WO2011020445A1 - Interaction method and apparatus for secure information - Google Patents

Publication number
WO2011020445A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
information
handover
key
carrier
Application number
PCT/CN2010/076221
Inventor
和峰
黄亚达
邓云
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471 Key exchange

Definitions

  • the present invention relates to the field of communications, and in particular, to a method and apparatus for interacting with security information, for implementing security information interaction in a process of handover to a carrier aggregation cell.
  • LTE Long Term Evolution
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • EPC Evolved Packet Core
  • the E-UTRAN is composed of a plurality of interconnected evolved base stations (eNBs, Evolved NodeBs), and the eNBs are connected to each other through the X2 interface; the EPC is composed of a mobility management entity (MME, Mobility Management Entity) and a serving gateway entity (S-GW, Serving Gateway).
  • MME mobility management entity
  • S-GW Serving Gateway
  • UE User Equipment
  • the network assisted UE needs to perform handover between the cells.
  • handover in LTE can be mainly divided into S1 handover and X2 handover according to the procedure, which correspond to the handover procedures through the S1 interface and the X2 interface respectively.
  • the initiator of the handover is called the source side
  • the destination of the handover is called the target side.
  • KeNB security key
  • in S1 handover, the new KeNB on the target side is calculated by the target side according to the next hop value (NH, Next Hop) and the next hop chaining counter (NCC, Next Hop Chaining Counter) forwarded by the MME, together with the physical cell identity (PCI, Physical Cell Identity) of the target cell and the cell's downlink carrier frequency (EARFCN-DL, E-UTRA Absolute Radio Frequency Channel Number-Down Link); in X2 handover, the new target-side KeNB, that is, KeNB*, is calculated by the source side based on the physical cell identity (PCI) of the target-side cell, the downlink carrier frequency (EARFCN-DL) of that cell, and the currently used KeNB (or the next hop value NH).
  • PCI Physical Cell Identity
  • EARFCN-DL E-UTRA Absolute Radio Frequency Channel Number-Down Link
  • the KeNB* and the corresponding Next Hop Chaining Counter (NCC) are sent to the target side through a handover request message (Handover Request), and the target side passes the NCC to the UE, via the source side, in the handover command message (Handover Command).
  • the UE calculates a new security key by the same method as the network side according to the NCC information in the handover command, where the NCC is mainly used to indicate whether the input parameter used in calculating the new key is KeNB or NH.
  • a TDD cell provides only one carrier for uplink and downlink transmission
  • an FDD cell provides only one pair of carriers (one uplink and one downlink carrier) for uplink and downlink transmission.
  • LTE Advance a new enhancement to the LTE system
  • CA Carrier aggregation
  • the carrier aggregation method achieves a larger bandwidth.
  • a cell is composed of multiple consecutive or discontinuous carriers.
  • Each carrier is called a component carrier (CC) and can provide multi-carrier services for the UE at the same time.
  • CC component carrier
  • the component carrier can be a carrier compatible with the LTE system, called a backward compatible carrier; the component carrier can also be a carrier that is not compatible with the existing LTE system, called a non-backward compatible carrier, which is only used by LTE Advance UEs and later UEs; the component carrier can also be an extension carrier.
  • This carrier cannot be used alone and needs to be used together with other carriers.
  • the above-mentioned carrier aggregation cell is only a logical term for a plurality of consecutive or discontinuous carriers.
  • Each component carrier in the above description may also be regarded as a cell, and the cell has only one carrier.
  • the carrier aggregation cell can also be regarded as a general term for a plurality of cells. It can be seen from the above that in the carrier aggregation cell the UE can use several uplink carriers and downlink carriers at the same time, and based on the current protocol discussion, if the target side of the handover is a carrier aggregation cell, the UE can support handover to multiple CCs of the target side cell at the same time. Before the handover, the source side can determine the target carrier of the UE after the handover from the measurement of the UE.
  • the inventor has found that: since there are multiple CCs on the target side, and the prior art does not disclose a method for the interaction of security information in multiple-CC scenarios, the security of information cannot be guaranteed in the process of handover to the carrier aggregation cell.
  • SUMMARY OF THE INVENTION
  • the present invention has been made in view of the problem that, in the prior art, the security of information cannot be ensured in the process of handover to a carrier aggregation cell. Therefore, the main object of the present invention is to provide a method and apparatus for interacting security information, to solve at least one of the above problems.
  • an interaction method for security information is provided.
  • the method includes: the first node B selects one or more component carriers from the component carriers of a carrier aggregation cell managed by the second node B; the first node B calculates the key after the handover (the switched key) by using information of the selected component carrier as an input parameter; the first node B sends a handover request message to the second node B, where the request message carries the switched key; the first node B sends the information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the received information of the selected component carrier as an input parameter.
  • a method for interacting security information including: a first node B sends a handover request message to a second node B, where the handover request message carries parameter information for calculating the key used after the handover, and the parameter information includes key information or a next hop value NH; the second node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by itself, and calculates the key used after the handover according to the information of the selected component carrier and the parameter information carried in the handover request message; the second node B uses the information and location of the selected component carrier.
  • an apparatus for interacting with security information is provided, which is located in a first Node B and is used for implementing interaction of security information in a process of handover to a carrier aggregation cell.
  • the interaction apparatus includes: a selection module, configured to select one or more component carriers from the component carriers of a carrier aggregation cell managed by the second Node B; a processing module, configured to calculate the switched key by using information of the selected component carrier as an input parameter; a first sending module, configured to send a handover request message to the second node B, where the request message carries the switched key; and a second sending module, configured to send the information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the information of the selected component carrier as an input parameter.
  • the UE and the eNodeB on the handover target side obtain the same switched security key through the interaction of the component carrier information, which is compatible with the current LTE handover procedure, facilitates the smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
  • FIG. 2 is a preferred flowchart of an interaction method of security information according to an embodiment of the present invention
  • FIG. 3 is a flowchart according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of an X2 handover with a negotiation process according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of an S1 handover process according to an embodiment of the present invention.
  • FIG. 7 is a structural diagram of an apparatus for interacting with security information according to an embodiment of the present invention.
  • in consideration of the problem that the security of information cannot be ensured in the process of handover to a carrier aggregation cell, the present invention provides a method and device for interacting security information by using parameters such as component carrier information, so that the UE and the eNodeB on the handover target side obtain the same security key after the handover, which is compatible with the current LTE handover procedure, facilitates the smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
  • a method for interacting security information is provided, which is used to implement interaction of security information in a process of handover to a carrier aggregation cell.
  • the interaction method for security information in the embodiment of the present invention includes the following steps: Step S202: the first node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second node B.
  • Step S204 the first node B calculates the switched key by using the information of the selected component carrier as an input parameter;
  • Step S206 the first node B sends a handover request message to the second node B, where the request message carries the above-mentioned switched key;
  • the interaction of the component carrier information enables the UE and the eNodeB on the handover target side to obtain the same switched security key, which is compatible with the current LTE handover procedure, facilitates smooth network upgrade, and ensures the security of handover to the carrier aggregation cell.
  • the handover request message includes information of the selected component carrier, where the information of the component carrier includes at least one of the following: a physical cell identifier corresponding to the selected component carrier and a downlink carrier frequency.
  • the method further includes: the UE calculates the switched key by using the received information of the selected component carrier as an input parameter; the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the second node B decrypts the handover confirmation message using the switched key, thereby implementing security information interaction and ensuring security for handover to the carrier aggregation cell.
  • the handover request message includes a global identifier of the carrier aggregation cell managed by the second node B.
  • the method further includes: sending, by the first node B, the global identifier to a terminal UE; the UE calculates the switched key by using the global identifier as an input parameter; and the UE sends a handover confirmation message encrypted by the switched key to the second node B.
  • the first node B calculating the switched key by using the information of the selected component carrier as an input parameter includes: the first node B calculates, in turn, with the information of each selected component carrier as an input parameter, the switched key corresponding to that component carrier.
  • the sending, by the first node B, of the handover request message to the second node B includes: the first node B sends a handover request message to the second node B, where the request message carries the plurality of switched keys.
  • the first node B sending the information of the selected component carrier to the terminal UE includes: the second node B selects a key from the plurality of switched keys as the key used after the handover; the second node B sends the selected key to the first node B; the first node B transmits the information of the component carrier corresponding to the selected key to the UE; the UE calculates the switched key by using the received information of the component carrier as an input parameter; the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the first node B selects a plurality of the component carriers
  • the first node B sending the information of the selected component carrier to the terminal UE includes: the first node B sends the information of the selected multiple component carriers to the UE; the UE selects the information of one component carrier from the received information of the multiple component carriers, and calculates the switched key by using the information of that component carrier as an input parameter; the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • after the second node B receives the handover confirmation message from the UE, the method further includes: the second node B selects, in turn, a key from the plurality of switched keys to decrypt the received handover confirmation message until decryption succeeds, and the key used in the successful decryption is determined as the key after the handover.
  • the first Node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B in one of the following manners: the first node B selects, from the terminal UE's measurement information on the component carriers of the carrier aggregation cell managed by the second Node B, one or more component carriers having the best signal quality; or the first node B selects the first component carrier from the working carrier list of the carrier aggregation cell managed by the second node B; or the first node B selects the component carrier from the component carriers of the carrier aggregation cell managed by the second node B according to a preset selection policy.
  • the embodiment of the present invention is mainly based on the case where the handover target side is a carrier aggregation cell.
  • the handover target side eNB2 is an LTE-Advance eNB, that is, eNB2 supports carrier aggregation, and Cell 2, managed by eNB2, is a cell using carrier aggregation and may have several carriers; there is no requirement on whether the handover source side eNB1 and its managed cell Cell 1 support carrier aggregation: eNB1 may or may not support carrier aggregation, and Cell 1 may or may not use carrier aggregation.
  • the embodiment according to the embodiment of the present invention may adopt the following manner: Embodiment 1
  • FIG. 3 is a flowchart of X2 handover according to an embodiment of the present invention. As shown in FIG. 3, eNB1 (evolved Node B, evolved base station) determines, according to the UE (terminal) measurement, that the target cell for UE handover is the carrier aggregation cell Cell 2 (cell 2) managed by eNB2.
  • eNB1 initiates an X2 handover to eNB2: eNB1 selects one of the component carriers of the target cell Cell 2 and uses the PCI and EARFCN-DL information of that component carrier as input parameters to calculate the target-side new key KeNB*, that is, the switched key.
  • the following method can be used to calculate the switched key:
  • 1) KeNB* = KDF(PCI, EARFCN-DL, NH); or
  • 2) KeNB* = KDF(PCI, EARFCN-DL, KeNB); where PCI and EARFCN-DL are the physical cell identifier and downlink frequency information corresponding to the component carrier selected by eNB1, and NH is the next hop value stored in eNB1.
  • KeNB is the current key used in eNB1, and KDF is the currently known key derivation function (Key Derivation Function), which is not described here.
  • the condition for eNB1 to use calculation mode 1) is that a new {NH, NCC} value that has not been used is stored in eNB1; otherwise eNB1 uses the latter.
  • eNB1 sends the new key, the component carrier information (i.e., PCI and EARFCN-DL) and the NCC information required to calculate the key to eNB2 through the handover request message. If eNB2 successfully accepts the handover request, it stores the new key KeNB* and responds to eNB1 with a handover request acknowledgement message, which includes the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key.
  • the component carrier information i.e., PCI and EARFCN-DL
  • After receiving the acknowledgement message from eNB2, eNB1 sends an RRC (Radio Resource Control) reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message includes the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key.
  • After receiving the RRC reconfiguration message, the UE calculates the UE-side new security key KeNB* according to the NCC and the corresponding component carrier information in the message, using a calculation method consistent with that on the eNB side. Then, the UE returns a handover confirmation message to the target side eNB2, and finally eNB2 and the UE obtain the same new key KeNB* used after the handover.
  • RRC Radio Resource Control
  • the foregoing selection of one of the component carriers of the target cell may be made by eNB1 according to the measurement report of the UE, for example, selecting the carrier with the best measured signal quality, or eNB1 may select according to an explicit or implicit rule, such as selecting the anchor carrier of the UE or the first carrier in the working carrier list; any other selection manner may also be used.
  • explicit rule selection refers to selecting a certain component carrier by signaling indication; implicit rule selection refers to pre-negotiating which component carrier to select.
  • Embodiment 2 As shown in FIG.
  • eNB1 determines, according to the UE measurement, that the target cell of the UE handover is the carrier aggregation cell Cell 2 managed by eNB2; eNB1 then uses the carrier aggregation cell global identifier CA-CGI of Cell 2 (the global identifier uniquely determines the target cell Cell 2 in the network) in place of the PCI and EARFCN-DL information of the carrier as an input parameter for calculating the new key.
  • KeNB* = KDF(CA-CGI, KeNB); where CA-CGI is the carrier aggregation cell global identifier selected by eNB1, NH is the next hop value stored in eNB1, KeNB is the current key used in eNB1, and KDF is the currently known key derivation function (Key Derivation Function), which is not described here.
  • the condition for eNB1 to use calculation mode 1) is that a new {NH, NCC} value that has not been used is stored in eNB1; otherwise eNB1 uses the latter.
  • eNB1 transmits the generated target-side new key KeNB*, the corresponding NCC, and the global identifier CA-CGI of Cell 2 used in calculating KeNB* to eNB2 through the handover request message. If eNB2 successfully accepts the handover request, it stores the new key KeNB* and responds to eNB1 with a handover request acknowledgement message, which includes the security information required by the UE to calculate the target-side new key, that is, the NCC and the global identifier CA-CGI of Cell 2 used in calculating the new key.
  • After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message includes the security information required by the UE to calculate the target-side new key, that is, the NCC and the global identifier CA-CGI of the target cell used in calculating the new key. After receiving the RRC reconfiguration message, the UE calculates the UE-side new security key KeNB* according to the NCC in the message and the global identifier CA-CGI of the corresponding target cell, using a calculation method consistent with that on the eNB side.
  • the UE replies to the target side eNB2 with a handover confirm message, and finally both the eNB2 and the UE obtain the same new key KeNB* used after the handover.
  • the eNB1 determines that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2 according to the UE measurement. Then, the eNB1 respectively calculates the corresponding target side new key KeNB* according to the carrier information of all carriers or a part of carriers of the target cell, that is, the PCI and EARFCN-DL information of the component carrier.
  • the KeNB* can be calculated by the same calculation method as in the first embodiment.
  • eNB1 transmits all the calculated target-side new keys KeNB*, the NCC corresponding to each new key KeNB*, and the component carrier information used when calculating the corresponding KeNB* to eNB2 through the handover request message. If eNB2 successfully accepts the handover request, eNB2 selects one of the new keys KeNB* provided by eNB1 as the new key after the handover, and sends the component carrier information used in calculating that key and the corresponding NCC to eNB1 through a handover request acknowledgement message.
  • After receiving the handover request acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message includes the component carrier information required for the UE to calculate the target-side new key and the NCC corresponding to the new key.
  • the UE calculates a new security key KeNB* on the UE side according to the component carrier information and the NCC information in the message.
  • the KeNB* can be calculated by the same calculation method as in the first embodiment.
  • the UE returns a handover confirmation message to the target side eNB2, and finally the eNB2 and the UE obtain the same new key KeNB* used after the handover.
  • the selection by eNB2 of the new key from the new keys provided by eNB1 may be based on the load of the corresponding carrier at eNB2, or on the priority of the corresponding carrier, or on an explicit or implicit rule, such as selecting the key corresponding to the anchor carrier of the UE or to the first carrier in the working carrier list; any other selection manner may also be used.
  • explicit rule selection refers to selecting a component carrier by signaling indication; implicit rule selection refers to negotiating in advance which component carrier to select.
  • the eNB1 determines that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by the eNB2 according to the UE measurement.
  • the eNB1 respectively calculates the corresponding target side new key KeNB* according to the carrier information of all carriers or a part of carriers of the target cell, that is, the PCI and EARFCN-DL information of the component carrier.
  • the KeNB * can be calculated by the same calculation method as in the first embodiment.
  • eNB1 sends all the calculated target-side new keys KeNB* and the NCC information required for calculating the new keys to eNB2; if eNB2 successfully accepts the handover request, it stores all the new keys KeNB* and then sends a handover request acknowledgement message to eNB1 in response to the handover request message, where the handover request acknowledgement message includes the NCC information and the indication information required for the UE to generate the target-side new key, and the indication information is used to indicate the switchable component carriers on the target side and the component carrier information corresponding to each of those component carriers, that is, PCI and EARFCN-DL.
  • After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message includes the NCC information and the indication information from eNB2.
  • the UE selects one component carrier from the switchable component carriers of the target side according to the indication information in the message, and generates the UE-side new security key KeNB* according to the component carrier information corresponding to that component carrier and the corresponding NCC. Preferably, KeNB* can be calculated by the same calculation method as in the first embodiment.
  • a handover confirmation message is then sent to eNB2, and the message uses the newly generated key KeNB*.
  • eNB2 blindly decrypts the handover confirmation message of the UE by using all the stored new keys indicated by eNB1. If the blind decryption succeeds, eNB2 confirms that the key KeNB* currently in use is the new key after the handover. Finally, eNB2 and the UE obtain the same new key KeNB* used after the handover.
  • blind decryption means that eNB2 uses, one by one, all the new keys sent by eNB1 and stored in advance to decrypt the handover confirmation message sent by the UE; if the decryption succeeds, the new key currently in use is the key after the handover.
  • the UE may select a carrier from the switchable target carrier information according to its measurement results for the carriers, for example, selecting a carrier with a better measurement result, or according to an explicit or implicit rule, such as selecting the anchor carrier of the UE or the first carrier in the carrier list, or arbitrarily.
  • explicit rule selection refers to selecting a certain component carrier by signaling indication; implicit rule selection refers to pre-negotiating which component carrier to select.
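The per-carrier derivation KeNB* = KDF(PCI, EARFCN-DL, KeNB) from the first embodiment and the blind decryption at eNB2 described above, as an added Python example that is not code from the patent. Assumptions: the patent leaves the KDF unspecified, so the input layout of 3GPP TS 33.401 Annex A.5 (HMAC-SHA-256, FC = 0x13) is used; a truncated HMAC tag stands in for the protection of the handover confirmation message, so "decryption succeeds" becomes "the tag verifies"; the key, PCI and EARFCN-DL values are constructed.

```python
import hashlib
import hmac
import struct

FC_KENB_STAR = 0x13  # assumption: FC of the KeNB* derivation, TS 33.401 Annex A.5
TAG_LEN = 8          # assumption: truncated tag length used by this sketch


def kdf_input(pci: int, earfcn_dl: int) -> bytes:
    """S = FC || PCI || len(PCI) || EARFCN-DL || len(EARFCN-DL)."""
    if not 0 <= pci <= 503:
        raise ValueError("LTE PCI must be in 0..503")
    if not 0 <= earfcn_dl <= 0xFFFF:
        raise ValueError("this sketch handles 16-bit EARFCN-DL only")
    return struct.pack(">BHHHH", FC_KENB_STAR, pci, 2, earfcn_dl, 2)


def derive_kenb_star(base_key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* = KDF(PCI, EARFCN-DL, KeNB or NH) for one component carrier."""
    if len(base_key) != 32:
        raise ValueError("KeNB / NH must be 256 bits")
    return hmac.new(base_key, kdf_input(pci, earfcn_dl), hashlib.sha256).digest()


def _tag(key: bytes, message: bytes) -> bytes:
    mac = hmac.new(key, b"handover-confirm|" + message, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def protect(key: bytes, message: bytes) -> bytes:
    """Stand-in for protecting the handover confirmation with KeNB*."""
    return message + _tag(key, message)


def source_prepare(base_key: bytes, carriers):
    """eNB1: derive one KeNB* per candidate carrier (PCI, EARFCN-DL)."""
    return [(cc, derive_kenb_star(base_key, *cc)) for cc in carriers]


def target_blind_select(stored, protected: bytes):
    """eNB2: try the stored keys one by one; the first key whose tag verifies
    is the key after the handover. Returns (carrier, key) or None."""
    if len(protected) < TAG_LEN:
        return None
    message, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    for cc, key in stored:
        if hmac.compare_digest(tag, _tag(key, message)):
            return cc, key
    return None  # no candidate key matched: reject the confirmation


def run_handover():
    kenb = bytes(range(32))                             # constructed current KeNB
    carriers = [(101, 1850), (102, 2050), (103, 3100)]  # constructed (PCI, EARFCN-DL)
    stored_at_enb2 = source_prepare(kenb, carriers)     # sent in the handover request
    ue_choice = carriers[1]                             # UE picks one indicated carrier
    ue_key = derive_kenb_star(kenb, *ue_choice)         # same KDF, same inputs as eNB1
    confirm = protect(ue_key, b"RRCConnectionReconfigurationComplete")
    return ue_choice, ue_key, target_blind_select(stored_at_enb2, confirm)


if __name__ == "__main__":
    choice, key, selected = run_handover()
    print("UE carrier:", choice)
    print("eNB2 selected:", selected[0], "keys match:", selected[1] == key)
```

The trial loop only terminates correctly because success is decided by a verifiable tag; a confirmation that matches none of the stored keys is rejected rather than accepted under a default key.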
  • FIG. 4 is a flowchart of an X2 handover with a negotiation procedure according to an embodiment of the present invention. As shown in FIG.
  • eNB1 determines, according to the UE measurement, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2, and then eNB1 sends a handover target carrier negotiation request message to eNB2, where the request message may include information on the handover target carriers of Cell 2 decided by eNB1, that is, one or more component carriers that are switchable in the carrier aggregation cell managed by eNB2, and the component carrier information corresponding to those component carriers.
  • Step S2: After receiving the handover target carrier negotiation request message, eNB2 returns a handover target carrier negotiation response message to eNB1, where the response message may include the handover target carrier information decided by eNB2; the handover target carrier information sent by eNB1 serves only as a reference for eNB2's selection of the handover carrier, and the handover target carrier information decided by eNB2 may be selected from the handover target carrier information sent by eNB1, or may be selected according to eNB2's own situation.
  • Step S3: eNB1 selects one carrier from the target component carriers fed back by Cell 2, and calculates the target-side new key KeNB* according to the PCI and EARFCN-DL information of that carrier and the currently used key KeNB or NH; KeNB* is calculated in the same manner as in the first embodiment, and the NCC is used to indicate whether KeNB or NH is used to calculate the new key: if NH is used, the NCC is filled with the corresponding NCC value; otherwise, the NCC is filled with the NCC value corresponding to the current KeNB.
  • the eNB1 transmits the target side new key KeNB* and the corresponding NCC and the information of the component carrier selected when the key KeNB* is calculated, to the eNB 2 through the handover request message.
  • the acknowledgement message may include the security information required by the UE to calculate the target-side new key KeNB*, that is, the corresponding NCC and the component carrier information used in calculating the new key.
  • Step S5 After receiving the acknowledgment message of the eNB2, the eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message may include the security information required by the UE to calculate the target side new key, that is, the calculation target.
  • Step S6: After receiving the message, the UE calculates a new security key KeNB* according to the component carrier information in the message; KeNB* is calculated in the same manner as in the first embodiment. Finally, both eNB2 and the UE obtain the same new key KeNB* used after handover.
  • eNB2 may also explicitly or implicitly feed back a designated carrier to eNB1 for calculating a new security key.
  • explicitly feeding back a specified carrier means indicating it by signaling.
  • implicitly feeding back a specified carrier means pre-negotiating the specified carrier.
  • the eNB1 can directly calculate a new key according to the carrier information of the specified carrier.
  • the eNB1 may select one carrier from the target component carriers fed back by Cell 2 according to the measurement report of the UE, for example by selecting the carrier with the best measured signal quality, or according to explicit or implicit rules, such as selecting the anchor carrier of the UE or the first carrier in the carrier list; any other selection method may also be used.
  • the eNB1 determines, according to the UE measurement, that the target cell of the UE handover is the carrier aggregation cell Cell 2 managed by the eNB2, and then the eNB1 sends a handover request message to the eNB2; the message contains the currently used security key KeNB or the next hop value NH.
  • the handover request acknowledgement message may include carrier information for calculating a target side new key by the UE and NCC information corresponding to the new key.
  • the RRC reconfiguration message is sent to the UE according to the acknowledgement message, and the RRC reconfiguration message may include the security information required by the UE to calculate the target side new key, that is, the NCC and the component carrier information used when calculating the new key.
  • the UE calculates the UE-side new security key KeNB* according to the NCC in the message and the PCI and EARFCN-DL of the corresponding component carrier; KeNB* is calculated in the same manner as in the first embodiment. Finally, both eNB2 and UE obtain the same new key KeNB* used after handover.
  • the eNB2 may select one carrier from the handover target carriers according to the load of the carriers, according to the priority of the carriers, or by explicit or implicit rules, such as selecting the anchor carrier of the UE or the first carrier in the carrier list; any other selection method may also be used.
  • the component carrier information required to calculate the target side new key KeNB* may be the PCI and EARFCN-DL information of the component carrier, or may be the index information or other identification information of the component carrier, such as the global identifier corresponding to the carrier, from which the target side eNB2 or the UE can obtain the PCI and EARFCN-DL information of the carrier.
  • the component carrier information required to calculate the target side new key KeNB* may be notified explicitly or implicitly: for example, the component carrier information is explicitly specified by signaling, or the anchor carrier is used by default, or the first carrier in the handover target carrier list is used.
  • FIG. 5 is a schematic diagram of an S1 handover procedure according to an embodiment of the present invention.
  • the eNB1 determines that the target cell of the UE handover is the carrier aggregation cell Cell 2 managed by the eNB2 according to the UE measurement, and then the eNB1 initiates an S1 handover request message to the eNB2 through the MME (Mobility Management Entity).
  • the message includes the target carrier information to which the UE is to switch.
  • after the eNB2 successfully accepts the handover, it selects one carrier from the handover target carriers and then calculates the new key of the target side according to the PCI and EARFCN-DL of that carrier, the NH, and the NCC information corresponding to the NH.
  • the calculation manner is the same as that in the first embodiment; the eNB2 then responds to the eNB1 with a handover preparation response message, which includes the carrier information used for calculating the new key and the corresponding NCC information.
  • After receiving the response message from the eNB2, the eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the message includes the security information required by the UE to calculate the target side new key, that is, the NCC and the component carrier information used when calculating the new key.
  • After receiving the RRC (Radio Resource Control) reconfiguration message, the UE calculates the new security key of the UE side according to the NCC in the message and the PCI and EARFCN-DL of the corresponding component carrier, in the same manner as in the first embodiment. Finally, both eNB2 and UE obtain the same new key used after handover.
  • the foregoing eNB2 selects one carrier from the handover target, which may be selected according to the target carrier information in the handover request message, or may be selected from all carriers of the target cell; the selection may be made by the eNB1 according to the measurement report of the UE, such as selecting the carrier with the best measured signal quality, or by the eNB1 according to other explicit or implicit rules, such as selecting the anchor carrier of the UE or the first carrier in the carrier list, or arbitrarily.
  • explicit rule selection refers to selecting a certain component carrier by signaling indication.
  • the implicit selection rule refers to pre-negotiating which component carrier to select.
  • the eNB calculates the new key according to the PCI of the carrier and the EARFCN-DL, etc., and may use any specific calculation method in the prior art, which is not mentioned here.
  • with the interaction method of the security information according to the embodiment of the present invention, through the interaction of the component carrier information and other parameters (for example, NCC), the UE and the eNodeB on the handover target side both obtain the same new security key after handover, which is compatible with the current LTE handover procedure, facilitates the smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
  • the present invention also provides a preferred method for interacting security information. As shown in FIG.
  • the method includes the following steps: S602: The first node B sends a handover request message to the second node B, where the handover request message carries parameter information for calculating a key used after handover, the parameter information including key information or a next hop value NH;
  • the second node B selects information of one or more component carriers from the component carriers of the carrier aggregation cell that it manages, and calculates the key used after the handover according to the information of the selected component carrier and the parameter information carried in the handover request message;
  • the second node B sends the information about the selected component carrier and the parameter information to the terminal UE, so that the UE calculates the key used after the handover according to the information of the selected component carrier and the parameter information.
  • through the interaction of the parameter information, the UE and the eNodeB on the handover target side both obtain the same security key after handover, which is compatible with the current LTE handover procedure, facilitates smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
  • the method further includes: the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the second node B decrypts the handover confirmation message by using the above-mentioned switched key, thereby implementing the interaction of the security information and ensuring the security of handover to the carrier aggregation cell.
  • the method further includes: the second node B selects, in turn, one of the generated plurality of switched keys to decrypt the handover confirmation message until the decryption succeeds, and determines the key used when the decryption succeeds as the switched key.
  • the interaction of security information can be successfully implemented.
  • the selecting, by the second Node B, of one or more component carriers from the component carriers of the carrier aggregation cell that it manages includes: the second Node B selects, from the measurement information reported by the terminal UE for the component carriers of the carrier aggregation cell managed by the second Node B, one or more component carriers with the best signal quality; or the second Node B selects the first component carrier in the working carrier list of the carrier aggregation cell it manages; or the second node B selects the first carrier from the component carriers of the carrier aggregation cell it manages according to the preset selection policy.
  • the device embodiment provides an interaction device for security information, which is located in the first Node B, and is used to implement interaction of security information in the process of handover to a carrier aggregation cell.
  • the interaction device in this embodiment can use the methods in the embodiments of all the interaction methods described above to interact with the security information. As shown in FIG.
  • the security information interaction apparatus includes: a selection module 702, configured to select one or more component carriers from component carriers of a carrier aggregation cell managed by the second Node B; a processing module 704, configured to calculate the switched key by using the information of the selected component carrier as an input parameter; a first sending module 706, configured to send a handover request message to the second node B, where the request message carries the switched key; and a second sending module 708, configured to send information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the information of the selected component carrier as an input parameter.
  • the UE may know and save the above-mentioned switched key in advance.
  • the interaction of the parameter information enables the UE and the eNodeB on the handover target side to obtain the same switched security key, which is compatible with the current LTE handover procedure, facilitates smooth network upgrade, and ensures the security of handover to the carrier aggregation cell.
  • the interaction device further includes: a third sending module 710, configured to send a handover request message to the second node B, where the handover request message carries parameter information for calculating a key used after the handover, where the parameter information includes key information or a next hop value NH, so that the second Node B calculates the key used after the handover according to information of one or more component carriers among the component carriers of the carrier aggregation cell managed by itself and the parameter information carried in the handover request message.
  • the interaction device further includes: a fourth sending module 712, configured to forward to the second node B a handover confirmation message sent by the UE on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the handover request message includes information of the selected component carrier, where the information of the component carrier includes at least one of the following: a physical cell identifier corresponding to the selected component carrier and a downlink carrier frequency.
  • after the second sending module 708 of the first Node B sends the information of the selected component carrier to the terminal UE, the UE calculates the switched key by using the received information of the selected component carrier as an input parameter.
  • the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the second node B decrypts the handover confirmation message using the switched key, thereby implementing security information interaction and ensuring the security of handover to the carrier aggregation cell.
  • the handover request message includes the global identifier of the carrier aggregation cell managed by the second node B.
  • when the second sending module 708 of the first node B sends the information of the selected component carrier to the terminal UE, the second sending module 708 of the first node B also sends the global identifier to the terminal UE; the UE calculates the switched key by using the global identifier as an input parameter; the UE sends to the second node B a handover confirmation message encrypted with the switched key.
  • when the selecting module 702 in the first node B selects a plurality of the component carriers, the calculating, by the processing module 704 of the first node B, of the switched key by using the information of the selected component carrier as an input parameter includes: the processing module 704 of the first node B uses, in turn, the information of each selected component carrier as an input parameter to calculate the switched key corresponding to that component carrier.
  • the sending, by the first sending module 706 of the first node B, of the handover request message to the second node B includes: the first sending module 706 of the first node B sends a handover request message to the second node B, where the request message carries the multiple switched keys.
  • the second node B selects one key from the multiple switched keys as the key used after the handover; the second node B sends the selected key to the first node B; the second sending module 708 of the first node B sends the information of the component carrier corresponding to the selected key to the UE; the UE calculates the switched key by using the information of the received component carrier as an input parameter; the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • the first node B selects the multiple component carriers
  • the first node B sends a handover request message to the second node B
  • the second sending module 708 of the first node B sends the information of the selected multiple component carriers to the UE; the UE selects information of one component carrier from the received information of the multiple component carriers, and calculates the switched key by using the information of that component carrier as an input parameter; the UE sends a handover confirmation message to the second node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
  • after the second Node B receives the handover confirmation message from the UE, the second node B selects, in turn, one of the received plurality of switched keys to decrypt the handover confirmation message until the decryption succeeds, and the key used when the decryption succeeds is determined as the switched key. With this embodiment, the interaction of security information can be successfully implemented.
  • the selecting module 702 of the first Node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B in one of the following manners: the first node B selects, from the measurement report information of the terminal UE for the component carriers of the carrier aggregation cell managed by the second node B, one or more component carriers with the best signal quality; or the first Node B selects the first component carrier in the working carrier list of the carrier aggregation cell managed by the second Node B; or the first node B selects a first carrier from component carriers of the carrier aggregation cell managed by the second node B according to a preset selection policy.
  • the above-mentioned interaction device of the security information can implement the interaction of the security information by using any one of the foregoing method embodiments, and details are not described herein again.
  • the interaction device of the security information according to the embodiment of the present invention through the interaction of the component carrier information and other parameters, enables the UE and the eNodeB on the handover target side to obtain the same new security key after handover. It is compatible with the current LTE handover process, facilitating the smooth upgrade of the network and ensuring the security of handover to the carrier aggregation cell.
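The multi-carrier embodiment above (one KeNB* per selected component carrier, the UE picking one carrier, the second Node B trying each received key in turn) can be traced end to end in the following added example, which is not part of the patent text. The patent leaves the derivation itself to the prior art, so the HMAC-SHA-256 construction of 3GPP TS 33.401 Annex A.5 is assumed here; the NCC rule is simplified, a MAC tag stands in for the encrypted handover confirmation message, and all function names and sample values are constructed.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

FC_KENB_STAR = 0x13  # FC octet assumed from TS 33.401 Annex A.5 (KeNB* derivation)
TAG_LEN = 32         # length of the SHA-256 tag used as stand-in protection


class ComponentCarrier(NamedTuple):
    pci: int        # physical cell identity of the component carrier (0..503)
    earfcn_dl: int  # downlink carrier frequency number of the component carrier


def derive_kenb_star(base_key: bytes, cc: ComponentCarrier) -> bytes:
    """KeNB* = HMAC-SHA-256(KeNB or NH, FC || PCI || L0 || EARFCN-DL || L1)."""
    if len(base_key) != 32:
        raise ValueError("KeNB / NH must be 256 bits")
    if not 0 <= cc.pci <= 503 or not 0 <= cc.earfcn_dl <= 262143:
        raise ValueError("PCI or EARFCN-DL out of range")
    p0 = cc.pci.to_bytes(2, "big")
    # EARFCN-DL values above 65535 are encoded on three octets instead of two.
    p1 = cc.earfcn_dl.to_bytes(2 if cc.earfcn_dl <= 0xFFFF else 3, "big")
    s = (bytes([FC_KENB_STAR]) + p0 + len(p0).to_bytes(2, "big")
         + p1 + len(p1).to_bytes(2, "big"))
    return hmac.new(base_key, s, hashlib.sha256).digest()


def select_base_key(kenb: bytes, nh: bytes, current_ncc: int, signalled_ncc: int) -> bytes:
    """Simplified NCC rule (assumption): unchanged NCC -> KeNB, otherwise NH."""
    return kenb if signalled_ncc == current_ncc else nh


def source_prepare(base_key: bytes, ncc: int, carriers):
    """First Node B: derive one KeNB* per selected component carrier.

    Returns (handover_request, rrc_reconfiguration). Only the request sent to
    the second Node B holds keys; the UE-bound message holds carrier info + NCC.
    """
    keys = [derive_kenb_star(base_key, cc) for cc in carriers]
    handover_request = {"ncc": ncc, "kenb_star_list": keys}
    rrc_reconfiguration = {"ncc": ncc, "carriers": list(carriers)}
    return handover_request, rrc_reconfiguration


def ue_handover_confirm(kenb, nh, current_ncc, rrc_reconfiguration, pick, payload):
    """UE: pick one signalled carrier, derive KeNB*, protect the confirm message."""
    base = select_base_key(kenb, nh, current_ncc, rrc_reconfiguration["ncc"])
    key = derive_kenb_star(base, rrc_reconfiguration["carriers"][pick])
    tag = hmac.new(key, payload, hashlib.sha256).digest()  # stand-in for encryption
    return payload + tag


def target_identify_key(handover_request, message: bytes) -> Optional[tuple]:
    """Second Node B: try each received KeNB* in turn until the check succeeds.

    Returns (position, key), or None when no candidate matches, in which case
    the confirmation must be rejected rather than accepted unprotected.
    """
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    for position, key in enumerate(handover_request["kenb_star_list"]):
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):  # constant-time comparison
            return position, key
    return None


# Constructed sample values, not taken from the patent.
KENB = bytes(range(32))
NH = bytes(range(32, 64))
CARRIERS = [ComponentCarrier(101, 1850), ComponentCarrier(102, 3100),
            ComponentCarrier(103, 66436)]


def demo():
    request, rrc = source_prepare(KENB, 0, CARRIERS)
    good = ue_handover_confirm(KENB, NH, 0, rrc, 1, b"handover confirm")
    # A UE whose NCC is out of step derives from NH, so no candidate key matches.
    stale = ue_handover_confirm(KENB, NH, 1, rrc, 1, b"handover confirm")
    return target_identify_key(request, good)[0], target_identify_key(request, stale)


if __name__ == "__main__":
    print(demo())
```

The trial loop costs one MAC computation per candidate key, and a UE that derives from the wrong base key or an unsignalled carrier yields `None`, so the failure is detected at the first protected message.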

Abstract

An interaction method for secure information is provided, which includes: a first NodeB selects one or more component carriers from the component carriers in a carrier aggregation cell managed by a second NodeB; the first NodeB computes the information of the selected component carriers as the input parameter to obtain the key after handover; the first NodeB transmits a handover request carrying the key after handover to the second NodeB; the first NodeB transmits the information of the selected component carriers to the user equipment(UE) so that the UE computes the received information of the selected component carriers as the input parameter to obtain the key after handover. Correspondingly an apparatus for secure information is provided. The interaction of component carrier information enables both the UE and the eNodeB on the handover target side to obtain the same KeNB after handover so as to be compatible with the current handover flow of Long Term Evolution(LTE), facilitate the balanced upgrade of the network, guarantee the security of the handover to the carrier aggregation cell and solve the problem that the security of information can not be guaranteed during the process of the handover to the carrier aggregation cell.

Description

Security information interaction method and device

TECHNICAL FIELD

The present invention relates to the field of communications, and in particular, to a method and apparatus for interacting security information, used to implement the interaction of security information in the process of handover to a carrier aggregation cell.

BACKGROUND

As shown in FIG. 1, a Long Term Evolution (LTE) network consists of an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and an Evolved Packet Core (EPC), and the network architecture is flat.
The E-UTRAN is connected to the EPC through the S1 interface. The E-UTRAN is composed of a plurality of interconnected evolved base stations (eNB, Evolved NodeB), and the eNBs are connected to each other through the X2 interface; the EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW).

In LTE, movement of the user equipment (UE, User Equipment) within the network coverage area may cause the serving cell of the UE to change. In order to maintain the service continuity of the UE, the network needs to assist the UE in performing handover between cells. Handover within LTE can currently be divided, according to the procedure, into S1 handover and X2 handover, which correspond to the handover procedures through the S1 interface and the X2 interface respectively. The initiator of the handover is called the source side, and the destination of the handover is called the target side. In order to ensure the security of the UE's services after handover, the security key (KeNB) of the UE on the target side needs to be determined during the handover process. In S1 handover, the new KeNB on the target side is calculated by the target side according to the next hop value (NH, Next Hop) and the next hop chaining counter (NCC, Next Hop Chaining Counter) notified by the MME, together with the physical cell identity (PCI, Physical Cell Identity) corresponding to the target cell and the downlink carrier frequency of the cell (EARFCN-DL, E-UTRA Absolute Radio Frequency Channel Number-Down Link). In X2 handover, the new KeNB on the target side, that is, KeNB*, is calculated by the source side according to the PCI of the target-side cell, the EARFCN-DL of the cell, and the currently used KeNB (or the next hop value NH).
Then, the KeNB* and the corresponding next hop chaining counter (NCC) are sent to the target side through a handover request message (Handover Request), and the target side sends the NCC to the UE via the source side through a handover command message (Handover Command). The UE calculates the new security key according to the NCC information in the handover command, using the same method as the network side; the NCC is mainly used to indicate whether the input parameter used in calculating the new key is the KeNB or the NH.

In LTE, a TDD cell provides only one carrier for uplink and downlink transmission, and an FDD cell provides only one pair of carriers (one uplink and one downlink carrier) for uplink and downlink transmission. In order to meet the demand for higher bandwidth, the 3rd Generation Partnership Project (3GPP) has proposed new enhancements to the LTE system, called LTE Advance. LTE Advance proposes carrier aggregation (CA, Carrier Aggregation) to achieve a larger bandwidth. In this case, a cell is composed of multiple contiguous or non-contiguous carriers; each carrier is called a component carrier (CC, Component Carrier), and the cell can provide multi-carrier service to the UE at the same time. A component carrier may be a carrier compatible with the LTE system, called a backward compatible carrier (Backwards compatible carrier); a component carrier may also be a carrier that is not compatible with the existing LTE system, called a non-backward compatible carrier (Non-backwards compatible carrier), which can only be used by LTE Advance UEs and UEs of later releases; a component carrier may also be an extension carrier (Extension carrier), which cannot be used alone and must be used together with other carriers that can be used independently.

It should be noted that the above carrier aggregation cell is only a logical collective term for multiple contiguous or non-contiguous carriers.
Each component carrier in the above description may also be regarded as a cell that has only one carrier. Therefore, in the present invention, the carrier aggregation cell can also be regarded as a collective term for a plurality of cells.

It can be seen from the above that, in a carrier aggregation cell, the UE can use several uplink carriers and downlink carriers at the same time, and, based on the current protocol discussion, if the target side of a handover is a carrier aggregation cell, the UE can be handed over to multiple CCs of the target-side cell at the same time. Before the handover, the source side can decide the target carriers of the UE after the handover based on the measurements of the UE. However, the inventors have found that, because the target side has multiple CCs and the prior art does not disclose a method for the interaction of security information in a multiple-CC scenario, the security of information cannot be guaranteed in the process of handover to a carrier aggregation cell.

SUMMARY OF THE INVENTION

The present invention is proposed in view of the problem in the prior art that the security of information cannot be guaranteed in the process of handover to a carrier aggregation cell. To this end, the main object of the present invention is to provide a method and apparatus for interacting security information, so as to solve at least one of the above problems.

In order to achieve the above object, according to one aspect of the present invention, a method for interacting security information is provided, which includes: a first node B selects one or more component carriers from component carriers of a carrier aggregation cell managed by a second node B; the first node B calculates the switched key by using the information of the selected component carrier as an input parameter; the first node B sends a handover request message to the second node B, where the request message carries the switched key; the first node B sends the information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the received information of the selected component carrier as an input parameter.

In order to achieve the above object, according to another aspect of the present invention, a method for interacting security information is provided, which includes: a first node B sends a handover request message to a second node B, where the handover request message carries parameter information for calculating the key used after the handover, the parameter information including key information or a next hop value NH; the second node B selects information of one or more component carriers from the component carriers of the carrier aggregation cell managed by itself, and calculates the key used after the handover according to the information of the selected component carrier and the parameter information carried in the handover request message; the second node B sends the information of the selected component carrier and the parameter information to the terminal UE, so that the UE calculates the key used after the handover according to the information of the selected component carrier and the parameter information.
In order to achieve the above object, according to still another aspect of the present invention, an apparatus for interacting security information is provided, which is located in a first node B and is used to implement the interaction of security information in the process of handover to a carrier aggregation cell. The interaction apparatus includes: a selection module, configured to select one or more component carriers from component carriers of a carrier aggregation cell managed by the second node B; a processing module, configured to calculate the switched key by using the information of the selected component carrier as an input parameter; a first sending module, configured to send a handover request message to the second node B, where the request message carries the switched key; and a second sending module, configured to send information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the information of the selected component carrier as an input parameter.

According to the present invention, through the interaction of the component carrier information, the UE and the eNodeB on the handover target side both obtain the same switched security key, which is compatible with the current LTE handover procedure, facilitates the smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings described here are used to provide a further understanding of the present invention and constitute a part of this application; the exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of the present invention. In the drawings:

FIG. 1 is a schematic diagram of a network architecture of an LTE network side according to the related art;

FIG. 2 is a preferred flowchart of an interaction method of security information according to an embodiment of the present invention;

FIG. 3 is a flowchart of X2 handover according to an embodiment of the present invention;

FIG. 4 is a flowchart of X2 handover with a negotiation process according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of an S1 handover process according to an embodiment of the present invention;

FIG. 6 is another preferred flowchart of the method for interacting security information according to an embodiment of the present invention;

FIG. 7 is a structural diagram of an apparatus for interacting security information according to an embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other where no conflict arises.

In view of the problem that the prior art cannot guarantee the security of information in the process of handover to a carrier aggregation cell, the present invention provides a method and apparatus for interacting security information. Through the interaction of parameters such as component carrier information, the UE and the eNodeB on the handover target side both obtain the same switched security key, which is compatible with the current LTE handover procedure, facilitates the smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.

According to an embodiment of the present invention, a method for interacting security information is provided, which is used to implement the interaction of security information in the process of handover to a carrier aggregation cell.

As shown in FIG. 2, the method for interacting security information according to the embodiment of the present invention includes the following steps:

Step S202: The first node B selects one or more component carriers from component carriers of the carrier aggregation cell managed by the second node B;
Step S204: The first Node B calculates the switched key by using the information of the selected component carrier as an input parameter.
Step S206: The first Node B sends a handover request message to the second Node B, where the request message carries the switched key.
Step S208: The first Node B sends the information of the selected component carrier to the terminal UE, so that the UE calculates the switched key by using the received information of the selected component carrier as an input parameter.
According to this embodiment, through the interaction of component carrier information, the UE and the eNodeB on the handover target side obtain the same switched security key, which is compatible with the current LTE handover procedure, facilitates smooth network upgrade, and ensures the security of handover to a carrier aggregation cell.
Preferably, the handover request message includes information of the selected component carrier, where the information of the component carrier includes at least one of the following: a physical cell identifier corresponding to the selected component carrier and a downlink carrier frequency.
Preferably, after the first Node B sends the information of the selected component carrier to the terminal UE, the method further includes: the UE calculates the switched key by using the received information of the selected component carrier as an input parameter; the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key. In this scenario, after receiving the handover confirmation message, the second Node B decrypts it by using the switched key, thereby implementing the interaction of security information and ensuring the security of handover to the carrier aggregation cell.
Preferably, the handover request message includes a global identifier of the carrier aggregation cell managed by the second Node B.
Preferably, in the foregoing embodiment, when the first Node B sends the information of the selected component carrier to the terminal UE, the method further includes: the first Node B sends the global identifier to the terminal UE; the UE calculates the switched key by using the global identifier as an input parameter; and the UE sends a handover confirmation message encrypted with the switched key to the second Node B.
Preferably, when the first Node B selects a plurality of component carriers, the first Node B calculating the switched key by using the information of the selected component carriers as an input parameter includes: the first Node B calculates, for each selected component carrier in turn, a switched key corresponding to that component carrier by using the information of that component carrier as an input parameter. In this scenario, the first Node B sending the handover request message to the second Node B includes: the first Node B sends a handover request message to the second Node B, where the request message carries the plurality of switched keys.
Preferably, in the embodiment described in the preceding paragraph, the first Node B sending the information of the selected component carrier to the terminal UE includes: the second Node B selects one key from the plurality of switched keys as the key used after the handover; the second Node B sends the selected key to the first Node B; the first Node B sends the information of the component carrier corresponding to the selected key to the UE; the UE calculates the switched key by using the received information of the component carrier as an input parameter; the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
Preferably, in the embodiment in which the first Node B selects a plurality of component carriers, the first Node B sending the information of the selected component carriers to the terminal UE includes: the first Node B sends the information of the selected plurality of component carriers to the UE; the UE selects the information of one component carrier from the received information of the plurality of component carriers, and calculates the switched key by using the information of that component carrier as an input parameter; the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message by using the switched key.
Preferably, in the embodiment described in the preceding paragraph, after the second Node B receives the handover confirmation message of the UE, the method further includes: the second Node B selects, one at a time, a key from the plurality of received switched keys to decrypt the handover confirmation message until the decryption succeeds, and determines the key used when the decryption succeeds as the switched key. With this embodiment, the interaction of security information can be successfully implemented.
Preferably, in all the foregoing embodiments, the first Node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B in one of the following manners: the first Node B selects the one or more component carriers with the best signal quality from the measurement report information of the terminal UE on the component carriers of the carrier aggregation cell managed by the second Node B; or the first Node B selects the first component carrier from the working carrier list of the carrier aggregation cell managed by the second Node B; or the first Node B selects the first carrier from the component carriers of the carrier aggregation cell managed by the second Node B according to a preset selection policy.
The implementation process of the embodiments of the present invention is described in detail below with reference to examples.
The embodiments of the present invention are mainly based on the case where the handover target side is a carrier aggregation cell. Specifically, in all the following descriptions, the handover target side eNB2 is an LTE-Advanced eNB, that is, eNB2 supports carrier aggregation; likewise, the cell Cell 2 managed by eNB2 is a cell using carrier aggregation, and Cell 2 may have several carriers. Correspondingly, there is no requirement on whether the handover source side eNB1 and the cell Cell 1 it manages support carrier aggregation: eNB1 may or may not support carrier aggregation, and Cell 1 may or may not use carrier aggregation.
Specifically, the embodiments of the present invention may be implemented in the following manners:
Embodiment 1
FIG. 3 is a flowchart of X2 handover according to an embodiment of the present invention. As shown in FIG. 3, eNB1 (eNB: evolved Node B, evolved base station) determines, according to the measurement report of the UE (terminal), that the target cell for UE handover is the carrier aggregation cell Cell 2 (cell 2) managed by eNB2. eNB1 initiates an X2 handover to eNB2: eNB1 selects one of the component carriers of the target cell Cell 2, and uses the PCI and EARFCN-DL information of that component carrier as input parameters to calculate the target-side new key KeNB*, that is, the switched key. Preferably, the switched key can be calculated by one of the following methods:
1) KeNB* = KDF(PCI, EARFCN-DL, NH); or
2) KeNB* = KDF(PCI, EARFCN-DL, KeNB);
where PCI and EARFCN-DL are respectively the physical cell identifier and the downlink frequency information corresponding to the component carrier selected by eNB1, NH is the next hop information stored in eNB1, KeNB is the current key information used in eNB1, and KDF is a currently known key derivation function (Key Derivation Function), which is not described here. Preferably, eNB1 chooses calculation method 1) on the condition that a new {NH, NCC} value that has not yet been used is stored in eNB1; otherwise eNB1 uses the latter.
Then, eNB1 sends the new key, together with the component carrier information required to calculate the key (i.e., PCI and EARFCN-DL) and the NCC information, to eNB2 through the handover request message.
If eNB2 successfully accepts the handover request, it stores the new key KeNB* and responds to eNB1 with a handover request acknowledgement message, which contains the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key.
After receiving the acknowledgement message from eNB2, eNB1 sends an RRC (Radio Resource Control) reconfiguration message to the UE according to the acknowledgement message; the RRC reconfiguration message contains the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key.
After receiving the RRC reconfiguration message, the UE calculates the new UE-side security key KeNB* according to the NCC and the corresponding component carrier information in the message; the calculation method may be the same as the eNB-side calculation method described above. Then, the UE replies to the target side eNB2 with a handover confirmation message, and finally eNB2 and the UE both obtain the same new key KeNB* used after the handover.
Further, the method by which eNB1 selects one of the component carriers of the target cell may be that eNB1 selects according to the measurement report of the UE, for example selecting the carrier with the best measured signal quality; or that eNB1 selects according to an explicit or implicit rule, for example selecting the anchor carrier of the UE or the first carrier in the working carrier list; or any other selection manner. Here, explicit rule selection means that a component carrier is selected by a signaling indication; implicit rule selection means that which component carrier to select is negotiated in advance.
Embodiment 2
As shown in FIG. 3, eNB1 determines, according to the UE measurement report, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2. eNB1 then uses a carrier aggregation cell global identifier CA-CGI of Cell 2 (the global identifier uniquely determines the target cell Cell 2 in the network) in place of the PCI and EARFCN-DL information of a carrier as the input parameter for calculating the new key. Preferably, the switched key can be calculated by one of the following methods:
1) KeNB* = KDF(CA-CGI, NH); or
2) KeNB* = KDF(CA-CGI, KeNB);
where CA-CGI is the carrier aggregation cell global identifier selected by eNB1, NH is the next hop information stored in eNB1, KeNB is the current key information used in eNB1, and KDF is a currently known key derivation function (Key Derivation Function), which is not described here. Preferably, eNB1 chooses calculation method 1) on the condition that a new {NH, NCC} value that has not yet been used is stored in eNB1; otherwise eNB1 uses the latter.
Then, eNB1 sends the generated target-side new key KeNB*, the corresponding NCC, and the global identifier CA-CGI of Cell 2 used when calculating KeNB* to eNB2 through the handover request message.
If eNB2 successfully accepts the handover request, it stores the new key KeNB* and responds to eNB1 with a handover request acknowledgement message, which contains the security information required by the UE to calculate the target-side new key, that is, the NCC and the global identifier CA-CGI of Cell 2 used when calculating the new key.
After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message; the RRC reconfiguration message contains the security information required by the UE to calculate the target-side new key, that is, the NCC and the global identifier CA-CGI of the target cell used when calculating the new key.
After receiving the RRC reconfiguration message, the UE calculates the new UE-side security key KeNB* according to the NCC in the message and the global identifier CA-CGI of the corresponding target cell; the calculation method is the same as the eNB-side calculation method. Then, the UE replies to the target side eNB2 with a handover confirmation message, and finally eNB2 and the UE both obtain the same new key KeNB* used after the handover.
Embodiment 3
As shown in FIG. 3, eNB1 determines, according to the UE measurement report, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2. Then, for all or some of the component carriers of the target cell, eNB1 calculates a corresponding target-side new key KeNB* for each carrier according to that carrier's information, that is, the PCI and EARFCN-DL information of the component carrier. Preferably, KeNB* can be calculated in the same manner as in Embodiment 1.
Then, eNB1 sends all the calculated target-side new keys KeNB*, the NCC corresponding to the new keys KeNB*, and the component carrier information used when calculating each KeNB* to eNB2 through the handover request message.
If eNB2 successfully accepts the handover request, eNB2 selects one of the several new keys KeNB* provided by eNB1 as the new key after the handover, and sends the component carrier information used when calculating that key and the corresponding NCC to eNB1 through the handover request acknowledgement message.
After receiving the handover request acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message contains the component carrier information required by the UE to calculate the target-side new key and the NCC corresponding to the new key.
After receiving the RRC reconfiguration message, the UE calculates the new UE-side security key KeNB* according to the component carrier information and the NCC information in the message. Preferably, KeNB* can be calculated in the same manner as in Embodiment 1.
Then, the UE replies to the target side eNB2 with a handover confirmation message, and finally eNB2 and the UE both obtain the same new key KeNB* used after the handover.
Further, the method by which eNB2 selects the new key from the several new keys provided by eNB1 may be that eNB2 selects according to the load of the carrier corresponding to each key, or according to the priority of the corresponding carrier, or according to an explicit or implicit rule, for example selecting the key corresponding to the anchor carrier of the UE or to the first carrier in the working carrier list; or any other selection. Here, explicit rule selection means that a component carrier is selected by a signaling indication; implicit rule selection means that which component carrier to select is negotiated in advance.
Embodiment 4
As shown in FIG. 3, eNB1 determines, according to the UE measurement report, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2. Then, for all or some of the component carriers of the target cell, eNB1 calculates a corresponding target-side new key KeNB* for each carrier according to that carrier's information, that is, the PCI and EARFCN-DL information of the component carrier. Preferably, KeNB* can be calculated in the same manner as in Embodiment 1.
Then, eNB1 sends all the calculated target-side new keys KeNB* and the NCC information required for calculating the new keys to eNB2.
If eNB2 successfully accepts the handover request, it stores all the new keys KeNB* and, in response to the handover request message, replies to eNB1 with a handover request acknowledgement message. The handover request acknowledgement message contains the NCC information required by the UE to generate the target-side new key and indication information; the indication information indicates the switchable component carriers on the target carrier and the component carrier information corresponding to each of these component carriers, that is, PCI and EARFCN-DL.
After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the RRC reconfiguration message contains the NCC information and the indication information from eNB2.
After receiving the RRC reconfiguration message, the UE selects one component carrier from the switchable target-side component carriers according to the indication information in the message, and generates the new UE-side security key KeNB* according to the component carrier information corresponding to that component carrier and the corresponding NCC. Preferably, KeNB* can be calculated in the same manner as in Embodiment 1. The UE then sends a handover confirmation message to eNB2, and the message is encrypted with the newly generated key KeNB*.
eNB2 blindly decrypts the UE's handover confirmation message using all the stored new keys indicated by eNB1; if the blind decryption succeeds, eNB2 confirms that the key KeNB* currently in use is the new key after the handover. Finally, eNB2 and the UE both obtain the same new key KeNB* used after the handover. Here, blind decryption means that eNB2 takes the new carrier keys that were sent by eNB1 and stored in advance and uses them one by one to decrypt the received handover confirmation message sent by the UE; if the decryption succeeds, the new key currently in use is the switched key.
Further, the method by which the UE selects one carrier from the handover target carrier information may be selection according to the UE's measurement results for the carriers, for example selecting a carrier with a relatively good measurement result; or selection by an explicit or implicit rule, for example selecting the anchor carrier of the UE or the first carrier in the carrier list; or arbitrary selection. Here, explicit rule selection means that a component carrier is selected by a signaling indication; implicit rule selection means that which component carrier to select is negotiated in advance.
Embodiment 5
FIG. 4 is a flowchart of an X2 handover with a negotiation procedure according to an embodiment of the present invention. As shown in FIG. 4:
Step S1: eNB1 determines, according to the UE measurement report, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2, and then eNB1 sends a handover target carrier negotiation request message to eNB2. The request message may contain the information of the target carriers of the Cell 2 handover decided by eNB1, that is, one or more switchable component carriers in the carrier aggregation cell managed by eNB2 and the component carrier information corresponding to these component carriers.
Step S2: After receiving the handover target carrier negotiation request message, eNB2 replies to eNB1 with a handover target carrier negotiation response message, which may contain the handover target carrier information decided by eNB2. Here, the handover target carrier information sent by eNB1 serves only as a reference for eNB2 in choosing the carrier to hand over to; the handover target carrier information decided by eNB2 may be selected from that sent by eNB1, or eNB2 may choose according to its own situation.
Step S3: eNB1 selects one carrier from the several target component carriers fed back by Cell 2, and calculates the target-side new key KeNB* according to the PCI and EARFCN-DL information of that carrier and the currently used key KeNB or NH; KeNB* is calculated in the same manner as in Embodiment 1. The NCC is used to indicate whether KeNB or NH was used to calculate the new key: if NH is used, the NCC must be filled in with the NCC value corresponding to that NH; otherwise the NCC must be filled in with the NCC value corresponding to the current KeNB. Then, eNB1 sends the target-side new key KeNB*, the corresponding NCC, and the information of the component carrier selected when calculating KeNB* to eNB2 through the handover request message.
Step S4: If eNB2 successfully accepts the handover request, it responds to eNB1 with a handover request acknowledgement message, which may contain the security information required by the UE to calculate the target-side new key KeNB*, that is, the corresponding NCC and the component carrier information used when calculating the new key.
Step S5: After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message; the RRC reconfiguration message may contain the security information required by the UE to calculate the target-side new key, that is, the NCC required for calculating the target-side new key KeNB* and the component carrier information used when calculating the key.
Step S6: After receiving the message, the UE calculates the new UE-side security key KeNB* according to the component carrier information in the message; KeNB* is calculated in the same manner as in Embodiment 1. Finally, eNB2 and the UE both obtain the same new key KeNB* used after the handover.
Optionally, in step S2 above, eNB2 may also explicitly or implicitly feed back one designated carrier to eNB1 for calculating the new security key. Here, explicitly feeding back a designated carrier means designating a carrier by signaling; implicitly feeding back a designated carrier means that the designated carrier is negotiated in advance. Correspondingly, in step S3 above, eNB1 can calculate the new key directly from the carrier information of the designated carrier.
Further, the method by which eNB1 selects one carrier from the several target component carriers fed back by Cell 2 may be that eNB1 selects according to the measurement report of the UE, for example selecting the carrier with the best measured signal quality; or that eNB1 selects according to an explicit or implicit rule, for example selecting the anchor carrier of the UE or the first carrier in the carrier list; or any other selection manner.
Embodiment 6
As shown in FIG. 3, eNB1 determines, according to the UE measurement report, that the target cell for UE handover is the carrier aggregation cell Cell 2 managed by eNB2, and then eNB1 sends a handover request message to eNB2; the message contains the currently used security key KeNB or the next hop value NH.
If eNB2 successfully accepts the handover request, it selects one carrier from the handover target carriers and then calculates the new key KeNB* according to the PCI and EARFCN-DL of that carrier and the currently used security key KeNB or the NH information; KeNB* is calculated in the same manner as in Embodiment 1, and the NCC is used to indicate whether the new key KeNB* was calculated from the currently used security key KeNB or from the NH information. eNB2 then responds to eNB1 with a handover request acknowledgement message, which may contain the carrier information with which the UE calculates the target-side new key and the NCC information corresponding to the new key.
After receiving the acknowledgement message from eNB2, eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message; the RRC reconfiguration message may contain the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key.
After receiving the RRC reconfiguration message, the UE calculates the new UE-side security key KeNB* according to the NCC in the message and the PCI and EARFCN-DL of the corresponding component carrier; KeNB* is calculated in the same manner as in Embodiment 1. Finally, eNB2 and the UE both obtain the same new key KeNB* used after the handover.
Further, the method by which eNB2 selects one carrier from the handover target carriers may be that eNB2 selects according to the load of the carriers, or according to the priority of the carriers, or according to an explicit or implicit rule, for example selecting the anchor carrier of the UE or the first carrier in the carrier list; or any other selection.
Further, in the first, third, fifth, and sixth embodiments, the component carrier information required to calculate the target-side new key KeNB* may be the PCI and EARFCN-DL information of the component carrier, or may be index information or other identification information of the component carrier, such as the global identifier corresponding to the carrier; the target-side eNB2 or the UE can use the index or the identifier to obtain the PCI and EARFCN-DL information of the carrier.
Further, in embodiments 1, 3, 5, and 6, the component carrier information required to calculate the target-side new key KeNB* may be notified explicitly or implicitly: for example, the component carrier information is explicitly specified by signaling, or the anchor carrier is used by default, or the first carrier in the handover target carrier list is used.
Further, the above embodiments 1 to 6 are all for X2 handover, that is, the corresponding handover procedure is completed through the X2 interface.
Embodiment 7
This embodiment is mainly for S1 handover, that is, the corresponding handover procedure is completed through the S1 interface. FIG. 5 is a schematic diagram of an S1 handover procedure according to an embodiment of the present invention. As shown in FIG. 5, the eNB1 determines according to the UE measurement that the target cell of the UE handover is the carrier aggregation cell Cell 2 managed by the eNB2, and then the eNB1 sends an S1 handover request message to the eNB2 through the MME (Mobility Management Entity). The message includes the information of the target carriers to which the UE is to be handed over. If the eNB2 successfully accepts the handover, it selects one carrier from the handover target carriers, and then calculates the target-side new key according to the PCI and EARFCN-DL of that carrier, the NH, and the NCC information corresponding to the NH. The calculation manner is the same as that in the first embodiment. The eNB2 then responds to the eNB1 with a handover preparation response message, which includes the carrier information used for calculating the new key and the corresponding NCC information.
After receiving the response message from the eNB2, the eNB1 sends an RRC reconfiguration message to the UE according to the acknowledgement message, where the message includes the security information required by the UE to calculate the target-side new key, that is, the NCC and the component carrier information used when calculating the new key. After receiving the RRC (Radio Resource Control) reconfiguration message, the UE calculates the UE-side new security key according to the NCC in the message and the PCI and EARFCN-DL of the corresponding component carrier; the specific calculation manner is the same as that of the first embodiment. Finally, both the eNB2 and the UE obtain the same new key used after handover.
Further, when the eNB2 selects one carrier from the handover target, the carrier may be selected according to the target carrier information in the handover request message, or may be selected from all carriers of the target cell. The selection may be made by the eNB1 according to the measurement report of the UE, such as selecting the carrier with the best measured signal quality, or by the eNB1 according to other explicit or implicit rules, such as selecting the anchor carrier of the UE or the first carrier in the carrier list, or arbitrarily. Here, explicit rule selection refers to selecting a certain component carrier by signaling indication; implicit rule selection refers to pre-negotiating which component carrier to select.
Further, in the above description, the eNB calculates the new key according to the PCI and EARFCN-DL of the carrier, etc.; any specific calculation method in the prior art may be used, which is not described here.
In summary, according to the interaction method of the security information of the embodiment of the present invention, through the interaction of the component carrier information and other parameters (for example, the NCC), the UE and the eNodeB on the handover target side obtain the same new security key after handover, which is compatible with the current LTE handover procedure, facilitates smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
The present invention also provides a preferred method for interacting security information. As shown in FIG. 6, the method includes the following steps:
S602: The first Node B sends a handover request message to the second Node B, where the handover request message carries parameter information for calculating a key used after handover, the parameter information including key information or a next hop value NH;
S604: The second Node B selects information of one or more component carriers from the component carriers of the carrier aggregation cell that it manages, and calculates the key used after handover according to the information of the selected component carrier and the parameter information carried in the handover request message;
S606: The second Node B sends the information of the selected component carrier and the parameter information to the terminal UE, so that the UE calculates the key used after handover according to the information of the selected component carrier and the parameter information.
According to this embodiment, through the interaction of the parameter information, the UE and the eNodeB on the handover target side both obtain the same security key after handover, which is compatible with the current LTE handover procedure, facilitates smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
Preferably, after the UE calculates the key used after handover according to the information of the selected component carrier and the parameter information, the method further includes: the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key. In this scenario, after receiving the handover confirmation message, the second Node B decrypts it using the post-handover key, thereby implementing the interaction of security information and ensuring the security of handover to the carrier aggregation cell.
Preferably, in the embodiment in which the second Node B selects information of multiple component carriers, after the second Node B receives the handover confirmation message from the UE, the method further includes: the second Node B selects, in turn, one key from the multiple locally generated post-handover keys to decrypt the handover confirmation message until decryption succeeds, and determines the key used when decryption succeeds as the post-handover key. With this embodiment, the interaction of security information can be successfully implemented.
Preferably, in all the foregoing embodiments, the second Node B selects one or more component carriers from the component carriers of the carrier aggregation cell that it manages in one of the following manners: the second Node B selects the one or more component carriers with the best signal quality from the measurement report information of the terminal UE on the component carriers of the carrier aggregation cell managed by the second Node B; or the second Node B selects the first component carrier in the working carrier list of the carrier aggregation cell that it manages; or the second Node B selects the first carrier from the component carriers of the carrier aggregation cell that it manages according to a preset selection policy.
Device embodiment
According to an embodiment of the present invention, an interaction device for security information is provided, which is located in the first Node B and is used to implement the interaction of security information in the process of handover to a carrier aggregation cell. The interaction device in this embodiment can use the methods in all the interaction method embodiments described above to exchange security information. As shown in FIG. 7, the interaction device for security information includes: a selection module 702, configured to select one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B; a processing module 704, configured to calculate the post-handover key using the information of the selected component carrier as an input parameter; a first sending module 706, configured to send a handover request message to the second Node B, where the request message carries the post-handover key; and a second sending module 708, configured to send the information of the selected component carrier to the UE, so that the UE calculates the post-handover key using the information of the selected component carrier as an input parameter.
In the above embodiment, the UE may learn and save the post-handover key in advance. According to this embodiment, through the interaction of the parameter information, the UE and the eNodeB on the handover target side both obtain the same security key after handover, which is compatible with the current LTE handover procedure, facilitates smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
Preferably, the interaction device further includes: a third sending module 710, configured to send a handover request message to the second Node B, where the handover request message carries parameter information for calculating the key used after handover, the parameter information including key information or a next hop value NH, so that the second Node B calculates the key used after handover according to the information of one or more component carriers among the component carriers of the carrier aggregation cell that it manages and the parameter information carried in the handover request message.
Preferably, the interaction device further includes: a fourth sending module 712, configured to forward the handover confirmation message sent by the UE on the selected component carrier to the second Node B, where the UE encrypts the handover confirmation message with the post-handover key.
Preferably, the handover request message includes the information of the selected component carrier, where the information of the component carrier includes at least one of the following: the physical cell identifier and the downlink carrier frequency corresponding to the selected component carrier.
Preferably, after the second sending module 708 of the first Node B sends the information of the selected component carrier to the terminal UE, the UE calculates the post-handover key using the received information of the selected component carrier as an input parameter; the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key. In this scenario, after receiving the handover confirmation message, the second Node B decrypts it using the post-handover key, thereby implementing the interaction of security information and ensuring the security of handover to the carrier aggregation cell.
Preferably, the handover request message includes the global identifier of the carrier aggregation cell managed by the second Node B.
Preferably, in the embodiment described in the preceding paragraph, when the second sending module 708 of the first Node B sends the information of the selected component carrier to the terminal UE, the second sending module 708 of the first Node B sends the global identifier to the terminal UE; the UE calculates the post-handover key using the global identifier as an input parameter; and the UE sends to the second Node B a handover confirmation message encrypted with the post-handover key.
Preferably, when the selection module 702 in the first Node B selects multiple component carriers, the processing module 704 of the first Node B calculating the post-handover key using the information of the selected component carrier as an input parameter includes: the processing module 704 of the first Node B takes the information of each selected component carrier in turn as an input parameter and calculates the post-handover key corresponding to that component carrier. In this scenario, the first sending module 706 of the first Node B sending the handover request message to the second Node B includes: the first sending module 706 of the first Node B sends a handover request message to the second Node B, where the request message carries the multiple post-handover keys.
Preferably, in the embodiment described in the preceding paragraph, after the first sending module 706 of the first Node B sends the handover request message to the second Node B, the second Node B selects one key from the multiple post-handover keys as the key used after handover; the second Node B sends the selected key to the first Node B; the second sending module 708 of the first Node B sends the information of the component carrier corresponding to the selected key to the UE; the UE calculates the post-handover key using the received component carrier information as an input parameter; and the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key.
Preferably, in the above embodiment in which the first Node B selects multiple component carriers, after the first Node B sends the handover request message to the second Node B, the second sending module 708 of the first Node B sends the information of the selected multiple component carriers to the UE; the UE selects the information of one component carrier from the received information of the multiple component carriers, and calculates the post-handover key using the information of that component carrier as an input parameter; and the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key.
Preferably, in the embodiment described in the preceding paragraph, after the second Node B receives the handover confirmation message from the UE, the second Node B selects, in turn, one key from the multiple received post-handover keys to decrypt the handover confirmation message until decryption succeeds, and determines the key used when decryption succeeds as the post-handover key.
With this embodiment, the interaction of security information can be successfully implemented.
Preferably, in all the foregoing embodiments, the selection module 702 of the first Node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B in one of the following manners: the first Node B selects the one or more component carriers with the best signal quality from the measurement report information of the terminal UE on the component carriers of the carrier aggregation cell managed by the second Node B; or the first Node B selects the first component carrier in the working carrier list of the carrier aggregation cell managed by the second Node B; or the first Node B selects the first carrier from the component carriers of the carrier aggregation cell managed by the second Node B according to a preset selection policy.
The above interaction device for security information can implement the interaction of security information by using any one of the foregoing method embodiments, and details are not described herein again.
In summary, with the interaction device for security information according to the embodiment of the present invention, through the interaction of the component carrier information and other parameters, the UE and the eNodeB on the handover target side both obtain the same new security key after handover, which is compatible with the current LTE handover procedure, facilitates smooth upgrade of the network, and ensures the security of handover to the carrier aggregation cell.
It should be noted that the steps shown in the flowcharts of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that described here.
Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps among them may be fabricated into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
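The multi-carrier variant described above (one candidate key per selected component carrier, with the target Node B trying each key on the handover confirmation message until one succeeds) can be sketched as follows. This is an added example, not code from the patent: the KeNB* input string follows the KDF layout of 3GPP TS 33.401 Annex A.5 as an assumption (the description leaves the calculation to the prior art), an HMAC-SHA-256 tag stands in for LTE message protection so that "decryption succeeds" becomes a verifiable check, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FC_KENB_STAR = 0x13      # FC value of the KeNB* derivation (TS 33.401 Annex A.5)
TAG_LEN = 16             # truncated tag length; an assumption of this sketch
LABEL = b"HO-CONFIRM"    # domain-separation label; an assumption of this sketch


@dataclass(frozen=True)
class ComponentCarrier:
    index: int       # position in the handover target carrier list
    pci: int         # physical cell identity, 0..503
    earfcn_dl: int   # downlink carrier frequency number (2-byte form)


def derive_kenb_star(base_key: bytes, cc: ComponentCarrier) -> bytes:
    """KeNB* = HMAC-SHA-256(base_key, FC || PCI || 0x0002 || EARFCN-DL || 0x0002).

    base_key is the current KeNB or the NH value, whichever the NCC indicates.
    """
    if len(base_key) != 32:
        raise ValueError("KeNB/NH must be 256 bits")
    if not 0 <= cc.pci <= 503:
        raise ValueError("PCI out of range")
    if not 0 <= cc.earfcn_dl <= 0xFFFF:
        raise ValueError("only the 2-byte EARFCN-DL encoding is handled here")
    s = (bytes([FC_KENB_STAR])
         + struct.pack(">HH", cc.pci, 2)
         + struct.pack(">HH", cc.earfcn_dl, 2))
    return hmac.new(base_key, s, hashlib.sha256).digest()


def source_prepare(base_key: bytes,
                   carriers: List[ComponentCarrier]) -> Dict[int, bytes]:
    """First Node B: one candidate KeNB* per selected carrier, for the handover request."""
    return {cc.index: derive_kenb_star(base_key, cc) for cc in carriers}


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, LABEL + payload, hashlib.sha256).digest()[:TAG_LEN]


def ue_handover_confirm(base_key: bytes, chosen: ComponentCarrier,
                        payload: bytes) -> bytes:
    """UE: derive KeNB* for the carrier it picked and protect the confirm message."""
    return payload + _tag(derive_kenb_star(base_key, chosen), payload)


def target_resolve_key(candidates: Dict[int, bytes],
                       message: bytes) -> Optional[Tuple[int, bytes]]:
    """Second Node B: try each received key in turn; the first key whose tag
    verifies is the post-handover key. Returns None if no candidate verifies."""
    if len(message) < TAG_LEN:
        return None
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    for index, key in candidates.items():
        if hmac.compare_digest(_tag(key, payload), tag):
            return index, key
    return None


# Constructed sample values (not taken from any real network).
SAMPLE_KENB = bytes(range(32))
SAMPLE_CARRIERS = [
    ComponentCarrier(index=0, pci=101, earfcn_dl=1850),
    ComponentCarrier(index=1, pci=102, earfcn_dl=3100),
    ComponentCarrier(index=2, pci=103, earfcn_dl=6300),
]


def demo() -> Optional[int]:
    keys = source_prepare(SAMPLE_KENB, SAMPLE_CARRIERS)       # sent to target
    msg = ue_handover_confirm(SAMPLE_KENB, SAMPLE_CARRIERS[1],
                              b"RRCConnectionReconfigurationComplete")
    resolved = target_resolve_key(keys, msg)
    return None if resolved is None else resolved[0]


if __name__ == "__main__":
    print("target resolved carrier index:", demo())
```

Without a verifiable check such as the tag used here, the receiver has no reliable way to tell which candidate key is the right one, since decrypting with a wrong key still yields bytes.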

Claims

1. A method for interacting security information, comprising:
a first Node B selects one or more component carriers from the component carriers of a carrier aggregation cell managed by a second Node B;
the first Node B calculates a post-handover key using the information of the selected component carrier as an input parameter;
the first Node B sends a handover request message to the second Node B, where the request message carries the post-handover key;
the first Node B sends the information of the selected component carrier to a terminal UE, so that the UE calculates the post-handover key using the received information of the selected component carrier as an input parameter.
2. The method according to claim 1, wherein the handover request message includes the information of the selected component carrier, where the information of the component carrier includes at least one of the following: the physical cell identifier and the downlink carrier frequency corresponding to the selected component carrier.
3. The method according to claim 1, wherein after the first Node B sends the information of the selected component carrier to the terminal UE, the method further includes:
the UE calculates the post-handover key using the received information of the selected component carrier as an input parameter;
the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key.
4. The method according to claim 1, wherein the handover request message includes the global identifier of the carrier aggregation cell managed by the second Node B.
5. The method according to claim 4, wherein when the first Node B sends the information of the selected component carrier to the terminal UE, the method further includes:
the first Node B sends the global identifier to the UE;
the UE calculates the post-handover key using the global identifier as an input parameter;
the UE sends to the second Node B a handover confirmation message encrypted with the post-handover key.
6. The method according to claim 1, wherein when the first Node B selects multiple component carriers,
the first Node B calculating the post-handover key using the information of the selected component carrier as an input parameter includes:
the first Node B takes the information of each selected component carrier in turn as an input parameter and calculates the post-handover key corresponding to that component carrier;
the first Node B sending the handover request message to the second Node B includes:
the first Node B sends a handover request message to the second Node B, where the request message carries the multiple post-handover keys.
7. The method according to claim 6, wherein the first Node B sending the information of the selected component carrier to the terminal UE includes:
the second Node B selects one key from the multiple post-handover keys as the key used after handover;
the second Node B sends the selected key to the first Node B;
the first Node B sends the information of the component carrier corresponding to the selected key to the UE;
the UE calculates the post-handover key using the received component carrier information as an input parameter;
the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key.
8. The method according to claim 6, wherein the first Node B sending the information of the selected component carrier to the terminal UE includes:
the first Node B sends the information of the selected multiple component carriers to the UE;
the UE selects the information of one component carrier from the received information of the multiple component carriers, and calculates the post-handover key using the information of that component carrier as an input parameter;
the UE sends a handover confirmation message to the second Node B on the selected component carrier, where the UE encrypts the handover confirmation message with the post-handover key.
9. The method according to claim 8, wherein after the second Node B receives the handover confirmation message from the UE, the method further includes:
the second Node B selects, in turn, one key from the multiple received post-handover keys to decrypt the handover confirmation message until decryption succeeds, and determines the key used when decryption succeeds as the post-handover key.
10. The method according to claim 1, wherein the first Node B selects one or more component carriers from the component carriers of the carrier aggregation cell managed by the second Node B in one of the following manners:
the first Node B selects the one or more component carriers with the best signal quality from the measurement report information of the UE on the component carriers of the carrier aggregation cell managed by the second Node B; or
the first Node B selects the first component carrier in the working carrier list of the carrier aggregation cell managed by the second Node B; or
the first Node B selects the first carrier from the component carriers of the carrier aggregation cell managed by the second Node B according to a preset selection policy.
11 一种安全信息的交互方法, 其特征在于, 包括: 11 A method for interacting security information, comprising:
第一节点 B向第二节点 B发送切换请求消息, 其中, 所述切换请求 消息中携带用于计算切换后使用的密钥的参数信息 , 所述参数信息包括 密钥信息或下一 ^兆值 NH;  The first node B sends a handover request message to the second node B, where the handover request message carries parameter information for calculating a key used after the handover, where the parameter information includes key information or a next value NH;
所述第二节点 B从自身管理的载波聚合小区的分量载波中选择一个 或多个分量载波的信息 , 并才艮据选择的分量载波的信息以及所述切换请 求消息中携带的参数信息计算切换后使用的密钥;  The second Node B selects information of one or more component carriers from the component carriers of the carrier aggregation cell that it manages, and calculates the handover according to the information of the selected component carrier and the parameter information carried in the handover request message. Key used later;
所述第二节点 B将所述选择的分量载波的信息和所述参数信息发送 给终端 UE,以便所述 UE根据所述选择的分量载波的信息以及所述参数 信息计算所述切换后使用的密钥。  The second Node B sends the information of the selected component carrier and the parameter information to the terminal UE, so that the UE calculates the used after the handover according to the information of the selected component carrier and the parameter information. Key.
12. The method according to claim 11, wherein, after the UE calculates the key used after handover according to the information of the selected component carrier and the parameter information, the method further comprises:
the UE sends a handover confirmation message to the second Node B on the selected component carrier, wherein the UE encrypts the handover confirmation message using the post-handover key.
13. An interaction apparatus for security information, located in a first Node B and used to implement the interaction of security information during handover to a carrier aggregation cell, wherein the interaction apparatus comprises:
a selection module, configured to select one or more component carriers from the component carriers of the carrier aggregation cell managed by a second Node B;
a processing module, configured to calculate the post-handover key using the information of the selected component carrier as an input parameter;
a first sending module, configured to send a handover request message to the second Node B, wherein the request message carries the post-handover key;
a second sending module, configured to send the information of the selected component carrier to the terminal UE, so that the UE calculates the post-handover key using the information of the selected component carrier as an input parameter.
14. The apparatus according to claim 13, further comprising:
a third sending module, configured to send a handover request message to the second Node B, wherein the handover request message carries parameter information for calculating the key used after handover, and the parameter information includes key information or a next hop value NH, so that the second Node B calculates the key used after handover according to the information of one or more component carriers among the component carriers of the carrier aggregation cell that it manages and the parameter information carried in the handover request message.
15. The apparatus according to claim 13 or 14, further comprising:
a fourth sending module, configured to forward to the second Node B the handover confirmation message sent by the UE on the selected component carrier, wherein the UE encrypts the handover confirmation message using the post-handover key.
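The key agreement that claims 10 to 15 rely on can be illustrated with a short sketch, added here and not part of the patent text: both sides derive the post-handover key from a base key (the current key or NH) plus the selected component carrier's information, so they agree only if the UE is told which carrier the network selected. The KDF layout (HMAC-SHA-256 over an input string modelled on the LTE KeNB* derivation), the use of (PCI, downlink frequency number) as the carrier information, and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

def derive_handover_key(base_key: bytes, pci: int, dl_freq: int) -> bytes:
    """K* = HMAC-SHA-256(base_key, FC || PCI || len || DL freq || len).

    base_key is the current key or the next hop value NH. The string layout is
    an assumption modelled on the LTE KeNB* derivation; the claims only require
    that the selected carrier's information is an input parameter.
    """
    s = b"\x13" + struct.pack(">HH", pci, 2) + struct.pack(">HH", dl_freq, 2)
    return hmac.new(base_key, s, hashlib.sha256).digest()

def select_by_quality(measurements: dict) -> tuple:
    """Claim 10, first option: carrier with the best reported signal quality."""
    return max(measurements, key=measurements.get)

def select_first_working(working_list: list) -> tuple:
    """Claim 10, second option: first entry of the working carrier list."""
    return working_list[0]

def handover(base_key: bytes, selected_cc: tuple, cc_used_by_ue: tuple) -> bool:
    """Return True when network and UE end up with the same post-handover key."""
    network_key = derive_handover_key(base_key, *selected_cc)
    ue_key = derive_handover_key(base_key, *cc_used_by_ue)
    return hmac.compare_digest(network_key, ue_key)

# Constructed sample data: a target cell with three component carriers,
# each identified here by (PCI, downlink frequency number).
WORKING_LIST = [(301, 1850), (302, 2050), (303, 3100)]
UE_REPORT_DBM = {(301, 1850): -97, (302, 2050): -84, (303, 3100): -91}
BASE_KEY = bytes(range(32))  # constructed placeholder, not a real key

def demo():
    cc = select_by_quality(UE_REPORT_DBM)
    # Normal case: the selected carrier's information is signalled to the UE.
    agreed = handover(BASE_KEY, cc, cc)
    # Failure mode: the UE derives from a different carrier of the same cell.
    mismatched = handover(BASE_KEY, cc, select_first_working(WORKING_LIST))
    return cc, agreed, mismatched

if __name__ == "__main__":
    print(demo())
```

In the mismatched case the handover confirmation message of claim 12, encrypted under the UE's key, could not be processed by the network side, which is why the selected carrier's information has to reach the UE.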
PCT/CN2010/076221 2009-08-21 2010-08-20 Interaction method and apparatus for secure information WO2011020445A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910167524.9 2009-08-21
CN200910167524.9A CN101998388B (en) 2009-08-21 2009-08-21 Interaction method and device for security information

Publications (1)

Publication Number Publication Date
WO2011020445A1 (en) 2011-02-24

Family

ID=43606665

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/076221 WO2011020445A1 (en) 2009-08-21 2010-08-20 Interaction method and apparatus for secure information

Country Status (2)

Country Link
CN (1) CN101998388B (en)
WO (1) WO2011020445A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015139298A1 (en) * 2014-03-21 2015-09-24 Qualcomm Incorporated Security mode updates during cellular relocation to avoid call drop
CN105072641A (en) * 2015-07-17 2015-11-18 工业和信息化部电信研究院 Carrier aggregation cell discovery method and apparatus
US9924416B2 (en) 2013-08-01 2018-03-20 Nokia Technologies Oy Methods, apparatuses and computer program products for fast handover
CN109417705A (en) * 2016-08-11 2019-03-01 捷开通讯(深圳)有限公司 The safety enhancing of LTE WLAN polymerization

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140122748A (en) * 2012-02-02 2014-10-20 노키아 솔루션스 앤드 네트웍스 오와이 Signaling of uplink scheduling information in case of carrier aggregation
CN104160730B (en) 2012-02-06 2018-09-25 诺基亚技术有限公司 Fast access method and device
EP2813125B1 (en) 2012-02-10 2019-03-27 Nokia Technologies Oy A method and apparatus for enhanced connection control
CN103906053B (en) * 2012-12-28 2019-09-10 北京三星通信技术研究有限公司 The method of configuration and transmission cryptographic keys
CN105516966B (en) * 2014-09-24 2020-10-02 索尼公司 Apparatus and method in a wireless communication system
CN111093211A (en) * 2019-11-07 2020-05-01 中兴通讯股份有限公司 Control signaling transmission method, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1836415A (en) * 2003-08-13 2006-09-20 皇家飞利浦电子股份有限公司 Encryption method and decoding method for a digital transmission system
CN101026836A (en) * 2007-04-06 2007-08-29 东南大学 Anti vocoder compressed end-to-end voice encryption device and method
CN101169833A (en) * 2006-10-26 2008-04-30 富士通株式会社 Information access system, reader/writer device and contactless information storage device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309500B (en) * 2007-05-15 2011-07-20 华为技术有限公司 Security negotiation method and apparatus when switching between different wireless access technologies

Also Published As

Publication number Publication date
CN101998388A (en) 2011-03-30
CN101998388B (en) 2015-05-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10809578

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10809578

Country of ref document: EP

Kind code of ref document: A1