WO2007124671A1 - Method, device and system for negotiating the encryption algorithm between the user equipment and the network - Google Patents

Info

Publication number: WO2007124671A1
Application number: PCT/CN2007/001254
Authority: WO (WIPO, PCT)
Other languages: English (en), Chinese (zh)
Inventor: Wenfu Wu
Original assignee: Huawei Technologies Co., Ltd.
Prior art keywords: user, network side, user equipment, network, encryption algorithm

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Such mechanisms using challenge-response

Definitions

  • The invention belongs to the field of mobile communications and in particular relates to a method, device and system for negotiating the data encryption used between a user equipment and the network side.
  • Background art
  • FIG. 1 shows the network architecture of an evolved packet core network. It includes a Mobility Management Entity (MME), a User Plane Entity (UPE) and an Inter Access System Anchor (Inter AS Anchor), the user plane anchor between different access systems.
  • The MME is responsible for control plane mobility management, including user context and mobility state management and the allocation of the user's temporary identity; it corresponds to the control plane part of the Serving GPRS Support Node (SGSN) in the current General Packet Radio Service (GPRS) / Universal Mobile Telecommunications System (UMTS) network.
  • The UPE handles user plane functions such as the user's IP (Internet Protocol) information and corresponds to the data plane part of the SGSN and the Gateway GPRS Support Node (GGSN) in the current GPRS/UMTS system. The Inter AS Anchor acts as the user plane anchor between different access systems.
  • The Policy and Charging Rule Function (PCRF) makes policy control decisions and controls flow-based charging. The Home Subscriber Server (HSS) stores user subscription information. The network entities are connected through the corresponding interfaces.
  • The user equipment (UE) registers with the network through the MME (mobility management, MM), after which a data bearer is established between the UE and the user plane anchor to carry data services.
  • FIG. 2 shows the user attach procedure specified in the existing protocol:
  • The UE selects the access system and network (Network Discovery and Access System Selection);
  • The UE sends an attach request message (Attach Request) to the MME;
  • The MME requests the user information from the old MME (Send old registration information), and the old MME returns the user information to the MME;
  • The MME authenticates the UE;
  • The MME registers with the HSS (Register MME/UPE);
  • The old MME deletes the user information (Delete UE registration information);
  • The HSS confirms the registration of the MME (Confirm Registration);
  • The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • The QoS (Quality of Service) of the default IP bearer is configured;
  • The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identifier to the UE;
  • The UE confirms the attach (Attach Confirm).
  • FIG. 3 shows the user activation procedure specified in the existing protocol:
  • The UE sends an activation request message to the MME;
  • The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • The UPE/Inter AS Anchor performs IP layer configuration with the IP address assigned to the UE, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration);
  • The MME sends an activation accept message to the UE.
  • Messages transmitted between the UE and the network side need to be encrypted. In the GPRS system, message encryption is performed between the UE and the SGSN; in the UMTS system, it is performed between the UE and the Radio Network Controller (RNC). In both systems signaling encryption and data encryption are performed on the same network-side entity.
  • In the evolved network, the existing protocol performs encryption of non-access stratum (NAS) signaling between the UE and the logical functional entity MME, and encryption of the user plane between the UE and the logical functional entity UPE.
  • The inventor has found that, because signaling plane encryption and user plane encryption are processed on different logical functional entities in the evolved packet core, an inconsistency between the MME and the UPE has to be dealt with: if the MME and UPE logical functional entities are not implemented in the same network element, the encryption algorithm capabilities they support may differ, and the signaling plane and the user plane then cannot use the same encryption algorithm but must be handled separately.
  • The existing protocol only lays down the principle of encryption processing in the evolved network; it specifies no detailed scheme for performing signaling plane and data plane encryption separately, and therefore lacks implementability and operability.
  • Summary of the invention
  • The embodiments of the invention provide a method, a device and a system for encryption negotiation between a user equipment and the network side, so that signaling plane encryption and user plane encryption can be negotiated separately.
  • The method includes: when the user equipment registers with the network, the user equipment negotiates a signaling plane encryption algorithm with the network side; when the user equipment and the network side establish a bearer, the user equipment negotiates a data plane encryption algorithm with the network side.
  • The device, located on the network side, includes: a receiving unit that receives the encryption information sent by the user equipment; a signaling plane encryption processing unit that determines the signaling plane encryption algorithm negotiated between the user equipment and the network side; a data plane encryption processing unit that determines the data plane encryption algorithm negotiated between the user equipment and the network side; and a sending unit that sends the determined signaling plane and/or data plane encryption algorithm to the user equipment. When the user equipment registers with the network, the signaling plane encryption processing unit negotiates the signaling plane encryption algorithm according to the encryption information received by the receiving unit; the data plane encryption processing unit negotiates the data plane encryption algorithm according to the encryption information received by the receiving unit and the encryption information of the user plane network element.
  • The communication system includes a user equipment, a signaling plane network element on the network side and a user plane network element. When the user equipment registers with the network it reports its encryption information, and the user equipment and the signaling plane network element negotiate a signaling plane encryption algorithm according to that information; when the user equipment and the network side establish a bearer, a message carrying the encryption information is transmitted to the user plane network element, which determines the data plane encryption algorithm between the user equipment and the network side according to the encryption information of the user equipment and its own encryption information.
  • In the embodiments, signaling plane encryption negotiation and data plane encryption negotiation are processed separately: when the user equipment registers, the UE and the network side signaling plane network element (the MME of the evolved network, for example) negotiate the signaling plane encryption algorithm; when a bearer is set up between the UE and the network side, the UE and the network side data plane network element (the user plane entity UPE of the evolved network, for example) negotiate the data plane encryption algorithm. Negotiating the data plane and the signaling plane separately ensures that encryption between the UE and the core network still works after the MME and the UPE are separated, and is easy to implement and operate.
  • FIG. 1 is a network architecture diagram of an evolved packet core network in the prior art;
  • FIG. 2 is a flowchart of the user attach procedure specified in the existing protocol;
  • FIG. 3 is a flowchart of the user activation procedure specified in the existing protocol;
  • FIG. 4 is a flowchart of user attachment in an embodiment of the present invention;
  • FIG. 5 is a flowchart of user attachment in another embodiment of the present invention;
  • FIG. 6 is a flowchart of user attachment in a further embodiment of the present invention;
  • FIG. 7 is a flowchart of a tracking area update in an embodiment of the present invention;
  • FIG. 8 is a flowchart of a tracking area update in another embodiment of the present invention;
  • FIG. 9 is a flowchart of user activation in an embodiment of the present invention;
  • FIG. 10 is a flowchart of user activation in another embodiment of the present invention;
  • FIG. 11 is a flowchart of network side activation in an embodiment of the present invention.
  • FIG. 4 shows the user attach procedure in an embodiment of the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE selects an access system and a network;
  • The UE sends an attach request message (Attach Request) to the MME. The request carries the user's encryption information, for example the encryption algorithms supported by the UE; here the user's encryption information is carried in the MS network capability information element (IE) of the attach request as an example. The example structure is as follows:
  • The MME requests the user information from the old MME (Send old registration information), and the old MME returns the user information to the MME;
  • The MME authenticates the UE, and during authentication the UE and the MME negotiate the signaling plane encryption algorithm used for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE carrying the signaling plane encryption algorithm it selected according to the user's encryption information; the example structure of an authentication request message carrying the signaling plane encryption algorithm is as follows: (2) the UE saves the encryption algorithm selected by the MME and carried in the authentication request, and returns an authentication response to the MME;
  • The MME registers with the HSS (Register MME/UPE);
  • The HSS confirms the registration of the MME (Confirm Registration);
  • The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • The MME sends a bearer setup request message (Create Bearer Request) to the UPE/Inter AS Anchor carrying the user's encryption information, for example the encryption algorithms supported by the UE. The example structure is as follows:
  • The UPE sends an authentication request to the UE carrying the user plane encryption algorithm it selected according to the user's encryption information. The example structure of an authentication request message carrying the user plane encryption algorithm is as follows:
  • The UE saves the data plane encryption algorithm selected by the UPE and carried in the authentication request, and returns an authentication response to the UPE;
  • The UPE returns a bearer setup response message (Create Bearer Response) to the MME;
  • The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identifier to the UE;
  • The UE confirms the attach (Attach Confirm).
  • FIG. 5 shows a second user attach procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE selects the access system and network (Network Discovery and Access System Selection);
  • The UE sends an attach request message (Attach Request) to the MME. The request carries the user's encryption information, for example the encryption algorithms supported by the UE; here the user's encryption information is carried in the MS network capability IE of the attach request as an example. The example structure is as follows:
  • The MME authenticates the UE, and during authentication the UE and the MME negotiate the signaling plane encryption algorithm used for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE carrying the signaling plane encryption algorithm it selected according to the user's encryption information; the example structure of an authentication request message carrying the signaling plane encryption algorithm is as follows: (2) the UE saves the encryption algorithm selected by the MME and carried in the authentication request, and returns an authentication response to the MME;
  • The MME registers with the HSS, and the HSS confirms the registration of the MME (Confirm Registration);
  • The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • The MME sends a bearer setup request message (Create Bearer Request) to the UPE/Inter AS Anchor carrying the user's encryption information, for example the encryption algorithms supported by the UE; here it is carried in the MS network capability IE of the bearer setup request. The example structure is as follows:
  • The UPE selects the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and returns a bearer setup response message (Create Bearer Response) to the MME carrying the selected user plane encryption algorithm. The example structure of a bearer setup response message carrying the user plane encryption algorithm is as follows:
  • The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identifier to the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, which is used for user plane encryption between the UE and the UPE from then on;
  • The UE confirms the attach (Attach Confirm).
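  • The attach-time negotiation of FIG. 4 and FIG. 5 as an added, runnable model. This is example code written for this page, not the patent's own material: the UE packs its supported algorithms into a one-octet bitmap standing in for the MS network capability IE, the MME picks the signaling plane algorithm from its own preference list, relays the capability unchanged to the UPE in the Create Bearer Request, and the UPE picks the user plane algorithm from a different list and returns it in the Create Bearer Response, as in FIG. 5. The algorithm names, the bitmap layout, the dictionary messages, the "Create Bearer Reject" and "Attach Reject" messages and the first-common-entry selection rule are all assumptions of this example; the page gives neither the IE tables nor a selection rule.

```python
"""Model of the separate NAS / user-plane cipher negotiation of FIG. 4 and FIG. 5.

Everything below (algorithm names, IE layout, message dicts, reject messages,
selection rule) is constructed for illustration and is not taken from the patent.
"""

ALGORITHMS = ("NULL", "ALG_A", "ALG_B", "ALG_C")  # constructed identifiers


def encode_capability(supported):
    """Pack the UE's supported algorithms into one octet, bit i <-> ALGORITHMS[i].
    A simplified stand-in for the MS network capability IE the page refers to."""
    bits = 0
    for name in supported:
        bits |= 1 << ALGORITHMS.index(name)
    return bytes([bits])


def decode_capability(octet):
    """Inverse of encode_capability: the set of algorithms the UE offered."""
    bits = octet[0]
    return frozenset(name for i, name in enumerate(ALGORITHMS) if bits >> i & 1)


def select_algorithm(offered, priority):
    """A network element's choice: the first entry of its own ordered preference
    list that the UE also offers, or None when there is no common algorithm."""
    return next((name for name in priority if name in offered), None)


def upe_handle_create_bearer(request, upe_priority):
    """UPE side of FIG. 5: pick the user plane algorithm from the UE capability
    relayed by the MME and the UPE's own list; answer with Create Bearer Response."""
    offered = decode_capability(request["ms_network_capability"])
    up_alg = select_algorithm(offered, upe_priority)
    if up_alg is None:
        return {"msg": "Create Bearer Reject"}  # hypothetical failure message
    return {"msg": "Create Bearer Response", "up_algorithm": up_alg}


def mme_handle_attach(attach_request, mme_priority, upe_priority):
    """MME side of FIG. 5: negotiate the NAS (signaling plane) algorithm itself,
    relay the UE capability to the UPE for the user plane choice, and build the
    Attach Accept carrying the UPE's choice (or reject when a plane has no
    common algorithm)."""
    capability = attach_request["ms_network_capability"]
    offered = decode_capability(capability)

    # Signaling plane: chosen by the MME, carried in the Authentication Request.
    nas_alg = select_algorithm(offered, mme_priority)
    if nas_alg is None:
        return {"msg": "Attach Reject", "cause": "no common NAS encryption algorithm"}
    auth_request = {"msg": "Authentication Request", "nas_algorithm": nas_alg}

    # User plane: the Create Bearer Request carries the UE capability unchanged;
    # the UPE decides from its *own* list, which may differ from the MME's.
    bearer_resp = upe_handle_create_bearer(
        {"msg": "Create Bearer Request", "ms_network_capability": capability}, upe_priority)
    if bearer_resp["msg"] != "Create Bearer Response":
        return {"msg": "Attach Reject", "cause": "no common user-plane encryption algorithm"}

    return {"msg": "Attach Accept", "auth_request": auth_request,
            "up_algorithm": bearer_resp["up_algorithm"]}


def ue_attach(supported, mme_priority, upe_priority):
    """UE side: send the Attach Request, then keep the two negotiated algorithms
    separately. Returns None when the network rejected the attach, and raises if
    the network named an algorithm the UE never offered (a check the page does
    not describe; added here as the minimum a UE should do)."""
    request = {"msg": "Attach Request",
               "ms_network_capability": encode_capability(supported)}
    answer = mme_handle_attach(request, mme_priority, upe_priority)
    if answer["msg"] != "Attach Accept":
        return None
    nas_alg = answer["auth_request"]["nas_algorithm"]
    up_alg = answer["up_algorithm"]
    if nas_alg not in supported or up_alg not in supported:
        raise ValueError("network selected an algorithm the UE did not offer")
    return {"nas": nas_alg, "user_plane": up_alg}


if __name__ == "__main__":
    # The case motivating the patent: MME and UPE on different network elements
    # with different algorithm sets, so each plane ends up with its own choice.
    print(ue_attach(("NULL", "ALG_A", "ALG_B"),
                    mme_priority=("ALG_B", "ALG_A", "NULL"),
                    upe_priority=("ALG_C", "ALG_A", "NULL")))
```

  • Running the block prints {'nas': 'ALG_B', 'user_plane': 'ALG_A'}: the two planes end up with different algorithms because the MME and the UPE hold different lists, which is the MME/UPE inconsistency the background section describes. One caveat the page does not address: nothing in the modelled exchange protects the capability IE or the selected algorithm in transit, so a party rewriting the Attach Request could strip the stronger algorithms from the bitmap and steer both planes towards NULL. The UE-side check in ue_attach only catches a choice outside the offered set; a deployment would additionally need the offered set and the network's choice bound under the keys established by the authentication that the flows already contain.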
  • FIG. 6 shows a third user attach procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE selects an access system and a network;
  • The UE sends an attach request message (Attach Request) to the MME. The request carries the user's encryption information, for example the encryption algorithms supported by the UE; here the user's encryption information is carried in the MS network capability IE of the attach request as an example. The example structure is as follows:
  • The MME authenticates the UE, and during authentication the UE and the MME negotiate the signaling plane encryption algorithm used for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE carrying the signaling plane encryption algorithm it selected according to the user's encryption information; the example structure of an authentication request message carrying the signaling plane encryption algorithm is as follows: (2) the UE saves the encryption algorithm selected by the MME and carried in the authentication request, and returns an authentication response to the MME;
  • The HSS confirms the registration of the MME (Confirm Registration);
  • The MME selects a UPE/Inter AS Anchor (Selection of Intersystem Mobility Anchor GW);
  • The MME forwards the user's attach request message to the UPE/Inter AS Anchor;
  • The QoS of the default IP access bearer between the UPE/IASA (Inter AS Anchor) and the evolved RAN is configured (Configure IP Bearer QoS);
  • The UPE selects the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and then sends an attach accept message (Attach Accept) to the MME carrying the selected user plane encryption algorithm. The example structure of the message carrying the user plane encryption algorithm is as follows:
  • The MME sends an attach accept message (Attach Accept) to the UE and allocates a temporary identifier to the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, which is used for user plane encryption between the UE and the UPE from then on;
  • The UE confirms the attach (Attach Confirm).
  • FIG. 7 shows a first tracking area update procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE sends a tracking area update request (TAU Request) to the MME. The message carries the user's encryption information, for example the encryption algorithms supported by the UE. The example structure of a tracking area update request message carrying the user's encryption information is as follows:
  • The MME authenticates the UE, and during authentication the UE and the MME negotiate the signaling plane encryption algorithm used for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE carrying the signaling plane encryption algorithm it selected according to the user's encryption information; the example structure of an authentication request message carrying the signaling plane encryption algorithm is as follows: (2) the UE saves the encryption algorithm selected by the MME and carried in the authentication request, and returns an authentication response to the MME;
  • The MME selects a UPE (Selection of UPE);
  • The MME sends a bearer setup request message (Create Bearer Request) to the UPE carrying the user's encryption information, for example the encryption algorithms supported by the UE; here it is carried in the MS network capability IE of the bearer setup request as an example. The example structure is as follows:
  • The UPE selects the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and returns a bearer setup response message (Create Bearer Response) to the MME carrying the selected user plane encryption algorithm. The example structure of a bearer setup response message carrying the user plane encryption algorithm is as follows:
  • The MME sends a tracking area update accept message (TAU Accept) to the UE and allocates a temporary identifier to the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, which is used for user plane encryption between the UE and the UPE from then on;
  • The UE confirms that the tracking area update succeeded (TAU Confirm).
  • FIG. 8 shows a second tracking area update procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE sends a tracking area update request (TAU Request) to the MME. The request carries the user's encryption information, for example the encryption algorithms supported by the UE. The example structure of a tracking area update request message carrying the user's encryption information is as follows:
  • The MME authenticates the UE, and during authentication the UE and the MME negotiate the signaling plane encryption algorithm used for signaling encryption between the UE and the MME: (1) the MME sends an authentication request to the UE carrying the signaling plane encryption algorithm it selected according to the user's encryption information; the example structure of an authentication request message carrying the signaling plane encryption algorithm is as follows: (2) the UE saves the encryption algorithm selected by the MME and carried in the authentication request, and returns an authentication response to the MME;
  • The MME selects a UPE (Selection of UPE);
  • The MME forwards the tracking area update request message (TAU Request) to the UPE;
  • The QoS of the default IP access bearer between the UPE and the evolved RAN is configured (Configure IP Bearer QoS);
  • The UPE selects the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and returns a tracking area update accept message (TAU Accept) to the MME carrying the selected user plane encryption algorithm. The example structure of the message carrying the user plane encryption algorithm is as follows:
  • The MME sends a tracking area update accept message (TAU Accept) to the UE and allocates a temporary identifier to the UE. The message carries the user plane encryption algorithm negotiated between the UE and the UPE, which is used for user plane encryption between the UE and the UPE from then on;
  • The UE confirms that the tracking area update succeeded (TAU Confirm).
  • FIG. 9 shows a first user activation procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE sends an activation request message to the MME;
  • The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • The UPE/Inter AS Anchor performs IP layer configuration with the IP address assigned to the UE, and the user plane between the UE and the UPE/Inter AS Anchor is established (User Plane Route Configuration);
  • The MME sends a bearer setup request message (Create Bearer Request) to the UPE/Inter AS Anchor carrying the user's encryption information, for example the encryption algorithms supported by the UE; here it is carried in the MS network capability IE of the bearer setup request as an example. The example structure is as follows:
  • The UPE sends an authentication request to the UE carrying the user plane encryption algorithm it selected according to the encryption algorithms supported by the UE. The example structure of an authentication request message carrying the user plane encryption algorithm is as follows:
  • The UE saves the data plane encryption algorithm selected by the UPE and returns an authentication response to the UPE. Data encryption between the UE and the UPE uses the negotiated algorithm from then on;
  • The MME sends an activation accept message to the UE.
  • FIG. 10 shows a second user activation procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UE sends an activation request message to the MME;
  • The MME selects a UPE/Inter AS Anchor (Selection of UPE/Intersystem Mobility Anchor GW);
  • The MME sends a bearer setup request message (Create Bearer Request) to the UPE carrying the user's encryption information, for example the encryption algorithms supported by the UE; here it is carried in the MS network capability IE of the bearer setup request as an example. The example structure is as follows:
  • The UPE selects the user plane encryption algorithm to be used between the UE and the UPE according to the user's encryption information and its own encryption information, and returns a bearer setup response message (Create Bearer Response) to the MME carrying the selected user plane encryption algorithm. The example structure of a bearer setup response message carrying the user plane encryption algorithm is as follows:
  • The QoS of the default IP access bearer between the MME and the evolved RAN is configured (Configure IP Bearer QoS);
  • The MME sends an activation accept message to the UE carrying the negotiated user plane encryption algorithm, which is used for user plane encryption between the UE and the UPE from then on.
  • FIG. 11 shows a network side activation procedure provided by the present invention. For convenience of description only the parts related to the invention are shown:
  • The UPE/IASA sends a bearer setup request message (Create Bearer Request) to the MME. The message carries the encryption information of the UPE, for example the encryption algorithms it supports; here it is carried in the network capability IE of the bearer setup request as an example. The example structure is as follows:
  • The MME selects the user plane encryption algorithm to be used between the UE and the UPE according to the encryption information of the UE and the encryption information of the UPE (the UE sent its own encryption information to the MME when it registered with the MME, i.e. in the attach procedure, which is not described again here);
  • The MME sends a bearer request message (Bearer Request) to the Evolved RAN carrying the user plane encryption algorithm negotiated between the UE and the UPE. The example structure of a bearer request message carrying the user plane encryption algorithm is as follows:
  • The Evolved RAN sends a bearer request message (Bearer Request) to the UE carrying the user plane encryption algorithm to be used between the UE and the UPE;
  • The UE returns a bearer response message (Bearer Response) to the Evolved RAN;
  • The Evolved RAN returns a bearer response message (Bearer Response) to the MME;
  • The MME sends a bearer setup response message (Create Bearer Response) to the UPE carrying the user plane encryption algorithm negotiated for use between the UE and the UPE.
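  • The network side activation of FIG. 11 as an added example, written for this page and not taken from the patent. Here the MME, not the UPE, makes the user plane choice: it combines the capability it stored from the UE's attach request with the UPE's capability carried in the Create Bearer Request, pushes the result down through the Evolved RAN, and answers the UPE only after the UE has confirmed. Assumed rather than given by the page: the algorithm names and dictionary messages, the "Create Bearer Reject" message, the UE's refusal branch, the stored-context bookkeeping, and the rule that the MME walks the UPE's list in the UPE's preference order.

```python
"""Model of the network-initiated bearer setup of FIG. 11.

Names, messages, the reject/refusal branches and the selection rule are
constructed for illustration; none of them are specified by the patent.
"""


class UE:
    """UE side of FIG. 11: it only accepts or refuses the algorithm the network
    pushes down in the Bearer Request, having sent its capability at attach time."""

    def __init__(self, supported):
        self.supported = frozenset(supported)
        self.up_alg = None

    def bearer_request(self, msg):
        alg = msg["up_algorithm"]
        if alg not in self.supported:
            # Hypothetical refusal; the page does not describe this branch.
            return {"msg": "Bearer Response", "cause": "algorithm not supported"}
        self.up_alg = alg
        return {"msg": "Bearer Response", "up_algorithm": alg}


class EvolvedRAN:
    """Relays Bearer Request / Bearer Response between MME and UE unchanged."""

    def __init__(self, ues):
        self.ues = ues

    def bearer_request(self, ue_id, msg):
        return self.ues[ue_id].bearer_request(msg)


class MME:
    def __init__(self):
        self.ue_contexts = {}  # per-UE state built during attach (FIG. 4 to FIG. 6)

    def store_attach_capability(self, ue_id, offered):
        """The UE's encryption information arrives in the Attach Request and is
        kept in the UE context for later use, as the page notes for FIG. 11."""
        self.ue_contexts[ue_id] = {"offered": frozenset(offered)}

    def handle_network_activation(self, ue_id, create_bearer_request, ran):
        """FIG. 11: Create Bearer Request from the UPE carrying the UPE's
        capability; the MME selects, pushes the choice to the UE via the
        Evolved RAN, and answers the UPE only after the UE confirmed."""
        ctx = self.ue_contexts.get(ue_id)
        if ctx is None:
            return {"msg": "Create Bearer Reject", "cause": "no UE context"}
        # Assumption: the UPE's list is ordered by its preference and the MME
        # honours that order, since the UPE is the element that will cipher.
        upe_priority = create_bearer_request["upe_network_capability"]
        up_alg = next((a for a in upe_priority if a in ctx["offered"]), None)
        if up_alg is None:
            return {"msg": "Create Bearer Reject", "cause": "no common user-plane algorithm"}
        reply = ran.bearer_request(ue_id, {"msg": "Bearer Request", "up_algorithm": up_alg})
        if reply.get("up_algorithm") != up_alg:
            # e.g. stale context: the stored capability no longer matches the UE.
            return {"msg": "Create Bearer Reject", "cause": "UE did not confirm algorithm"}
        ctx["up_alg"] = up_alg
        return {"msg": "Create Bearer Response", "up_algorithm": up_alg}


def run_scenario(ue_supported, upe_priority, stored=None, attached=True):
    """Wire one UE, one MME and one RAN together and run a network-initiated
    activation. `stored` lets a caller give the MME a stale capability set;
    `attached=False` models a UE the MME holds no context for."""
    ue = UE(ue_supported)
    mme = MME()
    ran = EvolvedRAN({"ue1": ue})
    if attached:
        mme.store_attach_capability("ue1", stored if stored is not None else ue_supported)
    request = {"msg": "Create Bearer Request",
               "upe_network_capability": tuple(upe_priority)}
    return mme.handle_network_activation("ue1", request, ran), ue.up_alg


if __name__ == "__main__":
    print(run_scenario(("NULL", "ALG_A", "ALG_B"), ("ALG_C", "ALG_B", "NULL")))
```

  • The stale-context case (run_scenario with a `stored` set that differs from what the UE really supports) is the failure mode specific to this flow: because the MME decides from remembered information rather than from a fresh capability exchange, an out-of-date context can name an algorithm the UE no longer offers, and the only point where that is caught is the UE's Bearer Response, which is why the model withholds the Create Bearer Response to the UPE until that confirmation arrives.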
  • An embodiment of the present invention provides a device for encryption negotiation between a user equipment and the network side. The device is located on the network side and includes a receiving unit, a signaling plane encryption processing unit, a data plane encryption processing unit and a sending unit. The functional units of the device may be distributed over different network element entities: the signaling plane encryption processing unit and the data plane encryption processing unit are located on the signaling plane network element and the user plane network element respectively. In the evolved network, the signaling plane network element is the MME and the user plane network element is the UPE.
  • The receiving unit receives the encryption information sent by the user equipment;
  • The signaling plane encryption processing unit determines the signaling plane encryption algorithm negotiated between the user equipment and the network side;
  • The data plane encryption processing unit determines the data plane encryption algorithm negotiated between the user equipment and the network side;
  • The sending unit sends the determined signaling plane and/or data plane encryption algorithm to the user equipment.
  • When the user equipment registers with the network, the signaling plane encryption processing unit negotiates the signaling plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit; the data plane encryption processing unit negotiates the data plane encryption algorithm between the user equipment and the network side according to the encryption information received by the receiving unit and the encryption information of the user plane network element. As shown in step 3 and step 7 of FIG. 4, the user equipment negotiates the encryption algorithm of the signaling plane and that of the data plane with the network side devices separately.
  • The encryption information is carried in the user attach request message or the tracking area update request message sent by the user equipment to the network side; for example, the MME receives an attach request message sent by the user equipment that carries the user's encryption information.
  • a communication system is further provided in the embodiment of the present invention, including: a user equipment, a signaling plane network element on the network side, and a user plane network element.
  • the user equipment When the user equipment registers with the network and reports the encrypted information of the user, the user equipment and the signaling plane network element on the network side negotiate a signaling plane encryption algorithm according to the encrypted information;
  • the user equipment and the network side establish and transmit a message carrying the encrypted information to the network side
  • the user plane network element determines the data plane of the user equipment and the network side according to the encryption information of the user equipment and the encryption information of the user plane network element. Encryption Algorithm.
  • the encrypted information of the user is carried in a user attach request message or a tracking area update request message sent by the user equipment to the network side.
  • the signaling plane encryption algorithm is sent to the user equipment, and the signaling plane encryption algorithm is carried in an authentication request message sent by the network side to the user equipment.
  • the operation procedure between the user equipment and the network side signaling plane network element and the user plane network element in the communication system is basically the same as that described in the foregoing embodiment, and details are not described herein again.
  • the present invention describes an implementation of the encryption and negotiation separate processing of the data plane and the signaling plane by using an evolved network as an example, and can of course be applied to Other networks.
  • the present invention assumes that the MME is an entity in the evolved network architecture, and the UPE and the Inter AS Anchor are one entity, but do not limit other network architectures, such as MME/UPE/Inter AS Anchor. As an independent entity.
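The two-step negotiation described above (signaling plane algorithm fixed by the MME from the attach request, data plane algorithm fixed by the UPE from the user equipment's information plus its own at service establishment), as an added Python illustration that is not part of the patent: algorithm names, preference orders and message shapes are constructed, and the MME-held context the UPE reads the user equipment's encryption information from is an assumption the text does not spell out.

```python
# Constructed capability lists, ordered by network-side preference (first = best).
MME_SIGNALING_PREFERENCE = ["ALG_STRONG", "ALG_LEGACY", "ALG_NULL"]
UPE_DATA_PREFERENCE = ["ALG_STRONG", "ALG_LEGACY"]  # hypothetical UPE that refuses the null cipher


class NegotiationError(Exception):
    """UE and network side share no acceptable algorithm."""


def select_algorithm(network_preference, ue_supported):
    """Return the first network-preferred algorithm the UE also supports."""
    for alg in network_preference:
        if alg in ue_supported:
            return alg
    raise NegotiationError(f"no common algorithm with UE set {sorted(ue_supported)}")


def mme_handle_attach(attach_request, ue_contexts, preference=MME_SIGNALING_PREFERENCE):
    """Signaling-plane step: the MME reads the encryption information from the
    attach (or tracking-area-update) request, fixes the signaling-plane algorithm
    and returns the authentication request carrying it. The UE's encryption
    information is kept in its context for the later service setup (assumption)."""
    ue_caps = frozenset(attach_request["encryption_info"])
    chosen = select_algorithm(preference, ue_caps)
    ue_contexts[attach_request["ue_id"]] = {"encryption_info": ue_caps, "signaling_alg": chosen}
    return {"msg": "AUTHENTICATION_REQUEST", "signaling_alg": chosen}


def upe_handle_bearer_setup(ue_id, ue_contexts, preference=UPE_DATA_PREFERENCE):
    """Data-plane step: at service establishment the UPE combines the UE's
    encryption information (from the MME-held context) with its own capability
    list and returns the data-plane algorithm to be sent to the UE."""
    ue_caps = ue_contexts[ue_id]["encryption_info"]
    chosen = select_algorithm(preference, ue_caps)
    ue_contexts[ue_id]["data_alg"] = chosen
    return {"msg": "BEARER_SETUP_ACCEPT", "data_alg": chosen}


def run_negotiation(ue_id, ue_encryption_info):
    """Drive both steps for one UE; return (signaling_alg, data_alg)."""
    contexts = {}
    auth = mme_handle_attach({"ue_id": ue_id, "encryption_info": ue_encryption_info}, contexts)
    bearer = upe_handle_bearer_setup(ue_id, contexts)
    return auth["signaling_alg"], bearer["data_alg"]


if __name__ == "__main__":
    # Constructed sample: a UE lacking ALG_STRONG gets ALG_LEGACY on both planes;
    # a UE offering only the null cipher attaches but is refused a data-plane service.
    print(run_negotiation("ue-1", ["ALG_LEGACY", "ALG_NULL"]))
    try:
        run_negotiation("ue-2", ["ALG_NULL"])
    except NegotiationError as err:
        print("service setup refused:", err)
```

Because the two planes are decided by different network elements with their own preference lists, the same user equipment can legitimately end up with different algorithms on each plane, which is the separation the embodiment is built around.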

Abstract

The present invention relates to a method for negotiating the encryption algorithm between a user equipment and the network, and to the corresponding device and system. At registration, the user equipment negotiates the signaling plane encryption algorithm with the network; the data plane encryption algorithm is negotiated between the user equipment and the network when traffic is established. The negotiation of the data plane and of the signaling plane can thus be separated, so that encryption between the user equipment and the core network can still be handled correctly after the mobility management entity (MME) and the user plane entity (UPE) are split.
PCT/CN2007/001254 2006-04-30 2007-04-17 Method, device and system for negotiating the encryption algorithm between user equipment and network WO2007124671A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200610060555 CN101064921B (zh) 2006-04-30 2006-04-30 A method for implementing encryption negotiation between user equipment and the network side
CN200610060555.0 2006-04-30

Publications (1)

Publication Number Publication Date
WO2007124671A1 true WO2007124671A1 (fr) 2007-11-08

Family

ID=38655063

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/001254 WO2007124671A1 (fr) 2006-04-30 2007-04-17 Method, device and system for negotiating the encryption algorithm between user equipment and network

Country Status (2)

Country Link
CN (1) CN101064921B (fr)
WO (1) WO2007124671A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101494538B (zh) * 2008-01-23 2014-04-02 Huawei Technologies Co., Ltd. Data transmission control method, communication system and encryption control network element
CN102780558A (zh) * 2012-04-28 2012-11-14 Huawei Device Co., Ltd. Data encryption and transmission method, algorithm allocation method, device and system
WO2018201506A1 (fr) 2017-05-05 2018-11-08 Huawei Technologies Co., Ltd. Communication method and related device
CN109699049B (zh) * 2017-10-24 2022-03-08 Chengdu TD Tech Ltd. Method and apparatus for determining user plane protocol stack type

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426200A (zh) * 2002-11-06 2003-06-25 China IWNCOMM Co., Ltd. Secure access of wireless LAN mobile terminals and data-confidential communication method over the wireless link
CN1491002A (zh) * 2002-10-15 2004-04-21 Kuanlian (Shanghai) Communication Software Co., Ltd. Interaction between IP video terminal equipment and the signaling network
US20050149732A1 (en) * 2004-01-07 2005-07-07 Microsoft Corporation Use of static Diffie-Hellman key with IPSec for authentication
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
US6975729B1 (en) * 2000-08-15 2005-12-13 Sun Microsystems, Inc. Method and apparatus for facilitating use of a pre-shared secret key with identity hiding
CN1722689A (zh) * 2005-06-21 2006-01-18 ZTE Corporation A protection method for IP multimedia subsystem access security

Also Published As

Publication number Publication date
CN101064921B (zh) 2011-12-21
CN101064921A (zh) 2007-10-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07720827; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07720827; Country of ref document: EP; Kind code of ref document: A1)