WO2009094942A1 - Method and communication network system for establishing a security association - Google Patents

Method and communication network system for establishing a security association

Info

Publication number
WO2009094942A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
relay station
terminal
base station
key
Prior art date
Application number
PCT/CN2009/070273
Other languages
English (en)
Chinese (zh)
Inventor
Xiaoying Xu
Jing Chen
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to CN200980102466.XA (CN101926151B)
Publication of WO2009094942A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies

Definitions

  • The present invention relates to the field of wireless communications, and in particular to a method and a communication network system for establishing a security association.
  • Background art
  • A user terminal can receive service through a relay station. The introduction of relay stations adds a new function at the air interface and further strengthens the distributed processing characteristics of the system.
  • Deploying relay stations can improve the wireless access performance of the system, cover shadow areas, extend the coverage radius of a base station and raise the data rate in specific areas.
  • Wireless access technology itself is being enhanced in several directions, and wireless relaying is an important one. Once a relay station is introduced into the LTE system, the process of establishing a security association between the terminal and the network inevitably involves the relay station.
  • Security protection in the LTE system is divided into two parts, the access network and the core network. It is therefore necessary to keep the complexity of the LTE system design under control and preserve its security after the introduction of the relay station, and to make use of the good characteristics of relaying to realize an excellent mobile communication system.
  • FIG. 1 shows how a security association is established in IEEE 802.16j. The terminal synchronizes and registers with the network side through the relay station and obtains a Master Session Key (MSK) with the authentication server through the key management protocol (PKM); the authentication server sends the MSK to the base station, and the base station derives the Authorization Key (AK) from the MSK.
  • MSK Master Session Key
  • AK Authorization Key
  • The base station sends the AK to the terminal through the relay station.
  • The terminal and the relay station synchronize the AK by means of a three-way handshake, and from the AK the Key Encryption Key (KEK) that protects the Traffic Encryption Key (TEK) is derived; the TEK is generated by the base station.
  • KEK Key Encryption Key
  • TEK Traffic Encryption Key
  • The TEK is obtained between the terminal and the relay station through the TEK request procedure.
  • The inventors have found that the prior art has at least the following problems:
  • The LTE system has more keys than the IEEE 802.16j system, and its key generation procedure is more complex. Therefore, when a relay station is introduced into the LTE system there is no suitable method for establishing a security association between the terminal and the network, and the security procedure of the prior art cannot be applied to establish one.
  • Embodiments of the present invention provide a method for establishing a security association between a terminal and the network side, so that after a relay station is introduced into the evolved LTE system a security association can still be established between the terminal and the network.
  • An embodiment of the present invention provides a method for establishing a security association between a terminal and the network side, including: receiving an access request message forwarded by a relay station; obtaining a shared root key after authenticating the terminal according to the access request message; selecting a security algorithm, the security algorithm being one supported by both the terminal and the network side; deriving a base station key from the shared root key; and sending a security mode command to the terminal through the relay station, the security mode command including the security algorithm.
  • An embodiment of the invention further discloses a communication network system, comprising: a first receiving unit, configured to receive an access request message forwarded by a relay station; a key obtaining unit, configured to obtain the shared root key after the terminal is authenticated according to the access request message received by the first receiving unit; a selecting unit, configured to select a security algorithm supported by both the terminal and the network side; a deriving unit, configured to derive a base station key from the shared root key obtained by the key obtaining unit; and a first sending unit, configured to send a security mode command to the terminal through the relay station, the security mode command including the security algorithm selected by the selecting unit.
  • The embodiments of the invention have the following advantages:
  • After receiving the access request sent by the terminal through the relay station, the network side selects a security algorithm for establishing the security association and sends a security mode command containing the selected algorithm to the terminal through the relay station; once the terminal has obtained the algorithm it establishes a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The technical solution inherits the security mechanism of the LTE system and secures the mobile communication system after the relay station joins it, without changing the existing security mechanism and without increasing the complexity of the system.
  • FIG. 1 is a schematic diagram of a prior-art method for establishing a security association between a terminal and the network side in the IEEE 802.16j standard
  • FIG. 2 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a first embodiment of the present invention
  • FIG. 3 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a second embodiment of the present invention
  • FIG. 4 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a third embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a fourth embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a fifth embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a communication network system according to a sixth embodiment of the present invention.
  • the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
  • A first embodiment of the present invention is described with reference to FIG. 2: a method for establishing a security association between a terminal and the network side, applied to an LTE system and its evolved systems. The method includes:
  • Step 201 Receive an access request message from the terminal, forwarded by the relay station.
  • Step 202 Obtain a shared root key after authenticating the terminal according to the access request message.
  • Step 203 Select a security algorithm, where the security algorithm is one supported by both the terminal and the network side.
  • Step 204 Derive a base station key from the shared root key.
  • Step 205 Send a security mode command to the terminal through the relay station, where the security mode command includes the security algorithm.
  • In this embodiment the network side selects the security algorithm for establishing the security association and sends a security mode command containing it to the terminal through the relay station; once the terminal has obtained the algorithm it can establish a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The solution inherits the security mechanism of the LTE system and secures the mobile communication system after the relay station joins it, without substantially changing the existing security mechanism and without increasing the complexity of the system.
  • A second embodiment of the present invention is described with reference to FIG. 3. The method includes:
  • Step 301 The terminal sends an access request message to the relay station, where the access request message includes the terminal capability and the terminal identity.
  • The terminal capability may include the algorithms supported by the terminal itself.
  • The terminal identity may be an identifier such as a Temporary Mobile Subscriber Identity (TMSI) or an International Mobile Subscriber Identity (IMSI).
  • TMSI Temporary Mobile Subscriber Identity
  • IMSI International Mobile Subscriber Identity
  • Step 302 The relay station forwards the access request message sent by the terminal to the base station.
  • Step 303 After receiving the access request message from the relay station, the base station forwards it to the mobility management entity.
  • The base station may additionally notify the mobility management entity of its own base station capability, which may include, but is not limited to, the algorithms supported by the base station itself.
  • Step 304 The mobility management entity sends the terminal identity carried in the received access request message to the home subscriber server.
  • Step 305 The home subscriber server generates an authentication vector according to the identity of the terminal. The authentication vector is used for mutual authentication between the terminal and the network side and includes a random number RAND, an expected response XRES (expected user response), an authentication token AUTN (AUTN = SQN||AMF||MAC) and the shared root key Kasme (key for the Access Security Management Entity).
  • RAND random number
  • XRES expected user response
  • AUTN authentication token, SQN||AMF||MAC
  • Kasme shared root key (Key for the Access Security Management Entity)
  • Step 306 After generating the authentication vector, the home subscriber server sends it to the mobility management entity.
  • Step 307 The mobility management entity sends the random number RAND and the authentication token AUTN to the base station.
  • Step 308 The base station sends the received RAND and AUTN to the relay station.
  • Step 309 The relay station sends the received RAND and AUTN to the terminal.
  • Step 311 The terminal sends a response message to the relay station, where the response message includes the response RES.
  • Step 312 The relay station forwards the response message sent by the terminal to the base station.
  • Step 313 The base station sends the received response message to the mobility management entity.
  • Step 314 The mobility management entity checks whether the RES is identical to the XRES in the authentication vector. If they are identical the terminal is authenticated, and the terminal and the mobility management entity now share the root key Kasme.
  • Step 315 The mobility management entity selects a security algorithm according to the terminal capability and the base station capability. The security algorithm is one supported by both the terminal and the network side and includes an access stratum (AS) security algorithm, which may comprise a Radio Resource Control (RRC) algorithm and a User Plane (UP) algorithm; the base station key can be derived according to the security algorithm selected by the mobility management entity and the shared root key Kasme.
  • RRC Radio Resource Control
  • UP User Plane
  • The security algorithm may further include a Non-Access Stratum (NAS) algorithm.
  • NAS Non-Access Stratum
  • Step 316 The mobility management entity sends the security algorithm and the base station key to the base station.
  • The security algorithm and the base station key may be carried in a single message sent by the mobility management entity to the base station.
  • Step 317 The base station sends the security algorithm and an integrity check code to the relay station.
  • The security algorithm and the integrity check code may be carried in a security mode command.
  • The base station may apply security protection to the transmitted content using the base station key, generating an integrity check code over the command, and send that integrity check code to the relay station.
  • Step 318 The relay station sends the received security algorithm and integrity check code to the terminal.
  • Step 319 After receiving the security algorithm and the integrity check code, the terminal verifies the integrity of the message forwarded by the relay station and, if the verification succeeds, sends a verification confirmation message to the relay station.
  • Step 320 The relay station forwards the received verification confirmation message to the base station.
  • Step 321 The base station sends the received verification confirmation message to the mobility management entity.
  • Step 322 When the mobility management entity receives the verification confirmation message, security algorithm negotiation and key agreement between the terminal and the base station are complete, and the security association is established.
  • Optionally, when the relay station forwards the access request message it may also send its own relay capability to the mobility management entity, and the mobility management entity may then select the security algorithm according to the terminal capability, the relay capability and the base station capability.
  • In this embodiment the relay station holds no security association between the terminal and the base station and no information about the terminal; it transparently forwards the messages between the terminal and the network side.
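  • The procedure of steps 201 to 205 and 301 to 322, with the optional relay capability taken into account in algorithm selection, modelled end to end in Python as an added example. This is not code from the patent or from Huawei. It assumes HMAC-SHA256 as a stand-in for the 3GPP key derivation function and the AKA functions, conceals SQN with an anonymity key as 3GPP AKA does, and uses illustrative algorithm labels (eia1/eia2, eea0/eea1/eea2), an assumed network preference order and assumed derivation labels (KeNB, RRCint); the subscriber data is constructed. The relay only forwards, so its `forward` method is the identity; the terminal derives the base station key from Kasme itself and rejects a security mode command whose integrity code does not match, which is what stops a downgrade of the algorithms in flight.

```python
import hashlib
import hmac
import os

# Network preference order per algorithm kind, highest first (assumed labels and order).
PREFERENCE = {"integrity": ["eia2", "eia1"], "ciphering": ["eea2", "eea1", "eea0"]}

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over a label and length-prefixed params."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_smc(smc: dict) -> bytes:
    """Deterministic encoding of the security mode command: the input to the integrity code."""
    return "|".join(f"{k}={smc[k]}" for k in sorted(smc)).encode()

def smc_integrity_code(kenb: bytes, smc: dict) -> bytes:
    """Integrity code under a key derived from the base station key (used by eNB and terminal)."""
    k_int = kdf(kenb, b"RRCint", smc["rrc_int"].encode())
    return hmac.new(k_int, encode_smc(smc), hashlib.sha256).digest()[:4]

class HSS:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # IMSI -> [long-term key K, next SQN] (constructed data)

    def authentication_vector(self, imsi: str):
        """Step 305: RAND, XRES, AUTN = (SQN xor AK)||AMF||MAC, and the shared root key Kasme."""
        k, sqn = self.subscribers[imsi]
        self.subscribers[imsi][1] = sqn + 1
        sqn_b, rand, amf = sqn.to_bytes(6, "big"), os.urandom(16), b"\x80\x00"
        ak = kdf(k, b"AK", rand)[:6]  # anonymity key concealing SQN, as in 3GPP AKA
        autn = xor(sqn_b, ak) + amf + kdf(k, b"MAC", rand, sqn_b, amf)[:8]
        return rand, kdf(k, b"RES", rand)[:8], autn, kdf(k, b"KASME", rand, sqn_b)

class Terminal:
    def __init__(self, imsi: str, k: bytes, capability: dict):
        self.imsi, self.k, self.capability = imsi, k, capability
        self.last_sqn, self.kasme = -1, None

    def access_request(self) -> dict:  # step 301: identity plus supported algorithms
        return {"identity": self.imsi, "capability": self.capability}

    def authenticate(self, rand: bytes, autn: bytes) -> bytes:
        """Steps 309-311: check AUTN (network authenticity, replay), derive Kasme, return RES."""
        ak = kdf(self.k, b"AK", rand)[:6]
        sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, kdf(self.k, b"MAC", rand, sqn_b, amf)[:8]):
            raise ValueError("AUTN MAC failure: network not authenticated")
        if int.from_bytes(sqn_b, "big") <= self.last_sqn:
            raise ValueError("AUTN SQN replayed")
        self.last_sqn = int.from_bytes(sqn_b, "big")
        self.kasme = kdf(self.k, b"KASME", rand, sqn_b)
        return kdf(self.k, b"RES", rand)[:8]

    def security_mode_command(self, smc: dict, mic: bytes) -> dict:
        """Step 319: derive the base station key from Kasme and verify the forwarded command."""
        if not hmac.compare_digest(smc_integrity_code(kdf(self.kasme, b"KeNB"), smc), mic):
            raise ValueError("security mode command integrity check failed")
        return {"verified": True, "selected": dict(smc)}

class Relay:
    """Transparent relay (steps 302, 309, 312, 318, 320): forwards every message unchanged."""
    def __init__(self, capability: dict):
        self.capability = capability

    def forward(self, message):
        return message

def select_algorithms(*capabilities: dict) -> dict:
    """Step 315: per kind, the most preferred algorithm that every listed party supports."""
    chosen = {}
    for kind, prefs in PREFERENCE.items():
        common = [a for a in prefs if all(a in c.get(kind, ()) for c in capabilities)]
        if not common:
            raise ValueError(f"no common {kind} algorithm")
        chosen[kind] = common[0]
    return chosen

def run_attach(terminal, relay, base_station_capability, hss, tamper=False) -> dict:
    """Steps 301-322 end to end; tamper=True rewrites the forwarded command (must be rejected)."""
    req = relay.forward(terminal.access_request())                               # 301-303
    rand, xres, autn, kasme = hss.authentication_vector(req["identity"])         # 304-306
    res = terminal.authenticate(*relay.forward((rand, autn)))                    # 307-311
    if not hmac.compare_digest(relay.forward(res), xres):                        # 312-314
        raise ValueError("RES/XRES mismatch: terminal not authenticated")
    algs = select_algorithms(req["capability"], base_station_capability, relay.capability)
    kenb = kdf(kasme, b"KeNB")                                                   # 315-316
    smc = {"rrc_int": algs["integrity"], "rrc_enc": algs["ciphering"], "up_enc": algs["ciphering"]}
    mic = smc_integrity_code(kenb, smc)                                          # 317
    if tamper:
        smc = dict(smc, rrc_enc="eea0")  # downgrade attempt on the command in flight
    outcome = terminal.security_mode_command(*relay.forward((smc, mic)))         # 318-319
    return {"algorithms": algs, "keys_agree": terminal.kasme == kasme, **outcome}  # 320-322
```

The point to notice is that the relay never holds Kasme or the base station key in this flow, so it cannot compute a valid integrity code; the `tamper=True` path shows that a relay (or anyone on the path) that rewrites the command to a weaker cipher is caught by the terminal at step 319 rather than silently accepted.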
  • The embodiment may further include the following steps to establish a security association between the terminal and the relay station, so that communication between the terminal and the relay station is better protected.
  • Step 323 The base station sends to the relay station the security association keys established between the terminal and the base station (such as the RRC key and the UP key), which are generated by the base station, together with the security algorithms (such as the RRC algorithm and the UP algorithm). The message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
  • The security association between the relay station and the base station pre-exists: it is established by the relay station when it accesses the network and protects the information exchanged between the base station and the relay station.
  • Step 324 After receiving the keys and the associated algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station, and returns an acknowledgement message to the base station.
  • Alternatively, the base station may send the base station key and the security algorithms (such as the RRC algorithm and the UP algorithm) to the relay station, again protected by the security association between the relay station and the base station. After receiving the base station key and the algorithms, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI.
  • Because the security association established between the relay station and the terminal differs from the security association between the base station and the relay station, when the relay station receives a message from the terminal it first decrypts it under the security association with the terminal, then re-encrypts it under the security association with the base station before forwarding it; when the relay station receives a message from the base station, it first decrypts it under the security association with the base station, then encrypts it under the security association with the terminal and sends it to the terminal.
  • In steps 323 and 324 the relay station passively receives the message from the base station and thereby obtains the security association between the terminal and the network side. The relay station may instead actively request the relevant security association from the base station, in which case steps 323 and 324 are replaced by steps 323' and 324' as follows:
  • Step 323' The relay station sends a terminal security association request to the base station, asking it to send the information on the security association that the terminal and the base station have established; the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
  • Step 324' The base station sends a request response message to the relay station. The message includes the security algorithms (such as the RRC algorithm and the UP algorithm) and the security association keys generated by the base station (such as the RRC key and the UP key). If the relay station can generate the C-RNTI, the base station need not transmit the RRC key and the UP key directly; the response message then carries the security algorithms and the base station key instead. From the received information the relay station obtains the security association between the terminal and the base station.
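  • The relay-side handling of step 324' in the variant where the response carries the base station key and the relay station derives the RRC and UP keys from it and the C-RNTI, followed by the decrypt-and-re-encrypt forwarding described above, as an added example in Python. This is not code from the patent or from Huawei. It assumes HMAC-SHA256 as the key derivation function, a toy HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag standing in for the EEA/EIA algorithms (for illustration only, not a production cipher), assumed key and derivation labels, and constructed keys; the pre-existing relay-to-base-station security association is given as a dict of keys.

```python
import hashlib
import hmac

KEY_NAMES = ("rrc_enc", "rrc_int", "up_enc", "up_int")

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over a label and length-prefixed params."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_as_keys(kenb: bytes, c_rnti: int) -> dict:
    """RRC/UP keys from the base station key and the C-RNTI, as step 324' describes."""
    return {n: kdf(kenb, n.encode(), c_rnti.to_bytes(2, "big")) for n in KEY_NAMES}

def keystream(key: bytes, count: int, n: int) -> bytes:
    """Toy counter-mode keystream (assumption, standing in for EEA); not for production use."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def protect(sa: dict, kind: str, count: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one PDU under the 'rrc' or 'up' keys of a security association."""
    ks = keystream(sa[kind + "_enc"], count, len(plaintext))
    body = count.to_bytes(4, "big") + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(sa[kind + "_int"], body, hashlib.sha256).digest()[:4]

def unprotect(sa: dict, kind: str, pdu: bytes):
    """Verify the tag first, then decrypt; returns (count, plaintext)."""
    body, tag = pdu[:-4], pdu[-4:]
    if not hmac.compare_digest(tag, hmac.new(sa[kind + "_int"], body, hashlib.sha256).digest()[:4]):
        raise ValueError("integrity check failed")
    count = int.from_bytes(body[:4], "big")
    ks = keystream(sa[kind + "_enc"], count, len(body) - 4)
    return count, bytes(c ^ k for c, k in zip(body[4:], ks))

class RelayStation:
    def __init__(self, rs_bs_sa: dict):
        self.rs_bs = rs_bs_sa        # pre-existing SA with the base station
        self.terminal_sa = None      # unknown while the relay is still transparent

    def request_response(self, response: dict, c_rnti: int) -> dict:
        """Step 324': the response carries the base station key; derive the terminal SA locally."""
        self.terminal_sa = derive_as_keys(response["kenb"], c_rnti)
        return {"ack": True, "algorithms": response["algorithms"]}

    def uplink(self, kind: str, pdu: bytes) -> bytes:
        """Terminal -> relay -> base station: decrypt under the terminal SA, re-protect under RS-BS SA."""
        count, plain = unprotect(self.terminal_sa, kind, pdu)
        return protect(self.rs_bs, kind, count, plain)

    def downlink(self, kind: str, pdu: bytes) -> bytes:
        """Base station -> relay -> terminal: the reverse of uplink."""
        count, plain = unprotect(self.rs_bs, kind, pdu)
        return protect(self.terminal_sa, kind, count, plain)

def two_hop_round_trip(kenb: bytes, c_rnti: int, rs_bs_sa: dict, uplink_msg: bytes, downlink_msg: bytes):
    """Runs step 324' and one PDU in each direction; returns what each end recovers."""
    terminal_sa = derive_as_keys(kenb, c_rnti)      # terminal's copy of the AS keys
    base_station_sa = derive_as_keys(kenb, c_rnti)  # base station's copy, generated from its KeNB
    relay = RelayStation(rs_bs_sa)
    relay.request_response({"kenb": kenb, "algorithms": {"rrc": "eia2/eea2", "up": "eea2"}}, c_rnti)
    at_bs = unprotect(rs_bs_sa, "up", relay.uplink("up", protect(terminal_sa, "up", 7, uplink_msg)))
    at_ue = unprotect(terminal_sa, "rrc", relay.downlink("rrc", protect(rs_bs_sa, "rrc", 8, downlink_msg)))
    return {"relay_matches_bs": relay.terminal_sa == base_station_sa,
            "at_base_station": at_bs, "at_terminal": at_ue, "relay": relay}
```

Two properties worth checking on any real implementation of this scheme are visible here: the relay and the base station must end up with byte-identical RRC/UP keys from the same (base station key, C-RNTI) input, and a PDU protected under one hop's association must be rejected, not decrypted to garbage, if presented on the other hop or modified in transit. Once the relay holds the terminal keys it sees every message in the clear, so the relay-to-base-station association and the relay itself become part of the trust boundary for that terminal's traffic.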
  • A third embodiment of the present invention is described with reference to FIG. 4, again a method for establishing a security association between a terminal and the network. Here the terminal has already completed initial network access and is moving from the idle state to the active state (idle to active). The method includes:
  • Step 401 The terminal sends an access request message to the network side through the relay station, where the message includes a TMSI and a Key Set Identifier for the Access Security Management Entity (KSIasme).
  • KSIasme Key Set Identifier for the Access Security Management Entity
  • Because the network side already knows the terminal capability of this terminal, the terminal capability need not be included in the access request message unless it has changed.
  • Steps 402 to 414 correspond to steps 302 to 314 of the second embodiment.
  • Step 415 The mobility management entity derives the base station key from the shared root key.
  • Step 416 The mobility management entity sends the base station key to the base station.
  • Step 417 The base station sends a security mode command to the relay station, the command including a security algorithm and an integrity check code.
  • Step 418 The relay station sends the received security algorithm and integrity check code to the terminal.
  • Step 419 After receiving the security algorithm and the integrity check code from the relay station, the terminal verifies the integrity of the message forwarded by the relay station and, if the verification succeeds, sends a verification confirmation message to the relay station.
  • Step 420 The relay station forwards the verification confirmation message to the base station.
  • Step 421 After receiving the verification confirmation message, the base station performs a security check; security algorithm negotiation and key agreement between the terminal and the base station are then complete.
  • Step 422 The base station sends an acknowledgement message to the mobility management entity to report that the security association has been established.
  • In this embodiment the relay station holds no security association between the terminal and the base station; it transparently forwards the messages between the terminal and the base station.
  • The embodiment may further include the following steps so that the relay station can obtain the security association between the terminal and the base station:
  • Step 423 The base station sends to the relay station the security association keys it has generated itself, such as the RRC key and the UP key, together with the security algorithms, such as the RRC algorithm and the UP algorithm. The message sent between the relay station and the base station may be protected by the security association between the relay station and the base station.
  • Step 424 After receiving the keys and algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station and returns a confirmation to the base station.
  • Alternatively, the base station may send the base station key and the security algorithms, such as the RRC algorithm and the UP algorithm, to the relay station, protected by the security association between the relay station and the base station; after receiving them, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI.
  • The security association the relay station obtains with the terminal differs from the security association between the base station and the relay station. When the relay station receives a message from the terminal it first decrypts it under the security association with the terminal, then re-encrypts it under the security association with the base station and forwards it; when it receives a message from the base station it first decrypts it under the security association with the base station, then encrypts it under the security association with the terminal and sends it to the terminal.
  • In steps 423 and 424 the relay station passively receives the message from the base station and thereby obtains the access stratum security association between the terminal and the network side. The relay station may instead actively request the relevant security association from the base station, in which case steps 423 and 424 are replaced by steps 423' and 424' as follows:
  • Step 423' The relay station sends a terminal security association request to the base station, asking it to send the security association keys that the terminal and the base station have established; the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
  • Step 424' The base station sends a request response message to the relay station. The message includes the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate the C-RNTI, the base station need not transmit the security association keys directly; the response message then carries the security algorithms and the base station key instead.
  • The relay station then derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI, and so obtains the security association with the terminal.
  • A fourth embodiment of the present invention is described with reference to FIG. 5. This method for establishing a security association between a terminal and a base station shortens the time the whole system needs to establish its security associations.
  • The embodiment includes steps 501 to 522, which are substantially the same as steps 301 to 322 of the second embodiment, except that in step 517 the base station, while sending the security algorithm and the integrity check code to the relay station, also sends the relay station the security association keys it has generated, such as the RRC key and the UP key; and in step 520 the relay station, while forwarding the terminal's confirmation, also sends a confirmation that it has received the terminal security association.
  • Alternatively, in step 517 the base station sends the security algorithm and the integrity check code to the relay station and also sends it the base station key; the relay station may then derive the security association keys from the base station key and the C-RNTI. In step 520 the relay station forwards the terminal's confirmation and also sends a confirmation that it has received the terminal security association.
  • In this way the security association between the terminal and the base station and the security association between the terminal and the relay station are established together, saving time for the system as a whole.
  • A fifth embodiment of the present invention is described with reference to FIG. 6. The embodiment includes steps 601 to 622, which are basically the same as steps 401 to 422 of the third embodiment, except that in step 617 the base station, while sending the security mode command, also sends the relay station the security association keys it has generated itself, such as the RRC key and the UP key; and in step 620 the relay station, while forwarding the terminal's confirmation, also sends a confirmation that it has received the terminal security association.
  • Alternatively, in step 617 the base station sends the base station key to the relay station together with the security mode command, and the relay station derives the security association keys from the base station key and the C-RNTI; in step 620 the relay station forwards the terminal's confirmation and also sends a confirmation that it has received the terminal security association.
  • In this way the security association between the terminal and the base station and the security association between the terminal and the relay station are established together, saving time for the system as a whole.
  • The technical solution provided by the embodiments of the present invention solves the problem of establishing a security association between the terminal and the base station after a relay station is introduced into the LTE system. Not only can the terminal establish a security association with the base station through the relay station; a security association can also be established between the terminal and the relay station, which makes the communication of the whole system more secure, and the time needed to establish security associations in the LTE relay system is reduced.
  • The technical solution inherits the security mechanism of the LTE system and combines it with the forwarding and distributed characteristics of the relay station, without substantially changing the existing security mechanism and without increasing the complexity of the system.
  • A sixth embodiment of the present invention relates to a communication network system 700, which includes: a first receiving unit 701, configured to receive an access request message sent by the terminal and forwarded by the relay station; a key obtaining unit 702, configured to obtain the shared root key after the terminal has been authenticated, based on the access request message received by the first receiving unit 701; a selecting unit 703, configured to select a security algorithm supported by both the terminal and the base station; and a deriving unit 704, configured to derive a base station key from the shared root key obtained by the key obtaining unit 702.
  • The first sending unit 705 is configured to send a security mode command to the terminal through the relay station, where the security mode command carries the security algorithm selected by the selecting unit 703.
  • The first receiving unit 701 is further configured to receive an authentication confirmation message sent by the terminal through the relay station.
  • During this procedure the relay station holds no security association with either the terminal or the base station and has no information about the terminal; it only transparently forwards messages between the terminal and the base station.
  • The communication network system may further include a second sending unit and a second receiving unit, and the deriving unit is further configured to generate a network-side security association key.
  • The second sending unit is configured to send the security algorithm and the network-side security association key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal.
  • The second receiving unit is configured to receive an acknowledgment message from the relay station, which the relay station sends to the network side after it has obtained the security association key shared with the terminal from the security algorithm and the security association key. This establishes a security association between the terminal and the relay station and makes communication between them more secure.
  • The communication network system may further include a third sending unit and a third receiving unit.
  • The third sending unit is configured to send the security algorithm and the base station key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal; the relay station then generates a C-RNTI.
  • The third receiving unit is configured to receive an acknowledgement message from the relay station, which the relay station sends to the network side after it has derived the security association key shared with the terminal from the C-RNTI together with the received base station key and security algorithm.
  • The relay station can either passively receive the security association information pushed by the communication network system or actively request that information from the communication network system.
  • The communication network system may further include a fourth sending unit and a fourth receiving unit.
  • The fourth receiving unit is configured to receive a terminal security association request sent by the relay station, and the deriving unit is further configured to generate a network-side security association key.
  • The fourth sending unit is configured to send a request response message to the relay station, where the message carries the security algorithm and the network-side security association key.
  • When the relay station can generate the C-RNTI, the communication network system, on receiving the relay station's request, need not send the security association key directly and may instead send the base station key.
  • The communication network system may further include a fifth sending unit and a fifth receiving unit.
  • The fifth receiving unit is configured to receive a terminal security association request sent by the relay station to the network side.
  • The fifth sending unit is configured to send a request response message to the relay station, where the message carries the security algorithm and the base station key.
  • The fifth receiving unit is further configured to receive a confirmation message that the relay station sends to the base station after it has derived the security association key shared with the terminal from the C-RNTI together with the received base station key and security algorithm.
  • With the communication network system provided in this embodiment, the terminal can establish a security association with the network side in the LTE evolution system and additionally a security association with the relay station, so that communication is more secure. The solution inherits the security mechanism of the LTE system and ensures the security of the mobile communication system after a relay station joins it, without substantially changing the existing security mechanism and without increasing the complexity of the system.
  • The present invention can be implemented by hardware, or by software together with the necessary general-purpose hardware platform. On that basis, the technical solution of the present invention can be embodied as a software product stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive, or portable hard disk) that contains instructions causing a computer device (which may be a personal computer, server, or network device, etc.) to perform the methods described in the various embodiments of the present invention.
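As an added illustration, not code from the patent or from Huawei, the following Python models the key flow of the sixth embodiment and its C-RNTI variant: the base station selects a mutually supported algorithm, derives a base station key from the shared root key, relays the security mode command through a relay that holds no key, and only afterwards hands the relay the material from which it binds its own C-RNTI into a relay-terminal key. HMAC-SHA256 stands in for the unspecified derivation function, and the algorithm names and root key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed model of the key flow described above; HMAC-SHA256 stands in for the
# (unspecified) key derivation function and algorithm names are sample values.

def kdf(key: bytes, label: str, *params) -> bytes:
    """Derive a 32-byte key bound to a label and the given parameters."""
    msg = label.encode() + b"".join(str(p).encode() + b"|" for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()

def select_algorithm(terminal_algs, base_station_algs, preference):
    """Pick the first algorithm in the base station's preference order that both sides support."""
    common = set(terminal_algs) & set(base_station_algs)
    for alg in preference:
        if alg in common:
            return alg
    raise ValueError("no security algorithm supported by both terminal and base station")

def derive_base_station_key(root_key: bytes) -> bytes:
    """Base station key derived from the shared root key obtained after authentication."""
    return kdf(root_key, "base-station-key")

def derive_relay_sa_key(base_station_key: bytes, algorithm: str, c_rnti: int) -> bytes:
    """Relay-terminal SA key: base station key bound to the algorithm and the relay's C-RNTI."""
    return kdf(base_station_key, "relay-sa-key", algorithm, c_rnti)

def establish(terminal_algs, base_station_algs, preference, root_key: bytes) -> dict:
    """Run the flow: SMC through a transparent relay, then key hand-over to the relay."""
    # Steps 201-204: access request forwarded by the relay, shared root key after
    # authentication, algorithm selection and base station key derivation (network side).
    alg = select_algorithm(terminal_algs, base_station_algs, preference)
    k_bs = derive_base_station_key(root_key)
    # Step 205: the security mode command {alg} passes through the relay unchanged and
    # the relay holds no key yet; the terminal derives the same base station key.
    k_bs_terminal = derive_base_station_key(root_key)
    if k_bs_terminal != k_bs:
        raise RuntimeError("terminal and base station disagree on the base station key")
    # After the verification confirmation the base station hands (alg, K_bs) to the relay,
    # which allocates a C-RNTI and derives its SA key with the terminal from it.
    c_rnti = secrets.randbelow(1 << 16)
    k_relay = derive_relay_sa_key(k_bs, alg, c_rnti)
    # The terminal learns the C-RNTI from the relay and derives the same SA key.
    k_terminal_relay = derive_relay_sa_key(k_bs_terminal, alg, c_rnti)
    return {"algorithm": alg, "c_rnti": c_rnti,
            "relay_sa_key": k_relay, "terminal_sa_key": k_terminal_relay}
```

Because the relay key is derived from the base station key rather than the root key, a relay never sees the shared root key, and a different C-RNTI or algorithm yields a different relay-terminal key.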

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for establishing a security association, comprising: receiving the access request message that is sent by the terminal and forwarded by the relay station (201); obtaining the shared root key after authentication of the terminal according to the access request message (202); selecting the security algorithm, which is supported by both the terminal and the network side (203); deriving the base station key according to the shared root key (204); and sending the security mode command to the terminal through the relay station, the security mode command including the security algorithm (205). The invention also relates to a communication network system. Applying the solution of the present invention solves the problem of establishing a security association between the terminal and the network after the introduction of the relay station into the LTE system, and the security mechanism of LTE is inherited; without increasing the complexity of the system, the security and operability of the system are ensured.
PCT/CN2009/070273 2008-01-30 2009-01-22 Method and communication network system for establishing a security association WO2009094942A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200980102466.XA CN101926151B (zh) 2008-01-30 2009-01-22 Method for establishing a security association and communication network system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008100652635A CN101500229B (zh) 2008-01-30 2008-01-30 Method for establishing a security association and communication network system
CN200810065263.5 2008-01-30

Publications (1)

Publication Number Publication Date
WO2009094942A1 true WO2009094942A1 (fr) 2009-08-06

Family

ID=40912286

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070273 WO2009094942A1 (fr) 2008-01-30 2009-01-22 Method and communication network system for establishing a security association

Country Status (2)

Country Link
CN (2) CN101500229B (fr)
WO (1) WO2009094942A1 (fr)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2421292B1 (fr) 2009-04-30 2015-04-15 Huawei Technologies Co., Ltd. Method and device for establishing a security mechanism for an air interface link
US8605904B2 (en) 2009-08-14 2013-12-10 Industrial Technology Research Institute Security method in wireless communication system having relay node
TWI430674B (zh) * 2009-08-14 2014-03-11 Ind Tech Res Inst Security method for a wireless communication system having relay nodes
CN102056160B (zh) * 2009-11-03 2013-10-09 Huawei Technologies Co., Ltd. Key generation method, apparatus and system
US8904167B2 (en) * 2010-01-22 2014-12-02 Qualcomm Incorporated Method and apparatus for securing wireless relay nodes
CN101951554A (zh) * 2010-08-25 2011-01-19 ZTE Corporation Method and system for implementing pre-access to encrypted conference calls
CN101931955B (zh) * 2010-09-03 2015-01-28 ZTE Corporation Authentication method, apparatus and system
CN101945386B (zh) * 2010-09-10 2015-12-16 ZTE Corporation Method and system for implementing synchronous binding of security keys
CN101945387B (zh) * 2010-09-17 2015-10-21 ZTE Corporation Method and system for binding an access stratum key to a device
CN101931953B (zh) * 2010-09-20 2015-09-16 ZTE Corporation Method and system for generating a security key bound to a device
CN101977378B (zh) * 2010-09-30 2015-08-12 ZTE Corporation Information transmission method, network side and relay node
WO2014075238A1 (fr) * 2012-11-14 2014-05-22 Huawei Technologies Co., Ltd. Security processing method for mobile communications, macro base station, micro base station and user equipment
CN108112013B (zh) * 2013-03-13 2020-12-15 Huawei Technologies Co., Ltd. Data transmission method, apparatus and system
CN104581710B (zh) * 2014-12-18 2018-11-23 Institute of Information Engineering, Chinese Academy of Sciences Method and system for securely transmitting an LTE user IMSI over the air interface
CN108464019A (zh) * 2016-02-04 2018-08-28 Huawei Technologies Co., Ltd. Security parameter transmission method and related device
WO2018126452A1 (fr) * 2017-01-06 2018-07-12 Huawei Technologies Co., Ltd. Authorization verification method and device
CN109842881B (zh) * 2017-09-15 2021-08-31 Huawei Technologies Co., Ltd. Communication method, related device and system
CN110381608B (zh) * 2018-04-13 2021-06-15 Huawei Technologies Co., Ltd. Data transmission method and apparatus for a relay network
CN111866884B (zh) * 2019-04-26 2022-05-24 Huawei Technologies Co., Ltd. Security protection method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1764195A (zh) * 2005-11-15 2006-04-26 ZTE Corporation Security level negotiation method for non-peer entities
CN1773904A (zh) * 2004-11-08 2006-05-17 ZTE Corporation General security level negotiation method
WO2006096017A1 (fr) * 2005-03-09 2006-09-14 Electronics And Telecommunications Research Institute Authentication method and key generation method in a wireless portable internet system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100525156C (zh) * 2003-09-25 2009-08-05 Huawei Technologies Co., Ltd. Method for selecting a secure communication algorithm
CN100561914C (zh) * 2005-08-25 2009-11-18 Huawei Technologies Co., Ltd. Method for obtaining a key

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107071768A (zh) * 2012-02-22 2017-08-18 Huawei Technologies Co., Ltd. Method, apparatus and system for establishing a security context
US10735185B2 (en) 2012-02-22 2020-08-04 Huawei Technologies Co., Ltd. Method, apparatus, and system for performing an establishment of a security context between user equipment and an access node by a base station
EP3675541A4 (fr) * 2017-09-25 2020-09-23 Huawei Technologies Co., Ltd. Authentication method and device
EP4358601A1 (fr) * 2022-10-18 2024-04-24 Nokia Technologies Oy Implementing an accessory for passive IoT device communication with an ambient energy source

Also Published As

Publication number Publication date
CN101926151A (zh) 2010-12-22
CN101926151B (zh) 2013-01-02
CN101500229A (zh) 2009-08-05
CN101500229B (zh) 2012-05-23

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 200980102466.X; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09705742; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09705742; Country of ref document: EP; Kind code of ref document: A1)