CN1988716B - Method for ensuring communication safety between mobile station and base station - Google Patents


Info

Publication number
CN1988716B
Authority
CN
China
Prior art keywords
mobile station
base station
authenticator
authentication
station
Legal status
Expired - Fee Related
Application number
CN200510132070A
Other languages
Chinese (zh)
Other versions
CN1988716A (en)
Inventor
吴建军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The invention provides a method for ensuring communication security between a base station and a mobile station. When the AK information of the mobile station that is stored in the base station or in the mobile station is lost, the serving base station where the mobile station is located, or the mobile station itself, initiates a re-authentication process. Using this method, communication security can be ensured even after the AK information of the mobile station is lost.

Description

Method for ensuring communication safety between mobile station and base station
Technical Field
The present invention relates to the field of communications, and in particular, to a method for ensuring security of communications between a mobile station and a base station.
Background
IEEE 802.16 is a point-to-multipoint wireless data access standard defined by the IEEE (Institute of Electrical and Electronics Engineers). It specifies a wireless metropolitan area network standard for BWA (fixed broadband wireless access), defines different physical layer technologies for different frequency bands, and is mainly targeted at the residential, small office/home office, teleworker and SME (small business user) markets.
The system defined by IEEE 802.16 is composed of a BS (base station) and a plurality of SSs (mobile stations). The base station and the SSs communicate with each other in units of radio frames. Because a wireless mobile communication system is open and mobile, the communication of a mobile station is easy to eavesdrop on and the system is easy to attack; for example, an attacker can impersonate a mobile station in order to use the network illegitimately.
Therefore, almost all wireless communication systems have a complete set of security measures, consisting mainly of authentication and encryption. Authentication confirms the identity of the mobile station, ensuring that it is a legitimate mobile station; encryption protects the air interface data transmitted between the mobile station and the wireless communication system, ensuring the privacy of the communication. Generally, in order to keep the keys fresh and further improve the security of the system, the key used for encryption is bound to the authentication process: the key is dynamically generated and distributed through authentication.
In the IEEE 802.16 system, if EAP (extensible authentication protocol) authentication is employed, the key generation and distribution process is as follows:
1. The EAP authentication procedure is completed between the mobile station and the authentication server, generating an MSK (master session key).
2. The authentication server passes the MSK to the Authenticator.
3. The Authenticator computes the PMK (pairwise master key) from the MSK as specified by the protocol. The AK (authentication key) is then calculated from the PMK, the BSID (base station ID) and the MSID (terminal ID).
4. The Authenticator transmits the calculated AK to the base station.
5. The base station derives further keys from the received AK, including CMAC_KEY_U (for calculating the uplink message check code), CMAC_KEY_D (for calculating the downlink message check code) and the KEK (the key used to encrypt the TEK).
6. The base station generates a random number as the current TEK (the key actually used for encryption) and sends it to the MS after encrypting it with the KEK. Communication thereafter is encrypted with the TEK.
7. If the MS needs to update the TEK, it sends a TEK request message to the base station.
8. After receiving the TEK request message from the MS, the base station sends the new TEK to the MS in a TEK response message.
The above procedure generates the keys when IEEE 802.16 uses EAP authentication. If IEEE 802.16 uses another authentication method, the AK is generated differently, but once the AK exists, CMAC_KEY_U (HMAC_KEY_U), CMAC_KEY_D (HMAC_KEY_D), the KEK and the TEK are generated in the same way for every authentication method.
Currently, IEEE 802.16 supports four authentication methods: RSA (public key cryptography; RSA abbreviates the initials of its three inventors, Rivest, Shamir and Adleman), EAP, RSA + EAP and EAP + EAP.
1) For the RSA authentication method, after authentication between the mobile station and the authentication server is completed, a PAK is generated and the AK is calculated from the PAK by the formula:
AK = Dot16KDF(PAK, SSID|BSID|"AK", 160),
and the AK Sequence Number is set to the PAK Sequence Number.
2) For EAP authentication, after authentication between the mobile station and the authentication server is completed, a PMK is generated and the AK is calculated from the PMK by the formula:
AK = Dot16KDF(PMK, SSID|BSID|"AK", 160),
and the AK Sequence Number is set to the PMK Sequence Number.
3) For the RSA + EAP method, the RSA process generates a PAK and the EAP process generates a PMK, so the AK is calculated as:
AK = Dot16KDF(PAK ⊕ PMK, SSID|BSID|PAK|"AK", 160),
where ⊕ denotes bitwise exclusive OR, and the AK Sequence Number is set to PMK Sequence Number + PAK Sequence Number.
4) For the EAP + EAP method, each EAP authentication procedure generates a PMK, so the AK is calculated as:
AK = Dot16KDF(PMK ⊕ PMK2, SSID|BSID|"AK", 160),
and the AK Sequence Number is set to the PMK2 Sequence Number.
Here PMK is the PMK generated by the first EAP authentication process and PMK2 is the PMK generated by the second.
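The four AK formulas above carried through in code, as an added example that is not part of the patent: the page does not give the internals of Dot16KDF, so an HMAC-SHA-1 counter construction (an assumption) stands in for it; the PAK/PMK combination in modes 3 and 4 is taken as bitwise XOR and the sequence-number sum in mode 3 as integer addition, and every key, SSID and BSID value is constructed. The handover_aks helper generalizes to the handover situation described next: one PMK, one AK per base station, because BSID is a KDF input.

```python
import hashlib
import hmac


def dot16kdf(key: bytes, astring: bytes, keylength: int) -> bytes:
    """Counter-mode KDF truncated to keylength bits.
    Assumption: the page names Dot16KDF but not its internals, so this HMAC-SHA-1
    iteration is a stand-in, not the IEEE 802.16e definition."""
    out = b""
    for i in range((keylength + 159) // 160):          # 160-bit blocks of SHA-1 output
        msg = i.to_bytes(4, "big") + astring + keylength.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[: keylength // 8]


def xor_keys(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length keys (PAK ⊕ PMK, PMK ⊕ PMK2)."""
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_ak(mode, ssid, bsid, pak=None, pak_sn=0, pmk=None, pmk_sn=0, pmk2=None, pmk2_sn=0):
    """Return (AK, AK Sequence Number) for one of the four authentication modes.
    ssid/bsid are the SS and BS identifiers concatenated into the KDF string."""
    label = ssid + bsid + b"AK"
    if mode == "RSA":
        return dot16kdf(pak, label, 160), pak_sn
    if mode == "EAP":
        return dot16kdf(pmk, label, 160), pmk_sn
    if mode == "RSA+EAP":
        # PAK is bound into the string as well as XORed into the key;
        # the sequence numbers are summed (integer addition is an assumption).
        return dot16kdf(xor_keys(pak, pmk), ssid + bsid + pak + b"AK", 160), pmk_sn + pak_sn
    if mode == "EAP+EAP":
        return dot16kdf(xor_keys(pmk, pmk2), label, 160), pmk2_sn
    raise ValueError(f"unknown authentication mode {mode!r}")


def handover_aks(pmk, pmk_sn, ssid, bsids):
    """AK per base station within one authentication period: same PMK, BSID varies."""
    return {bsid: derive_ak("EAP", ssid, bsid, pmk=pmk, pmk_sn=pmk_sn) for bsid in bsids}
```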
The present invention refers to the period of time after the mobile station completes one authentication and before the next re-authentication as one authentication period.
In a wireless communication system, a mobile station is movable, and a base station is stationary, so as the mobile station moves, the mobile station will pass through coverage areas of different base stations, and the mobile station will continuously change the base station with which the mobile station communicates, so as to ensure the continuity of communication.
In the handover process, if authentication is not performed again, the PMK or PAK of the mobile station does not change; but because the connected base station has changed, it follows from the AK formula that the BSID changes and therefore the AK changes as well. Thus, during one authentication period, the mobile station creates and stores, via the Authenticator, an AK and its context (the AK, the keys derived from it, its lifetime, CMAC_PN_U, CMAC_PN_D, etc.) for each base station with which it communicates. The AK and its context information are also stored in the corresponding base stations. A schematic diagram of a mobile station creating and storing AK contexts for the different base stations it communicates with is shown in fig. 1.
If the mobile station returns to a base station, it continues to use the context information stored for that base station, and the CMAC_PN_U and CMAC_PN_D (sequence numbers) of each message continue counting from the stored values. This ensures that different messages have different CMAC_PN_U and CMAC_PN_D values under the same base station within one authentication period.
The authentication-related operation flow of the mobile station during handover is shown in fig. 2 and includes the following steps:
2-1. After authentication between the mobile station and the authentication server is completed, the AK of the current base station and its context are generated. CMAC_PN_U and CMAC_PN_D are updated as the protocol requires during message exchange with the current base station. Before switching to another base station, the mobile station stores and retains the AK and context information of the current base station.
2-2. After the mobile station is handed over to the target base station, it first checks whether it has been connected to the target base station during this authentication period. If yes, go to step 2-3; otherwise, a new AK is established for the base station and its context is initialized.
2-3. The mobile station further checks whether an AK and context information are stored for the base station; if so, it continues to use them. Before re-authentication, the mobile station deletes all stored AK information and context information of the different base stations.
When the lifetime of an AK stored in the mobile station expires, or a related timer expires, the mobile station may delete the AK and its context.
The prior-art handover flow above has the following disadvantage: it does not consider how a base station that stored AK information of a mobile station should proceed after losing that AK. IEEE 802.16e only mentions that the mobile station needs to be re-authenticated if the base station loses the AK of a mobile station; it does not define when, and by whom, the re-authentication process of the mobile station is initiated.
Disclosure of Invention
In view of the problems of the prior art, it is an object of the present invention to provide a method for securing communication between a mobile station and a base station, so that communication security between the mobile station and a target base station can be ensured after the mobile station or the base station loses the stored AK of the mobile station.
The purpose of the invention is realized by the following technical scheme:
a method for securing communications between a mobile station and a base station, comprising:
A. when the authentication key (AK) information of the mobile station stored in the base station is lost, the base station that lost the AK information sends a re-authentication request message to an Authenticator, and the Authenticator, on receiving the re-authentication request message, informs the serving base station where the mobile station is located to initiate a re-authentication process of the mobile station;
or,
B. when the authentication key (AK) information of the mobile station stored in the base station is lost, the base station that lost the AK information sends a pairwise master key (PMK) failure message for the mobile station to an Authenticator, and after the Authenticator receives the PMK failure message, when the Authenticator determines that an AK needs to be generated using the PMK, the Authenticator informs the serving base station where the mobile station is located to initiate a re-authentication process of the mobile station.
The B also comprises:
when the mobile station is switched to the base station losing the AK, the base station sends an authentication failure message to the mobile station through an air interface, and the mobile station initiates a re-authentication process after receiving the message;
or,
when the mobile station is switched to the base station losing the AK, the base station informs the previous service base station to indicate the mobile station to switch and then immediately re-authenticate in the process of carrying out switching preparation interaction with the previous service base station of the mobile station through a backbone network;
or,
when the mobile station is handed over to the base station that lost the AK, the base station carries re-authentication indication information in the ranging response (RNG-RSP) message sent to the mobile station, and the mobile station initiates a re-authentication process during network re-entry after obtaining the indication.
The B also comprises:
when the mobile station is handed over to another base station that has not lost the AK, if that base station already stores an AK for the mobile station, the authentication procedure of the mobile station is not initiated, and that base station continues to use the AK stored for the mobile station and its context information.
The Authenticator in said B determining that an AK needs to be generated using said PMK comprises:
when the mobile station is handed over to another base station that has not lost the AK, if that base station does not store an AK for the mobile station, it requests the AK of the mobile station from the Authenticator, and the Authenticator determines that an AK needs to be generated for that base station using the PMK.
The method further comprises the following steps:
when the AK information that the mobile station stores for a specific, previously accessed base station is lost, the mobile station initiates a re-authentication process at the current serving base station.
Before said A or B, the method comprises:
C. when a certain base station has access of a mobile station, the certain base station sends a request message for requesting to obtain AK of the mobile station to an Authenticator;
D. after receiving the request message, the Authenticator returns a corresponding authentication message to the certain base station according to the authentication information of the mobile station and the base station stored in the Authenticator, and the certain base station performs corresponding processing according to the response message returned by the Authenticator.
The request message for requesting to obtain the AK of the mobile station, which is sent by the certain base station to the Authenticator, includes the identifier of the certain base station and the identifier of the mobile station.
The step D specifically comprises the following steps:
when the Authenticator does not store the authentication information of the mobile station, the Authenticator responds a response message for rejecting the request to the certain base station, and the certain base station initiates a re-authentication process of the mobile station after receiving the response message;
or,
when the Authenticator stores the authentication information of the mobile station, the Authenticator judges that the AK and the context information of the mobile station are created for the certain base station in the authentication period according to the stored authentication information, the Authenticator responds a response message of the provided AK information to the certain base station and records the information of the service base station where the mobile station is located currently, the certain base station inquires whether the AK and the context information of the mobile station are stored after receiving the response message, and if so, the AK and the context are continuously used; otherwise, initiating the re-authentication process of the mobile station;
or,
the Authenticator stores the authentication information of the mobile station, judges that the AK of the mobile station is not created for the certain base station in the authentication period according to the stored authentication information, and creates the AK and partial context information of the mobile station according to the stored authentication information of the mobile station and the mobile station identifier and the base station identifier obtained from the received request message, and transmits the AK and partial context information to the certain base station in the response message, and simultaneously, the Authenticator records the base station identifier for the mobile station.
The method further comprises the following steps:
after the serving base station initiates a re-authentication process of the mobile station, the Authenticator notifies all base stations storing the AK and context information of the mobile station that the previously used AK and AK context are no longer to be used, and/or that they should delete the stored AK and context information of the mobile station;
or,
after the certain base station receives the response message carrying the AK and AK context of the created mobile station, which is responded by the Authenticator, the Authenticator informs all base stations of not using the AK and AK context of the mobile station used before any more and/or deletes the AK and context information of the mobile station stored in the base stations.
It can be seen from the above technical solutions that the present invention explicitly describes a processing mechanism by which, after a base station or the mobile station loses the stored AK of the mobile station during handover, the serving base station where the mobile station is located, or the mobile station itself, initiates the re-authentication process of the mobile station.
Drawings
Fig. 1 is a diagram illustrating a mobile station creating and storing AK contexts for the different base stations with which it communicates;
Fig. 2 is a flowchart of the authentication-related operation of a mobile station during handover in the prior art;
Fig. 3 is a flowchart of the specific process of implementation 1 of the method of the present invention;
Fig. 4 is a flowchart of the specific process of implementation 2 of the method of the present invention;
Fig. 5 is a flowchart of the specific process of implementation 3 of the method of the present invention.
Detailed Description
The invention provides a method for ensuring the communication safety between a mobile station and a base station, which has the core that: in the handover process of the mobile station, after a certain base station or the mobile station loses the stored AK of the mobile station, the Authenticator initiates the re-authentication process of the mobile station through the serving base station where the mobile station is currently located when appropriate. Alternatively, the mobile station initiates the re-authentication procedure itself.
The present invention provides four implementations of the method of the present invention, which are described in detail below.
The processing flow of implementation scheme 1 is shown in fig. 3 and includes the following steps:
Step 3-1. When the mobile station is handed over to a base station, the base station sends a request message to the Authenticator requesting the AK of the mobile station.
In this scheme, when a mobile station is handed over to a base station, the base station sends a request message to the Authenticator that stores the mobile station's authentication information, regardless of whether the base station itself still stores the AK (possibly including partial context) of the mobile station. The request message includes the identifier of the base station and the identifier of the mobile station.
Step 3-2. The base station acts according to the response message returned by the Authenticator.
After receiving the request message from the base station, the Authenticator knows the serving base station where the mobile station is currently located. The Authenticator then returns the corresponding authentication information to the base station according to the authentication information of the mobile station and the base station stored in the Authenticator, and the base station acts according to that response.
In practice, this step covers the following three cases:
A. The Authenticator does not store authentication information of the mobile station: the Authenticator responds to the base station with a message rejecting the request. After receiving the "reject" response, the base station initiates the re-authentication process of the mobile station. If the base station still stores an AK and context information of the mobile station at this point, that information is outdated and is deleted.
B. The Authenticator stores authentication information of the mobile station and determines from it that an AK and partial context have already been created for this base station in the current authentication period: the Authenticator responds with a "provided" AK-information message and records the serving base station where the mobile station is currently located, namely the base station that sent the request. On receiving the "provided" response, the base station first checks whether it still stores the AK of the mobile station and its context. If yes, it continues to use them; if not, the stored AK and context have been deleted, and the base station initiates the re-authentication process of the mobile station.
C. The Authenticator stores authentication information of the mobile station and determines from it that no AK has been created for this base station in the current authentication period: using the mobile station's authentication information together with the mobile station identifier and base station identifier taken from the request message, the Authenticator creates the AK and partial context of the mobile station and records the base station identifier for the mobile station, marking that an AK and partial context have been created for this base station. After receiving the response message containing the AK and context, the base station uses them and derives the remaining context from the AK, such as CMAC_KEY_U and CMAC_KEY_D.
Step 3-3. After the AK of the mobile station stored by a base station is lost, that base station sends a re-authentication request message to the Authenticator.
During handover of the mobile station, after a base station loses the stored AK of the mobile station, the base station immediately sends a re-authentication request message to the Authenticator to inform it of the situation.
Step 3-4. The Authenticator sends a re-authentication message to the serving base station where the mobile station is currently located, and the serving base station initiates the re-authentication process of the mobile station.
After receiving the re-authentication request message from the base station that lost the AK, the Authenticator immediately sends a re-authentication message to the serving base station where the mobile station is currently located, and that base station immediately initiates the re-authentication process of the mobile station.
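Implementation scheme 1 (steps 3-1 to 3-4, with cases A, B and C of step 3-2) as an added Python simulation that is not part of the patent: the Authenticator and BaseStation classes, the ak_request/reauth_request messages, the HMAC-SHA-1 stand-in for Dot16KDF and the random constructed PMK produced by the simulated re-authentication are all assumptions, not the patent's or the standard's definitions.

```python
import hashlib
import hmac
import os


def derive_ak(pmk: bytes, msid: bytes, bsid: bytes) -> bytes:
    """Stand-in for Dot16KDF(PMK, SSID|BSID|"AK", 160); HMAC-SHA-1 is an assumption."""
    return hmac.new(pmk, msid + bsid + b"AK", hashlib.sha1).digest()


class Authenticator:
    """Per-MS PMK state plus the BSIDs an AK was created for in this authentication period."""

    def __init__(self):
        self.ms = {}   # msid -> {"pmk", "pmk_sn", "bsids", "serving"}
        self.bss = {}  # bsid -> BaseStation, so old AKs can be retired after re-authentication

    def register_bs(self, bs):
        self.bss[bs.bsid] = bs

    def msk_received(self, msid, pmk, pmk_sn):
        """A (re-)authentication completed: new period, and every old AK of this MS is retired."""
        self.ms[msid] = {"pmk": pmk, "pmk_sn": pmk_sn, "bsids": set(), "serving": None}
        for bs in self.bss.values():
            bs.forget(msid)

    def ak_request(self, bsid, msid):
        """Steps 3-1/3-2: a BS asks for the MS's AK; the answer is case A, B or C."""
        rec = self.ms.get(msid)
        if rec is None:
            return {"status": "REJECT"}                 # A: MS unknown to the Authenticator
        rec["serving"] = bsid                           # the Authenticator now knows the serving BS
        if bsid in rec["bsids"]:
            return {"status": "PROVIDED"}               # B: AK was created for this BS earlier
        rec["bsids"].add(bsid)                          # C: create AK (and partial context) now
        return {"status": "CREATED", "ak": derive_ak(rec["pmk"], msid, bsid), "ak_sn": rec["pmk_sn"]}

    def reauth_request(self, msid):
        """Steps 3-3/3-4: a BS lost the AK; tell the current serving BS to re-authenticate the MS."""
        rec = self.ms.get(msid)
        if rec is None or rec["serving"] is None:
            return None
        serving = self.bss[rec["serving"]]
        serving.reauthenticate(msid)
        return serving.bsid


class BaseStation:
    def __init__(self, bsid, auth):
        self.bsid, self.auth, self.cache, self.log = bsid, auth, {}, []
        auth.register_bs(self)

    def forget(self, msid):
        self.cache.pop(msid, None)

    def reauthenticate(self, msid):
        """Simulated EAP re-run: a fresh constructed PMK with an incremented PMK SN (not real EAP)."""
        old = self.auth.ms.get(msid)
        self.auth.msk_received(msid, os.urandom(20), old["pmk_sn"] + 1 if old else 1)
        self.log.append(("reauth", msid))
        return self.ms_enters(msid)   # network re-entry then fetches the AK of the new period

    def ms_enters(self, msid):
        """Handover or initial access: always ask the Authenticator, then act on the three cases."""
        resp = self.auth.ak_request(self.bsid, msid)
        if resp["status"] == "REJECT":
            self.forget(msid)                 # anything still cached is stale
            self.reauthenticate(msid)
            return "reauth"
        if resp["status"] == "PROVIDED":
            if msid in self.cache:
                return "continue"             # keep stored AK/context; CMAC_PN_U/D keep counting
            self.reauthenticate(msid)         # local copy was deleted: re-authenticate
            return "reauth"
        self.cache[msid] = {"ak": resp["ak"], "ak_sn": resp["ak_sn"], "cmac_pn_u": 0, "cmac_pn_d": 0}
        return "created"

    def lose_ak(self, msid):
        """Step 3-3: AK lost here; returns the BS the Authenticator told to re-authenticate."""
        self.forget(msid)
        return self.auth.reauth_request(msid)
```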
The processing flow of implementation scheme 2 is shown in fig. 4 and includes the following steps:
Step 4-1. When the mobile station is handed over to a base station, the base station sends a request message to the Authenticator requesting the AK of the mobile station.
In this scheme, when a mobile station is handed over to a base station, the base station sends a request message to the Authenticator that stores the mobile station's authentication information, regardless of whether the base station itself still stores the AK (possibly including partial context) of the mobile station. The request message includes the identifier of the base station and the identifier of the mobile station.
Step 4-2. The base station acts according to the response message returned by the Authenticator.
After receiving the request message from the base station, the Authenticator knows the serving base station where the mobile station is currently located. The Authenticator then returns the corresponding authentication information to the base station according to the authentication information of the mobile station and the base station stored in the Authenticator, and the base station acts according to that response.
In practice, this step covers the following three cases:
A. The Authenticator does not store authentication information of the mobile station: the Authenticator responds to the base station with a message rejecting the request. After receiving the "reject" response, the base station initiates the re-authentication process of the mobile station. If the base station still stores an AK and context information of the mobile station at this point, that information is outdated and is deleted.
B. The Authenticator stores authentication information of the mobile station and determines from it that an AK and partial context have already been created for this base station in the current authentication period: the Authenticator responds with a "provided" AK-information message and records the serving base station where the mobile station is currently located, namely the base station that sent the request. On receiving the "provided" response, the base station first checks whether it still stores the AK of the mobile station and its context. If yes, it continues to use them; if not, the stored AK and context have been deleted, and the base station initiates the re-authentication process of the mobile station.
C. The Authenticator stores authentication information of the mobile station and determines from it that no AK has been created for this base station in the current authentication period: using the mobile station's authentication information together with the mobile station identifier and base station identifier taken from the request message, the Authenticator creates the AK and partial context of the mobile station and records the base station identifier for the mobile station, marking that an AK and partial context have been created for this base station. After receiving the response message containing the AK and context, the base station uses them and derives the remaining context from the AK, such as CMAC_KEY_U and CMAC_KEY_D.
Step 4-3. After the AK of the mobile station stored by a base station is lost, that base station sends a PMK failure message for the mobile station to the Authenticator.
During handover of the mobile station, after a base station loses the stored AK of the mobile station, the base station immediately sends a PMK failure message for the mobile station to the Authenticator to inform it of the situation.
Step 4-4. When the mobile station is handed over to the base station that lost the AK, the mobile station initiates a re-authentication process; or, when the Authenticator needs to use the PMK to generate an AK for a new base station, the Authenticator initiates the re-authentication process of the mobile station through the serving base station where the mobile station is currently located.
After receiving the PMK failure message from the base station that lost the AK, the Authenticator does not immediately send a re-authentication message to the serving base station where the mobile station is currently located.
When the mobile station is handed over to the base station that lost the AK, that base station performs one of the following operations:
the base station sends an Authentication Invalid (authentication failure) message to the mobile station over the air interface, and the mobile station initiates a re-authentication process after receiving it;
or,
during the handover preparation exchange with the mobile station's previous serving base station over the backbone network, the base station informs the previous serving base station to instruct the mobile station to re-authenticate immediately after the handover. The previous serving base station may carry this re-authentication indication in the handover response message sent to the mobile station over the air interface;
or,
the base station carries re-authentication indication information in the ranging response (RNG-RSP) message sent to the mobile station, and the mobile station initiates a re-authentication process during network re-entry after obtaining the indication.
When the mobile station is handed over to some other target base station, if that target base station already stores an AK for the mobile station, the mobile station does not need to be authenticated again, and the target base station continues to use the AK and context information stored for the mobile station.
If the other target base station does not store an AK for the mobile station, the Authenticator needs to generate a new AK and context information for the mobile station under that base station. Because the Authenticator has already been notified that the PMK corresponding to the mobile station is invalid, it immediately sends a re-authentication message to the serving base station where the mobile station is currently located, and that base station immediately initiates the re-authentication process of the mobile station. In a specific implementation, the re-authentication indication may be carried in a handover optimization indication message sent to the mobile station.
The processing flow of the specific implementation of implementation 3 is shown in fig. 5, and includes the following steps:
and step 5-1, when AK of the mobile station stored in a certain base station is lost, the base station does not send a message to an Authenticator.
In this scheme, the Authenticator does not need to know the serving base station where the mobile station is currently located, and therefore, when the mobile station is switched to access a certain base station, the base station does not send a request message to the Authenticator.
When the AK stored by a certain base station is lost, the base station does not send a message to the Authenticator. The Authenticator may still use the PMK corresponding to the mobile station.
Step 5-2: when the mobile station is switched to the base station that lost the AK, the base station immediately initiates a re-authentication process of the mobile station.
When a mobile station is handed over to a base station that has lost AK, the base station immediately initiates a re-authentication procedure for the mobile station.
When the mobile station is switched to other target base stations, if the other target base stations already store AK for the mobile station, the mobile station does not need to be authenticated again, and the other target base stations still continue to use the AK and the context information thereof stored for the mobile station.
If the other target base station does not store an AK for the mobile station, the mobile station does not need to be re-authenticated. The Authenticator then needs to generate new AK and context information for the mobile station under the base station. The Authenticator still uses the PMK corresponding to the mobile station to generate the AK and context information of the mobile station under the base station.
The processing procedure of implementation scheme 4 is as follows: when the AK information that the mobile station stores for a specific base station is lost, the mobile station initiates a re-authentication process at the current serving base station. Alternatively, the mobile station initiates a re-authentication process when it moves to that particular base station.
When a mobile station is handed over to a base station whose AK information has not been lost, if that base station already stores an AK for the mobile station, the authentication procedure of the mobile station is not initiated, and the base station still uses the AK stored for the mobile station and its context information.
When a mobile station is handed over to a base station whose AK has not been lost, if that base station does not store an AK for the mobile station, the Authenticator uses the PMK corresponding to the mobile station to generate the AK and context information of the mobile station under that base station.
In this scheme, when the AK information that the mobile station stores for a specific base station is not lost, the base station still sends the above-mentioned request message for obtaining the AK of the mobile station when the mobile station accesses it on handover, and performs the corresponding processing according to the response message returned by the Authenticator.
In the above four implementation schemes, after the re-authentication process of the mobile station is initiated, all the base stations storing the AK of the mobile station need to delete the stored AK information. Alternatively, the AK and AK context of the mobile station that were used before are no longer used.
In a specific implementation, the Authenticator can be used to inform all base stations that have generated keys using the mobile station's PMK that their stored AK information is to be deleted or no longer used. A better processing method is as follows: after the mobile station is handed over to a base station, regardless of whether that base station stores AK information of the mobile station, the base station informs the Authenticator before verifying the HMAC/CMAC and performs the procedure described in embodiment 1. In this way the Authenticator can know, under any condition, whether the AK currently used by the base station is valid, and at the same time knows the base station where the mobile station is currently located. Therefore, when a base station loses the AK and the PMK must be treated as invalid at that time, the Authenticator knows the current serving base station of the MS and can inform that base station so that the terminal initiates a re-authentication request. Meanwhile, since the base station informs the Authenticator before HMAC/CMAC verification whether it has retained the AK, the AKs generated before the PMK became invalid are invalidated, and no new AK and AK context are generated from that PMK any more. This also ensures normal and secure communication between the base station and the MS.
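As an added illustration, not code from the patent and not an implementation of the IEEE 802.16 key hierarchy, the following Python model walks through the exchange described above and in claims 1, 6 and 8: the base station's AK request on network entry, the Authenticator's three reply cases, the PMK failure report when a base station finds its AK missing, and the revocation of every AK derived from the old PMK once re-authentication completes. The class and message names, the keyed-hash AK derivation, and the choice to let the requesting (serving) base station act directly on the Authenticator's re-authentication reply are assumptions made for this example.

```python
import hashlib, hmac, os

class Authenticator:
    """Constructed model: per mobile station it keeps the PMK, the base stations
    that received an AK derived from it, and the current serving base station."""
    def __init__(self):
        self.pmk = {}         # ms_id -> PMK bytes, or None after a PMK failure report
        self.ak_holders = {}  # ms_id -> set of bs_id that were given an AK
        self.serving_bs = {}  # ms_id -> bs_id the MS currently accesses (for re-auth)

    def authentication_done(self, ms_id):
        """(Re-)authentication finished: install a fresh PMK and return the base
        stations holding AKs from the old PMK, which must delete them."""
        revoked = self.ak_holders.get(ms_id, set())
        self.pmk[ms_id] = os.urandom(32)     # constructed PMK for the example
        self.ak_holders[ms_id] = set()
        return revoked

    def ak_request(self, ms_id, bs_id):
        if ms_id not in self.pmk:
            return "reject", None            # step D: no authentication info for MS
        self.serving_bs[ms_id] = bs_id       # record where the MS now is
        if bs_id in self.ak_holders[ms_id]:
            return "already_provided", None  # this BS was given the AK earlier
        if self.pmk[ms_id] is None:
            return "reauth", None            # PMK reported failed: derive nothing
        # Assumed derivation: keyed hash over both identities (not the 802.16 KDF).
        ak = hmac.new(self.pmk[ms_id], f"{ms_id}|{bs_id}".encode(), hashlib.sha256).digest()
        self.ak_holders[ms_id].add(bs_id)
        return "created", ak

    def pmk_failure(self, ms_id):
        """Scheme B: a base station lost its AK; stop deriving AKs from this PMK."""
        if ms_id in self.pmk:
            self.pmk[ms_id] = None

class BaseStation:
    def __init__(self, bs_id, auth):
        self.bs_id, self.auth, self.ak_cache = bs_id, auth, {}

    def revoke(self, ms_id):
        self.ak_cache.pop(ms_id, None)       # delete AK after the MS re-authenticated

    def ms_enters(self, ms_id):
        """Network (re-)entry: request the AK and act on the reply as in claim 8."""
        status, ak = self.auth.ak_request(ms_id, self.bs_id)
        if status == "created":
            self.ak_cache[ms_id] = ak
            return "use_ak"
        if status == "already_provided" and ms_id in self.ak_cache:
            return "use_ak"                  # keep the stored AK and its context
        if status == "already_provided":
            self.auth.pmk_failure(ms_id)     # AK lost here: report it, then re-auth
        return "reauth"
```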
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A method for securing communications between a mobile station and a base station, comprising:
A. when the authentication key AK information of the mobile station stored in the base station is lost, the base station losing the AK information sends a re-authentication request message to an Authenticator, and the Authenticator receives the re-authentication request message and informs a service base station where the mobile station is located to initiate a re-authentication process of the mobile station;
or,
B. when the authentication key AK information of the mobile station stored in the base station is lost, the base station losing the AK information sends a pairwise master key PMK failure message for the mobile station to an Authenticator, and after the Authenticator receives the PMK failure message, when the Authenticator determines that an AK needs to be generated using the PMK, the Authenticator informs a serving base station where the mobile station is located to initiate a re-authentication process of the mobile station.
2. The method of claim 1, wherein B further comprises:
when the mobile station is switched to the base station losing the AK, the base station sends an authentication failure message to the mobile station through an air interface, and the mobile station initiates a re-authentication process after receiving the message;
or,
when the mobile station is switched to the base station losing the AK, the base station, during the handover preparation interaction carried out with the previous serving base station of the mobile station over a backbone network, informs the previous serving base station to instruct the mobile station to re-authenticate immediately after the handover;
or,
when the mobile station is switched to the base station losing the AK, the base station carries re-authentication indication information in a ranging response RNG-RSP message sent to the mobile station, and the mobile station initiates a re-authentication process in a network re-entry process after acquiring the indication information.
3. The method of claim 1, wherein B further comprises:
when the mobile station is handed over to another base station that has not lost the AK, if the other base station already stores an AK for the mobile station, the authentication procedure of the mobile station is not initiated, and the other base station still uses the AK stored for the mobile station and its context information.
4. The method of claim 1, wherein the determining that AK generation using the PMK is required by the Authenticator in B comprises:
when the mobile station is switched to other base stations that have not lost the AK, if the other base stations do not store the AK for the mobile station, the other base stations request the AK of the mobile station from the Authenticator, and the Authenticator determines that the AK needs to be generated for the other base stations using the PMK.
5. The method of claim 1, wherein the method further comprises:
when the AK information that the mobile station stores for a certain previously accessed specific base station is lost, the mobile station initiates a re-authentication process at the current serving base station.
6. Method for securing communications between a mobile station and a base station according to claims 1, 2, 3, 4 or 5, characterized in that said A or B is preceded by:
C. when a certain base station has access of a mobile station, the certain base station sends a request message for requesting to obtain AK of the mobile station to an Authenticator;
D. after receiving the request message, the Authenticator returns a corresponding response message to the certain base station according to the authentication information of the mobile station and the base station stored in the Authenticator, and the certain base station performs corresponding processing according to the response message returned by the Authenticator.
7. The method of claim 6, wherein the request message sent by the base station to the Authenticator for requesting to acquire the AK of the mobile station includes the identity of the base station and the identity of the mobile station.
8. The method as claimed in claim 7, wherein the step D specifically comprises:
when the Authenticator does not store the authentication information of the mobile station, the Authenticator returns a response message rejecting the request to the certain base station, and the certain base station initiates a re-authentication process of the mobile station after receiving the response message;
or,
when the Authenticator stores the authentication information of the mobile station and judges, according to the stored authentication information, that the AK and the context information of the mobile station have already been created for the certain base station in the current authentication period, the Authenticator returns a response message indicating that the AK information has been provided to the certain base station and records the information of the serving base station where the mobile station is currently located; after receiving the response message, the certain base station checks whether the AK and the context information of the mobile station are stored, and if so, the AK and the context continue to be used; otherwise, the re-authentication process of the mobile station is initiated;
or,
when the Authenticator stores the authentication information of the mobile station and judges, according to the stored authentication information, that the AK of the mobile station has not been created for the certain base station in the current authentication period, the Authenticator creates the AK and partial context information of the mobile station according to the stored authentication information of the mobile station and the mobile station identifier and base station identifier obtained from the received request message, transmits the AK and partial context information to the certain base station in the response message, and at the same time records the base station identifier for the mobile station.
9. The method of claim 8, wherein the method further comprises:
after the serving base station initiates a re-authentication process of the mobile station, the Authenticator notifies all base stations storing the AK and context information of the mobile station that the AK and AK context of the mobile station used before are no longer used, and/or deletes the AK and context information of the mobile station stored therein;
or,
after the certain base station receives the response message returned by the Authenticator that carries the AK and AK context created for the mobile station, the Authenticator informs all base stations that the AK and AK context of the mobile station used before are no longer to be used and/or that the AK and context information of the mobile station stored in those base stations is to be deleted.
CN200510132070A 2005-12-21 2005-12-21 Method for enshuring communication safety between mobile station and base station Expired - Fee Related CN1988716B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200510132070A CN1988716B (en) 2005-12-21 2005-12-21 Method for enshuring communication safety between mobile station and base station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200510132070A CN1988716B (en) 2005-12-21 2005-12-21 Method for enshuring communication safety between mobile station and base station

Publications (2)

Publication Number Publication Date
CN1988716A CN1988716A (en) 2007-06-27
CN1988716B true CN1988716B (en) 2010-05-05

Family

ID=38185310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200510132070A Expired - Fee Related CN1988716B (en) 2005-12-21 2005-12-21 Method for enshuring communication safety between mobile station and base station

Country Status (1)

Country Link
CN (1) CN1988716B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1337134A (en) * 1999-01-08 2002-02-20 艾利森电话股份有限公司 Reuse of security associations for improving hand-over performance

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1337134A (en) * 1999-01-08 2002-02-20 艾利森电话股份有限公司 Reuse of security associations for improving hand-over performance

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
IEEE.PMK context separation from AK context.IEEE 802.16 Broadband Wireless Access Working Group.2005,1-7. *

Also Published As

Publication number Publication date
CN1988716A (en) 2007-06-27

Similar Documents

Publication Publication Date Title
EP3576446B1 (en) Key derivation method
US11863982B2 (en) Subscriber identity privacy protection against fake base stations
CN108293223B (en) Data transmission method, user equipment and network side equipment
EP3761598B1 (en) Generating keys for protection in next generation mobile networks
EP2702741B1 (en) Authenticating a device in a network
CN101083839B (en) Cipher key processing method for switching among different mobile access systems
CN109922474B (en) Method for triggering network authentication and related equipment
EP1414262A1 (en) Authentication method for fast handover in a wireless local area network
CN100488281C (en) Method for acquring authentication cryptographic key context from object base station
WO2006044251A2 (en) Method for performing authenticated handover in a wireless local area network
CN102106111A (en) Method of deriving and updating traffic encryption key
AU1828001A (en) Method and apparatus for performing a key update using update key
US20110135095A1 (en) Method and system for generating key identity identifier when user equipment transfers
CN101102600A (en) Secret key processing method for switching between different mobile access systems
JP2012527203A (en) Key generation method and system in switching process
WO2011053680A2 (en) Authenticator relocation method for wimax system
CN1964259B (en) A method to manage secret key in the course of switch-over
CN101026866A (en) AK context cache method for wireless communication system
CN104507065B (en) Non-repudiation charging method in heterogeneous wireless network
CN101742492B (en) Key processing method and system
CN101610511A (en) The guard method of terminal privacy and device
WO2007025484A1 (en) Updating negotiation method for authorization key and device thereof
CN1988716B (en) Method for enshuring communication safety between mobile station and base station
CN111836262B (en) Authentication method and device
KR100330418B1 (en) Authentication Method in Mobile Communication Environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100505

Termination date: 20141221

EXPY Termination of patent right or utility model