Remaining issues on State transition between RRC CONNECTED and INACTIVE", 《3GPP R2-1710569》 *
VALTTERI NIEMI, KAISA NYBERG: "UMTS Security", 30 November 2005 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11252566B2 (en) * 2018-02-23 2022-02-15 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for determining security algorithm, and computer storage medium
US11882450B2 (en) 2018-02-23 2024-01-23 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and device for determining security algorithm, and computer storage medium
WO2021056563A1 (en) * 2019-09-29 2021-04-01 华为技术有限公司 Communication method and communication apparatus
US11889310B2 (en) 2019-09-29 2024-01-30 Huawei Technologies Co., Ltd. Communication method and communication apparatus
CN113455032A (en) * 2020-05-29 2021-09-28 华为技术有限公司 Communication method and device
CN113455032B (en) * 2020-05-29 2023-06-27 华为技术有限公司 Communication method, communication device, and computer-readable medium

Similar Documents

Publication Publication Date Title
CN109803259A (en) A kind of request restores the method and device of connection
JP6852184B2 (en) Fault handling methods, handover methods, terminal devices, and network devices
JP6170122B2 (en) Method for simultaneous communication with a plurality of base stations and related communication devices
CN109729524B (en) RRC (radio resource control) connection recovery method and device
US11589220B2 (en) Communications method and apparatus for secure communication when a terminal is in a radio resource control inactive state
CN110149630A (en) A kind of negotiation of security algorithm, sending method and device
US20210045050A1 (en) Communications method and apparatus
CN111542088B (en) Method and apparatus for transmitting timing offset
CN110024331A (en) The guard method of data, device and system
WO2019096171A1 (en) Method and apparatus for requesting recovery of connection
CN110505627A (en) A kind of authentication method and device based on access node group
CN114071452B (en) Method and device for acquiring user subscription data
WO2019149168A1 (en) Message protection method and device
JP2023052294A (en) Security context obtaining method and apparatus, and communication system
CN109819492A (en) A kind of method and apparatus of determining security capabilities
CN108631921A (en) A kind of method and apparatus handled for SN length
CN109936444B (en) Key generation method and device
CN110505662A (en) A kind of policy control method, apparatus and system
CN108810889A (en) Communication means, apparatus and system
US11510257B2 (en) Communications method and apparatus
TW201929571A (en) Network redirection method and terminal, access network device, mobile management device
CN112788795B (en) Connection recovery method and device
WO2020164510A1 (en) Communication method, communication apparatus, and computer-readable storage medium
CN110933607B (en) Method, device and equipment for transmitting positioning information
CN113950121A (en) Context recovery method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190820