WO2007124671A1 - A method, device and system of negotiating the encrypting algorithm between the user equipment and the network - Google Patents

A method, device and system of negotiating the encrypting algorithm between the user equipment and the network

Info

Publication number
WO2007124671A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
network side
user equipment
network
encryption algorithm
Prior art date
Application number
PCT/CN2007/001254
Other languages
French (fr)
Chinese (zh)
Inventor
Wenfu Wu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007124671A1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Definitions

  • the invention belongs to the field of mobile communications, and in particular relates to a method, device and system for realizing data encryption between a user equipment and a network side.
  • Background technique
  • FIG. 1 shows the network architecture of an evolved packet core network, including a Mobility Management Entity (MME), a User Plane Entity (UPE), and an Inter Access System Anchor (Inter AS Anchor) that serves as the user plane anchor between different access systems.
  • the MME is responsible for mobility management of the control plane, including user context and mobility state management, assignment of user temporary identities, etc., corresponding to the current General Packet Radio Service (GPRS) / Universal Mobile Telecommunications System (UMTS)
  • Information, etc. corresponds to the data plane part of the SGSN and the Gateway GPRS Support Node (GGSN) inside the current GPRS/UMTS system; the Inter AS Anchor acts as the user plane anchor between different access systems.
  • the Policy and Charging Rule Function is used for policy control decisions and flow accounting control functions.
  • the Home Subscriber Server (HSS) is used to store user subscription information.
  • Each network entity is connected through a corresponding interface.
  • for the user equipment (UE, User Equipment), mobility management (MM) is performed with the MME, and a data bearer is established with the anchor to perform data services.
  • FIG. 2 shows the implementation flow of user attachment specified in the existing protocol, as detailed below:
  • the UE selects the access system and network (Network Discovery and Access System Selection);
  • the UE sends an attach request message (Attach Request) to the MME;
  • the MME sends the original registration information message (Send old registration information) to the old MME to obtain the user information;
  • the old MME sends the user information to the MME;
  • the MME authenticates the UE;
  • the MME registers with the HSS (Register MME/UPE);
  • the old MME deletes the user information (Delete UE registration information);
  • the HSS confirms the registration of the MME (Confirm Registration);
  • the MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • the MME sends an attach accept message (Attach Accept) to the UE, and allocates a temporary identifier of the UE;
  • the UE confirms the attachment (Attach Confirm).
  • FIG. 3 shows the implementation flow of user activation as specified in the existing protocol, as detailed below:
  • the UE sends an activation request message to the MME;
  • the MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • the UPE/Inter AS Anchor uses the IP address assigned to the UE to perform IP layer configuration, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration);
  • the MME sends an activation accept message to the UE.
  • the messages transmitted between the UE and the network side need to be encrypted.
  • in the GPRS system, the encryption processing of messages is performed between the UE and the SGSN.
  • the encryption processing of messages is performed between the UE and the Radio Network Controller (RNC).
  • in both cases, signaling encryption and data encryption are performed on the same entity on the network side.
  • in the existing protocol, the encryption processing of non-access stratum (NAS, Non-Access Stratum) signaling is performed between the UE and the logical function entity MME, and the encryption processing of the user plane is performed between the UE and the logical function entity UPE.
  • the inventor has found that processing the signaling plane and user plane encryption on different logical function entities in the evolved packet core network raises the problem of encryption inconsistency between the MME and the UPE network elements: if the MME logical function entity and the UPE logical function entity are not implemented in the same network element on the network side, the encryption algorithm capabilities supported by the MME logical function entity and by the UPE logical function entity may be inconsistent, in which case the encryption of the signaling plane and of the user plane cannot use the same encryption algorithm and must be handled separately.
  • the existing protocol only stipulates the principle of encryption processing in the evolved network, and does not specify a detailed implementation scheme in which the signaling plane and data plane encryption are performed separately; it therefore lacks implementability and operability.
  • Summary of the invention
  • the embodiment of the invention provides a method, a device and a system for implementing encryption and negotiation between a user equipment and a network side, so that the signaling plane and the user plane encryption can be separately processed.
  • the present invention provides a method for implementing encryption negotiation between a user equipment and a network side, including: when the user equipment is registered to the network, the user equipment negotiates a signaling plane encryption algorithm with the network side; when the user equipment and the network side establish a bearer, the user equipment negotiates a data plane encryption algorithm with the network side.
  • the present invention provides an apparatus for implementing encryption negotiation between a user equipment and a network side, including: a receiving unit, receiving the encrypted information sent by the user equipment;
  • a signaling plane encryption processing unit, configured to determine the signaling plane encryption algorithm negotiated between the user equipment and the network side;
  • a data plane encryption processing unit, configured to determine the data plane encryption algorithm negotiated between the user equipment and the network side;
  • a sending unit, sending the determined signaling plane and/or data plane encryption algorithm to the user equipment; wherein, when the user equipment is registered to the network, the signaling plane encryption processing unit negotiates a signaling plane encryption algorithm between the user equipment and the network side according to the encrypted information received by the receiving unit;
  • the data plane encryption processing unit negotiates a data plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit and the encryption information of the user plane network element.
  • the embodiment of the invention provides a communication system, including: a user equipment, a signaling plane network element on the network side, and a user plane network element.
  • when the user equipment registers with the network, it reports the encrypted information of the user, and the user equipment and the signaling plane network element on the network side negotiate a signaling plane encryption algorithm according to the encrypted information;
  • when the user equipment and the network side establish a bearer, a message carrying the encrypted information is transmitted to the network side;
  • the user plane network element determines the data plane encryption algorithm between the user equipment and the network side according to the encryption information of the user equipment and the encryption information of the user plane network element.
  • the signaling plane encryption negotiation and the data plane encryption negotiation are separately processed.
  • the user equipment UE and the network side signaling plane network element, such as the MME of the evolved network, perform the signaling plane encryption negotiation.
  • when the bearer is set up between the user equipment UE and the network side, the user equipment UE and the network side data plane network element, such as the user plane entity UPE of the evolved network, perform the data plane encryption negotiation.
  • the data plane and the signaling plane are separately negotiated.
  • the user equipment negotiates the signaling plane encryption algorithm with the network side.
  • negotiating the encryption algorithms in this way ensures that the encryption between the UE and the core network can be processed normally after the MME/UPE separation, and is easy to implement and operate.
  • FIG. 1 is a network architecture diagram of an evolved packet core network in the prior art.
  • FIG. 2 is a flowchart of an implementation of user attachment specified in a prior protocol.
  • FIG. 3 is a flowchart of an implementation of user activation specified in an existing protocol.
  • FIG. 5 is a flowchart of implementing user attachment in an embodiment of the present invention.
  • FIG. 6 is a flowchart of an implementation of user attachment in another embodiment of the present invention.
  • FIG. 7 is a flowchart of implementing an update of a user tracking area in an embodiment of the present invention.
  • FIG. 8 is a flowchart of implementing a user tracking area update in another embodiment of the present invention.
  • FIG. 9 is a flowchart of implementing user activation in an embodiment of the present invention.
  • FIG. 10 is a flowchart of implementing user activation in an embodiment of the present invention.
  • FIG. 11 is a flowchart of implementing network side activation in an embodiment of the present invention.
  • FIG. 4 shows an implementation flow of user attachment in an embodiment of the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE selects an access system and a network;
  • the UE sends an attach request message (Attach Request) to the MME, and the request message carries the user's encrypted information, such as the encryption algorithms supported by the UE; here the user's encrypted information is carried in the MS network capability cell of the attach request message as an example.
  • the example structure is as follows:
  • the MME sends the original registration information message (Send old registration information) to the old MME to retrieve the user information, and the old MME sends the user information to the MME.
  • the MME authenticates the UE.
  • the UE and the MME negotiate a signaling plane encryption algorithm for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE;
  • the authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encrypted information, and the example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows:
  • (2) the UE saves the encryption algorithm negotiated by the MME carried in the authentication request, and returns an authentication response to the MME.
  • the MME registers with the HSS (Register MME/UPE);
  • the HSS confirms the registration of the MME (Confirm Registration);
  • the MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • the MME sends a bearer setup request message to the UPE/Inter AS Anchor, where the message carries the user's encrypted information, such as the encryption algorithms supported by the UE.
  • the example structure is as follows:
  • the UPE sends an authentication request to the UE.
  • the authentication request carries the user plane encryption algorithm negotiated by the UPE according to the user's encrypted information.
  • the example structure of the authentication request message carrying the user plane encryption algorithm is as follows:
  • the UE saves the data plane encryption algorithm negotiated by the UPE carried in the authentication request, and returns an authentication response to the UPE.
  • the UPE returns a Create Bearer Response message to the MME.
  • the MME sends an Attach Accept message to the UE, and allocates a temporary identifier of the UE;
  • the UE confirms the attachment (Attach Confirm).
  • FIG. 5 shows an implementation flow 2 of the user attachment provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE selects the access system and network (Network Discovery and Access System Selection);
  • the UE sends an attach request message (Attach Request) to the MME, and the request message carries the user's encrypted information, such as the encryption algorithms supported by the UE; here the user's encrypted information is carried in the MS network capability cell of the attach request message as an example.
  • the example structure is as follows:
  • the MME authenticates the UE, and during the authentication process the UE and the MME negotiate the signaling plane encryption algorithm for signaling encryption between the UE and the MME:
  • the MME sends an authentication request to the UE.
  • the authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encrypted information.
  • the example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows:
  • the UE saves the encryption algorithm negotiated by the MME carried in the authentication request, and returns an authentication response to the MME.
  • the HSS confirms the registration of the MME (Confirm Registration);
  • the MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • the MME sends a Create Bearer Request message to the UPE/Inter AS Anchor.
  • the message carries the user's encrypted information, such as the encryption algorithms supported by the UE.
  • the user's encrypted information is carried in the MS network capability cell of the bearer setup request message.
  • the example structure is as follows:
  • the UPE negotiates the user plane encryption algorithm used between the UE and the UPE according to the user's encrypted information and its own encrypted information, and then returns a Create Bearer Response message to the MME, where the message carries the negotiated user plane encryption algorithm.
  • the example structure of the Create Bearer Response message carrying the user plane encryption algorithm is as follows:
  • the MME sends an Attach Accept message to the UE, and allocates a temporary identifier of the UE, where the message carries the user plane encryption algorithm negotiated between the UE and the UPE, and this user plane encryption algorithm is subsequently used between the UE and the UPE;
  • the UE confirms the attachment (Attach Confirm).
  • FIG. 6 shows an implementation flow 3 of the user attachment provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE selects an access system and a network;
  • the UE sends an attach request message (Attach Request) to the MME, and the request message carries the user's encrypted information, such as the encryption algorithms supported by the UE; here the user's encrypted information is carried in the MS network capability cell of the attach request message as an example.
  • the example structure is as follows:
  • the MME authenticates the UE.
  • the UE and the MME negotiate a signaling plane encryption algorithm for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE;
  • the authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encrypted information, and the example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows:
  • (2) the UE saves the encryption algorithm negotiated by the MME carried in the authentication request, and returns an authentication response to the MME.
  • the HSS confirms the registration of the MME (Confirm Registration);
  • the MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • the MME forwards the attach request message of the user to the UPE/Inter AS Anchor;
  • configuring the QoS (Configure IP Bearer QoS) used by the default IP access bearer between the UPE/IASA and the evolved RAN network;
  • the UPE negotiates the user plane encryption algorithm used between the UE and the UPE according to the user's encrypted information and its own encrypted information, and then sends an Attach Accept message to the MME, where the message carries the negotiated user plane encryption algorithm.
  • the example structure of the create bearer response message carrying the user plane encryption algorithm is as follows:
  • the MME sends an Attach Accept message to the UE, and allocates a temporary identifier of the UE.
  • the message carries the user plane encryption algorithm negotiated between the UE and the UPE.
  • this user plane encryption algorithm is subsequently used between the UE and the UPE.
  • the UE confirms the attachment (Attach Confirm).
  • FIG. 7 shows an implementation flow 1 of the tracking area update provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE sends a Tracking Area Update (TAU) Request to the MME, and the message carries the user's encrypted information, such as the encryption algorithms supported by the UE; here the tracking area update request message carries the user's encrypted information.
  • the example structure is as follows:
  • the MME authenticates the UE, and during the authentication process the signaling plane encryption algorithm is negotiated between the UE and the MME for signaling encryption between the UE and the MME:
  • the MME sends an authentication request to the UE.
  • the authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encrypted information.
  • the example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows:
  • the UE saves the encryption algorithm negotiated by the MME carried in the authentication request, and returns an authentication response to the MME.
  • the MME selects a UPE (Selection of UPE);
  • the MME sends a Create Bearer Request message to the UPE, and the message carries the user's encrypted information, such as the encryption algorithms supported by the UE; here the user's encrypted information is carried in the MS network capability cell of the bearer setup request message as an example.
  • the example structure is shown below:
  • the UPE negotiates the user plane encryption algorithm used between the UE and the UPE based on the user's encrypted information and its own encrypted information, and then returns a Create Bearer Response message to the MME.
  • the message carries the negotiated user plane encryption algorithm.
  • the example structure of the bearer response message carrying the user plane encryption algorithm is as follows:
  • the MME sends a tracking area update accept message (TAU Accept) to the UE, and allocates a temporary identifier of the UE, where the message carries the user plane encryption algorithm negotiated between the UE and the UPE, and this user plane encryption algorithm is subsequently used between the UE and the UPE.
  • the UE confirms that the tracking area is updated successfully (TAU Confirm).
  • FIG. 8 shows an implementation flow 2 of the user tracking area update provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE sends a Tracking Area Update (TAU) Request to the MME, and the request message carries the user's encrypted information, such as the encryption algorithms supported by the UE; the user's encrypted information is carried in the tracking area update request message.
  • the example structure is as follows:
  • the MME authenticates the UE, and during the authentication process the UE and the MME negotiate the signaling plane encryption algorithm for signaling encryption between the UE and the MME:
  • the MME sends an authentication request to the UE.
  • the authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encrypted information.
  • the example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows:
  • the UE saves the encryption algorithm negotiated by the MME carried in the authentication request, and returns an authentication response to the MME.
  • the MME selects a UPE (Selection of UPE);
  • the MME forwards the Tracking Area Update Request (TAU Request) message to the UPE.
  • configuring the QoS (Configure IP Bearer QoS) used by the default IP access bearer between the UPE and the evolved RAN network;
  • the UPE negotiates the user plane encryption algorithm used between the UE and the UPE according to the user's encrypted information and its own encrypted information, and then returns a tracking area update accept (TAU Accept) message to the MME, where the message carries the negotiated user plane encryption algorithm.
  • the example structure of the created response message carrying the user plane encryption algorithm is as follows:
  • the MME sends a tracking area update accept message (TAU Accept) to the UE, and allocates a temporary identifier of the UE, where the message carries the user plane encryption algorithm negotiated between the UE and the UPE, and this user plane encryption algorithm is subsequently used between the UE and the UPE.
  • the UE confirms that the tracking area is updated successfully (TAU Confirm).
  • FIG. 9 shows an implementation flow of user activation provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE sends an activation request message to the MME;
  • the MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • the UPE/Inter AS Anchor uses the IP address assigned to the UE for IP layer configuration, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration):
  • the MME sends a Create Bearer Request message to the UPE/Inter AS Anchor.
  • the message carries the user's encrypted information, such as the encryption algorithms supported by the UE.
  • the user's encrypted information is carried in the MS network capability cell of the bearer setup request message.
  • the example structure is as follows:
  • the UPE sends an authentication request to the UE, where the authentication request carries the user plane encryption algorithm negotiated by the UPE according to the encryption algorithms supported by the UE, and the example structure of the authentication request message carrying the user plane encryption algorithm is as follows:
  • the UE saves the data plane encryption algorithm negotiated by the UPE, and returns an authentication response to the UPE.
  • the data encryption between the UE and the UPE subsequently uses the negotiated encryption algorithm.
  • the MME sends an activation accept message to the UE.
  • FIG. 10 shows an implementation flow 2 of user activation provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UE sends an activation request message to the MME;
  • the MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • the MME sends a Create Bearer Request message to the UPE, where the message carries the user's encrypted information, such as the encryption algorithms supported by the UE.
  • here the user's encrypted information is carried in the MS network capability cell of the bearer setup request message as an example; the example structure is as follows:
  • the UPE negotiates the user plane encryption algorithm used between the UE and the UPE based on the user's encrypted information and its own encrypted information, and then returns a Create Bearer Response message to the MME.
  • the message carries the negotiated user plane encryption algorithm.
  • the example structure of the Create Bearer Response message carrying the user plane encryption algorithm is as follows:
  • configuring the QoS (Configure IP Bearer QoS) used by the default IP access bearer between the MME and the evolved RAN network;
  • the MME sends an activation accept message to the UE, where the message carries the negotiated user plane encryption algorithm, and this user plane encryption algorithm is subsequently used between the UE and the UPE.
  • FIG. 11 shows an implementation flow 1 of network side activation provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
  • the UPE/IASA sends a Create Bearer Request message to the MME.
  • the message carries the encrypted information of the UPE, such as the encryption algorithms it supports; here this encrypted information is carried in the network capability cell of the bearer setup request message as an example.
  • the example structure is as follows:
  • the MME negotiates the user plane encryption algorithm used between the UE and the UPE according to the encryption information of the UE and the encryption information of the UPE.
  • (the UE has already sent its own encryption information to the MME in the attach process when registering with the MME; this is not described again.)
  • the MME sends a bearer request message (Bearer Request) to the Evolved RAN, and the message carries the user plane encryption algorithm negotiated between the UE and the UPE.
  • the example structure of a bearer request message carrying a user plane encryption algorithm is as follows:
  • the Evolved RAN sends a bearer request message (Bearer Request) to the UE, where the message carries the user plane encryption algorithm between the UE and the UPE;
  • the UE returns a response message (Bearer Response) to the Evolved RAN;
  • the Evolved RAN returns a bearer response message (Bearer Response) to the MME;
  • the MME sends a Create Bearer Response message to the UPE, and the message carries the negotiated user plane encryption algorithm used between the UE and the UPE.
  • an embodiment of the present invention provides a device for implementing encryption negotiation between a user equipment and a network side, where the device includes a receiving unit, a signaling plane encryption processing unit, a data plane encryption processing unit and a sending unit, and the device is set on the network side.
  • the functional units of the device are distributed in different network element entities to implement the corresponding functions.
  • the signaling plane encryption processing unit and the data plane encryption processing unit are disposed on the signaling plane network element and the user plane network element respectively; in the evolved network, the signaling plane network element is an MME and the user plane network element is a UPE.
  • the receiving unit receives the encrypted information sent by the user equipment;
  • the signaling plane encryption processing unit is configured to determine the signaling plane encryption algorithm negotiated between the user equipment and the network side;
  • the data plane encryption processing unit is configured to determine the data plane encryption algorithm negotiated between the user equipment and the network side;
  • the sending unit is configured to send the determined signaling plane and/or data plane encryption algorithm to the user equipment;
  • the signaling plane encryption processing unit negotiates a signaling plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit;
  • the data plane encryption processing unit negotiates a data plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit and the encryption information of the user plane network element. As shown in step 3 and step 7 in FIG. 4, the user equipment negotiates the encryption algorithm of the signaling plane and of the data plane with the network side device respectively.
  • the encrypted information is carried in a user attach request message or a tracking area update request message sent by the user equipment to the network side.
  • the MME receives an attach request message that is sent by the user equipment and carries the user's encrypted information.
  • a communication system is further provided in the embodiment of the present invention, including: a user equipment, a signaling plane network element on the network side, and a user plane network element.
  • when the user equipment registers with the network and reports the user's encryption information, the user equipment and the signaling plane network element on the network side negotiate a signaling plane encryption algorithm according to the encryption information;
  • when the user equipment and the network side establish a bearer and a message carrying the encryption information is sent to the network side,
  • the user plane network element determines the data plane encryption algorithm between the user equipment and the network side according to the encryption information of the user equipment and the encryption information of the user plane network element.
  • the encrypted information of the user is carried in a user attach request message or a tracking area update request message sent by the user equipment to the network side.
  • the signaling plane encryption algorithm is sent to the user equipment, and the signaling plane encryption algorithm is carried in an authentication request message sent by the network side to the user equipment.
  • the operation procedure between the user equipment and the network side signaling plane network element and the user plane network element in the communication system is basically the same as that described in the foregoing embodiment, and details are not described herein again.
  • the present invention describes an implementation in which encryption negotiation for the data plane and the signaling plane is handled separately, using an evolved network as an example, but it can of course be applied to other networks.
  • the present invention assumes that the MME is one entity in the evolved network architecture and that the UPE and the Inter AS Anchor together form one entity, but this does not exclude other network architectures, such as one in which the MME, UPE and Inter AS Anchor are each an independent entity.

Abstract

A method of negotiating the encryption algorithm between the user equipment and the network, and its device and system, are disclosed. When registering, the UE negotiates the encryption algorithm of the signaling plane with the network, and the encryption algorithm of the data plane is negotiated between the UE and the network when traffic is established. The negotiation of the data plane and the signaling plane can be separated, so the encryption between the UE and the core network can be processed correctly after the MME and the UPE are separated.

Description

Method, device and system for implementing encryption negotiation between a user equipment and the network side

This application claims priority to Chinese Patent Application No. 200610060555.0, filed with the Chinese Patent Office on April 30, 2006 and entitled "A method for implementing encryption negotiation between a user equipment and the network side", the entire contents of which are incorporated herein by reference.

Technical field

The invention belongs to the field of mobile communications, and in particular relates to a method, device and system for implementing data encryption between a user equipment and the network side.

Background art
To enhance the competitiveness of future networks, the Third Generation Partnership Project (3GPP) is studying a new evolved network architecture, including System Architecture Evolution (SAE) and Long Term Evolution (LTE) of the access network; the evolved access network is called E-UTRAN (Evolved Universal Terrestrial Radio Access Network). Figure 1 shows a network architecture of the evolved packet core network, which includes three logical functional entities: the Mobility Management Entity (MME), the User Plane Entity (UPE) and the user plane anchor between different access systems (Inter AS Anchor, Inter Access System Anchor).
The MME is responsible for control plane mobility management, including user context and mobility state management and allocation of temporary user identities, and corresponds to the control plane part of the Serving GPRS Support Node (SGSN) in the current General Packet Radio Service (GPRS)/Universal Mobile Telecommunications System (UMTS); the UPE is responsible for initiating paging for downlink data in idle state and for managing and storing Internet Protocol (IP) bearer parameters and intra-network routing information, and corresponds to the data plane part of the SGSN and the Gateway GPRS Support Node (GGSN) in the current GPRS/UMTS system; the Inter AS Anchor acts as the user plane anchor between different access systems. The Policy and Charging Rule Function (PCRF) is used for policy control decisions and flow-based charging control. The Home Subscriber Server (HSS) stores user subscription information. The network entities are connected through corresponding interfaces. When a user accesses the network, the user equipment (UE) attaches to the MME, and the MME establishes a Mobility Management (MM) context for it; the user then sends an activation request, a data bearer is established between the user and the UPE/Inter AS Anchor, and data services are carried over that bearer.
Figure 2 shows the user attach procedure specified in the existing protocol, detailed as follows:
1. The UE selects an access system and a network (Network Discovery and Access System Selection);
2. The UE sends an attach request message (Attach Request) to the MME;
3. If the attach request message carries registration information of the old MME, the MME sends a Send old registration information message to the old MME to obtain the user's information;
4. The old MME sends the user's information to the MME (Send user information);
5. The MME authenticates the UE (Authentication);
6. The MME registers with the HSS (Register MME/UPE);
7. The old MME deletes the user's information (Delete UE registration information);
8. The HSS confirms the registration of the MME (Confirm Registration);
9. The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
10. The data plane between the UE and the UPE/IASA is established;
11. The Quality of Service (QoS) used by the default IP access bearer is configured between the MME and the Evolved Radio Access Network (Evolved RAN) (Configure IP Bearer QoS);
12. The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identity for the UE;
13. The UE confirms that the attach succeeded (Attach Confirm).
Figure 3 shows the user activation procedure specified in the existing protocol, detailed as follows:
1. The UE sends an activation request message to the MME;
2. The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
3. The UPE/Inter AS Anchor performs IP layer configuration using the IP address allocated to the UE, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration);
4. The QoS used by the IP access bearer is configured between the MME and the Evolved RAN (Configure IP Bearer QoS);
5. The MME sends an activation accept message to the UE.
To secure data on the air interface, messages transmitted between the UE and the network side must be encrypted. At present, in the GPRS system the encryption of messages is performed between the UE and the SGSN, and in the UMTS system it is performed between the UE and the Radio Network Controller (RNC). In GPRS and UMTS, signaling encryption and data encryption are therefore both performed on the same entity on the network side. For the evolved network, the existing protocol specifies that the encryption of Non-Access Stratum (NAS) signaling is performed between the UE and the logical functional entity MME, and that user plane encryption is performed between the UE and the logical functional entity UPE. In the course of research, the inventor found that processing signaling plane and user plane encryption on different logical functional entities of the evolved packet core network solves the problem of inconsistent encryption capabilities in the MME and UPE network elements. If the MME logical functional entity and the UPE logical functional entity are not implemented in the same network element on the network side, the encryption algorithm capabilities of the two entities may differ; in that case signaling plane and user plane encryption cannot use the same encryption algorithm and must be handled separately. The existing evolved network specifications only lay down the principle of encryption processing in the evolved network; they do not specify a detailed implementation in which signaling plane and data plane encryption are handled separately, and so lack implementability and operability.

Summary of the invention
The embodiments of the invention provide a method, device and system for implementing encryption negotiation between a user equipment and the network side, so that signaling plane and user plane encryption can be handled separately.
The invention provides a method for implementing encryption negotiation between a user equipment and the network side, including: when the user equipment registers with the network, the user equipment negotiates a signaling plane encryption algorithm with the network side; when the user equipment and the network side establish a bearer, the user equipment negotiates a data plane encryption algorithm with the network side.
The invention provides a device for implementing encryption negotiation between a user equipment and the network side, including:
a receiving unit, which receives the encryption information sent by the user equipment;
a signaling plane encryption processing unit, which determines the signaling plane encryption algorithm negotiated between the user equipment and the network side;
a data plane encryption processing unit, which determines the data plane encryption algorithm negotiated between the user equipment and the network side;
a sending unit, which sends the determined signaling plane and/or data plane encryption algorithm to the user equipment;
where, when the user equipment registers with the network, the signaling plane encryption processing unit negotiates the signaling plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit, and when the user equipment and the network side establish a bearer, the data plane encryption processing unit negotiates the data plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit and the encryption information of the user plane network element.
The embodiments of the invention provide a communication system, including a user equipment, a signaling plane network element on the network side and a user plane network element, where:
when the user equipment registers with the network and reports the user's encryption information, the user equipment and the signaling plane network element on the network side negotiate a signaling plane encryption algorithm according to the encryption information;
when the user equipment and the network side establish a bearer and a message carrying the encryption information is sent to the network side, the user plane network element determines the data plane encryption algorithm between the user equipment and the network side according to the encryption information of the user equipment and the encryption information of the user plane network element.
As can be seen from the above embodiments, in the invention signaling plane encryption negotiation and data plane encryption negotiation are handled separately: when the user registers with the network side, signaling plane encryption negotiation takes place between the user equipment UE and a signaling plane network element on the network side, such as the MME of the evolved network; when a bearer is established between the user equipment UE and the network side, data plane encryption negotiation takes place between the user equipment UE and a data plane network element on the network side, such as the user plane entity UPE of the evolved network. Because the two negotiations are separate (the signaling plane algorithm is negotiated when the user equipment registers with the network, the data plane algorithm when the user equipment and the network side establish a bearer), encryption between the UE and the core network can still be processed correctly after the MME and UPE are separated, and the scheme is easy to implement and operate.

Brief description of the drawings
Figure 1 is a network architecture diagram of the evolved packet core network in the prior art;
Figure 2 is a flowchart of the user attach procedure specified in the existing protocol;
Figure 3 is a flowchart of the user activation procedure specified in the existing protocol;
Figure 4 is a flowchart of a user attach procedure in an embodiment of the invention;
Figure 5 is a flowchart of a user attach procedure in an embodiment of the invention;
Figure 6 is a flowchart of a user attach procedure in another embodiment of the invention;
Figure 7 is a flowchart of a user tracking area update in an embodiment of the invention;
Figure 8 is a flowchart of a user tracking area update in another embodiment of the invention;
Figure 9 is a flowchart of user activation in an embodiment of the invention;
Figure 10 is a flowchart of user activation in an embodiment of the invention;
Figure 11 is a flowchart of network side activation in an embodiment of the invention.
Detailed description

The invention is described in further detail below with reference to the accompanying drawings and embodiments.

Figure 4 shows the user attach procedure in an embodiment of the invention; for ease of description only the parts relevant to the invention are shown:
1. The UE selects an access system and a network;
2. The UE sends an attach request message (Attach Request) to the MME. The request message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking as an example the case where the user's encryption information is carried in the MS network capability information element of the attach request message, the example structure of that information element is shown in the accompanying figure.
If the attach request message carries registration information of the old MME, the MME sends a Send old registration information message to the old MME to obtain the user's information, and the old MME sends the user's information to the MME (Send user information);
3. The MME authenticates the UE (Authentication). During authentication the UE and the MME negotiate the signaling plane encryption algorithm used for subsequent signaling encryption between the UE and the MME:
(1) The MME sends an authentication request to the UE. The authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encryption information. The example structure of the authentication request message carrying the signaling plane encryption algorithm is as follows (one octet, bits numbered 8 to 1):
  8 7 6 5 4 3 2 1
  bits 8-5: Ciphering algorithm IEI | bit 4: 0 (spare) | bits 3-1: Type of algorithm
where IEI is the Information Element Identifier; the remaining fields of the message are shown in the accompanying figure.
(2) The UE saves the encryption algorithm negotiated by the MME and carried in the authentication request, and returns an authentication response to the MME.
4. The MME registers with the HSS (Register MME/UPE);
5. The HSS confirms the registration of the MME (Confirm Registration);
6. The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
7. The user plane between the UE and the UPE/Inter AS Anchor is established, which specifically includes:
(1) The MME sends a bearer setup request message to the UPE/Inter AS Anchor. The message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking as an example the case where the user's encryption information is carried in the MS network capability information element of the bearer setup request message, the example structure is shown in the accompanying figure.
(2) The UPE sends an authentication request to the UE. The authentication request carries the user plane encryption algorithm negotiated by the UPE according to the user's encryption information. The example structure of the authentication request message carrying the user plane encryption algorithm is as follows (one octet, bits numbered 8 to 1):
  8 7 6 5 4 3 2 1
  bits 8-5: Ciphering algorithm IEI | bit 4: 0 (spare) | bits 3-1: Type of algorithm
The remaining fields of the message are shown in the accompanying figure.
(3) The UE saves the data plane encryption algorithm negotiated by the UPE and carried in the authentication request, and returns an authentication response to the UPE.
(4) The UPE returns a Create Bearer Response message to the MME.
8. The QoS used by the default IP access bearer is configured between the MME and the evolved RAN (Configure IP Bearer QoS);
9. The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identity for the UE;
10. The UE confirms that the attach succeeded (Attach Confirm).
Figure 5 shows a second user attach procedure provided by the invention; for ease of description only the parts relevant to the invention are shown:
1. The UE selects an access system and a network (Network Discovery and Access System Selection);
2. The UE sends an attach request message (Attach Request) to the MME. The request message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking as an example the case where the user's encryption information is carried in the MS network capability information element of the attach request message, the example structure is shown in the accompanying figure.
3. The MME authenticates the UE (Authentication). During authentication the UE and the MME negotiate the signaling plane encryption algorithm used for subsequent signaling encryption between the UE and the MME:
(1) The MME sends an authentication request to the UE. The authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encryption information. The example structure of the authentication request message carrying the signaling plane encryption algorithm (an octet with bits numbered 8 to 1) is shown in the accompanying figure.
(2) The UE saves the encryption algorithm negotiated by the MME and carried in the authentication request, and returns an authentication response to the MME.
4. The MME registers with the HSS (Register MME/UPE);
5. The HSS confirms the registration of the MME (Confirm Registration);
6. The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
7. The MME sends a Create Bearer Request message to the UPE/Inter AS Anchor. The message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking as an example the case where the user's encryption information is carried in the MS network capability information element of the bearer setup request message, the example structure is shown in the accompanying figure.
8. The UPE negotiates the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and then returns a Create Bearer Response message to the MME. The message carries the negotiated user plane encryption algorithm; the example structure of the Create Bearer Response message carrying the user plane encryption algorithm (an octet with bits numbered 8 to 1) is shown in the accompanying figure.
9. The QoS used by the default IP access bearer is configured between the MME and the evolved RAN (Configure IP Bearer QoS);
10. The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identity for the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, and the UE and the UPE use this user plane encryption algorithm from then on;
11. The UE confirms that the attach succeeded (Attach Confirm).
Figure 6 shows a third user attach procedure provided by the invention; for ease of description only the parts relevant to the invention are shown:
1. The UE selects an access system and a network;
2. The UE sends an attach request message (Attach Request) to the MME. The request message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking as an example the case where the user's encryption information is carried in the MS network capability information element of the attach request message, the example structure is shown in the accompanying figure.
3. The MME authenticates the UE (Authentication). During authentication the UE and the MME negotiate the signaling plane encryption algorithm used for subsequent signaling encryption between the UE and the MME:
(1) The MME sends an authentication request to the UE. The authentication request carries the signaling plane encryption algorithm negotiated by the MME according to the user's encryption information. The example structure of the authentication request message carrying the signaling plane encryption algorithm (an octet with bits numbered 8 to 1) is shown in the accompanying figure.
(2) The UE saves the encryption algorithm negotiated by the MME and carried in the authentication request, and returns an authentication response to the MME.
4. The MME registers with the HSS (Register MME/UPE);
5. The HSS confirms the registration of the MME (Confirm Registration);
6. The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
7. The MME forwards the user's attach request (Attach Request) message to the UPE/Inter AS Anchor;
8. The QoS used by the default IP access bearer is configured between the UPE/IASA and the evolved RAN (Configure IP Bearer QoS);
9. The UPE negotiates the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and then returns an attach accept (Attach Accept) message to the MME. The message carries the negotiated user plane encryption algorithm; the example structure of the create bearer response message carrying the user plane encryption algorithm (an octet with bits numbered 8 to 1) is shown in the accompanying figure.
10. The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identity for the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, and the UE and the UPE use this user plane encryption algorithm from then on;
11. The UE confirms that the attach succeeded (Attach Confirm).
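The following Python model is an added example, not code from the patent or from Huawei's implementation. It walks the Figure 4 style attach: the UE advertises its supported algorithms in the attach request, the MME picks the signaling plane algorithm during authentication, the MME forwards the UE's capabilities in the bearer setup request, and the UPE picks the user plane algorithm from its own, possibly different, capability set. The 3-bit algorithm identifiers, the IEI value, the preference orders and the message dictionaries are constructed placeholders; only the octet layout (IEI in bits 8-5, spare bit 4, type in bits 3-1) follows the information element shown above. The Figure 5 and Figure 6 variants differ only in which message carries the UPE's choice back to the UE.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed 3-bit "Type of algorithm" values (placeholders, not the 3GPP identifiers).
NO_CIPHERING = 0
ALG_NAMES: Dict[int, str] = {0: "no ciphering", 1: "ALG-1", 2: "ALG-2", 3: "ALG-3"}
CIPHERING_ALG_IEI = 0x9  # assumed 4-bit IEI value; the real IEI is assigned by the spec


def encode_ciphering_algorithm_ie(alg_type: int, iei: int = CIPHERING_ALG_IEI) -> int:
    """Pack one octet as laid out on the page: bits 8-5 IEI, bit 4 spare (0), bits 3-1 type."""
    if not 0 <= alg_type <= 7 or not 0 <= iei <= 15:
        raise ValueError("alg_type must fit in 3 bits and iei in 4 bits")
    return (iei << 4) | alg_type


def decode_ciphering_algorithm_ie(octet: int) -> Tuple[int, int]:
    """Return (iei, alg_type); reject an octet whose spare bit is set."""
    if octet & 0x08:
        raise ValueError("spare bit (bit 4) must be zero")
    return octet >> 4, octet & 0x07


def negotiate(ue_supported: Set[int], ne_supported: Set[int], preference: List[int]) -> Optional[int]:
    """Pick the first algorithm in the network element's preference order that both sides support."""
    for alg in preference:
        if alg in ue_supported and alg in ne_supported:
            return alg
    return None


@dataclass
class NetworkElement:
    name: str
    supported: Set[int]
    preference: List[int]


@dataclass
class UE:
    supported: Set[int]
    signaling_alg: Optional[int] = None
    user_plane_alg: Optional[int] = None

    def attach_request(self) -> dict:
        # Step 2: the MS network capability carries the algorithms the UE supports.
        return {"msg": "Attach Request", "ms_network_capability": sorted(self.supported)}

    def on_authentication_request(self, plane: str, ie_octet: int) -> dict:
        # Steps 3(2) and 7(3): store the algorithm chosen for this plane and answer.
        _, alg = decode_ciphering_algorithm_ie(ie_octet)
        if alg not in self.supported:
            # The UE only accepts an algorithm it actually advertised.
            raise ValueError(f"{plane}: network selected unsupported algorithm {alg}")
        if plane == "signaling":
            self.signaling_alg = alg
        else:
            self.user_plane_alg = alg
        return {"msg": "Authentication Response", "plane": plane}


def run_attach(ue: UE, mme: NetworkElement, upe: NetworkElement) -> dict:
    """Drive the Figure 4 flow: MME negotiates NAS ciphering, UPE negotiates user plane ciphering."""
    req = ue.attach_request()
    ue_caps = set(req["ms_network_capability"])
    # Step 3: the MME negotiates the signaling plane algorithm from the UE's capabilities.
    nas_alg = negotiate(ue_caps, mme.supported, mme.preference)
    if nas_alg is None:
        return {"result": "attach rejected", "reason": f"no common signaling algorithm with {mme.name}"}
    ue.on_authentication_request("signaling", encode_ciphering_algorithm_ie(nas_alg))
    # Step 7(1): the MME forwards the UE's capabilities to the UPE in the bearer setup request.
    bearer_req = {"msg": "Create Bearer Request", "ms_network_capability": sorted(ue_caps)}
    # Step 7(2): the UPE negotiates with its own capability set, which may differ from the MME's.
    up_alg = negotiate(set(bearer_req["ms_network_capability"]), upe.supported, upe.preference)
    if up_alg is None:
        return {"result": "bearer rejected", "reason": f"no common user plane algorithm with {upe.name}",
                "signaling_alg": nas_alg}
    ue.on_authentication_request("user", encode_ciphering_algorithm_ie(up_alg))
    return {"result": "attach accepted", "signaling_alg": nas_alg, "user_plane_alg": up_alg}


if __name__ == "__main__":
    # Constructed capability sets: the MME supports ALG-3 but the separately deployed UPE does not,
    # so the two planes legitimately end up with different algorithms.
    ue = UE(supported={1, 2, 3})
    mme = NetworkElement("MME", supported={1, 2, 3}, preference=[3, 2, 1])
    upe = NetworkElement("UPE", supported={1, 2}, preference=[2, 1])
    outcome = run_attach(ue, mme, upe)
    print(outcome["result"])
    print("signaling plane:", ALG_NAMES[ue.signaling_alg], "user plane:", ALG_NAMES[ue.user_plane_alg])
```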
图 7示出了本发明提供的用卢跟踪区更新的实现流程 1 ,为了便于描 述, 仅示出了与本发明相关的部分:  Fig. 7 shows an implementation flow 1 of the tracking area update provided by the present invention. For the convenience of description, only the parts related to the present invention are shown:
1. UE发送跟踪区更新请求消息 (Tracking Area Update ( TAU ) Request )到 MME, 倩求消息中携带用户的加密信息, 如 UE支持的加密 算法, 以用户的加密信息携带在跟踪区更新请求消息的 MS network capability信元中为例, 其示例结构如下所示:  1. The UE sends a Tracking Area Update (TAU) Request to the MME, and the message carries the user's encrypted information, such as an encryption algorithm supported by the UE, and carries the tracking area update request message with the user's encrypted information. For example, in the MS network capability cell, the example structure is as follows:
[Figure: MS network capability information element carrying the UE's supported encryption algorithms]
2. The MME authenticates the UE (Authentication). During authentication, the UE and the MME negotiate the signaling-plane encryption algorithm used for subsequent signaling encryption between the UE and the MME:
(1) The MME sends an Authentication Request to the UE. The request carries the signaling-plane encryption algorithm that the MME negotiated from the user's encryption information. An example structure of the Authentication Request message carrying the signaling-plane encryption algorithm is as follows:
  Bits:      8    7    6    5    4    3    2    1
  Octet 1:   Ciphering algorithm IEI | 0 (spare) | Type of algorithm
(2) The UE saves the encryption algorithm negotiated by the MME and carried in the Authentication Request, and returns an Authentication Response to the MME.
3. The MME selects a UPE (Selection of UPE);
4. The MME sends a Create Bearer Request message to the UPE. The message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking the case where the user's encryption information is carried in the MS network capability information element of the Create Bearer Request as an example, its example structure is as follows:
[Figure: MS network capability information element carrying the UE's supported encryption algorithms]
5. The UPE negotiates the user-plane encryption algorithm to be used between the UE and the UPE from the user's encryption information and its own encryption information, then returns a Create Bearer Response message to the MME carrying the negotiated user-plane encryption algorithm. An example structure of the Create Bearer Response message carrying the user-plane encryption algorithm is as follows:
[Figure: Ciphering algorithm information element, one octet, bits 8 to 1]
6. The QoS used by the default IP access bearer is configured between the MME and the evolved RAN (Configure IP Bearer QoS);
7. The MME sends a TAU Accept message to the UE and allocates the UE's temporary identity. The message carries the user-plane encryption algorithm negotiated between the UE and the UPE, which the UE and the UPE use from then on;
8. The UE confirms that the tracking area update succeeded (TAU Confirm).
Fig. 8 shows implementation flow 2 of the user tracking area update provided by the present invention. For ease of description, only the parts relevant to the present invention are shown:
1. The UE sends a Tracking Area Update (TAU) Request message to the MME. The request carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking the case where the user's encryption information is carried in the MS network capability information element of the TAU Request as an example, its example structure is as follows:
[Figure: MS network capability information element carrying the UE's supported encryption algorithms]
2. The MME authenticates the UE (Authentication). During authentication, the UE and the MME negotiate the signaling-plane encryption algorithm used for subsequent signaling encryption between the UE and the MME:
(1) The MME sends an Authentication Request to the UE. The request carries the signaling-plane encryption algorithm that the MME negotiated from the user's encryption information. An example structure of the Authentication Request message carrying the signaling-plane encryption algorithm is as follows:
[Figure: Ciphering algorithm information element, one octet, bits 8 to 1]
(2) The UE saves the encryption algorithm negotiated by the MME and carried in the Authentication Request, and returns an Authentication Response to the MME.
3. The MME selects a UPE (Selection of UPE);
4. The MME forwards the TAU Request message to the UPE.
5. The QoS used by the default IP access bearer is configured between the UPE and the evolved RAN (Configure IP Bearer QoS);
6. The UPE negotiates the user-plane encryption algorithm to be used between the UE and the UPE from the user's encryption information and its own encryption information, then returns a TAU Accept message to the MME carrying the negotiated user-plane encryption algorithm. An example structure of the Create Bearer Response message carrying the user-plane encryption algorithm is as follows:
  Bits:      8    7    6    5    4    3    2    1
  Octet 1:   Ciphering algorithm IEI | 0 (spare) | Type of algorithm
7. The MME sends a TAU Accept message to the UE and allocates the UE's temporary identity. The message carries the user-plane encryption algorithm negotiated between the UE and the UPE, which the UE and the UPE use from then on;
8. The UE confirms that the tracking area update succeeded (TAU Confirm).
Fig. 9 shows the implementation flow of user activation provided by the present invention. For ease of description, only the parts relevant to the present invention are shown:
1. The UE sends an activation request message to the MME;
2. The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
3. The UPE/Inter AS Anchor performs IP-layer configuration using the IP address allocated to the UE, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration):
(1) The MME sends a Create Bearer Request message to the UPE/Inter AS Anchor. The message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking the case where the user's encryption information is carried in the MS network capability information element of the Create Bearer Request as an example, its example structure is as follows:
[Figure: MS network capability information element carrying the UE's supported encryption algorithms]
(2) The UPE sends an Authentication Request to the UE. The request carries the encryption algorithm that the UPE negotiated from the encryption algorithms supported by the UE. An example structure of the Authentication Request message carrying the encryption algorithm is as follows:
  Bits:      8    7    6    5    4    3    2    1
  Octet 1:   Ciphering algorithm IEI | 0 (spare) | Type of algorithm
(3) The UE saves the data-plane encryption algorithm negotiated by the UPE and returns an Authentication Response to the UPE; subsequent data encryption between the UE and the UPE uses this negotiated algorithm.
4. The QoS used by the IP access bearer is configured between the MME and the evolved RAN (Configure IP Bearer QoS);
5. The MME sends an activation accept message to the UE.
Fig. 10 shows implementation flow 2 of user activation provided by the present invention. For ease of description, only the parts relevant to the present invention are shown:
1. The UE sends an activation request message to the MME;
2. The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
3. The MME sends a Create Bearer Request message to the UPE. The message carries the user's encryption information, such as the encryption algorithms supported by the UE. Taking the case where the user's encryption information is carried in the MS network capability information element of the Create Bearer Request as an example, its example structure is as follows:
[Figure: MS network capability information element carrying the UE's supported encryption algorithms]
4. The UPE negotiates the user-plane encryption algorithm to be used between the UE and the UPE from the user's encryption information and its own encryption information, then returns a Create Bearer Response message to the MME carrying the negotiated user-plane encryption algorithm. An example structure of the Create Bearer Response message carrying the user-plane encryption algorithm is as follows:
[Figure: Ciphering algorithm information element, one octet, bits 8 to 1]
5. The QoS used by the default IP access bearer is configured between the MME and the evolved RAN (Configure IP Bearer QoS);
6. The MME sends an activation accept message to the UE. The message carries the negotiated user-plane encryption algorithm, which the UE and the UPE use from then on.
Fig. 11 shows implementation flow 1 of network-side activation provided by the present invention. For ease of description, only the parts relevant to the present invention are shown:
1. The UPE/IASA sends a Create Bearer Request message to the MME. The message carries the UPE's encryption information, such as its supported encryption algorithm capability. Taking the case where the encryption information is carried in the network capability information element of the Create Bearer Request as an example, its example structure is as follows:
[Figure: network capability information element carrying the UPE's supported encryption algorithms]
2. The MME negotiates the user-plane encryption algorithm to be used between the UE and the UPE from the UE's encryption information and the UPE's encryption information (the UE already sent its own encryption information to the MME when it registered with the MME; see the UE-initiated attach flow, which is not described again here). The MME sends a Bearer Request message to the Evolved RAN carrying the user-plane encryption algorithm negotiated between the UE and the UPE. An example structure of the Bearer Request message carrying the user-plane encryption algorithm is as follows:
[Figure: Ciphering algorithm information element, one octet, bits 8 to 1]
3. The Evolved RAN sends a Bearer Request message to the UE carrying the user-plane encryption algorithm between the UE and the UPE;
4. The UE returns a Bearer Response message to the Evolved RAN;
5. The Evolved RAN returns a Bearer Response message to the MME;
6. The MME sends a Create Bearer Response message to the UPE carrying the negotiated user-plane encryption algorithm to be used between the UE and the UPE.
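The flows above (the attach and tracking area update flows of Figs. 6 to 8, the activation flows of Figs. 9 and 10, and the network-side activation of Fig. 11) all reduce to one exchange: the UE reports the algorithms it supports in a capability IE, a network element intersects that list with its own and a priority order, and the chosen algorithm goes back to the UE in a one-octet Ciphering algorithm IE. The Python model below is an added example by the editor; it is not code from the patent or from Huawei. The field widths (IEI in bits 8 to 5, a zero spare bit 4, a 3-bit type of algorithm in bits 3 to 1), the capability bitmap layout, the algorithm identifiers, the IEI value and the priority lists are all assumptions, since the page shows only the row labels of the IE table. The UE-side check that the selected algorithm is one the UE actually offered, and that the null algorithm is refused unless policy allows it, is also the editor's addition: the page describes no such check, but the capability is reported in the Attach or TAU Request before authentication, so a practitioner would want the UE to validate what comes back.

```python
"""Model of the two-plane algorithm negotiation described on this page.

Added example by the editor, not code from the patent. Assumptions, since the
page shows only the row labels of the IE table: the Ciphering algorithm IE is
one octet with the IEI in bits 8-5, a zero spare bit 4 and the 3-bit "type of
algorithm" in bits 3-1; the capability IE is a bitmap with bit i set when
algorithm i is supported; algorithm identifiers, IEI value and priority lists
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ALGORITHMS = {0: "NULL", 1: "ALG1", 2: "ALG2", 3: "ALG3"}  # constructed code points
CIPHERING_ALGORITHM_IEI = 0xA                               # assumed 4-bit IEI value


def encode_ciphering_algorithm_ie(alg: int) -> bytes:
    """One octet: IEI (bits 8-5) | spare 0 (bit 4) | type of algorithm (bits 3-1)."""
    if not 0 <= alg <= 7:
        raise ValueError("type of algorithm must fit in 3 bits")
    return bytes([(CIPHERING_ALGORITHM_IEI << 4) | alg])


def decode_ciphering_algorithm_ie(ie: bytes) -> int:
    """Reject a wrong IEI or a set spare bit instead of silently masking it."""
    if len(ie) != 1 or ie[0] >> 4 != CIPHERING_ALGORITHM_IEI:
        raise ValueError("not a Ciphering algorithm IE")
    if ie[0] & 0x08:
        raise ValueError("spare bit must be zero")
    return ie[0] & 0x07


def encode_capability(supported: set[int]) -> bytes:
    """Capability bitmap carried in the (MS) network capability IE (assumed layout)."""
    value = 0
    for alg in supported:
        value |= 1 << alg
    return bytes([value])


def decode_capability(ie: bytes) -> set[int]:
    return {i for i in range(8) if ie[0] & (1 << i)}


def negotiate(offered: set[int], priority: list[int]) -> int:
    """First algorithm in the network's priority order that the peer offered."""
    for alg in priority:
        if alg in offered:
            return alg
    raise ValueError("no common encryption algorithm")


@dataclass
class UE:
    supported: set[int]
    allow_null: bool = False
    signaling_alg: Optional[int] = None
    user_plane_alg: Optional[int] = None

    def accept(self, ie: bytes) -> int:
        """UE-side check (editor's addition): the selection must be one the UE
        offered, and the null algorithm is refused unless policy allows it."""
        alg = decode_ciphering_algorithm_ie(ie)
        if alg not in self.supported:
            raise ValueError(f"network selected {ALGORITHMS.get(alg, alg)}, not offered by UE")
        if alg == 0 and not self.allow_null:
            raise ValueError("null encryption refused by UE policy")
        return alg


@dataclass
class MME:
    priority: list[int]

    def authentication_request(self, capability: bytes) -> bytes:
        """Signaling-plane choice, carried in the Authentication Request IE."""
        return encode_ciphering_algorithm_ie(negotiate(decode_capability(capability), self.priority))


@dataclass
class UPE:
    supported: set[int]
    priority: list[int]

    def create_bearer_response(self, capability: bytes) -> bytes:
        """User-plane choice from the UE's capability and the UPE's own capability."""
        own = [alg for alg in self.priority if alg in self.supported]
        return encode_ciphering_algorithm_ie(negotiate(decode_capability(capability), own))


def attach(ue: UE, mme: MME, upe: UPE) -> tuple[int, int]:
    """Attach / TAU flow (Figs. 6-8, 10): the MME picks the signaling-plane algorithm
    during authentication; the UPE picks the user-plane algorithm at bearer setup."""
    capability = encode_capability(ue.supported)                        # Attach / TAU Request
    ue.signaling_alg = ue.accept(mme.authentication_request(capability))
    ue.user_plane_alg = ue.accept(upe.create_bearer_response(capability))  # relayed in Attach/TAU Accept
    return ue.signaling_alg, ue.user_plane_alg


def network_activation(ue: UE, mme: MME, upe: UPE) -> int:
    """Fig. 11: the UPE reports its capability to the MME, which negotiates the
    user-plane algorithm for both sides (it holds the UE's capability from attach)
    and pushes the result to the UE through the RAN in a Bearer Request."""
    upe_capability = decode_capability(encode_capability(upe.supported))  # Create Bearer Request
    alg = negotiate(ue.supported & upe_capability, mme.priority)
    ue.user_plane_alg = ue.accept(encode_ciphering_algorithm_ie(alg))     # Bearer Request via RAN
    return alg


def rejected(ue: UE, ie: bytes) -> bool:
    """True when the UE refuses the network's selection."""
    try:
        ue.accept(ie)
    except ValueError:
        return True
    return False
```

The two negotiation points stay independent, as in the page: `attach()` can return a different algorithm for the signaling plane than for the user plane, because the MME and the UPE each intersect the UE's capability with their own priority list.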
In addition, an embodiment of the present invention provides an apparatus for implementing encryption negotiation between user equipment and the network side. The apparatus comprises a receiving unit, a signaling-plane encryption processing unit, a data-plane encryption processing unit and a sending unit, and is located on the network side. Typically the functional units of the apparatus are distributed across different network element entities, which implement the corresponding functions; specifically, for example, the signaling-plane encryption processing unit and the data-plane encryption processing unit are located in the signaling-plane network element and the user-plane network element respectively. In the evolved network, the signaling-plane network element is the MME and the user-plane network element is the UPE.
The receiving unit receives the encryption information sent by the user equipment;
the signaling-plane encryption processing unit is configured to determine the signaling-plane encryption algorithm negotiated between the user equipment and the network side;
the data-plane encryption processing unit is configured to determine the data-plane encryption algorithm negotiated between the user equipment and the network side;
the sending unit is configured to send the determined signaling-plane and/or data-plane encryption algorithm to the user equipment;
when the user equipment registers with the network, the signaling-plane encryption processing unit negotiates the signaling-plane encryption algorithm between the user equipment and the network side from the encryption information received by the receiving unit;
when the user equipment and the network side establish a bearer, the data-plane encryption processing unit negotiates the data-plane encryption algorithm between the user equipment and the network side from the encryption information received by the receiving unit and the encryption information of the user-plane network element. Referring for example to step 3 and step 7 in Fig. 4, the user equipment negotiates the signaling-plane and data-plane encryption algorithms with the network-side devices respectively.
The encryption information is carried in the user attach request message or tracking area update request message sent by the user equipment to the network side; for example, referring to Fig. 4, the MME receives the attach request message carrying the user's encryption information sent by the user equipment.
The operation flow of each unit in the apparatus for implementing encryption negotiation between user equipment and the network side is essentially the same as the process described in the foregoing embodiments and is not repeated here.
An embodiment of the present invention further provides a communication system comprising user equipment, a signaling-plane network element on the network side and a user-plane network element on the network side, in which:
when the user equipment registers with the network and reports the user's encryption information, the user equipment and the signaling-plane network element on the network side negotiate the signaling-plane encryption algorithm from that encryption information;
when the user equipment and the network side establish a bearer and a message carrying the encryption information is sent to the network side, the user-plane network element determines the data-plane encryption algorithm between the user equipment and the network side from the user equipment's encryption information and the user-plane network element's own encryption information.
The user's encryption information is carried in the user attach request message or tracking area update request message sent by the user equipment to the network side.
The signaling-plane encryption algorithm is delivered to the user equipment, carried in the authentication request message sent by the network side to the user equipment.
The operation flow between the user equipment and the network-side signaling-plane and user-plane network elements in the communication system is essentially the same as the process described in the foregoing embodiments and is not repeated here.
The flows provided in the above embodiments of the present invention may differ from the flows actually adopted; such differences should not be regarded as limiting the present invention. In addition, the present invention uses the evolved network as an example to describe a specific implementation in which the encryption negotiation for the data plane and the signaling plane is handled separately; it can of course also be applied to other networks. Furthermore, to describe the present invention more clearly, it assumes that in the evolved network architecture the MME is one entity and the UPE and Inter AS Anchor are one entity, but this does not restrict other network architectures; for example, the MME, UPE and Inter AS Anchor may all be independent entities.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims

1. A method for implementing encryption negotiation between user equipment and a network side, characterized in that it comprises: when the user equipment registers with the network, the user equipment negotiates a signaling-plane encryption algorithm with the network side; when the user equipment and the network side establish a bearer, the user equipment negotiates a data-plane encryption algorithm with the network side.
2. The method of claim 1, characterized in that the step of the user equipment negotiating the signaling-plane encryption algorithm with the network side comprises:
the network side receiving the user's encryption information reported by the user equipment when it initiates registration;
the network side negotiating the signaling-plane encryption algorithm from the user's encryption information and delivering the signaling-plane encryption algorithm to the user equipment.
3. The method of claim 2, characterized in that the negotiation of the signaling-plane encryption algorithm between the user equipment and the network side is implemented by the following step:
the network side receives the message carrying the encryption information sent by the user equipment, and the signaling-plane network element on the network side authenticates the user equipment and determines the encryption algorithm between the user equipment and the signaling-plane network element from the encryption information.
4. The method of claim 1, characterized in that the negotiation of the data-plane encryption algorithm between the user equipment and the network side is implemented by the following step:
the network side receives the message carrying the encryption information sent by the user equipment and, when establishing the bearer, determines the encryption algorithm between the user equipment and the user-plane network element from the user equipment's encryption information and the user-plane network element's encryption information.
5. The method of claim 2 or 4, characterized in that the user's encryption information is carried in the user attach request message or tracking area update request message sent by the user equipment to the network side.
6. The method of claim 2, characterized in that the signaling-plane encryption algorithm is carried in the authentication request message sent by the network side to the user equipment.
7. The method of claim 1, characterized in that the step of the user equipment negotiating the data-plane encryption algorithm with the network side comprises:
a first network element on the network side reporting the user's encryption information to a second network element on the network side; the second network element on the network side negotiating the data-plane encryption algorithm from the user's encryption information and delivering the data-plane encryption algorithm to the user equipment.
8. The method of claim 7, characterized in that the user's encryption information is carried in the bearer setup request message sent by the first network element on the network side to the second network element on the network side.
9. The method of claim 7, characterized in that the user's encryption information is carried in the attach request message sent by the first network element on the network side to the second network element on the network side.
10. The method of claim 7, characterized in that the user's encryption information is carried in the tracking area update request message sent by the first network element on the network side to the second network element on the network side.
11. The method of claim 7, characterized in that the data-plane encryption information is carried in the authentication request message sent by the second network element on the network side to the user equipment.
12. The method of claim 7, characterized in that the user-plane encryption algorithm is carried in the bearer setup response message sent by the second network element on the network side to the first network element on the network side, and the first network element on the network side carries the user-plane encryption algorithm to the user equipment in the attach accept or tracking area update accept message.
13. The method of claim 1, characterized in that the step of the user equipment negotiating the user-plane encryption algorithm with the network side comprises:
a second network element on the network side reporting its encryption information to a first network element on the network side;
the first network element on the network side negotiating the user-plane encryption algorithm from the user's encryption information and the encryption information of the second network element on the network side, and delivering the user-plane encryption algorithm to the user equipment and to the second network element on the network side.
14. The method of claim 14, characterized in that the user-plane encryption information is carried in the bearer setup request message sent by the second network element on the network side to the first network element on the network side.
15. The method of claim 2, 3 or 5, characterized in that the user's encryption information comprises information on the encryption algorithms supported by the user equipment.
16. The method of any one of claims 2 to 15, characterized in that the encryption algorithm of the data-plane network element comprises the encryption algorithms supported by the user-plane network element.
17. The method of claims 8 to 15, characterized in that, in an evolved network, the first network element on the network side is an MME and the second network element on the network side is a UPE.
18. The method of claim 3 or 4, characterized in that, in an evolved network, the signaling-plane network element is an MME and the user-plane network element is a UPE.
19. An apparatus for implementing encryption negotiation between user equipment and a network side, characterized in that it comprises:
a receiving unit, which receives the encryption information sent by the user equipment;
a signaling-plane encryption processing unit, which determines the signaling-plane encryption algorithm negotiated between the user equipment and the network side; a data-plane encryption processing unit, configured to determine the data-plane encryption algorithm negotiated between the user equipment and the network side;
a sending unit, configured to send the signaling-plane and/or data-plane encryption algorithm to the user equipment; wherein, when the user equipment registers with the network, the signaling-plane encryption processing unit negotiates the signaling-plane encryption algorithm between the user equipment and the network side from the encryption information received by the receiving unit;
and when the user equipment and the network side establish a bearer, the data-plane encryption processing unit negotiates the data-plane encryption algorithm between the user equipment and the network side from the encryption information received by the receiving unit and the encryption information of the user-plane network element.
20. The apparatus of claim 19, characterized in that the encryption information is carried in the user attach request message or tracking area update request message sent by the user equipment to the network side.
21. A communication system comprising user equipment, a signaling-plane network element on the network side and a user-plane network element, characterized in that
when the user equipment registers with the network and reports the user's encryption information, the user equipment and the signaling-plane network element on the network side negotiate the signaling-plane encryption algorithm from that encryption information;
when the user equipment and the network side establish a bearer and a message carrying the encryption information is sent to the network side, the user-plane network element determines the data-plane encryption algorithm between the user equipment and the network side from the user equipment's encryption information and the user-plane network element's own encryption information.
22. The system of claim 21, characterized in that the user's encryption information is carried in the user attach request message or tracking area update request message sent by the user equipment to the network side.
23. The system of claim 21, characterized in that the signaling-plane encryption algorithm is delivered to the user equipment, carried in the authentication request message sent by the network side to the user equipment.
PCT/CN2007/001254 2006-04-30 2007-04-17 A method, device and system of negotiating the encrypting algorithm between the user equipment and the network WO2007124671A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200610060555 CN101064921B (en) 2006-04-30 2006-04-30 Method for realizing encrypted negotiation for user equipment and network side
CN200610060555.0 2006-04-30

Publications (1)

Publication Number Publication Date
WO2007124671A1 true WO2007124671A1 (en) 2007-11-08

Family

ID=38655063

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001254 WO2007124671A1 (en) 2006-04-30 2007-04-17 A method, device and system of negotiating the encrypting algorithm between the user equipment and the network

Country Status (2)

Country Link
CN (1) CN101064921B (en)
WO (1) WO2007124671A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101494538B (en) * 2008-01-23 2014-04-02 华为技术有限公司 Data transmission control method and communication system and encipher control network element
CN102780558A (en) * 2012-04-28 2012-11-14 华为终端有限公司 Data encryption and transmission method, algorithm distribution method, equipment and system
WO2018201506A1 (en) * 2017-05-05 2018-11-08 华为技术有限公司 Communication method and related device
CN109699049B (en) * 2017-10-24 2022-03-08 成都鼎桥通信技术有限公司 Method and device for determining user plane protocol stack type

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426200A (en) * 2002-11-06 2003-06-25 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network and secrete data communication method in radio link
CN1491002A (en) * 2002-10-15 2004-04-21 宽联(上海)通信软件有限公司 IP video frequency terminal apparatus and interaction of signalling network
US20050149732A1 (en) * 2004-01-07 2005-07-07 Microsoft Corporation Use of static Diffie-Hellman key with IPSec for authentication
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
US6975729B1 (en) * 2000-08-15 2005-12-13 Sun Microsystems, Inc. Method and apparatus for facilitating use of a pre-shared secret key with identity hiding
CN1722689A (en) * 2005-06-21 2006-01-18 中兴通讯股份有限公司 A protection method for access security of IP multimedia subsystem

Also Published As

Publication number Publication date
CN101064921A (en) 2007-10-31
CN101064921B (en) 2011-12-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07720827; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07720827; Country of ref document: EP; Kind code of ref document: A1)