WO2011054286A1 - Key generation method, and associated device and system - Google Patents

Publication number
WO2011054286A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
relay station
target base
key
station
Application number
PCT/CN2010/078359
Other languages
English (en)
Chinese (zh)
Inventor
毕晓宇
张冬梅
马慧
张爱琴
王可
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • an RN may be provided on a high-speed mobile vehicle, and the RN provides services for user equipment (UE) on a high-speed mobile vehicle, thereby avoiding frequent handover of a large number of UEs.
  • UE user equipment
  • the message transmitted on the wireless link needs to be encrypted, and the encryption can also be applied to the integrity verification, so as to prevent the message from being illegally falsified or forged to ensure the security of the network.
  • the used key needs to be replaced with the key of the target cell, so that the key can be used to communicate with the target cell normally, that is, when the UE switches between different cells, the key needs to be updated.
  • the embodiment of the present invention provides a method for generating a key, which can be applied to a scenario of RN handover, so that when the RN performs handover between different base stations, the RN or the target base station can generate a key.
  • Embodiments of the present invention also provide a base station, a relay station, and a key generation system.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scenario in which a relay station switches, and the method includes:
  • the source base station calculates a key parameter K1 according to the key K between the source base station and the relay station and the identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station; the source base station sends the K1 to the target base station, so that the target base station obtains a key K2 between the target base station and the relay station according to the K1.
  • Another method for generating a key according to an embodiment of the present invention is applicable to a scenario of a relay station handover, and the method includes:
  • the target base station receives a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to a key K between the source base station and the relay station;
  • the target base station generates a derivation parameter N2;
  • the target base station calculates a key K2 between the relay station and the target base station based on the K1 and the N2.
  • Another method for generating a key which is provided by the embodiment of the present invention, is applicable to a scene of a relay station handover, and the method includes:
  • the relay station receives the security synchronization parameter N1, wherein the N1 is received from the target base station or the source base station;
  • the relay station calculates a key K2 between the relay station and the target base station based on the N1.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scene of a relay station handover, and the method includes:
  • the target base station receives the intermediate key sent by the target mobility management entity
  • the target base station calculates a key K2 between the target base station and the relay station according to the NK and the identification parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station.
  • a method for generating a key according to an embodiment of the present invention is applicable to a scenario in which a relay station switches, and the method includes:
  • the relay station generates a parameter Q1, and the Q1 is used by the user equipment under the relay station to generate a key between the relay station and the user equipment according to the Q1;
  • the relay station sends the Q1 to the user equipment.
  • a base station is provided in a scenario for a relay station handover, and the base station includes:
  • a calculation module configured to calculate a key parameter K1 according to a key K between the base station and the relay station and an identifier parameter of the target base station, where the identifier parameter of the target base station is used to uniquely identify the target base station;
  • a first sending module configured to send K1 obtained by the computing module to the target base station, so that the target base station obtains a key K2 between the target base station and the relay station according to the K1.
  • Another base station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the base station includes:
  • a receiving module configured to receive a key parameter K1 sent by the source base station, where the K1 is obtained by the source base station according to a key between the source base station and the relay station;
  • a relay station configured to calculate a key K2 between the relay station and the base station according to K1 received by the receiving module and N2 generated by the retire parameter module.
  • a relay station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the relay station includes:
  • a receiving module configured to receive a security synchronization parameter N1, where the N1 is sent by the target base station or the source base station to the relay station;
  • a calculation module configured to calculate a key K2 between the relay station and the target base station according to the N1 received by the receiving module.
  • Another base station provided by the embodiment of the present invention is applicable to a scenario of relay station handover, and the base station includes:
  • a receiving module configured to receive an intermediate key sent by the target mobility management entity
  • a calculation module configured to calculate a key K2 between the base station and the relay station according to the identifier of the eNB and the base station, where the identifier of the base station is used to uniquely identify the base station.
  • a key generation system is provided in the scenario of a relay station handover, and the system includes:
  • the relay station is configured to receive a derivation parameter N2 sent by the target base station, and a security synchronization parameter N1 sent by the target base station or the source base station, and calculate a key K2 between the relay station and the target base station according to the N1 and N2.
  • in the embodiments of the present invention, the source base station generates a key from which the key used by the RN and the target base station is generated, or the RN is enabled to obtain the key between the RN and the target base station by being sent a security synchronization parameter. This ensures that the RN can communicate with the target base station using the key, reducing the dropped call rate and improving communication security.
  • FIG. 1 is a schematic flowchart of a key generation method according to an embodiment of the present invention
  • FIG. 2b is a schematic flowchart of a key generation method according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a key isolation method according to another embodiment of the present invention
  • FIG. 2 is a schematic diagram of a key isolation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3b is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a key generation method according to another embodiment of the present invention
  • FIG. 3g is a schematic diagram of a key generation method according to another embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a key generation method according to still another embodiment of the present invention
  • FIG. 5 is a key generation method according to still another embodiment of the present invention
  • FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 7b is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 7c is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a relay station according to an embodiment of the present invention.
  • FIG. 8b is a schematic structural diagram of a relay station according to an embodiment of the present disclosure.
  • FIG. 8c is a schematic structural diagram of a relay station according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic diagram of a key generation system according to an embodiment of the present invention.
  • Step 101 The source base station determines that the relay station switches to the target base station.
  • the source base station receives the measurement report sent by the relay station, and according to the measurement report, the source base station decides to perform the handover.
  • the source base station may also determine that the relay station switches to the target base station according to other conditions.
  • step 101 is an optional step, which is not necessarily performed.
  • Step 102 The source base station calculates a key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station, and the identification parameter of the target base station.
  • the intermediate key NK is sent by the mobility management entity to the source base station.
  • the identification parameter of the target base station is used to uniquely identify the target base station.
  • the identity parameter of the target base station may be the ID of the target base station, and the target base station may be uniquely identified by the ID of the target base station.
  • the identification parameter of the target base station may also be the certificate of the target base station, or the ID of the target base station and the certificate of the target base station.
  • the identifier parameter of the target base station may include one of the following parameters or any combination thereof, including the ID of the target base station and/or the certificate of the target base station: the UMTS (Universal Mobile Telecommunications System) terrestrial radio access network downlink absolute radio channel number (EARFCN-DL), the cell identity (C-RNTI), the user equipment ID, and the message count value (Message Count) between the relay station and the MME (Mobility Management Entity).
  • After determining that the relay station switches to the target base station, the source base station performs step 102 to calculate K1.
  • Step 103 The source base station sends K1 to the target base station.
  • the source base station transmits K1 to the target base station, so that the target base station can obtain the key K2 between the target base station and the relay station according to K1.
  • the source base station may send a handover request to the target base station, and the handover request carries K1 to complete the transmission of K1.
  • the key generation method provided in this embodiment may further include: Step 104:
  • the source base station sends the security synchronization parameter N1 corresponding to K1 to the target base station.
  • the source base station sends the N1 corresponding to the K1 to the target base station for synchronization by the target base station for subsequent calculation.
  • there is no specific execution order between step 103 and step 104, which may be performed sequentially or simultaneously.
  • the N1 may be sent to the target base station by using the handover request.
  • Step 105 The source base station receives N1 sent by the target base station.
  • after the source base station sends N1 to the target base station, the target base station carries N1 in the handover request response message and sends it to the source base station.
  • the target base station may not change N1, that is, the N1 sent by the source base station is the same as the value of N1 sent by the target base station.
  • Step 106 The source base station sends N1 to the relay station.
  • the source base station may send the N1 to the relay station by using a handover command, and the source base station may not change the value of N1 in this step, that is, the N1 sent by the source base station through the handover command is the same as the value of N1 sent by the target base station.
  • the source base station may transparently forward the message sent by the target base station, that is, the content carried in the message is transparent to the source base station.
  • step 104 to step 106 may not be performed, but the source base station directly transmits N1 corresponding to K1 to the relay station.
  • step 104, the step 105, and the step 106 are not necessary.
  • the embodiment may include part or all of the above three steps, for example, only the step 106 is included, and the step 104 and the step 105 are not included.
  • in step 102, K1 may be obtained, for example, by using K and/or NK and the identification parameter of the target base station as parameters.
  • the security synchronization parameter N1 corresponding to the K1 can be determined. For example, when the source base station calculates K1 using K, N1 corresponding to the K1 is 0. When the source base station calculates K1 using NK, N1 corresponding to the K1 is 1.
  • different bearers on the Uu interface of the UE under the relay station can be aggregated according to different UEs, and the same bearer is transmitted on the Un interface.
  • in this case, the keys used on the Un interface are different for different UEs, i.e. the keys on the Un interface are for each UE.
  • the Un interface is an interface between the relay station and the base station, and the Uu interface is an interface between the relay station and the UE.
  • the same QoS bearers of different UEs in the relay station can be aggregated according to the QoS, and the same bearer is transmitted on the Un interface.
  • in this case, the key used on the Un interface is the same for the different UEs with the same QoS, that is, the key on the Un interface is for all UEs.
  • the “all UEs” described in the embodiments of the present invention refer to the different UEs with the same QoS.
  • the key on the Un interface may also be for each UE in one part of the UEs, and for all the UEs in the other part of the UEs.
  • the source base station calculates K1 corresponding to each UE according to step 102. Therefore, a list List1 formed by the K1 corresponding to each UE is generated on the source base station side. The source base station transmits the List1 to the target base station.
  • N1 can also be different for different UEs. For the sake of clarity, the following embodiments are described by taking the case where N1 is the same for different UEs as an example.
  • the source base station may also save the list List1.
  • the source base station transmits the calculated K1 to the target base station.
  • the handover of the RN occurs between two base stations under the same MME, that is, the handover on the X2 interface. Therefore, the source base station and the target base station can communicate directly through the X2 interface.
  • the source base station when the relay station performs handover, the source base station separately transmits parameters for calculating the new key to the relay station and the target base station, so that the target base station and the relay station can communicate using the generated key.
  • if the function F used to calculate the key is an irreversible function, key isolation between the target base station and the source base station may be implemented, that is, the target base station does not know the key used between the source base station and the relay station, thereby avoiding the situation in which a security risk at the target base station also puts the source base station at risk.
  • the method for generating a key provided by another embodiment of the present invention is described in detail below with reference to FIG. 2a.
  • the method can be applied to the scenario of the relay station switching.
  • the technical solutions provided in the following embodiments can be applied to the scenario of the relay station switching, and are not described again.
  • Step 201 The target base station receives the key parameter K1 and the security synchronization parameter sent by the source base station.
  • the target base station can receive K1 and N1 at the same time, and can also receive K1 and N1, respectively.
  • the target base station can obtain K1 and N1 by receiving a handover request.
  • K1 may be a key parameter calculated by the source base station according to step 102 of the previous embodiment.
  • Step 202 The target base station determines a key K2 between the relay station and the target base station according to K1.
  • the target base station may directly use K1 as the key K2 between the relay station and the target base station, or may calculate the key K2 between the relay station and the target base station according to K1.
  • Step 203 The target base station sends N1 to the relay station.
  • step 203 is an optional execution step.
  • in step 202, if the target base station directly uses K1 as the key K2 between the relay station and the target base station, the source base station can easily obtain the key used by the target base station. To reduce this security risk, the key isolation method shown in FIG. 2b may be used to perform key isolation.
  • Step 204 The target base station receives the fresh parameter sent by the MME. For example, the target base station can receive the fresh parameters sent by the MME in the Path Switch flow.
  • Step 205 The target base station calculates a key K2 between the target base station and the relay station according to the fresh parameter and K1.
  • Since the fresh parameter is transmitted to the target base station, and the target base station uses the fresh parameter to calculate the key, the source base station cannot know the key K2 between the target base station and the relay station. Further, if the key parameter K1 sent by the source base station is not a key between the source base station and the relay station, but is calculated by the source base station from the key K and/or the intermediate key NK between the source base station and the relay station, and if the calculation function is irreversible, the target base station cannot know the key K between the source base station and the relay station. This realizes key isolation between the source base station and the target base station, so that a security problem at the source base station/target base station does not affect the target base station/source base station.
  • the same fresh parameter is sent to the RN, and the RN calculates the key between the relay station and the target base station according to the fresh parameter.
  • the MME sends a fresh parameter to the RN to trigger the RN to complete the handover process of the Intra Donor eNB.
  • the key isolation method shown in FIG. 2c may also be used, that is, the target base station performs a derivation operation according to the key sent by the source base station, and generates a key between the target base station and the relay station, so that the source base station cannot know the key between the target base station and the relay station.
  • Step 206 The target base station generates a derivation parameter N2.
  • the derivation parameter N2 is used for key isolation, and thus may be any parameter capable of functioning as a key isolation.
  • the derivation parameter N2 may be a random number generated by the target base station, or may be a combination of one or more of the following parameters: the C-RNTI, the ID of the UE, and the message count value between the RN and the MME, etc., or may be a combination of a random number and one or more of the above parameters.
  • Step 207 The target base station calculates a key between the target base station and the relay station according to N2 and K1.
  • F can be a reversible function, or an irreversible function.
  • the target base station needs to transmit N2 to the relay station so that the relay station can calculate the key K2 between the target base station and the relay station based on N2.
  • When the target base station transmits N2, it can transmit it together with N1 or separately from N1. When the target base station transmits N1 and N2, for example, they can be sent in a handover request response. Since the derivation parameter N2 is generated by the target base station, the source base station cannot know the derivation parameter, so that the key between the target base station and the relay station cannot be known, and the effect of key isolation is achieved.
  • the handover of the RN occurs between the target base station and the source base station under the same frame, so the source base station can directly transmit to the target base station through the X2 interface.
  • in the key generation method provided in this embodiment, the target base station generates a key between the target base station and the relay station from the key sent by the source base station, so that the target base station and the relay station can communicate using the generated key, avoiding dropped calls and improving call security.
  • a method for generating a key according to another embodiment of the present invention is described in detail below with reference to FIG. 3a.
  • the method includes:
  • Step 301 The relay station receives the security synchronization parameter N1; the relay station receives the security synchronization parameter N1, which may be received from the source base station or may be received from the target base station. For example, when the relay station switches between the source base station and the target base station under the same MME, the target base station transmits the security synchronization parameter N1 to the source base station, and the source base station transmits N1 to the relay station, so the relay station receives N1 from the source base station.
  • Step 302 The relay station calculates a key K2 between the relay station and the target base station according to N1.
  • the relay station can calculate the key K2 between the relay station and the target base station according to N1, and there may be different methods.
  • the relay station calculates the key K2 between the relay station and the target base station according to N1, which can be:
  • Step 3021 The relay station determines, according to N1, that the key K between the current relay station and the source base station is used for calculation, and calculates K2 according to the identification parameter of the target base station and K; or
  • Step 3022 the relay station calculates the intermediate key NK according to N1, and calculates K2 according to the identification parameter of the target base station and NK.
  • the target base station directly uses the key parameter K1 sent by the source base station as the key K2 between the relay station and the target base station.
  • the method shown in FIG. 3b can be applied to the scenario in which the RN is handed over between eNBs under the same MME, and may also be applicable to the scenario in which the RN switches between eNBs under different MMEs.
  • the relay station calculates the key K2 between the relay station and the target base station according to N1, and may also be:
  • Step 3023 the relay station determines, according to N1, to use the key K between the relay station and the source base station for calculation, and calculates the intermediate parameter L according to the identification parameter of the target base station and K; and/or step 3024, the relay station calculates the intermediate key NK according to N1, and calculates the intermediate parameter L according to the identification parameter of the target base station and NK;
  • the relay station calculates K2 based on the L and the fresh parameters generated by the MME.
  • the target base station also calculates K2 by using the key parameter K1 sent by the source base station and the fresh parameter generated by the MME, so that the source base station cannot know the key K2 used between the target base station and the relay station, which implements key isolation.
  • the relay station may also calculate the key K2 between the relay station and the target base station according to N1 as follows:
  • Step 303 The relay station receives a derivation parameter N2, where N2 is generated by the target base station and sent to the relay station;
  • Step 3026 the relay station determines, according to N1, to use the key K between the relay station and the source base station, and calculates an intermediate parameter M according to the identification parameter of the target base station and K; or, in step 3027, the relay station calculates the intermediate key NK according to N1, and calculates the intermediate parameter M according to the identification parameter of the target base station and NK;
  • the relay station calculates K2 based on M and N2.
  • the target base station generates the derivation parameter N2, and calculates the intermediate parameter M by using the key parameter K1 sent by the source base station, and then calculates K2 by using M and N2, so that the source base station cannot know the key K2 used between the target base station and the relay station, which implements key isolation.
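The handover derivation described above (step 102 at the source base station, steps 206 and 207 at the target base station, steps 303 and 3026/3027 at the relay station), as an added example that is not part of the patent text. HMAC-SHA-256 stands in for the unspecified function F; the labels, key values, target ID, and the mapping of N1 = 0 to K and N1 = 1 to NK are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent): the key K shared by the
# source base station and the relay station, the intermediate key NK issued
# by the MME, and an identification parameter for the target base station.
K = bytes(range(32))
NK = bytes(range(32, 64))
TARGET_ID = b"target-eNB-0001"


def F(key: bytes, label: bytes, param: bytes) -> bytes:
    """Assumed one-way derivation function: HMAC-SHA-256 over a label and a
    length-prefixed parameter. The patent only requires F to be irreversible
    for key isolation; it does not name a concrete function."""
    msg = label + len(param).to_bytes(2, "big") + param
    return hmac.new(key, msg, hashlib.sha256).digest()


def select_base_key(n1: int, k: bytes, nk: bytes) -> bytes:
    """Assumed reading of the security synchronization parameter:
    N1 == 0 selects K, any other value selects NK."""
    return k if n1 == 0 else nk


def source_bs_step102(k: bytes, nk: bytes, n1: int, target_id: bytes) -> bytes:
    """Source base station: K1 from K or NK and the target's identifier.
    K1 (not K) is what goes into the handover request."""
    return F(select_base_key(n1, k, nk), b"K1", target_id)


def target_bs_derive(k1: bytes, n2=None):
    """Target base station: generate the derivation parameter N2 (a random
    number here) and compute K2 from K1 and N2. Returns (K2, N2)."""
    if n2 is None:
        n2 = secrets.token_bytes(16)
    return F(k1, b"K2", n2), n2


def relay_derive(k: bytes, nk: bytes, n1: int, target_id: bytes, n2: bytes) -> bytes:
    """Relay station: rebuild the intermediate parameter M (equal to the K1
    the source sent) from its own key material, then K2 from M and N2."""
    m = F(select_base_key(n1, k, nk), b"K1", target_id)
    return F(m, b"K2", n2)


def run_handover(n1: int) -> dict:
    """One handover with the constructed keys; returns every value so the
    relationships between them can be inspected."""
    k1 = source_bs_step102(K, NK, n1, TARGET_ID)
    k2_target, n2 = target_bs_derive(k1)
    k2_relay = relay_derive(K, NK, n1, TARGET_ID, n2)
    return {
        "k": K,
        "k1": k1,
        "n2": n2,
        "k2_target": k2_target,
        "k2_relay": k2_relay,
        # Without N2 the target would use K1 directly as K2, a value the
        # source base station already holds.
        "k2_without_isolation": k1,
    }


if __name__ == "__main__":
    for n1 in (0, 1):
        r = run_handover(n1)
        print(f"N1={n1}")
        print("  relay and target agree on K2:", r["k2_relay"] == r["k2_target"])
        print("  K1 differs from K:           ", r["k1"] != r["k"])
        print("  K2 differs from K1:          ", r["k2_target"] != r["k1"])
```

The target base station never receives K, and K2 depends on an N2 chosen at the target, which is the isolation property the text attributes to this variant.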
  • the key generation method provided in this embodiment may further include generating a key between the relay station and the user equipment, that is, generating a key on the Uu interface between the relay station and the user equipment.
  • the key on the Uu interface may or may not be related to the key between the relay station and the target base station.
  • the key between the relay station and the target base station that is, when the key on the Un interface is generated
  • the key on the Uu interface needs to be generated.
  • the key on the Un interface is generated.
  • the key on the Uu interface can be generated without using the original key. Of course, a new key can also be generated.
  • the key generation on the Uu interface when the key on the Uu interface is related to the key on the Un interface in this embodiment is described in detail with reference to FIG. 3e.
  • Step 304 the relay station generates a parameter Q1.
  • the parameter Q1 is used by the UE under the relay station to generate a key between the relay station and the user equipment, and can also be used by the relay station to generate a key between the relay station and the user equipment.
  • Step 305 The relay station sends the parameter Q1 to the UE.
  • the Q1 may be sent to the user equipment for the UE to complete the generation of the key on the Uu interface according to Q1. It has been explained in the above embodiments that the key on the Un interface may be for each UE, or may be for all UEs.
  • there are two different implementation manners of step 304 and step 305, which are described in detail below with reference to FIGS. 3f and 3g.
  • Step 3041 the relay station generates a different parameter Q1 for each UE under the relay station
  • the relay station generates different parameters Q1 for each UE, that is, each UE has its own corresponding Q1.
  • RRC Radio Resource Control
  • the RRC connection reconfiguration message carries the parameter Q1 generated in step 3041.
  • step 3051 does not necessarily carry the parameter Q1 through the RRC connection reconfiguration message; other messages sent to each UE may also carry the parameter Q1.
  • each UE can obtain its own parameter Q1, and generate a key on the Uu interface according to Q1.
  • step 3061 may be further included, and the relay station calculates a key between the relay station and each user equipment under the relay station according to the parameter Q1 generated in step 3041.
  • Step 3042 the relay station generates a parameter Q1, wherein the Q1 is the same for all UEs under the relay station.
  • Step 3052 The relay station periodically broadcasts a system message and carries Q1 in the periodically broadcast system message.
  • a periodically broadcast system message is, for example, an SIB (System Information Block) or an MIB (Master Information Block).
  • SIB System Information Block
  • MIB Master Information Block
  • Q1 can be placed in the MIB for transmission. Because the MIB is broadcast frequently, Q1 can be sent in the MIB when it is short. If Q1 is long, sending it in the MIB may cause interference or waste of resources.
  • when Q1 is sent in the MIB, for example, two IEs can be added to the MIB. One IE indicates whether the key on the Uu interface is updated (regenerated), and the other IE indicates the specific value of Q1.
  • Q1 can be placed in SIB2 for transmission.
  • two IEs can be added to the SIB.
  • One IE indicates whether the key on the Uu interface is updated, and the other IE indicates the specific value of Q1.
  • When the UE updates the key on the Uu interface, it reads the specific value of Q1 in SIB2.
  • two IEs can be added to the SIBn, one IE indicating whether the key on the Uu interface is updated, and the other IE indicating the specific value of Q1.
  • When the UE updates the key on the Uu interface, it reads the specific value of Q1 in SIBn.
  • an IE may be added to the MIB, and the IE indicates whether the key on the Uu interface is updated, and an IE is added to the SIB2 or SIBn to indicate the specific value of the Q1.
  • the key can be broadcast to the UE in time when the key is updated on the Uu interface, and the MIB does not carry too many parameters to reduce interference or reduce signaling overhead.
  • the original key, where F** can be either a reversible function or an irreversible function.
  • Step 3062 is further included, in which the relay station calculates a key between the relay station and all user equipments under the relay station according to the parameter Q1 generated in step 3042.
  • a method for generating a key according to still another embodiment of the present invention is described in detail below with reference to FIG. The method includes:
  • Step 401: The target base station receives the intermediate key NK sent by the target MME.
  • the relay station switches between base stations under different MMEs.
  • the relay station sends a measurement report to the source base station.
  • the source base station determines that the relay station performs handover according to the measurement report, and sends a handover request to the source MME.
  • the source MME forwards the handover request to the target MME.
  • the target MME increments the security synchronization parameter N1 by 1, and generates an intermediate key NK.
  • the target MME sends the N1 to the target base station by using the handover request message.
  • The handover request message may carry not only the NK but also the N1, where N1 is the value after the target MME has incremented it by 1. That is, this embodiment further includes the target base station receiving the N1 sent by the target MME.
  • The target base station may receive N1 and NK at the same time or one after the other; no specific restriction applies.
  • Step 402: The target base station calculates a key K2 between the target base station and the relay station according to the NK and the identity parameter of the target base station.
  • Step 403: The target base station sends N1 to the relay station, so that the relay station calculates K2. Step 403 is optional.
  • The method by which the relay station calculates K2 is not described again here.
  • For the method by which the relay station calculates K2, refer to the description of the above embodiment.
  • the interface switched by the relay station is an S1 interface.
  • The target base station can calculate the key on the new Un interface according to the obtained NK, and transmit the acquired N1 to the relay station, so that the relay station can also calculate the key on the Un interface according to N1. A key between the relay station and the target base station is thereby generated, so that the relay station can communicate smoothly with the target base station and call security is improved.
  • the identifier of the target base station can be referred to the description of the foregoing embodiment, and details are not described herein.
  • a key generation method provided by still another embodiment of the present invention will be described in detail below with reference to FIG.
  • the method includes:
  • Step 501: The relay station generates a parameter Q1.
  • The parameter Q1 is used by the user equipment under the relay station to generate a key between the relay station and the user equipment.
  • Step 502: The relay station sends Q1 to the user equipment.
  • the generation of the key on the Uu interface by the relay station may be independent of the generation of the key on the Un interface, or may depend on the generation of the key on the Un interface.
  • the key generation on the Un interface may depend on the key generation on the Uu interface. That is, the key on the Un interface is derived from the key on the Uu interface.
  • When the key generation on the Uu interface is independent of the key generation on the Un interface, the key generation on the Un interface does not affect the key used on the Uu interface, so that a handover of the relay station does not affect the UEs under the relay station. The derivation hierarchy of the key on the access link is also better followed, and user equipment of every version is better supported.
  • Steps 501 and 502 may likewise use a different Q1 for each UE, or the same Q1 for all UEs.
  • the specific implementation may refer to the method described in FIG. 3f, 3g.
  • The generation of a key on the Un interface may also be included; for the specific implementation, refer to the methods shown in FIGS. 3a, 3b, 3c, and 3d.
  • The relay station can perform key generation autonomously, or generate a key according to parameters provided by the target base station, thereby implementing smooth and secure communication between the relay station and the user equipment, and between the relay station and the target base station.
  • a base station 60 according to an embodiment of the present invention will be described in detail below with reference to FIG.
  • The base station 60 includes: a handover module 601, configured to determine that the relay station switches to the target base station; a calculation module 602, configured to calculate, after the handover module 601 determines the handover, the key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station and the identification parameter of the target base station; and a first sending module 603, configured to send the K1 obtained by the calculation module 602 to the target base station, so that the target base station obtains K2 according to the K1.
  • the switching module 601 can determine, according to the measurement report sent by the relay station, that the relay station switches to the target base station.
  • the switching module 601 is an optional solution, that is, the base station 60 may include only the computing module 602 and the first sending module 603.
  • The calculation module 602 is configured to calculate the key parameter K1 according to the key K and/or the intermediate key NK between the base station and the relay station, and the identification parameter of the target base station.
  • The key parameter K1 can be calculated when the relay station is switched, and K1 is sent to the target base station, so that the target base station can calculate the key K2 between the target base station and the relay station according to K1, thereby generating the target base station key.
  • The base station 60 provided by this embodiment further includes: a second sending module 604, configured to send the security synchronization parameter N1 corresponding to K1 to the target base station; a receiving module 605, configured to receive the N1 sent by the target base station; and a third sending module 606, configured to send the N1 received by the receiving module 605 to the relay station, so that the relay station calculates the key K2 between the relay station and the target base station.
  • the N1 sent by the second sending module 604 and the N1 received by the receiving module 605 are, for example, the same N1.
  • the base station 60 provided in this embodiment may further include: a generating module 607, configured to generate a security synchronization parameter N1, where the N1 corresponds to K1, and the specific correspondence may refer to the foregoing method embodiment.
  • the second sending module 604 is configured to send the N1 generated by the generating module 607 to the target base station.
  • the base station 60 provided in this embodiment may further include: a fourth sending module 608, configured to directly send the N1 corresponding to K1 to the relay station.
  • The calculation module 602 includes one or any combination of the following: a first calculation unit 6021, configured to calculate the key parameter K1 according to the key K between the base station 60 and the relay station and the identification parameter of the target base station; a second calculating unit 6022, configured to calculate the key parameter K1 according to the intermediate key NK and the identification parameter of the target base station; and a third calculating unit 6023, configured to calculate the key parameter K1 according to the key K between the base station 60 and the relay station, the intermediate key NK, and the identification parameter of the target base station.
  • the first sending module 603 is configured to send a list formed by K1 corresponding to each user equipment under the relay station to the target base station.
  • the base station 60 provided in this embodiment may be used, for example, to perform the key generation method provided in the foregoing method embodiments. For the specific implementation, reference may be made to the foregoing method embodiments.
  • Another base station provided by the embodiment of the present invention is described in detail below with reference to FIG. 7a.
  • the base station includes:
  • the receiving module 701 is configured to receive the key parameter K1 sent by the source base station, and the key module 702 is configured to determine the key K2 between the relay station and the base station according to the K1 received by the receiving module 701.
  • The base station provided in this embodiment may generate the key of the base station according to the parameter sent by the source base station, so that the relay station and the base station can use the generated key for more secure communication.
  • The receiving module 701 is further configured to receive the N1 sent by the source base station, and the base station further includes a second sending module 703, configured to send the N1 received by the receiving module 701 to the relay station, so that the relay station calculates K2 according to N1. Further, as shown in FIG.
  • the receiving module 701a may be configured to receive the fresh parameters sent by the MME, and K1 and N1.
  • the key module 702a is configured to calculate K2 according to the fresh parameters received by the receiving module 701a and K1.
  • the base station may further include a derivation parameter module 704, configured to generate a derivation parameter N2.
  • the key module 702b is configured to calculate K2 according to N2 generated by the derivation parameter module 704 and K1 received by the receiving module 701.
  • The corresponding base station may further include a first sending module 705, configured to send the N2 generated by the derivation parameter module 704 to the relay station.
  • the base station provided by this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment.
  • a relay station 80 according to an embodiment of the present invention will be described in detail below with reference to FIG. 8a.
  • the relay station 80 includes: a receiving module 801, configured to receive the security synchronization parameter N1; and a calculation module 802, configured to calculate a key K2 between the current relay station and the target base station according to the N1 received by the receiving module 801.
  • The relay station 80 provided in this embodiment can calculate the key between the relay station and the target base station according to the received N1, so that the key can be used to communicate with the target base station, thereby ensuring smooth communication between the relay station and the target base station, and the communication is safe and reliable.
  • The relay station 80 may further include: a receiving module 801a, configured to receive the derivation parameter N2 and the security synchronization parameter N1; and a calculation module 802a, configured to calculate K2 according to the N1 and N2 received by the receiving module 801a, or to calculate K2 according to the N1 received by the receiving module 801a. Further, as shown in FIG.
  • The calculation module 802a may include, for example, a first calculating unit 8021, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate K2 according to the identification parameter of the target base station and K; and/or a second calculating unit 8022, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate K2 according to the identification parameter of the target base station and the NK.
  • The calculating module 802a may include, for example, a third calculating unit 8023, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate the intermediate parameter L according to the identification parameter of the target base station and K; and/or a fourth calculating unit 8024, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter L according to the identification parameter of the target base station and NK.
  • the calculation module 802 may further include: a fifth calculation unit, configured to calculate K2 according to the L calculated by the third calculation unit 8023 or the fourth calculation unit 8024 and the fresh parameter. In this embodiment, the fresh parameters are generated by ⁇ .
  • The calculating module 802a may include, for example, a sixth calculating unit 8026, configured to determine, according to the N1 received by the receiving module 801, to use the key K between the relay station 80 and the source base station, and to calculate the intermediate parameter M according to the identification parameter of the target base station and K; and/or a seventh calculating unit 8027, configured to calculate the intermediate key NK according to the N1 received by the receiving module 801, and to calculate the intermediate parameter M according to the identification parameter of the target base station and NK.
  • The calculation module 802a may further include: an eighth calculation unit 8028, configured to calculate K2 according to the M calculated by the sixth calculation unit 8026 or the seventh calculation unit 8027 and the N2 received by the receiving module 801a.
  • The relay station 80 may further include a generating module 803, configured to generate a parameter Q1, where the Q1 is used by the UE under the relay station 80 to generate a key between the local relay station 80 and the UE; and a sending module 804, configured to send the Q1 generated by the generating module 803 to the above UE.
  • The generating module 803 may include, for example, a first generating unit 8031, configured to generate a parameter Q1 for each UE under the relay station 80, that is, to generate the parameter Q1 separately for different UEs.
  • the sending module 804 may include, for example, a first sending unit 8041, configured to send Q1 to the user equipment corresponding to the Q1 by using an RRC connection reconfiguration message.
  • the generating module 803 may include, for example, a second generating unit.
  • The sending module 804 includes, for example, a second sending unit 8042, configured to send Q1 to the UE through a periodically broadcast system message.
  • the generating module 803 may include, for example, a third generating unit.
  • the relay station 80 provided in this embodiment may be used to switch between different base stations in the same MME, and may also be applied to scenarios in which different base stations switch between different base stations.
  • the relay station 80 provided in this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment. For the specific implementation, reference may be made to the foregoing method embodiment.
  • a base station according to an embodiment of the present invention is described in detail below with reference to FIG.
  • The base station includes: a receiving module 901, configured to receive an intermediate key NK sent by the MME; and a calculating module 902, configured to calculate a key K2 between the base station and the relay station according to the NK received by the receiving module 901 and the identifier parameter of the base station. Further, in this embodiment, the receiving module 901 is further configured to receive the N1 sent by the MME. The corresponding base station further includes a sending module 903, configured to send the N1 received by the receiving module 901 to the relay station, so that the relay station calculates K2 according to N1.
  • The base station provided by this embodiment may generate a key between the base station and the relay station according to the intermediate key, and send a security synchronization parameter to the relay station, so that the relay station can also generate a key between the relay station and the base station. The relay station and the base station can then communicate using the generated key, which ensures smooth communication between the relay station and the target base station and improves communication security.
  • the base station provided by this embodiment can be used, for example, to perform the key generation method provided in the foregoing method embodiment. For the specific implementation, reference may be made to the foregoing method embodiment.
  • the key generation system provided by the embodiment of the present invention will be described in detail below with reference to FIG.
  • the system includes: a relay station 1001 for receiving a security synchronization parameter N1 transmitted by the target base station 1003 or the source base station 1002, and calculating a key K2 between the relay station 1001 and the target base station 1003 according to N1.
  • the key generation system provided in this embodiment can be applied to a scenario in which a relay station switches between different base stations in the same network, and can also be applied to a scenario in which a relay station switches between different base stations. For example, when the relay station switches between different base stations under the same network, the security synchronization parameter sent by the source base station may be received, and when the relay station switches between different base stations, the security synchronization parameter sent by the target base station may be received.
  • the system may further include a target base station 1003 and/or a source base station 1002.
  • For the target base station 1003 and/or the source base station 1002, reference may be made to the above embodiments.
  • The relay station 1001 is further configured to receive the derivation parameter N2 sent by the target base station 1003, and calculate a key K2 between the relay station 1001 and the target base station 1003 according to the N1 and the N2.
  • the relay station 1001 is further configured to generate a parameter Q1, and send Q1 to the UE under the relay station 1001, where Q1 is used by the UE to calculate a key between the relay station 1001 and the UE.
  • the storage medium may be a magnetic disk, an optical disk, a read only memory (ROM) or a random access memory (RAM).
  • Each functional unit in the embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the above-mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
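
Added example (not part of the patent text): a sketch of the relay station handover key derivation described in steps 401 to 403, in the calculation module 602 of base station 60, and in calculating units 8021 and 8022 of relay station 80. The KDF (HMAC-SHA-256), the root key shared by relay station and MME, the NK chaining rule, the rule for comparing the received N1 with the local counter, and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_CATCH_UP = 8  # assumed bound on how far N1 may run ahead of the local counter


def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over a label and a length-prefixed input."""
    msg = label + b"\x00" + len(data).to_bytes(2, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def next_nk(root: bytes, prev_nk: bytes) -> bytes:
    """Advance the intermediate key NK by one step (assumed chaining rule)."""
    return kdf(root, b"NK", prev_nk)


def key_for_target(base_key: bytes, target_id: bytes) -> bytes:
    """Bind K or NK to the target base station's identification parameter."""
    return kdf(base_key, b"K2", target_id)


@dataclass
class Mme:
    root: bytes  # hypothetical root key shared with the relay station
    nk: bytes
    n1: int

    def prepare_handover(self) -> tuple:
        """Increment N1 by 1 and generate the NK sent to the target base station."""
        self.n1 += 1
        self.nk = next_nk(self.root, self.nk)
        return self.n1, self.nk


@dataclass
class RelayStation:
    root: bytes  # hypothetical root key shared with the MME
    k: bytes     # key K currently used with the source base station
    nk: bytes
    n1: int

    def derive_k2(self, n1_received: int, target_id: bytes) -> bytes:
        """Compute K2 for the target base station from the received N1."""
        ahead = n1_received - self.n1
        if ahead < 0:
            raise ValueError("stale N1: refusing to derive from an older key state")
        if ahead > MAX_CATCH_UP:
            raise ValueError("N1 too far ahead: counters are out of sync")
        if ahead == 0:
            # N1 unchanged: derive from the key K (role of calculating unit 8021).
            k2 = key_for_target(self.k, target_id)
        else:
            # N1 advanced: recompute NK up to N1, then derive (role of unit 8022).
            for _ in range(ahead):
                self.nk = next_nk(self.root, self.nk)
            self.n1 = n1_received
            k2 = key_for_target(self.nk, target_id)
        self.k = k2  # K2 becomes the key used with the new serving base station
        return k2


# Constructed sample values (not taken from the patent).
ROOT = bytes(range(32))
K_SOURCE = hashlib.sha256(b"constructed K").digest()
NK0 = hashlib.sha256(b"constructed NK").digest()
TARGET_ID = b"target-cell-0x2A"


def s1_handover():
    """Steps 401 to 403: MME, then target base station, then relay station."""
    mme = Mme(ROOT, NK0, 0)
    relay = RelayStation(ROOT, K_SOURCE, NK0, 0)
    n1, nk = mme.prepare_handover()                  # carried in the handover request
    k2_base_station = key_for_target(nk, TARGET_ID)  # step 402
    k2_relay = relay.derive_k2(n1, TARGET_ID)        # relay side after step 403
    return k2_base_station, k2_relay


def source_base_station_handover():
    """Base station 60: K1 from K and the target identifier, N1 unchanged."""
    relay = RelayStation(ROOT, K_SOURCE, NK0, 0)
    k1 = key_for_target(K_SOURCE, TARGET_ID)  # role of calculation module 602
    k2_base_station = k1                      # simplest case: target uses K1 as K2
    k2_relay = relay.derive_k2(0, TARGET_ID)
    return k2_base_station, k2_relay


if __name__ == "__main__":
    for name, fn in (("S1", s1_handover), ("source-BS", source_base_station_handover)):
        bs, rn = fn()
        print(name, "keys match:", hmac.compare_digest(bs, rn))
```

Binding the derivation to the target base station's identifier means a key handed to one target is not valid at another, and rejecting an N1 lower than the local counter keeps a replayed or delayed message from rolling the relay station back to an older key state.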

Abstract

The invention relates to a key generation method. The method is intended for the field of relay station handover and comprises the following steps: the source base station calculates a key parameter K1 according to the key K between the source base station and the relay station and the identification parameter of the target base station, where the identification parameter of the target base station is used to uniquely identify the target base station, and K1 is used to enable the target base station to obtain the key K2 between the target base station and the relay station according to K1. The invention also relates to a key generation system, a base station and a relay station intended for the field of relay station handover. With the technical solution provided by each embodiment, the relay station can be enabled to generate the key used with the target station, or the target base station generates the key used with the relay station, so that both sides can communicate smoothly and communication security is strengthened.
PCT/CN2010/078359 2009-11-03 2010-11-03 Key generation method, and associated device and system WO2011054286A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910110028.XA CN102056160B (zh) 2009-11-03 2009-11-03 Method, apparatus and system for key generation
CN200910110028.X 2009-11-03

Publications (1)

Publication Number Publication Date
WO2011054286A1 true WO2011054286A1 (fr) 2011-05-12

Family

ID=43959974

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/078359 WO2011054286A1 (fr) Key generation method, and associated device and system

Country Status (2)

Country Link
CN (1) CN102056160B (fr)
WO (1) WO2011054286A1 (fr)


Also Published As

Publication number Publication date
CN102056160A (zh) 2011-05-11
CN102056160B (zh) 2013-10-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10827900; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10827900; Country of ref document: EP; Kind code of ref document: A1)