WO2009039782A1 - Mobile node device, method for implementing media independent handover, and associated system - Google Patents


Info

Publication number
WO2009039782A1
Authority
WO
WIPO (PCT)
Prior art keywords
shared key
service
mobile node
protected
request message
Prior art date
Application number
PCT/CN2008/072435
Other languages
English (en)
Chinese (zh)
Inventor
Guohui Zou
Bin Xia
Original Assignee
Huawei Technologies Co., Ltd.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/005 Control or signalling for completing the hand-off involving radio access media independent information, e.g. MIH [Media independent Hand-off]

Definitions

  • Mobile node device, method and system for implementing media independent handover
  • The present invention relates to the field of wireless communication technologies, and in particular to a mobile node device and to a method and system for implementing media independent handover (MIH).
  • Background technique
  • Media independent handover means that, by handing over between different media types, a mobile user can automatically select the best network connection type and seamlessly hand over a voice channel while roaming between networks, achieving roaming handover between systems such as IEEE 802.3, 802.11, 802.16, 3GPP and 3GPP2.
  • Media independent handover technology is implemented mainly through the Media Independent Handover Function (MIHF) module on the Mobile Node (MN) and the media independent handover point of service (MIH PoS) of the MN's serving point of attachment (serving PoA).
  • MIHF: Media Independent Handover Function
  • MN: Mobile Node
  • MIH PoS: media independent handover point of service
  • serving PoA: serving point of attachment
  • The MIH PoS of the MN's serving PoA is the MIH network entity that can directly exchange MIH messages with a MIH-capable MN and is currently serving that MN, i.e. the PoS in the serving state (Serving PoS);
  • the MIH PoS of a candidate PoA of the MN is an MIH network entity that can directly exchange MIH messages with a MIH-capable MN, i.e. a candidate PoS;
  • an MIH PoS that does not include a PoA of the MN is an MIH network entity that can directly interact with a MIH-capable MN, for example a MIH-enabled router in a wired network;
  • an MIH Non-PoS that does not include a PoA of the MN is an MIH network entity that can directly interact with other MIH network entities but cannot directly exchange MIH messages with a MIH-capable MN.
  • The Serving PoS provides the MN with the MIH services determined during the MIH capability discovery process, namely:
  • MIH Event Service (MIES): provides event classification, event filtering and event reporting on dynamically changing link characteristics, link status and link quality.
  • MIH Command Service (MICS): provides upper-layer management and control of link behaviour related to handover and mobility.
  • MIH Information Service (MIIS): provides detailed information on the characteristics and services of the serving network and of surrounding networks, for effective system access and handover decisions.
  • Based on the MIH services provided, the MN determines whether the target network it wants to hand over to permits access: the MN initiates a query request to the Serving PoS on the network side and, when the Serving PoS returns a handover command, sends a handover request to the PoS of the target network to perform the handover.
  • a first aspect of an embodiment of the present invention is to provide a method for implementing media independent handover to solve the security problem of media independent handover.
  • a second aspect of an embodiment of the present invention provides a mobile node device that enables a mobile node to perform secure media independent handover.
  • a third aspect of the embodiments of the present invention provides a system for implementing media independent handover to implement secure media independent handover.
  • A method for implementing media independent handover includes:
  • the network side sends service information protected by a shared key to the mobile node;
  • the shared key protects the messages of the service process and of the handover process, so that a third party who maliciously intercepts a message cannot obtain the content of the media independent handover process. This effectively solves the security problem of media independent handover and ensures the security of both the service and the handover.
  • A mobile node device includes:
  • a service information obtaining module, configured to obtain service information protected by a shared key from the network side;
  • a verification module, configured to verify the shared key;
  • a requesting module, configured to send a handover preparation request message to the network side according to the service information, if the verification module verifies that the shared key passes;
  • a message protection module, configured to protect the handover preparation request message with the first shared key.
  • Through the message protection module and the verification module, this scheme secures the messages the mobile node sends and receives, so that the mobile node can interact with a network-side media independent handover system that has security protection, thereby ensuring that the mobile node transmits and receives securely.
  • A system for implementing media independent handover includes:
  • a message sending module, configured to send service information to the mobile node;
  • a system message protection module, configured to protect the service information with a shared key;
  • a message receiving module, configured to receive a handover preparation request message that is sent by the mobile node and protected by the first shared key;
  • a system verification module, configured to verify the first shared key;
  • a handover module, configured to connect the mobile node to the target point of service according to the handover preparation request message, to complete the handover.
  • Through the message protection module and the verification module, this scheme protects the messages exchanged while the mobile node hands over between service networks and prevents a third party who maliciously intercepts a message from obtaining the content of the messages in the handover process.
  • This solves the security problem of media independent handover and ensures the security of the service and of the handover in media independent handover.
  • FIG. 2 is a schematic diagram of a direct security architecture in a method for implementing media independent handover according to the present invention
  • FIG. 3 is a signaling flowchart of a first embodiment of a method for implementing media independent handover according to the present invention
  • FIG. 5 is a schematic structural diagram of a mobile node device according to an embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of an embodiment of a media independent handover system according to the present invention.
  • Detailed description
  • The MN and each network entity have the MIH function, and security associations (SAs) are established between the MN and each network entity and between the network entities, forming the security of MIH.
  • SA: security association
  • The establishment of an SA is implemented by a shared key between the MN and a network entity, or between network entities.
  • The shared key between the MN and the Serving PoS on the network side is called the first shared key (Kms); this key may be generated before the MN obtains the service information;
  • the shared key between the Serving PoS and the information server is called the second shared key (Kns); it may be dynamically generated or statically configured, depending on actual needs;
  • the shared key between the MN and the information server is called the third shared key (Kmn); this key needs to be dynamically generated;
  • the shared key between the Serving PoS and each candidate PoS is called the fourth shared key (Kcs);
  • the shared key between the MN and the AAA server is called the fifth shared key (Kma);
  • the shared key between the MN and the target PoS is called the sixth shared key (Kmc). According to whether the MIHF of the MN needs to identify new MIH communication peers, the security architecture is divided into a default security architecture and a direct security architecture.
  • In the default security architecture, the MIHF of the MN only needs to know whether the MIHF of the Serving PoA's MIH PoS exists; the other MIHFs in the network are invisible to the MN.
  • The MIHF of the MN therefore only needs to establish an SA with the MIHF of the Serving PoA's MIH PoS, and requests all services from it.
  • The default security architecture is shown in Figure 1.
  • In Figure 1, solid lines indicate direct connections, dashed lines indicate entities that are not directly connected, and thick lines indicate connections with security protection that involve the MIHF of the MN. Other connections may have security associations, but these are not related to the MN's MIHF.
  • In the direct security architecture, the MN's MIHF needs to know of the existence of the MIHF of the Serving PoA's MIH PoS, and also of the existence of the other MIHFs in the network.
  • The MN's MIHF therefore needs to establish a security association with every MIHF it interacts with, and requests the corresponding services from each of them separately.
  • This architecture is shown in Figure 2.
  • In Figure 2, solid lines indicate direct connections, dashed lines indicate entities that cannot be directly connected, and thick lines indicate connections with security protection that involve the MIHF of the MN. Other connections may have a security association, but these are not related to the MN's MIHF. Note that the thick dotted lines also indicate a security association between entities that cannot be directly connected.
  • The MIH PoS in Figures 1 and 2 is a functional module on the network side that does not include the MN's PoA; it can directly interact with a MIH-capable MN, for example a MIH-enabled router in a wired network.
  • FIG. 3 is a signaling flowchart of a first embodiment of a method for implementing media independent handover according to the present invention.
  • the default security architecture is taken as an example in this embodiment.
  • Step 101: The MN sends the Kms-protected service request message "[MIH_Service-REQ]Kms" to the Serving PoS.
  • "[MIH_Service-REQ]Kms" means that the "MIH_Service-REQ" message is protected by Kms; the same notation is used below. Security between the MN and the Serving PoS is guaranteed by Kms.
  • Step 102: The Serving PoS receives "[MIH_Service-REQ]Kms" and verifies Kms; verifying Kms ensures the reliability of the message. After verification passes, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN; this message contains the service information requested by the MN.
  • Step 103: The MN receives "[MIH_Service-RSP]Kms" and verifies Kms; after verification passes, the service information, such as information on the surrounding networks, has been obtained securely and effectively.
  • The MN selects the target network according to the service information and sends the Kms-protected handover preparation request message "[MIH_Prepare-REQ]Kms" to the Serving PoS, to query whether the target network allows it to access; "[MIH_Prepare-REQ]Kms" may carry the information of the PoSs that the MN wants to query.
  • Step 104: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS sends the Kcs-protected resource query request message "[MIH_Query-REQ]Kcs" to each candidate PoS.
  • Step 105: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs; after verification passes, each candidate PoS determines whether it can admit the MN and returns the Kcs-protected resource query response message "[MIH_Query-RSP]Kcs" to the Serving PoS.
  • "[MIH_Query-RSP]Kcs" contains the judgment result; if the judgment is that access is possible, resources may also be reserved for the MN.
  • Step 106: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs; after verification passes, the Serving PoS either selects the target point of service for the MN according to the judgment results and sends a Kms-protected handover command to the MN, which includes the target PoS information, or sends the Kms-protected handover preparation response message "[MIH_Prepare-RSP]Kms" to the MN, which contains the judgment results.
  • The Serving PoS may send "[MIH_Prepare-RSP]Kms" to the MN as soon as it has received a "[MIH_Query-RSP]Kcs", or only after all candidate PoSs have returned their results.
  • Step 107: The MN receives the handover command or "[MIH_Prepare-RSP]Kms" and verifies Kms; after verification passes, the MN either sends the Kms-protected handover execution request message "[MIH_Commit-REQ]Kms" to the Serving PoS according to the handover command, or obtains the judgment results from "[MIH_Prepare-RSP]Kms" and, according to them, sends to the Serving PoS the Kms-protected "[MIH_Commit-REQ]Kms" containing the target PoS information.
  • Step 108: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS protects the "MIH_Commit-REQ" message with Kcs to obtain "[MIH_Commit-REQ]Kcs", and sends it to the target PoS according to the target PoS information.
  • Step 109: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs; after verification passes, the target PoS returns the Kcs-protected handover execution response message "[MIH_Commit-RSP]Kcs" to the Serving PoS.
  • Step 110: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs; after verification passes, the Serving PoS protects the "MIH_Commit-RSP" message with Kms to obtain "[MIH_Commit-RSP]Kms" and sends it to the MN.
  • Step 111: The MN receives "[MIH_Commit-RSP]Kms" and verifies Kms; after verification passes, the MN sends the Kma-protected key generation request message "[MIH_Key-REQ]Kma" to the AAA server through the target PoS.
  • Step 112: The target PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.
  • Step 113: The AAA server receives "AAA REQ", extracts "[MIH_Key-REQ]Kma" and verifies Kma; after verification passes, the AAA server generates Kmc and sends "AAA RSP" to the target PoS, returning the verification result and Kmc.
  • Step 114: The target PoS sends the key generation response message "[MIH_Key-RSP]Kmc", protected by Kmc, to the MN.
  • Step 115: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc; after verification passes, the handover is complete. Afterwards, the MN may also send a handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS, and the target PoS returns the response message "[MIH_Complete-RSP]Kmc" to confirm that the handover is complete.
  • In Step 102, after Kms verification passes, the Serving PoS may further determine whether it stores the information requested by the MN. If so, it sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN.
  • Otherwise, the Serving PoS sends "[MIH_Service-REQ]Kns" to the information server; the information server receives "[MIH_Service-REQ]Kns" and verifies Kns.
  • After verification passes, the information server returns "[MIH_Service-RSP]Kns", containing the service information requested by the MN, to the Serving PoS; the Serving PoS receives "[MIH_Service-RSP]Kns", obtains the information by verifying Kns, and then
  • sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN. If Kms verification fails, the Serving PoS returns a failure message to the MN.
  • The process by which the MN obtains the service information can also be implemented as follows:
  • the information server broadcasts a "[MIH_Service]Kns" message to each PoS, where Kns may differ from PoS to PoS;
  • after receiving "[MIH_Service]Kns", the Serving PoS verifies Kns and, if verification passes, broadcasts the obtained service information to all MNs in a "[MIH_Service]Kms" message, where Kms may likewise differ from MN to MN;
  • the MN receives "[MIH_Service]Kms" and obtains the service information after verifying Kms.
  • In this embodiment, an SA is established between the MN and the Serving PoS, i.e. a shared key is used to ensure that the MN obtains the service information securely; and the SAs established between the MN and the Serving PoS, between the Serving PoS and the candidate PoSs, between the MN and the AAA server, and between the MN and the target PoS
  • guarantee the security of the network handover, thereby ensuring the security of the media independent handover as a whole.
  • Because the default interaction object of the MN is the Serving PoS,
  • no peer identifier needs to be introduced in the MIH interaction, which reduces signalling overhead and facilitates wireless transmission.
  • FIG. 4 is a signaling flowchart of a second embodiment of a method for implementing media independent handover according to the present invention.
  • This embodiment takes the direct security architecture as an example.
  • the handover process is specifically as follows:
  • Step 201: The MN sends the Kmn-protected service request message "[MIH_Service-REQ]Kmn".
  • The Serving PoS determines, from the destination information in the service request message, whether it is the destination of the MN's message. If so, the shared key protecting the message should be the first shared key (Kms),
  • which the Serving PoS can verify; after verification passes, the Serving PoS returns the service information to the MN.
  • That is, the Serving PoS receives "[MIH_Service-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS sends the Kms-protected service response message "[MIH_Service-RSP]Kms" to the MN.
  • Step 202: When the Serving PoS determines that it is not the destination of the MN's message, the information server receives "[MIH_Service-REQ]Kmn" and verifies Kmn;
  • after verification passes, the information server sends the Kmn-protected service response message "[MIH_Service-RSP]Kmn" to the MN, containing the service information requested by the MN.
  • Step 203: The MN receives "[MIH_Service-RSP]Kmn" and verifies Kmn; after verification passes, the MN obtains the service information.
  • The MN selects the target PoS according to the service information and sends the Kms-protected "[MIH_Prepare-REQ]Kms" to the Serving PoS.
  • Step 204: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS sends the Kcs-protected "[MIH_Query-REQ]Kcs" to each candidate PoS on the network side.
  • Step 205: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs; after verification passes, each candidate PoS determines whether it can admit the MN and returns the Kcs-protected "[MIH_Query-RSP]Kcs", containing the judgment result, to the Serving PoS. If the judgment is that access is possible, resources may also be reserved for the MN.
  • Step 206: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs; after verification passes, the Serving PoS sends the Kms-protected "[MIH_Prepare-RSP]Kms" message, which contains the judgment results, to the MN.
  • Step 207: The MN receives "[MIH_Prepare-RSP]Kms" and verifies Kms; after verification passes, the MN sends the Kma-protected "[MIH_Key-REQ]Kma" to each accessible candidate PoS according to the judgment results.
  • Step 208: Each accessible candidate PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.
  • Step 209: The AAA server receives "[MIH_Key-REQ]Kma" and verifies Kma; after verification passes, the AAA server generates Kmc and returns the verification result and Kmc to the accessible PoS in an "AAA RSP" message.
  • Step 210: The accessible PoS receives the verification result and Kmc, and sends the Kmc-protected "[MIH_Key-RSP]Kmc" to the MN.
  • Step 211: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc; after verification passes, the MN selects the target PoS from the accessible candidate PoSs and sends the Kms-protected "[MIH_Commit-REQ]Kms" to the Serving PoS.
  • Step 212: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms; after verification passes, the Serving PoS protects "MIH_Commit-REQ" with Kcs to obtain "[MIH_Commit-REQ]Kcs" and sends it to the target PoS.
  • Step 213: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs; after verification passes, the target PoS sends the Kcs-protected "[MIH_Commit-RSP]Kcs" to the Serving PoS.
  • Step 214: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs; after verification passes, the Serving PoS sends the Kms-protected "[MIH_Commit-RSP]Kms" to the MN.
  • Step 215: The MN receives "[MIH_Commit-RSP]Kms", verifies Kms, and completes the handover. Afterwards, the MN may also send a handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS, and the target PoS returns the response message "[MIH_Complete-RSP]Kmc" to confirm that the handover is complete.
  • In this embodiment, SAs are established between the MN and each PoS and between the PoSs, i.e. shared keys ensure that the MN obtains the service information securely and that the network handover process is secure, thereby solving the security problem of media independent handover as a whole.
  • In Step 201, the information server may likewise determine, from the destination information in "[MIH_Service-REQ]Kmn", whether it is the destination of the MN's message. The way the service information is obtained in this embodiment may be replaced by the method of the first method embodiment, or by the Serving PoS broadcasting the service message "[MIH_Service]Kms".
  • The information server may also broadcast the "[MIH_Service]Kmn" message directly to the MN, so that the MN obtains the service information from it.
  • Likewise, the network handover process that follows once the service information has been obtained may be replaced by the corresponding process of the first method embodiment, and the MN's network handover is still implemented securely.
  • In the direct security architecture, the MN can distinguish the target of its key request and establish its SA with the target network while still in the original network. The SA can therefore be established before the handover rather than after it, which reduces handover delay.
  • Specifically, after receiving "[MIH_Prepare-RSP]Kms", the MN first establishes an SA with every accessible candidate PoS, i.e. generates a shared key between itself and each accessible candidate PoS, and only then sends the handover execution request to the target PoS. This avoids having to establish the SA during handover execution, or being unable to complete the handover at all, and so saves handover execution time and speeds up the network handover.
  • The Serving PoS of the visited network where the MN is located need not have a security association with the information server, since the MN can reach the information server directly under Kmn.
  • The SA may thus be established first and the handover performed afterwards, which saves access handover time.
  • A message is protected by a shared key using either encryption or integrity protection; which of the two is used is determined by the specific agreement.
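The two signalling flows above (Steps 101 to 115 of the first embodiment and Steps 201 to 215 of the second) are written out below as an added example; this is not code from the patent or from Huawei. It models each "[MSG]K" as the message plus an HMAC-SHA256 tag under K, i.e. the integrity-protection variant the previous paragraph allows, and it makes visible the two points the step lists leave implicit: the Serving PoS must verify a message under Kms before it re-protects it under the target's Kcs, and in the second embodiment Kmc is established with every admitting candidate before the commit rather than with the target after it. The MAC choice, the random nonce with a per-receiver replay check, the JSON message layout, the key values, the PoS and AAA names, and the derivation of Kmc from Kma and the request nonce are all assumptions, since the patent only says that the AAA server generates Kmc.

```python
import hashlib
import hmac
import json
import os

# Constructed keys; the page names them but does not say how they are provisioned.
KEYS = {
    "Kms": os.urandom(32),                                      # MN <-> Serving PoS
    "Kcs": {"PoS-A": os.urandom(32), "PoS-B": os.urandom(32)},  # Serving PoS <-> each candidate PoS
    "Kma": os.urandom(32),                                      # MN <-> AAA server
}


def mac(key, msg_type, nonce, body):
    data = f"{msg_type}|{nonce}|{json.dumps(body, sort_keys=True)}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key, msg_type, body):
    """Build "[msg_type]K": the body plus a fresh nonce and an HMAC-SHA256 tag under K (assumed MAC)."""
    nonce = os.urandom(16).hex()
    return {"type": msg_type, "nonce": nonce, "body": body, "tag": mac(key, msg_type, nonce, body)}


def verify(key, msg, seen):
    """"Verify K": constant-time tag check, then reject a nonce this receiver has already accepted."""
    if not hmac.compare_digest(mac(key, msg["type"], msg["nonce"], msg["body"]), msg["tag"]):
        raise ValueError(f"{msg['type']}: tag does not verify under the expected key")
    if msg["nonce"] in seen:
        raise ValueError(f"{msg['type']}: replayed nonce")
    seen.add(msg["nonce"])
    return msg["body"]


def derive_kmc(kma, mn_id, pos_id, nonce):
    """Assumed Kmc derivation; the page only says the AAA server generates Kmc after verifying Kma."""
    return hmac.new(kma, f"Kmc|{mn_id}|{pos_id}|{nonce}".encode(), hashlib.sha256).digest()


def request_kmc(keys, seen, trace, mn_id, pos):
    """Steps 111-115 / 207-211: "[MIH_Key-REQ]Kma" passes through the PoS (which holds no Kma) to the AAA server."""
    kreq = protect(keys["Kma"], "MIH_Key-REQ", {"mn": mn_id, "pos": pos})
    trace.append((f"MN->{pos}->AAA", kreq["type"]))
    kb = verify(keys["Kma"], kreq, seen["AAA"])
    kmc_pos = derive_kmc(keys["Kma"], kb["mn"], kb["pos"], kreq["nonce"])  # handed to the PoS in AAA RSP
    krsp = protect(kmc_pos, "MIH_Key-RSP", {"pos": pos})
    trace.append((f"{pos}->MN", krsp["type"]))
    kmc_mn = derive_kmc(keys["Kma"], mn_id, pos, kreq["nonce"])
    verify(kmc_mn, krsp, seen["MN"])
    return kmc_mn, kmc_pos


def run_handover(keys, admits, direct=False, mn_id="MN-1"):
    """Default architecture (steps 101-115) or, with direct=True, the key-first order of steps 201-215."""
    seen = {name: set() for name in ("MN", "SPoS", "AAA", *keys["Kcs"])}
    trace = []

    def send(hop, msg):
        trace.append((hop, msg["type"]))
        return msg

    # Service request / response under Kms.
    req = send("MN->SPoS", protect(keys["Kms"], "MIH_Service-REQ", {"mn": mn_id}))
    verify(keys["Kms"], req, seen["SPoS"])
    rsp = send("SPoS->MN", protect(keys["Kms"], "MIH_Service-RSP", {"networks": list(keys["Kcs"])}))
    networks = verify(keys["Kms"], rsp, seen["MN"])["networks"]

    # Prepare under Kms; the Serving PoS queries each candidate under that candidate's own Kcs.
    prep = send("MN->SPoS", protect(keys["Kms"], "MIH_Prepare-REQ", {"query": networks}))
    results = {}
    for pos in verify(keys["Kms"], prep, seen["SPoS"])["query"]:
        q = send(f"SPoS->{pos}", protect(keys["Kcs"][pos], "MIH_Query-REQ", {"mn": mn_id}))
        verify(keys["Kcs"][pos], q, seen[pos])
        a = send(f"{pos}->SPoS", protect(keys["Kcs"][pos], "MIH_Query-RSP", {"admit": admits[pos]}))
        results[pos] = verify(keys["Kcs"][pos], a, seen["SPoS"])["admit"]
    prsp = send("SPoS->MN", protect(keys["Kms"], "MIH_Prepare-RSP", {"results": results}))
    results = verify(keys["Kms"], prsp, seen["MN"])["results"]
    admitted = [pos for pos, ok in results.items() if ok]
    if not admitted:
        raise RuntimeError("no candidate PoS admits the MN")
    target = admitted[0]

    kmcs = {}
    if direct:  # second embodiment: Kmc with every admitting candidate before the commit
        for pos in admitted:
            kmcs[pos] = request_kmc(keys, seen, trace, mn_id, pos)

    # Commit: the Serving PoS verifies Kms, then re-protects the same body under the target's Kcs.
    commit = send("MN->SPoS", protect(keys["Kms"], "MIH_Commit-REQ", {"target": target}))
    body = verify(keys["Kms"], commit, seen["SPoS"])
    fwd = send(f"SPoS->{target}", protect(keys["Kcs"][target], "MIH_Commit-REQ", body))
    verify(keys["Kcs"][target], fwd, seen[target])
    crsp = send(f"{target}->SPoS", protect(keys["Kcs"][target], "MIH_Commit-RSP", {"ok": True}))
    body = verify(keys["Kcs"][target], crsp, seen["SPoS"])
    verify(keys["Kms"], send("SPoS->MN", protect(keys["Kms"], "MIH_Commit-RSP", body)), seen["MN"])

    if not direct:  # first embodiment: Kmc with the target only, after the commit
        kmcs[target] = request_kmc(keys, seen, trace, mn_id, target)
    return {"target": target, "kmc": kmcs, "trace": trace}


if __name__ == "__main__":
    for hop, msg_type in run_handover(KEYS, {"PoS-A": False, "PoS-B": True})["trace"]:
        print(f"{hop:18} {msg_type}")
```

Running the file prints the hop-by-hop trace of the first embodiment. The design choice worth noting is that a tag alone proves only which key produced a message, not when: without the nonce check in verify(), a captured "[MIH_Commit-REQ]Kms" could be replayed to the Serving PoS and would be forwarded under Kcs as a fresh commit. Confidentiality, the other option the paragraph above allows, would require an AEAD in place of the bare MAC; the key separation and relay logic are unchanged by that choice.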
  • The mobile node device 10 includes a service information obtaining module 11, a verification module 12, a requesting module 13 and a message protection module 14.
  • The service information obtaining module 11 is configured to obtain service information protected by a shared key from the network side;
  • the verification module 12 is configured to verify the shared key, such as Kms, Kmn or Kmc; the requesting module 13 is configured, once the verification module 12 has verified that the shared key passes, to send a handover preparation request message to the network side according to the service information, or to send a service request message for obtaining the service information to the network side;
  • the message protection module 14 protects the handover preparation request message and the service request message with Kms, or protects the service request message with Kmn.
  • The service information obtaining module 11 is further configured to receive the Kms-protected handover command, or the handover preparation response message and the handover execution response message, sent by the network side, where the handover preparation response message contains the judgment result;
  • the requesting module 13 is further configured to send a Kms-protected handover execution request message to the network side according to the handover command, or to obtain the judgment result from the handover preparation response message and, according to it,
  • send a Kms-protected handover execution request message to the network side, the handover execution request message containing the target point of service information; the requesting module 13 is further configured to send a Kma-protected key generation request message to the network-side AAA server;
  • the message protection module 14 is further configured to protect the key generation request message with Kma; the service information obtaining module 11 is further configured to receive the Kmc-protected key generation response message sent by the network side; and the verification module 12 is further configured to verify Kmc.
  • The mobile node device embodiment described above enables the mobile node to perform media independent handover securely through the verification module 12 and the message protection module 14.
  • FIG. 6 is a schematic structural diagram of an embodiment of a media independent switching system according to the present invention.
  • The system 20 includes a message sending module 21, a system message protection module 22, a message receiving module 23, a system verification module 24 and a handover module 25.
  • The system message protection module 22 is configured to protect the service information with a shared key, and the message sending module 21
  • then sends the protected service information to the MN;
  • the message receiving module 23 is configured to receive the Kms-protected handover preparation request message sent by the MN;
  • the system verification module 24 is configured to verify Kms;
  • the handover module 25 is configured to connect the MN to the target point of service according to the handover preparation
  • request message and to complete the handover.
  • The message receiving module 23 is further configured to receive the Kms-protected service request message sent by the MN; the message sending module 21 may be further configured to send a service response message containing the service information to the MN; and the system message protection module 22 may also protect the service response message with Kms.
  • The handover module 25 may include a first receiving module, a first verification module, a first protection module, a first sending module, a second receiving module, a second verification module, a second protection module, a second sending module, a third receiving module, a third verification module, a key generation module and a third sending module. The first receiving module, first verification module, first protection module and first sending module are located in the Serving PoS; after the system verification module verifies that Kms passes, the first protection module protects the resource query request message with Kcs and the first sending module sends it to the candidate PoSs.
  • The second receiving module, second verification module, second protection module and second sending module are located in the candidate PoS or the target PoS. The second receiving module receives the resource query request message sent by the first sending module, and the second verification module verifies the Kcs protecting it; after verification passes, the candidate PoS generates a resource query response message, which the second protection module protects with Kcs and the second sending module sends to the Serving PoS. The first receiving module receives the resource query response message and the first verification module verifies Kcs.
  • The first receiving module receives the Kms-protected handover execution request message sent by the MN, and the first verification module verifies Kms.
  • After verification passes, the first protection module protects the handover execution request message with Kcs, and the first sending module sends the Kcs-protected handover execution request message to the second receiving module.
  • The second verification module verifies Kcs and, after verification passes, the target PoS generates a handover execution response message; the second protection module protects it with Kcs, and the second sending module sends the protected handover execution response message to the Serving PoS, which re-protects it with Kms and forwards it to the MN. The second receiving module receives the Kma-protected key generation request message sent by the MN,
  • and the second sending module sends the Kma-protected key generation request message to the third receiving module;
  • the third receiving module, third verification module, key generation module and third sending module are located in the AAA server. The third receiving module receives the key generation request message and the third verification module verifies Kma; after verification passes, the key generation module generates Kmc, and the third sending module sends the verification result of the third verification module and Kmc to the second receiving module;
  • after the second receiving module receives them, the target PoS generates a key generation response message, the second protection module protects it with Kmc, and the second sending module sends the protected key generation response message to the MN;
  • after the second receiving module receives the Kmc-protected handover complete request message sent by the MN, the second verification module verifies Kmc and, after verification passes, the target PoS generates a handover complete response message, which the second protection module protects with Kmc and the second sending module sends to the MN.
  • the media independent switching system may further include a determining module, which is located in the Serving PoS and configured to determine whether the PoS is the sending target of the service request message, or to determine whether the information requested by the MN is stored; if the PoS is the destination of the service request message, the Serving PoS performs the corresponding operation, such as verifying the Kms; if it is determined that the information requested by the MN is stored, the first sending module sends the information requested by the MN to the MN.
  • the media independent switching system may further include a creating module, which is set on the Serving PoS; if the determining module determines that the Serving PoS does not store the information requested by the MN, a new service request message is created and sent to the information server.
  • the system message protection module ensures the security of the media independent handover.
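The module description above only says that each message is "protected" by a shared key and "verified" by the receiving side; it does not say which primitive is used. The following is an added simulation, not code from the patent, that walks the handover execution, key generation and handover completion exchange with the four keys named above (Kms between MN and Serving PoS, Kcs between Serving PoS and candidate/target PoS, Kma between MN and AAA, Kmc generated per handover for MN and target PoS). Protection is modelled as an HMAC-SHA256 tag over the message body, the Kmc derivation from Kma is an assumed construction, and the identifiers, message types and keys are constructed for the example.

```python
"""Constructed simulation of shared-key message protection in the MIH handover
flow described above. Assumptions (not from the patent): protection = HMAC-SHA256
over a canonical JSON body; Kmc is derived from Kma, the MN id, the target PoS
id and a fresh nonce so that the AAA server and the MN obtain the same value."""
import hashlib
import hmac
import json
import secrets


def protect(key: bytes, body: dict) -> dict:
    """Protection module: attach an HMAC-SHA256 tag over the canonical JSON body."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}


def verify(key: bytes, msg: dict) -> bool:
    """Verification module: recompute the tag and compare in constant time."""
    data = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def derive_kmc(kma: bytes, mn_id: str, target_pos: str, nonce_hex: str) -> bytes:
    """Key generation module (assumed construction): Kmc bound to the MN, the
    target PoS and a fresh nonce, derived from Kma."""
    label = f"Kmc|{mn_id}|{target_pos}|{nonce_hex}".encode()
    return hmac.new(kma, label, hashlib.sha256).digest()


def run_handover(kms: bytes, kcs: bytes, kma: bytes, tamper: bool = False) -> dict:
    """Run the exchange and record the outcome of every verification step.
    Stops at the first failed verification, as the modules above do.
    tamper=True alters the MN's request after it was protected (in transit)."""
    mn_id, target = "mn-0001", "target-pos"      # constructed identifiers
    results = {}

    # MN -> Serving PoS: handover execution request protected with Kms.
    req = protect(kms, {"type": "HO_EXEC_REQ", "mn": mn_id, "target": target})
    if tamper:
        req["body"]["target"] = "other-pos"     # modified after the tag was computed
    results["serving_pos_verifies_kms"] = verify(kms, req)
    if not results["serving_pos_verifies_kms"]:
        return results

    # Serving PoS -> target PoS: same body re-protected with Kcs.
    fwd = protect(kcs, req["body"])
    results["target_pos_verifies_kcs"] = verify(kcs, fwd)

    # Target PoS -> Serving PoS -> MN: handover execution response protected with Kcs.
    resp = protect(kcs, {"type": "HO_EXEC_RESP", "mn": mn_id, "status": "accept"})
    results["serving_pos_verifies_resp_kcs"] = verify(kcs, resp)

    # MN -> target PoS -> AAA: key generation request protected with Kma.
    nonce = secrets.token_hex(16)
    kgen = protect(kma, {"type": "KEY_GEN_REQ", "mn": mn_id, "target": target, "nonce": nonce})
    # The target PoS holds Kcs, not Kma, so it cannot verify this message itself
    # and forwards it to the AAA server, which does hold Kma.
    results["target_pos_cannot_verify_kma"] = not verify(kcs, kgen)
    results["aaa_verifies_kma"] = verify(kma, kgen)
    if not results["aaa_verifies_kma"]:
        return results

    # AAA generates Kmc and hands it to the target PoS; the MN derives the same value.
    kmc_at_target_pos = derive_kmc(kma, mn_id, target, nonce)
    kmc_at_mn = derive_kmc(kma, mn_id, target, nonce)

    # Target PoS -> MN: key generation response protected with Kmc.
    kresp = protect(kmc_at_target_pos, {"type": "KEY_GEN_RESP", "mn": mn_id, "status": "ok"})
    results["mn_verifies_kmc"] = verify(kmc_at_mn, kresp)

    # MN -> target PoS: handover completion request protected with Kmc.
    done = protect(kmc_at_mn, {"type": "HO_COMPLETE_REQ", "mn": mn_id})
    results["target_pos_verifies_complete_kmc"] = verify(kmc_at_target_pos, done)
    return results


if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]
    for stage, ok in run_handover(*keys).items():
        print(f"{stage:36s} {'pass' if ok else 'FAIL'}")
    print("tampered request:", run_handover(*keys, tamper=True))
```

The point the simulation makes is the one the module list implies but does not spell out: each hop re-protects the message under the key it shares with the next hop, so a message altered between MN and Serving PoS fails at the first verification and is never forwarded, and a PoS that does not hold Kma cannot validate the key generation request and must rely on the AAA server's verification result.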

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This invention relates to a mobile node apparatus, a method for performing a media independent handover (MIH) and an associated system. The method includes the following steps: the network side sends service information protected by a shared key to the mobile node (MN); receives the handover preparation request message, which is sent by the MN according to the service information once the MN has validated the common key and which is protected by the first shared key; validates the first shared key and controls the MN to access the target point of service (PoS). By means of the method, the security problem of the MIH is effectively solved and the security of the media independent service and of the MIH is ensured. The mobile node apparatus includes a service information obtaining module, a verification module, a request module and a message protection module. The system includes a message sending module, a system message protection module, a message receiving module, a system verification module and a handover module. By means of the apparatus and the system, the security of the MIH is ensured.
PCT/CN2008/072435 2007-09-19 2008-09-19 Appareil de nœud mobile, procédé de réalisation d'un transfert automatique de liaisons indépendamment du média et système associé WO2009039782A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101541423A CN101394664B (zh) 2007-09-19 2007-09-19 移动节点、实现媒体无关切换的方法及系统
CN200710154142.3 2007-09-19

Publications (1)

Publication Number Publication Date
WO2009039782A1 true WO2009039782A1 (fr) 2009-04-02

Family

ID=40494684

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072435 WO2009039782A1 (fr) 2007-09-19 2008-09-19 Appareil de nœud mobile, procédé de réalisation d'un transfert automatique de liaisons indépendamment du média et système associé

Country Status (2)

Country Link
CN (1) CN101394664B (fr)
WO (1) WO2009039782A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1534931A (zh) * 2003-04-02 2004-10-06 华为技术有限公司 一种在无线局域网中生成动态密钥的方法
WO2006052805A2 (fr) * 2004-11-05 2006-05-18 Freescale Semiconductor, Inc. Procede de transfert independant du support (mih) a balise simplifiee
CN1881919A (zh) * 2006-02-18 2006-12-20 华为技术有限公司 一种异构网络间切换的方法
CN1968252A (zh) * 2006-06-29 2007-05-23 华为技术有限公司 媒体无关的链路切换方法和装置

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1290362C (zh) * 2003-05-30 2006-12-13 华为技术有限公司 一种无线局域网中用于移动台切换的密钥协商方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1534931A (zh) * 2003-04-02 2004-10-06 华为技术有限公司 一种在无线局域网中生成动态密钥的方法
WO2006052805A2 (fr) * 2004-11-05 2006-05-18 Freescale Semiconductor, Inc. Procede de transfert independant du support (mih) a balise simplifiee
CN1881919A (zh) * 2006-02-18 2006-12-20 华为技术有限公司 一种异构网络间切换的方法
CN1968252A (zh) * 2006-06-29 2007-05-23 华为技术有限公司 媒体无关的链路切换方法和装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JEE, JUNGHOON ET AL., HANDOVER COMMANDS UPDATE: LB ISSUE-#18: COMMENT 495. I.E.E., vol. 802, no. 21, September 2006 (2006-09-01) *

Also Published As

Publication number Publication date
CN101394664B (zh) 2012-01-04
CN101394664A (zh) 2009-03-25

Similar Documents

Publication Publication Date Title
US20220225263A1 (en) Interworking function using untrusted network
US11431695B2 (en) Authorization method and network element
JP5421274B2 (ja) 異種無線アクセスネットワーク間におけるハンドオーバー方法
JP6343044B2 (ja) WiMAXネットワークにおいてモビリティ・イベント中にアクセス・サービス・ネットワーク機能エンティティを再配置する方法
EP2534889B1 (fr) Procédé et appareil de redirection de trafic de données
US20110078442A1 (en) Method, device, system and server for network authentication
WO2008131689A1 (fr) Procédé et système de fourniture d'un service de communication d'urgence et dispositifs correspondants
KR20140109478A (ko) 통신 핸드오프 시나리오를 위한 인증 및 보안 채널 설정
KR20110138548A (ko) 응급 콜을 지원하는 이동 통신 시스템에서 보안 관리 방법 및 장치와 그 시스템
WO2005081567A1 (fr) Ameliorations de l'authentification et de l'autorisation dans les reseaux heterogenes
JP4352048B2 (ja) ドメイン間ハンドオーバ
CN108881131B (zh) Sdn多域移动网络环境下主机身份鉴别信息的高效移交机制
WO2008019615A1 (fr) Procédé, dispositif et système pour authentification d'accès
WO2016155012A1 (fr) Procédé d'accès dans un réseau de communication sans fil, dispositif et système associés
WO2006000152A1 (fr) Procede pour la gestion d'equipement d'utilisateur d'acces au reseau au moyen de l'architecture d'authentification generique
JP4474465B2 (ja) セキュアハンドオーバ
WO2010130191A1 (fr) Procédé d'authentification en commutation de réseaux d'accès, système et dispositif correspondants
WO2007073654A1 (fr) Procede de gestion ip mobile et systeme de reseau correspondant
WO2022247812A1 (fr) Procédé d'authentification, dispositif de communication et système
US20110003546A1 (en) System and Method for Communications Device and Network Component Operation
US9137661B2 (en) Authentication method and apparatus for user equipment and LIPA network entities
WO2009097749A1 (fr) Procédé, système et dispositif pour protéger l'utilisateur de la fraude par nœud b domestique
WO2009039782A1 (fr) Appareil de nœud mobile, procédé de réalisation d'un transfert automatique de liaisons indépendamment du média et système associé
WO2010015164A1 (fr) Procédé de traitement de transfert, dispositif côté réseau et système de réseau
CN105636033A (zh) 一种终端移动管理的方法、装置和系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800929

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800929

Country of ref document: EP

Kind code of ref document: A1