WO2009143745A1

WO2009143745A1 - Method, mobility management network element and mobile communication system for providing security context,

Info

Publication number: WO2009143745A1
Application number: PCT/CN2009/071822
Authority: WO
Inventors: 胡伟华; 张艳平; 吴问付; 周汉
Original assignee: 华为技术有限公司
Priority date: 2008-05-30
Filing date: 2009-05-15
Publication date: 2009-12-03
Also published as: CN101594608B; CN101594608A

Abstract

A method, a mobility management network element and a mobile communication system for providing security context are provided, belong to the communication field. The method includes the following steps: receiving a request message sent by a mobility management network element on the destination side, which carries an indication information; sending a security context of a user equipment corresponding to the indication information to the mobility management network element on the destination side. In the embodiment of the present invention, the request message sent from the mobility management network element on the destination side to the mobility management network element on the source side carries the indication information, so that the mobility management network element on the source side can send the security context corresponding to the indication information to the mobility management network element on the destination side according to the indication information within the request message, then the flow that the mobility management network element on the destination side makes interaction with the Home Subscriber Server (HSS) to obtain the security context is avoided, and the load of interaction with HSS is reduced.

Description

Method for providing security context, mobility management network element and mobile communication system The application claims to be submitted to the Chinese Patent Office on May 30, 2008, and the application number is 200810114117. 7. The invention is entitled "Method of Providing Security Context, Mobility Management" The priority of the Chinese Patent Application for the Network Element and the Mobile Communication System, the entire contents of which is incorporated herein by reference.

Say

Technical field

The present invention relates to the field of communications, and in particular, to a method for providing a security context, a mobility management network element, and a mobile communication system.

Book

Background technique

The core network of the wireless evolution network mainly includes three logical functions: a mobility management unit (MME), a serving gateway (SG), and a packet data network gateway (PDN Gateway). The Serving GPRS Support Node (SGSN) is a core network device in a Universal Mobile Telecommunications System (UMTS) and a General Packet Radio Service (GPRS) system.

In the prior art, when the user equipment (UE, User Equipment) is in the Global System For Mobile Communication (GSM) or the EDGE (Enhanced Data for GSM Evolution) radio access network (GERAN, GSM/EDGE Radio Access Network) / Universal Mobile Telecommunications System (UTRAN, UMTS Territorial Radio Access Network) network and Evolved Universal Mobile Telecommunications System (E-UTRAN, Evolved UMTS Territorial Radio Access Network) When moving between, the UE initiates a tracking area update process or a routing area update process to register to the target network. In the prior art, the SGSN and the MME are independent functional entities, wherein the MME can support access of the E-UTRAN wireless access system.

In the prior art, when the UE is attached to the GERAN/UTRAN network or the E-UTRAN network, the UE first performs an attach procedure: The source-side mobility management network element is found according to the temporary identifier of the user sent by the target-side mobility management network element. The user's International Mobile Subscriber Identity (IMSI), and the security context and the IMSI are returned to the target-side mobility management network element together with the identity response message.

When the UE moves from the GERAN/UTRAN network to the E-UTRAN network, the UE sends a message to the MME. The tracking area update request message initiates a tracking area update process: when receiving the tracking area update request message sent by the UE, the target side MME sends a context request message request context information to the source side SGSN, and receives the context carrying the context information returned by the source side SGSN. In response to the message, a Tracking Area Update Accept message is returned to the UE. Similarly, when the UE moves from the E-UTRAN network to the GERAN/UTRAN network, the UE initiates a routing area update procedure by sending a Routing Area Update Request message to the SGSN.

In the process of implementing the present invention, the inventors discovered that:

Since the functions of the SGSN and the MME are close to each other, in the implementation process, the two functions can be implemented in one physical entity, and the physical entity is a unified device, which has the functions of the SGSN and the MME. The first time the UE attaches to the unified device, the unified device obtains the security context of the UE on the GERAN/UTRAN network and the E-UTRAN network from the HSS. When the subsequent UE switches from the one-to-one device to the target-side mobility management network element, the tracking area update process or the routing area update process needs to be initiated. In the tracking area update process or the routing area update process, the target-side mobility management network element needs to obtain the context information of the UE from the unified device on the source side. Since the source-side mobility management network element simultaneously stores the security contexts in the GERAN/UTRAN network and the E-UTRAN network, the source-side mobility management network element cannot provide a suitable security context when the target-side mobility management network element acquires the context. When the target-side mobility management network element does not have a security context or does not have a suitable security context, the target-side mobility management network element needs to interact with the HSS to obtain a security context, which increases the interaction load with the HSS. Summary of the invention

In order to solve the problem in the prior art, the source-side mobility management network element cannot provide a suitable security context for the target-side mobility management network element, and the embodiment of the present invention provides a method for providing a security context, a mobility management network element, and a mobile communication system. In order for the source side mobility management network element to provide a suitable security context to the target side mobility management network element. The technical solution is as follows:

A method of providing a security context, the method comprising:

Receiving a request message that is sent by the target side mobility management network element and carrying the indication information;

And transmitting, to the target-side mobility management network element, a security context of the user equipment corresponding to the indication information. A mobility management network element, the mobility management network element includes:

a first receiving module (41), configured to receive a request message that is sent by the target side mobility management network element and carries the indication information;

The first sending module (43) is configured to send, to the target side mobility management network element, a security context of the user equipment corresponding to the indication information.

A mobility management network element, the mobility management network element includes: a second sending module (51), configured to send a request message carrying the indication information to the source-side mobility management network element, where the second receiving module (53) is configured to receive the source-side mobility management network element Corresponding to the security context of the user equipment of the indication information.

A mobile communication system, the system comprising: a source side mobility management network element (61) and a target side mobility management network element (63);

The source-side mobility management network element (61) is configured to receive a request message that is sent by the target-side mobility management network element (63) and that carries the indication information, to the target-side mobility management network element ( 63) transmitting a security context of the user equipment corresponding to the indication information;

The target-side mobility management network element (63) is configured to send a request message carrying the indication information to the source-side mobility management network element (61), and receive the source-side mobility management network element (61) a security context sent by the user equipment corresponding to the indication information.

In the embodiment of the present invention, the request message sent by the target-side mobility management network element to the source-side mobility management network element carries the indication information, so that the source-side mobility management network element can follow the indication information in the request message. Transmitting the corresponding security context to the target-side mobility management network element, thereby avoiding the process of the target-side mobility management network element interacting with the home network server (HSS, Home Subscriber Server) to obtain the security context, and reducing the interaction with the HSS load. DRAWINGS

1 is a schematic structural diagram of a wireless evolved network in a non-roaming scenario;

2 is a flowchart of a method for providing a security context according to Embodiment 1 of the present invention;

3 is a flowchart of a method for providing a security context according to Embodiment 2 of the present invention;

4 is a schematic structural diagram of a mobility management network element according to Embodiment 3 of the present invention;

FIG. 5 is a schematic structural diagram of a mobility management network element according to Embodiment 4 of the present invention; FIG.

FIG. 6 is a schematic structural diagram of a mobile communication system according to Embodiment 5 of the present invention. detailed description

The embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of an architecture of a wireless evolved network in a non-roaming scenario. The MME has the functions of network-attached storage (NAS, Network-Attached Storage) and NAS signaling encryption, roaming, tracking, etc., and assigns user temporary identity, security function, etc., which corresponds to the control plane part of the current UMTS internal SGSN. Serving The Gateway is responsible for local mobility anchors and mobility anchors within the 3GPP system as well as lawful interception related information. The PDN Gateway is responsible for policy enforcement and billing as well as lawful interception related functions. The HSS is used to store user subscription information. The Policy and Charging Rules Function (PCRF) is responsible for formulating control and accounting policies. The SGSN supports access to GERAN and UTRAN systems and is responsible for mobility management and forwarding of user data.

In the embodiment of the present invention, when the UE initiates the routing area update process or the tracking area update process, the source side mobility management network is in the context transfer process between the source side mobility management network element and the target side mobility management network element. The element transmits the security context of the appropriate UE according to the target side mobility management network element device type or according to the type of required security context indicated by the target side mobility management network element.

It should be noted that the security context described in the embodiment of the present invention may be a security parameter, and may be a security parameter such as an authentication vector or a security key.

In addition, when the UE performs the attach procedure, the target-side mobility management network element acquires the IMSI and the security context from the source-side mobility management network element, and the source-side mobility management network element manages the network element device type according to the target-side mobility or according to the target. The type of required security context indicated by the side mobility management network element, delivering the security context of the appropriate UE.

The following Embodiment 1 illustrates a method for providing a security context by using a UE to initiate a routing area update process or a tracking area update process.

It should be noted that, for convenience of description, the routing area update or the tracking area update in the first embodiment is collectively referred to as location area update.

Example 1

In this embodiment, the UE first attaches to the source-side mobility management network element, and the source-side mobility management network element simultaneously stores the security contexts in the GERAN/UTRAN network and the E-UTRAN network. When the UE initiates the routing area update process or the tracking area update process, the target side mobility management network element may be in the context request message during the context transfer process between the source side mobility management network element and the target side mobility management network element. The device carries a message indicating the type of the device, for example, a supported radio access type (Supported RAT, Supported Radio Access Type), and informs the source-side mobility management network element of the device type, so that the source-side mobility management network element is based on the target side. The mobility management network element device type delivers the security context of the corresponding UE; or the target side mobility management network element carries the source side by other means, for example, carrying a message indicating the type of the security context to be acquired in the context request message. The mobility management network element delivers the security context of the appropriate UE according to the target side mobility management network element device type.

The method for providing a security context provided by this embodiment is described in detail below with reference to FIG. As shown in FIG. 2, the method mainly includes the following steps:

Step 101: Send a location area update request message to the target side mobility management network element after the UE moves to the target side network. After the UE moves to the E-UTRAN network, the UE-side mobility management network element functional entity is the MME. When the UE moves to the GERAN/UTRAN network, the target side mobility management network element functional entity is the SGSN. It can be understood that the target-side mobility management network element may be a SGSN and MME-integrated device regardless of the network.

The location area update is an overview of the routing area update and the tracking area update; the location area update request message includes: a tracking area update request message and a routing area update request message. Specifically, when the UE moves to the E-UTRAN network, the UE initiates a tracking area update procedure, and the UE sends a tracking area update request message to the target side mobility management network element; when the UE moves to the GERAN/UTRAN network, the UE initiates the routing area. In the update process, the UE sends a routing area update request message to the target side mobility management network element.

Step 102: The target-side mobility management network element sends a context request message to the source-side mobility management network element, and adds information indicating the target-side mobility management network element device type to the message.

The target-side mobility management network element requests the source-side mobility management network element to acquire the context information of the UE, including the security context of the UE, by sending the foregoing context request message.

And adding, in the context request message, information indicating the type of the target side mobility management network element device, such as a Supported RAT. Specifically includes the following:

1) If the target-side mobility management network element is a MME separate functional entity, the Supported RAT value is 0;

2) If the target-side mobility management network element is a separate functional entity of the SGSN, the Supported RAT value is 1;

3) If the target-side mobility management network element is a SGSN and MME-integrated device, the supported RAT value is 2. The value of the Supported RAT can be set by software.

Step 103: The source-side mobility management network element returns a context response message to the target-side mobility management network element, and returns the context information of the UE by using the message, including the security context of the UE.

The return context response message corresponding to the three situations in step 102 specifically includes the following situations: 1) When the supported RAT value is 0, the security context returned by the source side mobility management network element in the context response message is The security context of the UE in the E-UTRAN network;

2) When the Supported RAT value is 1, the security context that the source-side mobility management network element needs to return in the context response message is the security context of the UE in the GERAN/UTRAN network;

3) When the Supported RAT value is 2, the security context that the source-side mobility management network element needs to return in the context response message is the security context of the UE in the E-UTRAN network and the GERAN/UTRAN network.

Step 104: The target side mobility management network element sends a context confirmation message to the source side mobility management network element.

Step 105: The target side mobility management network element returns a location area update accept message to the UE.

In step 102 of this embodiment, a security indication that needs to be acquired may also be added to the context request message. Information about the type of the text, such as the Authentication Type. E.g:

1) If the target-side mobility management network element only needs the security context of the UE in the E-UTRAN network, the Authentication Type value is 0;

2) If the target-side mobility management network element only needs the security context of the UE in the GERAN/UTRAN network, the Authentication Type value is 1;

3) If the target-side mobility management network element requires the UE's full security context on the E-UTRAN network and the GERAN/UTRAN network, the Authentication Type value is 2.

Corresponding to the above three cases, in step 103 of this embodiment, the returning the context response message specifically includes the following cases:

1) When the Authentication Type value is 0, the security context returned by the source-side mobility management network element in the context response message is the security context of the UE in the E-UTRAN network;

2) When the Authentication Type value is 1, the security context returned by the source-side mobility management network element in the context response message is the security context of the UE in the GERAN/UTRAN network;

3) When the Authentication Type value is 2, the security context that the source-side mobility management network element needs to return in the context response message is the security context of the UE in the E-UTRAN network and the GERAN/UTRAN network.

It should be noted that, the embodiment of the present invention does not limit the form of the indication information, such as the information indicating the type of the target side mobility management network element device, and may further extend the cell to carry the target side mobility management network element device. The type name, for example, when the target-side mobility management network element is an SGSN, the cell can be set to "SGSN". When the target-side mobility management network element is an MME, the cell can be set to "MME". When the target-side mobility management network element is a unified device of the SGSN and the MME, the cell may be set to "combined SGSN/MME". In this case, in step 103, the source-side mobility management network element may be configured according to the indication information. The indicated target-side mobility management network element device type sends its corresponding security context to the target-side mobility management network element in the context response message.

In the foregoing embodiment, the source-side mobility management network element may be a unified device of the SGSN and the MME, so that when the UE is attached to the unified device for the first time, the unified device will use the UE in the GERAN/UTRAN network and the E-UTRAN network. The security context of the source is obtained from the HSS. In addition, the source-side mobility management network element may also be a separate SGSN or MME. Since the user is attached to a single device before being registered to a separate SGSN or MME, the unified device obtains The security context of the user in the E-UTRAN network and the GERAN/UTRAN network. When a user initiates a routing area update or a tracking area update is registered to a separate SGSN or MME, the individual SGSN or MME requests the user from the starting unified device. Security context, at this time, the unified device will send all the security contexts of the user in the E-UTRAN network and the GERAN/UTRAN network to a separate SGSN or MME. At this time, the SGSN or MME not only stores the user in the GERAN/UTRAN network. The security context also preserves the security of the user on the E-UTRAN network. Text. When the single SGSN or the MME is again used as the source mobility management network element, since the source side mobility management network element also stores the security context of the GERAN/UTRAN network and the E-UTRAN network, it may also be based on the target side mobility. The indication information in the request message sent by the management network element is sent to the target mobility management network element.

In this embodiment, when the UE first attaches to the source-side mobility management network element, when the UE initiates the routing area update process or the tracking area update process, the source-side mobility management network element and the target-side mobility management network In the process of context transfer between the elements, the source-side mobility management network element determines different device types of the target-side mobility management network element according to the indication information in the request message, or indicates the target-side mobility management network element according to the request message. The type of the security context that needs to be obtained returns the security context corresponding to the appropriate UE, so that the interaction between the target-side mobility management network element and the HSS can be avoided to obtain the security context, and the interaction load with the HSS is reduced.

The following Embodiment 2 illustrates a method for providing a security context by taking a UE-initiated attach procedure as an example.

Example 2

In this embodiment, the UE first attaches to the source-side mobility management network element, and the source-side mobility management network element simultaneously stores the security contexts in the GERAN/UTRAN network and the E-UTRAN network. When the UE is separated from the source-side mobility management network element to change the attached object, the UE needs to perform an attach procedure, and sends an attach request message to the target-side mobility management network element, where the message carries the temporary identifier of the UE, and the target side The mobility management network element needs to obtain the IMSI and the security context from the source-side mobility management network element, and the source-side mobility management network element needs to deliver different UE security contexts according to the target-side mobility management network element device type.

The method for providing a security context provided by this embodiment is described in detail below with reference to FIG. As shown in FIG. 3, the method mainly includes the following steps:

Step 201: When the UE performs the attach procedure, the UE sends an attach request message to the target mobility management network element.

The UE is attached to the source-side mobility management network element before being separated;

The attach request message includes the temporary identifier of the UE or the international mobile subscriber identity IMSI. If the UE only carries its temporary identity, the target-side mobility management network element needs to request the IMSI and the security context from the source-side mobility management network element. When the target-side mobility management unit is the SGSN, the temporary identifier carried by the UE in the attach request message is a packet temporary mobile subscriber identity (P-TMSI, Packet Temporary Mobile Subscriber Identity) and a routing area identifier i (RAI, Routeing Area). Identity ).

When the target-side mobility management network element is a MME, the UE carried in the attach request message is a global unique temporary identity temporary identity (GUTI, Globally Unique Temporary Identity) 0

Step 202: The target-side mobility management network element sends an identifier request message to the source-side mobility management network element, and adds information indicating the target-side mobility management network element device type to the message. The target-side mobility management network element requests the source-side mobility management network element to acquire the IMSI of the user and its security context by using the temporary identifier of the user in the identifier request message.

And adding, in the context request message, information indicating the type of the target side mobility management network element device, such as a Supported RAT. The specific situation is similar to the three cases in step 102 of Embodiment 1, and details are not described herein again.

Step 203: The source-side mobility management network element returns an identifier response message to the target-side mobility management network element, where the message includes the IMSI of the user and the corresponding security context.

Specifically, the following three situations are included:

1) When the supported RAT value is 0, the security context returned by the source-side mobility management network element in the identity response message is the security context of the UE in the E-UTRAN network;

2) When the supported RAT value is 1, the security context returned by the source-side mobility management network element in the identity response message is the security context of the UE in the GERAN/UTRAN network;

3) When the Supported RAT value is 2, the security context returned by the source-side mobility management network element in the identity response message is the security context of the UE in the E-UTRAN network and the GERAN/UTRAN network.

Step 204: The target side mobility management network element returns an attach accept message to the UE.

In the step 202 of the embodiment, the information about the type of the security context to be acquired, for example, the Authentication Type, may be added to the identifier request message. Accordingly, the source-side mobility management network element needs to return in the identifier response message. The security context is also divided into three cases, and the specific content is similar to that described in Embodiment 1, and details are not described herein again.

It should be noted that, similar to the first embodiment, the embodiment of the present invention does not limit the form of the indication information, such as the information indicating the type of the target side mobility management network element device, and may further extend the cell to carry the target side. The type name of the mobility management network element device, for example, when the target-side mobility management network element is an SGSN, the cell may be set to "SGSN", and when the target-side mobility management network element is an MME, the cell It can be set to "MME". When the target-side mobility management network element is a unified device of the SGSN and the MME, the cell can be set to "Combined SGSN/MME". At this time, in step 203, the source-side mobility management is performed. The network element may send its corresponding security context to the target side mobility management network element in the identity response message according to the target-side mobility management network element device type indicated by the indication information.

In the foregoing embodiment, the source-side mobility management network element may be a unified device of the SGSN and the MME, so that when the UE is attached to the unified device for the first time, the unified device will use the UE in the GERAN/UTRAN network and the E-UTRAN network. The security context of the source is obtained from the HSS. In addition, the source-side mobility management network element may also be a separate SGSN or MME. Since the user is attached to a single device before attaching to the SGSN or MME, the unified device obtains The security context of the user in the E-UTRAN network and the GERAN/UTRAN network is attached to the user when the attach process is performed. In the case of a separate SGSN or MME, the separate SGSN or MME will request the user security context from the starting unifying device. At this time, the unified device will send all the security contexts of the user on the E-UTRAN network and the GERAN/UTRAN network. For a separate SGSN or MME, the SGSN or MME not only stores the security context of the user in the GERAN/UTRAN network but also the security context of the user in the E-UTRAN network. When the single SGSN or MME is again used as the source mobility management network element, since the source side mobility management network element also stores the security context of the GERAN/UTRAN network and the E-UTRAN network, it may also be based on the target side mobility. The indication information in the request message sent by the management network element is sent to the target mobility management network element.

In this embodiment, the UE is first attached to the source-side mobility management network element. When the UE is separated from the source-side mobility management network element to change the attached object, the UE needs to perform an attach procedure, in the process, by using the identifier request message. Different information is added to enable the source-side mobility management network element to return a security context corresponding to the appropriate UE according to the target-side mobility management network element device type, so that the interaction between the target-side mobility management network element and the HSS can be avoided to obtain security. The context of the process reduces the interaction load with the HSS. Example 3

Referring to FIG. 4, this embodiment provides a mobility management network element, where the mobility management network element includes:

The first receiving module 41 is configured to receive a request message that is sent by the target-side mobility management network element and that carries the indication information.

The first sending module 43 is configured to send, to the target side mobility management network element, a security context of the user equipment corresponding to the indication information.

The indication information in the request message includes information indicating a device type of the target side mobility management network element or information indicating a security context type of the user equipment that the target side mobility management network element needs to acquire.

The first sending module 43 includes:

a first sending unit, configured to: when the device type indicating the target side mobility management network element in the indication information is the SGSN or the security context type of the user equipment that the target side mobility management network element needs to acquire, the security context in the GERAN/UTRAN network Sending a security context in the GERAN/UTRAN network to the target-side mobility management network element. The second sending unit is configured to indicate, in the indication information, that the device type of the target-side mobility management network element is the MME or the target-side mobility management. When the security context type of the user equipment that the network element needs to acquire is the security context in the E-UTRAN network, the security context in the E-UTRAN network is sent to the target side mobility management network element;

a third sending unit, configured to: when the device type indicating the target side mobility management network element is the MME and the SGSN, or the target side mobility management network element, the security context type of the user equipment to be acquired is E- Sending the security context of the UTRAN network and the GERAN/UTRAN network to the target-side mobility management network element Security context for E-UTRAN networks and GERAN/UTRAN networks.

Example 4

Referring to FIG. 5, the embodiment provides a mobility management network element, where the mobility management network element includes:

The second sending module 51 is configured to send, to the source-side mobility management network element, a request message that carries the indication information, where the request message may be a context request message or an identifier request message. For details, refer to the description in the method embodiment.

The second receiving module 53 is configured to receive a security context of the user equipment corresponding to the indication information sent by the source side mobility management network element.

The second sending module 51 includes:

a first indication unit, configured to add indication information indicating a device type of the target side mobility management network element to the request message, and send a request message carrying the indication information to the source side mobility management network element; or

a second indication unit, configured to add, in the request message, indication information indicating a security context type of the user equipment that the target side mobility management network element needs to acquire, and send the indication to the source side mobility management network element Request message for information.

In this embodiment, the mobility management network element may be an SGSN device in the GERAN/UTRAN network or a unified device of the SGSN and the MME, or may be an MME device in the E-UTRAN network or a unified device of the SGSN and the MME. The second sending module 51 adds the indication information to the request message to distinguish the different device types or the security context of the corresponding user equipment that needs to be obtained by the different devices.

In the foregoing embodiments 3 to 4, the source-side mobility management network element determines, according to the indication information in the request message, different device types of the target-side mobility management network element or indicates in the request message according to the target-side mobility management network element. The type of required security context provides a corresponding security context, thereby avoiding the process of the target-side mobility management network element interacting with the HSS to obtain a security context, and reducing the interaction load with the HSS.

Example 5

Referring to FIG. 6, this embodiment provides a mobile communication system, including: a source side mobility management network element 61 and a target side mobility management network element 63.

The source-side mobility management network element 61 is configured to receive the request message carrying the indication information sent by the target-side mobility management network element 63, and send the user equipment corresponding to the indication information to the target-side mobility management network element 63. Security context

The target-side mobility management network element 63 is configured to send a request message carrying the indication information to the source-side mobility management network element 61, and receive the user corresponding to the indication information sent by the source-side mobility management network element 61. The security context of the device.

The request message may be a context request message or an identifier request message, as described in the method embodiment. Bright.

The source side mobility management network element 61 includes:

The first receiving module 41 is configured to receive the message carrying the indication information sent by the target-side mobility management network element 63.

The first sending module 43 is configured to send the security context of the user equipment corresponding to the indication information to the target side mobility management network element 63.

The indication information in the request message includes information indicating the device type of the target side mobility management network element 63 or information indicating the security context type of the user equipment that the target side mobility management network element 63 needs to acquire. Therefore, the first sending module 43 includes:

a first sending unit, configured to indicate, in the indication information, that the device type of the target-side mobility management network element 63 is the SGSN or the target-side mobility management network element 63 needs to acquire the security context type of the user equipment in the GERAN/UTRAN network. In the security context, the security context in the GERAN/UTRAN network is sent to the target side mobility management network element 63;

a second sending unit, configured to indicate, in the indication information, that the device type of the target-side mobility management network element 63 is the MME or the target-side mobility management network element 63 needs to acquire the security context type of the user equipment in the E-UTRAN network. In the security context, the security context in the E-UTRAN network is sent to the target side mobility management network element 63;

The third sending unit is configured to: when the indication information indicates that the device type of the target side mobility management network element 63 is the MME and the SGSN, or the target side mobility management network element 63, the security context type of the user equipment that needs to be acquired is When the security context of the E-UTRAN network and the GERAN/UTRAN network, the security context of the E-UTRAN network and the GERAN/UTRAN network is transmitted to the target side mobility management network element 63.

The target side mobility management network element 63 includes:

The second sending module 51 is configured to send the indication information request message to the source side mobility management network element 61, and the second receiving module 53 is configured to receive the indication sent by the source side mobility management network element 61 corresponding to the indication. The security context of the user device of the information.

The second sending module 51 includes:

The first indication unit is configured to add indication information indicating a device type of the target side mobility management network element 63 to the request message, and send a request message carrying the indication information to the source side mobility management network element 61. ; or

a second indication unit, configured to add, in the request message, indication information indicating a security context type of the user equipment that the target-side mobility management network element 63 needs to acquire, and send the information to the source-side mobility management network element 61 A request message indicating the information.

The target side mobility management network element 63 may be an SGSN device in the GERAN/UTRAN network or The unifying device of the SGSN and the MME may also be an MME device in the E-UTRAN network or a unified device of the SGSN and the MME.

In this embodiment, the source side mobility management network element 61 determines different device types of the target side mobility management network element 63 according to the indication information in the request message or according to the target side mobility management network element 63 indicated in the request message. The type of security context required provides a corresponding security context, thereby avoiding the process of the target-side mobility management network element 63 interacting with the HSS to obtain a security context, and reducing the interaction load with the HSS. The embodiments of the present invention can be implemented by software, and the corresponding software can be stored in a readable storage medium, such as a hard disk, an optical disk or a floppy disk of a computer.

The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., which are within the spirit and scope of the present invention, should be included in the protection of the present invention. Within the scope.

Claims

Claim

A method for providing a security context, the method comprising:

Receiving, by the target-side mobility management network element, a request message that carries the indication information;

And transmitting, to the target-side mobility management network element, a security context of the user equipment corresponding to the indication information.

The method for providing a security context according to claim 1, wherein the request message is a context request message or an identification request message.

The method for providing a security context according to claim 1 or 2, wherein the indication information in the request message includes information indicating a device type of the target-side mobility management network element or indicates the target The information about the security context type of the user equipment that the side mobility management network element needs to acquire.

The method for providing a security context according to claim 3, wherein the transmitting the security context of the user equipment corresponding to the indication information to the target mobility management network element comprises:

When the device type indicating the target side mobility management network element in the indication information is the serving general packet radio service support node (SGSN) or the type of the security context of the user equipment that needs to be acquired by the target side mobility management network element is wireless When the security context in the access network (GERAN)/Universal Mobile Telecommunications System Terrestrial Radio Access Network (UTRAN) network is sent to the target side mobility management network element, the security context in the GERAN/UTRAN network is sent;

When the device type indicating that the target-side mobility management network element is the mobility management unit (MME) or the target-side mobility management network element needs to acquire the security context type of the user equipment is the terrestrial radio access network (E-UTRAN), when the security context in the network is sent, the security context in the E-UTRAN network is sent to the target-side mobility management network element;

When the indication information indicates that the device type of the target-side mobility management network element is the MME and the SGSN, or the target-side mobility management network element needs to acquire the security context type of the user equipment, the E-UTRAN network and The security context of the GERAN/UTRAN network then transmits the security context of the E-UTRAN network and the GERAN/UTRAN network to the target-side mobility management network element.

5. The method of providing a security context according to claim 1, wherein the security context is a security parameter.

6. A mobility management network element, wherein the mobility management network element comprises:

The first sending module (43) is configured to send, to the target-side mobility management network element, a security context of the user equipment corresponding to the indication information.

The mobility management network element according to claim 6, wherein the first sending module (43) comprises: a first sending unit, configured to indicate a target side mobility management network in the indication information The device type of the service is the serving general packet radio service support node (SGSN) or the security context type of the user equipment that the target side mobility management network element needs to acquire is the radio access network (GERAN) / universal mobile communication system terrestrial wireless connection Transmitting a security context in the GERAN/UTRAN network to the target-side mobility management network element when a security context in the network (UTRAN) network is used;

a second sending unit, configured to: when the device type indicating the target-side mobility management network element in the indication information is a mobility management unit (MME) or a security context of the user equipment that needs to be acquired by the target-side mobility management network element When the type is a security context in a terrestrial radio access network (E-UTRAN) network, the security context in the E-UTRAN network is sent to the target side mobility management network element;

a third sending unit, configured to: when the indication information indicates that the device type of the target-side mobility management network element is a unified device of the MME and the SGSN, or the security context of the user equipment that the target-side mobility management network element needs to acquire When the security context of the E-UTRAN network and the GERAN/UTRAN network is of type, the security context of the E-UTRAN network and the GERAN/UTRAN network is transmitted to the target-side mobility management network element.

8. A mobility management network element, wherein the mobility management network element comprises:

a second sending module (51), configured to send a request message carrying the indication information to the source-side mobility management network element, where the second receiving module (53) is configured to receive the source-side mobility management network element Corresponding to the security context of the user equipment of the indication information.

The mobility management network element according to claim 8, wherein the second sending module (51) comprises: a first indication unit, configured to add a target side mobility management to the request message And indicating, by the device type of the network element, a request message carrying the indication information to the source side mobility management network element;

Or a second indicating unit, configured to add, in the request message, indication information indicating a security context type of the user equipment that the target side mobility management network element needs to acquire, and send the carrying information to the source side mobility management network element A request message indicating the information.

10. A mobile communication system, the system comprising: a source side mobility management network element (61) and a target side mobility management network element (63);

The mobile communication system according to claim 10, wherein the target-side mobility management network element (63) comprises:

a second sending module, configured to send a request message carrying the indication information to the source-side mobility management network element (61), and a second receiving module, configured to receive, by the source-side mobility management network element (61) The security context of the user equipment corresponding to the indication information sent.

The mobile communication system according to claim 11, wherein the second sending module comprises: a first indicating unit, configured to add, in the request message, the target side mobility management network element ( 63) indicating the device type, and transmitting, to the source-side mobility management network element (61), a request message carrying the indication information;

Or

a second indication unit, configured to add, in the request message, indication information indicating a security context type of the user equipment that the target-side mobility management network element (63) needs to acquire, and to the source-side mobility management network The element (61) transmits a request message carrying the indication information.