WO2007121669A1 - Method and device and system for establishing wireless connection - Google Patents

Method and device and system for establishing wireless connection Download PDF

Info

Publication number
WO2007121669A1
WO2007121669A1 PCT/CN2007/001301 CN2007001301W WO2007121669A1 WO 2007121669 A1 WO2007121669 A1 WO 2007121669A1 CN 2007001301 W CN2007001301 W CN 2007001301W WO 2007121669 A1 WO2007121669 A1 WO 2007121669A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
security
access network
wireless connection
parameters
Prior art date
Application number
PCT/CN2007/001301
Other languages
French (fr)
Chinese (zh)
Inventor
Jing Chen
Binsong Tang
Zongjie Wang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2007121669A1 publication Critical patent/WO2007121669A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02Terminal devices

Definitions

  • the present invention relates to a wireless connection technology in a mobile communication system, and more particularly to a method, device and system for establishing a wireless connection. Background of the invention
  • UMTS Global System for Mobile Communications
  • UE User Equipment
  • UTRAN Global Terrestrial Radio Access Network
  • Figure 1 shows a flow chart of a prior art wireless connection establishment method.
  • the UE in steps 101-103, the UE first sends an RRC connection request to the UTRAN through the air interface, and the UTRAN returns an RRC connection setup message to the UE, and then the UE sends an RRC connection setup completion indicating that the connection establishment is successful to the UTRAN. Message.
  • the UE and the core network device such as the serving general packet radio service support node (SGSN) are saved.
  • An encryption key and an integrity key for protecting communication between the UE and the RNC are saved.
  • the UE reports its own security capabilities, such as encryption algorithms, integrity algorithms, and the like, to the wireless network control in the UTRAN.
  • RNC The UE then sends its identity, encryption key, and integrity key identifier to the core network device in core network signaling.
  • Embodiments of the present invention provide a method, device, and system for establishing a wireless connection, which can reduce access delay.
  • a method for establishing a wireless connection comprising:
  • a method for establishing a wireless connection comprising:
  • the access network device After receiving the wireless connection establishment request from the user equipment, the access network device interacts with the core network device that stores the security parameter of the user equipment, and obtains the security parameter of the user equipment; and determines according to the security parameter of the user equipment. Protecting the security association of the current wireless connection, instructing the user equipment to use the security association to protect communications.
  • a wireless connection establishing system includes: The user equipment UE is configured to request the access network device to establish a wireless connection, and the core network device is configured to save the security parameter of the UE, interact with the access network device, and provide the security parameter of the UE to the access network device;
  • a core network device including:
  • a protection information storage unit configured to save a security parameter of the user equipment UE
  • a receiving unit configured to receive a wireless connection establishment request of the user equipment UE
  • a determining and indicating unit configured to determine, according to the security parameter of the UE, a security association for protecting the current connection, and instruct the UE to use the corresponding security association to protect the communication.
  • the time delay of the UE in the process of accessing the core network can be reduced.
  • the UE and the core network device both store the security parameters of the UE, and the current wireless connection establishment process uses the saved security parameters of the UE to secure the wireless signaling without renegotiating all the Security parameters, which greatly reduce the amount of information that needs to be transmitted during the access process.
  • the negotiation of the security association of the wireless connection security protection is completed during the establishment of the wireless connection, the delay of the access process is effectively shortened, and the wireless connection establishment process can be protected.
  • FIG. 3 is a signaling flowchart of a method for establishing a wireless connection according to Embodiment 2 of the present invention
  • FIG. 4 is a signaling flowchart of a method for establishing a wireless connection according to Embodiment 3 of the present invention
  • FIG. 5 is a flowchart for establishing a wireless connection according to Embodiment 4 of the present invention
  • FIG. 6 is a signaling flowchart of a wireless connection establishment method according to Embodiment 5 of the present invention
  • FIG. 7 is a schematic structural diagram of a wireless connection establishment system according to Embodiment 6 of the present invention. Mode for carrying out the invention
  • the UE and the core network device pre-store the security parameters of the UE, and the current wireless connection establishment process uses the security parameters of the saved UE to secure the wireless signaling.
  • Fig. 2 is a flow chart showing a method of establishing a wireless connection in Embodiment 1 of the present invention.
  • the security parameter information of the UE is pre-stored in the UE and the core network device.
  • the method for establishing a wireless connection in the present invention includes:
  • step 201 the UE requests the access network device to establish a wireless connection
  • step 202 the access network device and the UE are saved in the last wireless connection.
  • the full-threshold core network device interacts to obtain the security parameters of the UE;
  • step 204 the UE sends an acknowledgement message to the access network device.
  • the pre-saved security parameter is all security parameters of the security association used in the last wireless connection, that is, the protection information set includes all the security parameters such as a key for protecting the security of the wireless connection communication, a security algorithm, and the like.
  • FIG. 3 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment.
  • the method for establishing a wireless connection in this embodiment includes:
  • step 301 the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.
  • the network architecture in this embodiment uses a resource pool, that is, the BS is connected to multiple AGWs. Therefore, information about the AGW is needed in this step to help the BS find the security parameters of the UE stored in the last wireless connection.
  • AGW the correspondence between the UE and the AGW may be set in advance, so that the BS finds the AGW corresponding to the UE in the preset correspondence according to the received identity of the UE, and therefore the wireless connection in this step. It is not necessary to carry information about the AGW in the setup request message.
  • the protection information set identifier is required to be carried in the wireless connection establishment request message in this step, because a UE can correspond to multiple protection information sets.
  • This protection information set identifier can be an identifier of a key.
  • This key can be a key that protects the wireless connection or a root key used to derive the key that protects the wireless connection.
  • the BS sends a protection information set request message carrying the UE identity identifier and the protection information set identifier to the AGW, and the AGW carries the corresponding protection information set according to the received UI identity and the protection information set identifier.
  • the protection information set response message is returned to the BS. That is, the AGW sends the key, algorithm and other parameters used to protect the security of the wireless connection communication to the BS.
  • the identity identifier of the UE is sent to the determined AGW.
  • the AGW parses the identity identifier and the protection information set identifier of the UE from the message, and searches for the protection corresponding to the UE according to the identity identifier and the protection information set identifier of the UE.
  • the information set, and the protected information set response message is returned to the BS by the set of protection information.
  • step 304 the BS selects a security parameter supported by itself from the received protection information set, obtains a security association for protecting the communication in the current wireless connection, and instructs the UE to use the corresponding security association pair by using a wireless connection establishment message. Communication is protected.
  • the BS determines whether to continue using the received protection information set according to the lifetime of the protection information set and whether it supports the security algorithm in the protection information set. In the case of determining to continue to use the protection information set, the BS determines the security parameter in the protection information set as the security parameter used to protect the wireless signaling during the wireless connection process, in other words, the security association in the current wireless connection process. To protect all security parameters in the information set. That is, the security parameters such as the key and algorithm used in this wireless connection are the same as those used in the previous wireless connection.
  • step 305 after successfully verifying the integrity of the wireless connection message, the UE sends a wireless connection establishment confirmation message, which is protected by the received security parameter, to the BS, indicating the wireless connection.
  • the connection is completed.
  • the BS can report the security association used in the wireless connection to the AGW for storage.
  • the pre-saved security parameters include security key information in the last wireless connection.
  • the UE moves into a different access network control range, and the BS cannot directly communicate with the AGW that holds the security key information in the last wireless connection.
  • the AGW directly connected to the BS is AGWnew, and the AGW that stores the security key information in the last wireless connection is AGWold, and the BS cannot directly connect to the AGWold.
  • UE and The AGWold shared key K is used to derive the security key for protecting the wireless connection signaling in the wireless connection.
  • step 401 the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, the information about the AGWold, and the security algorithm supported by the UE to the BS, requesting to establish a wireless connection.
  • the BS is only connected to one AGWnew, and then communicates with AGWold through AGWnew. Therefore, this step does not need to carry AGWnew information.
  • the information about AGWold may be the identifier of AGWold, and the help BS finds AGWold storing the security association information of the UE in the last wireless connection.
  • the correspondence between the UE and the AGWold may be set in advance, so that the BS finds the AGWold corresponding to the UE in the preset correspondence according to the received identity of the UE, and therefore the wireless connection establishment request in this step.
  • the message may not carry the information about the AGWold.
  • the wireless connection setup request message in this step also carries the security capability of the UE, such as the security algorithm supported by the UE, and the purpose is to facilitate the BS to determine the current wireless connection in the subsequent steps.
  • the security algorithm used in Since each UE can support more than one type of security algorithm, it can be performed by means of a list of security algorithms.
  • the BS sends a protection information set request message carrying the UE identity, the protection information set identifier, and the information about the AGWold to the AGWnew, requesting to obtain the security parameter in the last wireless connection.
  • the BS parses the identity identifier of the UE, the protection information set identifier, the information about the AGWold, and the security algorithm supported by the UE from the radio connection setup request message from the UE, and after saving the security algorithm supported by the UE, UE identity,
  • the protection information set identifier and the information about the AGWold are placed in the protection information set request message and sent to AGWnew.
  • the AGWnew sends a protection information set request message carrying the identity identifier of the UE and the protection information set identifier to the corresponding AGWold according to the protection information set request message from the BS; the AGWold according to the received message, The device searches for the corresponding protection information set, and returns the found protection information set to AGWnew through the protection information set response message.
  • AGWnew determines the corresponding AGWokL according to the information about the AGWold carried in the protection information set request message from the BS.
  • the protection information set in the last wireless connection is protected in the protection information set saved by the AGWold or can be derived from the previous wireless.
  • the root key of the security key in the connection so the AGWold carries the security key corresponding to the UE in the protection information set response message returned to the AGWnew.
  • the security key here contains the shared key K shared by the UE and AGWold.
  • AGWnew may also not generate the first random number RAND.
  • deriving a new encryption key and/or integrity key may use a variable such as a BS identity as an input parameter, because the UE may correspond to different The base station, the base station is replaced, and the BS identity also changes. If the AGWnew does not generate the first random number, or generates a new encryption key and/or the integrity key does not use a parameter that the UE does not know, the protection information set response returned to the BS does not carry the UE does not know. , the parameters required to generate the encryption key and/or integrity key.
  • AGWnew may also derive the intermediate key Kbs based on the shared key K and other parameters such as the random number RAND, BS ID, and the like. AGWnew sends Kbs and the parameters used by Kbs to the BS without knowing the parameters.
  • the BS selects a self-supported security algorithm from the security algorithm from the UE, and generates a second random number FRESH as one of the parameters of the integrity algorithm, and then selects the selected security algorithm, second.
  • the random number FRESH and the first random number RAND are carried in the wireless connection setup message protected by the integrity key, and are sent to the UE.
  • the AGWnew does not generate the first random number RAND, the first random number does not need to be sent to the UE.
  • the BS derives the key to protect the wireless connection according to Kbs and other parameters, such as the integrity key and/or the encryption key, which will derive the intermediate key Kbs and protect the wireless connection.
  • the parameters required by the key, but not known by the UE, are sent to the UE.
  • the UE After successfully verifying the integrity of the wireless connection message, the UE sends a wireless connection establishment confirmation message indicating that the wireless connection establishment is completed, using the received security parameter (such as an algorithm) and the derived protected wireless connection key for protection.
  • the BS selects the security algorithm received in step 401 according to its own characteristics, selects the security algorithm supported by the BS, and uses the selected security algorithm as the security algorithm used in the current wireless connection.
  • the second random number FRESH generated by the BS acts as an input parameter to the integrity algorithm.
  • the UE derives the same intermediate key Kbs as in the BS according to the parameters such as the shared key K, and derives the key for protecting the wireless connection according to the intermediate key Kbs.
  • the UE uses the integrity key for integrity verification, which may require the participation of a second random number FRESH.
  • the UE performs integrity protection on the wireless connection confirmation message by using the integrity algorithm in the received security parameter and the integrity key of the protected wireless connection directly derived by the UE or derived from the intermediate key Kbs.
  • the confidentiality protection is protected by an encryption key and an encryption algorithm that protect the wireless connection. This message can also be only integrity protected without confidentiality protection.
  • the BS can report the security association used in this wireless connection to AGWnew for future wireless connection.
  • the UE when receiving the wireless connection message of the BS, the UE performs integrity verification on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection confirmation message is received when the wireless connection establishment is completed. Security is secured, so the security of the wireless connection is effectively improved.
  • the difference from the embodiment 2 is that all interactions between the BS and the AGWold are performed by AGWnew.
  • the specific difference is that, in steps 302-303, the BS sends a protection information set request message carrying the UE identity to the AGWold through the AGWnew, and the AGWold carries the corresponding protection information set in the protection information set according to the received UE identity identifier. In the response message, it is returned to the BS through AGWnew.
  • the AGWnew and the UE may perform the update of the encryption key and the integrity secret month, or may only update the encryption key or the integrity key.
  • the function of AGWnew to generate an encryption key and/or an integrity key or an intermediate key Kbs may also be performed by AGWold.
  • the AGWnew carries the identity of the BS in the protection information set request and sends it to the AGWold.
  • the AGWold generates or does not generate the first random number RAND, and generates an encryption key according to parameters such as the first random number RAND and/or the identity of the BS. Integrity key.
  • the access gateway directly connected to the base station only plays the role of forwarding during the negotiation of the key.
  • the method of negotiating a key in this embodiment is also suitable for the case where the BS is directly connected to the AGW that holds the security parameters in the last wireless connection.
  • AGWold and AGWnew are combined into one, which becomes the AGW directly connected to the BS.
  • Example 4 the BS can directly communicate with the AGW that saves the security parameters in the last wireless connection, and the security parameters stored in the UE and the AGW are all parameters (algorithms, keys, etc.) in the security association.
  • the security capability information of the UE is also stored in the AGW.
  • FIG. 5 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment.
  • the method for establishing a wireless connection in this embodiment includes:
  • step 501 the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.
  • the BS sends a protection information set request message carrying the UE identity to the AGW, and the AGW carries the corresponding protection information set and the security capability information of the UE together with the protection information according to the received UE identity identifier.
  • the collection response message it is returned to the BS.
  • the security capabilities herein include security related information such as security algorithms supported by the UE.
  • the identity of the UE is sent to the determined AGW.
  • the AGW parses the identity of the UE from the message, and then finds the protection information set and security capability corresponding to the UE from itself, and uses the protection information set response message to The found protection information set is returned to the BS.
  • the AGW When the AGW does not save the key to protect the wireless connection, but only saves the root key of the key that can be derived to protect the wireless connection, the AGW needs to derive the key or intermediate key Kbs for protecting the wireless connection and send it to BS.
  • the specific process is as shown in Embodiment 3.
  • step 504 the BS negotiates the algorithm according to the received protection information set response message.
  • the BS parses the protection information set and the security capability information of the UE from the received protection information set response message, and according to the lifetime of the protection information set and itself Whether to support the security algorithm and the like in the protection information set, determine whether to continue using the received protection information set.
  • the BS determines that it does not support the algorithm in the protection information set, for example, when the BS determines that it does not support the encryption algorithm in the protection information set
  • the BS selects, according to the parsed security capability information of the UE, the encryption algorithm supported by the BS.
  • a suitable encryption algorithm for both the UE and the BS A suitable encryption algorithm for both the UE and the BS.
  • the security association in this wireless connection consists of the selected algorithm and other security parameters in the protection information set.
  • the BS carries the selected algorithm and other security parameters from the AGW in the radio connection setup message, and sends the message to the UE. After successfully verifying the integrity of the radio connection setup request message, the UE sends the adoption to the BS.
  • the received wireless connection establishment confirmation message of the security parameter indicates that the wireless connection establishment is completed.
  • the UE parses the algorithm from the received radio connection setup message and performs integrity verification on the strip message. After passing the verification, the UE performs integrity protection on the wireless connection confirmation message by using the received integrity algorithm and the integrity key saved or derived by the UE, and uses the encryption key and the encryption algorithm for confidentiality protection. This message can also be only integrity protected without confidentiality protection.
  • the BS can report the security association used in the wireless connection to the AGW for storage.
  • the BS can save the security association information used in the last wireless connection.
  • the AGW directly communicates, and all security parameters in the protection information set are saved in the AGW, but the BS does not support the encryption algorithm in the protection information set. Therefore, only the negotiation of the encryption algorithm is performed during the establishment of the wireless connection, and other security parameters are directly retrieved from the AGW, thereby effectively shortening the access delay.
  • the UE when receiving the wireless connection message of the BS, the UE performs integrity verification on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection is received using the received security parameter. The confirmation message is secured, so the security of the wireless connection is effectively improved.
  • the BS can directly communicate with the AGW that holds the security association information used in the last wireless connection, but only some of the security parameters are stored in the AGW. In this case, the BS needs to determine whether the security parameters in the protection information set are supported, and the unsupported security parameters and the security parameters that are not saved in the AGW are used as security parameters to be negotiated, and interact with the UE to complete the security parameters that need to be negotiated.
  • Negotiation the BS needs to determine whether the security parameters in the protection information set are supported, and the unsupported security parameters and the security parameters that are not saved in the AGW are used as security parameters to be negotiated, and interact with the UE to complete the security parameters that need to be negotiated.
  • FIG. 6 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment.
  • the method for establishing a wireless connection in this embodiment includes:
  • step 601 the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for establishing wireless connection includes: a UE requests a access network device to establish wireless connection; the access network device alternates with a core network device that stores the security parameter of the UE, and obtains the security parameter of the UE; the access network device obtains security relationship of current wireless connection according to the received security parameter, and indicates the UE to protect communication by using the security relationship. The present invention also comprises device and system for establishing wireless connection. The present invention can effectively reduce access time delay and increase the security during the wireless connection establishment.

Description

无线连接建立方法、 设备与系统  Wireless connection establishment method, device and system
技术领域 Technical field
本发明涉及移动通信系统中的无线连接技术, 尤其涉及无线连接建 立的方法、 设备与系统。 发明背景  The present invention relates to a wireless connection technology in a mobile communication system, and more particularly to a method, device and system for establishing a wireless connection. Background of the invention
在全球移动通信系统 ( UMTS ) 中, 为了建立用户设备 ( UE )与核 心网之间的信令连接,首先要建立 UE和全球陆地无线接入网( UTRAN ) 在空中接口上的无线资源控制协议(RRC )连接。  In the Global System for Mobile Communications (UMTS), in order to establish a signalling connection between a User Equipment (UE) and a core network, a radio resource control protocol for the UE and the Global Terrestrial Radio Access Network (UTRAN) over the air interface is first established. (RRC) connection.
图 1示出了现有的无线连接建立方法的流程图。 如图 1所示, 在步 骤 101 ~ 103中, UE首先通过空中接口向 UTRAN发送 RRC连接请求, UTRAN向 UE返回 RRC连接建立消息, 然后, UE再向 UTRAN发送 表明连接建立成功的 RRC连接建立完成消息。  Figure 1 shows a flow chart of a prior art wireless connection establishment method. As shown in FIG. 1, in steps 101-103, the UE first sends an RRC connection request to the UTRAN through the air interface, and the UTRAN returns an RRC connection setup message to the UE, and then the UE sends an RRC connection setup completion indicating that the connection establishment is successful to the UTRAN. Message.
为了保证通信过程的安全性,在 UE未与 UTRAN建立 R C连接之 前, 即 UE处于空闲 (Idle )状态时, UE和诸如服务通用分组无线业务 支持节点 (SGSN )之类的核心网设备均保存用于保护 UE和 RNC之间 通信的加密密钥和完整性密钥。 当成功建立 UE与 UTRAN之间的 RRC 连接并且 UE需要与核心网建立连接时, UE将自身的安全能力,例如加 密算法、 完整性算法等 ΌΕ支持的安全算法, 上报给 UTRAN中的无线 网络控制器 RNC。 然后 UE将其身份标识、 加密密钥和完整性密钥的标 识符在核心网信令中发送给核心网设备。 核心网设备找到对应的加密密 钥和完整性密钥后, 再将所找到的密钥发送给 RNC。核心网设备同时将 允许该用户使用的安全算法列表发送给 RNC。 RNC根据自身支持的算 法情况, 结合从核心网设备接收到的安全算法列表以及从 UE接收到的 UE 支持的安全算法, 选择决定所使用的安全算法, 然后通过安全模式 命令, 向 UE指出所选择的安全算法并指示安全保护开始。 一些其他的 安全参数, 如加密激活时间等也在安全模式过程中发送给 UE。 通过这 样的过程, UE和 RNC完成了保护 UE和 R C之间通信安全所需的所 有参数的协商。 我们将所有的安全参数的集合称为安全关联。 In order to ensure the security of the communication process, before the UE establishes an RC connection with the UTRAN, that is, when the UE is in the idle (Idle) state, the UE and the core network device such as the serving general packet radio service support node (SGSN) are saved. An encryption key and an integrity key for protecting communication between the UE and the RNC. When the RRC connection between the UE and the UTRAN is successfully established and the UE needs to establish a connection with the core network, the UE reports its own security capabilities, such as encryption algorithms, integrity algorithms, and the like, to the wireless network control in the UTRAN. RNC. The UE then sends its identity, encryption key, and integrity key identifier to the core network device in core network signaling. After the core network device finds the corresponding encryption key and integrity key, it sends the found key to the RNC. The core network device also sends a list of security algorithms that the user is allowed to send to the RNC. The RNC combines the list of security algorithms received from the core network device and the received from the UE according to the algorithm supported by the RNC. The security algorithm supported by the UE selects the security algorithm used for the decision, and then indicates the selected security algorithm to the UE through the security mode command and indicates the start of the security protection. Some other security parameters, such as encryption activation time, etc., are also sent to the UE during the secure mode process. Through such a process, the UE and the RNC complete the negotiation of all parameters required to secure communication between the UE and the RC. We refer to the collection of all security parameters as security associations.
由上述的过程可见,每次在 UE接入核心网时, UE和 UTRAN中的 RNC都要执行一次安全算法的协商, 即建立安全关联, 这使得接入过程 中需要传输的信息量较大, 并且需要交互的信令数量也较多, 因此, 接 入的时间延迟较长。 发明内容  It can be seen from the above process that each time the UE accesses the core network, the RNC in the UE and the UTRAN must perform a security algorithm negotiation, that is, establish a security association, which makes the amount of information to be transmitted in the access process large. Moreover, the number of signalings that need to be exchanged is also large, and therefore, the access time delay is long. Summary of the invention
本发明的实施例提供了无线连接建立方法、 设备与系统, 能够减少 接入时延。  Embodiments of the present invention provide a method, device, and system for establishing a wireless connection, which can reduce access delay.
一种无线连接建立方法, 包括:  A method for establishing a wireless connection, comprising:
用户设备 UE请求接入网设备建立无线连接;  The user equipment UE requests the access network device to establish a wireless connection;
接入网设备与保存该 UE在上一次无线连接中的安全参数的核心网 设备交互, 获得该 UE的安全参数;  The access network device interacts with the core network device that saves the security parameters of the UE in the last wireless connection, and obtains the security parameters of the UE;
接入网设备根据接收到的安全参数确定保护本次无线连接的安全关 联, 指示 UE使用对应的安全关联保护通信。  The access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication.
一种无线连接建立方法, 包括:  A method for establishing a wireless connection, comprising:
接入网设备接收到来自用户设备的无线连接建立请求后, 与保存有 所述用户设备的安全参数的核心网设备交互, 获得所述用户设备的安全 参数; 根据所述用户设备的安全参数确定保护本次无线连接的安全关 联, 指示用户设备使用所述安全关联保护通信。  After receiving the wireless connection establishment request from the user equipment, the access network device interacts with the core network device that stores the security parameter of the user equipment, and obtains the security parameter of the user equipment; and determines according to the security parameter of the user equipment. Protecting the security association of the current wireless connection, instructing the user equipment to use the security association to protect communications.
一种无线连接建立系统, 包括: 用户设备 UE, 用于请求接入网设备建立无线连接; 核心网设备, 用于保存 UE的安全参数, 与接入网设备进行交互, 将 UE的安全参数提供给接入网设备; A wireless connection establishing system includes: The user equipment UE is configured to request the access network device to establish a wireless connection, and the core network device is configured to save the security parameter of the UE, interact with the access network device, and provide the security parameter of the UE to the access network device;
接入网设备, 用于与核心网设备交互, 获得 UE的安全参数, 根据 所述安全参数确定保护本次无线连接的安全关联, 指示 UE使用对应的 安全关联保护通信。  The access network device is configured to interact with the core network device to obtain a security parameter of the UE, determine, according to the security parameter, a security association for protecting the current wireless connection, and instruct the UE to use the corresponding security association to protect the communication.
一种核心网设备, 包括:  A core network device, including:
保护信息存储单元, 用于保存用户设备 UE的安全参数;  a protection information storage unit, configured to save a security parameter of the user equipment UE;
判断查询单元, 用于当接收到接入网设备发来的安全参数请求时从 保护信息存储单元中查找到与所述请求对应的 UE的安全参数, 并将所 述 UE的安全参数发送给接入网设备。  The determining query unit is configured to: when receiving the security parameter request sent by the access network device, find the security parameter of the UE corresponding to the request from the protection information storage unit, and send the security parameter of the UE to the Network access equipment.
一种接入网设备, 包括:  An access network device, including:
接收单元, 用于接收用户设备 UE的无线连接建立请求;  a receiving unit, configured to receive a wireless connection establishment request of the user equipment UE;
安全参数获取单元, 用于在接收单元接收到所述无线连接建立请求 后, 与保存所述 UE的安全参数的核心网设备交互, 获得所述 UE的安 全参数;  a security parameter obtaining unit, configured to: after the receiving unit receives the wireless connection establishment request, interact with a core network device that saves the security parameter of the UE, to obtain a security parameter of the UE;
确定和指示单元, 用于根据所述 UE的安全参数确定保护本次连接 的安全关联, 指示 UE使用对应的安全关联保护通信。  And a determining and indicating unit, configured to determine, according to the security parameter of the UE, a security association for protecting the current connection, and instruct the UE to use the corresponding security association to protect the communication.
应用本发明, 能够减少 UE在接入核心网过程中的时间延迟。 具体 而言, 在本发明中 , UE和核心网设备均保存有 UE的安全参数, 本次无 线连接建立过程使用所保存的 UE 的安全参数对无线信令进行安全保 护, 而无需重新协商全部的安全参数, 这使得接入过程中需要传输的信 息量大大减少。 此外, 在无线连接建立过程中就完成无线连接安全保护 的安全关联的协商, 有效地缩短了接入过程的时延, 并可以对无线连接 建立过程进行保护。 附图简要说明 By applying the invention, the time delay of the UE in the process of accessing the core network can be reduced. Specifically, in the present invention, the UE and the core network device both store the security parameters of the UE, and the current wireless connection establishment process uses the saved security parameters of the UE to secure the wireless signaling without renegotiating all the Security parameters, which greatly reduce the amount of information that needs to be transmitted during the access process. In addition, the negotiation of the security association of the wireless connection security protection is completed during the establishment of the wireless connection, the delay of the access process is effectively shortened, and the wireless connection establishment process can be protected. BRIEF DESCRIPTION OF THE DRAWINGS
下面将通过参照附图详细描述本发明的示例性实施例, 使本领域的 普通技术人员更清楚本发明的上述及其它特征和优点, 附图中:  The above and other features and advantages of the present invention will become more apparent to those skilled in the <
图 1为现有的 R C连接建立方法的流程图;  1 is a flow chart of a conventional R C connection establishment method;
图 2为本发明实施例 1中无线连接建立的方法流程图;  2 is a flowchart of a method for establishing a wireless connection according to Embodiment 1 of the present invention;
图 3为本发明实施例 2中无线连接建立方法的信令流程图; 图 4为本发明实施例 3中无线连接建立方法的信令流程图; 图 5为本发明实施例 4中无线连接建立方法的信令流程图; 图 6为本发明实施例 5中无线连接建立方法的信令流程图; 图 7为本发明实施例 6中无线连接建立系统结构示意图。 实施本发明的方式  3 is a signaling flowchart of a method for establishing a wireless connection according to Embodiment 2 of the present invention; FIG. 4 is a signaling flowchart of a method for establishing a wireless connection according to Embodiment 3 of the present invention; FIG. 5 is a flowchart for establishing a wireless connection according to Embodiment 4 of the present invention; FIG. 6 is a signaling flowchart of a wireless connection establishment method according to Embodiment 5 of the present invention; FIG. 7 is a schematic structural diagram of a wireless connection establishment system according to Embodiment 6 of the present invention. Mode for carrying out the invention
为使本发明的目的、 技术方案和优点更加清楚明白, 以下举具体实 施例并参照附图, 对本发明作进一步详细说明。  The present invention will be further described in detail below with reference to the accompanying drawings.
根据本发明中无线连接建立方法的实施例, UE和核心网设备预先保 存该 UE的安全参数, 本次的无线连接建立过程使用所保存的 UE的安 全参数对无线信令进行安全保护。  According to the embodiment of the method for establishing a wireless connection in the present invention, the UE and the core network device pre-store the security parameters of the UE, and the current wireless connection establishment process uses the security parameters of the saved UE to secure the wireless signaling.
在移动通信网络中, 安全关联是指用于保护通信的全部安全参数的 集合,这里的安全参数包括例如安全算法、密钥以及安全关联生命期等。 核心网设备中所保存的安全参数的集合被称为是保护信息集合。  In a mobile communication network, a security association refers to a collection of all security parameters used to protect communications, such as security algorithms, keys, and security association lifetimes. The set of security parameters held in the core network device is referred to as a set of protection information.
图 2示出了本发明实施例 1中无线连接建立方法的流程图。 UE和核 心网设备中预先保存 UE的安全参数信息, 参见图 2, 本发明中的无线 连接建立方法包括:  Fig. 2 is a flow chart showing a method of establishing a wireless connection in Embodiment 1 of the present invention. The security parameter information of the UE is pre-stored in the UE and the core network device. Referring to FIG. 2, the method for establishing a wireless connection in the present invention includes:
在步骤 201中, UE请求接入网设备建立无线连接;  In step 201, the UE requests the access network device to establish a wireless connection;
在步骤 202中, 接入网设备与保存该 UE在上一次无线连接中的安 全参数的核心网设备交互, 获得该 UE的安全参数; In step 202, the access network device and the UE are saved in the last wireless connection. The full-threshold core network device interacts to obtain the security parameters of the UE;
在步驟 203中, 接入网设备根据接收到的安全参数获得保护本次无 线连接的安全关联, 并指示 UE使用对应的安全关联保护通信;  In step 203, the access network device obtains a security association that protects the wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication;
在步驟 204中, UE发送确认消息给接入网设备。  In step 204, the UE sends an acknowledgement message to the access network device.
下面以核心网设备为演进 UTRAN中的接入网关 (AGW )、 接入网 设备为基站(BS )为例, 对上述无线连接建立方法进行详细描述。  The following describes the wireless connection establishment method in the following, taking the core network device as the access gateway (AGW) in the evolved UTRAN and the access network device as the base station (BS) as an example.
实施例 2  Example 2
在本实施例中, 预先保存的安全参数为上一次无线连接中所使用的 安全关联的全部安全参数, 即保护信息集合中包含保护无线连接通信安 全的密钥, 安全算法等全部安全参数。  In this embodiment, the pre-saved security parameter is all security parameters of the security association used in the last wireless connection, that is, the protection information set includes all the security parameters such as a key for protecting the security of the wireless connection communication, a security algorithm, and the like.
图 3示出了本实施例中无线连接建立方法的信令流程图。 如图 3所 示, 本实施例中无线连接建立的方法包括:  FIG. 3 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment. As shown in FIG. 3, the method for establishing a wireless connection in this embodiment includes:
在步骤 301中, UE向 BS发送携带有该 UE的身份标识、 保护信息 集合标识以及有关 AGW的信息的无线连接建立请求消息, 请求建立无 线连接。  In step 301, the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.
本实施例中的网络架构采用资源池( pool )方式,即 BS与多个 AGW 相连, 因此, 本步骤中需要有关 AGW的信息, 来帮助 BS找到存储有 UE在上一次无线连接中的安全参数的 AGW。 另外, 本实施例也可以预 先设置 UE与 AGW之间的对应关系, 这样, BS根据接收到的 UE的身 份标识, 在预先设置的对应关系中找到该 UE对应的 AGW, 因此本步 驟的无线连接建立请求消息中不必携带有关 AGW的信息。由于一个 UE 可以对应多个保护信息集合, 所以本步骤中的无线连接建立请求消息中 需要携带保护信息集合标识。 此保护信息集合标识可以是一个密钥的标 识符。 此密钥可以是保护无线连接的密钥, 也可以是用于推演保护无线 连接的密钥的根密钥。 在步骤 302~303中, BS向 AGW发送携带有 UE身份标识及保护信 息集合标识的保护信息集合请求消息, AGW根据接收到的 ΌΕ身份标 识及保护信息集合标识, 将对应的保护信息集合携带于保护信息集合响 应消息中 ,返回给 BS。 即 AGW将上一次用于保护无线连接通信安全的 密钥, 算法等参数都发送给 BS。 The network architecture in this embodiment uses a resource pool, that is, the BS is connected to multiple AGWs. Therefore, information about the AGW is needed in this step to help the BS find the security parameters of the UE stored in the last wireless connection. AGW. In addition, in this embodiment, the correspondence between the UE and the AGW may be set in advance, so that the BS finds the AGW corresponding to the UE in the preset correspondence according to the received identity of the UE, and therefore the wireless connection in this step. It is not necessary to carry information about the AGW in the setup request message. The protection information set identifier is required to be carried in the wireless connection establishment request message in this step, because a UE can correspond to multiple protection information sets. This protection information set identifier can be an identifier of a key. This key can be a key that protects the wireless connection or a root key used to derive the key that protects the wireless connection. In the steps 302-303, the BS sends a protection information set request message carrying the UE identity identifier and the protection information set identifier to the AGW, and the AGW carries the corresponding protection information set according to the received UI identity and the protection information set identifier. The protection information set response message is returned to the BS. That is, the AGW sends the key, algorithm and other parameters used to protect the security of the wireless connection communication to the BS.
具体为, 在 BS根据接收到的无线连接建立请求消息确定保存安全 参数的 AGW之后, 将 UE的身份标识发送给所确定的 AGW。 AGW接 收到来自于 BS的保护信息集合请求消息后, 从该消息中解析出 UE的 身份标识及保护信息集合标识后, 根据 UE的身份标识及保护信息集合 标识从自身查找到该 UE对应的保护信息集合, 并通过保护信息集合响 应消息, 将查找到的保护信息集合返回给 BS。  Specifically, after the BS determines the AGW that saves the security parameter according to the received wireless connection establishment request message, the identity identifier of the UE is sent to the determined AGW. After receiving the protection information set request message from the BS, the AGW parses the identity identifier and the protection information set identifier of the UE from the message, and searches for the protection corresponding to the UE according to the identity identifier and the protection information set identifier of the UE. The information set, and the protected information set response message is returned to the BS by the set of protection information.
在步骤 304中, BS从接收到的保护信息集合中选择自身支持的安全 参数, 获得本次无线连接中用于保护通信的安全关联, 并通过无线连接 建立消息来指示 UE使用对应的安全关联对通信进行保护。  In step 304, the BS selects a security parameter supported by itself from the received protection information set, obtains a security association for protecting the communication in the current wireless connection, and instructs the UE to use the corresponding security association pair by using a wireless connection establishment message. Communication is protected.
本步骤中, BS根据保护信息集合的生命期以及自身是否支持该保护 信息集合中的安全算法等, 确定是否继续使用接收到的保护信息集合。 在确定继续使用该保护信息集合的情况下, BS 将保护信息集合中的安 全参数确定为本次无线连接过程中用于保护无线信令的安全参数, 换言 之, 本次无线连接过程中的安全关联为保护信息集合中的全部安全参 数。 即, 本次无线连接使用的密钥, 算法等安全参数和上一次无线连接 使用的安全参数相同。 而后, BS 通过无线连接建立消息, 将保护信息 集合中 UE所需的安全参数, 如算法, 发送给 UE, 并通知 UE使用上一 次无线连接的安全参数对本次无线连接进行保护。  In this step, the BS determines whether to continue using the received protection information set according to the lifetime of the protection information set and whether it supports the security algorithm in the protection information set. In the case of determining to continue to use the protection information set, the BS determines the security parameter in the protection information set as the security parameter used to protect the wireless signaling during the wireless connection process, in other words, the security association in the current wireless connection process. To protect all security parameters in the information set. That is, the security parameters such as the key and algorithm used in this wireless connection are the same as those used in the previous wireless connection. Then, the BS establishes a message through the wireless connection, and sends a security parameter, such as an algorithm, required by the UE in the protection information set to the UE, and notifies the UE to protect the current wireless connection by using the security parameter of the previous wireless connection.
在步骤 305中, UE在成功验证无线连接消息的完整性之后, 向 BS 发送釆用接收到的安全参数保护的无线连接建立确认消息, 指明无线连 接建立完成。 In step 305, after successfully verifying the integrity of the wireless connection message, the UE sends a wireless connection establishment confirmation message, which is protected by the received security parameter, to the BS, indicating the wireless connection. The connection is completed.
本步骤中, UE从接收到的无线连接建立消息中解析出全部安全参 数, 并对这些安全参数进行完整性验证, 以确定该条消息未被篡改。 在 通过验证之后, 采用接收到的安全参数中的完整性算法和 UE保存的完 整性密钥对无线连接确认消息进行完整性保护, 并采用加密密钥和加密 算法进行机密性保护。 此条消息也可以只进行完整性保护, 而不进行机 密性保护。  In this step, the UE parses all security parameters from the received wireless connection setup message, and performs integrity verification on the security parameters to determine that the message has not been tampered with. After the verification, the integrity verification algorithm in the received security parameters and the integrity key saved by the UE are used to integrity protect the wireless connection confirmation message, and the encryption key and the encryption algorithm are used for confidentiality protection. This message can also be only integrity protected without confidentiality protection.
至此, 完成本实施例中无线连接建立的流程。  So far, the flow of establishing the wireless connection in this embodiment is completed.
完成无线连接建立后, BS可以将本次无线连接中使用的安全关联上 报给 AGW保存, 以备下一次无线连接使用。  After the wireless connection is established, the BS can report the security association used in the wireless connection to the AGW for storage.
本实施例中采用资源池的方式, 即 BS可以与保存上一次无线连接 中使用的安全参数的 AGW直接通信, 并且 AGW中保存了安全关联中 的全部安全参数, 因此本次无线连接建立过程中 BS直接从 AGW中取 回了用于保护上一次无线连接的所有安全参数(密钥, 算法等), 而无 需执行安全参数协商的操作, 有效地缩短了接入时延。 另外, UE接收 到 BS的无线连接消息时, 对该消息进行完整性险证, 以确保该消息未 被篡改过, 并且向 BS指明无线连接建立完成时, 采用接收到的安全参 数对无线连接确认消息进行安全保护, 因此无线连接的安全性得到了有 效的提高。  In this embodiment, the resource pool is used, that is, the BS can directly communicate with the AGW that saves the security parameters used in the last wireless connection, and all the security parameters in the security association are saved in the AGW, so the wireless connection is established. The BS directly retrieves all security parameters (keys, algorithms, etc.) used to protect the last wireless connection from the AGW without performing security parameter negotiation operations, effectively reducing the access delay. In addition, when receiving the wireless connection message of the BS, the UE performs an integrity insurance certificate on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection is established, and uses the received security parameter to confirm the wireless connection. The message is secured, so the security of the wireless connection is effectively improved.
实施例 3  Example 3
在本实施例中, 预先保存的安全参数包括上一次无线连接中的安全 密钥信息。 并且, UE移动到不同的接入网控制范围之内, BS无法与保 存上一次无线连接中的安全密钥信息的 AGW直接通信。 本实施例中, 与 BS直接相连的 AGW为 AGWnew, 而保存上一次无线连接中的安全 密钥信息的 AGW为 AGWold, BS不能直接与 AGWold相连。 UE与 AGWold共享密钥 K, 用于推导出本次无线连接中保护无线连接信令的 安全密钥。 In this embodiment, the pre-saved security parameters include security key information in the last wireless connection. Moreover, the UE moves into a different access network control range, and the BS cannot directly communicate with the AGW that holds the security key information in the last wireless connection. In this embodiment, the AGW directly connected to the BS is AGWnew, and the AGW that stores the security key information in the last wireless connection is AGWold, and the BS cannot directly connect to the AGWold. UE and The AGWold shared key K is used to derive the security key for protecting the wireless connection signaling in the wireless connection.
图 4示出了本实施例中无线连接建立方法的信令流程图。 参见图 4, 本实施例的无线连接建立方法包括:  FIG. 4 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment. Referring to FIG. 4, the method for establishing a wireless connection in this embodiment includes:
在步骤 401中, UE 向 BS发送携带有该 UE的身份标识、保护信息 集合标识、 有关 AGWold的信息以及 UE支持的安全算法的无线连接建 立请求消息, 请求建立无线连接。  In step 401, the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, the information about the AGWold, and the security algorithm supported by the UE to the BS, requesting to establish a wireless connection.
本实施例中 BS 只与一个 AGWnew相连, 再通过 AGWnew 与 AGWold进行通信。 因此, 本步骤无需携带 AGWnew的信息。 另外, 本 步骤中, 有关 AGWold的信息可以为 AGWold的标识, 帮助 BS找到存 储有 UE在上一次无线连接中的安全关联信息的 AGWold。 本实施例也 可以预先设置 UE与 AGWold之间的对应关系,这样, BS根据接收到的 UE的身份标识, 在预先设置的对应关系中找到该 UE对应的 AGWold, 因此本步骤的无线连接建立请求消息中可以不必携带有关 AGWold的信 另夕卜,本步骤中的无线连接建立请求消息还携带有 UE的安全能力, 如 UE支持的安全算法, 其目的在于便于后续步骤中 BS确定本次无线 连接中使用的安全算法。 由于每个 UE能够支持多于一种的安全算法, 因此可以通过安全算法列表的方式来进行上才艮。  In this embodiment, the BS is only connected to one AGWnew, and then communicates with AGWold through AGWnew. Therefore, this step does not need to carry AGWnew information. In addition, in this step, the information about AGWold may be the identifier of AGWold, and the help BS finds AGWold storing the security association information of the UE in the last wireless connection. In this embodiment, the correspondence between the UE and the AGWold may be set in advance, so that the BS finds the AGWold corresponding to the UE in the preset correspondence according to the received identity of the UE, and therefore the wireless connection establishment request in this step. The message may not carry the information about the AGWold. The wireless connection setup request message in this step also carries the security capability of the UE, such as the security algorithm supported by the UE, and the purpose is to facilitate the BS to determine the current wireless connection in the subsequent steps. The security algorithm used in . Since each UE can support more than one type of security algorithm, it can be performed by means of a list of security algorithms.
在步骤 402中, BS向 AGWnew发送携带有 UE身份标识、 保护信 息集合标识以及有关 AGWold的信息的保护信息集合请求消息, 请求获 得上一次无线连接中的安全参数。  In step 402, the BS sends a protection information set request message carrying the UE identity, the protection information set identifier, and the information about the AGWold to the AGWnew, requesting to obtain the security parameter in the last wireless connection.
本步骤中, BS从来自于 UE的无线连接建立请求消息中解析出 UE 的身份标识、 保护信息集合标识、 有关 AGWold的信息以及 UE支持的 安全算法, 对 UE支持的安全算法进行保存之后, 将 UE的身份标识、 保护信息集合标识和有关 AGWold的信息都放入保护信息集合请求消息 之中, 发送给 AGWnew。 In this step, the BS parses the identity identifier of the UE, the protection information set identifier, the information about the AGWold, and the security algorithm supported by the UE from the radio connection setup request message from the UE, and after saving the security algorithm supported by the UE, UE identity, The protection information set identifier and the information about the AGWold are placed in the protection information set request message and sent to AGWnew.
在步驟 403 ~ 404中, AGWnew根据来自于 BS的保护信息集合请求 消息, 向对应的 AGWold发送携带有 UE的身份标识和保护信息集合标 识的保护信息集合请求消息; AGWold根据接收到的消息, 在自身查找 对应的保护信息集合, 并通过保护信息集合响应消息, 将查找到的保护 信息集合返回给 AGWnew。  In steps 403-404, the AGWnew sends a protection information set request message carrying the identity identifier of the UE and the protection information set identifier to the corresponding AGWold according to the protection information set request message from the BS; the AGWold according to the received message, The device searches for the corresponding protection information set, and returns the found protection information set to AGWnew through the protection information set response message.
AGWnew按照来自于 BS 的保护信息集合请求消息中携带的有关 AGWold的信息, 确定对应的 AGWokL 由于 AGWold所保存的保护信 息集合中保护有上一次无线连接中的安全密钥或可以推演得到上一次 无线连接中的安全密钥的根密钥, 因此 AGWold在向 AGWnew返回的 保护信息集合响应消息中携带有与该 UE对应的安全密钥。 此处的安全 密钥中包含有 UE和 AGWold共享的共享密钥 K。  AGWnew determines the corresponding AGWokL according to the information about the AGWold carried in the protection information set request message from the BS. The protection information set in the last wireless connection is protected in the protection information set saved by the AGWold or can be derived from the previous wireless. The root key of the security key in the connection, so the AGWold carries the security key corresponding to the UE in the protection information set response message returned to the AGWnew. The security key here contains the shared key K shared by the UE and AGWold.
在步骤 405 ~ 406中, AGWnew ^^据接收到的共享密钥 K及生成新 的保护无线连接的加密密钥和 /或完整.性密钥需要的参数推导出加密密 钥和 /或完整性密钥, 或根据接收到的共享密钥 K及其他参数推导得出 中间密钥, 并通过保护信息集合响应消息, 将新的加密密钥和 /或完整性 密钥及 UE不知道的、 生成加密密钥和 /或完整性密钥需要的参数发送给 BS, 或者将中间密钥及 UE不知道的、 生成中间密钥需要的参数发送给 BS。  In steps 405-406, AGWnew derives the encryption key and/or integrity based on the received shared key K and the parameters needed to generate a new encrypted wireless connection's encryption key and/or integrity key. Key, or derive the intermediate key according to the received shared key K and other parameters, and generate a new encryption key and/or integrity key and the UE does not know by the protection information set response message. The parameters required for the encryption key and/or the integrity key are sent to the BS, or the intermediate key and parameters that are not known by the UE and required to generate the intermediate key are sent to the BS.
在步骤 405 ~ 406中, AGWnew首先判断是否需要更新保护信息集 合中的加密密钥和 /或完整性密钥, 如果需要更新, AGWnew可以生成 一个第一随机数 RAND, 然后再利用密钥推演函数 KDF及所述第一随 机数 RAND及 BS身份标识( BS ID )推导出加密密钥和 /或完整性密钥, 即 = 500? ( 88 10, RAND, K, 其他参数)。 以通过常用的 SHA-1算 法进行推导为例, 具体的推导方法为: 加密密钥 = SHA-1("加密密钥 ( cipher key )", BS ID, RAND, K,其他参数);完整性密钥 = SHA-1("完 整性密钥 ( integrity key ) ", BS ID, RAND, K, 其他参数)。 其中的 K 为 UE和 AGWold所共享的密钥 K,其他参数可以是 UE的身份标识等。 In steps 405-406, AGWnew first determines whether it is necessary to update the encryption key and/or the integrity key in the protection information set. If updating is required, AGWnew may generate a first random number RAND, and then use the key derivation function. The KDF and the first random number RAND and the BS identity (BS ID) derive an encryption key and/or an integrity key, ie = 500? (88 10, RAND, K, other parameters). In order to pass the commonly used SHA-1 The method is deduced as an example. The specific derivation method is: encryption key = SHA-1 ("cipher key", BS ID, RAND, K, other parameters); integrity key = SHA-1 ( "integrity key", BS ID, RAND, K, other parameters). The K is the key K shared by the UE and the AGWold, and other parameters may be the identity of the UE.
在步骤 405 ~ 406中, AGWnew也可以不生成第一随机数 RAND, 此时推导新的加密密钥和 /或完整性密钥可以釆用 BS身份标识等变量作 为输入参数, 因为 UE可以对应不同的基站, 更换了基站, BS身份标识 也发生变化。 如果 AGWnew不生成第一随机数, 或者说生成新的加密 密钥和 /或完整性密钥中没有使用 UE不知道的参数, 向 BS返回的保护 信息集合响应中不携带所述 UE不知道的、 生成加密密钥和 /或完整性密 钥需要的参数。  In steps 405-406, AGWnew may also not generate the first random number RAND. At this time, deriving a new encryption key and/or integrity key may use a variable such as a BS identity as an input parameter, because the UE may correspond to different The base station, the base station is replaced, and the BS identity also changes. If the AGWnew does not generate the first random number, or generates a new encryption key and/or the integrity key does not use a parameter that the UE does not know, the protection information set response returned to the BS does not carry the UE does not know. , the parameters required to generate the encryption key and/or integrity key.
在步骤 405 - 406中, AGWnew也可以根据共享密钥 K及其他参数 如随机数 RAND, BS ID等推导得到中间密钥 Kbs。 AGWnew将 Kbs及 推演 Kbs使用的参数中 UE不知道的参数发送给 BS。  In steps 405-406, AGWnew may also derive the intermediate key Kbs based on the shared key K and other parameters such as the random number RAND, BS ID, and the like. AGWnew sends Kbs and the parameters used by Kbs to the BS without knowing the parameters.
在步骤 407 ~ 409中, BS从来自于 UE的安全算法中选择自身支持 的安全算法, 并生成作为完整性算法的参数之一的第二随机数 FRESH, 而后将所选择的安全算法、 第二随机数 FRESH以及第一随机数 RAND 携带于由完整性密钥保护的无线连接建立消息中, 发送给 UE; 此处, 当 AGWnew不生成第一随机数 RAND时, 不需要向 UE发送第一随机 数 RAND; 当 AGWnew推演得到中间密钥 Kbs时, BS根据 Kbs和其他 参数推演得到保护无线连接的密钥, 如完整性密钥和 /或加密密钥, 将推 演中间密钥 Kbs和保护无线连接的密钥所需的, 但是 UE不知道的参数 发送给 UE。 UE在成功验证无线连接消息的完整性之后, 向 BS发送采 用接收到的安全参数(如算法)和推演得到的保护无线连接的密钥进行 保护的表示无线连接建立完成的无线连接建立确认消息。 BS根据自身的特性, 在步骤 401中接收到的安全算法中进行选择, 选出该 BS支持的安全算法, 并将所选定的安全算法作为本次无线连接 中使用的安全算法。 另外, BS所生成的第二随机数 FRESH的作用在于 作为完整性算法的输入参数。 In steps 407-409, the BS selects a self-supported security algorithm from the security algorithm from the UE, and generates a second random number FRESH as one of the parameters of the integrity algorithm, and then selects the selected security algorithm, second. The random number FRESH and the first random number RAND are carried in the wireless connection setup message protected by the integrity key, and are sent to the UE. Here, when the AGWnew does not generate the first random number RAND, the first random number does not need to be sent to the UE. Number RAND; When AGWnew derives the intermediate key Kbs, the BS derives the key to protect the wireless connection according to Kbs and other parameters, such as the integrity key and/or the encryption key, which will derive the intermediate key Kbs and protect the wireless connection. The parameters required by the key, but not known by the UE, are sent to the UE. After successfully verifying the integrity of the wireless connection message, the UE sends a wireless connection establishment confirmation message indicating that the wireless connection establishment is completed, using the received security parameter (such as an algorithm) and the derived protected wireless connection key for protection. The BS selects the security algorithm received in step 401 according to its own characteristics, selects the security algorithm supported by the BS, and uses the selected security algorithm as the security algorithm used in the current wireless connection. In addition, the second random number FRESH generated by the BS acts as an input parameter to the integrity algorithm.
UE在接收到无线连接建立消息后,从该消息中解析出安全算法、第 二随机数 FRESH和第一随机数 RAND, 并通过解析出来的第一随机数 RAND以及自身保存的密钥 K, 推导出与 BS中相同的加密密钥和完整 性密钥。如果 AGWnew不生成第一随机数, 则 UE可以根据自身保存的 共享密钥 K、 BS的身份标识等参数, 按照和 AGWnew相同的方法推导 出与 BS 中相同的加密密钥和 /或完整性密钥。 如果需要推演中间密钥 Kbs, 则 UE根据共享密钥 K等参数推演得到和 BS中相同的中间密钥 Kbs, 并根据中间密钥 Kbs推演出保护无线连接的密钥。 而后, UE利用 完整性密钥进行完整性验证, 验证过程可能需要第二随机数 FRESH的 参与。 UE在通过验证之后, 采用接收到的安全参数中的完整性算法和 UE直接推导得到的或根据中间密钥 Kbs推演得到的保护无线连接的完 整性密钥对无线连接确认消息进行完整性保护, 并采用保护无线连接的 加密密钥和加密算法进行机密性保护。 此条消息也可以只进行完整性保 护, 而不进行机密性保护。  After receiving the wireless connection establishment message, the UE parses the security algorithm, the second random number FRESH, and the first random number RAND from the message, and derives the first random number RAND and the saved key K. The same encryption key and integrity key as in the BS. If the AGWnew does not generate the first random number, the UE may derive the same encryption key and/or integrity key as in the BS according to the same method as the AGWnew according to the parameters of the shared key K, the identity identifier of the BS, and the like. key. If the intermediate key Kbs needs to be deduced, the UE derives the same intermediate key Kbs as in the BS according to the parameters such as the shared key K, and derives the key for protecting the wireless connection according to the intermediate key Kbs. The UE then uses the integrity key for integrity verification, which may require the participation of a second random number FRESH. After verifying, the UE performs integrity protection on the wireless connection confirmation message by using the integrity algorithm in the received security parameter and the integrity key of the protected wireless connection directly derived by the UE or derived from the intermediate key Kbs. The confidentiality protection is protected by an encryption key and an encryption algorithm that protect the wireless connection. This message can also be only integrity protected without confidentiality protection.
至此, 结束本实施例中的无线连接建立流程。  So far, the wireless connection establishment procedure in this embodiment is ended.
完成无线连接建立后, BS可以将本次无线连接中使用的安全关联上 报给 AGWnew保存, 以备下一次无线连接使用。  After the wireless connection is established, the BS can report the security association used in this wireless connection to AGWnew for future wireless connection.
本实施例中,作为 UE在步骤 401中向 BS发送安全算法的替代方式, 可以由 BS在步骤 406中通过无线连接建立消息,将该 BS支持的安全算 法下发给 UE, UE根据自身的特性进行选择之后, 在步骤 407中通过无 线连接建立确认消息, 将所选择的安全算法返回给 BS。 BS 通过 AGWnew 与保存上一次无线连接中使用的安全参数的 AGWold进行通信, 虽然 AGWold中只保存了保护信息集合中的安全密 钥, 但是本实施例仅执行部分安全参数的协商, 因此能够有效地缩短接 入时延。 另外, UE接收到 BS的无线连接消息时, 对该消息进行完整性 验证, 以确保该消息未被篡改过, 并且向 BS指明无线连接建立完成时, 采用接收到的安全参数对无线连接确认消息进行安全保护 , 因此无线连 接的安全性得到了有效的提高。 In this embodiment, as an alternative manner for the UE to send the security algorithm to the BS in step 401, the BS may send a message to the UE by using the wireless connection establishment message in step 406, and the UE according to its own characteristics. After the selection is made, an acknowledgment message is established via the wireless connection in step 407, and the selected security algorithm is returned to the BS. The BS communicates with the AGWold that holds the security parameters used in the last wireless connection through AGWnew. Although only the security key in the protection information set is saved in the AGWold, this embodiment only performs the negotiation of partial security parameters, so it can effectively Reduce access latency. In addition, when receiving the wireless connection message of the BS, the UE performs integrity verification on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection confirmation message is received when the wireless connection establishment is completed. Security is secured, so the security of the wireless connection is effectively improved.
另外, 在本实施例中, 如果 UE和 AGWold中保存了全部安全参数, 则与实施例 2 的区别在于: BS 与 AGWold之间的所有交互都要通过 AGWnew来进行。具体的区别为:在步骤 302〜303中 , BS通过 AGWnew 向 AGWold发送携带有 UE身份标识的保护信息集合请求消息, AGWold 根据接收到的 UE身份标识, 将对应的保护信息集合携带于保护信息集 合响应消息中, 通过 AGWnew返回给 BS。  In addition, in this embodiment, if all the security parameters are saved in the UE and the AGWold, the difference from the embodiment 2 is that all interactions between the BS and the AGWold are performed by AGWnew. The specific difference is that, in steps 302-303, the BS sends a protection information set request message carrying the UE identity to the AGWold through the AGWnew, and the AGWold carries the corresponding protection information set in the protection information set according to the received UE identity identifier. In the response message, it is returned to the BS through AGWnew.
本实施例中, AGWnew和 UE可以执行所述加密密钥和完整性密月 的更新, 也可以只更新加密密钥或完整性密钥。  In this embodiment, the AGWnew and the UE may perform the update of the encryption key and the integrity secret month, or may only update the encryption key or the integrity key.
本实施例中, AGWnew生成加密密钥和 /或完整性密钥或中间密钥 Kbs的功能也可以由 AGWold完成。 AGWnew将 BS的身份标识携带在 保护信息集合请求中发送给 AGWold, AGWold生成或不生成第一随机 数 RAND,根据第一随机数 RAND和 /或 BS的身份标识等参数生成加密 密钥和 /或完整性密钥。这种情况下, 与基站直接相连的接入网关在对密 钥进行协商的过程中只起转发作用。  In this embodiment, the function of AGWnew to generate an encryption key and/or an integrity key or an intermediate key Kbs may also be performed by AGWold. The AGWnew carries the identity of the BS in the protection information set request and sends it to the AGWold. The AGWold generates or does not generate the first random number RAND, and generates an encryption key according to parameters such as the first random number RAND and/or the identity of the BS. Integrity key. In this case, the access gateway directly connected to the base station only plays the role of forwarding during the negotiation of the key.
本实施例中对密钥的协商方法同样适于 BS与保存上一次无线连接 中的安全参数的 AGW 直接相连的情况。 在此情况下, AGWold 和 AGWnew合并为一体, 成为与 BS直接相连的 AGW。  The method of negotiating a key in this embodiment is also suitable for the case where the BS is directly connected to the AGW that holds the security parameters in the last wireless connection. In this case, AGWold and AGWnew are combined into one, which becomes the AGW directly connected to the BS.
实施例 4 本实施例中, BS 能够直接与保存上一次无线连接中的安全参数的 AGW进行通信, UE和 AGW中保存的安全参数为安全关联中的全部参 数(算法, 密钥等)。 另外, AGW中还保存有 UE的安全能力信息。 Example 4 In this embodiment, the BS can directly communicate with the AGW that saves the security parameters in the last wireless connection, and the security parameters stored in the UE and the AGW are all parameters (algorithms, keys, etc.) in the security association. In addition, the security capability information of the UE is also stored in the AGW.
图 5示出了本实施例中无线连接建立方法的信令流程图。 参见图 5, 本实施例的无线连接建立方法包括:  FIG. 5 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment. Referring to FIG. 5, the method for establishing a wireless connection in this embodiment includes:
在步骤 501中, UE向 BS发送携带有该 UE的身份标识、 保护信息 集合标识以及有关 AGW的信息的无线连接建立请求消息, 请求建立无 线连接。  In step 501, the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.
在步骤 502〜503中, BS向 AGW发送携带有 UE身份标识的保护信 息集合请求消息, AGW根据接收到的 UE身份标识, 将对应的保护信 息集合以及该 UE 的安全能力信息一起携带于保护信息集合响应消息 中, 返回给 BS。 此处的安全能力包括诸如 UE所支持的安全算法之类的 安全相关信息。  In the steps 502-503, the BS sends a protection information set request message carrying the UE identity to the AGW, and the AGW carries the corresponding protection information set and the security capability information of the UE together with the protection information according to the received UE identity identifier. In the collection response message, it is returned to the BS. The security capabilities herein include security related information such as security algorithms supported by the UE.
在 BS 根据接收到的无线连接建立请求消息确定保存安全参数的 AGW之后, 将 UE的身份标识发送给所确定的 AGW。 AGW接收到来 自于 BS的保护信息集合请求消息后, 从该消息中解析出 UE的身份标 识, 而后从自身查找到该 UE对应的保护信息集合以及安全能力, 并通 过保护信息集合响应消息, 将查找到的保护信息集合返回给 BS。  After the BS determines the AGW that saves the security parameter according to the received wireless connection setup request message, the identity of the UE is sent to the determined AGW. After receiving the protection information set request message from the BS, the AGW parses the identity of the UE from the message, and then finds the protection information set and security capability corresponding to the UE from itself, and uses the protection information set response message to The found protection information set is returned to the BS.
在 AGW不保存保护无线连接的密钥, 而仅仅保存可推演得到保护 无线连接的密钥的根密钥时, AGW 需要推演得到保护无线连接的密钥 或中间密钥 Kbs, 并将其发送给 BS。 具体过程如实施例 3所示。  When the AGW does not save the key to protect the wireless connection, but only saves the root key of the key that can be derived to protect the wireless connection, the AGW needs to derive the key or intermediate key Kbs for protecting the wireless connection and send it to BS. The specific process is as shown in Embodiment 3.
在步骤 504中, BS根据接收到的保护信息集合响应消息,对算法进 行协商。  In step 504, the BS negotiates the algorithm according to the received protection information set response message.
本步骤中, BS从接收到的保护信息集合响应消息中解析出保护信息 集合和 UE的安全能力信息, 并根据保护信息集合的生命期以及自身是 否支持该保护信息集合中的安全算法等, 确定是否继续使用接收到的保 护信息集合。 在 BS确定自身不支持保护信息集合中的算法时, 例如, BS确定自身不支持保护信息集合中的加密算法时, BS根据解析出的 UE 的安全能力信息,从 BS支持的加密算法中选择对于 UE和该 BS均适合 的加密算法。 此时, 本次无线连接中的安全关联由所选择的算法和保护 信息集合中的其他安全参数组成。 In this step, the BS parses the protection information set and the security capability information of the UE from the received protection information set response message, and according to the lifetime of the protection information set and itself Whether to support the security algorithm and the like in the protection information set, determine whether to continue using the received protection information set. When the BS determines that it does not support the algorithm in the protection information set, for example, when the BS determines that it does not support the encryption algorithm in the protection information set, the BS selects, according to the parsed security capability information of the UE, the encryption algorithm supported by the BS. A suitable encryption algorithm for both the UE and the BS. At this time, the security association in this wireless connection consists of the selected algorithm and other security parameters in the protection information set.
在步骤 505 ~ 506中, BS将所选择的算法以及来自于 AGW的其他 安全参数携带于无线连接建立消息中, 发送给 UE; UE成功验证无线连 接建立请求消息的完整性之后, 向 BS发送采用接收到的安全参数保护 的无线连接建立确认消息, 指明无线连接建立完成。  In steps 505-506, the BS carries the selected algorithm and other security parameters from the AGW in the radio connection setup message, and sends the message to the UE. After successfully verifying the integrity of the radio connection setup request message, the UE sends the adoption to the BS. The received wireless connection establishment confirmation message of the security parameter indicates that the wireless connection establishment is completed.
此处, UE从接收到的无线连接建立消息中解析出算法,并对该条消 息进行完整性验证。 在通过验证之后, UE 采用接收到的完整性算法和 UE保存的或推演得到的完整性密钥对无线连接确认消息进行完整性保 护, 并釆用加密密钥和加密算法进行机密性保护。 此条消息也可以只进 行完整性保护, 而不进行机密性保护。  Here, the UE parses the algorithm from the received radio connection setup message and performs integrity verification on the strip message. After passing the verification, the UE performs integrity protection on the wireless connection confirmation message by using the received integrity algorithm and the integrity key saved or derived by the UE, and uses the encryption key and the encryption algorithm for confidentiality protection. This message can also be only integrity protected without confidentiality protection.
至此, 完成本实施例中无线连接建立的流程。  So far, the flow of establishing the wireless connection in this embodiment is completed.
完成无线连接建立后, BS可以将本次无线连接中使用的安全关联上 报给 AGW保存, 以备下一次无线连接使用。  After the wireless connection is established, the BS can report the security association used in the wireless connection to the AGW for storage.
在 AGW未保存 UE的安全能力信息时, AGW发送给 BS的保护信 息集合响应消息中则不存在 UE的安全能力。 UE可以通过步骤 501中的 无线连接建立请求消息, 将自身的安全能力上报给 BS, 并且 BS再在步 骤 504中确定对于 UE和该 BS均适合的加密算法, 并在步骤 505的无 线连接建立消息中向 UE指明使用对应的安全关联保护本次无线连接。 另外, 也可以在步骤 503之后通过与 UE的交互, 进行安全参数协商。  When the AGW does not save the security capability information of the UE, the security information of the UE does not exist in the protection information set response message sent by the AGW to the BS. The UE may report the security capability of the UE to the BS through the wireless connection setup request message in step 501, and the BS determines, in step 504, an encryption algorithm suitable for both the UE and the BS, and establishes a wireless connection setup message in step 505. The medium indicates to the UE that the current wireless connection is protected using the corresponding security association. In addition, security parameter negotiation may also be performed by interaction with the UE after step 503.
本实施例中, BS可以与保存上一次无线连接中使用的安全关联信息 的 AGW直接通信, AGW中保存了保护信息集合中的全部安全参数, 但是 BS不支持保护信息集合中的加密算法。 因此本次无线连接建立过 程中仅执行加密算法的协商, 其他安全参数均直接从 AGW中取回, 从 而有效地缩短了接入时延。 另夕卜, UE接收到 BS的无线连接消息时, 对 该消息进行完整性验证, 以确保该消息未被篡改过, 并且向 BS指明无 线连接建立完成时, 采用接收到的安全参数对无线连接确认消息进行安 全保护, 因此无线连接的安全性得到了有效的提高。 In this embodiment, the BS can save the security association information used in the last wireless connection. The AGW directly communicates, and all security parameters in the protection information set are saved in the AGW, but the BS does not support the encryption algorithm in the protection information set. Therefore, only the negotiation of the encryption algorithm is performed during the establishment of the wireless connection, and other security parameters are directly retrieved from the AGW, thereby effectively shortening the access delay. In addition, when receiving the wireless connection message of the BS, the UE performs integrity verification on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection is received using the received security parameter. The confirmation message is secured, so the security of the wireless connection is effectively improved.
实施例 5  Example 5
在本实施例中, BS可以与保存上一次无线连接中使用的安全关联信 息的 AGW直接通信, 但是 AGW中只保存了部分安全参数。 此时, BS 需要确定是否支持保护信息集合中的安全参数, 将不支持的安全参数与 AGW中未保存的安全参数作为需要协商的安全参数, 并与 UE进行交 互, 完成对需要协商的安全参数的协商。  In this embodiment, the BS can directly communicate with the AGW that holds the security association information used in the last wireless connection, but only some of the security parameters are stored in the AGW. In this case, the BS needs to determine whether the security parameters in the protection information set are supported, and the unsupported security parameters and the security parameters that are not saved in the AGW are used as security parameters to be negotiated, and interact with the UE to complete the security parameters that need to be negotiated. Negotiation.
图 6示出了本实施例中无线连接建立方法的信令流程图。 参见图 6, 本实施例的无线连接建立方法包括:  FIG. 6 shows a signaling flow chart of the method for establishing a wireless connection in this embodiment. Referring to FIG. 6, the method for establishing a wireless connection in this embodiment includes:
在步驟 601中, UE向 BS发送携带有该 UE的身份标识、 保护信息 集合标识以及有关 AGW的信息的无线连接建立请求消息, 请求建立无 线连接。  In step 601, the UE sends a wireless connection establishment request message carrying the identity identifier of the UE, the protection information set identifier, and the information about the AGW to the BS, requesting to establish a wireless connection.
在步骤 602〜603中, BS向 AGW发送携带有 UE身份标识的保护信 息集合请求消息, AGW根据接收到的 UE身份标识, 将对应的保护信 息集合携带于保护信息集合响应消息中, 返回给 BS。  In the steps 602-603, the BS sends a protection information set request message carrying the UE identity to the AGW, and the AGW carries the corresponding protection information set in the protection information set response message according to the received UE identity identifier, and returns the message to the BS. .
在步骤 604中, BS将不支持的安全参数和保护信息集合中不存在的 安全参数作为需要协商的安全参数, 并与 UE交互, 进行安全参数的协 商, 确定本次无线连接中的安全关联。  In step 604, the BS uses the unsupported security parameters and the security parameters that are not in the protection information set as the security parameters to be negotiated, and interacts with the UE to perform security negotiation to determine the security association in the current wireless connection.
在步骤 605 ~ 606中, BS通过无线连接建立消息, 向 UE指明使用 与 BS相对应的安全关联保护通信; UE成功验证无线连接建立请求消息 的完整性之后, 向 BS发送采用接收到的安全参数保护的无线连接建立 确认消息, 指明无线连接建立完成。 In steps 605-606, the BS establishes a message through the wireless connection, indicating the use to the UE. The security association protection communication corresponding to the BS; after successfully verifying the integrity of the wireless connection establishment request message, the UE transmits a wireless connection establishment confirmation message protected by the received security parameter to the BS, indicating that the wireless connection establishment is completed.
完成无线连接建立后, BS可以将本次无线连接中使用的安全关联上 报给 AGW保存, 以备下一次无线连接使用。  After the wireless connection is established, the BS can report the security association used in the wireless connection to the AGW for storage.
在本实施例中, UE可以通过步骤 601中的无线连接建立请求消息上 报自身支持的安全参数, 则 BS在步驟 604中无需与 UE交互, 而是根 据该 BS的特性, 在接收到的 UE支持的安全参数中进行选择, 完成需 要协商的安全参数的确定。  In this embodiment, the UE may report the security parameter supported by the UE through the wireless connection establishment request message in step 601, and the BS does not need to interact with the UE in step 604, but supports the received UE according to the characteristics of the BS. The selection of the security parameters completes the determination of the security parameters that need to be negotiated.
本实施例中, UE和 AGW中仅保存了部分安全参数, 并且 BS不支 持该部分安全参数中的某些安全参数, 则本次无线连接建立过程中仅对 需要协商的安全参数执行协商过程,从而有效地缩短了接入时延。另夕卜, UE接收到 BS的无线连接消息时, 对该消息进行完整性验证, 以确保该 消息未被篡改过, 并且向 BS指明无线连接建立完成时, 采用接收到的 安全参数对无线连接确认消息进行安全保护 , 因此无线连接的安全性得 到了有效的提高。  In this embodiment, only a part of the security parameters are saved in the UE and the AGW, and the BS does not support some of the security parameters in the part of the security parameters. In this wireless connection establishment process, the negotiation process is performed only on the security parameters that need to be negotiated. Thereby effectively reducing the access delay. In addition, when receiving the wireless connection message of the BS, the UE performs integrity verification on the message to ensure that the message has not been tampered with, and indicates to the BS that the wireless connection is received using the received security parameter. The confirmation message is secured, so the security of the wireless connection is effectively improved.
从以上描述可以看出, UE在接入核心网时,根据预先保存 UE的安 全参数确定本次连接所使用的安全关联, 无需对安全参数进行协商或只 需对部分安全参数进行协商, 从而有效缩短了接入时延。  As can be seen from the above description, when accessing the core network, the UE determines the security association used in the current connection according to the security parameters of the pre-stored UE, and does not need to negotiate the security parameters or only negotiate some of the security parameters, thereby effectively Reduced access latency.
附加的,在现有技术中, 由于安全关联的建立过程在 R C连接建立 之后执行, 无法对 RRC连接建立过程中的信令提供安全保护, 攻击者 可以通过修改 RRC连接建立消息中的内容, 来使得用户按照错误的配 置建立 RRC连接, 从而影响用户享受到的服务质量; 攻击者也可以通 过伪造 R C连接拒绝消息来实施拒绝服务攻击, 使得合法的用户无法 享受到网络侧提供的服务。 而在本发明中, 在 UE接收到核心网设备关 于本次无线连接的安全参数的消息后, UE对该条消息执行完整性验证, 并在验证成功的情况下执行后续的流程 , 能够有效地避免无线连接建立 过程中的恶意攻击, 为合法用户享受网絡服务提供保障。 进一步, UE 和核心网设备确定全部的安全参数之后, 采用安全参数对无线连接建立 过程中的后续信令进行安全保护, 从而有效地提高了无线连接建立过程 的安全性。 In addition, in the prior art, since the establishment process of the security association is performed after the RC connection is established, the signaling in the RRC connection establishment process cannot be provided with security protection, and the attacker can modify the content in the RRC connection establishment message. The RRC connection is established according to the wrong configuration, which affects the quality of service that the user enjoys. The attacker can also perform the denial of service attack by forging the RC connection rejection message, so that the legitimate user cannot enjoy the service provided by the network side. In the present invention, the core network device is received at the UE. After the message of the security parameter of the wireless connection, the UE performs the integrity verification on the message, and performs the subsequent process if the verification succeeds, which can effectively avoid the malicious attack during the establishment of the wireless connection, and is a legitimate user. Enjoy the protection of network services. Further, after the UE and the core network device determine all the security parameters, the security parameters are used to secure the subsequent signaling in the wireless connection establishment process, thereby effectively improving the security of the wireless connection establishment process.
实施例 6  Example 6
本实施例将参照附图对本发明提供的无线连接建立系统进行详细说 明。  The present embodiment will be described in detail with reference to the accompanying drawings to a wireless connection establishing system provided by the present invention.
图 7示出了本实施例所述无线连接建立系统的结构示意图。 参见图 7, 本实施例所述系统包括用户设备 UE、 核心网设备及接入网设备, 其 中:  FIG. 7 is a schematic structural diagram of a wireless connection establishing system according to this embodiment. Referring to FIG. 7, the system in this embodiment includes a user equipment UE, a core network device, and an access network device, where:
用户设备 UE用于向接入网设备请求建立无线连接;  The user equipment UE is configured to request the access network device to establish a wireless connection;
核心网设备用于保存 UE的安全参数, 与接入网设备进行交互, 将 UE的安全参数发送给接入网设备;  The core network device is configured to save the security parameters of the UE, interact with the access network device, and send the security parameters of the UE to the access network device.
接入网设备用于与核心网设备进行交互,获得用户设备的安全参数, 根据所述安全参数确定保护本次无线连接的安全关联, 指示用户设备使 用所述安全关联保护通信。  The access network device is configured to interact with the core network device, obtain security parameters of the user equipment, determine a security association for protecting the current wireless connection according to the security parameter, and instruct the user equipment to use the security association to protect communication.
UE包括连接建立单元,用于向所述接入网设备发送携带有 UE的身 份标识和保护信息集合标识的无线连接建立请求消息, 请求建立无线连 接;  The UE includes a connection establishing unit, configured to send, to the access network device, a wireless connection establishment request message carrying the identity identifier of the UE and the protection information set identifier, requesting to establish a wireless connection;
UE还用于保存 UE身份标识、 保护信息集合标识、 保存 UE安全参 数的核心网设备的信息及 UE的安全能力, 需要时可以将保存 UE安全 参数的核心网设备的信息及 UE的安全能力携带在无线连接建立请求消 息中发送给接入网设备。 UE还可以包括验证单元, 该验证单元用于对从接入网设备接收到 的安全关联进行完整性验证,验证成功后,向接入网设备发送确认消息。 The UE is further configured to save the UE identity, the protection information set identifier, the information of the core network device that saves the UE security parameter, and the security capability of the UE. If necessary, the information of the core network device that stores the UE security parameter and the security capability of the UE may be carried. The information is sent to the access network device in a wireless connection setup request message. The UE may further include a verification unit, configured to perform integrity verification on the security association received from the access network device, and send an acknowledgement message to the access network device after the verification succeeds.
核心网设备用于根据接收到的保护信息集合请求查找到与 UE的身 份标识对应的保护信息集合, 并将所述保护信息集合携带在保护信息集 合响应中返回给接入网设备。  The core network device is configured to search for a protection information set corresponding to the identity identifier of the UE according to the received protection information set request, and carry the protection information set in the protection information collection response to the access network device.
核心网设备包括保护信息存储单元和判断查询单元。  The core network device includes a protection information storage unit and a judgment inquiry unit.
保护信息存储单元用于保存 UE的安全参数, 如 UE在上一次无线 连接建立请求中所使用的安全关联对应的安全参数, 即保护信息集合。 保护信息集合存储单元还可以保存 UE的安全能力, 在需要时, 将 UE 的安全能力提供给判断查询单元。  The protection information storage unit is configured to save the security parameters of the UE, such as the security parameter corresponding to the security association used by the UE in the last wireless connection establishment request, that is, the protection information set. The protection information set storage unit may also save the security capability of the UE, and provide the security capability of the UE to the judgment query unit when needed.
判断查询单元用于根据接收到的保护信息集合请求中的 UE的身份 标识和保护信息集合标识从保护信息存储单元中查找到与 UE的保护信 息集合, 并将所述保护信息集合携带在保护信息集合响应中返回给接入 网设备; 当保护信息存储单元保存了 UE的安全能力时, 还可以进一步 将 UE的安全能力携带在保护信息集合响应中返回给接入网设备。  The determining query unit is configured to search for the protection information set with the UE from the protection information storage unit according to the identity identifier and the protection information set identifier of the UE in the received protection information set request, and carry the protection information set in the protection information. The set response is returned to the access network device. When the protection information storage unit saves the security capability of the UE, the security capability of the UE may be further carried in the protection information set response and returned to the access network device.
接入网设备用于将接收到的 UE的身份标识和保护信息集合标识携 带在保护信息集合请求中, 发送给核心网设备; 还用于从核心网设备接 收到保护信息集合响应后, 根据获得的保护信息集合确定用于本次无线 连接的安全关联, 指示 UE使用所述安全关联保护通信。  The access network device is configured to: carry the identifier of the received UE and the protection information set identifier in the protection information set request, and send the information to the core network device; and further, after receiving the protection information set response from the core network device, according to the obtained The set of protection information determines a security association for the current wireless connection, instructing the UE to use the security association to secure communications.
接入网设备包括接收单元、 安全参数获取单元及确定和指示单元; 其中:  The access network device includes a receiving unit, a security parameter obtaining unit, and a determining and indicating unit; wherein:
接收单元用于接收用户设备的无线连接建立请求;  The receiving unit is configured to receive a wireless connection establishment request of the user equipment;
安全参数获取单元在接收单元接收到无线连接建立请求后, 与保存 用户设备的安全参数的核心网设备交互, 获得用户设备的安全参数; 确定和指示单元用于根据用户设备的安全参数确定保护本次无线连 接的安全关联, 指示用户设备使用对应的安全关联保护通信。 After receiving the wireless connection establishment request, the security parameter obtaining unit interacts with the core network device that saves the security parameter of the user equipment to obtain the security parameter of the user equipment; the determining and indicating unit is configured to determine the protection version according to the security parameter of the user equipment. Secondary wireless connection The security association is instructed to indicate that the user equipment uses the corresponding security association to protect the communication.
该接入网设备还可以包括判断单元, 该判断单元用于判断用户设备 的安全参数是否能够得到接入网设备的支持; 此时确定和指示单元在判 断单元判断出用户设备的安全参数能够得到接入网设备的支持后, 将用 户设备的安全参数确定为保护本次无线连接的安全关联。  The access network device may further include a determining unit, configured to determine whether the security parameter of the user equipment is supported by the access network device; and the determining and indicating unit determines, at the determining unit, that the security parameter of the user equipment is obtained. After the access network device is supported, the security parameter of the user equipment is determined to protect the security association of the wireless connection.
该接入网设备还可以包括协商单元, 该协商单元用于在所述判断单 元判断出所述用户设备的安全参数中存在需要协商的安全参数时, 对需 要协商的安全参数进行协商; 此时由确定和指示单元将 UE的安全参数 中不需要协商的安全参数和协商得到的安全参数确定为本次无线连接 的安全关联。  The access network device may further include a negotiating unit, where the negotiating unit is configured to negotiate the security parameters that need to be negotiated when the determining unit determines that the security parameter of the user equipment is required to be negotiated; The security parameter that does not need to be negotiated in the security parameters of the UE and the negotiated security parameter are determined by the determining and indicating unit as the security association of the wireless connection.
本实施例中,接入网设备可以为基站,核心网设备可以为接入网关。 利用本实施例所述系统, 核心网设备预先保存了 UE的安全参数, 在 UE接入核心网时, 接入网设备可以根据从核心网设备获得的 UE的 安全参数确定本次无线连接的安全关联, 无需对所有安全参数进行协 商, 从而有效减少了接入时延。 另外, UE 可以对从接入网设备接收到 的安全关联进行完整性验证, 提高了无线连接建立过程中的安全性。  In this embodiment, the access network device may be a base station, and the core network device may be an access gateway. With the system in this embodiment, the core network device pre-stores the security parameters of the UE. When the UE accesses the core network, the access network device can determine the security of the wireless connection according to the security parameters of the UE obtained from the core network device. Association, no need to negotiate all security parameters, thus effectively reducing the access delay. In addition, the UE can perform integrity verification on the security association received from the access network device, thereby improving security during the establishment of the wireless connection.
以上所述仅为本发明的较佳实施例而已, 并不用以限制本发明, 凡 在本发明的精神和原则之内所做的任何修改、 等同替换和改进等, 均应 包含在本发明的保护范围之内。  The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the present invention. Within the scope of protection.

Claims

权利要求书 Claim
1、 一种无线连接建立方法, 其特征在于, 该方法包括: A method for establishing a wireless connection, the method comprising:
用户设备 UE请求接入网设备建立无线连接;  The user equipment UE requests the access network device to establish a wireless connection;
接入网设备与保存该 UE在上一次无线连接中的安全参数的核心网 设备交互, 获得该 UE的安全参数;  The access network device interacts with the core network device that saves the security parameters of the UE in the last wireless connection, and obtains the security parameters of the UE;
接入网设备根据接收到的安全参数确定保护本次无线连接的安全关 联, 指示 UE使用对应的安全关联保护通信。  The access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication.
2、 如权利要求 1所述的方法, 其特征在于, 所述 UE请求接入网设 备建立无线连接为:  2. The method according to claim 1, wherein the UE requests the access network device to establish a wireless connection as:
UE向接入网设备发送携带有该 UE的身份标识、保护信息集合标识 的无线连接建立请求消息, 请求建立无线连接。  The UE sends a wireless connection establishment request message carrying the identity identifier of the UE and the protection information set identifier to the access network device, requesting to establish a wireless connection.
3、如权利要求 2所述的方法, 其特征在于, 所述接入网设备与保存 该 UE的安全参数的核心网设备交互, 获得该 UE的安全参数包括: 接入网设备向保存该 UE 的安全参数的核心网设备发送携带有 UE 身份标识和保护信息集合标识的保护信息集合请求消息, 保存该 UE的 安全参数的核心网设备根据接收到的 UE 身份标识及保护信息集合标 识, 将对应的保护信息集合携带于保护信息集合响应消息中, 返回给接 入网设备。  The method of claim 2, wherein the access network device interacts with a core network device that stores security parameters of the UE, and obtaining security parameters of the UE includes: the access network device saves the UE The core network device of the security parameter sends a protection information set request message carrying the UE identity identifier and the protection information set identifier, and the core network device that saves the security parameter of the UE according to the received UE identity identifier and the protection information set identifier will correspond to The protection information set is carried in the protection information set response message and returned to the access network device.
4、如权利要求 3所述的方法, 其特征在于, 所述接入网设备根据接 收到的安全参数确定保护本次无线连接的安全关联, 指示 UE使用对应 的安全关联保护通信为:  The method of claim 3, wherein the access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication as:
接入网设备根据接收到的保护信息集合, 确定本次无线连接中用于 保护通信的安全关联, 并通过无线连接建立消息来指示 UE使用对应的 安全关联对通信进行保护。 The access network device determines, according to the received protection information set, the security association used to protect the communication in the current wireless connection, and instructs the UE to use the corresponding security association to protect the communication through the wireless connection establishment message.
5、 如权利要求 4所述的方法, 其特征在于, 所述确定本次无线连接 中用于保护通信的安全关联为: 5. The method according to claim 4, wherein the determining the security association used to protect the communication in the current wireless connection is:
在接入网设备确定继续使用所述保护信息集合时, 将保护信息集合 中的安全参数作为本次无线连接过程中用于保护无线信令的安全关联。  When the access network device determines to continue to use the protection information set, the security parameter in the protection information set is used as a security association for protecting wireless signaling in the current wireless connection process.
6、 如权利要求 3所述的方法, 其特征在于, 所述接入网设备根据接 收到的安全参数确定保护本次无线连接的安全关联, 指示 UE使用对应 的安全关联保护通信为:  The method according to claim 3, wherein the access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication as:
接入网设备从接收到的保护信息集合响应消息中解析出保护信息集 合, 在接入网设备判定存在需要协商的安全参数时, 接入网设备与 UE 交互, 对需要协商的安全参数进行协商, 并将所述经过协商的安全参数 和该接入网设备支持的安全参数组成本次无线连接的安全关联, 通过无 线连接建立消息指示 UE使用对应的安全关联对通信进行保护。  The access network device parses the protection information set from the received protection information set response message. When the access network device determines that there is a security parameter to be negotiated, the access network device interacts with the UE to negotiate the security parameters to be negotiated. And the negotiated security parameter and the security parameter supported by the access network device form a security association of the current wireless connection, and the wireless connection establishment message is used to instruct the UE to use the corresponding security association to protect the communication.
7、 如权利要求 3所述的方法, 其特征在于, 所述无线连接建立请求 消息中进一步包括: UE的安全能力信息;  The method according to claim 3, wherein the wireless connection establishment request message further includes: security capability information of the UE;
所述接入网设备根据接收到的安全参数确定保护本次无线连接的安 全关联, 指示 UE使用对应的安全关联保护通信为:  The access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication as:
接入网设备从接收到的保护信息集合响应消息中解析出保护信息集 合, 在接入网设备判定存在需要协商的安全参数时, 根据该接入网设备 的特性和 UE的安全能力, 选择对于接入网设备和 UE均适合的安全参 数, 并将所选择的安全参数和该接入网设备支持的安全参数组成本次无 线连接的安全关联, 通过无线连接建立消息指示 UE使用对应的安全关 联对通信进行保护。  The access network device parses the protection information set from the received protection information set response message. When the access network device determines that there is a security parameter to be negotiated, according to the characteristics of the access network device and the security capability of the UE, A security parameter suitable for both the access network device and the UE, and the selected security parameter and the security parameter supported by the access network device form a security association of the current wireless connection, and the wireless connection establishment message is used to instruct the UE to use the corresponding security association. Protect communications.
8、 如权利要求 3所述的方法, 其特征在于, 所述保存该 UE的安全 参数的核心网设备进一步保存该 UE的安全能力信息, 则所述保护信息 集合响应消息进一步包括: UE的安全能力信息; 所述接入网设备根据接收到的安全参数确定保护本次无线连接的安 全关联, 指示 UE使用对应的安全关联保护通信为: The method of claim 3, wherein the core network device that holds the security parameter of the UE further saves the security capability information of the UE, and the protection information set response message further includes: Capability information; The access network device determines, according to the received security parameter, the security association that protects the current wireless connection, and instructs the UE to use the corresponding security association to protect the communication as:
接入网设备从接收到的保护信息集合响应消息中解析出保护信息集 合和 UE的安全能力信息, 在接入网设备判定存在需要协商的安全参数 时, 根据该接入网设备的特性和 UE的安全能力, 选择对于接入网设备 和 UE均适合的安全参数, 并将所选择的安全参数和该接入网设备支持 的安全参数组成本次无线连接的安全关联, 通过无线连接建立消息指示 UE使用对应的安全关联对通信进行保护。  The access network device parses the protection information set and the security capability information of the UE from the received protection information set response message, and when the access network device determines that there is a security parameter to be negotiated, according to the characteristics of the access network device and the UE Security capability, selecting security parameters suitable for both the access network device and the UE, and forming the security association of the selected security parameter and the security parameters supported by the access network device to form a security association of the current wireless connection, and establishing a message indication through the wireless connection The UE protects the communication using the corresponding security association.
9、 如权利要求 6、 7或 8所述的方法, 其特征在于, 所述保护信息 集合中包含上一次无线连接中的全部安全参数; 则所述接入网设备判定 存在需要协商的安全参数为: 在存在接入网设备不支持的安全参数时 , 将接入网设备不支持的安全参数作为需要协商的安全参数。  The method according to claim 6, 7 or 8, wherein the protection information set includes all security parameters in the last wireless connection; and the access network device determines that there are security parameters that need to be negotiated. If the security parameters are not supported by the access network device, the security parameters that are not supported by the access network device are used as security parameters to be negotiated.
10、 如权利要求 6、 7或 8所述的方法, 其特征在于, 所述保护信息 集合中仅包含上一次无线连接中的部分安全参数; 则所述接入网设备判 定存在需要协商的安全参数为: 在存在接入网设备不支持的安全参数 时, 将接入网设备不支持的安全参数以及所述保护信息集合中未包含的 安全参数作为需要协商的安全参数; 在接入网设备支持所述保护信息集 合中的全郜安全参数时, 将所述保护信息集合中未包含的安全参数作为 需要协商的安全参数。  The method according to claim 6, 7 or 8, wherein the protection information set includes only part of the security parameters in the last wireless connection; and the access network device determines that there is security to be negotiated. The parameter is: when there is a security parameter that is not supported by the access network device, the security parameter that is not supported by the access network device and the security parameter that is not included in the protection information set are used as security parameters to be negotiated; When the full security parameter in the protection information set is supported, the security parameter not included in the protection information set is used as a security parameter to be negotiated.
11、 如权利要求 4、 5、 6、 7或 8所述的方法, 其特征在于, 所述通 过无线连接建立消息来指示 UE使用对应的安全关联对通信进行保护 为:  The method according to claim 4, 5, 6, 7, or 8, wherein the establishing a message by using a wireless connection to instruct the UE to protect the communication by using a corresponding security association is:
接入网设备通过无线连接建立消息, 将 UE所需的安全参数发送给 UE , 并通知 UE使用对应的安全参数对本次无线连接进行保护。  The access network device establishes a message through the wireless connection, sends the security parameters required by the UE to the UE, and notifies the UE to protect the current wireless connection by using the corresponding security parameter.
12、 如权利要求 3、 4、 5、 6、 7或 8所述的方法, 其特征在于, 在 所述向接入网设备返回保护信息集合响应消息之前, 该方法进一步包 括: 12. The method of claim 3, 4, 5, 6, 7 or 8 wherein Before the returning the protection information set response message to the access network device, the method further includes:
保存该 ΌΕ的安全参数的核心网设备根据自身保存的安全密钥中的 共享密钥及生成加密密钥和 /或完整性密钥需要的参数推导出加密密钥 和 /或完整性密钥;  The core network device storing the security parameter of the UI derives the encryption key and/or the integrity key according to the shared key in the security key saved by itself and the parameters required to generate the encryption key and/or the integrity key;
所述向接入网设备返回保护信息集合响应消息为: 保存该 ΌΈ的安 全参数的核心网设备将加密密钥和 /或完整性密钥及所述生成加密密钥 和 /或完整性密钥需要的参数中 UE不知道的参数携带于保护信息集合响 应消息中, 发送给接入网设备。  The returning the protection information set response message to the access network device is: the core network device storing the security parameter of the network encrypts the key and/or the integrity key and the generated encryption key and/or integrity key The parameters that are not known by the UE in the required parameters are carried in the protection information set response message and sent to the access network device.
13、如权利要求 12所述的方法, 其特征在于, 所述接入网设备根据 接收到的安全参数确定保护本次无线连接的安全关联, 并指示 UE使用 对应的安全关联保护通信包括:  The method according to claim 12, wherein the access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication, including:
接入网设备将生成加密密钥和 /或完整性密钥需要的参数中 UE不知 道的参数携带在无线连接建立消息中, 发送给 UE;  The access network device carries the parameters that are not required by the UE in the parameters required for generating the encryption key and/or the integrity key, and the parameters are not carried by the UE, and are sent to the UE;
该方法进一步包括:  The method further includes:
UE从无线连接建立消息中解析出所述生成加密密钥和 /或完整性密 钥需要的参数中 UE 不知道的参数并根据解析出来的生成加密密钥和 / 或完整性密钥需要的参数中 UE 不知道的参数以及自身保存的共享密 钥, 推导出与接入网设备中相同的加密密钥和 /或完整性密钥。  The UE parses out, from the wireless connection setup message, the parameters that are not known by the UE in the parameters required to generate the encryption key and/or the integrity key, and according to the parsed parameters required to generate the encryption key and/or the integrity key. The parameters that are not known by the UE and the shared key that is saved by itself are derived from the same encryption key and/or integrity key as in the access network device.
14、 如权利要求 3、 4、 5、 6、 7或 8所述的方法, 其特征在于, 在 所述向接入网设备返回保护信息集合响应消息之前, 该方法进一步包 括:  The method according to claim 3, 4, 5, 6, 7, or 8, wherein before the returning the protection information set response message to the access network device, the method further includes:
保存该 UE的安全参数的核心网设备根据自身保存的安全密钥中的 根密钥及推演中间密钥需要的参数推演得到中间密钥;  The core network device that saves the security parameters of the UE derives the intermediate key according to the root key in the security key saved by itself and the parameter required for deriving the intermediate key;
所述向接入网设备返回保护信息集合响应消息为: 保存该 UE的安 全参数的核心网设备将中间密钥及推演中间密钥需要的参数中 UE不知 道的参数携带于保护信息集合响应消息中, 发送给接入网设备。 The returning the protection information set response message to the access network device is: saving the UE security The parameter-based core network device carries the intermediate key and the parameters that are not known by the UE in the parameters required by the intermediate key in the protection information set response message, and sends the parameters to the access network device.
15、 如权利要求 14所述的方法, 其特征在于, 所述接入网设备根据 接收到的安全参数确定保护本次无线连接的安全关联, 并指示 UE使用 对应的安全关联保护通信包括:  The method of claim 14, wherein the access network device determines to protect the security association of the current wireless connection according to the received security parameter, and indicates that the UE uses the corresponding security association to protect the communication, including:
接入网设备根据中间密钥, 推演得到保护无线连接的加密密钥和 / 或完整性密钥,并将推演中间密钥和加密密钥和 /或完整性密钥的参数中 UE不知道的参数携带在无线连接建立消息中, 发送给 UE;  The access network device derives an encryption key and/or an integrity key for protecting the wireless connection according to the intermediate key, and the UE does not know the parameters of the intermediate key and the encryption key and/or the integrity key. The parameter is carried in the wireless connection setup message and sent to the UE;
该方法进一步包括:  The method further includes:
UE从无线连接建立消息中解析出所述推演中间密钥和加密密钥和 / 或完整性密钥需要的参数中 UE不知道的参数, 并根据推演中间密钥需 要的参数以及自身保存的根密钥, 推导出中间密钥, 然后根据中间密钥' 及推演加密密钥和 /或完整性密钥需要的参数推导出加密密钥和 /或完整 性密钥。  The UE parses out, from the wireless connection setup message, parameters that are not known by the UE in the parameters required for deriving the intermediate key and the encryption key and/or the integrity key, and according to parameters required for deriving the intermediate key and roots saved by itself The key, the intermediate key is derived, and then the encryption key and/or integrity key is derived from the intermediate key' and the parameters needed to derive the encryption key and/or the integrity key.
16、 如权利要求 3、 4、 5、 6、 7或 8所述的方法, 其特征在于, 所 述保存该 UE的安全参数的核心网设备与接入网设备直接相连。  The method according to claim 3, 4, 5, 6, 7, or 8, wherein the core network device that holds the security parameters of the UE is directly connected to the access network device.
17、 如权利要求 16所述的方法, 其特征在于, 所述无线连接建立请 求消息中进一步包括: 核心网设备的信息; 则所述接入网设备向核心网 设备发送保护信息集合请求消息之前, 该方法进一步包括:  The method according to claim 16, wherein the wireless connection establishment request message further includes: information of a core network device; and before the access network device sends a protection information set request message to the core network device , the method further includes:
接入网设备根据所述无线连接建立请求消息中的核心网设备的信 息, 确定保存所述安全参数的核心网设备。  The access network device determines, according to the information of the core network device in the wireless connection establishment request message, the core network device that saves the security parameter.
18、 如权利要求 3、 4、 5、 6、 7或 8所述的方法, 其特征在于, 所 述保存该 UE的安全参数的核心网设备通过与接入网设备直接相连的核 心网设备与接入网设备通信;  The method according to claim 3, 4, 5, 6, 7, or 8, wherein the core network device that stores the security parameters of the UE is connected to the core network device directly connected to the access network device. Access network device communication;
所述接入网设备向保存该 UE的安全参数的核心网设备发送保护信 息集合请求消息, 保存该 UE的安全参数的核心网设备将保护信息集合 响应返回给接入网设备包括: The access network device sends a protection letter to a core network device that saves security parameters of the UE And the core network device that saves the security parameter of the UE returns the protection information set response to the access network device, including:
接入网设备向与接入网设备直接相连的核心网设备发送携带有 UE 身份标识和保护信息集合标识的保护信息集合请求消息, 与接入网设备 直接相连的核心网设备将所述保护信息集合请求消息转发给保存该 UE 的安全参数的核心网设备, 保存该 UE的安全参数的核心网设备将保护 信息集合响应发送给与接入网设备直接相连的核心网设备, 与接入网设 备直接相连的核心网设备向接入网设备返回保护信息集合响应。  The access network device sends a protection information set request message carrying the UE identity identifier and the protection information set identifier to the core network device directly connected to the access network device, and the core network device directly connected to the access network device uses the protection information. The aggregate request message is forwarded to the core network device that saves the security parameter of the UE, and the core network device that saves the security parameter of the UE sends the protection information set response to the core network device directly connected to the access network device, and the access network device The directly connected core network device returns a protection information set response to the access network device.
19、如权利要求 18所述的方法, 其特征在于, 所述无线连接建立请 求消息中进一步包括: 保存该 UE的安全参数的核心网设备的信息; 所述接入网设备向与接入网设备直接相连的核心网设备发送保护信 息集合请求消息的同时, 该方法进一步包括:  The method according to claim 18, wherein the wireless connection establishment request message further includes: information of a core network device that stores a security parameter of the UE; and the access network device to the access network While the core network device directly connected to the device sends the protection information set request message, the method further includes:
接入网设备将保存该 UE的安全参数的核心网设备的信息发送给与 接入网设备直接相连的核心网设备;  The access network device sends the information of the core network device that saves the security parameter of the UE to the core network device directly connected to the access network device;
所述与接入网设备直接相连的核心网设备将所述保护信息集合请求 消息转发给保存该 UE的安全参数的核心网设备之前, 该方法进一步包 括:  Before the core network device directly connected to the access network device forwards the protection information set request message to the core network device that saves the security parameter of the UE, the method further includes:
与接入网设备直接相连的核心网设备根据所述保存该 UE的安全参 数的核心网设备的信息确定保存所述安全参数的核心网设备。  The core network device directly connected to the access network device determines the core network device that saves the security parameter according to the information of the core network device that stores the security parameter of the UE.
20、 如权利要求 18所述的方法, 其特征在于, 在所述向接入网设备 返回保护信息集合响应消息之前, 该方法进一步包括:  The method according to claim 18, wherein before the returning the protection information set response message to the access network device, the method further includes:
与接入网设备直接相连的核心网设备根据接收到的安全密钥中的共 享密钥及生成加密密钥和 /或完整性密钥需要的参数推导出加密密钥和 / 或完整性密钥;  The core network device directly connected to the access network device derives the encryption key and/or the integrity key according to the shared key in the received security key and the parameters needed to generate the encryption key and/or the integrity key. ;
所述向接入网设备返回保护信息集合响应消息为: 与接入网设备直 接相连的核心网设备将加密密钥和 /或完整性密钥及所述生成加密密钥 和 /或完整性密钥需要的参数中 UE不知道的参数携带于保护信息集合响 应消息中, 发送给接入网设备。 The returning the protection information set response message to the access network device is: The connected core network device carries the encryption key and/or the integrity key and the parameters that are not known by the UE in the parameters required to generate the encryption key and/or the integrity key in the protection information set response message, and sends Give access network equipment.
21、 如权利要求 20所述的方法, 其特征在于, 所述接入网设备才艮据 接收到的安全参数确定保护本次无线连接的安全关联, 并指示 UE使用 对应的安全关联保护通信包括:  The method according to claim 20, wherein the access network device determines to protect a security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association protection communication, including :
接入网设备将生成加密密钥和 /或完整性密钥需要的参数中 UE不知 道的参数携带在无线连接建立消息中, 发送给 UE;  The access network device carries the parameters that are not required by the UE in the parameters required for generating the encryption key and/or the integrity key, and the parameters are not carried by the UE, and are sent to the UE;
该方法进一步包括:  The method further includes:
UE从无线连接建立消息中解析出所述生成加密密钥和 /或完整性密 钥需要的参数中 UE 不知道的参数并根据解析出来的生成加密密钥和 / 或完整性密钥需要的参数中 UE 不知道的参数以及自身保存的共享密 钥, 推导出与接入网设备中相同的加密密钥和 /或完整性密钥。  The UE parses out, from the wireless connection setup message, the parameters that are not known by the UE in the parameters required to generate the encryption key and/or the integrity key, and according to the parsed parameters required to generate the encryption key and/or the integrity key. The parameters that are not known by the UE and the shared key that is saved by itself are derived from the same encryption key and/or integrity key as in the access network device.
22、 如权利要求 18所述的方法, 其特征在于, 在所述向接入网设备 返回保护信息集合响应消息之前, 该方法进一步包括:  The method of claim 18, wherein before the returning the protection information set response message to the access network device, the method further includes:
与接入网设备直接相连的核心网设备根据接收到的安全密钥中的根 密钥及推演中间密钥需要的参数推演得到中间密钥;  The core network device directly connected to the access network device derives the intermediate key according to the root key in the received security key and the parameters required for deriving the intermediate key;
所述向接入网设备返回保护信息集合响应消息为: 与接入网设备直 接相连的核心网设备将中间密钥及推演中间密钥需要的参数中 UE不知 道的参数携带于保护信息集合响应消息中, 发送给接入网设备。  The returning the protection information set response message to the access network device is: the core network device directly connected to the access network device carries the intermediate key and the parameter that is not known by the UE in the parameters required for deriving the intermediate key to the protection information set response. In the message, it is sent to the access network device.
23、 如权利要求 22所述的方法, 其特征在于, 所述接入网设备根据 接收到的安全参数确定保护本次无线连接的安全关联, 并指示 UE使用 对应的安全关联保护通信包括:  The method of claim 22, wherein the access network device determines to protect the security association of the current wireless connection according to the received security parameter, and instructs the UE to use the corresponding security association to protect the communication, including:
接入网设备根据中间密钥, 推演得到保护无线连接的加密密钥和 / 或完整性密钥,并将推演中间密钥和加密密钥和 /或完整性密钥的参数中 UE不知道的参数携带在无线连接建立消息中, 发送给 UE; The access network device derives an encryption key and/or an integrity key for protecting the wireless connection according to the intermediate key, and deduces the parameters of the intermediate key and the encryption key and/or the integrity key. The parameter that the UE does not know is carried in the wireless connection setup message and sent to the UE.
该方法进一步包括:  The method further includes:
UE从无线连接建立消息中解析出所述推演中间密钥和加密密钥和 / 或完整性密钥需要的参数中 UE不知道的参数, 并根据推演中间密钥需 要的参数及 UE保存的根密钥推导出中间密钥, 然后根据中间密钥及推 导加密密钥和 /或完整性密钥需要的参数推导出加密密钥和 /或完整性密 钥。  The UE parses out, from the wireless connection setup message, parameters that are not known by the UE in the parameters required for deriving the intermediate key and the encryption key and/or the integrity key, and according to the parameters required for deriving the intermediate key and the root saved by the UE The key derives the intermediate key and then derives the encryption key and/or integrity key based on the intermediate key and the parameters needed to derive the encryption key and/or the integrity key.
24、 如权利要求 1所述的方法, 其特征在于, 所述接入网设备指示 UE使用对应的安全关联保护通信为:  The method according to claim 1, wherein the access network device instructs the UE to use the corresponding security association to protect the communication as:
接入网设备向 UE发送采用所述安全关联保护的无线连接建立消 息, 指示 UE使用对应的安全关联保护通信。  The access network device sends a wireless connection setup message with the security association protection to the UE, instructing the UE to use the corresponding security association to protect the communication.
25、 如权利要求 1至 8中任一权利要求所述的方法, 其特征在于, 在接入网设备指示 UE使用对应的安全关联保护通信之后 , 该方法进一 步包括:  The method according to any one of claims 1 to 8, wherein after the access network device instructs the UE to use the corresponding security association to protect the communication, the method further comprises:
所述 UE发送确认消息给接入网设备。  The UE sends an acknowledgement message to the access network device.
26、 如权利要求 25所述的方法, 其特征在于, 所述 UE发送确认消 息给接入网设备包括:  The method of claim 25, wherein the sending, by the UE, the acknowledgement message to the access network device comprises:
UE 向接入网设备发送采用所述安全关联保护的无线连接建立确认 消息, 指明无线连接建立完成。  The UE sends a wireless connection setup confirmation message with the security association protection to the access network device, indicating that the wireless connection establishment is completed.
27、 如权利要求 1至 8中任一权利要求所述的方法, 其特征在于, 所述接入网设备为基站, 所述核心网设备为接入网关。  The method according to any one of claims 1 to 8, wherein the access network device is a base station, and the core network device is an access gateway.
28、 一种无线连接建立方法, 其特征在于, 该方法包括:  28. A method of establishing a wireless connection, the method comprising:
接入网设备接收到来自用户设备的无线连接建立请求后, 与保存有 所述用户设备的安全参数的核心网设备交互, 菽得所述用户设备的安全 参数; 根据所述用户设备的安全参数确定保护本次无线连接的安全关 联, 指示用户设备使用所述安全关联保护通信。 After receiving the wireless connection establishment request from the user equipment, the access network device interacts with the core network device that stores the security parameter of the user equipment, and obtains the security parameter of the user equipment; according to the security parameter of the user equipment Determine the security of this wireless connection And instructing the user equipment to use the security association to protect communications.
29、如权利要求 28所述的方法, 其特征在于, 在指示用户设备使用 所述安全关联保护通信之后, 该方法进一步包括:  The method of claim 28, after the user equipment is instructed to use the security association to protect communications, the method further comprising:
接入网设备接收来自用户设备的确认消息。  The access network device receives an acknowledgment message from the user equipment.
30、 一种无线连接建立系统, 其特征在于, 该系统包括: 用户设备 UE、 核心网设备及接入网设备; 其中  30. A wireless connection establishing system, the system comprising: a user equipment UE, a core network device, and an access network device;
所述 UE用于请求接入网设备建立无线连接;  The UE is configured to request an access network device to establish a wireless connection;
所述核心网设备用于保存 UE的安全参数,与接入网设备进行交互, 将 UE的安全参数提供给接入网设备;  The core network device is configured to save security parameters of the UE, interact with the access network device, and provide security parameters of the UE to the access network device;
所述接入网设备用于与核心网设备交互, 获得 UE的安全参数, 根 据所述安全参数确定保护本次无线连接的安全关联, 指示 UE使用对应 的安全关联保护通信。  The access network device is configured to interact with the core network device to obtain a security parameter of the UE, determine a security association for protecting the current wireless connection according to the security parameter, and instruct the UE to use the corresponding security association to protect the communication.
31、 如权利要求 30所述的系统, 其特征在于, 所述 UE用于向接入 网设备发送携带有 UE的身份标识和保护信息集合标识的无线连接建立 请求消息, 请求建立无线连接;  The system according to claim 30, wherein the UE is configured to send, to the access network device, a wireless connection establishment request message carrying the identity identifier of the UE and the protection information set identifier, requesting to establish a wireless connection;
所述核心网设备用于根据接收到的保护信息集合请求查找到与 UE 的身份标识对应的保护信息集合, 并将所述保护信息集合携带在保护信 息集合响应中返回给接入网设备;  The core network device is configured to search for a protection information set corresponding to the identity of the UE according to the received protection information set request, and carry the protection information set in the protection information set response to the access network device;
所述接入网设备用于将接收到的所述 UE的身份标识和保护信息集 合标识携带在保护信息集合请求中, 发送给核心网设备; 根据核心网设 备返回的保护信息集合确定本次无线连接使用的安全关联, 指示 UE使 用对应的安全关联保护通信。  The access network device is configured to carry the received identity identifier and the protection information set identifier of the UE in a protection information set request, and send the message to the core network device; and determine the current wireless according to the protection information set returned by the core network device. The security association used by the connection instructs the UE to use the corresponding security association to protect the communication.
32、 如权利要求 31所述的系统, 其特征在于, 所述 UE进一步包括 验证单元, 用于对从接入网设备接收到的安全关联进行完整性验证, 完 整性验证通过后, 向接入网设备发送确认消息。 The system according to claim 31, wherein the UE further comprises a verification unit, configured to perform integrity verification on the security association received from the access network device, and after the integrity verification is passed, accessing the system The network device sends a confirmation message.
33、 如权利要求 30或 31所述的系统, 其特征在于, 所述接入网设 备为基站, 所述核心网设备为接入网关。 The system according to claim 30 or 31, wherein the access network device is a base station, and the core network device is an access gateway.
34、 一种核心网设备, 其特征在于, 该核心网设备包括: 保护信息存储单元, 用于保存用户设备 UE的安全参数;  A core network device, the core network device includes: a protection information storage unit, configured to save a security parameter of the user equipment UE;
判断查询单元, 用于当接收到接入网设备发来的安全参数请求时从 保护信息存储单元中查找到与所述请求对应的 UE的安全参数, 并将所 述 UE的安全参数发送给接入网设备。  The determining query unit is configured to: when receiving the security parameter request sent by the access network device, find the security parameter of the UE corresponding to the request from the protection information storage unit, and send the security parameter of the UE to the Network access equipment.
35、 如权利要求 34所述的核心网设备, 其特征在于, 所述保护信息 存储单元还用于保存 UE的安全能力;  The core network device according to claim 34, wherein the protection information storage unit is further configured to save a security capability of the UE;
所述判断查询单元进一步将 UE的安全能力发送给接入网设备。 The determining query unit further sends the security capability of the UE to the access network device.
36、 一种接入网设备, 其特征在于, 该接入网设备包括: 接收单元, 用于接收用户设备 UE的无线连接建立请求; 36. An access network device, where the access network device includes: a receiving unit, configured to receive a wireless connection establishment request of the user equipment UE;
安全参数获取单元 , 用于在接收单元接收到所述无线连接建立请求 后, 与保存所述 UE的安全参数的核心网设备交互, 获得所述 UE的安 全参数;  a security parameter obtaining unit, configured to: after the receiving unit receives the wireless connection establishment request, interact with a core network device that saves the security parameter of the UE, to obtain a security parameter of the UE;
确定和指示单元, 用于根据所述 UE的安全参数确定保护本次连接 的安全关联, 指示 UE使用对应的安全关联保护通信。  And a determining and indicating unit, configured to determine, according to the security parameter of the UE, a security association for protecting the current connection, and instruct the UE to use the corresponding security association to protect the communication.
37、如权利要求 36所述的接入网设备, 其特征在于, 还包括判断单 元, 用于判断所述 UE的安全参数是否能够得到接入网设备的支持; 所 述确定和指示单元在判断单元判断出所述 UE的安全参数能够得到接入 网设备的支持后, 将所述 UE的安全参数确定为保护本次无线连接的安 全关联。  The access network device according to claim 36, further comprising: a determining unit, configured to determine whether the security parameter of the UE is supported by the access network device; the determining and indicating unit is determining After the unit determines that the security parameter of the UE can be supported by the access network device, the security parameter of the UE is determined to be a security association for protecting the current wireless connection.
38、如权利要求 37所述的接入网设备, 其特征在于, 所述接入网设 备进一步包括:  The access network device of claim 37, wherein the access network device further comprises:
协商单元, 用于在所述判断单元判断出所述 UE的安全参数中存在 需要协商的安全参数时, 对需要协商的安全参数进行协商; a negotiating unit, configured to determine, in the determining, the security parameter of the UE When the security parameters to be negotiated are required, the security parameters that need to be negotiated are negotiated.
所述确定和指示单元用于将 UE的安全参数中不需要协商的安全参 数和协商得到的安全参数确定为保护本次无线连接的安全关联。  The determining and indicating unit is configured to determine, in the security parameter of the UE, the security parameter that is not required to be negotiated and the negotiated security parameter, to protect the security association of the current wireless connection.
PCT/CN2007/001301 2006-04-20 2007-04-20 Method and device and system for establishing wireless connection WO2007121669A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2006100764364A CN101060712B (en) 2006-04-20 2006-04-20 Wireless connecting establishment method
CN200610076436.4 2006-04-20

Publications (1)

Publication Number Publication Date
WO2007121669A1 true WO2007121669A1 (en) 2007-11-01

Family

ID=38624550

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001301 WO2007121669A1 (en) 2006-04-20 2007-04-20 Method and device and system for establishing wireless connection

Country Status (2)

Country Link
CN (1) CN101060712B (en)
WO (1) WO2007121669A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190036694A1 (en) * 2010-12-21 2019-01-31 Koninklijke Kpn N.V. Operator-Assisted Key Establishment

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355809B (en) * 2008-09-12 2013-03-20 中兴通讯股份有限公司 Method and system for negotiating and initiating safety context
CN102158854A (en) * 2009-01-15 2011-08-17 华为技术有限公司 Method and device for sending, transmitting and receiving data as well as method and device for building local area network
CN102055721B (en) * 2009-11-02 2014-06-11 中兴通讯股份有限公司 Access control method and device
CN102821385B (en) * 2011-06-10 2017-03-22 中兴通讯股份有限公司 Methods and network entity for sending public warning system (PWS) key information to terminal
WO2013103010A1 (en) * 2012-01-06 2013-07-11 富士通株式会社 Base station, wireless terminal, wireless communication system, and wireless communication method
CN103517271A (en) * 2012-06-28 2014-01-15 中国移动通信集团公司 Data transmission method and device and terminal
CN103813308B (en) * 2012-11-13 2017-11-10 电信科学技术研究院 A kind of uplink data transmission method, apparatus and system
CN103841547B (en) * 2012-11-27 2017-11-10 电信科学技术研究院 A kind of downlink data transmission method, apparatus and system
CN105306448A (en) * 2015-09-22 2016-02-03 深圳前海华视移动互联有限公司 Method for accessing extranet data, car-mounted multimedia terminal and kernel Netfilter module of car-mounted multimedia terminal
CN106954210B (en) * 2016-01-06 2020-02-14 华为技术有限公司 Protection method and device for air interface identifier
WO2021056563A1 (en) * 2019-09-29 2021-04-01 华为技术有限公司 Communication method and communication apparatus
EP4149048A4 (en) * 2020-05-29 2023-06-28 Huawei Technologies Co., Ltd. Key negotiation method, apparatus and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553610A (en) * 2003-05-30 2004-12-08 ��Ϊ�������޹�˾ Authentication for roaming between CDMA to GSM
CN1553730A (en) * 2003-05-30 2004-12-08 华为技术有限公司 Key consulting method for switching mobile station in wireless local network
US20040250069A1 (en) * 2001-09-25 2004-12-09 Rauno Kosamo Adapting securityparameters of services provided for a user terminal in a communication network and correspondingly secured data communication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040250069A1 (en) * 2001-09-25 2004-12-09 Rauno Kosamo Adapting securityparameters of services provided for a user terminal in a communication network and correspondingly secured data communication
CN1553610A (en) * 2003-05-30 2004-12-08 ��Ϊ�������޹�˾ Authentication for roaming between CDMA to GSM
CN1553730A (en) * 2003-05-30 2004-12-08 华为技术有限公司 Key consulting method for switching mobile station in wireless local network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190036694A1 (en) * 2010-12-21 2019-01-31 Koninklijke Kpn N.V. Operator-Assisted Key Establishment
US11799650B2 (en) * 2010-12-21 2023-10-24 Koninklijke Kpn N.V. Operator-assisted key establishment

Also Published As

Publication number Publication date
CN101060712B (en) 2011-08-24
CN101060712A (en) 2007-10-24

Similar Documents

Publication Publication Date Title
WO2007121669A1 (en) Method and device and system for establishing wireless connection
TWI497965B (en) Method and apparatus to implement security in a long term evolution wireless device
US8787572B1 (en) Enhanced association for access points
AU2007232622B2 (en) System and method for optimizing authentication procedure during inter access system handovers
AU2010201991B2 (en) Method and apparatus for security protection of an original user identity in an initial signaling message
WO2009030155A1 (en) Method, system and apparatus for negotiating the security ability when a terminal is moving
US8881305B2 (en) Methods and apparatus for maintaining secure connections in a wireless communication network
WO2006131061A1 (en) Authentication method and corresponding information transmission method
WO2008131689A1 (en) Method and system for realizing an emergency communication service and corresponding apparatuses thereof
WO2006022469A1 (en) Method for security association negociation with extensible authentication protocol in wireless portable internet system
WO2015100974A1 (en) Terminal authentication method, device and system
WO2009043278A1 (en) A method, system and device for negotiating about safety ability while a terminal is moving
WO2011127791A1 (en) Method and system for establishing enhanced key when terminal moves to enhanced universal terrestrial radio access network(utran)
WO2010083671A1 (en) Network security hypertext transfer protocol negotiation method and correlated devices
WO2008006312A1 (en) A realizing method for push service of gaa and a device
WO2011127774A1 (en) Method and apparatus for controlling mode for user terminal to access internet
WO2013174267A1 (en) Method, system, and device for securely establishing wireless local area network
WO2010069202A1 (en) Authentication negotiation method and the system thereof, security gateway, home node b
WO2012083873A1 (en) Method, apparatus and system for key generation
WO2010028603A1 (en) Key generation method and system when a tracking area is updated
WO2007041933A1 (en) An updating method of controlled secret keys and the apparatus thereof
JP5043928B2 (en) Method and apparatus for processing keys used for encryption and integrity
WO2011143977A1 (en) Method and system for establishing enhanced keys when terminal moves to enhanced universal terrestrial radio access network (utran)
WO2007025484A1 (en) Updating negotiation method for authorization key and device thereof
CA2708898C (en) Methods and apparatus for maintaining secure connections in a wireless communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07720874

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07720874

Country of ref document: EP

Kind code of ref document: A1