CN114650529A - Secret key processing method, device, equipment and storage medium under fault weakening scene - Google Patents


Info

Publication number
CN114650529A
Authority
CN
China
Prior art keywords
message
key
receiving
mme
rrc connection
Prior art date
Legal status
Pending
Application number
CN202011507689.9A
Other languages
Chinese (zh)
Inventor
刘胜国
Current Assignee
TD Tech Ltd
Original Assignee
TD Tech Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 24/00 Supervisory, monitoring or testing arrangements > H04W 24/04 Arrangements for maintaining operational condition
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 76/00 Connection management > H04W 76/10 Connection setup > H04W 76/19 Connection re-establishment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a key processing method, apparatus, device and storage medium for a fail-soft scenario. In the method, the base station receives an RRC connection setup complete message sent by the UE in the fail-soft scenario, the message carrying an NAS message that includes an attach request. The base station then performs an initial security activation procedure according to the encryption and integrity protection key that the ASU MME generates from the stored basic key of the UE, and establishes an initial context for the UE. It then acquires the radio capability information of the UE and sends a security mode command to the UE. Finally, it receives the security mode complete message returned by the UE and completes the attachment of the UE. Because the base station completes the attachment on the basis of an RRC connection setup complete message carrying the NAS message, and the initial security activation is protected with keys derived from the basic key rather than a null algorithm, the risk of counterfeiting during initial security activation is reduced and security is improved.

Description

Secret key processing method, device, equipment and storage medium under fault weakening scene
Technical Field
The present application relates to the field of communications technologies, and in particular to a method, an apparatus, a device, and a storage medium for processing a key in a fail-soft scenario.
Background
The fail-soft scenario refers to a situation in a Long Term Evolution (LTE) Broadband Trunking Communication (BTrunC) system network in which, when communication between a base station and the core network is interrupted or the core network fails, the base station can itself process the registration and service requests of users within its coverage area and support services such as single call and group call.
In the prior art, the fail-soft scenario is implemented mainly by establishing a connection between the base station and the User Equipment (UE), performing initial security activation, and then performing cluster registration for the user.
However, in the prior art the base station carries a null algorithm during initial security activation, so a risk of counterfeiting exists and security is low.
Disclosure of Invention
The application provides a key processing method, apparatus, device and storage medium for a fail-soft scenario, and aims to solve the problem in the prior art that the base station carries a null algorithm during initial security activation, so that a counterfeiting risk exists and security is low.
In a first aspect, an embodiment of the present application provides a key processing method in a fail-soft scenario, applied to a base station, where the base station includes an ASU MME, and the method includes:
receiving an RRC connection setup complete message sent by user equipment (UE) in a fail-soft scenario, wherein the RRC connection setup complete message carries an NAS message, and the NAS message includes an attach request;
performing an initial security activation process according to an encryption and integrity protection key generated by the ASU MME according to the stored basic key of the UE, and establishing an initial context for the UE;
acquiring wireless capability information of the UE;
sending a security mode command to the UE according to the wireless capability information, wherein the security mode command comprises the basic key;
and receiving a safety mode completion message returned by the UE, and completing the attachment of the UE.
In a possible design of the first aspect, the performing an initial security activation procedure according to an encryption and integrity protection key generated by the ASU MME according to the stored base key of the UE includes:
sending a security activation message to the UE, wherein the security activation message comprises the encryption and integrity protection key and an encryption and integrity protection algorithm; the encryption and integrity protection algorithm comprises any one of the following algorithms: AES, Snow3G, ZUC.
And receiving a security activation response message returned by the UE, and completing an initial security activation process.
In another possible design of the first aspect, before the RRC connection setup complete message sent by the UE, the method further includes:
receiving a key transmission message sent by an MME of a core network, wherein the key transmission message comprises an IMSI (International Mobile subscriber identity) of the UE and an encrypted basic key;
and sending the key transmission message to an ASU MME for decryption and storage.
In still another possible design of the first aspect, the method further includes:
sending an RRC connection reconfiguration message to the UE, wherein the RRC connection reconfiguration message comprises an attachment acceptance message;
receiving an RRC connection reconfiguration completion message returned by the UE;
and receiving an attachment completion message sent by the UE, and sending the attachment completion message to the ASU MME.
Optionally, the method further includes:
reallocating a GUTI for the UE; the RRC connection reconfiguration message further includes the GUTI.
In yet another possible design of the first aspect, the method further includes:
receiving a cluster registration request message sent by the UE;
and performing cluster registration according to the cluster registration request message, and sending a cluster registration receiving message to the UE.
Optionally, before receiving the RRC connection setup complete message sent by the UE, the method further includes:
receiving a random access preamble sent by the UE;
returning a random access response to the UE;
receiving an RRC connection setup request message sent by the UE;
and returning an RRC connection setup message to the UE.
In a second aspect, an embodiment of the present application provides a key processing method in a fail-soft scenario, applied to an MME, and the method includes:
after the UE completes network access, acquiring a basic key of the UE, and encrypting according to a pre-configured encryption algorithm to obtain an encrypted basic key;
sending a key transmission message to a base station, the key transmission message including the IMSI of the UE and the encrypted base key.
In a third aspect, an embodiment of the present application provides a key processing apparatus in a scene of failure weakening, including: the device comprises a receiving module, an activating module, an acquiring module and a sending module;
the receiving module is configured to receive an RRC connection setup complete message sent by a UE in a scene of failure weakening, where the RRC connection setup complete message carries an NAS message, and the NAS message includes an attach request;
the activation module is configured to perform an initial security activation process according to an encryption and integrity protection key generated by the ASU MME according to the stored basic key of the UE, and establish an initial context for the UE;
the acquiring module is used for acquiring the wireless capability information of the UE;
the sending module is configured to send a security mode command to the UE according to the wireless capability information, where the security mode command includes the basic key;
the receiving module is further configured to receive a security mode completion message returned by the UE, and complete the attachment of the UE.
In a possible design of the third aspect, the activation module is specifically configured to:
sending a security activation message to the UE, wherein the security activation message comprises the encryption and integrity protection key and an encryption and integrity protection algorithm; the encryption and integrity protection algorithm comprises any one of the following algorithms: AES, Snow3G, ZUC.
And receiving a security activation response message returned by the UE, and completing an initial security activation process.
In another possible design of the third aspect, the receiving module is further configured to receive a key transmission message sent by an MME of a core network, where the key transmission message includes an IMSI and an encrypted basic key of the UE; the sending module is further configured to send the key transmission message to the ASU MME for decryption and storage.
In yet another possible design of the third aspect, the sending module is further configured to send an RRC connection reconfiguration message to the UE, where the RRC connection reconfiguration message includes an attach accept message; the receiving module is further configured to receive an RRC connection reconfiguration complete message returned by the UE; the receiving module is further configured to receive an attach complete message sent by the UE, and the sending module is further configured to send the attach complete message to the ASU MME.
Optionally, the key processing apparatus in the fail-soft scenario may further include: a distribution module;
the allocating module is configured to reallocate a GUTI for the UE; the RRC connection reconfiguration message further includes the GUTI.
In yet another possible design of the third aspect, the receiving module is further configured to receive a cluster registration request message sent by the UE; the sending module is further configured to perform cluster registration according to the cluster registration request message, and send a cluster registration reception message to the UE.
In yet another possible design of the third aspect, the receiving module is further configured to receive a random access preamble sent by the UE; the sending module is further configured to return a random access response to the UE; the receiving module is further configured to receive an RRC connection setup request message sent by the UE; and the sending module is further configured to return an RRC connection setup message to the UE.
In a fourth aspect, an embodiment of the present application provides a key processing apparatus in a scene of failure weakening, including: the device comprises an acquisition module and a sending module;
the obtaining module is used for obtaining a basic key of the UE after the UE completes network access, and encrypting the basic key according to a pre-configured encryption algorithm to obtain an encrypted basic key;
the sending module is configured to send a key transmission message to a base station, where the key transmission message includes the IMSI of the UE and the encrypted basic key.
In a fifth aspect, an embodiment of the present application provides an electronic device, including a processor, a memory, and computer program instructions stored in the memory and executable on the processor; when the processor executes the computer program instructions, the method of the first aspect and each of its possible designs is implemented.
In a sixth aspect, embodiments of the present application may provide a computer-readable storage medium, in which computer-executable instructions are stored, and when executed by a processor, the computer-executable instructions are used to implement the methods provided by the first aspect, the second aspect, and various possible designs.
In a seventh aspect, embodiments of the present application provide a computer program product, which includes a computer program that, when executed by a processor, is configured to implement the methods provided in the first aspect, the second aspect, and various possible designs.
According to the key processing method, device, equipment and storage medium in the scene of failure weakening, in the method, an RRC connection establishment completion message sent by UE is received in the scene of failure weakening. And then, according to an encryption and integrity protection key generated by the ASU MME according to the stored basic key of the UE, carrying out an initial security activation process to establish an initial context for the UE. And then acquiring the wireless capability information of the UE and sending a security mode command to the UE. And finally, receiving a safety mode completion message returned by the UE and completing the attachment of the UE. In the method, the base station realizes the attachment to the UE by receiving the RRC connection establishment completion message carrying the NAS message sent by the UE, reduces the risk of counterfeiting in the process of initializing the security activation and improves the security.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flowchart of a first embodiment of a key processing method in a fail-soft scenario according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another embodiment of a key processing method in a fail-soft scenario according to the present application;
fig. 3 is a schematic structural diagram of a first embodiment of a key processing apparatus in a fail-soft scenario according to the present application;
fig. 4 is a schematic structural diagram of a second embodiment of a key processing apparatus in a fail-soft scenario according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a third embodiment of a key processing apparatus in a fail-soft scenario according to the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. The drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the disclosed concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Before introducing the embodiments of the present application, the background of the present application is explained first.
With the rapid development of the mobile internet, the trunking communication is widely applied in various industries, and is gradually entering the era of a new generation broadband multimedia trunking system. The LTE BTrunC system network consists of a core network, a base station and UE. The core network mainly provides UE connection, manages the UE, and carries the service, and serves as an interface for the bearer network to provide to an external network. The base station is an interface device for accessing the UE to the internet, and refers to a radio transceiver station for information transmission with a mobile phone terminal in a certain radio coverage area.
When a sudden disaster occurs or the trunking system is damaged by human action, the trunking system can no longer be used normally by its users. To keep users working and to reduce the loss of public property caused by faults in the trunking system, the system needs dedicated survivability scenarios, of which the fail-soft scenario is an important one. The fail-soft scenario refers to a situation in an LTE BTrunC system network in which, when communication between a base station and the core network is interrupted or the core network fails, the base station can itself process the registration and service requests of users within its coverage area and support services such as single call and group call.
In the prior art, the fail-soft scenario is implemented mainly by establishing a connection between the base station and the UE, performing initial security activation, and then performing cluster registration for the user. However, in the prior art the base station carries a null algorithm during initial security activation, so a risk of counterfeiting exists and security is low.
In view of the above problems, the inventive concept of the present application is as follows: for the implementation process of the failure weakening scene, in the current scheme, as the base station carries a null algorithm in the process of initializing the security activation, the risk of counterfeiting exists. Based on this, the inventor finds that if the basic key of the UE is encrypted and the process of initializing the security activation of the base station is protected by encryption, the problem of counterfeit risk in the prior art can be solved, and the purpose of improving the UE attachment security is achieved.
The technical solution of the present application will be described in detail below with reference to specific examples.
It should be noted that the following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flowchart of a first embodiment of a key processing method in a scene of failure weakening according to the present application. As shown in fig. 1, the key processing method in the fail-soft scenario may include the following steps:
s101: after the UE completes network access, the MME acquires a basic key of the UE and encrypts the basic key according to a pre-configured encryption algorithm to obtain an encrypted basic key.
In this embodiment, the base station does not hold the subscription (SIM provisioning) information of the UE and therefore cannot obtain the basic key itself. After the UE completes network access, a Mobility Management Entity (MME) of the core network therefore acquires the basic key of the UE. To protect the basic key, the MME encrypts it with a pre-configured encryption algorithm to obtain the encrypted basic key. It should be understood that the base station includes an enhanced Service Unit (ASU) MME.
Specifically, the UE first performs cell search. Since the UE does not know the downlink configuration of the cell (unless information about a previously attached cell is already stored), it needs synchronization signals, namely the Primary Synchronization Signal (PSS) and the Secondary Synchronization Signal (SSS), to obtain downlink synchronization. Using these signals, the UE completes downlink synchronization and finds the physical cell identifier. The UE then scans all carriers in the frequency bands it supports; on each carrier it selects the cell with the strongest signal and reads its system information to find the Public Land Mobile Network (PLMN) to which the cell belongs. Using the PLMN selection information stored in its Universal Subscriber Identity Module (USIM), the UE completes registration with the MME of the core network, that is, network access.
In this step, after the UE completes network access, the MME obtains the basic key of the UE from the UE's registration information and encrypts it with the pre-configured encryption algorithm, which protects the basic key during its subsequent transmission and reduces the risk of it being obtained illegitimately. The MME thereby holds the encrypted basic key, ready to be sent to the base station.
Encrypting the basic key with an encryption algorithm is a common security measure. The pre-configured encryption algorithm may be the Data Encryption Standard (DES), or another algorithm such as the Triple Data Encryption Algorithm (TDEA) or the Advanced Encryption Standard (AES); this embodiment does not limit the choice.
S102: the MME sends a key transfer message to the base station.
In this step, since the base station must derive the encryption and integrity protection key from the basic key, the MME, having obtained the encrypted basic key, sends a key transmission message containing the encrypted basic key to the base station.
The key transmission message includes the International Mobile Subscriber Identity (IMSI) of the UE and the encrypted basic key.
The IMSI is an identification code that is unique across all cellular networks and is used to distinguish users in those networks; it is stored in a 64-bit field. The IMSI contains information about the user, such as the user's name and mobile phone number.
Specifically, the MME takes the encrypted basic key and the IMSI that the UE used when registering, and sends the base station a key transmission message carrying both, so that the ASU MME can subsequently decrypt and store them.
S103: receiving an RRC connection setup complete message sent by the UE in the fail-soft scenario.
In this step, before receiving the Radio Resource Control (RRC) connection setup complete message sent by the UE, the base station first receives the key transmission message sent by the MME of the core network and passes it to the ASU MME for decryption and storage.
Specifically, after receiving the key transmission message from the MME, the base station forwards it to the ASU MME; the message carries the encrypted basic key and the IMSI. The ASU MME extracts the encrypted basic key and the IMSI carried in the message, decrypts the encrypted basic key with the corresponding algorithm, and stores the decrypted basic key together with the IMSI.
Further, once the UE has completed cell search it has completed downlink synchronization; it must then obtain uplink synchronization, and only after that can it transmit uplink data. Therefore, in the fail-soft scenario, the UE sends a random access preamble to the base station, and the base station receives the preamble, allows the UE to access, and sends a random access response to the UE.
The UE then receives the random access response from the base station and, using the parameters it carries, sends an RRC connection setup request message to the base station; the request includes the IMSI and the RRC establishment cause. The base station receives the RRC connection setup request, allows the UE to establish the RRC connection, and sends an RRC connection setup message to the UE, which carries the dedicated radio resource configuration the UE is to apply.
Finally, the UE configures RRC according to the RRC connection setup message sent by the base station and, once configuration is complete, sends an RRC connection setup complete message to the base station requesting attachment so that it can receive service from the core network. The base station receives the connection setup complete message from the UE and forwards it to the ASU MME.
The RRC connection setup complete message carries a Non-Access Stratum (NAS) message, and the NAS message includes the attach request.
S104: and performing an initial security activation process according to an encryption and integrity protection key generated by the ASU MME according to the stored basic key of the UE, and establishing an initial context for the UE.
In this step, in order to complete the attachment of the UE to the ASU MME, the ASU MME obtains an attachment request of the UE according to the connection establishment completion message sent by the UE, and performs an initial security activation process according to the attachment request to establish an initial context for the UE.
Specifically, the ASU MME generates an encryption and integrity protection key according to the stored base key of the UE and the encryption and integrity protection algorithm.
The attach request carries the encryption and integrity protection algorithms, which may be any one of AES, Snow3G and ZUC; which algorithm is used is determined by the radio capability information of the UE and the configuration of the MME.
Specifically, the ASU MME sends a security activation message to the UE, where the security activation message includes a ciphering and integrity protection key and a ciphering and integrity protection algorithm. And the UE receives the security activation message, performs initial security activation on the UE according to the security activation message, and sends a security activation response message to the base station after the activation is finished.
Further, the base station receives a security activation response message returned by the UE, and sends the security activation response message to the ASU MME, thereby completing the initial security activation process.
In order to enable the UE to complete attachment at the ASU MME, the ASU MME needs to establish an initial context for the UE.
Specifically, the ASU MME sends a user authentication request to the UE, where the user authentication request carries an initial key, an authentication parameter, and a random sequence. In addition, the user authentication request includes encryption and integrity protection algorithms.
Wherein the initial key is used to decrypt the base key.
Next, the UE receives a user authentication request from the ASU MME, authenticates the UE according to the user authentication request, and sends corresponding information of user authentication to the ASU MME. Wherein, the corresponding information of user authentication comprises the user authentication result of the UE.
Further, the ASU MME sends an initial context setup request to the base station, requesting the base station to establish bearer resources. Wherein, the initial context setup request includes UE security (security).
And finally, the base station acquires the initial context setting request, inquires and updates user information according to the request and establishes the initial context.
S105: and acquiring the wireless capability information of the UE.
In this step, the base station needs to know the radio capability information of the UE to make a reasonable decision when making various event decisions or executing encryption and integrity protection algorithms. Therefore, the base station needs to acquire the radio capability information of the UE.
Specifically, the ASU MME sends a UE capability query to the UE, and the UE sends the wireless capability information of the UE to the ASU MME after receiving the capability query, so that the ASU MME makes a reasonable decision on the event subsequently.
S106: sending a security mode command to the UE based on the radio capability information
In this step, the ASU MME sends a security mode command to the UE through the air interface according to the acquired radio capability information of the UE.
The security mode command includes a basic key, and in addition, the security mode command may further include UE security capabilities (security capabilities), ciphering, and integrity protection algorithms.
Specifically, the security mode procedure is actually to confirm the ciphering and integrity protection algorithm and parameters between the UE and the ASU MME.
Further, after receiving the security mode command sent by the ASU MME, the UE performs integrity protection verification on the security mode command, and if the verification passes, sends security mode completion information to the ASU MME, and encrypts and performs integrity protection on the security mode completion information.
S107: and receiving a safety mode completion message returned by the UE and completing the attachment of the UE.
In this step, the ASU MME receives a security mode completion message returned by the UE, that is, the ASU MME performs an air interface security mode operation on the UE, and activates a security mechanism of a corresponding air interface of the UE.
Optionally, the ASU MME sends the attach request to the base station, and the base station sends it on to the UE, establishes a default bearer for the UE, and sends an RRC connection reconfiguration message to the UE according to the attach request. The RRC connection reconfiguration message includes an attach accept message.
In a specific implementation manner, the base station reallocates a Globally Unique Temporary Identity (GUTI) to the UE, and the RRC connection reconfiguration message further includes the GUTI. The GUTI is used for uniquely identifying the UE, so that the exposure of user private parameters such as IMSI and the like in network transmission can be reduced. When the UE requests attachment for the first time, the attachment request carries the IMSI, and then the MME can carry out one correspondence between the IMSI and the GUTI to reallocate the GUTI for the UE.
Further, the UE receives the connection reconfiguration message, reconfigures the connection with the RRC, and sends an RRC connection reconfiguration complete message to the base station. And the base station receives the RRC connection reconfiguration completion message returned by the UE, receives the attachment completion message sent by the UE, and sends the attachment completion message to the ASU MME.
Further, the cluster may perform cluster registration for the UE.
Specifically, the UE sends a cluster registration request message to the ASU MME, so that the ASU MME performs cluster registration on the UE. After receiving the cluster registration request message, the ASU MME performs cluster registration on the UE according to the cluster registration request message. And after receiving the registration, the ASU MME sends a cluster registration receiving message to the UE.
Fig. 2 is a schematic flowchart of a key processing method in a fail-soft scenario according to another embodiment of the present application. As shown in Fig. 2, the key processing method in the fail-soft scenario may include the following steps:
step 1: after the UE completes network access, the MME acquires the basic key of the UE and sends a key transmission message to the base station, the key transmission message carrying the encrypted basic key and the IMSI; after receiving the key transmission message from the MME, the base station forwards it to the ASU MME;
step 2: the UE sends a random access preamble to the base station;
step 3: the base station receives the random access preamble sent by the UE, allows the UE to access, and sends a random access response to the UE;
step 4: the UE sends an RRC connection setup request message to the base station;
step 5: the base station receives the RRC connection setup request message, allows the UE to set up the RRC connection, and sends an RRC connection setup message to the UE;
step 6: the UE configures the RRC connection according to the RRC connection setup message sent by the base station and, once configuration is complete, sends an RRC connection setup complete message to the base station; the base station receives the RRC connection setup complete message, forwards it to the ASU MME, and performs the initial security activation procedure;
step 7: the ASU MME sends a user authentication request to the UE;
step 8: the UE receives the user authentication request from the ASU MME, performs authentication according to it, and sends a user authentication response to the ASU MME;
step 9: the ASU MME sends an initial context setup request to the base station; the base station queries and updates the user information according to the request and establishes the initial context;
step 10: the ASU MME sends a UE capability enquiry to the UE;
step 11: after receiving the capability enquiry, the UE sends its radio capability information to the ASU MME;
step 12: the ASU MME sends a security mode command to the UE over the air interface according to the acquired radio capability information of the UE;
step 13: after receiving the security mode command from the ASU MME, the UE verifies its integrity protection; if verification passes, the UE sends a security mode complete message to the ASU MME, ciphered and integrity protected;
step 14: the ASU MME sends an attach accept to the base station, and the base station establishes a default bearer for the UE;
step 15: the base station sends an RRC connection reconfiguration message carrying the attach accept to the UE;
step 16: the UE receives the RRC connection reconfiguration message, reconfigures the RRC connection, and sends an RRC connection reconfiguration complete message to the base station;
step 17: the UE sends an attach complete message to the base station, and the base station forwards the attach complete message to the ASU MME;
step 18: the UE sends a cluster registration request message to the ASU MME;
step 19: after receiving the cluster registration request message, the ASU MME performs cluster registration for the UE according to it and, having accepted the registration, sends a cluster registration accept message to the UE.
It should be appreciated that the base station includes an ASU MME.
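The following Go program is an added example written for this page; it is not code from the patent or from TD Tech. It simulates the key path that the procedure above depends on: the MME wraps the basic key of one IMSI (step 1, claim 8), the ASU MME inside the base station unwraps and stores it (claim 3), derives ciphering and integrity keys from it (claim 2), and issues an integrity-protected security mode command that the UE verifies with its own copy of the basic key before returning a protected security mode complete (steps 12 and 13). The page names no concrete algorithms for these operations, so everything below is an assumption: AES-GCM with the IMSI as associated data as the "pre-configured encryption algorithm" for the wrapped key, HMAC-SHA256 truncated to 128 bits as the key derivation, and a truncated HMAC as a stand-in for the EIA-class integrity algorithms. The IMSI, keys and labels are constructed sample values. The security mode command here carries only the selected algorithm and its MAC, so it does not reproduce the claim wording that the command "includes the basic key", and ciphering of the security mode complete message is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyTransfer: MME -> base station -> ASU MME, IMSI in clear plus the wrapped basic key (claims 3, 8).
type KeyTransfer struct {
	IMSI       string
	WrappedKey []byte // nonce || AES-GCM ciphertext; AES-GCM is this example's assumption
}
// NewTransport builds the AEAD for the pre-configured MME/ASU transport key (assumed scheme).
func NewTransport(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapBaseKey is the MME side; the IMSI is bound as associated data, so the key cannot be re-addressed.
func WrapBaseKey(t cipher.AEAD, imsi string, baseKey []byte) (KeyTransfer, error) {
	nonce := make([]byte, t.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return KeyTransfer{}, err
	}
	return KeyTransfer{IMSI: imsi, WrappedKey: t.Seal(nonce, nonce, baseKey, []byte(imsi))}, nil
}

// ASU is the MME function inside the base station; it holds unwrapped basic keys by IMSI.
type ASU struct {
	Transport cipher.AEAD
	BaseKeys  map[string][]byte
}
// OnKeyTransfer is "decrypt and store"; a tampered or re-addressed message stores nothing.
func (a *ASU) OnKeyTransfer(m KeyTransfer) error {
	n := a.Transport.NonceSize()
	if len(m.WrappedKey) < n {
		return fmt.Errorf("wrapped key for %s too short", m.IMSI)
	}
	k, err := a.Transport.Open(nil, m.WrappedKey[:n], m.WrappedKey[n:], []byte(m.IMSI))
	if err != nil {
		return fmt.Errorf("basic key for %s rejected: %w", m.IMSI, err)
	}
	a.BaseKeys[m.IMSI] = k
	return nil
}

// DeriveKey: ciphering ("enc") or integrity ("int") key for the chosen algorithm (claim 2); HMAC-SHA256 over label||alg, 128 bits.
func DeriveKey(baseKey []byte, alg byte, label string) []byte {
	h := hmac.New(sha256.New, baseKey)
	h.Write(append([]byte(label), alg))
	return h.Sum(nil)[:16]
}

// MacI is a 32-bit tag over dir||msg (dir 0 = downlink, 1 = uplink); truncated HMAC stands in for EIA1/2/3.
func MacI(kInt []byte, dir byte, msg []byte) []byte {
	h := hmac.New(sha256.New, kInt)
	h.Write(append([]byte{dir}, msg...))
	return h.Sum(nil)[:4]
}

// SecurityModeCommandFor runs in the ASU MME once the attach request has arrived (step 12); wire form alg || MAC-I.
func (a *ASU) SecurityModeCommandFor(imsi string, alg byte) ([]byte, error) {
	base, ok := a.BaseKeys[imsi]
	if !ok {
		return nil, fmt.Errorf("no basic key stored for %s", imsi)
	}
	return append([]byte{alg}, MacI(DeriveKey(base, alg, "int"), 0, []byte{alg})...), nil
}

// UEVerifySecurityMode is step 13 on the UE: re-derive kInt from its own basic key, check the MAC-I, answer with a protected complete.
func UEVerifySecurityMode(ueBaseKey []byte, cmd []byte) ([]byte, error) {
	if len(cmd) != 5 {
		return nil, fmt.Errorf("malformed security mode command")
	}
	kInt := DeriveKey(ueBaseKey, cmd[0], "int")
	if !hmac.Equal(cmd[1:], MacI(kInt, 0, cmd[:1])) {
		return nil, fmt.Errorf("security mode command failed integrity check")
	}
	msg := []byte("SecurityModeComplete")
	return append(msg, MacI(kInt, 1, msg)...), nil
}

func main() {
	t, _ := NewTransport([]byte("asu-transport-16")) // constructed pre-shared key
	asu := &ASU{Transport: t, BaseKeys: map[string][]byte{}}
	base := []byte("base-key-16bytes") // constructed basic key of the UE
	kt, _ := WrapBaseKey(t, "460001234567890", base)
	fmt.Println("stored:", asu.OnKeyTransfer(kt))
	cmd, _ := asu.SecurityModeCommandFor("460001234567890", 1)
	fmt.Println(UEVerifySecurityMode(base, cmd))
}
```

Run it with `go run`. The checks a fail-soft base station needs before serving an attach without the core are all visible in the error paths: a wrapped key re-addressed to another IMSI or truncated in transit fails AES-GCM authentication and is never stored, a security mode command built under a different basic key (or with its algorithm byte changed after the MAC was computed) fails the UE's integrity check, and no command can be built at all for an IMSI whose key the ASU MME never received.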
According to the key processing method in the fail-soft scenario provided by this embodiment, the base station receives, in the fail-soft scenario, the RRC connection setup complete message sent by the UE. It then performs the initial security activation procedure using the ciphering and integrity protection keys that the ASU MME generates from the stored basic key of the UE, and establishes an initial context for the UE. Next it acquires the radio capability information of the UE and sends a security mode command to the UE. Finally, it receives the security mode complete message returned by the UE and completes the attach of the UE. By receiving the RRC connection setup complete message carrying the NAS message from the UE, the base station completes the attach locally, reduces the risk of impersonation during initial security activation, and improves security.
The following are apparatus embodiments of the present application, which may be used to perform the method embodiments of the present application. For details not disclosed in the apparatus embodiments, reference is made to the method embodiments.
Fig. 3 is a schematic structural diagram of a first embodiment of a key processing apparatus in a fail-soft scenario according to the present application. As shown in Fig. 3, the key processing apparatus 30 in the fail-soft scenario may include: a receiving module 31, an activation module 32, an acquiring module 33, and a sending module 34.
The receiving module 31 is configured to receive, in the fail-soft scenario, an RRC connection setup complete message sent by the UE, where the RRC connection setup complete message carries a NAS message and the NAS message includes an attach request;
the activation module 32 is configured to perform an initial security activation procedure according to the ciphering and integrity protection keys generated by the ASU MME from the stored basic key of the UE, and to establish an initial context for the UE;
the acquiring module 33 is configured to acquire radio capability information of the UE;
the sending module 34 is configured to send a security mode command to the UE according to the radio capability information, where the security mode command includes the basic key.
in one possible design of the embodiment of the present application, the activation module 32 is specifically configured to:
sending a security activation message to the UE, where the security activation message includes the ciphering and integrity protection keys and a ciphering and integrity protection algorithm; the ciphering and integrity protection algorithm is any one of AES, Snow3G, and ZUC;
and receiving a security activation response message returned by the UE, completing the initial security activation procedure.
In another possible design of the embodiment of the present application, the receiving module 31 is further configured to receive a key transmission message sent by an MME of the core network, where the key transmission message includes the IMSI of the UE and the encrypted basic key; the sending module 34 is further configured to send the key transmission message to the ASU MME for decryption and storage.
In another possible design of the embodiment of the present application, the sending module 34 is further configured to send an RRC connection reconfiguration message to the UE, where the RRC connection reconfiguration message includes an attach accept message; the receiving module 31 is further configured to receive an RRC connection reconfiguration complete message returned by the UE; and the receiving module 31 is further configured to receive an attach complete message sent by the UE and to send the attach complete message to the ASU MME.
In another possible design of the embodiment of the present application, the receiving module 31 is further configured to receive a cluster registration request message sent by the UE; the sending module 34 is further configured to perform cluster registration according to the cluster registration request message and to send a cluster registration accept message to the UE.
In another possible design of the embodiment of the present application, the receiving module 31 is further configured to receive a random access preamble sent by the UE; the sending module 34 is further configured to return a random access response to the UE; the receiving module 31 is further configured to receive an RRC connection setup request message sent by the UE; and the sending module 34 is further configured to return an RRC connection setup message to the UE.
Fig. 4 is a schematic structural diagram of a second embodiment of a key processing apparatus in a fail-soft scenario provided in the embodiment of the present application. As shown in Fig. 4, on the basis of the foregoing embodiment, the key processing apparatus 30 in the fail-soft scenario further includes an allocation module 35.
The allocation module 35 is configured to reallocate a GUTI for the UE; the RRC connection reconfiguration message then also includes the GUTI.
Fig. 5 is a schematic structural diagram of a third embodiment of a key processing apparatus in a fail-soft scenario provided in the embodiment of the present application. Referring to Fig. 5, the key processing apparatus 50 in the fail-soft scenario may include an acquiring module 51 and a sending module 52.
The acquiring module 51 is configured to acquire the basic key of the UE after the UE completes network access, and to encrypt the basic key according to a pre-configured encryption algorithm to obtain an encrypted basic key;
the sending module 52 is configured to send a key transmission message to the base station, where the key transmission message includes the IMSI of the UE and the encrypted basic key.
The apparatus provided in the embodiment of the present application may be configured to execute the key processing method in the fail-soft scenario of the foregoing embodiment; the implementation principle and technical effect are similar and are not repeated here.
It should be noted that the division of the above apparatus into modules is only a logical division; in an actual implementation the modules may be wholly or partially integrated into one physical entity, or physically separated. These modules may be implemented as software invoked by a processing element, entirely in hardware, or as a mix in which some modules are software invoked by a processing element and others are hardware. All or some of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each module above, may be completed by integrated logic circuitry in hardware within a processor element, or by instructions in software form.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in Fig. 6, the electronic device may include a processor 61, a memory 62, a communication interface 63, and computer program instructions stored in the memory and executable on the processor which, when executed by the processor, implement the key processing method in the fail-soft scenario provided by any of the preceding embodiments.
Optionally, the above components of the electronic device may be connected by a system bus.
The memory 62 may be a separate memory unit or a memory unit integrated into the processor. There may be one or more processors.
The communication interface 63 is used to enable communication between the electronic device and other devices.
It should be understood that the processor 61 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), or the like. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the present application may be embodied directly in a hardware processor, or in a combination of hardware and software modules within the processor.
The system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The memory may comprise Random Access Memory (RAM), and may also include non-volatile memory, such as at least one disk memory.
All or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The aforementioned program may be stored in a readable memory. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk, and any combination thereof.
The electronic device provided in the embodiment of the present application may be configured to execute the key processing method in the fail-soft scenario provided by any of the method embodiments; the implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to execute the key processing method in the fail-soft scenario described above.
The computer-readable storage medium may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk. A readable storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
Alternatively, a readable storage medium may be coupled to the processor so that the processor can read information from, and write information to, the readable storage medium; the readable storage medium may also be an integral part of the processor. The processor and the readable storage medium may reside in an Application Specific Integrated Circuit (ASIC), or as discrete components in the apparatus.
An embodiment of the present application further provides a computer program product comprising a computer program stored in a computer-readable storage medium; at least one processor can read the computer program from the storage medium and, when executing it, implement the key processing method in the fail-soft scenario described above.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (13)

1. A key processing method in a fail-soft scenario, applied to a base station, wherein the base station comprises an enhanced service module (ASU) Mobility Management Entity (MME), the method comprising:
receiving, in the fail-soft scenario, a Radio Resource Control (RRC) connection setup complete message sent by User Equipment (UE), wherein the RRC connection setup complete message carries a non-access stratum (NAS) message, and the NAS message comprises an attach request;
performing an initial security activation procedure according to ciphering and integrity protection keys generated by the ASU MME from the stored basic key of the UE, and establishing an initial context for the UE;
acquiring radio capability information of the UE;
sending a security mode command to the UE according to the radio capability information, wherein the security mode command comprises the basic key;
and receiving a security mode complete message returned by the UE, and completing the attach of the UE.
2. The method of claim 1, wherein performing the initial security activation procedure according to the ciphering and integrity protection keys generated by the ASU MME from the stored basic key of the UE comprises:
sending a security activation message to the UE, wherein the security activation message comprises the ciphering and integrity protection keys and a ciphering and integrity protection algorithm, the ciphering and integrity protection algorithm being any one of: AES, Snow3G, ZUC;
and receiving a security activation response message returned by the UE, completing the initial security activation procedure.
3. The method of claim 1, wherein before receiving the RRC connection setup complete message sent by the UE, the method further comprises:
receiving a key transmission message sent by an MME of the core network, wherein the key transmission message comprises the International Mobile Subscriber Identity (IMSI) of the UE and an encrypted basic key;
and sending the key transmission message to the ASU MME for decryption and storage.
4. The method according to any one of claims 1 to 3, further comprising:
sending an RRC connection reconfiguration message to the UE, wherein the RRC connection reconfiguration message comprises an attach accept message;
receiving an RRC connection reconfiguration complete message returned by the UE;
and receiving an attach complete message sent by the UE, and sending the attach complete message to the ASU MME.
5. The method of claim 4, further comprising:
reallocating a Globally Unique Temporary Identity (GUTI) for the UE, wherein the RRC connection reconfiguration message further comprises the GUTI.
6. The method of claim 4, further comprising:
receiving a cluster registration request message sent by the UE;
and performing cluster registration according to the cluster registration request message, and sending a cluster registration accept message to the UE.
7. The method according to any one of claims 1 to 3, wherein before receiving the RRC connection setup complete message sent by the UE, the method further comprises:
receiving a random access preamble sent by the UE;
returning a random access response to the UE;
receiving an RRC connection setup request message sent by the UE;
and returning an RRC connection setup message to the UE.
8. A key processing method in a fail-soft scenario, applied to a Mobility Management Entity (MME), the method comprising:
after User Equipment (UE) completes network access, acquiring a basic key of the UE and encrypting it according to a pre-configured encryption algorithm to obtain an encrypted basic key;
and sending a key transmission message to a base station, wherein the key transmission message comprises the IMSI of the UE and the encrypted basic key.
9. A key processing apparatus in a fail-soft scenario, comprising a receiving module, an activation module, an acquiring module and a sending module, wherein:
the receiving module is configured to receive, in the fail-soft scenario, a Radio Resource Control (RRC) connection setup complete message sent by User Equipment (UE), wherein the RRC connection setup complete message carries a non-access stratum (NAS) message, and the NAS message comprises an attach request;
the activation module is configured to perform an initial security activation procedure according to ciphering and integrity protection keys generated by an enhanced service module (ASU) Mobility Management Entity (MME) from the stored basic key of the UE, and to establish an initial context for the UE;
the acquiring module is configured to acquire radio capability information of the UE;
the sending module is configured to send a security mode command to the UE according to the radio capability information, wherein the security mode command comprises the basic key;
and the receiving module is further configured to receive a security mode complete message returned by the UE, completing the attach of the UE.
10. A key processing apparatus in a fail-soft scenario, comprising an acquiring module and a sending module, wherein:
the acquiring module is configured to acquire a basic key of User Equipment (UE) after the UE completes network access, and to encrypt the basic key according to a pre-configured encryption algorithm to obtain an encrypted basic key;
and the sending module is configured to send a key transmission message to a base station, wherein the key transmission message comprises the IMSI of the UE and the encrypted basic key.
11. An electronic device, comprising a processor, a memory, a communication interface and computer program instructions stored in the memory and executable on the processor, wherein the processor, when executing the computer program instructions, implements the key processing method in a fail-soft scenario according to any one of claims 1 to 8.
12. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the key processing method in a fail-soft scenario according to any one of claims 1 to 8.
13. A computer program product comprising a computer program which, when executed by a processor, implements the key processing method in a fail-soft scenario according to any one of claims 1 to 8.

Priority Applications (1)

Application number: CN202011507689.9A
Priority date: 2020-12-18
Filing date: 2020-12-18
Title: Secret key processing method, device, equipment and storage medium under fault weakening scene


Publications (1)

Publication number: CN114650529A (en)
Publication date: 2022-06-21

Family

ID=81990803

Family Applications (1)

Application number: CN202011507689.9A
Status: Pending
Publication: CN114650529A (en)
Priority date: 2020-12-18
Filing date: 2020-12-18
Title: Secret key processing method, device, equipment and storage medium under fault weakening scene

Country Status (1)

Country Link
CN (1) CN114650529A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination