WO2009039782A1 - A mobile node apparatus, a method for realizing media independent handover and the system thereof - Google Patents

Info

Publication number
WO2009039782A1
Authority
WO
WIPO (PCT)
Prior art keywords
shared key
service
mobile node
protected
request message
Application number
PCT/CN2008/072435
Other languages
French (fr)
Chinese (zh)
Inventor
Guohui Zou
Bin Xia
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009039782A1
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/005 Control or signalling for completing the hand-off involving radio access media independent information, e.g. MIH [Media independent Hand-off]

Definitions

  • Mobile node device, and method and system for implementing media independent handover
  • The present invention relates to the field of wireless communication technologies, and in particular to a mobile node device and a method and system for implementing media independent handover.
  • Background art
  • Media-independent handover means that, by handing over between different media types, mobile users can automatically select the best network connection type and seamlessly hand over the voice channel when roaming between networks, achieving roaming handover between systems such as IEEE 802.3/802.11/802.16/3GPP/3GPP2.
  • Media-independent handover technology relies mainly on the Media Independent Handover Function (MIHF) module on the Mobile Node (MN) and on the media independent handover service point (MIH PoS) of the MN's serving point of attachment (serving PoA).
  • MIHF: Media Independent Handover Function
  • MN: Mobile Node
  • MIH PoS: media independent handover service point
  • serving PoA: serving point of attachment
  • The MIH PoS of the MN's serving PoA is the MIH network entity that can directly exchange MIH messages with an MIH-capable MN and is currently serving it, that is, the PoS in the serving state (Serving PoS);
  • the MIH PoS of an MN candidate PoA is an MIH network entity that can directly exchange MIH messages with an MIH-capable MN, that is, a candidate PoS;
  • an MIH PoS that does not include the MN's PoA is an MIH network entity that can directly interact with an MIH-capable MN, such as an MIH-enabled router in a wired network;
  • an MIH Non-PoS that does not include the MN's PoA is an MIH network entity that can directly interact with other MIH network entities but cannot directly exchange MIH messages with an MIH-capable MN.
  • The Serving PoS provides the MN with the MIH services determined during the MIH capability discovery process, including:
  • MIH Event Service (MIES): provides event classification, event filtering and event reporting on dynamically changing link characteristics, link status and link quality.
  • MIH Command Service: provides upper-layer management and control of link behaviour related to handover and mobility.
  • MIH Information Service: provides detailed information on the characteristics and services of the serving network and of surrounding networks, for effective system access and handover decisions.
  • Based on the provided MIH services, the MN determines whether the target network it intends to hand over to permits access: the MN initiates a query request to the Serving PoS on the network side and, when the Serving PoS returns a handover command, sends a handover request to the PoS of the target network to perform the handover.
  • A first aspect of the embodiments of the present invention provides a method for implementing media independent handover, to solve the security problem of media independent handover.
  • A second aspect of the embodiments of the present invention provides a mobile node device that enables a mobile node to perform secure media independent handover.
  • A third aspect of the embodiments of the present invention provides a system for implementing media independent handover, to implement secure media independent handover.
  • A method for implementing media independent handover includes:
  • the network side sends service information protected by a shared key to the mobile node.
  • The shared key is used to protect the messages of the service process and of the handover process, so that a third party who maliciously intercepts a message cannot obtain the content exchanged during media independent handover; this effectively solves the security problem of media independent handover and ensures the security of the media independent service and of the handover.
  • A mobile node device includes:
  • a service information obtaining module, configured to obtain service information protected by a shared key from the network side;
  • a verification module, configured to verify the shared key;
  • a requesting module, configured to send a handover preparation request message to the network side according to the service information when the verification module's verification of the shared key passes;
  • a message protection module, configured to protect the handover preparation request message with the first shared key.
  • Through modules such as the message protection module and the verification module, the scheme secures the messages the mobile node sends and receives, so that the mobile node can interact with a network-side media independent handover system that has a security protection function, ensuring that the mobile node's receiving and sending are secure.
  • A system for implementing media independent handover includes:
  • a message sending module, configured to send service information to the mobile node;
  • a system message protection module, configured to protect the service information with a shared key;
  • a message receiving module, configured to receive a handover preparation request message that is sent by the mobile node and protected by the first shared key;
  • a system verification module, configured to verify the first shared key;
  • a handover module, configured to connect the mobile node to the target service point according to the handover preparation request message, completing the handover.
  • Through the message protection module and the verification module, the scheme protects the messages exchanged while the mobile node hands over its serving network and prevents a third party who maliciously intercepts a message from obtaining its content; this solves the security problem of media independent handover and ensures the security of the service and of the handover.
  • FIG. 2 is a schematic diagram of a direct security architecture in a method for implementing media independent handover according to the present invention;
  • FIG. 3 is a signaling flowchart of a first embodiment of a method for implementing media independent handover according to the present invention;
  • FIG. 5 is a schematic structural diagram of a mobile node device according to an embodiment of the present invention;
  • FIG. 6 is a schematic structural diagram of an embodiment of a media independent handover system according to the present invention.
  • Detailed description
  • The MN and each network entity have the MIH function, and security associations (SAs) between the MN and each network entity, and between network entities, are established to form the security of MIH.
  • SA: security association
  • An SA is established by means of a shared key between the MN and a network entity, or between two network entities.
  • The shared key between the MN and the Serving PoS on the network side is called the first shared key (Kms); it may be generated before the MN obtains the service information;
  • the shared key between the Serving PoS and the information server is called the second shared key (Kns), which may be dynamically generated or statically configured, depending on actual needs;
  • the shared key between the MN and the information server is called the third shared key (Kmn), which needs to be dynamically generated;
  • the shared key between the Serving PoS and each candidate PoS is called the fourth shared key (Kcs);
  • the shared key between the MN and the AAA server is called the fifth shared key (Kma);
  • the shared key between the MN and the target PoS is called the sixth shared key (Kmc). According to whether the MN's MIHF needs to know the new MIH communication peer, the security architecture is divided into a default security architecture and a direct security architecture.
  • In the default security architecture, the MN's MIHF only needs to know whether the MIHF of the Serving PoA's MIH PoS exists; other MIHFs in the network are invisible to the MN.
  • The MN's MIHF therefore only needs to establish an SA with the MIHF of the Serving PoA's MIH PoS and request all services from it.
  • The default security architecture is shown in Figure 1.
  • The solid lines indicate direct connections, the dashed lines indicate entities that are not directly connected, and the thick lines indicate connections with security protection associated with the MN's MIHF. Other connections may have security associations but are not related to the MN's MIHF.
  • In the direct security architecture, the MN's MIHF needs to know of the existence of the MIHF of the Serving PoA's MIH PoS and also of the other MIHFs in the network.
  • The MN's MIHF needs to establish a security association with every MIHF it must interact with and request the corresponding services from each of them separately.
  • This architecture is shown in Figure 2.
  • The solid lines indicate direct connections, the dashed lines indicate entities that cannot be directly connected, and the thick lines indicate connections with security protection associated with the MN's MIHF. Other connections may have security associations but are not related to the MN's MIHF. Note that the thick dotted lines also indicate a security association between the entities, even though they cannot be directly connected.
  • The MIH PoS in Figure 1 and Figure 2 is a functional module on the network side that does not include the MN's PoA. It can directly interact with an MIH-capable MN; an example is an MIH-enabled router in a wired network.
  • FIG. 3 is a signaling flowchart of a first embodiment of a method for implementing media independent handover according to the present invention.
  • This embodiment takes the default security architecture as an example.
  • Step 101: The MN sends a Kms-protected service request message "[MIH_Service-REQ]Kms" to the Serving PoS.
  • "[MIH_Service-REQ]Kms" means that the "MIH_Service-REQ" message is protected by Kms; the notation below is analogous. Security between the MN and the Serving PoS is guaranteed by Kms.
  • Step 102: The Serving PoS receives "[MIH_Service-REQ]Kms" and verifies Kms; verifying Kms ensures the reliability of the message. After the verification passes, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN; this message contains the service information requested by the MN.
  • Step 103: The MN receives "[MIH_Service-RSP]Kms" and verifies Kms;
  • after the verification passes, the service information, such as information on the surrounding networks, has been obtained securely and effectively.
  • The MN selects the target network according to the service information and sends a Kms-protected handover preparation request message "[MIH_Prepare-REQ]Kms" to the Serving PoS, to query whether the target network allows it to access; "[MIH_Prepare-REQ]Kms" can carry information on the PoSs the MN intends to query.
  • Step 104: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms; after the verification passes, the Serving PoS sends a Kcs-protected resource query request message "[MIH_Query-REQ]Kcs" to each candidate PoS.
  • Step 105: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs;
  • after the verification passes, each candidate PoS determines whether it can admit the MN and returns a Kcs-protected resource query response message "[MIH_Query-RSP]Kcs" to the Serving PoS;
  • "[MIH_Query-RSP]Kcs" contains the judgment result, and if access is judged to be available, resources may also be reserved for the MN.
  • Step 106: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs;
  • after the verification passes, the Serving PoS selects the target service point for the MN according to the judgment results and sends a Kms-protected handover command to the MN, the handover command including the target PoS information; or the Serving PoS sends a Kms-protected handover
  • preparation response message "[MIH_Prepare-RSP]Kms" to the MN, "[MIH_Prepare-RSP]Kms" containing the judgment results. Having received a query response, the Serving PoS may send the response to the MN immediately, or it may wait until all candidate PoSs have returned their results before responding to the MN.
  • Step 107: The MN receives the handover command or "[MIH_Prepare-RSP]Kms" and verifies Kms; after the verification passes, the MN sends a Kms-protected handover execution request message "[MIH_Commit-REQ]Kms" to the Serving PoS according to the handover command; or the MN obtains the judgment result from "[MIH_Prepare-RSP]Kms" and, according to the judgment result, sends the Kms-protected "[MIH_Commit-REQ]Kms" containing the target PoS information to the Serving PoS.
  • Step 108: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after the verification passes, the Serving PoS protects the "MIH_Commit-REQ" message with Kcs, obtaining "[MIH_Commit-REQ]Kcs", and sends "[MIH_Commit-REQ]Kcs" to the target PoS according to the target PoS information.
  • Step 109: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs;
  • after the verification passes, the target PoS returns a Kcs-protected handover execution response message "[MIH_Commit-RSP]Kcs" to the Serving PoS.
  • Step 110: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs;
  • the Serving PoS then protects the "MIH_Commit-RSP" message with Kms, obtaining "[MIH_Commit-RSP]Kms", and sends it to the MN.
  • Step 111: The MN receives "[MIH_Commit-RSP]Kms" and verifies Kms;
  • after the verification passes, the MN sends a Kma-protected key generation request message "[MIH_Key-REQ]Kma" to the AAA server through the target PoS.
  • Step 112: The target PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.
  • Step 113: The AAA server receives "AAA REQ", obtains "[MIH_Key-REQ]Kma" from it, and verifies Kma;
  • after the verification passes, the AAA server generates Kmc and sends "AAA RSP" to the target PoS, returning the verification result and Kmc.
  • Step 114: The target PoS sends a key generation response message "[MIH_Key-RSP]Kmc" to the MN; the key generation response message is protected by Kmc.
  • Step 115: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc;
  • after the verification passes, the handover is complete. Thereafter the MN may also send a handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS, and the target PoS returns the response message "[MIH_Complete-RSP]Kmc" to confirm that the handover is complete.
  • When the Kms verification passes, the Serving PoS may further determine whether it stores the information requested by the MN. If so, the Serving PoS
  • sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN. Otherwise, the Serving PoS sends "[MIH_Service-REQ]Kns" to the information server; the information server receives the "[MIH_Service-REQ]Kns" message, verifies Kns and, once the verification passes,
  • returns the "[MIH_Service-RSP]Kns" message containing the service information requested by the MN to the Serving PoS; the Serving PoS receives "[MIH_Service-RSP]Kns", obtains the message content by verifying Kns, and then
  • sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN. If the Kms verification fails, the Serving PoS returns a failure message to the MN.
  • The process by which the MN obtains the service information can also be implemented as follows:
  • the information server broadcasts a "[MIH_Service]Kns" message to each PoS, where Kns may differ from PoS to PoS;
  • after receiving the "[MIH_Service]Kns" message, the Serving PoS verifies Kns and, if the verification passes, broadcasts the obtained service information to all MNs in a "[MIH_Service]Kms" message, where Kms may likewise differ from MN to MN;
  • the MN receives the "[MIH_Service]Kms" message and obtains the service information after verifying Kms.
  • In this embodiment, the SA established between the MN and the Serving PoS, that is, the shared key, ensures that the MN obtains the service information securely; and the SAs established between the MN and the Serving PoS, the candidate PoSs, the AAA server and the target PoS
  • guarantee the security of the network handover, thereby ensuring the security of media independent handover as a whole.
  • Because the default interaction object of the MN is the Serving PoS,
  • no identifier needs to be introduced during the MIH interaction, which reduces signaling overhead and facilitates wireless transmission.
  • FIG. 4 is a signaling flowchart of a second embodiment of a method for implementing media independent handover according to the present invention.
  • This embodiment takes the direct security architecture as an example.
  • The handover process is specifically as follows:
  • Step 201: The MN sends a Kmn-protected service request message "[MIH_Service-REQ]Kmn".
  • The Serving PoS determines, according to the transmission destination information in the service request message "[MIH_Service-REQ]Kmn", whether it is the MN's message delivery destination; if so, the shared key protecting the message should be the first shared key,
  • which the Serving PoS can verify. After the verification passes, the Serving PoS returns the service information to the MN:
  • the Serving PoS receives the "[MIH_Service-REQ]Kms" message and verifies Kms; after the verification passes, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN.
  • Step 202: When the Serving PoS determines that it is not the MN's message sending target, the information server receives "[MIH_Service-REQ]Kmn" and verifies Kmn;
  • after the verification passes, the information server sends the Kmn-protected service response message "[MIH_Service-RSP]Kmn" to the MN, containing the service information requested by the MN.
  • Step 203: The MN receives the "[MIH_Service-RSP]Kmn" message and verifies Kmn; after the verification passes, the MN obtains the service information.
  • The MN selects the target PoS according to the service information and sends the Kms-protected "[MIH_Prepare-REQ]Kms" to the Serving PoS.
  • Step 204: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms;
  • the Serving PoS then sends the Kcs-protected "[MIH_Query-REQ]Kcs" to each candidate PoS on the network side.
  • Step 205: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs; after the verification passes, each candidate PoS determines whether it can admit the MN and returns the Kcs-protected "[MIH_Query-RSP]Kcs" to the Serving PoS, "[MIH_Query-RSP]Kcs" containing the judgment result; if access is judged to be available, resources may also be reserved for the MN.
  • Step 206: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs;
  • the Serving PoS then sends the Kms-protected "[MIH_Prepare-RSP]Kms" message to the MN, "[MIH_Prepare-RSP]Kms" containing the judgment results.
  • Step 207: The MN receives "[MIH_Prepare-RSP]Kms" and verifies Kms;
  • the MN then sends the Kma-protected "[MIH_Key-REQ]Kma" to the accessible candidate PoSs according to the judgment results.
  • Step 208: The accessible candidate PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.
  • Step 209: The AAA server receives "[MIH_Key-REQ]Kma" and verifies Kma;
  • after the verification passes, the AAA server generates Kmc and returns the verification result and Kmc to the accessible PoS in an "AAA RSP" message.
  • Step 210: The accessible PoS receives the verification result and Kmc, and sends the Kmc-protected "[MIH_Key-RSP]Kmc" to the MN.
  • Step 211: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc;
  • the MN then selects the target PoS to access from among the accessible candidate PoSs and sends the Kms-protected "[MIH_Commit-REQ]Kms" to the Serving PoS.
  • Step 212: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after the verification passes, the Serving PoS protects "MIH_Commit-REQ" with Kcs, obtaining "[MIH_Commit-REQ]Kcs", and sends it to the target PoS.
  • Step 213: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs;
  • the target PoS then sends the Kcs-protected "[MIH_Commit-RSP]Kcs" to the Serving PoS.
  • Step 214: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs; after the verification passes, the Serving PoS sends the Kms-protected "[MIH_Commit-RSP]Kms" to the MN.
  • Step 215: The MN receives "[MIH_Commit-RSP]Kms", verifies Kms, and completes the handover. Thereafter the MN may also send a handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS, and the target PoS returns the response message "[MIH_Complete-RSP]Kmc" to confirm that the handover is complete.
  • In this embodiment, SAs are established between the MN and each PoS and between the PoSs, that is, shared keys are used to ensure that the MN accesses the service information securely and that the network handover process is secure, thereby solving the security problem of media independent handover as a whole.
  • The information server may further determine, according to the transmission destination information in "[MIH_Service-REQ]Kmn", whether it is the MN's message transmission destination. The method of obtaining the service information in this embodiment may also be replaced by the method of obtaining the service information in method embodiment 1, or by the Serving PoS broadcasting the service message "[MIH_Service]Kms".
  • The MN can also obtain the service information directly from the information server, which broadcasts the "[MIH_Service]Kmn" message to the MN.
  • The network handover process that follows obtaining the service information in this embodiment can also be replaced by the corresponding process of method embodiment 1, and the MN's network handover is still implemented securely.
  • In this embodiment the MN can distinguish the object of the key request and establish its SA with the target network while still in the original network; the SA can therefore be established ahead of the handover, which reduces handover delay.
  • After receiving the "[MIH_Prepare-RSP]Kms" message, the MN first establishes SAs with all accessible candidate PoSs, that is, generates shared keys between the MN and all accessible candidate PoSs, and only then initiates the handover execution request message to the target PoS; this avoids establishing the SA during handover execution, or the handover failing because the SA cannot be established, thereby saving handover execution time and speeding up the network handover.
  • The Serving PoS of the visited network where the MN is located may not have a security association with the information server.
  • The SA may be established first and the handover performed afterwards, thereby saving access handover time.
  • The messages are protected by a shared key, using either encryption or integrity protection; which method is used is determined by the specific agreement.
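  • The hop-by-hop pattern of Steps 103-107 in the first embodiment and Steps 203-207 in the second, as an added illustration written for this page (it is example code, not code from the patent or from Huawei): the MN and the Serving PoS share Kms, the Serving PoS and each candidate PoS share a separate Kcs, every hop verifies a message before acting on it, and the Serving PoS re-protects information under the key of the next hop. "[X]K" is modelled as X followed by an HMAC-SHA256 tag under K, that is, the integrity-protection variant; the key values, PoS names, admission decisions and message encodings are all constructed for the example.

```python
"""Hop-by-hop shared-key protection of the MIH handover preparation exchange.
Keys, PoS names, admission decisions and encodings are constructed sample
values for this example, not values from the patent."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def protect(msg: bytes, key: bytes) -> bytes:
    """Build [msg]key: the message followed by its HMAC-SHA256 tag under key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify(protected: bytes, key: bytes) -> Optional[bytes]:
    """'Verify K': return the bare message if the tag checks out, else None."""
    if len(protected) < TAG_LEN:
        return None
    msg, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        return None
    return msg


# Constructed keys, derived from labels only so the example is deterministic.
KMS = hashlib.sha256(b"constructed Kms: MN <-> Serving PoS").digest()
KCS = {  # one Kcs per candidate PoS (Serving PoS <-> candidate)
    b"PoS-A": hashlib.sha256(b"constructed Kcs for PoS-A").digest(),
    b"PoS-B": hashlib.sha256(b"constructed Kcs for PoS-B").digest(),
}
ADMITS = {b"PoS-A": False, b"PoS-B": True}  # constructed admission decisions

Handler = Callable[[bytes], Optional[bytes]]


def candidate_pos(name: bytes) -> Handler:
    """Step 105: the candidate verifies Kcs, decides whether it can admit the
    MN, and answers with a Kcs-protected MIH_Query-RSP."""
    kcs = KCS[name]

    def handle(protected_query: bytes) -> Optional[bytes]:
        if verify(protected_query, kcs) is None:
            return None  # Kcs check failed: the query is dropped
        verdict = b"allow" if ADMITS[name] else b"deny"
        return protect(b"MIH_Query-RSP:" + name + b"=" + verdict, kcs)

    return handle


def serving_pos(protected_prepare_req: bytes, candidates: Dict[bytes, Handler]) -> bytes:
    """Steps 104 and 106: verify Kms, fan out Kcs-protected queries, verify
    each Kcs-protected answer, and return a Kms-protected MIH_Prepare-RSP."""
    if verify(protected_prepare_req, KMS) is None:
        return protect(b"MIH_Prepare-RSP:failure", KMS)  # failure message on bad Kms
    verdicts = []
    for name, handler in sorted(candidates.items()):
        rsp = handler(protect(b"MIH_Query-REQ:" + name, KCS[name]))
        msg = verify(rsp, KCS[name]) if rsp is not None else None
        # A missing or unverifiable answer is treated as 'deny'.
        verdicts.append(msg.split(b":", 1)[1] if msg else name + b"=deny")
    return protect(b"MIH_Prepare-RSP:" + b";".join(verdicts), KMS)


def mn_select_target(protected_prepare_rsp: bytes) -> Optional[bytes]:
    """Step 107, MN side: verify Kms and pick the first PoS that allows access."""
    msg = verify(protected_prepare_rsp, KMS)
    if msg is None or msg.endswith(b":failure"):
        return None
    for entry in msg.split(b":", 1)[1].split(b";"):
        name, verdict = entry.split(b"=")
        if verdict == b"allow":
            return name
    return None


def run_handover_preparation() -> Optional[bytes]:
    """Steps 103-107 end to end; returns the target PoS the MN chooses."""
    candidates = {name: candidate_pos(name) for name in KCS}
    prepared = serving_pos(protect(b"MIH_Prepare-REQ", KMS), candidates)
    return mn_select_target(prepared)


def tampered_request_is_rejected() -> bool:
    """A request altered in transit fails the Kms check at the Serving PoS."""
    candidates = {name: candidate_pos(name) for name in KCS}
    req = bytearray(protect(b"MIH_Prepare-REQ", KMS))
    req[0] ^= 0x01  # flip one bit of the message body
    return mn_select_target(serving_pos(bytes(req), candidates)) is None


if __name__ == "__main__":
    print("target PoS:", run_handover_preparation())
    print("tampered request rejected:", tampered_request_is_rejected())
```

  • Running the file prints the target the MN selects (PoS-B, the only candidate constructed to admit it) and shows that a request with a single flipped bit is rejected at the Serving PoS before any query reaches a candidate. The property worth checking in a real deployment is the one the example makes explicit: each key is verified only by the two parties that hold it, so a candidate PoS never sees Kms and cannot produce a message that the MN would accept as coming from the Serving PoS, and the MN never sees Kcs.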
  • The mobile node device 10 includes a service information acquiring module 11, a verification module 12, a requesting module 13 and a message protection module 14, wherein the service information acquiring module 11 is configured to obtain from the network
  • side the service information protected by the shared key;
  • the verification module 12 is configured to verify the shared key, such as Kms, Kmn or Kmc; the requesting module 13 is configured to send, when the verification module 12's verification of the shared key passes, a handover preparation request message to the network side according to the service information, or to send to the network side a service request message for acquiring the service information;
  • the message protection module 14 protects the handover preparation request message and the service request message with Kms, or protects the service request message with Kmn.
  • The service information acquiring module 11 is further configured to receive the Kms-protected handover command, or handover preparation response message, and handover execution response message sent by the network side, where the handover preparation response message includes the judgment result;
  • the requesting module 13 is further configured to send a Kms-protected handover execution request message to the network side according to the handover command, or to obtain the judgment result from the handover preparation response message and, according to the judgment result,
  • send a Kms-protected handover execution request message to the network side; the handover execution request message includes the target service point information; the requesting module 13 is further configured to send a Kma-protected key generation request message to the network-side AAA server;
  • the message protection module 14 is further configured to protect the key generation request message with Kma; the service information acquiring module 11 is further configured to receive the Kmc-protected key generation response message sent by the network side; and the verification module 12 is further configured to verify Kmc.
  • The mobile node device embodiment described above enables the mobile node to perform media independent handover securely through the verification module 12 and the message protection module 14.
  • FIG. 6 is a schematic structural diagram of an embodiment of a media independent handover system according to the present invention.
  • The system 20 includes a message sending module 21, a system message protection module 22, a message receiving module 23, a system verification module 24 and a handover module 25.
  • The system message protection module 22 is configured to protect the service information with a shared key; the message
  • sending module 21 then sends the protected service information to the MN;
  • the message receiving module 23 is configured to receive the Kms-protected handover preparation request message sent by the MN;
  • the system verification module 24 is configured to verify Kms;
  • the handover module 25 is configured to connect, according to the handover preparation
  • request message, the MN to the target service point and complete the handover.
  • The message receiving module 23 may be further configured to receive the Kms-protected service request message sent by the MN; the message sending module 21 may be further configured to send a service response message containing the service information to the MN; and the system message protection module 22 may also protect the service response message with Kms.
  • the switching module 25 may include a first receiving module, a first verifying module, a first protection module, a first sending module, a second receiving module, a second verifying module, a second protecting module, a second sending module, and a third receiving module. a third verification module, a key generation module, and a third transmission module; wherein, the first verification module, the first protection module, and the first transmission module are disposed in the Serving PoS, and after the system verification module verifies that the Kms is passed, the first protection module is used The Kcs protects the resource query request message and sends it to the candidate PoS by the first sending module.
  • the second receiving module, the second verifying module, the second protection module, and the second sending module are set in the candidate PoS or the target PoS, and the second receiving module receives the first a resource query request message sent by the sending module, the second verification module verifies the Kcs of the protection resource query request message, and after the verification is passed, the candidate PoS generates a resource query response message, and after the second protection module is protected by the Kcs, the second sending module Sending to the Serving PoS; the first receiving module receives the resource query response message, and the first verification module verifies the Kcs;
  • the first protection module sends the Kms-protected handover execution request message sent by the MN, and the first verification module verifies the Kms.
  • the first protection module sends the Kms-protected handover execution request message sent by the MN.
  • the first protection module uses Kcs to protect the handover execution request message, and the first sending module sends the Kcs-protected handover execution request message to the second receiving module.
  • the second verification module verifies the Kcs, and after the verification is passed, The target PoS generates a handover execution response message, the second protection module uses Kcs to protect the handover execution response message, and the second sending module sends the protected handover execution response message to the MN; the second receiving module receives the Kma-protected key sent by the MN.
  • the second sending module sends the Kma protected key generation request message to the third receiving module;
  • the third receiving module, the third verifying module, the key generating module, and the third sending module are disposed in the AAA server; the third receiving module receives the key generation request message, and the third verification module verifies Kma; after the verification is passed, the key generation module generates Kmc, and the third sending module sends the verification result of the third verification module and the Kcs to the second receiving module;
  • after the second receiving module receives them, the target PoS generates a key generation response message, the second protection module protects the key generation response message with Kmc, and the second sending module sends the protected key generation response message to the MN;
  • after the second receiving module receives the Kmc-protected handover completion request message sent by the MN, the second verification module verifies Kmc; after the verification is passed, the target PoS generates a handover completion response message, the second protection module protects it with Kmc, and the second transmission module completes the
  • the media independent switching system may further include a determining module, where the determining module is located in the Serving PoS and is configured to determine whether this PoS is the destination of the service request message, or to determine whether the information requested by the MN is stored locally; if this PoS is the destination of the service request message, the Serving PoS performs the corresponding operation, such as verifying the Kms; if it is determined that the information requested by the MN is stored locally, the first sending module sends the information requested by the MN to the MN.
  • the media independent switching system may further include a creating module, and the creating module is set on the Serving PoS; if the determining module determines that the Serving PoS does not store the information requested by the MN, a new service request message is created and sent to the information server.
  • the system message protection module ensures the security of the media independent handover.

Abstract

A mobile node apparatus, a method for realizing media independent handover (MIH) and the system thereof are provided. The method includes: the network side sending the service information protected by a shared key to the mobile node (MN); receiving the handover prepare request message, which is sent by MN according to the service information after MN validates the common key and protected by the first shared key; validating the first shared key and controlling MN to access the target point of service (PoS). With the method, the security problem of MIH is efficiently resolved and the security of media independent service and MIH is ensured. The mobile node apparatus includes service information getting module, verifying module, requesting module and message protecting module. The system includes message sending module, system message protecting module, message receiving module, system verifying module and handover module. With the apparatus and the system, the security of MIH is ensured.

Description

Mobile node device, method and system for implementing media independent handover
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a mobile node device and a method and system for implementing media independent handover.
Background
Media independent handover means supporting handover between different media types so that a mobile user roaming between networks can automatically select the best network connection type and seamlessly switch the call path, achieving roaming handover among systems such as IEEE 802.3/802.11/802.16/3GPP/3GPP2.
At present, media independent handover technology mainly relies on the Media Independent Handover Function (MIHF) module on the Mobile Node (MN), the MIH Point of Service (MIH PoS) of the MN's serving point of attachment (serving PoA), the MIH PoS of the MN's candidate PoA, the MIH PoS that does not include the MN's PoA, and the MIH non-point of service (Non-PoS) that does not include the MN's PoA to achieve roaming handover of mobile users among systems such as IEEE 802.3/802.11/802.16/3GPP/3GPP2. The MIH PoS of the MN's serving PoA is an MIH network entity that can exchange MIH messages directly with an MIH-capable MN, that is, the PoS currently serving the MN, also called the Serving PoS; the MIH PoS of an MN candidate PoA is an MIH network entity that can exchange MIH messages directly with an MIH-capable MN, that is, a candidate PoS; the MIH PoS that does not include the MN's PoA is an MIH network entity that can exchange MIH messages directly with an MIH-capable MN, for example a router with MIHF in a wired network; the MIH Non-PoS that does not include the MN's PoA is an MIH network entity that can exchange MIH messages directly with other MIH network entities but cannot exchange MIH messages directly with an MIH-capable MN.
In a specific handover, first, the Serving PoS provides the MN with the MIH services determined during the MIH capability discovery process, including:
MIH Event Service (MIES): provides event classification, event filtering and events for dynamic changes in link characteristics, link status and link quality.
MIH Command Service (MICS): allows the upper layers to manage and control link behaviour related to handover and mobility.
MIH Information Service (MIIS): provides detailed information about the characteristics and services of the serving network and the surrounding networks, used for effective system access and handover decisions.
Second, after the MN decides, based on the MIH services provided, to query whether the target network it wants to switch to allows access, it initiates a query request to the network-side Serving PoS and, when the network-side Serving PoS returns a handover command, sends a handover request to the PoS of the target network to perform the handover.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem: while a PoS provides MIH services to the MN and while the MN switches networks, the information exchanged between the MN and the network entities lacks security protection, so media independent handover has a security problem.
Summary of the invention
A first aspect of the embodiments of the present invention is to provide a method for implementing media independent handover, so as to solve the security problem of media independent handover.
A second aspect of the embodiments of the present invention is to provide a mobile node device that enables the mobile node to perform secure media independent handover.
A third aspect of the embodiments of the present invention is to provide a system for implementing media independent handover, so as to achieve secure media independent handover.
The first aspect of the present invention provides, through some embodiments, the following technical solution: a method for implementing media independent handover, including:
the network side sends service information protected by a shared key to the mobile node;
receiving a handover preparation request message, where the handover preparation request message is sent by the mobile node according to the service information after verifying the shared key, and the handover preparation request message is protected by a first shared key; verifying the first shared key, and connecting the mobile node to the target point of service.
By protecting the messages of the service process and the handover process with shared keys, a third party that maliciously intercepts a message cannot obtain the content of the media independent handover process, which effectively solves the security problem of media independent handover and ensures the security of media independent services and media independent handover.
The second aspect of the present invention provides, through some embodiments, the following technical solution: a mobile node device, including:
a service information acquisition module, configured to obtain service information protected by a shared key from the network side; a verification module, configured to verify the shared key;
a request module, configured to send a handover preparation request message to the network side according to the service information when the verification module verifies the shared key successfully;
a message protection module, configured to protect the handover preparation request message with a first shared key.
Through modules such as the message protection module and the verification module, this solution effectively ensures the security of the messages the mobile node sends and receives, so that the mobile node can interact with a network-side media independent handover system that has security protection, thereby ensuring that the mobile node receives and sends information securely and achieving secure media independent handover for the mobile node.
The third aspect of the present invention provides, through some embodiments, the following technical solution: a system for implementing media independent handover, including:
a message sending module, configured to send service information to the mobile node;
a system message protection module, configured to protect the service information with a shared key;
a message receiving module, configured to receive the handover preparation request message sent by the mobile node and protected by the first shared key;
a system verification module, configured to verify the first shared key;
a handover module, configured to connect the mobile node to the target point of service according to the handover preparation request message, completing the handover.
Through modules such as the message protection module and the verification module, this solution effectively protects the various messages exchanged while switching the network that serves the mobile node, prevents a third party that maliciously intercepts messages from obtaining their content during the handover, solves the security problem of media independent handover, and ensures the security of the service and of the handover in media independent handover.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Brief description of the drawings
FIG. 2 is a schematic diagram of the direct security architecture in an embodiment of the media independent handover method of the present invention; FIG. 3 is a signalling flowchart of the first embodiment of the method for implementing media independent handover of the present invention; FIG. 4 is a signalling flowchart of the second embodiment of the method for implementing media independent handover of the present invention; FIG. 5 is a schematic structural diagram of an embodiment of the mobile node device of the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of the media independent handover system of the present invention.
Detailed description
In the embodiments of the method for implementing media independent handover of the present invention, the MN and each network entity have the MIH function, and a security architecture for MIH is formed by establishing Security Associations (SAs) between the MN and each network entity and among the network entities. An SA is established through a shared key between the MN and a network entity or between two network entities. For ease of description, in the embodiments of the present invention the shared key between the MN and the network-side Serving PoS is called the first shared key (Kms), which may be generated before the MN obtains the service information; the shared key between the Serving PoS and the information server is called the second shared key (Kns), which may be generated dynamically or configured statically, depending on actual needs; the key between the MN and the information server is called the third shared key (Kmn), which needs to be generated dynamically; the shared key between the Serving PoS and each candidate PoS is called the fourth shared key (Kcs); the shared key between the MN and the Authentication, Authorization and Accounting server (AAA Server) is called the fifth shared key (Kma); the shared key between the MN and the target PoS is called the sixth shared key (Kmc); and, according to whether the MN's MIHF needs to know the new MIH communication peer explicitly, the security architecture is divided into a default security architecture and a direct security architecture.
Under the default security architecture, the MN's MIHF only needs to know whether the MIHF of the Serving PoA's MIH PoS exists; the other MIHFs in the network are invisible to the MN. The MN's MIHF only needs to establish an SA with the MIHF of the Serving PoA's MIH PoS and requests all services from it. The default security architecture is shown in FIG. 1: solid lines indicate direct connections, dashed lines indicate entities that are not directly connected, and thick lines indicate connections with security protection related to the MN's MIHF. Other connections may have security associations, but these are unrelated to the MN's MIHF.
Under the direct security architecture, the MN's MIHF needs to know of the existence of the MIHF of the Serving PoA's MIH PoS and also of the other MIHFs in the network. The MN's MIHF needs to establish a security association with every MIHF it has to interact with, and requests the corresponding services from each of them. The architecture is shown in FIG. 2: solid lines indicate direct connections, dashed lines indicate entities that are not directly connected, and thick lines indicate connections with security protection related to the MN's MIHF. Other connections may have security associations, but these are unrelated to the MN's MIHF. Note in particular that a thick dashed line also indicates that a security association exists between the two entities even though they are not directly connected. In FIG. 1 and FIG. 2, the MIH PoS is a network-side functional module that does not include the MN's PoA and can interact directly with an MIH-capable MN, for example an MIH-capable router in a wired network.
Method embodiment 1
FIG. 3 is a signalling flowchart of the first embodiment of the method for implementing media independent handover of the present invention. This embodiment takes the default security architecture as an example; the handover process is as follows:
Step 101: the MN sends the Kms-protected service request message "[MIH_Service-REQ]Kms" to the Serving PoS.
"[MIH_Service-REQ]Kms" denotes the "MIH_Service-REQ" message protected by Kms; the same notation is used below. Kms guarantees security between the MN and the Serving PoS.
Step 102: the Serving PoS receives the "[MIH_Service-REQ]Kms" message and verifies Kms; verifying Kms guarantees the reliability of the message. After the verification is passed, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN; the "[MIH_Service-RSP]Kms" message contains the service information requested by the MN.
Step 103: the MN receives "[MIH_Service-RSP]Kms" and verifies Kms;
After the verification is passed, the MN has securely and effectively obtained service information such as information about the surrounding networks. The MN then selects a target network according to the service information and sends the Kms-protected handover preparation request message "[MIH_Prepare-REQ]Kms" to the Serving PoS to query whether the target network allows it to access; "[MIH_Prepare-REQ]Kms" may carry information about the PoSs the MN wants queried.
Step 104: the Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms; after the verification is passed, the Serving PoS sends the Kcs-protected resource query request message "[MIH_Query-REQ]Kcs" to each candidate PoS.
Step 105: each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs;
After the verification is passed, each candidate PoS determines whether it can admit the MN and returns the Kcs-protected resource query response message "[MIH_Query-RSP]Kcs" to the Serving PoS; "[MIH_Query-RSP]Kcs" contains the result of the determination. If it determines that the MN can be admitted, it may also reserve resources for the MN.
Step 106: the Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs;
After the verification is passed, the Serving PoS selects the target point of service for the MN according to the results and sends a Kms-protected handover command to the MN, the handover command containing the target PoS information; or the Serving PoS sends the Kms-protected handover preparation response message "[MIH_Prepare-RSP]Kms" to the MN, "[MIH_Prepare-RSP]Kms" containing the results. After the Serving PoS receives "[MIH_Prepare-RSP]Kms", it may pass it to the MN immediately, or wait until all candidate PoSs have returned their results before sending it to the MN.
Step 107: the MN receives the handover command or "[MIH_Prepare-RSP]Kms" and verifies Kms; after the verification is passed, the MN sends the Kms-protected handover execution request message "[MIH_Commit-REQ]Kms" to the Serving PoS according to the handover command, or the MN obtains the results from "[MIH_Prepare-RSP]Kms" and sends the Kms-protected "[MIH_Commit-REQ]Kms" to the Serving PoS according to the results. "[MIH_Commit-REQ]Kms" contains the target PoS information, such as an identifier of the target PoS: its IP address, Network Access Identifier (NAI) or MIHF identifier (ID).
Step 108: the Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after the verification is passed, the Serving PoS protects the "MIH_Commit-REQ" message with Kcs to obtain "[MIH_Commit-REQ]Kcs" and sends "[MIH_Commit-REQ]Kcs" to the target PoS according to the target PoS information.
Step 109: the target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs;
After the verification is passed, the target PoS returns the Kcs-protected handover execution response message "[MIH_Commit-RSP]Kcs" to the Serving PoS.
Step 110: the Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs;
After the verification is passed, the Serving PoS protects the "MIH_Commit-RSP" message with Kms to obtain "[MIH_Commit-RSP]Kms" and sends it to the MN.
Step 111: the MN receives "[MIH_Commit-RSP]Kms" and verifies Kms;
After the verification is passed, the MN sends the Kma-protected key generation request message "[MIH_Key-REQ]Kma" to the AAA server via the target PoS.
Step 112: the target PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.
Step 113: the AAA server receives "AAA REQ", extracts "[MIH_Key-REQ]Kma" and verifies Kma;
After the verification is passed, the AAA server generates Kmc and sends "AAA RSP" to the target PoS, returning the verification result and Kmc.
Step 114: the target PoS sends the key generation response message "[MIH_Key-RSP]Kmc" to the MN; this key generation response message is protected by Kmc.
Step 115: the MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc;
After the verification is passed, the handover is complete. Afterwards, the MN may also send the handover completion message "[MIH_Complete-REQ]Kmc" to the target PoS and wait for the target PoS to return the response message "[MIH_Complete-RSP]Kmc" to confirm that the handover is complete.
In this embodiment, after receiving the "[MIH_Service-REQ]Kms" message, and once Kms is verified, the Serving PoS may further determine whether it itself stores the information requested by the MN. If so, it proceeds as follows: the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN. Otherwise, the Serving PoS sends "[MIH_Service-REQ]Kns" to the information server; the information server receives the "[MIH_Service-REQ]Kns" message and, after verifying Kns, returns to the Serving PoS the "[MIH_Service-RSP]Kns" message containing the service information requested by the MN; the Serving PoS receives the "[MIH_Service-RSP]Kns" message, obtains the information after verifying Kns, and then proceeds as follows: the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN. If Kms fails verification, the Serving PoS returns failure information to the MN.
The process by which the MN obtains service information may also be implemented as follows:
the information server broadcasts the "[MIH_Service]Kns" message to each PoS, where Kns may differ per PoS;
after receiving the "[MIH_Service]Kns" message, the Serving PoS verifies Kns and, if the verification passes, broadcasts the obtained service information to all MNs in the "[MIH_Service]Kms" message, where Kms may also differ per MN;
the MN receives the "[MIH_Service]Kms" message and obtains the service information after verifying Kms.
In the media independent handover process of this embodiment, establishing an SA between the MN and the Serving PoS, that is, using a shared key, ensures that the MN obtains the service information securely; establishing SAs between the MN and the Serving PoS, the candidate PoSs and the AAA server, and between the PoSs, ensures the security of the network handover, so the security of the media independent handover is ensured as a whole.
Moreover, since the MN's default interaction peer is the Serving PoS, no identifier needs to be introduced during the MIH interaction, which reduces signalling overhead and facilitates wireless transmission.
For simple IP and mobile IP networks, the MN in both kinds of network only needs to know its own access router (AR), which is similar to the case without cross-PoS access; the AR therefore plays a role similar to the PoS, the network can obtain the MIH function through a simple upgrade of the AR, and no cross-PoS access is needed, so this solution can conveniently be applied to simple IP and mobile IP networks.
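The Kms/Kcs/Kma/Kmc-protected exchange of steps 101 to 115 above, as an added Python simulation that is not part of the patent: every party verifies the key protecting an incoming message before acting on it, a message that fails verification is dropped or answered with failure information, and a candidate PoS whose Kcs does not match the Serving PoS's copy is simply left out of the resource query results. Modelling protection as an HMAC-SHA256 tag, the Kmc derivation, and all keys, identifiers and nonces are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed example. Message "protection" is modelled as an HMAC-SHA256 tag over
# a canonical JSON body; the patent names no algorithm, so this is an assumption.
def protect(key, msg):
    body = json.dumps(msg, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}
def verify(key, prot):
    """Return the message if its tag checks under key, else None (receiver drops it)."""
    if key is None or not isinstance(prot, dict) or "tag" not in prot:
        return None
    tag = hmac.new(key, prot["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(prot["body"]) if hmac.compare_digest(tag, prot["tag"]) else None
def derive_kmc(kma, mn_id, target, nonce):
    # Assumption: AAA server and MN both derive Kmc from Kma, target PoS and an MN nonce.
    return hmac.new(kma, f"Kmc|{mn_id}|{target}|{nonce}".encode(), hashlib.sha256).digest()

class AAAServer:
    def __init__(self, kma_by_mn):
        self.kma_by_mn = kma_by_mn                           # Kma shared with each MN
    def aaa_req(self, mn_id, target, prot_key_req):        # steps 112-113
        req = verify(self.kma_by_mn.get(mn_id), prot_key_req)
        if req is None or req["type"] != "MIH_Key-REQ":
            return None                                      # AAA RSP reports failure, no Kmc
        return derive_kmc(self.kma_by_mn[mn_id], mn_id, target, req["nonce"])

class CandidatePoS:
    def __init__(self, pos_id, kcs, admits, aaa):
        self.pos_id, self.kcs, self.admits, self.aaa = pos_id, kcs, set(admits), aaa
        self.reserved, self.kmc = set(), {}
    def query(self, prot):                                   # step 105
        req = verify(self.kcs, prot)
        if req is None:
            return None
        admit = req["mn"] in self.admits
        if admit:
            self.reserved.add(req["mn"])                     # reserve resources for the MN
        return protect(self.kcs, {"type": "MIH_Query-RSP", "admit": admit})
    def commit(self, prot):                                  # step 109
        if verify(self.kcs, prot) is None:
            return None
        return protect(self.kcs, {"type": "MIH_Commit-RSP"})
    def key_req(self, mn_id, prot_key_req):                  # steps 112-114
        kmc = self.aaa.aaa_req(mn_id, self.pos_id, prot_key_req)
        if kmc is None:
            return None
        self.kmc[mn_id] = kmc
        return protect(kmc, {"type": "MIH_Key-RSP", "pos": self.pos_id})

class ServingPoS:
    def __init__(self, kms_by_mn, kcs_by_pos, candidates, service_info):
        self.kms_by_mn, self.kcs_by_pos = kms_by_mn, kcs_by_pos
        self.candidates, self.service_info = candidates, service_info
    def service_req(self, mn_id, prot):                      # step 102
        kms = self.kms_by_mn.get(mn_id)
        if verify(kms, prot) is None:
            return {"failure": "Kms verification failed"}    # failure information to the MN
        return protect(kms, {"type": "MIH_Service-RSP", "networks": self.service_info})
    def prepare_req(self, mn_id, prot):                      # steps 104-106
        kms = self.kms_by_mn.get(mn_id)
        req = verify(kms, prot)
        if req is None:
            return {"failure": "Kms verification failed"}
        results = {}
        for pos_id in req["query"]:
            kcs = self.kcs_by_pos[pos_id]
            rsp = verify(kcs, self.candidates[pos_id].query(protect(kcs, {"type": "MIH_Query-REQ", "mn": mn_id})))
            if rsp is not None:                              # a reply failing Kcs is ignored
                results[pos_id] = rsp["admit"]
        target = next((p for p, ok in results.items() if ok), None)
        return protect(kms, {"type": "MIH_Prepare-RSP", "results": results, "target": target})
    def commit_req(self, mn_id, prot):                       # steps 108-110
        kms = self.kms_by_mn.get(mn_id)
        req = verify(kms, prot)
        if req is None:
            return {"failure": "Kms verification failed"}
        kcs = self.kcs_by_pos[req["target"]]
        c = self.candidates[req["target"]].commit(protect(kcs, {"type": "MIH_Commit-REQ", "mn": mn_id}))
        if verify(kcs, c) is None:
            return {"failure": "Kcs verification failed"}
        return protect(kms, {"type": "MIH_Commit-RSP", "target": req["target"]})

def run_handover(mn_id, kms, kma, serving, candidates, nonce="n1"):
    """MN side of steps 101-115; reports the stage that failed or the target PoS."""
    rsp = verify(kms, serving.service_req(mn_id, protect(kms, {"type": "MIH_Service-REQ"})))
    if rsp is None:
        return {"ok": False, "stage": "service"}
    prep = protect(kms, {"type": "MIH_Prepare-REQ", "query": list(rsp["networks"])})
    rsp = verify(kms, serving.prepare_req(mn_id, prep))
    if rsp is None or rsp["target"] is None:
        return {"ok": False, "stage": "prepare"}
    target = rsp["target"]
    if verify(kms, serving.commit_req(mn_id, protect(kms, {"type": "MIH_Commit-REQ", "target": target}))) is None:
        return {"ok": False, "stage": "commit"}
    key_rsp = candidates[target].key_req(mn_id, protect(kma, {"type": "MIH_Key-REQ", "nonce": nonce}))
    if verify(derive_kmc(kma, mn_id, target, nonce), key_rsp) is None:
        return {"ok": False, "stage": "key"}
    return {"ok": True, "target": target}                    # Kmc established: handover done
```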
方法实施例二  Method embodiment two
图 4为本发明实现媒体无关切换的方法第二实施例的信令流程图。 本实 施例以直接安全架构为例, 切换过程具体为:  FIG. 4 is a signaling flowchart of a second embodiment of a method for implementing media independent handover according to the present invention. This example takes a direct security architecture as an example. The handover process is specifically as follows:
Step 201: The MN sends a service request message protected by Kmn, "[MIH_Service-REQ]Kmn".

The Serving PoS determines, from the destination information carried in the service request message "[MIH_Service-REQ]Kmn", whether it is the destination of the MN's message. If it is, the shared key protecting the message should be the first shared key (Kms), which the Serving PoS can verify; after verification passes, the Serving PoS returns the service information to the MN, as in method embodiment one: the Serving PoS receives the "[MIH_Service-REQ]Kms" message and verifies Kms; after verification passes, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN.

Step 202: When the Serving PoS determines that it is not the destination of the MN's message, the information server receives "[MIH_Service-REQ]Kmn" and verifies Kmn;

after verification passes, the information server sends the Kmn-protected service response message "[MIH_Service-RSP]Kmn" to the MN; "[MIH_Service-RSP]Kmn" contains the service information requested by the MN.

Step 203: The MN receives the "[MIH_Service-RSP]Kmn" message and verifies Kmn; after verification passes, the MN obtains the service information.
The MN selects a target PoS according to the service information and sends the Kms-protected "[MIH_Prepare-REQ]Kms" to the Serving PoS.

Step 204: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms;

after verification passes, the Serving PoS sends the Kcs-protected "[MIH_Query-REQ]Kcs" to each candidate PoS on the network side.

Step 205: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs; after verification passes, each candidate PoS determines whether it can admit the MN and returns the Kcs-protected "[MIH_Query-RSP]Kcs" to the Serving PoS; "[MIH_Query-RSP]Kcs" contains the determination result. A candidate PoS that determines it can admit the MN may also reserve resources for the MN.

Step 206: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs;

after verification passes, the Serving PoS sends the Kms-protected "[MIH_Prepare-RSP]Kms" message to the MN; "[MIH_Prepare-RSP]Kms" contains the determination results.

Step 207: The MN receives "[MIH_Prepare-RSP]Kms" and verifies Kms;

after verification passes, the MN sends the Kma-protected "[MIH_Key-REQ]Kma" to each admissible candidate PoS according to the determination results.
Step 208: The admissible candidate PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ".

Step 209: The AAA server receives "[MIH_Key-REQ]Kma" and verifies Kma;

after verification passes, the AAA server generates Kmc and returns the verification result together with Kmc to the admissible PoS in an "AAA RSP".

Step 210: The admissible PoS receives the verification result and Kmc, and sends the Kmc-protected "[MIH_Key-RSP]Kmc" to the MN.

Step 211: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc;

after verification passes, the MN selects the target PoS to be accessed from the admissible candidate PoSs and sends the Kms-protected "[MIH_Commit-REQ]Kms" to the Serving PoS.
Step 212: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS protects "[MIH_Commit-REQ]Kcs" with Kcs and sends it to the target PoS.

Step 213: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs;

after verification passes, the target PoS sends the Kcs-protected "[MIH_Commit-RSP]Kcs" to the Serving PoS.

Step 214: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs; after verification passes, the Serving PoS sends the Kms-protected "[MIH_Commit-RSP]Kms" to the MN.

Step 215: The MN receives "[MIH_Commit-RSP]Kms" and verifies Kms, which completes the handover. Afterwards, the MN may also send the handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS and wait for the target PoS to return the response message "[MIH_Complete-RSP]Kmc", confirming that the handover is complete.
In the media independent handover process of this embodiment, SAs are established between the MN and each PoS and between the PoSs themselves, that is, shared keys are used. This ensures that the MN obtains the service information securely and that the network handover process itself is secure, thereby solving the security problem of media independent handover as a whole.

In this embodiment, after the information server receives "[MIH_Service-REQ]Kmn", it may further determine, from the destination information in "[MIH_Service-REQ]Kmn", whether it is the destination of the MN's message, and then verify Kmn. The method of obtaining the service information in this embodiment may be replaced by the method of obtaining the service information in method embodiment one; the service information may also be obtained by having the Serving PoS broadcast the service message "[MIH_Service]Kms" to the MN, or by having the information server broadcast the "[MIH_Service]Kmn" message directly to the MN. Likewise, the network switching process that follows the acquisition of service information in this embodiment may be replaced by the corresponding process in method embodiment one, so that the MN's network handover is implemented securely.

Under the direct security architecture the MN can distinguish the object of each key request and establish its SA with the target network while still in the original network, so that SA establishment is decoupled from the handover itself, which reduces handover delay. In this embodiment, after receiving the "[MIH_Prepare-RSP]Kms" message, the MN first establishes SAs with all admissible candidate PoSs, that is, it generates the shared keys between itself and every admissible candidate PoS, and only then sends the handover execution request message to the target PoS. This avoids having to establish an SA during handover execution, or failing to complete the handover because an SA cannot be established, which saves handover execution time and speeds up network handover. If the MN needs to access an information server located in its home network, the Serving PoS of the visited network where the MN is located may have no security association with that information server; the SA can be established first and the handover executed afterwards, which saves handover time.

In the above embodiments, protecting a message with a shared key may mean either encrypting it or integrity-protecting it; which of the two is used is determined by the specific protocol.
Mobile node device embodiment

FIG. 5 is a schematic structural diagram of an embodiment of the mobile node device of the present invention. The mobile node device 10 includes a service information acquiring module 11, a verification module 12, a requesting module 13 and a message protection module 14. The service information acquiring module 11 is used to obtain, from the network side, service information protected by a shared key; the verification module 12 is used to verify the shared key, such as Kms, Kmn or Kmc; the requesting module 13 is used, once the verification module 12 has verified the shared key successfully, to send a handover preparation request message to the network side according to the service information, or to send to the network side a service request message for obtaining the service information; the message protection module 14 protects the handover preparation request message and the service request message with Kms, or protects the service request message with Kmn.

In this embodiment, the service information acquiring module 11 is further used to receive, from the network side, a Kms-protected handover command, or a Kms-protected handover preparation response message and handover execution response message, the handover preparation response message containing the determination result; the requesting module 13 is further used to send a Kms-protected handover execution request message to the network side according to the handover command, or to obtain the determination result from the handover preparation response message and send a Kms-protected handover execution request message to the network side according to that result, the handover execution request message containing the target service point information; the requesting module 13 is further used to send a Kma-protected key generation request message to the AAA server on the network side; the message protection module 14 is further used to protect the key generation request message with Kma; the service information acquiring module 11 is further used to receive a Kmc-protected key generation response message sent by the network side; and the verification module 12 is further used to verify Kmc.

Through the verification module 12 and the message protection module 14, the above mobile node device embodiment enables the mobile node to perform media independent handover securely.
System embodiment

FIG. 6 is a schematic structural diagram of an embodiment of the media independent handover system of the present invention. The system 20 includes a message sending module 21, a system message protection module 22, a message receiving module 23, a system verification module 24 and a handover module 25. The system message protection module 22 is used to protect the service information with a shared key, after which the message sending module 21 sends the protected service information to the MN; the message receiving module 23 is used to receive the Kms-protected handover preparation request message sent by the MN; the system verification module 24 is used to verify Kms; and the handover module 25 is used to connect the MN to the target service point according to the handover preparation request message, completing the handover.

In this embodiment, the message receiving module 23 may further be used to receive a Kms-protected service request message sent by the MN; the message sending module 21 may further be used to send a service response message containing the service information to the MN; and the system message protection module 22 may further protect that service response message with Kms.
The handover module 25 may include a first receiving module, a first verification module, a first protection module, a first sending module, a second receiving module, a second verification module, a second protection module, a second sending module, a third receiving module, a third verification module, a key generation module and a third sending module.

The first receiving module, first verification module, first protection module and first sending module are located in the Serving PoS. After the system verification module has verified Kms, the first protection module protects the resource query request message with Kcs and the first sending module sends it to the candidate PoSs.

The second receiving module, second verification module, second protection module and second sending module are located in the candidate PoS or target PoS. The second receiving module receives the resource query request message sent by the first sending module and the second verification module verifies the Kcs protecting it; after verification passes, the candidate PoS generates a resource query response message, which the second protection module protects with Kcs and the second sending module sends to the Serving PoS. The first receiving module receives the resource query response message and the first verification module verifies Kcs; the first protection module then protects the handover preparation response message with Kms and the first sending module sends it to the MN. The first receiving module receives the Kms-protected handover execution request message sent by the MN and the first verification module verifies Kms; after verification passes, the first protection module protects the handover execution request message with Kcs and the first sending module sends the Kcs-protected handover execution request message to the second receiving module. After the second receiving module receives it, the second verification module verifies Kcs; after verification passes, the target PoS generates a handover execution response message, the second protection module protects it with Kcs, and the second sending module sends the protected handover execution response message to the MN. The second receiving module receives the Kma-protected key generation request message sent by the MN, and the second sending module passes the Kma-protected key generation request message on to the third receiving module.

The third receiving module, third verification module, key generation module and third sending module are located in the AAA server. The third receiving module receives the key generation request message and the third verification module verifies Kma; after verification passes, the key generation module generates Kmc, and the third sending module sends the verification result of the third verification module together with Kmc to the second receiving module. The second receiving module receives them, the target PoS generates a key generation response message, the second protection module protects the key generation response message with Kmc, and the second sending module sends the protected key generation response message to the MN. The second receiving module receives the Kmc-protected handover complete request message sent by the MN and the second verification module verifies Kmc; after verification passes, the target PoS generates a handover complete response message, the second protection module protects it with Kmc, and the second sending module sends the protected handover complete response message to the MN.
In the above system embodiment, the media independent handover system may further include a determination module, located in the Serving PoS, for determining whether this PoS is the destination of the service request message, or whether it stores the information requested by the MN. If this PoS is the destination of the service request message, the Serving PoS performs the corresponding operation, such as verifying Kms; if it determines that it stores the information requested by the MN, the first sending module sends that information to the MN.

The media independent handover system may further include a creation module, located in the Serving PoS. If the determination module determines that the Serving PoS does not store the information requested by the MN, the creation module creates a new service request message and sends it to the information server.

Through the system message protection module, the system verification module and the key generation module, the above system embodiment ensures the security of media independent handover.

A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware controlled by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims
1. A method for implementing media independent handover, characterized by comprising:

a network side sending, to a mobile node, service information protected by a shared key;

receiving a handover preparation request message, the handover preparation request message being sent by the mobile node according to the service information after the mobile node verifies the shared key, the handover preparation request message being protected by a first shared key;

verifying the first shared key, and connecting the mobile node to a target service point.

2. The method according to claim 1, characterized in that the network side sending, to the mobile node, service information protected by a shared key specifically comprises:

the network side receiving a service request message protected by the shared key and sent by the mobile node, and verifying the shared key;

after the verification passes, the network side sending, to the mobile node, a service response message protected by the shared key, the service response message containing the service information requested by the mobile node.

3. The method according to claim 2, characterized in that, before verifying the shared key, the method further comprises:

a service point on the network side that receives the service request message determining whether it is the destination of the service request message;

if the service point is not the destination of the service request message, forwarding the service request message to the destination of the service request message; the network side receiving a service response message returned by the destination after it receives the service request message, the service response message containing the service information requested by the mobile node.

4. The method according to claim 2, characterized in that, before the network side sends the service response message protected by the shared key to the mobile node, the method further comprises:

a service point in the serving state on the network side determining, when the shared key is verified successfully, whether it stores the service information requested by the mobile node; if not, the service point in the serving state creating a new service request message, protecting it with a second shared key, and sending it to an information server on the network side; the information server receiving the new service request message and verifying the second shared key; after the verification passes, the information server returning, to the service point in the serving state, a new service response message protected by the second shared key, the new service response message containing the service information requested by the mobile node; the service point in the serving state receiving the new service response message and verifying the second shared key; after the verification passes, the service point in the serving state obtaining the service information.
5. The method according to claim 1, characterized in that the network side sending, to the mobile node, service information protected by a shared key specifically comprises:

an information server on the network side broadcasting the service information to each service point on the network side, the service information being protected by a second shared key;

a service point in the serving state on the network side receiving the service information and verifying the second shared key;

after the verification passes, the service point in the serving state broadcasting a service message protected by the shared key, the service message containing the service information.

6. The method according to claim 1, characterized in that the network side sending, to the mobile node, service information protected by a shared key specifically comprises:

the network side broadcasting a service message protected by the first shared key or by a third shared key, or the network side unicasting to the mobile node a service message protected by the first shared key, the service message containing the service information.

7. The method according to claim 1, characterized in that verifying the first shared key and connecting the mobile node to the target service point specifically comprises:

the network side verifying the first shared key;

after the verification passes, the network side returning, to the mobile node according to the handover preparation request message, a handover command or a handover preparation response message protected by the first shared key, the handover preparation response message containing a determination result of whether the mobile node can be admitted; the network side receiving a handover execution request message protected by the first shared key and sent by the mobile node, and verifying the first shared key;

after the verification passes, the network side returning, to the mobile node according to the handover execution request message, a handover execution response message protected by the first shared key;

the network side receiving a key generation request message protected by a fifth shared key and sent by the mobile node, and verifying the fifth shared key;

after the verification passes, the network side returning, to the mobile node, a key generation response message protected by a sixth shared key.
8、 根据权利要求 7所述的方法, 其特征在于, 所述网络侧接收所述移动 节点发送的经过所述第一共享密钥保护的切换执行请求消息之前还包括: 所述网络侧中处于服务状态的服务点接收所述移动节点发送的经过第一 共享密钥保护的所述切换执行请求消息, 所述经过第一共享密钥保护的所述 切换执行请求消息由所述移动节点在接收所述切换命令或切换准备响应消 息, 并验证所述第一共享密钥后发出; 或者  The method according to claim 7, wherein the network side before receiving the handover execution request message that is sent by the mobile node and is protected by the first shared key further includes: The service status service point receives the handover execution request message that is sent by the mobile node and is protected by the first shared key, and the handover execution request message protected by the first shared key is received by the mobile node. Transmitting a command or switching a preparation response message, and verifying the first shared key; or
所述网络侧中处于服务状态的服务点接收所述移动节点根据所述判断结 果发送的经过第一共享密钥保护的切换执行请求消息; 所述切换执行请求消 息由所述移动节点在接收所述切换命令或切换准备响应消息, 并验证所述第 一共享密钥后发出; 所述判断结果由所述移动节点从所述切换准备响应消息 获得; 所述切换执行请求消息中包含有目标服务点信息。  The service point in the service state in the network side receives the handover execution request message that is sent by the mobile node according to the determination result and is protected by the first shared key; the handover execution request message is received by the mobile node by the mobile node. Determining a handover command or a handover preparation response message, and verifying the first shared key; the determination result is obtained by the mobile node from the handover preparation response message; the handover execution request message includes a target service Point information.
9、 根据权利要求 7所述的方法, 其特征在于, 所述网络侧接收所述移动 节点发送的经过第五共享密钥保护的密钥生成请求消息之前还包括:  The method according to claim 7, wherein the network side further includes: before receiving, by the mobile node, the key generation request message protected by the fifth shared key;
接收所述移动节点发送的经过所述第五共享密钥保护的密钥生成请求消 息, 所述经过所述第五共享密钥保护的密钥生成请求消息由所述移动节点在 接收所述切换执行相应消息, 并验证所述第一共享密钥后发出。  Receiving, by the mobile node, a key generation request message protected by the fifth shared key, where the key generation request message protected by the fifth shared key is received by the mobile node The corresponding message is executed, and the first shared key is verified and issued.
10、 根据权利要求 1所述的方法, 其特征在于, 验证所述第一共享密钥, 将所述移动节点接入目标服务点具体为: 所述网络侧验证所述第一共享密钥; The method according to claim 1, wherein the verifying the first shared key and the accessing the mobile node to the target service point are: The network side verifies the first shared key;
验证通过后, 所述网络侧根据所述切换准备请求消息, 向所述移动节点 返回经过所述第一共享密钥保护的切换命令或切换准备响应消息;  After the verification is passed, the network side returns, according to the handover preparation request message, a handover command or a handover preparation response message that is protected by the first shared key to the mobile node;
所述网络侧接收所述移动节点发送的经过第五共享密钥保护的密钥生成 请求消息, 并验证所述第五共享密钥;  Receiving, by the network side, a key generation request message that is protected by the fifth shared key and sent by the mobile node, and verifying the fifth shared key;
验证通过后, 所述网络侧根据所述密钥生成请求消息向所述移动节点返 回经过第六共享密钥保护的密钥生成响应消息;  After the verification is passed, the network side returns a key generation response message protected by the sixth shared key to the mobile node according to the key generation request message;
所述网络侧接收所述移动节点发送的经过所述第一共享密钥保护的切换 执行请求消息, 并验证所述第一共享密钥;  Receiving, by the network side, a handover execution request message that is sent by the mobile node and protected by the first shared key, and verifying the first shared key;
验证通过后, 所述网络侧向所述移动节点返回经过所述第一共享密钥保 护的切换执行响应消息。  After the verification is passed, the network side returns a handover execution response message that is protected by the first shared key to the mobile node.
11、 根据权利要求 10所述的方法, 其特征在于, 所述网络侧接收所述移 动节点发送的经过第五共享密钥保护的密钥生成请求消息之前还包括:  The method according to claim 10, wherein, before the receiving, by the network side, the key generation request message protected by the fifth shared key sent by the mobile node, the method further includes:
接收所述移动节点根据所述判断结果发送的经过第五共享密钥保护的密 钥生成请求消息; 所述经过第五共享密钥保护的密钥生成请求消息由所述移 动节点在接收所述切换准备响应消息, 并验证所述第一共享密钥后发出。  Receiving a fifth shared key protected key generation request message sent by the mobile node according to the determination result; the fifth shared key protected key generation request message is received by the mobile node by the mobile node The preparation preparation response message is sent, and the first shared key is verified and issued.
12、 根据权利要求 10所述的方法, 其特征在于, 所述网络侧接收所述移 动节点发送的经过所述第一共享密钥保护的切换执行请求消息之前还包括: 接收所述移动节点发送的经过所述第一共享密钥保护的切换执行请求消 息; 所述经过所述第一共享密钥保护的切换执行请求消息由所述移动节点在 接收所述密钥生成响应消息, 并验证所述第六共享密钥后发出。  The method according to claim 10, wherein the receiving, by the network side, the handover execution request message that is sent by the mobile node and that is protected by the first shared key, further comprises: receiving, sending, by the mobile node, The handover execution request message protected by the first shared key; the handover execution request message protected by the first shared key is received by the mobile node to receive the key generation response message, and the verification Issued after the sixth shared key.
13. The method according to any one of claims 7 to 12, wherein the network side returning to the mobile node, according to the handover preparation request message, a handover command or a handover preparation response message protected by the first shared key specifically comprises:
the service point in the serving state on the network side sends a resource query request message protected by the fourth shared key to each candidate service point on the network side;
each candidate service point receives the resource query request message and verifies the fourth shared key;
after verification succeeds, each candidate service point determines whether it can admit the mobile node, and returns to the serving service point a resource query response message protected by the fourth shared key, the resource query response message containing the determination result;
the serving service point receives the resource query response message and verifies the fourth shared key;
after verification succeeds, the serving service point selects, according to the determination results, a target service point for the mobile node to access, and sends to the mobile node a handover command protected by the first shared key, the handover command containing the target service point information; or the serving service point sends to the mobile node a handover preparation response message protected by the first shared key, the handover preparation response message containing the determination results.
14. The method according to any one of claims 7 to 12, wherein the network side returning to the mobile node, according to the handover execution request message, a handover execution response message protected by the first shared key specifically comprises:
the serving service point on the network side protects the handover execution request message with the fourth shared key and sends the handover execution request message to the target service point according to the target service point information;
the target service point receives the handover execution request message and verifies the fourth shared key;
after verification succeeds, the target service point returns to the serving service point a handover execution response message protected by the fourth shared key;
the serving service point receives the handover execution response message and verifies the fourth shared key;
after verification succeeds, the serving service point protects the handover execution response message with the first shared key and sends it to the mobile node.
15. The method according to any one of claims 7 to 9, wherein the network side returning to the mobile node a key generation response message protected by the sixth shared key specifically comprises:
the target service point on the network side sends a key generation request message protected by the fifth shared key to the authentication, authorization and accounting server on the network side;
the authentication, authorization and accounting server receives the key generation request message and verifies the fifth shared key;
after verification succeeds, the authentication, authorization and accounting server generates a sixth shared key and returns the verification result and the sixth shared key to the target service point;
the target service point returns to the mobile node a key generation response message protected by the sixth shared key.
16. The method according to any one of claims 10 to 12, wherein the network side returning to the mobile node, according to the key generation request message, a key generation response message protected by the sixth shared key specifically comprises:
the accessible candidate service point on the network side forwards the key generation request message to the authentication, authorization and accounting server on the network side;
the authentication, authorization and accounting server receives the key generation request message and verifies the fifth shared key;
after verification succeeds, the authentication, authorization and accounting server generates a sixth shared key and returns the verification result and the sixth shared key to the accessible service point;
the accessible service point receives the verification result and the sixth shared key, and sends to the mobile node a key generation response message protected by the sixth shared key.
17. A mobile node device, comprising:
a service information acquisition module, configured to obtain service information protected by a shared key from the network side;
a verification module, configured to verify the shared key;
a request module, configured to send a handover preparation request message to the network side according to the service information when the verification module's verification of the shared key succeeds;
a message protection module, configured to protect the handover preparation request message with a first shared key.
18. The mobile node device according to claim 17, wherein the request module is further configured to send to the network side a service request message for obtaining the service information; the message protection module is further configured to protect the service request message with the first shared key; and the service information acquisition module is further configured to receive a service response message sent by the network side and containing the service information.
19. The mobile node device according to claim 17, wherein the service information acquisition module is further configured to receive a service message broadcast by the network side and protected by the first shared key or a third shared key, the service message containing the service information.
20. The mobile node device according to claim 17, wherein the request module is further configured to send to the network side a service request message for obtaining the service information; the message protection module is further configured to protect the service request message with a third shared key; the service information acquisition module is further configured to receive a service response message sent by the network side and containing the service information; and the verification module is further configured to verify the third shared key protecting the service response message.
21. The mobile node device according to claim 17, wherein the service information acquisition module is further configured to receive a service message unicast by the network side and protected by the first shared key, the service message containing the service information.
22. The mobile node device according to any one of claims 17 to 21, wherein:
the service information acquisition module is further configured to receive, from the network side, a handover command or handover preparation response message protected by the first shared key, a handover execution response message, and a key generation response message protected by the sixth shared key;
the request module is further configured to send to the network side, according to the handover command or handover preparation response message, a handover execution request message protected by the first shared key, and to send a key generation request message to the network side;
the message protection module is further configured to protect the handover execution request message with the first shared key and to protect the key generation request message with a fifth shared key;
the verification module is further configured to verify the sixth shared key.
23. A system for implementing media independent handover, comprising:
a message sending module, configured to send service information to a mobile node;
a system message protection module, configured to protect the service information with a shared key;
a message receiving module, configured to receive a handover preparation request message sent by the mobile node and protected by a first shared key;
a system verification module, configured to verify the first shared key;
a handover module, configured to connect the mobile node to a target service point according to the handover preparation request message, completing the handover.
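The following is an added example, not code from the patent or from Huawei, that simulates the message flow of claims 13 to 16 and claim 14 end to end so the key-separation structure can be seen running: the first shared key protects mobile node to serving point messages, the fourth shared key protects messages between service points, the fifth shared key protects the key generation request to the AAA server, and the sixth shared key, generated by the AAA server, protects the key generation response. Everything not stated in the claims is an assumption of the example: "protected by a shared key" is realised as an HMAC-SHA256 tag over a canonical JSON encoding, the sixth shared key is derived by both the AAA server and the mobile node from the fifth shared key and a nonce the AAA server chooses, and the key values, message field names and class names are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo keys (assumption: in a deployment each is established by prior
# authentication). Naming follows the claims: first, fourth and fifth shared key.
K1 = b"first-shared-key:mobile-node<->serving-point"
K4 = b"fourth-shared-key:between-service-points"
K5 = b"fifth-shared-key:mobile-node<->aaa-server"

def protect(key, msg):
    """Return msg with an HMAC-SHA256 tag over its canonical JSON encoding."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}

def verify(key, msg):
    """True only if msg carries a valid tag under key; the compare is constant-time."""
    if not isinstance(msg.get("tag"), str):
        return False
    return hmac.compare_digest(protect(key, msg)["tag"], msg["tag"])

def derive_k6(nonce):
    """Sixth shared key. Assumption of this example: the AAA server and the mobile
    node both derive it from the fifth shared key and a nonce the AAA server picks."""
    return hmac.new(K5, b"sixth-shared-key|" + nonce, hashlib.sha256).digest()

class AAAServer:
    def handle_key_generation(self, req):            # claims 15/16: verify K5, make K6
        if not verify(K5, req):
            raise ValueError("AAA: invalid fifth-shared-key tag")
        nonce = os.urandom(16)
        return nonce, derive_k6(nonce)               # verification result + sixth key

class CandidatePoint:
    def __init__(self, name, free_slots, aaa):
        self.name, self.free_slots, self.aaa = name, free_slots, aaa

    def handle_resource_query(self, req):            # claim 13: verify K4, answer under K4
        if not verify(K4, req):
            raise ValueError(f"{self.name}: invalid fourth-shared-key tag")
        return protect(K4, {"type": "ResourceQueryResp", "from": self.name,
                            "admit": self.free_slots > 0})

    def handle_key_generation(self, req):            # claims 15/16: forward, reply under K6
        nonce, k6 = self.aaa.handle_key_generation(req)
        return protect(k6, {"type": "KeyGenResp", "from": self.name, "nonce": nonce.hex()})

    def handle_handover_exec(self, req):             # claim 14: verify K4, answer under K4
        if not verify(K4, req):
            raise ValueError(f"{self.name}: invalid fourth-shared-key tag")
        return protect(K4, {"type": "HandoverExecResp", "from": self.name, "ok": True})

class ServingPoint:
    def __init__(self, candidates):
        self.candidates = {c.name: c for c in candidates}

    def handle_handover_prep(self, req):             # claim 13: K1 in, K4 to candidates, K1 out
        if not verify(K1, req):
            raise ValueError("SP: invalid first-shared-key tag")
        query = protect(K4, {"type": "ResourceQueryReq"})
        target = None
        for cand in self.candidates.values():
            resp = cand.handle_resource_query(query)
            if not verify(K4, resp):
                raise ValueError("SP: invalid fourth-shared-key tag on response")
            if resp["admit"] and target is None:
                target = cand.name                   # first admitting candidate is chosen
        if target is None:
            raise RuntimeError("no candidate can admit the mobile node")
        return protect(K1, {"type": "HandoverCommand", "target": target})

    def handle_handover_exec(self, req):             # claim 14: K1 in, K4 to target, K1 out
        if not verify(K1, req):
            raise ValueError("SP: invalid first-shared-key tag")
        inner = protect(K4, {"type": "HandoverExecReq", "target": req["target"]})
        resp = self.candidates[req["target"]].handle_handover_exec(inner)
        if not verify(K4, resp):
            raise ValueError("SP: invalid fourth-shared-key tag on response")
        return protect(K1, {"type": "HandoverExecResp", "ok": resp["ok"]})

def run_handover(free_slots=(0, 3)):
    """Drive the mobile node through claims 13, 15/16 and 14; return what it verified."""
    aaa = AAAServer()
    cands = [CandidatePoint(f"SP{i + 1}", n, aaa) for i, n in enumerate(free_slots)]
    sp = ServingPoint(cands)
    cmd = sp.handle_handover_prep(protect(K1, {"type": "HandoverPrepReq"}))
    if not verify(K1, cmd):
        raise ValueError("MN: invalid first-shared-key tag on handover command")
    target = sp.candidates[cmd["target"]]
    kg = target.handle_key_generation(protect(K5, {"type": "KeyGenReq", "target": target.name}))
    k6_ok = verify(derive_k6(bytes.fromhex(kg["nonce"])), kg)   # MN verifies the sixth key
    ex = sp.handle_handover_exec(protect(K1, {"type": "HandoverExecReq", "target": target.name}))
    return {"target": target.name, "k6_ok": k6_ok, "exec_ok": verify(K1, ex) and ex["ok"]}

def tampered_command_rejected():
    """A handover command whose target is altered in transit fails first-key verification."""
    cmd = protect(K1, {"type": "HandoverCommand", "target": "SP2"})
    cmd["target"] = "SP-other"
    return not verify(K1, cmd)

if __name__ == "__main__":
    print(run_handover())
    print("tampered command rejected:", tampered_command_rejected())
```

The point the simulation makes is that each hop re-protects the message under the key of that hop rather than forwarding the mobile node's tag, so a service point never needs the mobile node's key to talk to a peer, and a tag computed under one key never verifies under another; `tampered_command_rejected` shows that altering the target service point information in a handover command invalidates the first-shared-key tag.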
PCT/CN2008/072435 2007-09-19 2008-09-19 A mobile node apparatus, a method for realizing media independent handover and the system thereof WO2009039782A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710154142.3 2007-09-19
CN2007101541423A CN101394664B (en) 2007-09-19 2007-09-19 Mobile node, method and system for implementing media irrelevant switching

Publications (1)

Publication Number Publication Date
WO2009039782A1 true WO2009039782A1 (en) 2009-04-02

Family

ID=40494684

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072435 WO2009039782A1 (en) 2007-09-19 2008-09-19 A mobile node apparatus, a method for realizing media independent handover and the system thereof

Country Status (2)

Country Link
CN (1) CN101394664B (en)
WO (1) WO2009039782A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1534931A (en) * 2003-04-02 2004-10-06 华为技术有限公司 Method of forming dynamic key in radio local network
WO2006052805A2 (en) * 2004-11-05 2006-05-18 Freescale Semiconductor, Inc. Media-independent handover (mih) method featuring a simplified beacon
CN1881919A (en) * 2006-02-18 2006-12-20 华为技术有限公司 Method for switching between heterogeneous networks
CN1968252A (en) * 2006-06-29 2007-05-23 华为技术有限公司 Media-independent link switching method and apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1290362C (en) * 2003-05-30 2006-12-13 华为技术有限公司 Key consulting method for switching mobile station in wireless local network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JEE, JUNGHOON ET AL., HANDOVER COMMANDS UPDATE: LB ISSUE-#18: COMMENT 495. I.E.E., vol. 802, no. 21, September 2006 (2006-09-01) *

Also Published As

Publication number Publication date
CN101394664B (en) 2012-01-04
CN101394664A (en) 2009-03-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800929

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800929

Country of ref document: EP

Kind code of ref document: A1