CN1794682A - Method of establishing a security channel in a radio access network - Google Patents

Method of establishing a security channel in a radio access network

Publication number: CN1794682A
Authority: CN (China)
Prior art keywords: source, target, network identifier, authenticator, server
Legal status: Granted (the legal status shown by Google is an assumption, not a legal conclusion)
Application number: CN 200510116986
Other languages: Chinese (zh)
Other versions: CN100563186C
Inventor: 肖正飞
Current assignee: Huawei Technologies Co Ltd (listed assignees may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Priority application: CNB200510116986XA
Published as: CN1794682A (application), CN100563186C (granted patent)
Current legal status: Active

Classification: Mobile Radio Communication Systems (AREA)
Abstract

This invention discloses a method for establishing a security channel in a wireless access network. When a mobile subscriber station is handed over, the target base station obtains the identifier of the source server, requests key information according to that identifier, and uses the key information to establish a security channel with the handed-over mobile subscriber station.

Description

Method of establishing a security channel in a wireless access network
Technical field
The present invention relates to techniques for securing wireless access networks, and in particular to a method of establishing a security channel in a wireless access network.
Background technology
With the rapid growth of Internet services and the wide deployment of wireless networks, ever higher security requirements are placed on wireless access networks. Beyond the widely used methods that improve the security of wireless communication, such as device authentication, user authentication and service authorization, the establishment of a security channel between the mobile subscriber station (MSS) and the base station (BS) and the exchange of security information over it, as well as the establishment of security channels and the exchange of security information between the BS and the Authenticator and between the Authenticator and the Authentication Server, are all issues that currently need particular attention.

Fig. 1 shows the security architecture of a present-day wireless access network. As shown in Fig. 1, the security architecture mainly involves the following network elements: MSS, BS, Authenticator and Authentication Server.

The main functions of the MSS in this architecture are to initiate authentication and authorization, to exchange with the Authentication Server the information needed to produce a root key, to generate the root key, to generate from the root key the authorization key (AK) needed to encrypt air-interface data, and to derive from the AK the other keys used for data encryption and for integrity checking of management messages.

The functions of the BS in this architecture are to provide the security channel between the BS and the MSS, to compress and encrypt air-interface data, to exchange security information between the BS and the MSS, and to provide the MSS with a security channel from the BS to the Authenticator.

The main functions of the Authenticator in this architecture are to act as a proxy for MSS authentication, to generate, from the root-key material supplied by the Authentication Server and shared with the MSS, the AK needed to establish the security channel between the BS and the MSS, and to distribute the AK to the corresponding BS.

The main functions of the Authentication Server include authenticating the MSS, generating root-key material and distributing it to the Authenticator, and, when user information changes, notifying the Authenticator and the other affected network elements in time.
When an MSS first enters the wireless access network, the authentication and authorization of the MSS and the establishment of the security channel with the BS proceed as follows:
A. The MSS sends authentication-related information to the Authentication Server via the BS and the Authenticator;
The authentication-related information depends on the authentication algorithm chosen by the MSS and the Authentication Server, and generally includes the network access identifier (NAI) of the MSS, an identifier of the authentication algorithm in use, the subscriber identity module (SIM) card number or a randomly generated nonce, and so on; the Authentication Server can authenticate the MSS from this information;
B. The Authentication Server authenticates the MSS using the received authentication information; once authentication succeeds, the Authentication Server and the MSS each establish, using the agreed algorithm, the authentication, authorization and accounting key (AAA-Key) from which the root key is produced;
C. The Authentication Server delivers the AAA-Key to the Authenticator; the Authenticator and the MSS each generate the root key from the AAA-Key using the same algorithm, then each generate the AK from the root key, and the Authenticator further delivers the AK to the BS;
D. From the AK, the BS and the MSS negotiate, following the Privacy Key Management (PKM) protocol of IEEE 802.16e, the associated keys required to encrypt air-interface data between the MSS and the BS and to check the integrity of management messages, thereby establishing the security channel on the air interface.
In this way, data transmitted on the air interface is protected by encryption, and management messages transmitted on the air interface are protected by an integrity check based on a message authentication code (MAC).
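As an added example that is not part of the patent, the following Python sketch runs steps B to D above with an illustrative key hierarchy: the MSS and the Authenticator each derive the root key and the AK from the shared AAA-Key, the BS receives only the AK, and the BS and the MSS then derive the same air-interface keys and check a management message with a MAC. The KDF, the labels, the key lengths and the message names are assumptions made for the example; they are not the Dot16KDF or the key sizes defined by IEEE 802.16e.

```python
import hashlib
import hmac

AK_LEN = 20    # assumed lengths for this illustration, not the 802.16e values
KEY_LEN = 16


def kdf(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Assumed counter-mode HMAC-SHA256 KDF (not the Dot16KDF of 802.16e).
    Each output block is HMAC(key, counter || label || context)."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_root_key(aaa_key: bytes, nai: bytes) -> bytes:
    """Step C: MSS and Authenticator each derive the root key from the AAA-Key."""
    return kdf(aaa_key, b"root-key", nai, 32)


def derive_ak(root_key: bytes, mss_id: bytes, bs_id: bytes) -> bytes:
    """Step C: the AK is bound to the MSS and to the serving BS, so a different
    BS gets a different AK from the same root key."""
    return kdf(root_key, b"AK", mss_id + bs_id, AK_LEN)


def derive_air_keys(ak: bytes, mss_id: bytes, bs_id: bytes) -> dict:
    """Step D: from the same AK, BS and MSS derive a key-encryption key for
    traffic keys and an integrity key for management messages."""
    return {
        "kek": kdf(ak, b"KEK", mss_id + bs_id, KEY_LEN),
        "mac_key": kdf(ak, b"MGMT-MAC", mss_id + bs_id, KEY_LEN),
    }


def mac_tag(mac_key: bytes, message: bytes) -> bytes:
    """Truncated HMAC over a management message (assumed 8-byte tag)."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()[:8]


def verify_mgmt_message(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time integrity check of a received management message."""
    return hmac.compare_digest(mac_tag(mac_key, message), tag)


def network_entry(aaa_key: bytes, nai: bytes, mss_id: bytes, bs_id: bytes):
    """Simulates steps B-D for one MSS entering under one BS and returns the
    key sets held by the MSS and by the BS. The BS never sees the AAA-Key or
    the root key; it only receives the AK from the Authenticator."""
    # MSS side: holds the AAA-Key after authentication and derives locally
    mss_root = derive_root_key(aaa_key, nai)
    mss_ak = derive_ak(mss_root, mss_id, bs_id)
    mss_keys = derive_air_keys(mss_ak, mss_id, bs_id)

    # Authenticator side: receives the AAA-Key from the Authentication Server
    auth_root = derive_root_key(aaa_key, nai)
    ak_for_bs = derive_ak(auth_root, mss_id, bs_id)   # handed down to the BS

    # BS side: only the AK arrives; the air-interface keys are derived from it
    bs_keys = derive_air_keys(ak_for_bs, mss_id, bs_id)
    return mss_keys, bs_keys


# Constructed demo secret standing in for the AAA-Key produced in step B
AAA_KEY = hashlib.sha512(b"constructed demo AAA-Key, not a real secret").digest()

if __name__ == "__main__":
    mss_keys, bs_keys = network_entry(AAA_KEY, b"user@example.net", b"MSS-1", b"BS-A")
    tag = mac_tag(bs_keys["mac_key"], b"RNG-RSP")
    print("keys match:", mss_keys == bs_keys)
    print("management message verifies:", verify_mgmt_message(mss_keys["mac_key"], b"RNG-RSP", tag))
```

The binding of the AK to the BS identifier is what forces a fresh AK, and hence a fresh key delivery, whenever the MSS moves to another BS; the handover procedure in the rest of this document is about delivering that key material without repeating the authentication exchange.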
Because the MSS is mobile, it will often move out of the coverage of one BS into the coverage of another, in which case it must be handed over from the BS called the source BS to the BS called the target BS. If, during this handover, the source BS and the target BS are controlled by the same Authenticator, then after the handover this Authenticator only needs to deliver the current AK of the MSS to the target BS, and the MSS and the target BS can establish a security channel from that AK. If, however, the source BS and the target BS are controlled by different Authenticators, so that the handover involves an Authenticator migration, then, as the protocol currently stands, the Authenticator managing the target BS, called the target Authenticator, must request a new root key from the Authentication Server. This causes the Authentication Server to run the complete authentication, authorization and key agreement procedure of steps A to D above for the MSS again, in order to establish a new security channel between the MSS and the target BS.
This not only increases the data and signalling overhead between the BS and the Authenticator and between the Authenticator and the Authentication Server; it also consumes more air-interface resources and lengthens the time needed to establish the security channel. In particular, where the Authenticator and the BS are located in the same physical network element, every handover of the MSS between BSs necessarily causes an Authenticator migration; migrations then become so frequent that user sessions are interrupted and the quality of service degrades.
Summary of the invention
To solve the above technical problem, the present invention provides a method of establishing a security channel in a wireless access network such that, when a handover of the MSS causes an Authenticator migration, the target BS obtains the key information needed to establish the security channel in time, a security channel is established quickly between the MSS and the target BS without triggering the re-authentication procedure at the Authentication Server, and the quality of service of the user session is preserved.
The method of establishing a security channel in a wireless access network according to the present invention comprises, when a mobile subscriber station is handed over:
A. the target BS obtains the source server identifier;
B. the target BS requests key information according to the obtained source server identifier;
C. the target BS establishes a security channel with the handed-over mobile subscriber station according to the key information.
Step B of the invention comprises:
B11. the target BS forwards the obtained source server identifier to the target Authenticator;
B12. the target Authenticator determines the network identifier of the source Authenticator from the source server identifier;
B13. the target Authenticator requests key information from the source Authenticator using the network identifier of the source Authenticator, and delivers the key information obtained from the source Authenticator to the target BS.
In step A, the target BS obtaining the source server identifier comprises: after the source BS receives a handover indication sent by the mobile subscriber station, it sends the source server identifier to the target BS, and the target BS receives it.
In the invention, the source server identifier may be the network identifier of the source BS.
In the invention, the source server identifier may be the network identifier of the source Authenticator.
Where the source server identifier is the network identifier of the source BS,
the target BS obtains the source server identifier in step A by taking the network identifier of the source BS from the access message sent by the mobile subscriber station that enters through handover.
Where the source server identifier is the network identifier of the source Authenticator,
the target BS obtains the source server identifier in step A by taking the network identifier of the source BS from the access message sent by the mobile subscriber station that enters through handover; the target BS then requests the network identifier of the source Authenticator from the source BS using the source BS network identifier; and the source BS sends the network identifier of the Authenticator that controls it to the target BS.
Determining the network identifier of the source Authenticator from the source server identifier in step B12 may be: the target Authenticator looks up the network identifier of the source Authenticator that controls the source BS, using the network identifier of the source BS and a pre-configured table of BS-to-Authenticator control relationships.
Determining the network identifier of the source Authenticator from the source server identifier in step B12 may also be: the target Authenticator directly takes the received source Authenticator network identifier as the network identifier of the source Authenticator.
The method of the invention further comprises, after step B12: the target Authenticator judges from the determined network identifier of the source Authenticator whether an Authenticator migration has occurred during the handover of the mobile subscriber station; if so, it continues with step B13; otherwise the target Authenticator directly delivers the key information corresponding to the handed-over mobile subscriber station to the target BS, and the target BS establishes the security channel with the handed-over mobile subscriber station from the received key information.
Where the source server identifier is the network identifier of the source Authenticator,
the target BS may obtain it in step A by taking the network identifier of the source BS from the access message sent by the mobile subscriber station that enters through handover, requesting the network identifier of the source Authenticator from the source BS using the source BS network identifier, and receiving from the source BS the network identifier of the Authenticator that controls it;
or, after the source BS receives the handover indication sent by the mobile subscriber station, it sends the network identifier of the source Authenticator to the target BS, and the target BS receives it.
Step B of the invention may alternatively comprise:
B21. the target BS requests key information directly from the source Authenticator using the network identifier of the source Authenticator;
B22. the source Authenticator delivers the key needed to establish the security channel directly to the target BS.
The method of the invention further comprises, after step A: the target BS judges from the obtained source server identifier whether an Authenticator migration has occurred during the handover of the mobile subscriber station; if so, it continues with step B; otherwise the target BS requests the key information corresponding to the mobile subscriber station from the target Authenticator, the target Authenticator delivers that key information directly to the target BS, and the target BS establishes the security channel with the mobile subscriber station from the received key information.
Where the source server identifier is the network identifier of the source BS,
the judgement is: the target BS searches a locally stored, pre-configured list of the network identifiers of all BSs that its own controlling Authenticator controls, and checks whether the obtained source BS network identifier is in that list; if it is, no Authenticator migration has occurred; otherwise an Authenticator migration has occurred.
Where the source server identifier is the network identifier of the source Authenticator,
the judgement comprises: the target BS reads the locally stored, pre-configured network identifier of its own controlling Authenticator, i.e. of the target Authenticator, and checks whether the obtained source Authenticator network identifier is identical to it; if identical, no Authenticator migration has occurred; otherwise an Authenticator migration has occurred.
The key information of the invention comprises at least the authorization key, the identifier of that authorization key and the lifetime of that authorization key.
Establishing the security channel in the invention is: the target BS and the mobile subscriber station derive, from identical key information, the keys used to encrypt air-interface data and to check the integrity of management messages, encrypt air-interface data with the derived keys, and integrity-check management messages with them.
It can thus be seen that, when a handover of the MSS causes an Authenticator migration, the method of the invention establishes a security channel quickly between the MSS and the target BS by transferring the key information needed for the security channel between the source Authenticator and the target Authenticator, without initiating a re-authentication procedure and without involving the Authentication Server. On the one hand this saves data and signalling overhead on the air interface; on the other it significantly shortens the time needed to establish the security channel and so improves the user's quality of service.
Description of drawings
Fig. 1 shows the security architecture of a present-day wireless access network;
Fig. 2 shows the method of establishing a security channel in a wireless access network described in Embodiment 1;
Fig. 3 shows the method of establishing a security channel in a wireless access network described in Embodiment 2;
Fig. 4 shows the method of establishing a security channel in a wireless access network described in Embodiment 3;
Fig. 5 shows the method of establishing a security channel in a wireless access network described in Embodiment 4;
Fig. 6 shows the method of establishing a security channel in a wireless access network described in Embodiment 5.
Embodiment
So that the target BS can obtain the key information needed to establish the security channel in time when a handover of the MSS causes an Authenticator migration, the invention provides a method of establishing a security channel in a wireless access network which, without triggering a re-authentication procedure at the Authentication Server, lets the target BS obtain the key information needed for the security channel in time and establish a security channel quickly between the MSS and the target BS.
The method of the invention is applicable to the security architecture of the wireless access network shown in Fig. 1.
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
Embodiment 1:
Fig. 2 shows the method of establishing a security channel in a wireless access network described in Embodiment 1. As shown in Fig. 2, the method mainly comprises the following steps:
A1. After receiving the handover indication from the MSS, the source BS sends the source server identifier to the target BS;
The source server identifier is the network identifier of the source BS or the network identifier of the source Authenticator;
In this step the source BS may send the source server identifier directly to the target BS over the interface between BSs, or forward it to the target BS indirectly through a controlling network element such as a base station controller or an access service network gateway (ASN GW);
A2. After receiving the source server identifier from the source BS, the target BS sends a key request message to the Authenticator that controls it, i.e. the target Authenticator, requesting the key information corresponding to this MSS; the key request message carries the received source server identifier;
Because every BS stores the pre-configured network identifier of the Authenticator that controls it, any BS can address its controlling Authenticator and request from it the key information needed to establish a security channel;
A3. The target Authenticator obtains the network identifier of the source Authenticator from the source server identifier carried in the key request message, and then judges from that network identifier whether an Authenticator migration has occurred in this handover, i.e. whether its own network identifier is identical to the received network identifier of the source Authenticator; if no Authenticator migration has occurred, step A4 is executed; otherwise step A5;
In this step the target Authenticator obtains the network identifier of the source Authenticator in one of two ways, depending on the type of source server identifier received: if the source server identifier is the network identifier of the source Authenticator, the target Authenticator has it directly; if the source server identifier is the network identifier of the source BS, the target Authenticator looks up the network identifier of the source Authenticator that controls that source BS in its pre-configured table of BS-to-Authenticator control relationships;
Having obtained the network identifier of the source Authenticator, the target Authenticator compares it with its own network identifier; if they are identical, no Authenticator migration has occurred; otherwise an Authenticator migration has occurred;
A4. The target Authenticator sends the key information needed to establish the security channel directly to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end;
A5. The target Authenticator obtains the key information needed to establish the security channel from the source Authenticator and delivers it to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end.
Because an internal interface of the access service network, the R6 interface, exists between Authenticators, the target Authenticator requests and obtains the key information from the source Authenticator with a self-defined key request message. The security of the key information transferred between the source Authenticator and the target Authenticator can be guaranteed by transport-layer or network-layer security mechanisms, for example IP security (IPsec) or a virtual private network (VPN).
In steps A4 and A5 the key information comprises at least the AK of the MSS, the identifier of that AK (AKID) and the lifetime of that AK. The key information may also include other key material, such as the EAP integrity key (EIK).
Once the target BS has obtained the same AK as the MSS, it can use the same algorithm as the MSS to derive the other associated keys used to encrypt air-interface data and to integrity-check management messages, encrypt air-interface data with the derived keys and integrity-check management messages, thereby establishing a security channel that secures the transmission of data and management messages on the air interface.
As step A3 of Embodiment 1 shows, in this embodiment the judgement of whether an Authenticator migration has occurred in the handover is made by the target Authenticator. In practice the judgement can also be made by the target BS, as in the method of Embodiment 2.
Embodiment 2:
Fig. 3 shows the method of establishing a security channel in a wireless access network described in Embodiment 2. As shown in Fig. 3, the method mainly comprises the following steps:
B1. After receiving the handover indication from the MSS, the source BS sends the source server identifier to the target BS;
The source server identifier is the network identifier of the source BS or the network identifier of the source Authenticator;
In this step the source BS may send the source server identifier to the target BS directly or indirectly, in the same way as in step A1;
B2. The target BS judges from the received source server identifier whether an Authenticator migration has occurred; if an Authenticator migration has occurred, step B3 is executed; otherwise step B5;
In this step, if the source server identifier is the network identifier of the source Authenticator, the target BS directly compares the locally stored, pre-configured network identifier of its own controlling Authenticator with the received network identifier of the source Authenticator; if they are identical, no Authenticator migration has occurred; otherwise an Authenticator migration has occurred;
If the source server identifier is the network identifier of the source BS, the target BS must store a pre-configured list of the network identifiers of all BSs that its own controlling Authenticator controls; the target BS then judges whether an Authenticator migration has occurred by searching that list for the network identifier of the source BS; if it is in the list, no Authenticator migration has occurred; otherwise an Authenticator migration has occurred;
B3. The target BS sends the received source server identifier in a key request message to the Authenticator that controls it, i.e. the target Authenticator, requesting from the target Authenticator the key information corresponding to this MSS;
B4. The target Authenticator obtains the network identifier of the source Authenticator from the source server identifier in the key request message, obtains the key information needed to establish the security channel from the source Authenticator, and delivers it to the target BS; the target BS establishes the security channel with the MSS from the received key information; end;
In this step, the method of obtaining the network identifier of the source Authenticator is the same as in step A3 above, and the method of obtaining the key information from the source Authenticator is the same as in step A5;
B5. The target BS requests the key information corresponding to this MSS from the target Authenticator, which in this case is also the source Authenticator; the target Authenticator delivers the key information of this MSS directly to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end.
In steps B4 and B5 the key information likewise comprises at least the AK of the MSS.
Once the target BS has obtained the same AK as the MSS, it can use the same algorithm as the MSS to derive the other keys used to encrypt air-interface data and to integrity-check management messages, encrypt air-interface data with the derived keys and integrity-check management messages, thereby establishing a security channel that secures the transmission of data and management messages on the air interface.
In both embodiments above, the target BS obtains the source server identifier from the handover message of the source BS. Sometimes, however, even after the MSS has been handed over into the target BS, the target BS still cannot obtain the source server identifier from the source BS: for example, the MSS may already have left the coverage area of the source BS, so that the source BS cannot receive the handover indication sent by the MSS and therefore cannot send the source server identifier to the target BS. In that case the target BS cannot learn the source server identifier, and so cannot quickly obtain the originally used key information through the target Authenticator.
The preferred embodiments described below solve this problem.
Embodiment 3:
Fig. 4 shows the method of establishing a security channel in a wireless access network described in Embodiment 3. As shown in Fig. 4, after the MSS has been handed over into the target BS, the method comprises the following steps:
C1. The target BS obtains the network identifier of the source BS from the access message of the MSS;
C2. Using the network identifier of the source BS, the target BS sends the source BS a handover indication request containing the identifier of the MSS, requiring the source BS to provide the network identifier of the source Authenticator;
In this step the target BS may request the network identifier of the source Authenticator from the source BS directly over the interface between BSs, or indirectly through a controlling network element such as a base station controller or an ASN GW;
C3. Having obtained the network identifier of the source Authenticator, the target BS sends it in a key request message to the Authenticator that controls it, i.e. the target Authenticator, requesting from the target Authenticator the key information corresponding to this MSS;
C4. The target Authenticator judges from the network identifier of the source Authenticator in the key request message whether an Authenticator migration has occurred in this handover; if no Authenticator migration has occurred, step C5 is executed; otherwise step C6;
C5. The target Authenticator delivers the key needed to establish the security channel directly to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end;
C6. The target Authenticator obtains the key information needed to establish the security channel from the source Authenticator and delivers it to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end.
In this step, the method of obtaining the key information from the source Authenticator is the same as in step A5 of Embodiment 1.
The key information in steps C5 and C6 likewise comprises at least the AK of this MSS. Once the target BS has obtained the same AK as the MSS, it can derive the other keys in the same way as the MSS and secure the transmission of data and management messages on the air interface.
Those of ordinary skill in the art will appreciate that, after the target BS has obtained the network identifier of the source Authenticator, the target BS may itself judge from that network identifier whether an Authenticator migration has occurred in this handover, using the judgement method of step B2 of Embodiment 2; if an Authenticator migration has occurred, it reports the network identifier of the source Authenticator to the target Authenticator, which obtains the key information needed to establish the security channel from the source Authenticator, and the security channel is then established; otherwise the target BS obtains the key information directly from the source Authenticator, which in that case is also its own Authenticator, and establishes the security channel.
Embodiment 4:
Fig. 5 shows the method of establishing a security channel in a wireless access network described in Embodiment 4. As shown in Fig. 5, after the MSS has been handed over into the target BS, the method comprises the following steps:
D1. The target BS obtains the network identifier of the source BS from the access message of the MSS;
D2. The target BS sends the network identifier of the source BS in a key request message to the Authenticator that controls it, i.e. the target Authenticator, requesting from the target Authenticator the key information corresponding to this MSS;
D3. The target Authenticator looks up its stored table of BS-to-Authenticator control relationships using the source BS network identifier in the key request message to obtain the network identifier of the source Authenticator, and judges from that network identifier whether an Authenticator migration has occurred in this handover; if no Authenticator migration has occurred, step D4 is executed; otherwise step D5;
D4. The target Authenticator delivers the key needed to establish the security channel directly to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end;
D5. The target Authenticator obtains the key information needed to establish the security channel from the source Authenticator and delivers it to the target BS, and the target BS establishes the security channel with the MSS from the received key information; end.
The key information in steps D4 and D5 likewise comprises at least the AK of this MSS. Once the target BS has obtained the same AK as the MSS, it can derive the other keys in the same way as the MSS and secure the transmission of data and management messages on the air interface.
As in Embodiment 3, in Embodiment 4 the target BS may, after obtaining the network identifier of the source BS, itself judge whether an Authenticator migration has occurred in this handover by searching the list of all BSs managed by its own Authenticator for that network identifier, using the judgement method of step B2 of Embodiment 2; if an Authenticator migration has occurred, it reports the network identifier of the source BS to the target Authenticator, which obtains the key information needed to establish the security channel from the source Authenticator, and the security channel is then established; otherwise the target BS obtains the key information directly from the source Authenticator, which in that case is also its own Authenticator, and establishes the security channel.
Embodiment 5:
If the target BS is allowed to request key information directly from the source Authenticator, and the target BS can obtain the network identity of the source Authenticator, the methods of Embodiments 1 to 4 above can be simplified further.
Fig. 6 shows the method of establishing a secure channel in the wireless access network described in Embodiment 5. As shown in Fig. 6, after the MSS hands over to the target BS, the method comprises the following steps:
E1. The target BS obtains the network identity of the source BS from the access message of the MSS;
E2. The target BS, according to the network identity of the source BS, sends the source BS a handover indication request carrying the MSS identifier, requiring the source BS to provide the network identity of the source Authenticator;
As an alternative to steps E1 and E2, the target BS can also obtain the network identity of the source Authenticator as follows: after the source base station receives the handover indication sent by the mobile subscriber station, it sends the network identity of the source Authenticator to the target BS, and the target BS receives the network identity of the source Authenticator.
E3. The source BS notifies the target BS of the network identity of the source Authenticator in a session response message;
E4. Having obtained the network identity of the source Authenticator, the target BS requests the key information of this MSS directly from the source Authenticator according to that network identity;
E5. The source Authenticator directly sends the key information required to establish the secure channel to the target BS, and the target BS establishes the secure channel with the MSS according to the received key information; the procedure then ends.
The key information of step E5 above includes at least the AK of this MSS. Once the target BS holds the same AK as the MSS, it can derive the other keys and, together with the MSS, secure the transmission of data and management messages over the air interface.
It can be seen from the methods of Embodiments 1 to 5 above that, when an MSS handover causes an Authenticator migration, a secure channel can be established quickly between the MSS and the target BS without triggering the Authentication Server to initiate a re-authentication process. This saves data and signalling overhead, significantly reduces the time needed to establish the secure channel, and improves the user's quality of service.
If the above procedure fails, i.e. the target BS or the target Authenticator cannot obtain the key information required to establish the secure channel, the target Authenticator falls back to the prior-art procedure: the MSS, target BS, target Authenticator and Authentication Server jointly perform a complete re-authentication, authorization and key information exchange, so as to establish a new root key, a new AK and the other associated keys between the MSS and the target BS, thereby establishing a new secure channel.
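As an added illustration (not code from the patent), the Embodiment 4 flow D1 to D5 and the fallback just described, modelled in Python: the target BS passes the source BS identity to its Authenticator, which uses the BS-to-Authenticator control relation table to detect a migration and either delivers its own copy of the key information or fetches it from the source Authenticator, and the target BS then derives the air interface keys of claim 17. The topology, the identifiers and the HMAC-based key derivation are constructed assumptions, not the standard's procedures.

```python
# Added example (not from the patent): a model of the Embodiment 4 handover
# key-transfer flow plus the full re-authentication fallback. The topology,
# the BS-to-Authenticator table and the HMAC key derivation are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

@dataclass(frozen=True)
class KeyInfo:  # key information as in claim 16
    ak: bytes
    ak_id: bytes
    lifetime: int  # seconds of validity remaining

def derive_air_keys(ak: bytes, mss_id: str, bs_id: str) -> Dict[str, bytes]:
    """Claim 17: MSS and target BS derive an encryption key and an integrity
    key from the same AK. Constructed HMAC-SHA256 labels, not the standard KDF."""
    ctx = f"{mss_id}|{bs_id}".encode()
    return {
        "enc": hmac.new(ak, b"air-data-enc|" + ctx, hashlib.sha256).digest(),
        "mac": hmac.new(ak, b"mgmt-msg-mac|" + ctx, hashlib.sha256).digest(),
    }

class Authenticator:
    def __init__(self, net_id: str, bs_auth_table: Dict[str, str],
                 peers: Dict[str, "Authenticator"]):
        self.net_id = net_id
        self.bs_auth_table = bs_auth_table  # step D3 control relation table
        self.peers = peers                  # reachable source Authenticators
        self.keys: Dict[str, KeyInfo] = {}  # MSS id -> KeyInfo (constructed store)

    def key_request(self, mss_id: str, source_bs: str):
        """Steps D3 to D5: returns (KeyInfo or None, migration_occurred)."""
        source_auth = self.bs_auth_table.get(source_bs)
        if source_auth == self.net_id:           # no Authenticator migration:
            return self.keys.get(mss_id), False  # deliver own copy (step D4)
        peer = self.peers.get(source_auth)
        if peer is None:                         # table miss or unreachable peer
            return None, True
        info = peer.keys.get(mss_id)             # fetch from source (step D5)
        if info is not None:
            self.keys[mss_id] = info             # keep for later handovers
        return info, True

def target_bs_handover(bs_id: str, target_auth: Authenticator,
                       access_msg: Dict[str, str]) -> Dict[str, object]:
    """Steps D1 and D2 at the target BS, then either the secure channel or the
    fallback: if no key information is obtainable, a full re-authentication
    with the Authentication Server is needed (as the description says)."""
    mss_id, source_bs = access_msg["mss"], access_msg["source_bs"]   # D1
    info, migrated = target_auth.key_request(mss_id, source_bs)       # D2
    if info is None:
        return {"migration": migrated, "result": "full_reauth"}
    return {"migration": migrated, "result": "secure_channel",
            "keys": derive_air_keys(info.ak, mss_id, bs_id)}

def build_network() -> Dict[str, Authenticator]:
    """Constructed topology: AUTH-A controls BS-1 and BS-2, AUTH-B controls BS-3;
    MSS-7 was authenticated through BS-1, so AUTH-A holds its AK context."""
    table = {"BS-1": "AUTH-A", "BS-2": "AUTH-A", "BS-3": "AUTH-B"}
    peers: Dict[str, Authenticator] = {}
    peers["AUTH-A"] = Authenticator("AUTH-A", table, peers)
    peers["AUTH-B"] = Authenticator("AUTH-B", table, peers)
    peers["AUTH-A"].keys["MSS-7"] = KeyInfo(b"\x11" * 20, b"akid-7", 3600)
    return peers
```

A handover from BS-1 to BS-2 stays under AUTH-A and is served locally (step D4); a handover to BS-3 crosses to AUTH-B, which fetches the context from AUTH-A (step D5), and an MSS or source BS unknown to the table ends in the re-authentication fallback.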

Claims (17)

1. A method of establishing a secure channel in a wireless access network, characterized in that, when a mobile subscriber station hands over, the method comprises:
A. the target base station obtains a source serving end identifier;
B. the target base station requests key information according to the obtained source serving end identifier;
C. the target base station establishes a secure channel with the mobile subscriber station that has handed over, according to said key information.
2. The method of claim 1, characterized in that said step B comprises:
B11. the target base station reports the obtained source serving end identifier to the target Authenticator;
B12. the target Authenticator determines the network identity of the source Authenticator according to said source serving end identifier;
B13. the target Authenticator requests key information from the source Authenticator according to the network identity of the source Authenticator, and sends the key information obtained from the source Authenticator down to the target base station.
3. The method of claim 2, characterized in that the target base station obtaining the source serving end identifier in step A comprises: after the source base station receives the handover indication sent by the mobile subscriber station, it sends the source serving end identifier to the target base station; and the target base station receives said source serving end identifier.
4. The method of claim 3, characterized in that said source serving end identifier is the network identity of the source base station.
5. The method of claim 3, characterized in that said source serving end identifier is the network identity of the source Authenticator.
6. The method of claim 2, characterized in that said source serving end identifier is the network identity of the source base station;
and the target base station obtaining the source serving end identifier in step A is: the target base station obtains the network identity of the source base station from the access message sent by the mobile subscriber station that enters it by handover.
7. The method of claim 2, characterized in that said source serving end identifier is the network identity of the source Authenticator;
and the target base station obtaining the source serving end identifier in step A is: the target base station obtains the network identity of the source base station from the access message sent by the mobile subscriber station that enters it by handover; the target base station requests the network identity of the source Authenticator from the source base station according to the network identity of the source base station; and the source base station sends the network identity of the source Authenticator that controls it to the target base station.
8. The method of claim 4 or 6, characterized in that determining the network identity of the source Authenticator according to said source serving end identifier in step B12 is: the target Authenticator looks up the network identity of the source Authenticator that controls the source base station, according to the network identity of the source base station and a pre-configured base-station-to-Authenticator control relation table.
9. The method of claim 5 or 7, characterized in that determining the network identity of the source Authenticator according to said source serving end identifier in step B12 is: the target Authenticator directly takes the received network identity of the source Authenticator as the network identity of the source Authenticator.
10. The method of claim 2, characterized in that, after step B12, the method further comprises: the target Authenticator judges, according to the determined network identity of the source Authenticator, whether an Authenticator migration has occurred in the handover of said mobile subscriber station; if so, step B13 is continued; otherwise the target Authenticator directly sends the key information corresponding to the mobile subscriber station that has handed over down to the target base station, and the target base station establishes the secure channel with said mobile subscriber station according to the received key information.
11. The method of claim 1, characterized in that said source serving end identifier is the network identity of the source Authenticator;
and the target base station obtaining the source serving end identifier in step A is: the target base station obtains the network identity of the source base station from the access message sent by the mobile subscriber station that enters it by handover; the target base station requests the network identity of the source Authenticator from the source base station according to the network identity of the source base station; and the source base station sends the network identity of the source Authenticator that controls it to the target base station; or alternatively:
after the source base station receives the handover indication sent by the mobile subscriber station, it sends the network identity of the source Authenticator to the target base station; and the target base station receives said network identity of the source Authenticator.
12. The method of claim 11, characterized in that said step B comprises:
B21. the target base station directly requests key information from the source Authenticator according to the network identity of the source Authenticator;
B22. the source Authenticator directly sends the key information required to establish the secure channel to the target base station.
13. The method of claim 1, characterized in that, after step A, the method further comprises: the target base station judges, according to the obtained source serving end identifier, whether an Authenticator migration has occurred in the handover of said mobile subscriber station; if so, step B is continued; otherwise the target base station requests the key information corresponding to said mobile subscriber station from the target Authenticator, the target Authenticator directly sends said key information down to the target base station, and the target base station establishes the secure channel with said mobile subscriber station according to the received key information.
14. The method of claim 13, characterized in that said source serving end identifier is the network identity of the source base station;
and said judgement is: the target base station looks up its stored, pre-configured list of the network identities of all base stations that the Authenticator controlling it can control, and judges whether the obtained source base station network identity is in this list; if so, no Authenticator migration has occurred; otherwise, an Authenticator migration has occurred.
15. The method of claim 13, characterized in that said source serving end identifier is the network identity of the source Authenticator;
and said judgement comprises: the target base station obtains the network identity of the target Authenticator from its stored, pre-configured network identity of the Authenticator controlling it; and judges whether the obtained network identity of the source Authenticator is identical to said network identity of the target Authenticator; if identical, no Authenticator migration has occurred; otherwise, an Authenticator migration has occurred.
16. The method of claim 1, characterized in that said key information comprises at least: the authentication key (AK), the identifier of the AK, and the lifetime of the AK.
17. The method of claim 1, 10 or 13, characterized in that said establishing the secure channel is: the target base station and the mobile subscriber station derive, from identical key information, the keys used to encrypt air interface data and to perform consistency checks on management messages, encrypt the air interface data with the derived keys, and perform consistency checks on the management messages.
CNB200510116986XA 2005-07-11 2005-10-28 A kind of method of in wireless access network, setting up escape way Active CN100563186C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510116986XA CN100563186C (en) 2005-07-11 2005-10-28 A kind of method of in wireless access network, setting up escape way

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200510082882 2005-07-11
CN200510082882.1 2005-07-11
CNB200510116986XA CN100563186C (en) 2005-07-11 2005-10-28 A kind of method of in wireless access network, setting up escape way

Publications (2)

Publication Number Publication Date
CN1794682A true CN1794682A (en) 2006-06-28
CN100563186C CN100563186C (en) 2009-11-25

Family

ID=36805962

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510116986XA Active CN100563186C (en) 2005-07-11 2005-10-28 A kind of method of in wireless access network, setting up escape way

Country Status (1)

Country Link
CN (1) CN100563186C (en)

Also Published As

Publication number Publication date
CN100563186C (en) 2009-11-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant