WO2011054286A1 - Key generation method, device and system - Google Patents

Publication number
WO2011054286A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
relay station
target base
key
station
Prior art date
Application number
PCT/CN2010/078359
Other languages
French (fr)
Chinese (zh)
Inventor
毕晓宇
张冬梅
马慧
张爱琴
王可
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • an RN may be provided on a high-speed mobile vehicle, and the RN provides services for user equipment (UE) on a high-speed mobile vehicle, thereby avoiding frequent handover of a large number of UEs.
  • UE user equipment
  • the message transmitted on the wireless link needs to be encrypted, and the encryption can also be applied to the integrity verification, so as to prevent the message from being illegally falsified or forged to ensure the security of the network.
  • the used key needs to be replaced with the key of the target cell, so that the key can be used to communicate with the target cell normally, that is, when the UE switches between different cells, the key needs to be updated.
  • the embodiment of the present invention provides a method for generating a key, which can be applied to a scenario of RN handover, so that when the RN performs handover between different base stations, the RN or the target base station can generate a key.
  • Embodiments of the present invention also provide a base station, a relay station, and a key generation system.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scenario in which a relay station switches, and the method includes:
  • the source base station calculates a key parameter K1 according to the key K between the source base station and the relay station and the identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station; the source base station sends the K1 to the target base station, so that the target base station obtains a key K2 between the target base station and the relay station according to the K1.
  • Another method for generating a key according to an embodiment of the present invention is applicable to a scenario of a relay station handover, and the method includes:
  • the target base station receives a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to a key K between the source base station and the relay station;
  • the target base station generates a derivation parameter N2;
  • the target base station calculates a key K2 between the relay station and the target base station based on the K1 and the N2.
  • Another method for generating a key which is provided by the embodiment of the present invention, is applicable to a scene of a relay station handover, and the method includes:
  • the relay station receives the security synchronization parameter N1, wherein the N1 is received from the target base station or the source base station;
  • the relay station calculates a key K2 between the relay station and the target base station based on the N1.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scene of a relay station handover, and the method includes:
  • the target base station receives the intermediate key NK sent by the target mobility management entity;
  • the target base station calculates a key K2 between the target base station and the relay station according to the NK and the identification parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scenario in which a relay station switches, and the method includes:
  • the relay station generates a parameter Q1, and the Q1 is used by the user equipment under the relay station to generate a key between the relay station and the user equipment according to the Q1;
  • the relay station sends the Q1 to the user equipment.
  • a base station is provided in a scenario for a relay station handover, and the base station includes:
  • a calculation module configured to calculate a key parameter K1 according to a key K between the base station and the relay station and an identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station;
  • a first sending module configured to send K1 obtained by the calculation module to the target base station, so that the target base station obtains a key K2 between the target base station and the relay station according to the K1.
  • Another base station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the base station includes:
  • a receiving module configured to receive a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to a key between the source base station and the relay station;
  • a relay station configured to calculate a key K2 between the relay station and the base station according to K1 received by the receiving module and N2 generated by the derivation parameter module.
  • a relay station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the relay station includes:
  • a receiving module configured to receive a security synchronization parameter N1, where the N1 is sent by the target base station or the source base station to the relay station;
  • a calculation module configured to calculate a key K2 between the relay station and the target base station according to the N1 received by the receiving module.
  • Another base station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the base station includes:
  • a receiving module configured to receive an intermediate key NK sent by the target mobility management entity;
  • a calculation module configured to calculate a key K2 between the base station and the relay station according to the NK and the identifier of the base station, where the identifier of the base station is used to uniquely identify the base station.
  • a key generation system is provided in the scenario of a relay station handover, and the system includes:
  • the relay station is configured to receive a derivation parameter N2 sent by the target base station, and a security synchronization parameter N1 sent by the target base station or the source base station, and calculate a key K2 between the relay station and the target base station according to the N1 and N2.
  • in the embodiments of the present invention, the source base station generates the key used by the RN and the target base station, or the RN is enabled to obtain the key between the RN and the target base station by being sent a security synchronization parameter. This ensures that the RN can communicate with the target base station using the key, reducing the dropped call rate and improving communication security.
  • FIG. 1 is a schematic flowchart of a key generation method according to an embodiment of the present invention
  • FIG. 2b is a schematic flowchart of a key generation method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a key isolation method according to another embodiment of the present invention
  • FIG. 2 is a schematic diagram of a key isolation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3b is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3g is a schematic diagram of a key generation method according to another embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a key generation method according to still another embodiment of the present invention
  • FIG. 5 is a key generation method according to still another embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 7b is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 7c is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a relay station according to an embodiment of the present invention.
  • FIG. 8b is a schematic structural diagram of a relay station according to an embodiment of the present disclosure.
  • FIG. 8c is a schematic structural diagram of a relay station according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic diagram of a key generation system according to an embodiment of the present invention.
  • Step 101 The source base station determines that the relay station switches to the target base station.
  • the source base station receives the measurement report sent by the relay station, and according to the measurement report, the source base station decides to perform the handover.
  • the source base station may also determine that the relay station switches to the target base station according to other conditions.
  • step 101 is an optional step, which is not necessarily performed.
  • Step 102 The source base station calculates a key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station, and the identification parameter of the target base station.
  • the intermediate key NK is sent by the mobility management entity to the source base station.
  • the identification parameter of the target base station is used to uniquely identify the target base station.
  • the identity parameter of the target base station may be the ID of the target base station, and the target base station may be uniquely identified by the ID of the target base station.
  • the identification parameter of the target base station may also be the certificate of the target base station, or the ID of the target base station and the certificate of the target base station.
  • the identifier parameter of the target base station may include one of the following parameters or any combination thereof, including the ID of the target base station and/or the certificate of the target base station: the UMTS (Universal Mobile Telecommunications System) terrestrial radio access network downlink absolute radio channel number (EARFCN-DL), the cell identity (C-RNTI), the user equipment ID, and the message count value (Message Count) between the relay station and the MME (Mobility Management Entity).
  • After determining that the relay station switches to the target base station, the source base station performs step 102 to calculate K1.
  • Step 103 The source base station sends K1 to the target base station.
  • the source base station transmits K1 to the target base station, so that the target base station can obtain the key K2 between the target base station and the relay station according to K1.
  • the source base station may send a handover request to the target base station, and the handover request carries K1 to complete the transmission of K1.
  • the key generation method provided in this embodiment may further include:
  • Step 104 The source base station sends the security synchronization parameter N1 corresponding to K1 to the target base station.
  • the source base station sends the N1 corresponding to the K1 to the target base station for synchronization by the target base station for subsequent calculation.
  • There is no specific execution order between step 103 and step 104, which may be performed sequentially or simultaneously.
  • the N1 may be sent to the target base station by using the handover request.
  • Step 105 The source base station receives N1 sent by the target base station.
  • After the source base station sends N1 to the target base station, the target base station carries N1 in the handover request response message and sends it to the source base station.
  • the target base station may not change N1, that is, the N1 sent by the source base station is the same as the value of N1 sent by the target base station.
  • Step 106 The source base station sends N1 to the relay station.
  • the source base station may send the N1 to the relay station by using a handover command, and the source base station may not change the value of N1 in this step, that is, the N1 sent by the source base station through the handover command is the same as the value of N1 sent by the target base station.
  • the source base station may transparently forward the message sent by the target base station, that is, the content carried in the message is transparent to the source base station.
  • step 104 to step 106 may not be performed, but the source base station directly transmits N1 corresponding to K1 to the relay station.
  • step 104, the step 105, and the step 106 are not necessary.
  • the embodiment may include part or all of the above three steps, for example, only the step 106 is included, and the step 104 and the step 105 are not included.
  • step 102 may obtain K1 by, for example, K and/or NK, and the identification parameter of the target base station as a parameter.
  • the security synchronization parameter N1 corresponding to the K1 can be determined. For example, when the source base station calculates K1 using ⁇ , N1 corresponding to the K1 is 0. When the source base station calculates K1 using ⁇ , N1 corresponding to the K1 is 1.
  • different bearers on the Uu interface of the UE under the relay station can be aggregated according to different UEs, and the same bearer is transmitted on the Un interface.
  • the keys used on the Un interface are different for different UEs, i.e. the keys on the Un interface are for each UE.
  • the Un interface is an interface between the relay station and the base station, and the Uu interface is an interface between the relay station and the UE.
  • the same QoS bearers of different UEs in the relay station can be aggregated according to the QoS, and the same bearer is transmitted on the Un interface.
  • the key used on the Un interface is the same for the different UEs with the same QoS, that is, the key on the Un interface is for all UEs.
  • the “all UEs” described in the embodiments of the present invention refer to the different UEs with the same QoS.
  • the key on the Un interface may also be for each UE for one part of the UEs, and for all the UEs of the part for the other part of the UEs.
  • the source base station calculates K1 corresponding to each UE according to step 102. Therefore, a list List1 formed by the K1 corresponding to each UE is generated on the source base station side. The source base station transmits the List1 to the target base station.
  • N1 can also be different for different UEs. For the sake of clarity, the following embodiments are described by taking the case where N1 is the same for different UEs as an example.
  • the source base station may also save the list List1.
  • the source base station transmits the calculated K1 to the target base station.
  • the handover of the RN occurs between two base stations under the same MME, that is, the handover on the X2 interface. Therefore, the source base station and the target base station can transmit directly to each other through the X2 interface.
  • the source base station when the relay station performs handover, the source base station separately transmits parameters for calculating the new key to the relay station and the target base station, so that the target base station and the relay station can communicate using the generated key.
  • when the function F used to calculate the key is an irreversible function, key isolation between the target base station and the source base station may be implemented, that is, the target base station does not know the key used between the source base station and the relay station, thereby avoiding the case where a security risk at the target base station also becomes a security risk for the source base station.
  • the method for generating a key provided by another embodiment of the present invention is described in detail below with reference to FIG. 2a.
  • the method can be applied to the scenario of the relay station switching.
  • the technical solutions provided in the following embodiments can be applied to the scenario of the relay station switching, and are not described again.
  • Step 201 The target base station receives the key parameter K1 and the security synchronization parameter N1 sent by the source base station.
  • the target base station can receive K1 and N1 at the same time, and can also receive K1 and N1 separately.
  • the target base station can obtain K1 and N1 by receiving a handover request.
  • K1 may be a key parameter calculated by the source base station according to step 102 of the previous embodiment.
  • Step 202 The target base station determines a key K2 between the relay station and the target base station according to K1.
  • the target base station may directly use K1 as the key K2 between the relay station and the target base station, or may calculate the key K2 between the relay station and the target base station according to K1.
  • Step 203 The target base station sends N1 to the relay station.
  • step 203 is an optional execution step.
  • in step 202, if the target base station directly uses K1 as the key K2 between the relay station and the target base station, the source base station can easily obtain the key used by the target base station; in order to reduce this security risk, the key isolation method shown in FIG. 2b may be used to perform key isolation.
  • Step 204 The target base station receives the fresh parameter sent by the MME. For example, the target base station can receive the fresh parameters sent by the MME in the Path Switch flow.
  • Step 205 The target base station calculates a key K2 between the target base station and the relay station according to the fresh parameter and K1.
  • Since the fresh parameter is transmitted to the target base station, and the target base station uses the fresh parameter to calculate the key, the source base station cannot know the key K2 between the target base station and the relay station. Further, if the key parameter K1 sent by the source base station is not a key between the source base station and the relay station, but is calculated by the source base station from the key K and/or the intermediate key NK between the source base station and the relay station, and if the calculation function is irreversible, the target base station cannot know the key K between the source base station and the relay station, thereby realizing key isolation between the source base station and the target base station, so that a security problem occurring at the source base station/target base station does not affect the target base station/source base station.
  • the same fresh parameter is sent to the RN, and the RN calculates the key between the relay station and the target base station according to the fresh parameter.
  • the MME sends a fresh parameter to the RN to trigger the RN to complete the handover process of the Intra Donor eNB.
  • the key isolation method shown in FIG. 2c may also be used, that is, the target base station performs a derivation operation according to the key sent by the source base station, and generates a key between the target base station and the relay station, so that the source base station cannot know the key between the target base station and the relay station.
  • Step 206 The target base station generates a derivation parameter N2.
  • the derivation parameter N2 is used for key isolation, and thus may be any parameter capable of functioning as a key isolation.
  • the derivation parameter N2 may be a random number generated by the target base station, or may be a combination of one or more of the following parameters: the C-RNTI, the ID of the UE, and the message count value between the RN and the MME, etc.; it may also be a combination of a random number and one or more of the above parameters.
  • Step 207 The target base station calculates a key between the target base station and the relay station according to N2 and K1.
  • F can be a reversible function, or an irreversible function.
  • the target base station needs to transmit N2 to the relay station so that the relay station can calculate the key K2 between the target base station and the relay station based on N2.
  • When the target base station transmits N2, it can be transmitted together with N1 or separately from N1. When the target base station transmits N1 and N2 together, for example, they can be sent by a handover request response. Since the derivation parameter N2 is generated by the target base station, the source base station cannot know the derivation parameter, so that the key between the target base station and the relay station cannot be known, and the effect of key isolation is achieved.
  • the handover of the RN occurs between the target base station and the source base station under the same MME, so the source base station can directly transmit to the target base station through the X2 interface.
  • with the key generation method provided in this embodiment, the target base station generates a key between the target base station and the relay station from the key sent by the source base station, so that the target base station and the relay station can communicate using the generated key, avoiding dropped calls and improving call security.
  • a method for generating a key according to another embodiment of the present invention is described in detail below with reference to FIG. 3a.
  • the method includes:
  • Step 301 The relay station receives the security synchronization parameter N1; the relay station receives the security synchronization parameter N1, which may be received from the source base station or may be received from the target base station. For example, when the relay station switches between the source base station and the target base station under the same MME, the target base station transmits the security synchronization parameter N1 to the source base station, and the source base station transmits N1 to the relay station, so the relay station receives N1 from the source base station.
  • Step 302 The relay station calculates a key K2 between the relay station and the target base station according to N1.
  • the relay station can calculate the key K2 between the relay station and the target base station according to N1, and there may be different methods.
  • the relay station calculates the key K2 between the relay station and the target base station according to N1, which can be:
  • Step 3021 The relay station determines, according to N1, that the key K between the current relay station and the source base station is used for calculation, and calculates K2 according to the identification parameter of the target base station and K; or
  • Step 3022 the relay station calculates the intermediate key NK according to N1, and calculates K2 according to the identification parameter of the target base station and NK.
  • the target base station directly uses the key parameter K1 sent by the source base station as the key K2 between the relay station and the target base station.
  • the method as shown in Figure 3b can be applied to the scenario in which the RN is handed over between the eNBs under the same MME, and may also be applicable to the scenario in which the RN switches between the eNBs in different MMEs.
  • the relay station calculates the key K2 between the relay station and the target base station according to N1, and may also be:
  • Step 3023 the relay station determines to use the key K between the relay station and the source base station according to N1 to calculate, and calculates the intermediate parameter L according to the identification parameter of the target base station and K, and/or step 3024, the relay station calculates the intermediate key NK according to N1. And calculating the intermediate parameter L according to the identification parameter of the target base station and NK;
  • the relay station calculates K2 based on the L and the fresh parameters generated by the MME.
  • the target base station also calculates K2 by using the key parameter K1 sent by the source base station and the fresh parameter generated by the MME, so that the source base station cannot know the key K2 used between the target base station and the relay station, implementing key isolation.
  • the relay station calculates a key K2 between the relay station and the target base station according to N1, and may also be:
  • Step 303 The relay station receives a derivation parameter N2, where N2 is generated by the target base station and sent to the relay station;
  • Step 3026 the relay station determines, according to N1, to use the key K between the relay station and the source base station, and calculates an intermediate parameter M according to the identification parameter of the target base station and K; or, in step 3027, the relay station calculates the intermediate key NK according to N1, and calculates the intermediate parameter M according to the identification parameter of the target base station and NK;
  • the relay station calculates K2 based on M and N2.
  • the target base station generates the derivation parameter N2, and calculates the intermediate parameter M by using the key parameter K1 sent by the source base station, and then calculates K2 by using M and N2, so that the source base station cannot know the key K2 used between the target base station and the relay station, implementing key isolation.
  • the key generation method provided in this embodiment may further include generating a key between the relay station and the user equipment, that is, generating a key on the Uu interface between the relay station and the user equipment.
  • the key on the Uu interface may or may not be related to the key between the relay station and the target base station.
  • when the key between the relay station and the target base station, that is, the key on the Un interface, is generated, the key on the Uu interface needs to be generated.
  • the key on the Un interface is generated.
  • the key on the Uu interface can be generated without using the original key. Of course, a new key can also be generated.
  • the key generation on the Uu interface when the key on the Uu interface is related to the key on the Un interface in this embodiment is described in detail with reference to FIG. 3e.
  • Step 304 the relay station generates a parameter Q1.
  • the parameter Q1 is used by the UE under the relay station to generate a key between the relay station and the user equipment, and can also be used by the relay station to generate a key between the relay station and the user equipment.
  • Step 305 The relay station sends the parameter Q1 to the UE.
  • the Q1 may be sent to the user equipment for the UE to complete the generation of the key on the Uu interface according to Q1. It has been explained in the above embodiments that the key on the Un interface may be for each UE, and may also be for all UEs.
  • there are two different implementation manners of step 304 and step 305, which are described in detail below with reference to FIGS. 3f and 3g.
  • Step 3041 the relay station generates a different parameter Q1 for each UE under the relay station
  • the relay station generates different parameters Q1 for each UE, that is, each UE has its own corresponding Q1.
  • RRC Radio Resource Control
  • the RRC connection reconfiguration message carries the parameter Q1 generated in step 3041.
  • step 3051 does not necessarily carry the parameter Q1 through the RRC connection reconfiguration message; the parameter Q1 may also be carried in other messages sent for each UE.
  • each UE can obtain its own parameter Q1, and generate a key on the Uu interface according to Q1.
  • step 3061 may be further included, and the relay station calculates a key between the relay station and each user equipment under the relay station according to the parameter Q1 generated in step 3041.
  • Step 3042 the relay station generates a parameter Q1, wherein the Q1 is the same for all UEs under the relay station.
  • Step 3052 The relay station periodically broadcasts a system message. Q1 is carried in the periodically broadcast system message.
  • the periodically broadcast system message is, for example, an SIB (System Information Block) or an MIB (Master Information Block).
  • SIB System Information Block
  • MIB Master Information Block
  • Q1 can be placed in the MIB for transmission. Because the MIB is broadcast frequently, when Q1 is short, it can be sent in the MIB. If Q1 is long, sending it in the MIB may cause interference or waste of resources.
  • when Q1 is sent in the MIB, for example, two IEs can be added to the MIB. One IE indicates whether the key on the Uu interface is updated (regenerated), and the other IE indicates the specific value of Q1.
  • Q1 can be placed in SIB2 for transmission.
  • two IEs can be added to the SIB.
  • One IE indicates whether the key on the Uu interface is updated, and the other IE indicates the specific value of Q1.
  • When the UE updates the key on the Uu interface, it reads the specific value of Q1 in SIB2.
  • two IEs can be added to the SIBn, one IE indicating whether the key on the Uu interface is updated, and the other IE indicating the specific value of Q1.
  • When the UE updates the key on the Uu interface, it reads the specific value of Q1 in SIBn.
  • an IE may be added to the MIB, and the IE indicates whether the key on the Uu interface is updated, and an IE is added to the SIB2 or SIBn to indicate the specific value of the Q1.
  • the key can be broadcast to the UE in time when the key is updated on the Uu interface, and the MIB does not carry too many parameters to reduce interference or reduce signaling overhead.
  • the original key, where F** can be either a reversible function or an irreversible function.
  • Step 3062 is further included, in which the relay station calculates a key between the relay station and all user equipments under the relay station according to the parameter Q1 generated in step 3042.
  • a method for generating a key according to still another embodiment of the present invention is described in detail below with reference to FIG. The method includes:
  • Step 401 The target base station receives the intermediate key NK sent by the target MME.
  • the relay station switches between base stations under different MMEs.
  • the relay station sends a measurement report to the source base station.
  • the source base station determines that the relay station performs handover according to the measurement report, and sends a handover request to the source MME.
  • the source MME forwards the handover request to the target MME.
  • the target MME increments the security synchronization parameter N1 by 1, and generates an intermediate key NK.
  • the target MME sends the N1 to the target base station by using the handover request message.
  • The handover request message may carry not only the NK but also the N1, where this N1 is the value after the target MME has incremented it. That is, this embodiment further includes the target base station receiving the N1 sent by the target MME.
  • The target base station may receive N1 and NK at the same time or one after the other; no specific restriction is imposed.
  • Step 402 The target base station calculates a key K2 between the target base station and the relay station according to the NK and the identity parameter of the target base station.
  • Step 403 The target base station sends N1 to the relay station, and the relay station uses it to calculate K2. Step 403 is optional.
  • The method by which the relay station calculates K2 is not described in detail here.
  • For the method by which the relay station calculates K2, refer to the description of the above embodiments.
  • the interface switched by the relay station is an S1 interface.
  • The target base station can calculate the key on the new Un interface according to the obtained NK, and sends the acquired N1 to the relay station so that the relay station can also calculate the key on the Un interface according to N1. This generates a key between the relay station and the target base station, so that the relay station can communicate smoothly with the target base station, and improves call security.
  • the identifier of the target base station can be referred to the description of the foregoing embodiment, and details are not described herein.
  • a key generation method provided by still another embodiment of the present invention will be described in detail below with reference to FIG.
  • the method includes:
  • Step 501 The relay station generates a parameter Q1.
  • the parameter Q1 is used by the user equipment under the relay station to generate a key between the relay station and the user equipment.
  • Step 502 The relay station sends Q1 to the user equipment.
  • the generation of the key on the Uu interface by the relay station may be independent of the generation of the key on the Un interface, or may depend on the generation of the key on the Un interface.
  • the key generation on the Un interface may depend on the key generation on the Uu interface. That is, the key on the Un interface is derived from the key on the Uu interface.
  • When the key generation on the Uu interface is independent of the key generation on the Un interface, key generation on the Un interface does not affect the key used on the Uu interface. A handover of the relay station therefore does not affect the UEs under the relay station, the derivation hierarchy of the key on the access link is followed more closely, and compatibility with user equipment of each version is better.
  • In steps 501 and 502, Q1 may also be different for each UE, or the same for all UEs.
  • For the specific implementation, refer to the methods described in FIGS. 3f and 3g.
  • The generation of a key on the Un interface may also be included; for the specific implementation, refer to the methods shown in FIGS. 3a, 3b, 3c and 3d.
  • The relay station can generate keys autonomously, or generate a key according to parameters provided by the target base station, thereby achieving smooth and secure communication between the relay station and the user equipment, and between the relay station and the target base station.
  • a base station 60 according to an embodiment of the present invention will be described in detail below with reference to FIG.
  • The base station 60 includes: a handover module 601, configured to determine that the relay station switches to the target base station; a calculation module 602, configured to calculate, after the handover module 601 determines the handover, the key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station, and the identification parameter of the target base station; and a first sending module 603, configured to send the K1 obtained by the calculation module 602 to the target base station, so that the target base station obtains K2 according to the K1.
  • The handover module 601 can determine, according to the measurement report sent by the relay station, that the relay station switches to the target base station.
  • The handover module 601 is optional, that is, the base station 60 may include only the calculation module 602 and the first sending module 603.
  • The calculation module 602 is configured to calculate the key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station, and the identification parameter of the target base station.
  • The key parameter K1 can be calculated when the relay station is handed over, and K1 is sent to the target base station, so that the target base station can calculate the key K2 between the target base station and the relay station according to the K1, thereby implementing generation of the target base station's key.
  • The base station 60 provided by this embodiment further includes: a second sending module 604, configured to send the security synchronization parameter N1 corresponding to K1 to the target base station; a receiving module 605, configured to receive the N1 sent by the target base station; and a third sending module 606, configured to send the N1 received by the receiving module 605 to the relay station, so that the relay station calculates the key K2 between the relay station and the target base station.
  • the N1 sent by the second sending module 604 and the N1 received by the receiving module 605 are, for example, the same N1.
  • the base station 60 provided in this embodiment may further include: a generating module 607, configured to generate a security synchronization parameter N1, where the N1 corresponds to K1, and the specific correspondence may refer to the foregoing method embodiment.
  • the second sending module 604 is configured to send the N1 generated by the generating module 607 to the target base station.
  • the base station 60 provided in this embodiment may further include: a fourth sending module 608, configured to directly send the N1 corresponding to K1 to the relay station.
  • The calculation module 602 includes one or any combination of the following: a first calculation unit 6021, configured to calculate the key parameter K1 according to the key K between the base station 60 and the relay station and the identification parameter of the target base station; a second calculation unit 6022, configured to calculate the key parameter K1 according to the intermediate key NK and the identification parameter of the target base station; and a third calculation unit 6023, configured to calculate the key parameter K1 according to the key K between the base station 60 and the relay station, the intermediate key NK, and the identification parameter of the target base station.
  • the first sending module 603 is configured to send a list formed by K1 corresponding to each user equipment under the relay station to the target base station.
  • the base station 60 provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments. For the specific implementation, reference may be made to the foregoing method embodiments.
  • Another base station provided by the embodiment of the present invention is described in detail below with reference to FIG. 7a.
  • the base station includes:
  • the receiving module 701 is configured to receive the key parameter K1 sent by the source base station, and the key module 702 is configured to determine the key K2 between the relay station and the base station according to the K1 received by the receiving module 701.
  • The base station provided in this embodiment may generate the key of the base station according to the parameter sent by the source base station, so that the relay station and the base station can use the generated key for more secure communication.
  • The receiving module 701 is further configured to receive the N1 sent by the source base station, and the base station further includes a second sending module 703, configured to send the N1 received by the receiving module 701 to the relay station, so that the relay station calculates K2 according to N1. Further, as shown in FIG.
  • the receiving module 701a may be configured to receive the fresh parameters sent by the MME, and K1 and N1.
  • the key module 702a is configured to calculate K2 according to the fresh parameters received by the receiving module 701a and K1.
  • the base station may further include a derivation parameter module 704, configured to generate a derivation parameter N2.
  • the key module 702b is configured to calculate K2 according to N2 generated by the derivation parameter module 704 and K1 received by the receiving module 701.
  • The corresponding base station may further include a first sending module 705, configured to send the N2 generated by the derivation parameter module 704 to the relay station.
  • the base station provided by this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment.
  • a relay station 80 according to an embodiment of the present invention will be described in detail below with reference to FIG. 8a.
  • the relay station 80 includes: a receiving module 801, configured to receive the security synchronization parameter N1; and a calculation module 802, configured to calculate a key K2 between the current relay station and the target base station according to the N1 received by the receiving module 801.
  • The relay station 80 provided in this embodiment can calculate the key between the relay station and the target base station according to the received N1 and use that key to communicate with the target base station, which ensures smooth communication between the relay station and the target base station and makes the communication safe and reliable.
  • The relay station 80 may further include: a receiving module 801a, configured to receive the derivation parameter N2 and the security synchronization parameter N1; and a calculation module 802a, configured to calculate K2 according to the N1 and N2 received by the receiving module 801a, or to calculate K2 according to the N1 received by the receiving module 801a. Further, as shown in FIG.
  • The calculation module 802a may include, for example, a first calculating unit 8021, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate K2 according to the identification parameter of the target base station and K; and/or a second calculating unit 8022, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate K2 according to the identification parameter of the target base station and the NK.
  • The calculating module 802a may include, for example, a third calculating unit 8023, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate the intermediate parameter L according to the identification parameter of the target base station and K; and/or a fourth calculating unit 8024, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter L according to the identification parameter of the target base station and NK.
  • the calculation module 802 may further include: a fifth calculation unit, configured to calculate K2 according to the L calculated by the third calculation unit 8023 or the fourth calculation unit 8024 and the fresh parameter. In this embodiment, the fresh parameters are generated by ⁇ .
  • The calculating module 802a may include, for example, a sixth calculating unit 8026, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate the intermediate parameter M according to the identification parameter of the target base station and K; and/or a seventh calculating unit 8027, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter M according to the identification parameter of the target base station and NK.
  • The calculation module 802a may further include: an eighth calculation unit 8028, configured to calculate K2 according to the M calculated by the sixth calculation unit 8026 or the seventh calculation unit 8027 and the N2 received by the receiving module 801a.
  • The relay station 80 may further include a generating module 803, configured to generate a parameter Q1, where the Q1 is used by the UE under the relay station 80 to generate a key between the relay station 80 and the UE; and a sending module 804, configured to send the Q1 generated by the generating module 803 to the above UE.
  • The generating module 803 may include, for example, a first generating unit 8031, configured to generate a parameter Q1 for each UE under the relay station 80, that is, to generate the parameter Q1 separately for different UEs.
  • the sending module 804 may include, for example, a first sending unit 8041, configured to send Q1 to the user equipment corresponding to the Q1 by using an RRC connection reconfiguration message.
  • the generating module 803 may include, for example, a second generating unit.
  • The sending module 804 includes, for example, a second sending unit 8042, configured to send Q1 to the UE through a periodically broadcast system message.
  • the generating module 803 may include, for example, a third generating unit.
  • the relay station 80 provided in this embodiment may be used to switch between different base stations in the same MME, and may also be applied to scenarios in which different base stations switch between different base stations.
  • the relay station 80 provided in this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment. For the specific implementation, reference may be made to the foregoing method embodiment.
  • a base station according to an embodiment of the present invention is described in detail below with reference to FIG.
  • The base station includes: a receiving module 901, configured to receive an intermediate key NK sent by the MME; and a calculating module 902, configured to calculate a key K2 between the base station and the relay station according to the NK received by the receiving module 901 and the identifier parameter of the base station. Further, in this embodiment, the receiving module 901 is further configured to receive the N1 sent by the MME. The corresponding base station further includes a sending module 903, configured to send the N1 received by the receiving module 901 to the relay station, so that the relay station calculates K2 according to N1.
  • The base station provided by this embodiment may generate a key between the base station and the relay station according to the intermediate key, and send a security synchronization parameter to the relay station, so that the relay station can also generate a key between the relay station and the base station. The relay station and the base station can then communicate using the generated key, which ensures smooth communication between the relay station and the target base station and improves communication security.
  • the base station provided by this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment. For the specific implementation, reference may be made to the foregoing method embodiment.
  • the key generation system provided by the embodiment of the present invention will be described in detail below with reference to FIG.
  • the system includes: a relay station 1001 for receiving a security synchronization parameter N1 transmitted by the target base station 1003 or the source base station 1002, and calculating a key K2 between the relay station 1001 and the target base station 1003 according to N1.
  • the key generation system provided in this embodiment can be applied to a scenario in which a relay station switches between different base stations in the same network, and can also be applied to a scenario in which a relay station switches between different base stations. For example, when the relay station switches between different base stations under the same network, the security synchronization parameter sent by the source base station may be received, and when the relay station switches between different base stations, the security synchronization parameter sent by the target base station may be received.
  • the system may further include a target base station 1003 and/or a source base station 1002.
  • For the target base station 1003 and/or the source base station 1002, refer to the above embodiments.
  • The relay station 1001 is further configured to receive the derivation parameter N2 sent by the target base station 1003, and calculate a key K2 between the relay station 1001 and the target base station 1003 according to the N1 and the N2.
  • the relay station 1001 is further configured to generate a parameter Q1, and send Q1 to the UE under the relay station 1001, where Q1 is used by the UE to calculate a key between the relay station 1001 and the UE.
  • the storage medium may be a magnetic disk, an optical disk, a read only memory (ROM) or a random access memory (RAM).
  • Each functional unit in the embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.

Abstract

A key generation method is provided. The method is applicable to relay station handover scenarios and includes the following steps: the source base station computes a key parameter K1 according to the key K between the source base station and the relay station and the identifier parameter of the destination base station, wherein the identifier parameter of the destination base station is used to uniquely identify the destination base station; the source base station sends the K1 to the destination base station, so that the destination base station obtains the key K2 between the destination base station and the relay station according to the K1. A key generation system, a base station and a relay station applicable to relay station handover scenarios are also provided. With the technical solution provided by each embodiment, the relay station can generate the key used with the destination base station, or the destination base station can generate the key used with the relay station, so that both sides can communicate smoothly and the security of the communication is strengthened.

Description

Method, device and system for key generation

This application claims priority to Chinese Patent Application No. 200910110028.X, filed with the Chinese Patent Office on November 3, 2009 and entitled "A Method, Apparatus and System for Key Generation", the entire contents of which are incorporated herein by reference.

Technical Field

The present invention relates to the field of communications technologies, and in particular to a technique for key generation.

Background of the Invention

With the increase in the coverage of wireless communication networks and higher requirements for cell-edge performance, relay technologies have been introduced in wireless communication systems. The introduction of relay stations (Relay Node, RN) can increase the coverage of high-rate data transmission, support group mobility and temporary network deployment and extension, and enhance coverage at the cell edge.
For example, an RN may be installed on a high-speed vehicle and provide services for the user equipment (UE) on that vehicle, thereby avoiding frequent handover of a large number of UEs.
To ensure the security of the communication, messages transmitted on the wireless link need to be encrypted. The encryption can also be applied to integrity verification, preventing messages from being illegally tampered with or forged, so as to ensure the security of the network.
When the UE switches between different cells, the key in use needs to be replaced with the key of the target cell so that the key can be used to communicate normally with the target cell. That is, when the UE switches between different cells, the key needs to be updated.
However, after the RN is introduced, when the RN switches between different base stations, there is no scheme for how the RN obtains the key between the RN and the target base station, nor for how the target base station obtains the key between the RN and the target base station. Therefore, the RN cannot use a key to communicate with the target base station after the handover, so that the RN and the target base station cannot communicate, or the communication between the RN and the target base station carries a huge security risk.

Summary of the Invention

The embodiments of the present invention provide a method for generating a key that is applicable to RN handover scenarios, so that when the RN performs handover between different base stations, the RN or the target base station can generate a key.
The embodiments of the present invention also provide a base station, a relay station, and a key generation system.
A method for generating a key according to an embodiment of the present invention is applicable to relay station handover scenarios, and the method includes:
the source base station calculates a key parameter K1 according to the key K between the source base station and the relay station and the identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station;
the source base station sends the K1 to the target base station, so that the target base station obtains the key K2 between the target base station and the relay station according to the K1.
Another method for generating a key according to an embodiment of the present invention is applicable to relay station handover scenarios, and the method includes:
the target base station receives a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to the key K between the source base station and the relay station;
the target base station generates a derivation parameter N2;
the target base station calculates the key K2 between the relay station and the target base station according to the K1 and the N2.
Yet another method for generating a key according to an embodiment of the present invention is applicable to relay station handover scenarios, and the method includes:
the relay station receives the security synchronization parameter N1, where the N1 is received from the target base station or the source base station;
the relay station calculates the key K2 between the relay station and the target base station according to the N1.
Still another method for generating a key according to an embodiment of the present invention is applicable to relay station handover scenarios, and the method includes:
the target base station receives the intermediate key NK sent by the target mobility management entity;
the target base station calculates the key K2 between the target base station and the relay station according to the NK and the identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station.
A further method for generating a key according to an embodiment of the present invention is applicable to relay station handover scenarios, and the method includes:
the relay station generates a parameter Q1, where the Q1 is used by the user equipment under the relay station to generate the key between the relay station and the user equipment according to the Q1;
the relay station sends the Q1 to the user equipment.
A base station provided by an embodiment of the present invention is applicable to relay station handover scenarios, and the base station includes:
a calculation module, configured to calculate a key parameter K1 according to the key K between this base station and the relay station and the identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station;
a first sending module, configured to send the K1 obtained by the calculation module to the target base station, so that the target base station obtains the key K2 between the target base station and the relay station according to the K1.
Another base station provided by an embodiment of the present invention is applicable to relay station handover scenarios, and the base station includes:
a receiving module, configured to receive a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to the key K between the source base station and the relay station;
a derivation parameter module, configured to generate a derivation parameter N2;
a key module, configured to calculate the key K2 between the relay station and this base station according to the K1 received by the receiving module and the N2 generated by the derivation parameter module.
A relay station provided by an embodiment of the present invention is applicable to relay station handover scenarios, and the relay station includes:
a receiving module, configured to receive a security synchronization parameter N1, where the N1 is sent to this relay station by the target base station or the source base station;
a calculation module, configured to calculate the key K2 between this relay station and the target base station according to the N1 received by the receiving module.
Yet another base station provided by an embodiment of the present invention is applicable to relay station handover scenarios, and the base station includes:
a receiving module, configured to receive an intermediate key NK sent by the target mobility management entity;
a calculation module, configured to calculate the key K2 between this base station and the relay station according to the NK and the identifier parameter of this base station, where the identifier parameter of this base station is used to uniquely identify this base station.
A key generation system provided by an embodiment of the present invention is applicable to relay station handover scenarios, and the system includes:
a relay station, configured to receive a derivation parameter N2 sent by the target base station and a security synchronization parameter N1 sent by the target base station or the source base station, and to calculate the key K2 between this relay station and the target base station according to the N1 and the N2.
As can be seen from the description of the above technical solutions, the embodiments of the present invention obtain the key used by the source base station and thereby generate the key used by the RN and the target base station, or send a security synchronization parameter so that the RN can obtain the key between the RN and the target base station. This ensures that the RN can communicate with the target base station using the key, reduces the dropped-call rate, and improves communication security.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1a is a schematic flowchart of a key generation method provided by an embodiment of the present invention;
FIG. 1b is a schematic flowchart of a key generation method provided by an embodiment of the present invention;
FIG. 2a is a schematic flowchart of a key generation method provided by another embodiment of the present invention;
FIG. 2b is a schematic flowchart of a key isolation method provided by another embodiment of the present invention;
FIG. 2c is a schematic flowchart of a key isolation method provided by another embodiment of the present invention;
FIG. 3a is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3b is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3c is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3d is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3e is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3f is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 3g is a schematic flowchart of a key generation method provided by yet another embodiment of the present invention;
FIG. 4 is a schematic flowchart of a key generation method provided by still another embodiment of the present invention;
FIG. 5 is a schematic flowchart of a key generation method provided by yet still another embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a base station provided by an embodiment of the present invention;
FIG. 7a is a schematic structural diagram of a base station provided by an embodiment of the present invention;
FIG. 7b is a schematic structural diagram of a base station provided by an embodiment of the present invention;
FIG. 7c is a schematic structural diagram of a base station provided by an embodiment of the present invention;
FIG. 8a is a schematic structural diagram of a relay station provided by an embodiment of the present invention;
FIG. 8b is a schematic structural diagram of a relay station provided by an embodiment of the present invention;
FIG. 8c is a schematic structural diagram of a relay station provided by an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a base station provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of a key generation system provided by an embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions provided by the present invention are described in further detail below with reference to the drawings and embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The key generation method provided by an embodiment of the present invention is described in detail below with reference to FIG. 1a. The method is applicable to a relay station handover scenario and includes the following steps:
Step 101: The source base station determines that the relay station is to be handed over to the target base station.
The source base station receives a measurement report sent by the relay station and, based on that report, decides to perform the handover.
The source base station may also determine, based on other conditions, that the relay station is to be handed over to the target base station.
In this embodiment, step 101 is optional and need not be performed.
Step 102: The source base station calculates a key parameter K1 according to the key K between this base station and the relay station and/or an intermediate key NK, together with an identification parameter of the target base station.
The intermediate key NK is sent to the source base station by the mobility management entity.
The identification parameter of the target base station uniquely identifies the target base station. For example, it may be the ID of the target base station, which uniquely identifies that base station.
The identification parameter of the target base station may also be the certificate of the target base station, or the ID of the target base station together with its certificate. In addition, to better identify the target base station, the identification parameter may include, besides the ID and/or certificate of the target base station, one or any combination of the following parameters: the enhanced UMTS (Universal Mobile Telecommunication System) terrestrial radio access network downlink absolute radio channel number (EARFCN-DL), the cell identifier (C-RNTI), the user equipment ID, and the message count value (Message Count) between the relay station and the MME (Mobility Management Entity).
After determining that the relay station is to be handed over to the target base station, the source base station performs step 102 to calculate K1.
Step 103: The source base station sends K1 to the target base station.
The source base station sends K1 to the target base station so that the target base station can obtain the key K2 between the target base station and the relay station according to K1.
In step 103 of this embodiment, the source base station may send a handover request to the target base station and carry K1 in that request, which completes the sending of K1.
Further, as shown in FIG. 1b, the key generation method provided by this embodiment may also include:
Step 104: The source base station sends the security synchronization parameter N1 corresponding to K1 to the target base station.
According to K1, the source base station sends the N1 corresponding to that K1 to the target base station, so that the target base station can synchronize, which facilitates subsequent calculation.
There is no specific execution order between step 103 and step 104; they may be performed one after the other or simultaneously. In this embodiment, N1 may be carried in the handover request and sent to the target base station.
Step 105: The source base station receives N1 sent by the target base station.
After the source base station sends N1 to the target base station, the target base station carries N1 in a handover request response message and sends it to the source base station. The target base station may leave N1 unchanged, that is, the N1 sent by the source base station has the same value as the N1 sent by the target base station.
Step 106: The source base station sends N1 to the relay station.
The source base station may send N1 to the relay station in a handover command, and may leave the value of N1 unchanged in this step, that is, the N1 sent by the source base station in the handover command has the same value as the N1 sent by the target base station.
Steps 105 and 106 may be implemented, for example, by the source base station receiving a message sent by the target base station and forwarding that message; that is, the content carried in the message is transparent to the source base station.
Further, in this embodiment, steps 104 to 106 may be skipped, and the source base station may instead send the N1 corresponding to K1 directly to the relay station.
In this embodiment, steps 104, 105 and 106 are not mandatory. The embodiment may include some or all of these three steps, for example only step 106 without steps 104 and 105.
Further, in this embodiment, step 102 may, for example, take K and/or NK and the identification parameter of the target base station as inputs to a function to obtain K1.
For example, the source base station obtains K1 according to K1 = F[K, ID of the target base station, EARFCN-DL], where F may be any function and is preferably an irreversible function.
For example, the source base station obtains K1 according to K1 = F[NK, ID of the target base station, EARFCN-DL].
Once the source base station has calculated K1, the security synchronization parameter N1 corresponding to that K1 can be determined. For example, when the source base station uses K to calculate K1, the N1 corresponding to that K1 is 0. When the source base station uses NK to calculate K1, the N1 corresponding to that K1 is 1.
In this embodiment, depending on the UE, the different bearers of each UE under the relay station on the Uu interface may be aggregated and transmitted over one bearer on the Un interface. In this case the key used on the Un interface differs between UEs, that is, the key on the Un interface is per UE. The Un interface is the interface between the relay station and the base station, and the Uu interface is the interface between the relay station and the UE.
In this embodiment, depending on QoS, bearers with the same QoS that belong to different UEs under the relay station may be aggregated and transmitted over one bearer on the Un interface. In this case the key used on the Un interface is the same for different UEs with the same QoS, that is, the key on the Un interface is for all UEs. "All UEs" in the embodiments of the present invention refers to these different UEs with the same QoS.
Whether the key on the Un interface is per UE or for all UEs may also be decided according to other factors. Moreover, the key on the Un interface may be per UE for one group of UEs and shared by all UEs of another group. For convenience, the following embodiments describe only the per-UE case and the all-UE case; the mixed case can be implemented by analogy.
When the key between the source base station and the relay station is per UE, the source base station calculates a K1 for each UE according to step 102, so a list List1 of the K1 values corresponding to each UE is generated at the source base station. The source base station sends List1 to the target base station. In addition, N1 may also differ between UEs. For clarity, the following embodiments describe only the case in which N1 is the same for different UEs.
Further, the source base station may also store the list List1.
When the key between the source base station and the relay station is for all UEs, the source base station sends the calculated K1 to the target base station.
In this embodiment, the RN handover takes place between two base stations under the same MME, that is, it is a handover over the X2 interface, so the source base station and the target base station can exchange messages directly over the X2 interface.
With the key generation method provided by this embodiment, when the relay station is handed over, the source base station sends the parameters used to calculate the new key to the relay station and to the target base station respectively, so that the target base station and the relay station can communicate using the generated key.
Further, when the key calculation function F is irreversible, key isolation between the target base station and the source base station is also achieved: the target base station cannot learn the key used between the source base station and the relay station, so a security problem at the target base station does not put the source base station at risk as well.
The key generation method provided by another embodiment of the present invention is described in detail below with reference to FIG. 2a. This method is likewise applicable to a relay station handover scenario, as are the technical solutions in all of the following embodiments, which will not be repeated each time.
Step 201: The target base station receives the key parameter K1 and the security synchronization parameter N1 sent by the source base station.
The target base station may receive K1 and N1 together or separately. For example, the target base station may obtain K1 and N1 by receiving a handover request.
K1 may be, for example, the key parameter calculated by the source base station according to step 102 of the previous embodiment.
Step 202: The target base station determines the key K2 between the relay station and this target base station according to K1.
In step 202, the target base station may use K1 directly as the key K2 between the relay station and this target base station, or may calculate the key K2 between the relay station and this target base station from K1.
Step 203: The target base station sends N1 to the relay station.
After the target base station sends N1 to the relay station, the relay station can calculate K2 according to N1.
In this embodiment, step 203 is optional.
In step 202, if the target base station uses K1 directly as the key K2 between the relay station and this target base station, the source base station can easily learn the key used by the target base station. To reduce this security risk, key isolation can be performed with the key isolation method shown in FIG. 2b.
Step 204: The target base station receives a freshness parameter sent by the MME.
For example, the target base station may receive the freshness parameter sent by the MME in the Path Switch procedure.
Step 205: The target base station calculates the key K2 between this target base station and the relay station according to the freshness parameter and K1.
Because the freshness parameter is sent by the MME to the target base station, and the target base station uses it to calculate the key, the source base station cannot learn the key K2 between the target base station and the relay station. Further, if the key parameter K1 sent by the source base station is not the key between the source base station and the relay station itself, but is calculated by the source base station from the key K between the source base station and the relay station and/or the intermediate key NK, and the calculation function is irreversible, then the target base station cannot learn the key K between the source base station and the relay station either. This achieves key isolation between the source base station and the target base station, so that a security problem at the source base station or the target base station does not affect the other.
Correspondingly, the MME also sends the same freshness parameter to the RN, so that the RN can calculate the key between this relay station and the target base station according to it. Moreover, the MME's delivery of the freshness parameter to the RN can trigger the RN to complete the Intra Nonor eNB handover procedure.
In this embodiment, to solve the key isolation problem, the key isolation method shown in FIG. 2c may also be used: the target base station performs a derivation on the key sent by the source base station to generate the key between the target base station and the relay station, so that the source base station cannot learn the key between the target base station and the relay station.
Step 206: The target base station generates a derivation parameter N2.
In this embodiment the derivation parameter N2 is used for key isolation, so it may be any parameter that can provide key isolation. For example, N2 may be a random number generated by the target base station, or one or a combination of the following parameters: the C-RNTI, the ID of the UE, the message count value between the RN and the MME, and so on. It may also be a combination of a random number with one or more of these parameters.
When the key isolation method shown in FIG. 2c is applied, there is no specific order between the target base station generating N2 and the target base station receiving K1; these may happen one after the other or simultaneously.
Step 207: The target base station calculates the key K2 between the target base station and the relay station according to N2 and K1.
The target base station may calculate it according to K2 = F'[K1, N2], where F' may be the same as or different from the function F used to calculate K1. F' may be a reversible or an irreversible function.
Step 208: The target base station sends N2 to the relay station.
The target base station needs to send N2 to the relay station so that the relay station can calculate the key K2 between the target base station and the relay station according to N2.
The target base station may send N2 together with N1 or separately from N1. When the target base station sends N1 and N2 together, it may do so, for example, in the handover request response.
Because the derivation parameter N2 is generated by the target base station, the source base station cannot learn it and therefore cannot learn the key between the target base station and the relay station, which achieves key isolation.
In this embodiment, the RN handover takes place between a target base station and a source base station under the same MME, so the source base station can exchange messages with the target base station directly over the X2 interface.
With the key generation method provided by this embodiment, the target base station receives the key sent by the source base station and generates the key between the target base station and the relay station, so that the target base station and the relay station can communicate using the generated key, which avoids dropped calls and improves call security.
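The derivations K1 = F[K or NK, ID of the target base station, EARFCN-DL] and K2 = F'[K1, N2] described above can be traced across the three parties in the following added sketch, which is not code from the patent. HMAC-SHA256 as F and F', the 16-byte random N2, the class and function names, the sample identifiers, and the relay station already holding NK are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """Assumed one-way F / F': HMAC-SHA256 over a label and length-prefixed fields."""
    msg = label + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_k1(base_key: bytes, target_id: bytes, earfcn_dl: bytes) -> bytes:
    """K1 = F[K or NK, target base station ID, EARFCN-DL] (step 102)."""
    return kdf(base_key, b"K1", target_id, earfcn_dl)


def derive_k2(k1: bytes, n2: bytes) -> bytes:
    """K2 = F'[K1, N2] (step 207)."""
    return kdf(k1, b"K2", n2)


class SourceBaseStation:
    def __init__(self, k: bytes, nk: bytes):
        self.k, self.nk = k, nk

    def prepare_handover(self, target_id, earfcn_dl, use_nk=False):
        """Return (K1, N1); N1 is 0 when K was used and 1 when NK was used."""
        base = self.nk if use_nk else self.k
        return derive_k1(base, target_id, earfcn_dl), (1 if use_nk else 0)


class TargetBaseStation:
    def __init__(self):
        self.k2 = None

    def accept_handover(self, k1: bytes, n1: int):
        """Generate N2 (step 206), derive K2 (step 207), return (N1, N2) for the relay."""
        n2 = secrets.token_bytes(16)
        self.k2 = derive_k2(k1, n2)
        return n1, n2


class RelayStation:
    def __init__(self, k: bytes, nk: bytes):
        self.k, self.nk = k, nk

    def derive(self, n1: int, n2: bytes, target_id: bytes, earfcn_dl: bytes) -> bytes:
        """Select K or NK from N1, rebuild the intermediate value, then derive K2."""
        if n1 not in (0, 1):
            raise ValueError("unknown security synchronization parameter N1")
        base = self.nk if n1 == 1 else self.k
        return derive_k2(derive_k1(base, target_id, earfcn_dl), n2)


def run_handover(use_nk: bool = False) -> dict:
    # Constructed sample values; in this sketch the relay already holds NK.
    k, nk = secrets.token_bytes(32), secrets.token_bytes(32)
    target_id, earfcn_dl = b"eNB-target-01", (1850).to_bytes(2, "big")
    source, target, relay = SourceBaseStation(k, nk), TargetBaseStation(), RelayStation(k, nk)

    k1, n1 = source.prepare_handover(target_id, earfcn_dl, use_nk)
    n1_echo, n2 = target.accept_handover(k1, n1)
    relay_k2 = relay.derive(n1_echo, n2, target_id, earfcn_dl)
    # The source holds K1 but not N2, so the best it can do is guess N2.
    source_guess = derive_k2(k1, secrets.token_bytes(16))
    # FIG. 2a option: the target reuses K1 as K2, a value the source can recompute.
    reused_k2 = k1
    source_view = derive_k1(nk if use_nk else k, target_id, earfcn_dl)
    return {
        "n1": n1,
        "keys_match": hmac.compare_digest(relay_k2, target.k2),
        "k1_differs_from_base": k1 not in (k, nk),
        "source_guess_matches": hmac.compare_digest(source_guess, target.k2),
        "direct_reuse_known_to_source": hmac.compare_digest(reused_k2, source_view),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(run_handover(flag))
```

Because the source base station holds K1, K2 stays hidden from it only while N2 does; reusing K1 as K2 hands the source the key outright, which is the risk the FIG. 2b and FIG. 2c methods address.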
The key generation method provided by yet another embodiment of the present invention is described in detail below with reference to FIG. 3a. The method includes:
Step 301: The relay station receives a security synchronization parameter N1.
The relay station may receive the security synchronization parameter N1 from the source base station or from the target base station.
For example, when the relay station is handed over between a source base station and a target base station under the same MME, the target base station sends the security synchronization parameter N1 to the source base station, and the source base station then sends N1 to the relay station, so the relay station receives N1 from the source base station.
For example, when the relay station is handed over between a source base station and a target base station under different MMEs, the target MME sends the security synchronization parameter N1 to the target base station, and the target base station sends that N1 to the relay station, so the relay station receives N1 from the target base station.
Step 302: The relay station calculates the key K2 between the relay station and the target base station according to N1.
In this embodiment, the relay station may calculate the key K2 between the relay station and the target base station from N1 in different ways.
Referring to FIG. 3b, the relay station may calculate the key K2 between the relay station and the target base station according to N1 as follows:
Step 3021: The relay station determines, according to N1, to use the key K between this relay station and the source base station for the calculation, and calculates K2 according to the identification parameter of the target base station and K; or
Step 3022: The relay station calculates the intermediate key NK according to N1, and calculates K2 according to the identification parameter of the target base station and NK.
Correspondingly, the target base station directly uses the key parameter K1 sent by the source base station as the key K2 between the relay station and this target base station. The method shown in FIG. 3b is applicable both to the scenario in which the RN is handed over between base stations under the same MME and to the scenario in which the RN is handed over between base stations under different MMEs.
Referring to FIG. 3c, the relay station may also calculate the key K2 between the relay station and the target base station according to N1 as follows:
Step 3023: The relay station determines, according to N1, to use the key K between the relay station and the source base station for the calculation, and calculates an intermediate parameter L according to the identification parameter of the target base station and K; and/or
Step 3024: The relay station calculates the intermediate key NK according to N1, and calculates the intermediate parameter L according to the identification parameter of the target base station and NK; and
Step 3025: The relay station calculates K2 according to L and the freshness parameter generated by the MME.
Correspondingly, the target base station also calculates K2 from the key parameter K1 sent by the source base station and the freshness parameter generated by the MME, so that the source base station cannot learn the key K2 used between the target base station and the relay station, which achieves key isolation.
Referring to FIG. 3d, the relay station may also calculate the key K2 between the relay station and the target base station according to N1 as follows:
Step 303: The relay station receives a derivation parameter N2, where N2 is generated by the target base station and sent to the relay station;
Step 3026: The relay station determines, according to N1, to use the key K between the relay station and the source base station for the calculation, and calculates an intermediate parameter M according to the identification parameter of the target base station and K; or
Step 3027: The relay station calculates the intermediate key NK according to N1, and calculates the intermediate parameter M according to the identification parameter of the target base station and NK;
Step 3028: The relay station calculates K2 according to M and N2.
In this embodiment, there is no specific execution order between step 301 and step 303; they may be performed one after the other or simultaneously.
Correspondingly, the target base station generates the derivation parameter N2, calculates the intermediate parameter M using the key parameter K1 sent by the source base station, and then calculates K2 using M and N2, so that the source base station cannot learn the key K2 used between the target base station and the relay station, which achieves key isolation.
Further, the key generation method provided by this embodiment may also include generating the key between the relay station and the user equipment, that is, the key on the Uu interface between the relay station and the user equipment.
In this embodiment, the key on the Uu interface may or may not be related to the key between the relay station and the target base station. When they are related, the key on the Uu interface must also be generated when the key between the relay station and the target base station, that is, the key on the Un interface, is generated. When they are unrelated, the key on the Uu interface need not be regenerated when the key on the Un interface is generated, and the original key may continue to be used; a new key may of course also be generated.
The generation of the key on the Uu interface when it is related to the key on the Un interface is described in detail below with reference to FIG. 3e.
Step 304: the relay station generates a parameter Q1.
The parameter Q1 is used by a UE under the relay station to generate the key between the relay station and the user equipment, and may also be used by the relay station to generate that key. This embodiment does not limit the manner of generating Q1; for example, Q1 may be randomly generated by the relay station, or generated according to a function F". F" may be a reversible function or an irreversible function. When the function F" is the relationship function between the key on the Un interface and the key on the Uu interface, Q1 may be, for example, Q1=F"[N1]. In this embodiment, other parameters may also be used to generate Q1, such as the ID of the user equipment, the base station ID, the cell ID, or the number of messages.
Step 305: the relay station sends the parameter Q1 to the UE.
After generating the parameter Q1, the relay station may send Q1 to the user equipment, so that the UE completes generation of the key on the Uu interface according to Q1.
It has been explained in the foregoing embodiment that the key on the Un interface may be per UE or may be for all UEs.
Further, in this embodiment, step 304 and step 305 also have two different implementations, which are described in detail below with reference to FIGS. 3f and 3g.
Step 3041: the relay station generates a parameter Q1 that is different for each UE under this relay station.
The relay station generates a different parameter Q1 for each UE, that is, each UE has its own corresponding Q1.
Resource Control, RRC) connection reconfiguration message.
The RRC connection reconfiguration message carries the parameter Q1 generated in step 3041. A person of ordinary skill in the art can understand that in step 3051 the parameter Q1 need not be carried only in the RRC connection reconfiguration message; it may also be carried in other messages that are sent to each UE individually.
Through the above method, each UE can obtain its own parameter Q1 and generate the key on the Uu interface according to Q1, for example by calculating the new key on the Uu interface according to F*=[Ku, Q1], where Ku is the original key on the Uu interface and F* may be a reversible function or an irreversible function.
Therefore, correspondingly, this embodiment may further include step 3061: the relay station calculates, according to the parameter Q1 generated in step 3041, the key between the relay station and each user equipment under this relay station.
Step 3042: the relay station generates a parameter Q1, where Q1 is the same for all UEs under this relay station.
In this embodiment, although all UEs correspond to the same Q1, each UE may still generate a different key according to that same Q1, for example because the starting parameters of the calculation differ or because the calculation formulas used differ.
Step 3052: the relay station periodically broadcasts a system message.
Q1 is carried in the periodically broadcast system message. In this embodiment, the periodically broadcast system message is, for example, an SIB (System Information Block) or an MIB (Master Information Block). This embodiment does not limit the periodically broadcast system message to the MIB and SIB; other periodically broadcast system messages are also included.
For example, if the parameter Q1 is short, Q1 may be placed in the MIB for transmission. Because the MIB is broadcast frequently, Q1 may be sent in the MIB when it is short; if Q1 is long, sending it in the MIB may cause interference or waste resources. When Q1 is sent in the MIB, two IEs may, for example, be added to the MIB: one IE indicates whether the key on the Uu interface is updated (regenerated), and one IE indicates the specific value of Q1. When the UE learns, from the IE indicating whether the key on the Uu interface is updated, that the key on the Uu interface has been updated, it reads the specific value of Q1.
For example, Q1 may be placed in SIB2 for transmission. Similarly, two IEs may be added to the SIB: one IE indicates whether the key on the Uu interface is updated, and the other IE indicates the specific value of Q1. When the key on the Uu interface is updated, the UE reads the specific value of Q1 in SIB2.
For example, Q1 may also be placed in a newly created SIBn for transmission. Similarly, two IEs may be added to SIBn: one IE indicates whether the key on the Uu interface is updated, and the other IE indicates the specific value of Q1. When the key on the Uu interface is updated, the UE reads the specific value of Q1 in SIBn.
For example, one IE may also be added to the MIB to indicate whether the key on the Uu interface is updated, and one IE may be added to SIB2 or SIBn to indicate the specific value of Q1. In this way, an update of the key on the Uu interface can be broadcast to the UE in time, while the MIB does not carry too many parameters, which reduces interference or signaling overhead.
Through the above method, the UE can obtain the parameter Q1 and generate the key on the Uu interface according to Q1, for example by calculating the new key on the Uu interface according to F**=[Ku, Q1], where Ku is the original key on the Uu interface and F** may be a reversible function or an irreversible function.
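The broadcast variant of steps 3042, 3052 and 3062 can be sketched as follows; this is an added example, not code from the patent. HMAC-SHA-256 and XOR stand in for the unspecified F** (one irreversible and one reversible choice), and the IE names `uu_key_update` and `q1` and all key values are constructed for illustration. Because Q1 is broadcast and therefore public, the run also checks whether a new key together with Q1 would give back the old key.

```python
import hashlib
import hmac


def f_irreversible(ku, q1):
    """Assumed irreversible choice for F**: HMAC-SHA-256 keyed with the old Uu key."""
    return hmac.new(ku, b"Uu-update" + q1, hashlib.sha256).digest()


def f_reversible(ku, q1):
    """Assumed reversible choice for F**: byte-wise XOR of the old key with Q1."""
    return bytes(a ^ b for a, b in zip(ku, q1))


class UE:
    def __init__(self, ku, f):
        self.ku, self.f = ku, f

    def on_system_info(self, msg):
        """Read Q1 only when the update-indicator IE says the Uu key was regenerated."""
        if msg["uu_key_update"]:
            self.ku = self.f(self.ku, msg["q1"])
        return self.ku


class RelayStation:
    def __init__(self, ue_keys, f):
        self.ue_keys, self.f = dict(ue_keys), f

    def rekey_all(self, q1):
        """Steps 3042/3052/3062: one Q1 for all UEs, broadcast it, derive each UE's key."""
        self.ue_keys = {ue: self.f(ku, q1) for ue, ku in self.ue_keys.items()}
        # Two IEs as described above: an update indicator and the value of Q1.
        return {"uu_key_update": True, "q1": q1}


# Constructed sample values (hypothetical, not from the page).
KU = {"ue-a": bytes([0xA1]) * 32, "ue-b": bytes([0xB2]) * 32}
Q1 = bytes(range(32, 64))  # public: every listener sees the broadcast


def run(f):
    """Run one broadcast re-keying with the chosen F** and report what holds."""
    relay = RelayStation(KU, f)
    ues = {name: UE(ku, f) for name, ku in KU.items()}
    idle = {"uu_key_update": False, "q1": b""}
    unchanged = all(ue.on_system_info(idle) == KU[n] for n, ue in ues.items())
    msg = relay.rekey_all(Q1)
    new = {n: ue.on_system_info(msg) for n, ue in ues.items()}
    return {
        "unchanged_without_flag": unchanged,
        "relay_agrees": new == relay.ue_keys,
        "keys_differ_per_ue": new["ue-a"] != new["ue-b"],
        # Does undoing the XOR with the public Q1 turn a new key back into the old one?
        "old_key_recoverable": f_reversible(new["ue-a"], Q1) == KU["ue-a"],
    }


if __name__ == "__main__":
    for name, f in (("irreversible", f_irreversible), ("reversible", f_reversible)):
        print(name, run(f))
```

With the same Q1 the UEs still end up with different keys because each starts from its own Ku; only the reversible choice lets the previous Ku be computed from a new key and the broadcast Q1.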
Therefore, correspondingly, this embodiment may further include step 3062: the relay station calculates, according to the parameter Q1 generated in step 3042, the keys between the relay station and all user equipments under this relay station.
A key generation method provided by yet another embodiment of the present invention is described in detail below with reference to FIG. 4. The method includes:
Step 401: the target base station receives the intermediate key NK sent by the target MME.
In this embodiment, the relay station is handed over between base stations under different MMEs. The relay station sends a measurement report to the source base station. The source base station decides, according to the measurement report, that the relay station is to be handed over, and sends a handover request to the source MME. The source MME forwards the handover request to the target MME. Upon receiving the handover request, the target MME increments the security synchronization parameter N1 by 1 and generates the intermediate key NK. The target MME sends N1 to the target base station in a handover request message; the handover request message may carry not only NK but also N1, where N1 is the N1 after being incremented by the target MME. That is, this embodiment may further include the target base station receiving the N1 sent by the target MME. The target base station may receive N1 and NK at the same time or one after the other; there is no specific restriction.
Step 402: the target base station calculates the key K2 between the target base station and the relay station according to NK and the identification parameter of this target base station.
For the specific implementation of step 402, refer to the description of the foregoing embodiment. For example, the target base station obtains K2 according to K2=F[NK, ID of the target base station, EARFCN-DL], where F may be any function and is preferably an irreversible function.
Step 403: the target base station sends N1 to the relay station, so that the relay station can calculate K2. Step 403 is optional.
In this embodiment, the method by which the relay station calculates K2 is not described again; for details, refer to the description of the foregoing embodiment. There is no specific execution order between step 403 and step 402; they may be performed one after the other or simultaneously.
Further, in this embodiment, the interface over which the relay station is handed over is the S1 interface.
With the key generation method provided in this embodiment, the target base station can calculate the new key on the Un interface according to the obtained NK and send the obtained N1 to the relay station, so that the relay station can also calculate the key on the Un interface according to N1. This generates the key between the relay station and the target base station, so that the relay station can communicate with the target base station smoothly, and improves call security.
In this embodiment, for the identification parameter of the target base station, refer to the description of the foregoing embodiment; details are not repeated here.
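Steps 401 to 403 can be traced end to end in the sketch below, which is an added example and not code from the patent. It assumes HMAC-SHA-256 as the irreversible function F, and it assumes that NK is produced by a one-way chain advanced once per increment of N1 from a secret shared by the MME and the relay station; `ROOT_KEY`, the chain rule and the sample identifiers are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample values (hypothetical, not from the page).
ROOT_KEY = bytes(range(32))  # assumed secret shared by the MME and the relay station
TARGET_ID = 0x0001A2B3       # assumed target base station ID
EARFCN_DL = 1850             # assumed downlink carrier frequency number


def kdf(key, label, *params):
    """Assumed irreversible F: HMAC-SHA-256 over a label and length-prefixed parameters."""
    msg = label
    for p in params:
        msg += struct.pack(">H", len(p)) + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def nk_for(root_key, n1):
    """Assumed NK rule: a one-way chain advanced once per increment of N1."""
    nk = kdf(root_key, b"NK-0")
    for _ in range(n1):
        nk = kdf(root_key, b"NK-next", nk)
    return nk


def derive_k2(nk, target_id, earfcn_dl):
    """Step 402: K2 = F[NK, target base station ID, EARFCN-DL]."""
    return kdf(nk, b"K2", struct.pack(">I", target_id), struct.pack(">I", earfcn_dl))


class TargetMME:
    def __init__(self, root_key, n1):
        self.root_key, self.n1 = root_key, n1

    def handover_request(self):
        """Step 401: increment N1, generate NK, send both to the target base station."""
        self.n1 += 1
        return {"NK": nk_for(self.root_key, self.n1), "N1": self.n1}


class TargetBaseStation:
    def __init__(self, bs_id, earfcn_dl):
        self.bs_id, self.earfcn_dl, self.k2 = bs_id, earfcn_dl, None

    def on_handover_request(self, msg):
        """Steps 402 and 403: compute K2 locally, forward only N1 to the relay station."""
        self.k2 = derive_k2(msg["NK"], self.bs_id, self.earfcn_dl)
        return {"N1": msg["N1"]}


class RelayStation:
    def __init__(self, root_key):
        self.root_key = root_key

    def on_n1(self, msg, target_id, earfcn_dl):
        """Relay side: rebuild NK from the received N1, then derive the same K2."""
        return derive_k2(nk_for(self.root_key, msg["N1"]), target_id, earfcn_dl)


def simulate_handover(n1_before=3, relay_view_of_id=TARGET_ID):
    """Return (K2 at the target base station, K2 at the relay, message sent to the relay)."""
    mme = TargetMME(ROOT_KEY, n1_before)
    target = TargetBaseStation(TARGET_ID, EARFCN_DL)
    to_relay = target.on_handover_request(mme.handover_request())
    relay_k2 = RelayStation(ROOT_KEY).on_n1(to_relay, relay_view_of_id, EARFCN_DL)
    return target.k2, relay_k2, to_relay


if __name__ == "__main__":
    bs_k2, rs_k2, sent = simulate_handover()
    print("message to relay:", sent)
    print("keys match:", hmac.compare_digest(bs_k2, rs_k2))
```

Only the counter N1 crosses the air interface; a relay station that uses a stale N1 or a different target base station ID derives a different K2, so a mismatch shows up as a failed key agreement rather than a silently shared key.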
A key generation method provided by a further embodiment of the present invention is described in detail below with reference to FIG. 5. The method includes:
Step 501: the relay station generates a parameter Q1.
The parameter Q1 is used by the user equipment under this relay station to generate the key between this relay station and the user equipment.
Step 502: the relay station sends Q1 to the user equipment.
In this embodiment, the relay station's generation of the key on the Uu interface may be independent of the generation of the key on the Un interface, or may depend on the generation of the key on the Un interface.
In this embodiment, when key generation on the Uu interface is independent of key generation on the Un interface, key generation on the Un interface may also depend on key generation on the Uu interface. That is, the key on the Un interface is derived from the key on the Uu interface.
In this embodiment, when key generation on the Uu interface is independent of key generation on the Un interface, key generation on the Un interface does not affect the key used on the Uu interface. As a result, a handover of the relay station does not affect the UEs under the relay station, the derivation hierarchy of keys on the access link is better followed, and user equipment of all versions is better supported.
In this embodiment, step 501 and step 502 may also differ depending on whether the key on the Un interface is per UE or for all UEs; for the specific implementation, refer to the methods described with reference to FIGS. 3f and 3g.
Further, this embodiment may also include generation of the key on the Un interface; for the specific implementation, refer to the methods shown in FIGS. 3a, 3b, 3c and 3d.
With the key generation method provided in this embodiment, the relay station can generate keys autonomously, or generate keys according to parameters provided by the target base station, so that communication between the relay station and the user equipment, and between the relay station and the target base station, is smooth and secure.
A base station 60 provided by an embodiment of the present invention is described in detail below with reference to FIG. 6. The base station 60 includes: a handover module 601, configured to determine that the relay station is to be handed over to the target base station; a calculation module 602, configured to calculate, after the handover module 601 determines the handover, the key parameter K1 according to the key K between this base station and the relay station and/or the intermediate key NK, and the identification parameter of the target base station; and a first sending module 603, configured to send the K1 obtained by the calculation module 602 to the target base station, so that the target base station obtains K2 according to K1.
The handover module 601 may determine, according to the measurement report sent by the relay station, that the relay station is to be handed over to the target base station.
In this embodiment, the handover module 601 is optional, that is, the base station 60 may include only the calculation module 602 and the first sending module 603. In that case, the calculation module 602 is configured to calculate the key parameter K1 according to the key K between this base station and the relay station and/or the intermediate key NK, and the identification parameter of the target base station.
With the base station 60 provided in this embodiment, the key parameter K1 can be calculated when the relay station is handed over and sent to the target base station, so that the target base station can calculate, according to K1, the key K2 between the target base station and the relay station, thereby generating the key of the target base station.
Further, the base station 60 provided in this embodiment also includes: a second sending module 604, configured to send the security synchronization parameter N1 corresponding to K1 to the target base station; a receiving module 605, configured to receive the N1 sent by the target base station; and a third sending module 606, configured to send the N1 received by the receiving module 605 to the relay station, so that the relay station calculates the key K2 between the relay station and the target base station. In this embodiment, the N1 sent by the second sending module 604 and the N1 received by the receiving module 605 are, for example, the same N1.
Further, the base station 60 provided in this embodiment may also include a generating module 607, configured to generate the security synchronization parameter N1, where N1 corresponds to K1; for the specific correspondence, refer to the foregoing method embodiments. In this case, the second sending module 604 is configured to send the N1 generated by the generating module 607 to the target base station.
Further, the base station 60 provided in this embodiment may also include a fourth sending module 608, configured to send the N1 corresponding to K1 directly to the relay station.
Further, in this embodiment, the calculation module 602 includes one or any combination of the following: a first calculation unit 6021, configured to calculate the key parameter K1 according to the key K between this base station 60 and the relay station and the identification parameter of the target base station; a second calculation unit 6022, configured to calculate the key parameter K1 according to the intermediate key NK and the identification parameter of the target base station; and a third calculation unit 6023, configured to calculate the key parameter K1 according to the key K between this base station 60 and the relay station, the intermediate key NK, and the identification parameter of the target base station.
Further, in this embodiment, when different user equipments under the relay station correspond to different K1 values, the first sending module 603 is configured to send to the target base station a list formed of the K1 corresponding to each user equipment under the relay station.
The base station 60 provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments; for the specific implementation, refer to the foregoing method embodiments.
Another base station provided by an embodiment of the present invention is described in detail below with reference to FIG. 7a. The base station includes:
a receiving module 701, configured to receive the key parameter K1 sent by the source base station; and a key module 702, configured to determine the key K2 between the relay station and this base station according to the K1 received by the receiving module 701.
The base station provided in this embodiment can generate its own key according to the parameter sent by the source base station, so that the relay station and this base station can use the generated key to communicate more securely.
Further, in this embodiment, the receiving module 701 may also be configured to receive the N1 sent by the source base station, and the base station further includes a second sending module 703, configured to send the N1 received by the receiving module 701 to the relay station, so that the relay station calculates K2 according to N1.
Further, as shown in FIG. 7b, in this embodiment, the receiving module 701a may be configured to receive the fresh parameter sent by the MME as well as K1 and N1. In this case, the key module 702a is configured to calculate K2 according to the fresh parameter and K1 received by the receiving module 701a.
Further, as shown in FIG. 7c, in this embodiment, the base station may also include a derivation parameter module 704, configured to generate the derivation parameter N2. Correspondingly, the key module 702b is configured to calculate K2 according to the N2 generated by the derivation parameter module 704 and the K1 received by the receiving module 701. Correspondingly, the base station may also include a first sending module 705, configured to send the N2 generated by the derivation parameter module 704 to the relay station.
The base station provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments; for the specific implementation, refer to the foregoing method embodiments.
A relay station 80 provided by an embodiment of the present invention is described in detail below with reference to FIG. 8a. The relay station 80 includes: a receiving module 801, configured to receive the security synchronization parameter N1; and a calculation module 802, configured to calculate the key K2 between this relay station and the target base station according to the N1 received by the receiving module 801.
With the relay station 80 provided in this embodiment, the key between this relay station and the target base station can be calculated according to the received N1, so that the key can be used to communicate with the target base station. This ensures smooth communication between the relay station and the target base station, and that the communication is secure and reliable.
Further, as shown in FIG. 8b, in this embodiment, the relay station 80 may, for example, also be such that: the receiving module 801a is configured to receive the derivation parameter N2 and the security synchronization parameter N1; and the calculation module 802a is configured to calculate K2 according to the N1 and N2 received by the receiving module 801a, or to calculate K2 according to the N1 received by the receiving module 801a.
Further, as shown in FIG. 8c, in this embodiment, the calculation module 802a may include, for example: a first calculation unit 8021, configured to determine, according to the N1 received by the receiving module 801, that the key K between this relay station 80 and the source base station is to be used for the calculation, and to calculate K2 according to the identification parameter of the target base station and K; and/or a second calculation unit 8022, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate K2 according to the identification parameter of the target base station and NK.
Further, the calculation module 802a may include, for example: a third calculation unit 8023, configured to determine, according to the N1 received by the receiving module 801, that the key K between this relay station 80 and the source base station is to be used for the calculation, and to calculate the intermediate parameter L according to the identification parameter of the target base station and K; and/or a fourth calculation unit 8024, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter L according to the identification parameter of the target base station and NK. In addition, the calculation module 802 may also include a fifth calculation unit, configured to calculate K2 according to the fresh parameter and the L calculated by the third calculation unit 8023 or the fourth calculation unit 8024. In this embodiment, the fresh parameter is generated by the MME.
Further, the calculation module 802a may include, for example: a sixth calculation unit 8026, configured to determine, according to the N1 received by the receiving module 801, that the key K between this relay station 80 and the source base station is to be used for the calculation, and to calculate the intermediate parameter M according to the identification parameter of the target base station and K; and/or a seventh calculation unit 8027, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter M according to the identification parameter of the target base station and NK. In addition, the calculation module 802a may also include an eighth calculation unit 8028, configured to calculate K2 according to the M calculated by the sixth calculation unit 8026 or the seventh calculation unit 8027 and the N2 received by the receiving module 801a.
Further, the relay station 80 may also include: a generating module 803, configured to generate a parameter Q1, where Q1 is used by a UE under this relay station 80 to generate the key between this relay station 80 and that UE; and a sending module 804, configured to send the Q1 generated by the generating module 803 to that UE.
Further, in this embodiment, the generating module 803 may include, for example, a first generating unit 8031, configured to generate a parameter Q1 for each UE under this relay station 80, that is, to generate a separate parameter Q1 for each different UE; and the sending module 804 may include, for example, a first sending unit 8041, configured to send Q1 to the user equipment corresponding to that Q1 in an RRC connection reconfiguration message.
Further, in this embodiment, the generating module 803 may include, for example, a second generating unit 8032, configured to generate a parameter Q1 for all UEs under this relay station 80; that is, the parameter Q1 is the same for all UEs under this relay station 80, so only one Q1 needs to be generated. The sending module 804 includes, for example, a second sending unit 8042, configured to send Q1 to the UEs in a periodically broadcast system message.
Further, in this embodiment, the generating module 803 may include, for example: a third generating unit 8033, configured to randomly generate the parameter Q1; and/or a fourth generating unit 8034, configured to generate the parameter Q1 according to N1.
The relay station 80 provided in this embodiment may be used in a scenario of handover between different base stations under the same MME, and may also be applied to a scenario of handover between different base stations under different MMEs.
The relay station 80 provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments; for the specific implementation, refer to the foregoing method embodiments.
A base station provided by an embodiment of the present invention is described in detail below with reference to FIG. 9. The base station includes: a receiving module 901, configured to receive the intermediate key NK sent by the MME; and a calculation module 902, configured to calculate the key K2 between this base station and the relay station according to the NK received by the receiving module 901 and the identification parameter of this base station.
Further, in this embodiment, the receiving module 901 may also be configured to receive the N1 sent by the MME. Correspondingly, the base station further includes a sending module 903, configured to send the N1 received by the receiving module 901 to the relay station, so that the relay station calculates K2 according to N1.
The base station provided in this embodiment can generate the key between this base station and the relay station according to the intermediate key and, by sending the security synchronization parameter to the relay station, enable the relay station to generate the key between the relay station and this base station as well. The relay station and this base station can then communicate using the generated key, which ensures smooth communication between the relay station and the target base station and improves communication security.
The base station provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments; for the specific implementation, refer to the foregoing method embodiments.
The key generation system provided by an embodiment of the present invention is described in detail below with reference to FIG. 10. The system includes a relay station 1001, configured to receive the security synchronization parameter N1 sent by the target base station 1003 or the source base station 1002, and to calculate the key K2 between the relay station 1001 and the target base station 1003 according to N1.
The key generation system provided in this embodiment may be applied to a scenario in which the relay station is handed over between different base stations under the same MME, and may also be applied to a scenario in which the relay station is handed over between different base stations under different MMEs. For example, when the relay station is handed over between different base stations under the same MME, it may receive the security synchronization parameter sent by the source base station; when the relay station is handed over between different base stations under different MMEs, it may receive the security synchronization parameter sent by the target base station.
Further, in this embodiment, the system may also include the target base station 1003 and/or the source base station 1002. For the implementation of the target base station 1003 and the source base station 1002, refer to the foregoing embodiments.
Further, in this embodiment, the relay station 1001 may also be configured to receive a derivation parameter N2 sent by the target base station 1003, and to calculate the key K2 between the relay station 1001 and the target base station 1003 according to N1 and N2.
Further, in this embodiment, the relay station 1001 may also be configured to generate a parameter Q1 and send Q1 to the UEs under the relay station 1001, where Q1 is used by a UE to calculate the key between the relay station 1001 and the UE.
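An added example, not code from the patent: the K2 derivation chain as run by the source base station, the target base station and the relay station, showing that K2 agrees only when the relay station's N1, N2 and target identifier match those used on the network side. HMAC-SHA-256 as the KDF, the one-byte encoding of N1, the relay/MME secret `k_mme` and the identifiers `eNB-B` and `eNB-C` are assumptions; the page specifies none of them.

```python
"""Relay-station handover key chain: K (or NK) -> K1/M -> K2.

Assumptions added for this example (none are stated on the page):
  * The KDF is HMAC-SHA-256 over length-prefixed fields.
  * N1 is a one-byte counter: 0 selects the current key K, any other value
    selects an intermediate key NK derived from a relay/MME secret (k_mme).
"""
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional


def kdf(key: bytes, label: bytes, *fields: bytes) -> bytes:
    # Length-prefix each field so (b"ab", b"c") and (b"a", b"bc") differ.
    msg = label
    for field in fields:
        msg += len(field).to_bytes(2, "big") + field
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_nk(k_mme: bytes, n1: int) -> bytes:
    """Intermediate key NK: computed by the MME, and by the relay from N1."""
    if not 1 <= n1 <= 255:
        raise ValueError("N1 must be 1..255 to select NK")
    return kdf(k_mme, b"NK", bytes([n1]))


def source_compute_k1(k: bytes, nk: Optional[bytes], n1: int,
                      target_id: bytes) -> bytes:
    """Source base station: K1 from K (N1 == 0) or NK, bound to the target."""
    if n1 == 0:
        base = k
    elif nk is None:
        raise ValueError("N1 selects NK but the MME supplied none")
    else:
        base = nk
    return kdf(base, b"K1", target_id)


def target_compute_k2(k1: bytes, n2: bytes) -> bytes:
    """Target base station: K2 from the received K1 and its own fresh N2."""
    return kdf(k1, b"K2", n2)


def relay_compute_k2(k: bytes, k_mme: bytes, n1: int, n2: bytes,
                     target_id: bytes) -> bytes:
    """Relay station: rebuild M (equal to K1) from N1, then K2 from M and N2."""
    base = k if n1 == 0 else derive_nk(k_mme, n1)
    m = kdf(base, b"K1", target_id)
    return kdf(m, b"K2", n2)


class Handover(NamedTuple):
    k: bytes
    k1: bytes
    k2_target: bytes
    k2_relay: bytes

    @property
    def keys_match(self) -> bool:
        return hmac.compare_digest(self.k2_target, self.k2_relay)


def simulate_handover(n1: int, target_id: bytes,
                      relay_n1: Optional[int] = None,
                      relay_target_id: Optional[bytes] = None) -> Handover:
    """Run one handover; relay_* override what the relay station believes."""
    k = secrets.token_bytes(32)      # constructed relay <-> source BS key
    k_mme = secrets.token_bytes(32)  # constructed relay <-> MME secret
    nk = derive_nk(k_mme, n1) if n1 else None
    k1 = source_compute_k1(k, nk, n1, target_id)
    n2 = secrets.token_bytes(16)     # derivation parameter from the target
    k2_target = target_compute_k2(k1, n2)
    k2_relay = relay_compute_k2(
        k, k_mme,
        n1 if relay_n1 is None else relay_n1,
        n2,
        target_id if relay_target_id is None else relay_target_id,
    )
    return Handover(k, k1, k2_target, k2_relay)


if __name__ == "__main__":
    cases = [
        ("N1=0, in sync", simulate_handover(0, b"eNB-B")),
        ("N1=1, in sync", simulate_handover(1, b"eNB-B")),
        ("relay has stale N1", simulate_handover(1, b"eNB-B", relay_n1=0)),
        ("relay has wrong target",
         simulate_handover(0, b"eNB-B", relay_target_id=b"eNB-C")),
    ]
    for label, run in cases:
        print(f"{label:24} K2 agree: {run.keys_match}")
```

A mismatch in either N1 or the target identifier surfaces only as a K2 disagreement, so in this model a desynchronized relay station fails at the first integrity-protected message rather than at derivation time.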
Finally, it should be noted that a person of ordinary skill in the art will understand that all or part of the procedures in the methods of the foregoing embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the procedures of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as a stand-alone product, it may also be stored in a computer-readable storage medium. The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing specific embodiments are not intended to limit the present invention. For a person of ordinary skill in the art, any modification, equivalent replacement, improvement and the like made without departing from the principles of the present invention shall fall within the protection scope of the present invention.

Claims

1. A key generation method, applicable to a relay station handover scenario, characterized in that the method comprises: a source base station calculating a key parameter K1 according to a key K between the source base station and a relay station and/or an intermediate key NK, and an identification parameter of a target base station, wherein the identification parameter of the target base station is used to uniquely identify the target base station, and the intermediate key is sent by a mobility management entity; and the source base station sending the K1 to the target base station, for the target base station to obtain a key K2 between the target base station and the relay station according to the K1.
2. The method according to claim 1, characterized in that the method further comprises: the source base station sending a security synchronization parameter N1 corresponding to the K1 to the target base station, receiving the N1 sent by the target base station, and sending the N1 to the relay station, for the relay station to calculate the key K2 between the relay station and the target base station according to the N1; or, the method further comprises: the source base station sending the security synchronization parameter N1 corresponding to the K1 directly to the relay station.
3. The method according to claim 1 or 2, characterized in that the identification parameter of the target base station comprises: an identifier (ID) of the target base station and/or a certificate of the target base station; or the identification parameter of the target base station comprises: the ID of the target base station and/or the certificate of the target base station, and one or any combination of the following: the downlink absolute radio frequency channel number of the enhanced Universal Mobile Telecommunications System (UMTS) terrestrial radio access network, a cell identifier C-RNTI, a user equipment ID, and a message count value between the relay station and the mobility management entity.
4. A key generation method, applicable to a relay station handover scenario, characterized in that the method comprises: a target base station receiving a key parameter K1 sent by a source base station, wherein the K1 is obtained by the source base station according to a key K between the source base station and a relay station; the target base station generating a derivation parameter N2; and the target base station calculating a key K2 between the relay station and the target base station according to the K1 and the N2.
5. The method according to claim 4, characterized in that, after the target base station generates N2, the method further comprises: the target base station sending the N2 to the relay station, for the relay station to calculate the K2 according to the N2.
6. The method according to claim 4 or 5, characterized in that the method further comprises: the target base station receiving a security synchronization parameter N1 sent by the source base station; and the target base station sending the N1 to the relay station, for the relay station to calculate the K2.
7. A key generation method, applicable to a relay station handover scenario, characterized in that the method comprises: a relay station receiving a security synchronization parameter N1, wherein the N1 is received from a target base station or a source base station; and the relay station calculating a key K2 between the relay station and the target base station according to the N1.
8. The method according to claim 7, characterized in that the method further comprises: the relay station receiving a derivation parameter N2, wherein the N2 is generated by the target base station and sent to the relay station; and the relay station calculating the K2 according to the N1 comprises: the relay station calculating the K2 according to the N1 and the N2.
9. The method according to claim 8, characterized in that the relay station calculating the key K2 between the relay station and the target base station according to the N1 and the N2 comprises: the relay station determining, according to the N1, to perform the calculation using the key K between the relay station and the source base station, and calculating an intermediate parameter M according to the identification parameter of the target base station and the K; or, the relay station calculating an intermediate key NK according to the N1, and calculating the intermediate parameter M according to the identification parameter of the target base station and the NK; and the relay station calculating the K2 according to the M and the N2; wherein the identification parameter of the target base station is used to uniquely identify the target base station.
10. The method according to any one of claims 7 to 9, characterized in that the method further comprises: the relay station generating a parameter Q1, the Q1 being used by a user equipment under the relay station to generate a key between the relay station and the user equipment according to the Q1; and the relay station sending the Q1 to the user equipment.
11. A key generation method, applicable to a relay station handover scenario, characterized in that the method comprises: a target base station receiving an intermediate key NK sent by a target mobility management entity; and the target base station calculating a key K2 between the target base station and a relay station according to the NK and an identification parameter of the target base station, wherein the identification parameter of the target base station is used to uniquely identify the target base station.
12. The method according to claim 11, characterized in that the method further comprises: the target base station receiving a security synchronization parameter N1 sent by the target mobility management entity; and the target base station sending the N1 to the relay station, for the relay station to calculate the K2 according to the N1.
13. The method according to claim 11 or 12, characterized in that the identification parameter of the target base station comprises: an identifier (ID) of the target base station and/or a certificate of the target base station; or, the identification parameter of the target base station comprises: the ID of the target base station and/or the certificate of the target base station, and one or any combination of the following: the downlink absolute radio frequency channel number of the enhanced Universal Mobile Telecommunications System (UMTS) terrestrial radio access network, a cell identifier C-RNTI, a user equipment ID, and a message count value between the relay station and the mobility management entity.
14. A key generation method, applicable to a relay station handover scenario, characterized in that the method comprises: a relay station generating a parameter Q1, the Q1 being used by a user equipment under the relay station to generate a key between the relay station and the user equipment according to the Q1; and the relay station sending the Q1 to the user equipment.
15. The method according to claim 14, characterized in that the relay station generating the parameter Q1 comprises: the relay station randomly generating the parameter Q1; or the relay station generating the parameter Q1 according to a security synchronization parameter N1, wherein the N1 is received from a source base station or a target base station.
16. The method according to claim 14, characterized in that the relay station generating the parameter Q1 comprises: the relay station generating, for each user equipment under the relay station, a Q1 corresponding to that user equipment; and the relay station sending the Q1 to the user equipment comprises: the relay station sending the Q1 corresponding to each user equipment to that user equipment through a radio resource control connection reconfiguration message; or, the relay station generating the parameter Q1 comprises: the relay station generating a parameter Q1 for all user equipments under the relay station, wherein the Q1 is the same for all the user equipments; and the relay station sending the Q1 to the user equipment comprises: the relay station sending the Q1 to all the user equipments through a periodically broadcast system message.
17. A base station, applicable to a relay station handover scenario, characterized in that the base station comprises: a calculating module, configured to calculate a key parameter K1 according to a key K between this base station and a relay station and/or an intermediate key NK, and an identification parameter of a target base station, wherein the identification parameter of the target base station is used to uniquely identify the target base station, and the intermediate key NK is sent to this base station by a mobility management entity; and a first sending module, configured to send the K1 obtained by the calculating module to the target base station, so that the target base station obtains a key K2 between the target base station and the relay station according to the K1.
18. The base station according to claim 17, characterized in that the base station further comprises: a second sending module, configured to send a security synchronization parameter N1 corresponding to the K1 to the target base station; a receiving module, configured to receive the N1 sent by the target base station; and a third sending module, configured to send the N1 received by the receiving module to the relay station, so that the relay station calculates the key K2 between the relay station and the target base station; or, the base station further comprises: a fourth sending module, configured to send the security synchronization parameter N1 corresponding to the K1 directly to the target base station.
19. A base station, applicable to a relay station handover scenario, characterized in that the base station comprises: a receiving module, configured to receive a key parameter K1 sent by a source base station, wherein the K1 is obtained by the source base station according to a key K between the source base station and a relay station; a derivation parameter module, configured to generate a derivation parameter N2; and a key module, configured to calculate a key K2 between the relay station and this base station according to the K1 received by the receiving module and the N2 generated by the derivation parameter module.
20. The base station according to claim 19, characterized in that the base station further comprises: a first sending module, configured to send the N2 obtained by the derivation parameter module to the relay station, so that the relay station obtains the K2 according to the N2.
21. The base station according to claim 19 or 20, characterized in that the receiving module is further configured to receive a security synchronization parameter N1 sent by the source base station; and the base station further comprises: a second sending module, configured to send the N1 received by the receiving module to the relay station, so that the relay station obtains the K2 according to the N1.
22. A relay station, applicable to a relay station handover scenario, characterized in that the relay station comprises: a receiving module, configured to receive a security synchronization parameter N1, wherein the N1 is sent to this relay station by a target base station or a source base station; and a calculating module, configured to calculate a key K2 between this relay station and the target base station according to the N1 received by the receiving module.
23. The relay station according to claim 22, characterized in that the receiving module is further configured to receive a derivation parameter N2, wherein the N2 is generated by the target base station and sent to this relay station; and the calculating module is configured to calculate the K2 according to the N1 and the N2 received by the receiving module.
24. The relay station according to claim 22 or 23, characterized in that the relay station further comprises: a generating module, configured to generate a parameter Q1, the Q1 being used by a user equipment under this relay station to generate a key between this relay station and the user equipment; and a sending module, configured to send the Q1 to the user equipment.
25. A base station, applicable to a relay station handover scenario, characterized in that the base station comprises: a receiving module, configured to receive an intermediate key NK sent by a target mobility management entity; and a calculating module, configured to calculate a key K2 between this base station and a relay station according to the NK and an identification parameter of this base station, wherein the identification parameter of this base station is used to uniquely identify this base station.
26. The base station according to claim 25, characterized in that the receiving module is further configured to receive a security synchronization parameter N1 sent by the target mobility management entity; and the base station further comprises: a sending module, configured to send the N1 to the relay station, so that the relay station calculates the K2 according to the N1.
27. A key generation system, applicable to a relay station handover scenario, characterized in that the system comprises: a relay station, configured to receive a derivation parameter N2 sent by a target base station and a security synchronization parameter N1 sent by the target base station or a source base station, and to calculate a key K2 between this relay station and the target base station according to the N1 and the N2.
28. The system according to claim 27, characterized in that the relay station is further configured to generate a parameter Q1 and send the Q1 to a user equipment under this relay station, wherein the Q1 is used by the user equipment to generate a key between this relay station and the user equipment according to the Q1.
PCT/CN2010/078359 2009-11-03 2010-11-03 Key generation method, device and system WO2011054286A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910110028.X 2009-11-03
CN200910110028.XA CN102056160B (en) 2009-11-03 2009-11-03 Method, device and system for generating key

Publications (1)

Publication Number Publication Date
WO2011054286A1 true WO2011054286A1 (en) 2011-05-12

Family

ID=43959974

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/078359 WO2011054286A1 (en) 2009-11-03 2010-11-03 Key generation method, device and system

Country Status (2)

Country Link
CN (1) CN102056160B (en)
WO (1) WO2011054286A1 (en)

Also Published As

Publication number Publication date
CN102056160B (en) 2013-10-09
CN102056160A (en) 2011-05-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10827900

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10827900

Country of ref document: EP

Kind code of ref document: A1