WO2007104259A1 - method for implementing secure assurance in an Enhanced Access Network and the system thereof - Google Patents


Info

Publication number
WO2007104259A1
Authority
WO
WIPO (PCT)
Prior art keywords
access network
counter
agw
evolved
base station
Prior art date
Application number
PCT/CN2007/000813
Other languages
French (fr)
Chinese (zh)
Inventor
Binsong Tang
Jing Chen
Original Assignee
Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity

Definitions

  • the present invention relates to network and communication technologies, and more particularly to the field of network security technologies, and in particular, to a method and system for implementing security assurance in an evolved access network.
  • LTE Long Term Evolution
  • SAE System Architecture Evolution
  • FIG. 1 shows the architecture of the LTE/SAE access network.
  • the aGW E-UTRAN Access Gateway
  • the ingress gateway is located in a secure physical location.
  • the eNodeB or the evolved Node B is an evolved base station in the E-UTRAN, which is in an insecure physical location and is highly likely to be attacked.
  • the channel on the air interface is an extremely unstable channel, the possibility of packet loss on this channel is very high; in addition, due to the wireless nature of the air interface, an attacker can easily initiate packet insertion on the air interface.
  • the eNodeB is in an insecure physical location and is highly vulnerable to malicious attacks. Consequently, E-UTRAN urgently needs a scheme that can provide a security guarantee, so as to ensure that the uplink and downlink data volumes between the user equipment (UE, User Equipment) and E-UTRAN are consistent.
  • An embodiment of the present invention provides a method and a system for implementing security assurance in an evolved access network, which check whether the amount of data transmitted between the UE and the access network is consistent, so as to further determine the security of the evolved access network according to the check result.
  • Embodiments of the present invention provide a method for implementing security assurance in an evolved access network, in which the user side and the network side are each provided with at least one counter for counting the amount of data transmitted between the UE and the evolved access network, and the method includes the following steps:
  • the embodiment of the invention further provides a system for implementing security guarantee in an evolved access network, including:
  • a first counter configured on the user side, for counting the amount of data transmitted between the UE and the access network
  • a second counter configured on the network side, for counting the amount of data transmitted between the UE and the access network
  • a determining unit configured to compare data volume values transmitted between the UE and the access network calculated by the first and second counters
  • the processing unit performs corresponding processing according to the comparison result of the determining unit.
  • the UE and the evolved access network respectively maintain one or more counters, where the counter value is used to indicate the amount of data transmitted between the UE and the evolved access network; when the set condition is met, the evolved access network initiates a data volume check to the UE
  • the UE or the evolved access network compares the counter value provided by the peer end with the counter value maintained by itself, and the evolved access network performs subsequent processing according to the comparison result of the counter values, to determine the security of the evolved access network.
  • the information or signaling and the message transmitted between the UE and the evolved access network are integrity-protected by using a key shared between the UE and the evolved access network, and the periodic local authentication is further implemented by the integrity protection.
  • FIG. 1 is a schematic diagram of an LTE/SAE access network architecture
  • FIG. 2A is a flowchart of a method for detecting, by the UE side, whether the amount of received data is consistent with the amount of data sent by the network side to implement security guarantee in an embodiment of the present invention
  • FIG. 2B is a flowchart of a method for detecting, by the network side, whether the amount of received data is consistent with the amount of data sent by the network side to implement security guarantee in another embodiment of the present invention
  • FIG. 3 is a flowchart of a method for implementing security assurance in a first embodiment of the present invention
  • FIG. 4 is a flowchart of a method for implementing security assurance in a second embodiment of the present invention
  • FIG. 5 is a flowchart of a method for implementing security assurance in a third embodiment of the present invention
  • FIG. 6B is a schematic diagram of a UE performing handover between different aGWs according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of a system for implementing security guarantee according to an embodiment of the present invention.
  • the UE and the evolved access network respectively maintain one or more counters, and the counter is used to count the amount of data transmitted between the UE and the evolved access network, that is, the counter value changes as the amount of transmitted data changes.
  • the evolved access network initiates a data volume check to the UE when the set condition is met, and the UE or the evolved access network compares the counter value provided by the peer end with its own counter value.
  • the evolved access network performs subsequent processing according to whether the counter values are the same or not.
  • the counter may be a single counter whose value indicates the amount of all data transmitted; or an uplink counter and a downlink counter, where the uplink counter value indicates the amount of uplink data transmitted and the downlink counter value indicates the amount of downlink data transmitted; or a context counter whose value indicates the amount of data transmitted on a certain context; or a context uplink counter and a context downlink counter, where the context uplink counter value indicates the amount of uplink data transmitted on a certain context and the context downlink counter value indicates the amount of downlink data transmitted on that context.
  • the setting conditions described above may be such that the set period expires, or one or more counter values reach the set value, or an inspection command is received, and the like.
  • if a counter on the user end of the evolved access network has a value inconsistent with its corresponding network side counter, the follow-up process specifically includes the following:
  • the evolved access network may end the current data volume checking process
  • the evolved access network may release the connection between the UE and the evolved access network, or report an error to the upper layer.
  • FIG. 2A is a schematic diagram of a first implementation manner of the present invention. As shown in FIG. 2A, the UE and the evolved access network respectively maintain one or more counters, and the counter value is used to indicate the actual amount of data transmitted between the UE and the evolved access network; the implementation includes the following steps:
  • Step 201a The evolved access network provides the UE with a counter value maintained by itself when the set condition is met. If there are multiple UE related counters maintained in the evolved access network and multiple counters need to be checked, the evolved access network may simultaneously provide some or all of the UE related counter values to the UE.
  • Step 202a After receiving the counter value provided by the evolved access network, the UE compares the received counter value with its own counter value to determine whether the counter value is consistent. If the evolved access network simultaneously provides multiple counters to the UE, the UE compares the received counter value with its corresponding counter value. For example, the evolved access network simultaneously provides the uplink counter and the downlink counter to the UE, and the UE will The received uplink counter value is compared with its own uplink counter value, and the received downlink counter value is compared with its own downlink counter value.
  • Step 203a The UE provides a check result to the evolved access network. Specifically, if the counter values are consistent, the UE may send an empty message to the evolved access network to notify it that there is no counter with an inconsistent value; if there are inconsistent counters, the UE provides the counters with inconsistent values to the evolved access network.
  • Step 204a After receiving the check result, the evolved access network performs subsequent processing according to whether there is a counter with a value inconsistency.
  • the evolved access network may perform operations such as disconnection and reporting errors for counters with inconsistent values, and may perform no other processing for counters with consistent values.
  • FIG. 2B is a schematic diagram of a second implementation manner of the present invention. As shown in FIG. 2B, the UE and the evolved access network maintain one or more counters respectively, and the counter value is used to indicate the amount of data transmitted between the UE and the evolved access network.
  • the specific implementation includes the following steps:
  • Step 201b The evolved access network initiates a check of the amount of data to the UE when the set condition is met.
  • Step 202b After obtaining the check of the amount of data initiated by the evolved access network, the UE provides its own counter value to the evolved access network. If multiple counters are maintained in the UE and multiple counters are currently required to be checked, the UE may simultaneously provide some or all of the counter values to the evolved access network.
  • Step 203b After receiving the counter value provided by the UE, the evolved access network compares the received counter value with its counter value to determine whether the counter value of the evolved access network is consistent with the counter value of the UE. If the UE simultaneously provides multiple counters to the evolved access network, the evolved access network compares the received counter with the corresponding counter maintained by itself, for example, the UE simultaneously provides an uplink counter and a downlink counter to the evolved access network. The evolved access network compares the received uplink counter with its own maintained uplink counter, and compares the received downlink counter with its own downlink counter.
  • Step 204b The evolved access network performs subsequent processing according to whether its own counter value is consistent with the counter value of the UE.
  • for counters with inconsistent values, the evolved access network may perform subsequent operations such as disconnection and reporting an error; for counters with consistent values, it may perform no other processing.
  • the UE and the evolved access network may also each provide the peer with the counter maintained by itself; each side then compares the received counter with the counter it maintains, the UE returns its check result to the evolved access network, and the evolved access network determines whether the received check result is consistent with the check result it obtained itself.
  • if the two check results are consistent and there is a counter with an inconsistent value, the evolved access network may perform subsequent operations such as disconnecting the related connection and reporting an error for the counters with inconsistent values; if the two check results are inconsistent and there is a counter with an inconsistent value, the evolved access network may check the amount of data transmitted by the UE again.
  • in the first embodiment (FIG. 3), the UE and the eNodeB respectively maintain one or more counters, the counter value is used to indicate the amount of data transmitted between the UE and the eNodeB, and the specific implementation includes the following steps:
  • Step 301 The eNodeB sends a data volume check request to the UE when the set condition is met, where the data volume check request carries the counter value maintained by the eNodeB. If the eNodeB maintains multiple counters and currently needs to check multiple counters, the data volume check request may carry multiple counter values.
  • Step 302 After receiving the data volume check request, the UE compares the counter value carried in the data amount check request with its own counter value to determine whether the counter value is consistent.
  • Step 303 The UE returns a data volume check response to the eNodeB. If the corresponding two counter values are consistent, the data volume check response may be a message that does not carry any content, to notify the evolved access network that the corresponding two counter values are consistent. If the corresponding two counter values are inconsistent, the data amount check response carries a counter with a value inconsistency to notify the evolved access network.
  • Step 304 After receiving the data volume check response, the eNodeB performs subsequent processing according to whether there is a counter with a value inconsistency.
  • in the second embodiment (FIG. 4), the UE and the aGW respectively maintain one or more counters, and the counter value is used to indicate the amount of data transmitted between the UE and the aGW.
  • the specific implementation includes the following steps:
  • Step 401 When the setting condition is satisfied, the aGW sends a data amount check request to the UE, and starts checking the data amount.
  • Step 402 After receiving the data volume check request, the UE returns a data volume check response to the aGW, where the data volume check response carries the counter value maintained by the UE. If there are multiple counters maintained in the UE and multiple counters need to be checked currently, the data volume check response carries some or all of the counter values.
  • Step 403 After receiving the data volume check response, the aGW compares the counter value carried in the data amount check response with the counter value maintained by itself, and determines whether there is a counter with a value inconsistency.
  • Step 404 The aGW performs subsequent processing according to whether there is a counter with inconsistent values.
  • the present embodiment is described using the second implementation manner; in actual applications, the first implementation manner may also be used.
  • the aGW may report the UE abnormality to the core network (CN, Core Network), and the CN may add the corresponding UE to the blacklist and reject the UE from accessing the network.
  • here, one time refers to one check in which the counter values are found to be inconsistent; the number of times may be accumulated consecutively or non-consecutively.
  • the manners in the first embodiment and the second embodiment may be combined to perform both the check of the amount of data transmitted between the UE and the eNodeB and the check of the amount of data transmitted between the UE and the aGW, and the aGW then analyzes the state of the eNodeB and the connections according to the two check results.
  • in the third embodiment (FIG. 5), the UE and the eNodeB respectively maintain one or more counters, such as an N-Counter, whose value is used to indicate the amount of data transmitted between the UE and the eNodeB
  • the UE and the aGW respectively maintain one or more counters, such as a G-Counter, whose value is used to indicate the amount of data transmitted between the UE and the aGW.
  • the specific implementation includes the following steps:
  • Step 501 According to the first implementation manner or the second implementation manner, the aGW checks the data volume transmitted between the UE and the aGW, and the aGW obtains the G-Counter check result.
  • Step 502 to step 503 According to the first implementation manner or the second implementation manner, the eNodeB checks the data volume transmitted between the UE and the eNodeB, obtains the N-Counter check result, and then reports the N-Counter check result to the aGW.
  • Step 501 and steps 502 to 503 have no fixed execution order: step 501 may be performed first and then steps 502 to 503; steps 502 to 503 may be performed first and then step 501; or step 501 and steps 502 to 503 may be performed at the same time.
  • Step 504 By checking the N-Counter, it is determined whether the connection between the UE and the eNodeB is normal; by checking the G-Counter, it can be determined whether the eNodeB or the connection between the eNodeB and the aGW is normal. Therefore, the aGW can analyze the status of the eNodeB and the connections from the N-Counter and G-Counter check results. The specific analysis is as follows:
  • if the N-Counter and G-Counter check results are both consistent, it indicates that the eNodeB, the connection between the UE and the eNodeB, and the connection between the eNodeB and the aGW are all normal. If the N-Counter check result is consistent and the G-Counter check result is inconsistent, the connection between the UE and the eNodeB is normal, and the eNodeB or the connection between the eNodeB and the aGW is abnormal; this is because the N-Counter reflects the amount of data transmitted between the UE and the eNodeB over the air interface, whereas the G-Counter reflects the amount of data transmitted between the UE and the aGW, which includes the air interface data transmission.
  • if the check results of the N-Counter and the G-Counter are both inconsistent, it indicates that the eNodeB, or the connection between the UE and the eNodeB, or the connection between the eNodeB and the aGW is abnormal.
  • the aGW may determine the subsequent operation according to the analysis result. For example, if the analysis result is an eNodeB abnormality, the aGW may notify the UE or the eNodeB to release the connection between the UE and the eNodeB, and further enable the UE to select another eNodeB for communication; if the analysis result is that the connection between the eNodeB and the aGW is abnormal, the aGW releases the connection with the eNodeB.
  • the aGW may also report to the CN, and the CN may add the corresponding UE to the blacklist and deny the UE access to the network.
  • the information or signaling and the messages transmitted between the UE and the evolved access network are integrity protected by using a key shared between the UE and the evolved access network, and periodic local authentication can be further implemented by the integrity protection. That is, the evolved access network or the UE integrity-protects the signaling it sends to the peer using the shared key; if the peer verifies that the received information matches its integrity protection, the current local authentication is passed.
  • when the UE performs handover between different eNodeBs or different aGWs, the counters maintained by the UE and the target eNodeB, or by the UE and the target aGW, must be kept consistent, and a maintenance scheme for the counters is also proposed in the present invention.
  • when the UE is switched from the source eNodeB to the target eNodeB, consistency of the counters maintained by the target eNodeB and the UE can be implemented in three ways:
  • a processing method is that the target eNodeB requests the source eNodeB to provide a counter related to the UE that is maintained by the source eNodeB, and after receiving the request, the source eNodeB provides the target eNodeB with a counter related to the UE that is maintained by itself;
  • Another processing method is that the target eNodeB requests the UE to provide a counter maintained by the UE, and after receiving the request, the UE provides the target eNodeB with a counter maintained by itself;
  • the third processing method is that after the UE completes the handover of the eNodeB, it actively provides the counter to the target eNodeB for maintenance, and the counters maintained by the target eNodeB and the UE can be consistent under the normal conditions.
  • the information or signaling and the message transmitted between the source eNodeB and the target eNodeB and between the UE and the target eNodeB are integrity protected by using a key shared between the two.
  • when the UE is switched from the source aGW to the target aGW, consistency of the counters maintained by the target aGW and the UE can be implemented in three ways:
  • a processing method is that the target aGW requests the source aGW to provide a counter related to the UE that is maintained by the source aGW. After receiving the request, the source aGW provides the target aGW with a counter related to the UE that is maintained by itself;
  • Another processing method is that the target aGW requests the UE to provide the counter maintained by the UE, and after receiving the request, the UE provides the target aGW with the counter maintained by itself;
  • the third processing method is that after the UE completes the aGW handover, the UE actively provides its counter to the target aGW for maintenance.
  • the process described above enables the target aGW and the counter maintained by the UE to be consistent under normal conditions.
  • the information or signaling and the message transmitted between the source aGW and the target aGW and between the UE and the target aGW are integrity protected by using a key shared between the two.
  • the evolved base station in the evolved access network is referred to as an eNodeB; in actual applications it may also be referred to as an evolved Node B
  • the function is the same whether it is called an eNodeB or an evolved Node B.
  • the embodiment of the present invention further provides a system for implementing security assurance in an access network, including:
  • a second counter 702 configured on the network side, for counting the amount of data transmitted between the UE and the access network
  • when the set condition is met, such as the set period expires, the counter value reaches the set value, or the check command is received, counting of the amount of data transmitted between the UE and the access network is started, and the values of the first counter and the second counter are denoted Count1 and Count2.
  • the determining unit 703 is configured to compare data volume values transmitted between the UE and the access network calculated by the first and second counters;
  • the processing unit 704 performs corresponding processing according to the comparison result of the determining unit.
  • the processing unit 704 disconnects the current connection or reports an error to the upper layer, and the network performs the corresponding processing.
  • the first and second counters use the key shared by both sides for integrity protection of the values they exchange.
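The check exchange, set conditions, integrity protection and N-Counter/G-Counter analysis described in the list above (and again in the Description below), as an added Python model; this is not code from the patent or from Huawei. The message names, the use of HMAC-SHA256 as the integrity protection, the shared key and the traffic are constructed assumptions.

```python
"""Model of the counter-based data-volume check described in WO2007104259A1.

Added example; this is not code from the patent or from Huawei. The message
names, the HMAC-SHA256 integrity protection, the shared key and the traffic
below are constructed assumptions used to illustrate the scheme.
"""
import hashlib
import hmac
import json


class Endpoint:
    """One side of the check (UE, eNodeB or aGW): its counters plus the shared key."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        # uplink = bytes UE -> network, downlink = bytes network -> UE,
        # each as observed by *this* side of the air interface
        self.counters = {"uplink": 0, "downlink": 0}

    def protect(self, body):
        """Integrity-protect a message with the key shared by both sides."""
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}

    def verify(self, msg):
        """Periodic local authentication: only a peer holding the shared key
        can produce a message whose MAC verifies."""
        payload = json.dumps(msg["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["mac"])


def transmit(sender, receiver, direction, nbytes, delivered=True):
    """Carry data over the (lossy) air interface: the sender always counts,
    the receiver counts only what actually arrives."""
    sender.counters[direction] += nbytes
    if delivered:
        receiver.counters[direction] += nbytes


def inject(receiver, direction, nbytes):
    """Packet insertion on the air interface: only the receiver counts it."""
    receiver.counters[direction] += nbytes


def check_due(endpoint, threshold, period_expired=False, command=False):
    """Set condition for starting a check: the set period expires, a counter
    reaches the set value, or a check command is received."""
    reached = any(v >= threshold for v in endpoint.counters.values())
    return period_expired or reached or command


def data_volume_check(network, ue):
    """Second implementation manner (steps 401-404): the network side sends a
    check request, the UE answers with its counter values, the network side
    compares them with its own. Returns (local_auth_ok, inconsistent_names)."""
    request = network.protect({"type": "DataVolumeCheckRequest"})
    if not ue.verify(request):
        return False, []
    response = ue.protect({"type": "DataVolumeCheckResponse",
                           "counters": dict(ue.counters)})
    if not network.verify(response):
        return False, []
    theirs = response["body"]["counters"]
    bad = sorted(k for k, v in network.counters.items() if v != theirs.get(k))
    return True, bad


def diagnose(n_counter_consistent, g_counter_consistent):
    """Third embodiment (step 504): combine the N-Counter (UE<->eNodeB) and
    G-Counter (UE<->aGW) check results to localise the abnormality."""
    if n_counter_consistent and g_counter_consistent:
        return "normal"
    if n_counter_consistent:
        return "eNodeB or eNodeB-aGW connection abnormal"
    return "eNodeB, UE-eNodeB connection or eNodeB-aGW connection abnormal"


def scenario(injected=0, drop_downlink=False, wrong_key=False):
    """Constructed traffic: three uplink and two downlink packets, then an
    optional air-interface insertion (injected bytes) or loss of the second
    downlink packet. With wrong_key the UE does not hold the shared key."""
    key = b"constructed-shared-key"
    ue, enb = Endpoint("UE", key), Endpoint("eNodeB", key)
    for nbytes in (120, 80, 200):
        transmit(ue, enb, "uplink", nbytes)
    transmit(enb, ue, "downlink", 1500)
    transmit(enb, ue, "downlink", 300, delivered=not drop_downlink)
    if injected:
        inject(enb, "uplink", injected)
    if wrong_key:
        ue.key = b"constructed-attacker-key"
    return data_volume_check(enb, ue)
```

Lost downlink data shows up as a downlink mismatch, inserted uplink data as an uplink mismatch, and a peer without the shared key fails the local authentication before any counter is compared.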

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for implementing security assurance in an Enhanced Access Network includes: a UE and the Enhanced Access Network each set at least one counter, wherein the counter is used to count the data volume transmitted between the UE and the Enhanced Access Network; the Enhanced Access Network initiates the data volume check when the set conditions are satisfied; the UE or the Enhanced Access Network compares the counter value maintained by itself with the counter value provided by the opposite terminal; the Enhanced Access Network performs subsequent processing according to whether the check result shows counters whose values conflict, so that the security of the Enhanced Access Network can be assured according to the check result. A corresponding system is also provided. Furthermore, the information, signaling or messages transmitted between the UE and the Enhanced Access Network all use the secret key shared between the UE and the Enhanced Access Network to perform integrity protection, and periodic local authentication is further achieved through the integrity protection.

Description

A method and system for implementing security assurance in an evolved access network
This application claims priority to Chinese Patent Application No. 200610057590.7, filed with the Chinese Patent Office on March 16, 2006 and entitled "A method for implementing security assurance in an evolved access network", the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to network and communication technologies, and in particular to the field of network security technologies; specifically, it relates to a method and system for implementing security assurance in an evolved access network.
Background Art
To maintain the competitiveness of 3rd Generation Partnership Project (3GPP) access systems, research on Long Term Evolution (LTE) of the network and on System Architecture Evolution (SAE) is under way. The goals of the network evolution are to simplify the network structure and reduce the access delay.
FIG. 1 is a schematic diagram of the LTE/SAE access network architecture. As shown in FIG. 1, the aGW (E-UTRAN Access Gateway) is the access gateway of the E-UTRAN (Enhanced Universal Terrestrial Radio Access Network) and is located in a secure physical location; the eNodeB, or evolved Node B, is the evolved base station in the E-UTRAN, is located in an insecure physical location, and is very likely to be attacked.
Because the air-interface channel is extremely unstable, packet loss on this channel is very likely; in addition, because of the wireless nature of the air interface, an attacker can easily launch packet insertion, packet deletion and similar attacks on it; furthermore, the eNodeB is in an insecure physical location and is highly exposed to malicious attack. Consequently, E-UTRAN urgently needs a scheme that can provide a security guarantee, so as to ensure that the uplink and downlink data volumes between the user equipment (UE, User Equipment) and the E-UTRAN are consistent.
Summary of the Invention
Embodiments of the present invention provide a method and system for implementing security assurance in an evolved access network, which check whether the amount of data transmitted between the UE and the access network is consistent, so as to further determine the security of the evolved access network according to the check result.
An embodiment of the present invention provides a method for implementing security assurance in an evolved access network, in which the user side and the network side are each provided with at least one counter for counting the amount of data transmitted between the UE and the evolved access network, the method comprising the following steps:
counting, on the user side and on the network side respectively, the amount of data transmitted between the user equipment UE and the access network;
comparing the data volume values counted by the user-side and network-side counters for the data transmitted between the user equipment UE and the access network;
performing corresponding processing according to the comparison result.
An embodiment of the present invention further provides a system for implementing security assurance in an evolved access network, comprising:
a first counter, arranged on the user side, for counting the amount of data transmitted between the UE and the access network;
a second counter, arranged on the network side, for counting the amount of data transmitted between the UE and the access network;
a determining unit, for comparing the data volume values counted by the first and second counters for the data transmitted between the UE and the access network;
a processing unit, for performing corresponding processing according to the comparison result of the determining unit.
In the technical solution provided by the embodiments of the present invention, the UE and the evolved access network each maintain one or more counters, whose values indicate the amount of data transmitted between the UE and the evolved access network. When a set condition is met, the evolved access network initiates a data volume check to the UE; the UE or the evolved access network compares the counter value provided by the peer with the counter value it maintains itself, and the evolved access network performs subsequent processing according to the comparison result of the counter values, so as to determine the security of the evolved access network.
In addition, the information, signaling and messages transmitted between the UE and the evolved access network are all integrity protected using a key shared between the UE and the evolved access network, and periodic local authentication is further achieved through this integrity protection.
Brief Description of the Drawings
The accompanying drawings are provided for a further understanding of the invention and form a part of this application. In the drawings:
FIG. 1 is a schematic diagram of the LTE/SAE access network architecture;
FIG. 2A is a flowchart of a method according to an embodiment of the invention in which the UE side checks whether the amount of data it received matches the amount of data sent by the network side, so as to achieve security assurance;
FIG. 2B is a flowchart of a method according to another embodiment of the invention in which the network side checks whether the amount of data received matches the amount of data sent, so as to achieve security assurance;
FIG. 3 is a flowchart of the method for achieving security assurance in the first embodiment of the invention;
FIG. 4 is a flowchart of the method for achieving security assurance in the second embodiment of the invention;
FIG. 5 is a flowchart of the method for achieving security assurance in the third embodiment of the invention;
FIG. 6B is a schematic diagram of a UE handing over between different aGWs in an embodiment of the invention;
FIG. 7 is a schematic diagram of the architecture of the system for achieving security assurance in an embodiment of the invention.
DETAILED DESCRIPTION
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
In the technical solution provided by the embodiments of the invention, the UE and the evolved access network each maintain one or more counters that count the amount of data transmitted between the UE and the evolved access network; that is, a counter value changes as the amount of data transmitted between the UE and the evolved access network changes. When a set condition is met, the evolved access network initiates a data-volume check towards the UE; the UE or the evolved access network compares the counter value provided by the peer with its own counter value, and the evolved access network performs subsequent processing according to whether the counter values are the same.
The counter may be a single counter whose value represents the total amount of data transmitted; or an uplink counter and a downlink counter, the uplink counter value representing the amount of uplink data transmitted and the downlink counter value representing the amount of downlink data transmitted; or a context counter whose value represents the amount of data transmitted on a particular context; or a context uplink counter and a context downlink counter, whose values represent the amount of uplink data and the amount of downlink data transmitted on a particular context, respectively.
The set condition may be satisfied when a set period expires, when one or more counter values reach a set value, when a check command is received, and so on.
The subsequent processing performed according to whether the user-side counter value and the corresponding network-side counter value in the evolved access network are consistent specifically includes:
if the counter value maintained by the UE is consistent with the counter value maintained by the evolved access network, the evolved access network may end the current data-volume check procedure;
if the counter value maintained by the UE is inconsistent with the counter value maintained by the evolved access network, the evolved access network may release the connection between the UE and the evolved access network, or report an error to the upper layer.
FIG. 2A shows the first implementation mode of the invention. As shown in FIG. 2A, the UE and the evolved access network each maintain one or more counters whose values represent the amount of data transmitted between the UE and the evolved access network. The implementation includes the following steps:
Step 201a: When the set condition is met, the evolved access network provides the UE with the counter value it maintains. If the evolved access network maintains several counters relating to the UE and several counters currently need to be checked, the evolved access network may provide the UE with some or all of the counter values relating to that UE at the same time.
Step 202a: After receiving the counter value provided by the evolved access network, the UE compares the received counter value with its own counter value to determine whether the counter values are consistent. If the evolved access network provides several counters to the UE at once, the UE compares each received counter value with its own corresponding counter value; for example, if the evolved access network provides both an uplink counter and a downlink counter, the UE compares the received uplink counter value with its own uplink counter value, and the received downlink counter value with its own downlink counter value.
Step 203a: The UE provides the check result to the evolved access network. Specifically, if the counter values are consistent, the UE may send an empty message to the evolved access network to notify it that no counter has an inconsistent value; if there are counters with inconsistent values, the UE provides those counters to the evolved access network.
Step 204a: After receiving the check result, the evolved access network performs subsequent processing according to whether there are counters with inconsistent values.
If the evolved access network provided several counters to the UE and the UE determines that some of them have inconsistent values, the evolved access network may disconnect the related connection, report an error, and so on, for the counters whose values are inconsistent, while no further processing is needed for the counters whose values are consistent.
FIG. 2B shows the second implementation mode of the invention. As shown in FIG. 2B, the UE and the evolved access network each maintain one or more counters whose values represent the amount of data transmitted between the UE and the evolved access network. The implementation includes the following steps:
Step 201b: When the set condition is met, the evolved access network initiates a data-volume check towards the UE.
Step 202b: On learning that the evolved access network has initiated a data-volume check, the UE provides its own counter value to the evolved access network. If the UE maintains several counters and several counters currently need to be checked, the UE may provide some or all of its counter values to the evolved access network at the same time.
Step 203b: After receiving the counter value provided by the UE, the evolved access network compares the received counter value with its own counter value to determine whether the counter value of the evolved access network is consistent with that of the UE. If the UE provides several counters at once, the evolved access network compares each received counter with the corresponding counter it maintains; for example, if the UE provides both an uplink counter and a downlink counter, the evolved access network compares the received uplink counter with the uplink counter it maintains, and the received downlink counter with its own downlink counter.
Step 204b: The evolved access network performs subsequent processing according to whether its own counter values are consistent with those of the UE.
If several counters were provided and some of the counter values are found to be inconsistent, the evolved access network may correspondingly disconnect, report an error, and so on, for the counters whose values are inconsistent, while no further processing is needed for the counters whose values are consistent.
In addition, when the evolved access network checks whether the amounts of data transmitted between the UE and the evolved access network are consistent, the UE and the evolved access network may each provide the counters they maintain to the peer, each peer then compares the received counters with the counters it maintains, and the UE returns its check result to the evolved access network. The evolved access network then determines whether the received check result agrees with the check result it obtained itself. If the two results agree and there are counters with inconsistent values, the evolved access network may disconnect the related connection, report an error, and so on, for those counters; if the two results do not agree and there are counters with inconsistent values, the evolved access network may repeat the data-volume check with the UE.
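The two data-volume check exchanges above (FIG. 2A: the network sends its values and the UE compares; FIG. 2B: the UE sends its values and the network compares), written out as an added Python example that is not part of the patent. The message layout, HMAC-SHA256 as the integrity protection, the shared key and the traffic are all constructed assumptions; the patent only requires that the messages be integrity-protected with a key shared between the UE and the evolved access network and does not fix a message format or algorithm.

```python
import hashlib
import hmac
import json


class Counters:
    """Data-volume counters one side keeps for a UE (the patent's uplink/downlink variant)."""

    def __init__(self):
        self.values = {"uplink": 0, "downlink": 0}

    def count(self, direction, nbytes):
        self.values[direction] += nbytes

    def snapshot(self, names=None):
        return {n: self.values[n] for n in (names or sorted(self.values))}


def protect(key, payload):
    """Integrity-protect a message with the UE/network shared key.
    HMAC-SHA256 is an assumption; the patent only says a shared key is used."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, msg):
    """Check the MAC; a bad MAC means the peer fails the periodic local authentication."""
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        raise ValueError("integrity check failed")
    return json.loads(msg["body"])


def mismatched(local, received):
    """Names of the received counters whose value differs from the local one."""
    return sorted(n for n, v in received.items() if local.get(n) != v)


def check_mode_a(key, net, ue, names=None):
    """FIG. 2A: the network sends its values, the UE compares and reports mismatches."""
    req = protect(key, {"type": "DATA_VOLUME_CHECK_REQ", "counters": net.snapshot(names)})
    bad = mismatched(ue.values, verify(key, req)["counters"])
    resp = protect(key, {"type": "DATA_VOLUME_CHECK_RESP", "mismatched": bad})
    return verify(key, resp)["mismatched"]


def check_mode_b(key, net, ue, names=None):
    """FIG. 2B: the network only initiates, the UE sends its values, the network compares."""
    req = protect(key, {"type": "DATA_VOLUME_CHECK_REQ", "names": names or sorted(ue.values)})
    wanted = verify(key, req)["names"]
    resp = protect(key, {"type": "DATA_VOLUME_CHECK_RESP", "counters": ue.snapshot(wanted)})
    return mismatched(net.values, verify(key, resp)["counters"])


def decide(bad):
    """Subsequent processing: end the check, or release/report per mismatched counter."""
    return {} if not bad else {n: "release_or_report_error" for n in bad}


def rejects_tampering(key=b"constructed-shared-key"):
    """True if a check message whose MAC was altered in transit is refused."""
    msg = protect(key, {"type": "DATA_VOLUME_CHECK_REQ", "counters": {"uplink": 1}})
    msg["mac"] = "0" * len(msg["mac"])
    try:
        verify(key, msg)
    except ValueError:
        return True
    return False


def scenario(inject_bytes=0):
    """Constructed traffic: both sides count the same frames, then `inject_bytes` of
    downlink data that only the UE sees (e.g. frames injected on the air interface)."""
    key = b"constructed-shared-key"
    net, ue = Counters(), Counters()
    for direction, size in [("uplink", 600), ("downlink", 1400), ("uplink", 200)]:
        net.count(direction, size)
        ue.count(direction, size)
    if inject_bytes:
        ue.count("downlink", inject_bytes)
    return {"mode_a": check_mode_a(key, net, ue), "mode_b": check_mode_b(key, net, ue)}


if __name__ == "__main__":
    print(scenario())        # {'mode_a': [], 'mode_b': []}
    print(scenario(500))     # {'mode_a': ['downlink'], 'mode_b': ['downlink']}
```

Both modes flag the same counter, which is the point of the scheme: the injected frames change only the UE's downlink count, so the next check exposes the discrepancy whichever side does the comparison, and the empty `mismatched` list in the clean case is the "message carrying no content" of step 203a.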
As shown in FIG. 3, in the first embodiment of the invention the UE and the eNodeB each maintain one or more counters whose values represent the amount of data transmitted between the UE and the eNodeB. The implementation includes the following steps:
Step 301: When the set condition is met, the eNodeB sends a data-volume check request to the UE, carrying the counter value maintained by the eNodeB. If the eNodeB maintains several counters and several counters currently need to be checked, the data-volume check request may carry several counter values.
Step 302: After receiving the data-volume check request, the UE compares the counter value carried in the request with its own counter value to determine whether the counter values are consistent.
Step 303: The UE returns a data-volume check response to the eNodeB. If the two corresponding counter values are consistent, the response may be a message carrying no content, notifying the evolved access network that the corresponding counter values are consistent; if the two corresponding counter values are inconsistent, the response carries the counters whose values are inconsistent, so as to notify the evolved access network.
Step 304: After receiving the data-volume check response, the eNodeB performs subsequent processing according to whether there are counters with inconsistent values.
This embodiment has been described using the first implementation mode; in practice it may also be realised using the second implementation mode.
As shown in FIG. 4, in the second embodiment of the invention the UE and the aGW each maintain one or more counters whose values represent the amount of data transmitted between the UE and the aGW. The implementation includes the following steps:
Step 401: When the set condition is met, the aGW sends a data-volume check request to the UE, initiating a data-volume check.
Step 402: After receiving the data-volume check request, the UE returns a data-volume check response to the aGW, carrying the counter value maintained by the UE. If the UE maintains several counters and several counters currently need to be checked, the response carries some or all of the counter values.
Step 403: After receiving the data-volume check response, the aGW compares the counter values carried in the response with the counter values it maintains, and determines whether there are counters with inconsistent values.
Step 404: The aGW performs subsequent processing according to whether there are counters with inconsistent values.
This embodiment has been described using the second implementation mode; in practice it may also be realised using the first implementation mode.
If the number of checks whose result shows inconsistent counter values reaches a set value, the aGW may report the UE as abnormal to the core network (CN), and the CN may put the UE on a blacklist and refuse it access to the network. One occurrence here means one counter check in which a counter value was found to be inconsistent; the occurrences may be counted consecutively or non-consecutively.
In practice, the approaches of the first and second embodiments may also be combined: the amount of data transmitted between the UE and the eNodeB and the amount transmitted between the UE and the aGW are checked separately, and the aGW then analyses the state of the eNodeB and of the connections according to the two check results.
As shown in FIG. 5, in the third embodiment of the invention the UE and the eNodeB each maintain one or more counters, such as an N-Counter, whose values represent the amount of data transmitted between the UE and the eNodeB, and the UE and the aGW each maintain one or more counters, such as a G-Counter, whose values represent the amount of data transmitted between the UE and the aGW. The implementation includes the following steps:
Step 501: Using the first or second implementation mode, the aGW checks the amount of data transmitted between the UE and the aGW and obtains the G-Counter check result.
Steps 502 to 503: Using the first or second implementation mode, the eNodeB checks the amount of data transmitted between the UE and the eNodeB and obtains the N-Counter check result, and then reports the N-Counter check result to the aGW.
There is no fixed order between step 501 and steps 502 to 503: step 501 may be performed first and then steps 502 to 503, or steps 502 to 503 first and then step 501, or step 501 and steps 502 to 503 may be performed at the same time.
Step 504: Since the N-Counter check shows whether the connection between the UE and the eNodeB is normal, and the G-Counter check shows whether the eNodeB, or the connection between the eNodeB and the aGW, is normal, the aGW can analyse the state of the eNodeB and of the connections from the N-Counter and G-Counter check results. The analysis is as follows:
If both the N-Counter and the G-Counter check results are consistent, the eNodeB, the connection between the UE and the eNodeB, and the connection between the eNodeB and the aGW are all normal.
If the N-Counter check result is consistent but the G-Counter check result is inconsistent, the connection between the UE and the eNodeB is normal, and the eNodeB, or the connection between the eNodeB and the aGW, is abnormal.
Because the N-Counter reflects the amount of data transmitted between the UE and the eNodeB over the air interface, while the G-Counter reflects the amount of data transmitted between the UE and the aGW, which is a network-wide transmission volume that includes the air-interface volume, an inconsistent N-Counter result necessarily implies an inconsistent G-Counter result; even if the G-Counter result is consistent in that case, this is treated as the consequence of a network error. Hence, whenever the N-Counter check result is inconsistent, regardless of whether the G-Counter check result is consistent, the UE, or the radio connection between the UE and the eNodeB, is abnormal.
If both the N-Counter and the G-Counter check results are inconsistent, the eNodeB, or the connection between the UE and the eNodeB, or the connection between the eNodeB and the aGW, is abnormal.
The aGW may decide on subsequent operations according to the analysis result. For example, if the analysis finds the eNodeB abnormal, the aGW may notify the UE or the eNodeB to release the connection between the UE and the eNodeB, and may further have the UE select another eNodeB to communicate with; if the analysis finds the connection between the eNodeB and the aGW abnormal, the aGW releases its connection with the eNodeB.
In addition, when the eNodeB reports the N-Counter check result to the aGW, if the number of N-Counter or G-Counter checks that found counters with inconsistent values reaches a set value, the aGW may report to the CN, and the CN may put the UE on a blacklist and refuse it access to the network.
In the description above, N-Counter and G-Counter are used only to distinguish the counters maintained between the UE and the eNodeB from those maintained between the UE and the aGW; they do not limit the names of the counters actually maintained by the eNodeB and the aGW.
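The aGW's analysis of the N-Counter and G-Counter results in step 504, together with the mismatch-count threshold and blacklist described for the second and third embodiments, as an added Python example that is not part of the patent. The element names, the threshold value, the blacklist being held by the aGW object rather than by the CN, and the release action applied when the radio link is the suspect (the patent gives an explicit action only for an abnormal eNodeB or eNodeB-aGW connection) are assumptions made for the example.

```python
from collections import defaultdict


def analyse(n_consistent, g_consistent):
    """aGW analysis of the N-Counter (UE<->eNodeB) and G-Counter (UE<->aGW) check results,
    following the four cases of step 504. Returns the set of suspect elements."""
    if n_consistent and g_consistent:
        return set()
    if n_consistent and not g_consistent:
        return {"eNodeB", "eNodeB-aGW connection"}
    if not n_consistent and g_consistent:
        # G-Counter includes the air-interface volume, so an N mismatch with a G match
        # is treated as a network error; the UE or the radio link is still the suspect.
        return {"UE", "UE-eNodeB radio connection"}
    return {"eNodeB", "UE-eNodeB radio connection", "eNodeB-aGW connection"}


def follow_up(suspects):
    """Subsequent operations for each analysis result. Releasing the UE-eNodeB connection
    for a suspect radio link is an assumption; the patent states it only for a bad eNodeB."""
    actions = []
    if "eNodeB" in suspects or "UE-eNodeB radio connection" in suspects:
        actions.append("release UE-eNodeB connection; UE selects another eNodeB")
    if "eNodeB-aGW connection" in suspects:
        actions.append("release eNodeB-aGW connection")
    return actions


class AGWMonitor:
    """Counts checks with inconsistent counters per UE and blacklists at a threshold.
    consecutive=True resets the count on a clean check; False accumulates (the patent
    allows either). The blacklist is the CN's in the patent; it is kept here for the example."""

    def __init__(self, threshold, consecutive):
        self.threshold = threshold
        self.consecutive = consecutive
        self.mismatches = defaultdict(int)
        self.blacklist = set()

    def record(self, ue_id, n_consistent, g_consistent):
        suspects = analyse(n_consistent, g_consistent)
        if suspects:
            self.mismatches[ue_id] += 1
        elif self.consecutive:
            self.mismatches[ue_id] = 0
        if self.mismatches[ue_id] >= self.threshold:
            self.blacklist.add(ue_id)   # reported to the CN, which then refuses access
        return suspects, follow_up(suspects)

    def admit(self, ue_id):
        return ue_id not in self.blacklist


def demo():
    """Constructed sequence of (N consistent, G consistent) check results for one UE."""
    results = [(True, True), (False, True), (True, True), (False, False), (True, False)]
    cumulative = AGWMonitor(threshold=3, consecutive=False)
    consecutive = AGWMonitor(threshold=3, consecutive=True)
    for n_ok, g_ok in results:
        cumulative.record("ue-1", n_ok, g_ok)
        consecutive.record("ue-1", n_ok, g_ok)
    return cumulative.admit("ue-1"), consecutive.admit("ue-1")


if __name__ == "__main__":
    print(demo())   # (False, True): three mismatches in total, never three in a row
```

The same five check results blacklist the UE under cumulative counting but not under consecutive counting, which is the operational difference between the two counting rules the description leaves open.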
The information, signaling and messages transmitted between the UE and the evolved access network are all integrity-protected using a key shared between the UE and the evolved access network, and this integrity protection further provides periodic local authentication: the evolved access network or the UE sends the peer signaling that is integrity-protected with the shared key, and if the peer's information matches the integrity-protected information, the peer passes the current local authentication.
Furthermore, when a UE hands over between different eNodeBs or different aGWs, the invention also proposes a counter maintenance scheme to ensure that the counters maintained by the UE and by the eNodeB after handover, or by the UE and the aGW after handover, remain consistent.
As shown in FIG. 6A, when the UE hands over from a source eNodeB to a target eNodeB, consistency between the counters maintained by the target eNodeB and by the UE can be achieved in three ways:
In the first, the target eNodeB requests the source eNodeB to provide the UE-related counters it maintains, and the source eNodeB, on receiving the request, provides the target eNodeB with the UE-related counters it maintains.
In the second, the target eNodeB requests the UE to provide the counters it maintains, and the UE, on receiving the request, provides the target eNodeB with the counters it maintains.
In the third, after completing the eNodeB handover the UE provides the counters it maintains to the target eNodeB on its own initiative.
Through the processing described above, the counters maintained by the target eNodeB and by the UE remain consistent under normal conditions. The information, signaling and messages transmitted between the source eNodeB and the target eNodeB, and between the UE and the target eNodeB, are integrity-protected using the key shared between the two parties.
As shown in FIG. 6B, when the UE hands over from a source aGW to a target aGW, consistency between the counters maintained by the target aGW and by the UE can likewise be achieved in three ways:
In the first, the target aGW requests the source aGW to provide the UE-related counters it maintains, and the source aGW, on receiving the request, provides the target aGW with the UE-related counters it maintains.
In the second, the target aGW requests the UE to provide the counters it maintains, and the UE, on receiving the request, provides the target aGW with the counters it maintains.
In the third, after completing the aGW handover the UE provides the counters it maintains to the target aGW on its own initiative.
Through the processing described above, the counters maintained by the target aGW and by the UE remain consistent under normal conditions. The information, signaling and messages transmitted between the source aGW and the target aGW, and between the UE and the target aGW, are integrity-protected using the key shared between the two parties.
If the UE must also hand over between eNodeBs while handing over between aGWs, the counters of the target eNodeB and the UE are kept consistent in the same way as described above for FIG. 6A.
In this invention the evolved base station in the evolved access network is called an eNodeB; in practice it may also be called an evolved Node B. Its function is the same whether it is called an eNodeB or an evolved Node B.
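The three counter-synchronisation methods at handover, followed by the ordinary data-volume check on the target node, as an added Python example that is not part of the patent. HMAC-SHA256 for the integrity protection, the key names, the counter values and the on-path modification are assumptions; the patent requires only that the transfer be integrity-protected with the key shared between the two parties.

```python
import hashlib
import hmac
import json


def counter_mac(key, counters):
    """Integrity tag over a counter set (HMAC-SHA256 is an assumption)."""
    body = json.dumps(counters, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def deliver(key, counters, tamper=False):
    """Send a counter set with its tag; the receiver recomputes the tag before accepting it."""
    tag = counter_mac(key, counters)
    if tamper:  # constructed on-path modification of the transferred value
        counters = dict(counters, downlink=counters["downlink"] + 1)
    if not hmac.compare_digest(counter_mac(key, counters), tag):
        raise ValueError("counter transfer failed integrity check")
    return dict(counters)


def handover(method, ue_counters, source_counters, keys, tamper=False):
    """Bring the target node's counters in line with the UE's after handover.
    keys holds the shared keys of the source<->target and UE<->target interfaces."""
    if method == "from_source":   # target asks the source node for the UE's counters
        return deliver(keys["source_target"], source_counters, tamper)
    if method == "request_ue":    # target asks the UE for its counters
        return deliver(keys["ue_target"], ue_counters, tamper)
    if method == "ue_push":       # UE sends its counters unprompted once handover completes
        return deliver(keys["ue_target"], ue_counters, tamper)
    raise ValueError("unknown method: %s" % method)


def post_handover_check(ue_counters, target_counters):
    """The normal data-volume check, run on the target node after handover."""
    return sorted(n for n, v in ue_counters.items() if target_counters.get(n) != v)


def demo(method, synced=True, tamper=False):
    """Constructed counters: source and UE agree; the target starts at zero unless synced."""
    keys = {"source_target": b"k-src-tgt", "ue_target": b"k-ue-tgt"}
    ue = {"uplink": 800, "downlink": 1400}
    source = dict(ue)
    if synced:
        target = handover(method, ue, source, keys, tamper)
    else:
        target = {"uplink": 0, "downlink": 0}
    return post_handover_check(ue, target)


def transfer_rejected(method):
    """True if a counter set altered on the path is refused by the target node."""
    try:
        demo(method, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo("from_source"))               # []
    print(demo("ue_push", synced=False))     # ['downlink', 'uplink']
```

Without the transfer the first check after handover reports every counter as inconsistent, so the scheme would release a perfectly healthy connection; the integrity tag stops an on-path party from handing the target a counter set that would mask a real discrepancy.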
Referring to FIG. 7, embodiments of the invention further provide a system for implementing security assurance in an access network, comprising:
a first counter 701, located on the user side, for counting the amount of data transmitted between the UE and the access network;
a second counter 702, located on the network side, for counting the amount of data transmitted between the UE and the access network;
when a set condition is met, for example a set period expires, a counter value reaches a set value, or a check command is received, the amount of data transmitted between the UE and the access network is counted, the values of the first and second counters being denoted Count1 and Count2 respectively;
a determining unit 703, for comparing the data-volume values counted by the first and second counters for the data transmitted between the UE and the access network;
a processing unit 704, for performing corresponding processing according to the comparison result of the determining unit.
When the data-volume values Count1 and Count2 counted by the first and second counters for the data transmitted between the UE and the access network are the same, the data transmission between the UE and the access network is judged normal; when Count1 and Count2 differ, the processing unit 704 disconnects the current connection or reports an error to the upper layer, and the network performs the corresponding processing.
More preferably, the first and second counters are integrity-protected using the key shared between the two sides.
The above embodiments serve to illustrate and explain the principles of the invention. It will be understood that the specific implementations of the invention are not limited to these. Various changes and modifications that a person skilled in the art may make without departing from the substance and scope of the invention fall within the scope of protection of the invention. The scope of protection of the invention is therefore defined by the claims.

Claims

1. A method for implementing security assurance in an evolved access network, characterised in that the user side and the network side are each provided with at least one counter for counting the amount of data transmitted between the UE and the evolved access network, the method comprising the following steps:
counting, on the user side and on the network side respectively, the amount of data transmitted between the user terminal UE and the access network;
comparing the data-volume values counted by the user-side and network-side counters for the data transmitted between the user terminal UE and the access network;
performing corresponding processing according to the comparison result.
2. The method according to claim 1, characterised in that the step of comparing the data-volume values counted by the UE-side and network-side counters for the data transmitted between the UE and the access network specifically comprises:
when the set condition is met, the evolved access network initiating a data-volume check request towards the UE;
the UE providing the counter value it maintains to the evolved access network, and the evolved access network comparing the received counter value with the counter value it maintains to determine whether the counter values are consistent; or
when the set condition is met, the access network providing the UE with the counter value it maintains;
the UE comparing the received counter value with its own counter value to determine whether the counter values are consistent, and returning the check result to the evolved access network.
3. The method according to claim 2, characterised in that the counter value is carried in a data-volume check request, and the check result is carried in a data-volume check response.
4. The method according to claim 2, characterised in that the step of initiating a data-volume check towards the UE comprises:
sending a data-volume check request to the UE; and the counter value that the UE provides to the evolved access network being carried in a data-volume check response.
5. The method according to claim 1 or 2, characterised in that the evolved access network comprises an evolved base station and an access gateway aGW;
in the evolved access network, the counters maintained respectively by a corresponding UE and evolved base station form a first pair of counters, and the counters maintained respectively by the corresponding UE and aGW form a second pair of counters, and the method further comprises:
the evolved base station comparing the values of the first pair of counters and sending the comparison result to the aGW;
when the set condition is met, the aGW initiating a data-volume check request towards the UE, or comparing the counter value maintained by the aGW with the counter value of the corresponding UE, so that the aGW obtains the comparison result of the second pair of counters, and the aGW analysing and judging the evolved base station and the connection states according to the comparison results of the first pair of counters and the second pair of counters:
if the values of the first pair of counters are consistent and the values of the second pair of counters are consistent, the connection between the UE and the evolved base station and the connection between the evolved base station and the aGW are both normal;
if the values of the first pair of counters are consistent, the connection between the UE and the evolved base station is normal, otherwise the radio connection between the UE and the evolved base station is abnormal;
若第二计数器的值一致,则所述演进基站与 aGW之间的连接均正常; 否则演进基站与 aGW之间的连接异常。  If the values of the second counter are consistent, the connection between the evolved base station and the aGW is normal; otherwise, the connection between the evolved base station and the aGW is abnormal.
6、 根据权利要求 5所述的方法, 其特征在于, 进一步包括: 所述分析结果为演进基站异常时 , 所述 aGW指示 UE或演进基站断 开当前连接; 或所述 aGW指示 UE或演进基站断开当前连接, 并使 UE 选择另一演进基站进行通信; 或  The method according to claim 5, further comprising: when the analysis result is that the evolved base station is abnormal, the aGW instructs the UE or the evolved base station to disconnect the current connection; or the aGW indicates the UE or the evolved base station Disconnect the current connection and have the UE select another evolved base station to communicate; or
所述分析结果为演进基站与 aGW之间的连接异常时,断开与 eNodeB 之间的連接。  The analysis result is that when the connection between the evolved base station and the aGW is abnormal, the connection with the eNodeB is disconnected.
7、 根据权利要求 5所述的方法, 其特征在于, 进一步包括: 所述第一对计数器或第二对计数器的检查结果中出现值不一致的计 数器的次数达到设定次数时, aGW向核心网络 CN上报 UE异常。  The method according to claim 5, further comprising: aGW to the core network when the number of counters in which the values of the first pair of counters or the second pair of counters are inconsistent reaches a set number of times The CN reported that the UE is abnormal.
8、 根据权利要求 5所述的方法, 其特征在于, 进一步包括:  8. The method according to claim 5, further comprising:
UE由源演进基站切换至目标演进基站时, 源演进基站根据目标演进 基站的请求, 向目标演进基站提供其维护的计数器值,或 UE向目标演进 基站提供其维护的计数器值;  When the UE is handed over from the source evolved base station to the target evolved base station, the source evolved base station provides the counter value of the maintenance to the target evolved base station according to the request of the target evolved base station, or the UE provides the target evolved base station with the counter value maintained by the target evolved base station;
UE由源 aGW切换至目标 aGW时, 源 aGW根据目标 aGW的请求, 向目标 aGW提供其维护的计数器值, 或 UE向目标 aGW提供其维护的 计数器值。  When the UE is handed over to the target aGW by the source aGW, the source aGW provides the target aGW with its maintained counter value according to the request of the target aGW, or the UE provides the target aGW with the counter value it maintains.
9、 根据权利要求 8所述的方法, 其特征在于, 所述计数器使用二者 的共享密钥进行完整性保护。 9. The method according to claim 8, wherein the counter uses the shared key of both to perform integrity protection.
10、 根据权利要求 1或 2所述的方法, 其特征在于, 所述 UE与演进 接入网络之间交互的信息使用二者的共享密钥进行完整性保护。 The method according to claim 1 or 2, wherein the information exchanged between the UE and the evolved access network uses the shared key of both to perform integrity protection.
11、 根据权利要求 2或 5所迷的方法, 其特征在于, 所述设定条件为 下述条件至少之一:  A method according to claim 2 or 5, wherein said setting condition is at least one of the following conditions:
设定周期到期、 计数器值达到设定值、 收到检查命令。  The set period expires, the counter value reaches the set value, and the check command is received.
12、 一种在演进接入网络中实现安全性保证的系统, 其特征在于, 包 括:  12. A system for implementing security assurance in an evolved access network, characterized in that:
第一计数器, 设置在用户侧, 用于对 UE与接入网络之间传输的数据 量进行计数;  a first counter, configured on the user side, for counting the amount of data transmitted between the UE and the access network;
第二计数器, 设置在网络侧, 用于对 UE与接入网络之间传输的数据 量进行计数;  a second counter, configured on the network side, for counting the amount of data transmitted between the UE and the access network;
判断单元,用于比较所述第一和第二计数器所计的 UE与接入网络之 间传输的数据量值;  a determining unit, configured to compare data volume values transmitted between the UE and the access network calculated by the first and second counters;
处理单元, 根据判断单元的比较结果进行相应处理。  The processing unit performs corresponding processing according to the comparison result of the determining unit.
13、 根据权利要求 12所述的系统, 其特征在于, 所述处理单元根据 比较结果进行后续处理包括:  The system according to claim 12, wherein the processing unit performs subsequent processing according to the comparison result, including:
当所述第一和第二计数器所计的 UE与接入网络之间传输的数据量值 不同时, 则所述处理单元断开当前连接或向上层报告错误。  When the amount of data transmitted between the UE counted by the first and second counters and the access network is different, the processing unit disconnects the current connection or reports an error to the upper layer.
14、 根据权利要求 12所述的系统, 其特征在于, 所述第一和第二计 数器使用二者的共享密钥进行完整性保护。  14. The system of claim 12, wherein the first and second counters use the shared key of both for integrity protection.
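The claims above describe a counter-consistency protocol rather than a concrete implementation, so the following Python model is an added illustration of claims 1 to 14 and is not code from the patent or from Huawei. It assumes HMAC-SHA256 over the big-endian counter as the "integrity protection using the shared key" (claims 9, 10 and 14), a byte count as the data-volume metric, a mismatch limit of three as the "set number" of claim 7, and the names UE, eNB, aGW for the three parties; all of these are choices made here, not stated in the claims. It models both counter pairs of claim 5, the decision table, the disconnect and core-network reporting of claims 6, 7 and 13, the handover transfer of claim 8 and the triggers of claim 11.

```python
"""Model of the UE / evolved-access-network data-volume counter check (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed test key: stands in for the UE/network shared key the claims assume.
SHARED_KEY = b"constructed-shared-key-for-testing"


def protect(counter: int, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag to a counter value before it crosses the air interface."""
    tag = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return {"counter": counter, "mac": tag}


def verify(report: dict, key: bytes) -> Optional[int]:
    """Return the counter if the tag verifies, else None (tampered report or wrong key)."""
    expected = hmac.new(key, report["counter"].to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return report["counter"] if hmac.compare_digest(expected, report["mac"]) else None


@dataclass
class Node:
    """A party holding one counter of bytes seen on the UE<->network path (claims 1, 12)."""
    name: str
    key: bytes = SHARED_KEY
    counter: int = 0

    def count(self, nbytes: int) -> None:
        self.counter += nbytes

    def report(self) -> dict:
        return protect(self.counter, self.key)


@dataclass
class AGW(Node):
    """Access gateway: additionally tracks mismatches and reports to the core network (claim 7)."""
    mismatch_limit: int = 3          # assumed "set number" of mismatches
    mismatches: int = 0
    cn_reports: list = field(default_factory=list)


def check_pair(verifier: Node, report: dict) -> bool:
    """Claim 2: compare a received, integrity-protected counter with the local one."""
    received = verify(report, verifier.key)
    return received is not None and received == verifier.counter


def analyze(first_pair_ok: bool, second_pair_ok: bool) -> dict:
    """Claim 5 decision table: first pair = (UE, eNB), second pair = (UE, aGW)."""
    return {
        "ue_enb": "normal" if first_pair_ok else "abnormal",
        "enb_agw": "normal" if second_pair_ok else "abnormal",
    }


def data_volume_check(ue: Node, enb: Node, agw: AGW) -> dict:
    """One check round: eNB checks the first pair, aGW checks the second pair and decides."""
    first_ok = check_pair(enb, ue.report())    # eNB compares first pair, forwards result to aGW
    second_ok = check_pair(agw, ue.report())   # aGW requests the UE counter, compares second pair
    verdict = analyze(first_ok, second_ok)
    action = "keep"
    if not (first_ok and second_ok):
        agw.mismatches += 1
        action = "disconnect"                  # claims 6 and 13: drop the current connection
        if agw.mismatches >= agw.mismatch_limit:
            agw.cn_reports.append({"ue": ue.name, "reason": "counter mismatch"})  # claim 7
            action = "disconnect+report_cn"
    return {"first_pair_ok": first_ok, "second_pair_ok": second_ok,
            "verdict": verdict, "action": action}


def handover(source: Node, target: Node) -> dict:
    """Claim 8: the target node takes over the source node's protected counter on handover."""
    received = verify(source.report(), target.key)
    if received is None:
        return {"ok": False}
    target.counter = received
    return {"ok": True, "counter": target.counter}


def should_check(elapsed: int, period: int, counter: int, threshold: int, command: bool) -> bool:
    """Claim 11: period expired, counter reached the set value, or a check command arrived."""
    return elapsed >= period or counter >= threshold or command


def demo() -> tuple:
    """Honest traffic, then 2000 bytes counted by the aGW that never reach the UE."""
    ue, enb, agw = Node("UE"), Node("eNB"), AGW("aGW")
    for n in (1500, 1500, 600):                # constructed packet sizes
        for node in (ue, enb, agw):
            node.count(n)
    honest = data_volume_check(ue, enb, agw)
    agw.count(2000)                            # lost on the eNB<->aGW leg: only the aGW saw it
    broken_backhaul = data_volume_check(ue, enb, agw)
    return honest, broken_backhaul
```

In the `demo()` scenario the first pair still agrees (UE and eNB both hold 3600 bytes) while the second pair does not, so the decision table blames the eNB-to-aGW leg, exactly the case claim 5 distinguishes. A report whose counter is altered without the key fails `verify()` and is treated as a mismatch rather than trusted, which is the point of claims 9, 10 and 14.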
PCT/CN2007/000813 2006-03-16 2007-03-14 method for implementing secure assurance in an Enhanced Access Network and the system thereof WO2007104259A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610057590.7 2006-03-16
CN2006100575907A CN101039314B (en) 2006-03-16 2006-03-16 Method for realizing safety warranty in evolution accessing network

Publications (1)

Publication Number Publication Date
WO2007104259A1 true WO2007104259A1 (en) 2007-09-20

Family

ID=38509057

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000813 WO2007104259A1 (en) 2006-03-16 2007-03-14 method for implementing secure assurance in an Enhanced Access Network and the system thereof

Country Status (2)

Country Link
CN (1) CN101039314B (en)
WO (1) WO2007104259A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909337A (en) * 2009-06-04 2010-12-08 中兴通讯股份有限公司 Switching function-based information transmitting methods
WO2021066692A1 (en) * 2019-10-04 2021-04-08 Telefonaktiebolaget Lm Ericsson (Publ) Operating a data throughput counter in a wireless communications network

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010078724A1 (en) * 2009-01-08 2010-07-15 中兴通讯股份有限公司 Local authentication method in mobile communication system
CN102379137B (en) * 2009-04-20 2015-09-09 华为技术有限公司 A kind of processing method to message integrity protection inspection failure, equipment and system
CN102480747B (en) * 2010-11-25 2014-12-03 大唐移动通信设备有限公司 Service bearer counting check method and apparatus thereof
CN102572880B (en) * 2011-12-29 2019-01-04 上海中兴软件有限责任公司 Serial number detection method, apparatus and system
CN103974238B (en) * 2013-01-25 2018-09-28 中兴通讯股份有限公司 A kind of methods, devices and systems for realizing safety detection in heterogeneous network
CN104683981B (en) * 2013-12-02 2019-01-25 华为技术有限公司 A kind of method, equipment and system for verifying security capabilities
ES2703555T3 (en) * 2014-05-05 2019-03-11 Ericsson Telefon Ab L M Protection of exchange of WLCP messages between TWAG and UE
US10455414B2 (en) * 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
CN110943964B (en) * 2018-09-21 2022-07-22 华为技术有限公司 Data checking method, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6480471B1 (en) * 1998-12-21 2002-11-12 Hewlett-Packard Company Hardware sampler for statistical monitoring of network traffic
US20030140140A1 (en) * 2002-01-18 2003-07-24 Jesse Lahtinen Monitoring the flow of a data stream
CN1700784A (en) * 2004-05-20 2005-11-23 华为技术有限公司 Method for checking data transmission quantity consistency between uplink and downlink in mobile communication system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909337A (en) * 2009-06-04 2010-12-08 中兴通讯股份有限公司 Switching function-based information transmitting methods
CN101909337B (en) * 2009-06-04 2014-08-13 中兴通讯股份有限公司 Switching function-based information transmitting methods
WO2021066692A1 (en) * 2019-10-04 2021-04-08 Telefonaktiebolaget Lm Ericsson (Publ) Operating a data throughput counter in a wireless communications network

Also Published As

Publication number Publication date
CN101039314B (en) 2012-02-22
CN101039314A (en) 2007-09-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07711084

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07711084

Country of ref document: EP

Kind code of ref document: A1