WO2011054288A1 - Method and apparatus for acquiring a security key in a relay system
- Publication number
- WO2011054288A1 (PCT/CN2010/078367)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- key
- air interface
- enb
- initial
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/04—Large scale networks; Deep hierarchical networks
- H04W84/042—Public Land Mobile systems, e.g. cellular systems
- H04W84/047—Public Land Mobile systems, e.g. cellular systems using dedicated repeater stations
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a system key acquisition method and apparatus for a relay system.
- LTE-A: Long Term Evolution-Advanced (evolved LTE)
- 3GPP: Third Generation Partnership Project
- RN: Relay Node
- the RN is located between the base station to which the RN belongs (DeNB, Donor eNB) and the UE; the RN sends downlink signals to the UE and uplink signals to the DeNB. The air interface between the RN and the DeNB is called the Un port, and the air interface between the RN and the UE is called Uu.
- the data from the DeNB to the UE passes through two air interfaces, that is, it reaches the UE in two hops. As more RNs join, a multi-hop scenario can also occur in LTE-A.
- the embodiment of the invention provides a method and a device for acquiring a security key of a relay system, so that the data of the UE on the Un-port link can be separately protected.
- the embodiment of the invention discloses a method for acquiring a security key of a relay system, which includes:
- a node of the relay system acquires an initial key;
- the node obtains, according to the initial key, a root key of the air interface protection key between the local node and another node directly adjacent to it;
- the node obtains, according to the root key, the air interface protection key between the local node and the other node directly adjacent to it.
- the embodiment of the invention discloses a method for acquiring a security key of a relay system, which includes:
- the first relay node acquires a root key in the process of authenticating with the adjacent node of the first relay node
- the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- a base station comprising:
- an acquiring module, configured for the node of the relay system to acquire an initial key;
- obtaining module 1, configured to obtain, according to the initial key acquired by the acquiring module, a root key of the air interface protection key between the local node and another node directly adjacent to it;
- obtaining module 2, configured to obtain, according to the root key obtained by obtaining module 1, the air interface protection key between the local node and the other node directly adjacent to it.
- a relay node comprising:
- the obtaining module 1 is configured to: acquire, by the first relay node, a root key in an authentication process between the adjacent node and the first relay node;
- the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- in the embodiments of the present invention, a node in the relay system receives an initial key, obtains from the initial key a root key of the air interface protection key between the node and its directly adjacent nodes, and obtains from the root key the air interface protection key between the node and those nodes. The data of the UE on the Un port link can therefore be protected separately, that is, each active UE has its own set of security parameters on the Un port link, which effectively protects the data on each segment of the air interface.
- FIG. 1 is a flowchart of a first embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 2 is a flowchart of a second embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 4 is a flowchart of a fourth embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 5 is a fifth embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 6 is a flowchart of a sixth embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 7 is a flowchart of a seventh embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 9 is a flowchart of a ninth embodiment of a method for acquiring a security key of a relay system according to the present invention
- FIG. 10 is a flowchart of a ninth embodiment of a method for acquiring a security key of a relay system according to the present invention. Schematic diagram of the system node;
- FIG. 11 is a schematic structural diagram of another relay system node according to an embodiment of the present invention.
- the RN has the following characteristics:
- the RN may have its own physical cell identity (PCI, Physical Cell Identity) for transmitting its own synchronization signal and reference signal;
- PCI Physical Cell Identity
- the UE may receive the scheduling information of the RN and the HARQ (Hybrid Automatic Repeat Request) feedback, and send its own control information to the RN;
- HARQ Hybrid Automatic Repeat Request
- the RN may be an R8 eNB, that is, have a backward compatibility feature; for an LTE-A UE, the RN may be an entity different from the R8 eNB.
- the Home Subscriber Server (HSS) generates the original encryption root key and the original integrity protection root key, that is, CK and IK, according to the local original root key K.
- the HSS obtains the initial key of the core network, K_ASME, according to CK and IK, and sends K_ASME to the MME; the MME obtains, according to K_ASME, the non-access stratum (NAS, Non-Access Stratum) key K_NAS and the initial key of the access network, K_eNB.
- the MME sends K_eNB to the base station eNB, and the eNB locally obtains the access stratum (AS, Access Stratum) key K_AS, wherein K_NAS includes the NAS message encryption key and the NAS message integrity protection key, and K_AS includes the encryption key of the user plane (UP, User Plane), the integrity protection key of the control plane (CP, Control Plane) and the encryption key of the control plane.
- the UE side also generates CK and IK according to the local original root key K; the UE obtains K_ASME according to CK and IK, and obtains the NAS key according to K_ASME.
- the UE obtains the AS key K_AS according to K_eNB; the key acquisition method used is as follows:
- KDF is the key derivation function;
- FC is one byte long and is used to distinguish different algorithms;
- P0 is the input parameter;
- L0 is the length of P0, ....
- the acquisition method is as follows:
- K_NAS = KDF(K_ASME, S15)
- S15 = f(algorithm type distinguisher, algorithm id);
- the eNB and the UE obtain locally:
- K_AS = KDF(K_eNB, S15).
- FC, PLMN ID, SQN AK FC
- FC = 0x10
- PLMN ID is the public land mobile network identity;
- SQN is the sequence number;
- AK is the anonymity key;
- length of XX is the length of XX;
- Uplink NAS COUNT is the count value of the uplink NAS messages;
- algorithm type distinguisher is the value that distinguishes the algorithm type;
- algorithm id is the algorithm identification number.
- the embodiments of the present invention provide a key acquisition method for a multi-hop system. The following embodiments are described in detail by taking a 3-hop system as an example; the methods of the embodiments are equally suitable for systems with 1 hop or more than 1 hop.
- FIG. 1 is a flowchart of a first embodiment of a method for acquiring a security key of a relay system according to the present invention, including:
- 101. a node of a relay system acquires an initial key;
- the node obtains, according to the initial key, a root key of the air interface protection key between the local node and another node directly adjacent to it;
- the node obtains, according to the root key, the air interface protection key between the local node and the other node directly adjacent to it.
- the embodiment of the present invention acquires an initial key by using a node of the relay system, and the node acquires, according to the initial key, a root key of an air interface protection key between another node directly adjacent to the local node, The node obtains the air interface protection key between the other nodes directly adjacent to the local node and the local node according to the root key.
- the data of the UE on the Un port link can be separately protected. That is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- when the node of the relay system is a base station eNB, the node in the relay system acquiring an initial key includes:
- the eNB acquires an initial key from a mobility management entity MME;
- when the node of the relay system is a relay node RN, the node in the relay system acquiring an initial key includes:
- the RN acquires an initial key from an MME or an eNB;
- when the node of the relay system is a user terminal UE, the node in the relay system acquiring an initial key includes:
- the UE acquires an initial key from a superior node of the UE.
- the method further includes: the eNB acquiring an initial key of a lower node of the eNB according to the delivery input parameter and the initial key;
- the method further includes:
- the node obtains a root key of the air interface protection key between the node and the node directly adjacent to the node according to the initial key, and specifically includes:
- the relay node RN acquires a root key of the air interface protection key between the local node and the directly adjacent node according to the initial key and the delivery input parameter.
- the method further includes:
- the node obtains a root key of the air interface protection key between the node and the node directly adjacent to the node according to the initial key, and specifically includes:
- the UE acquires a root key of the air interface protection key between the local node and the directly adjacent node according to the initial key and the delivery input parameter.
- the input parameter involved in this embodiment may be a transfer input parameter.
- the embodiment of the present invention acquires an initial key by using a node of the relay system, and the node acquires, according to the initial key, a root key of an air interface protection key between another node directly adjacent to the local node, The node obtains the air interface protection key between the other nodes directly adjacent to the local node and the local node according to the root key.
- the data of the UE on the Un-link can be separately protected. That is, each active UE has a set of security parameters on the Un-link, so that the data on each air interface is effectively protected.
- a UE obtains all air interface keys according to a local original root key K of the UE, and ⁇ is obtained from an air interface of the upper node eNB or RN.
- the input parameters involved in the embodiment of the present invention may be
- the RN1 accesses the network and completes the authentication process.
- the RN2 accesses the network, and completes the authentication process.
- the UE accesses the network, and completes the authentication process.
- Step 201, step 202, and step 203 are in no particular order.
- the MME obtains the K NAS and the initial key ⁇ according to the key K ASME generated by the UE authentication process.
- the method for obtaining the initial key is similar to the key acquisition method in the LTE system, and details are not described herein. .
- the initial key ⁇ is sent to the eNB.
- the eNB receives and saves the initial key ⁇ sent by the MME.
- eNB forwards the initial key to the RN1 ⁇ ;
- RN1 saves the initial key ⁇ .
- the first input parameter may be a temporary identification parameter C-RNTI1 allocated by the eNB to RN1 when RN1 enters the network, where the C-RNTI1 that RN1 obtains is different each time it re-accesses a new DeNB;
- or the first input parameter may be a radio resource control (RRC, Radio Resource Control) message count value parameter RRC MESSAGE COUNT1 of the specific UE between the eNB and RN1;
- or the first input parameter may be the random value parameter NONCE1 negotiated by the eNB and RN1. The input parameter may include, but is not limited to, one or any combination of the above three parameters.
- the keys used to protect the UP and CP data between the eNB and RN1 are obtained from the root key.
- the UP data protection key is the UP encryption key;
- the CP data protection keys are the CP encryption key and the CP integrity protection key;
- for the acquisition of these three keys, refer to the acquisition method above.
- the following takes acquisition of the UP encryption key as an example, namely: KDF(KeNB, f(UP encryption algorithm type distinguisher, UP encryption algorithm id))
- the UP encryption algorithm type distinguisher is the user plane encryption algorithm type distinguisher, and the UP encryption algorithm id is the user plane encryption algorithm ID.
- RN1 forwards the initial key ⁇ to RN2;
- RN2 saves the initial key ⁇ .
- the second input parameter may be a temporary identification parameter C-RNTI2 allocated by RN1 to RN2 when RN2 enters the network; or the second input parameter may be an RRC message count parameter RRC MESSAGE COUNT2 between RN1 and RN2 for the specific UE; or the second input parameter may be a random value parameter NONCE2 negotiated by RN1 and RN2.
- Input parameters may include, but are not limited to, one or any combination of the three above.
- the method of the K UP U KRRC ⁇ ' is similar to the method of obtaining the ⁇ ⁇ system in the LTE system, and details are not described herein again.
- the UE obtains the ⁇ and the initial key ⁇ locally, and the obtaining method is similar to the prior art, and details are not described herein again.
- the RN2 and the UE obtain the root key according to the initial key, and obtain an air interface key for protecting the UP and CP data between the UE and the RN2 according to the root key.
- the obtaining method may include the following two methods:
- the input key is used with a third input parameter, which may be a temporary identifier parameter C-RNTI3 allocated by RN2 to the UE when the UE enters the network; or the third input parameter may be an RRC message count parameter RRC MESSAGE COUNT3 between RN2 and the UE for the specific UE; or the third input parameter may be a random value parameter NONCE3 negotiated by RN2 and the UE.
- the input parameters may include, but are not limited to, one or any combination of the above three parameters.
- the input key is the key ⁇ MJ used before the handover, and the input parameter may be the target cell physical identifier PCI and the target cell radio frequency channel number EARFCN-DL
- in this embodiment, the eNB receives the initial key, obtains the root key between the eNB and RN1 according to the initial key, and obtains the air interface protection key between the eNB and its direct lower node according to the root key; the eNB forwards the initial key so that each lower node obtains, according to the initial key, the root key of the air interface protection key between the lower nodes. The data of the UE on the Un interface link can therefore be protected separately, that is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
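The per-hop derivation of the second embodiment above, together with the KDF input string (FC, P0, L0, ...) and the S15 algorithm-key step defined earlier, as an added Python example that is not part of the patent text. It assumes the LTE generic KDF (HMAC-SHA-256 with 2-byte lengths), the LTE algorithm type distinguisher values, and a placeholder FC value (`FC_HOP_ROOT`) and parameter encoding for the hop root key, none of which the page specifies; all key and parameter values are constructed.

```python
import hashlib
import hmac

FC_ALG_KEY = 0x15   # FC of the "S15" string: f(algorithm type distinguisher, algorithm id)
FC_HOP_ROOT = 0xF0  # ASSUMPTION: placeholder FC for the per-hop root key; the page gives none

# LTE algorithm type distinguishers (assumed from 3GPP TS 33.401, not stated on the page)
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def hop_root_key(initial_key, c_rnti=None, rrc_count=None, nonce=None):
    """Root key for one hop, from the shared initial key and that hop's input
    parameters (C-RNTI, RRC message count, NONCE: one or any combination)."""
    if c_rnti is None and rrc_count is None and nonce is None:
        raise ValueError("at least one hop-specific input parameter is required")
    # Fixed positions with empty placeholders keep the encoding unambiguous,
    # so a C-RNTI can never be confused with a NONCE of the same bytes.
    p0 = b"" if c_rnti is None else c_rnti.to_bytes(2, "big")
    p1 = b"" if rrc_count is None else rrc_count.to_bytes(4, "big")
    p2 = b"" if nonce is None else nonce
    return kdf(initial_key, FC_HOP_ROOT, p0, p1, p2)


def air_interface_keys(root_key, enc_alg_id, int_alg_id):
    """UP encryption, CP (RRC) encryption and CP integrity keys for one hop."""
    def alg_key(distinguisher, alg_id):
        out = kdf(root_key, FC_ALG_KEY, bytes([distinguisher]), bytes([alg_id]))
        return out[-16:]  # LTE uses the 128 least significant bits of the output
    return {
        "K_UPenc": alg_key(UP_ENC_ALG, enc_alg_id),
        "K_RRCenc": alg_key(RRC_ENC_ALG, enc_alg_id),
        "K_RRCint": alg_key(RRC_INT_ALG, int_alg_id),
    }


def derive_chain(initial_key, hops, enc_alg_id=2, int_alg_id=2):
    """hops maps a hop name to the keyword arguments of hop_root_key.
    Algorithm id 2 is the AES-based algorithm in LTE (assumed default)."""
    return {
        name: air_interface_keys(hop_root_key(initial_key, **p), enc_alg_id, int_alg_id)
        for name, p in hops.items()
    }


# Constructed sample values, not taken from the patent
INITIAL_KEY = bytes(range(32))
HOPS = {
    "eNB-RN1": {"c_rnti": 0x1001},
    "RN1-RN2": {"c_rnti": 0x2002, "nonce": bytes.fromhex("a1b2c3d4")},
    "RN2-UE": {"rrc_count": 7},
}

if __name__ == "__main__":
    for hop, keys in derive_chain(INITIAL_KEY, HOPS).items():
        print(hop, {k: v.hex() for k, v in keys.items()})
```

Both ends of a hop run the same derivation, so a changed C-RNTI after re-access to a new DeNB changes that hop's root key and all three keys under it.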
- FIG. 3 is a flowchart of a method for acquiring a security key of a relay system according to a third embodiment of the present invention.
- the eNB locally obtains the initial keys of all lower-level RN nodes according to the received ⁇, and then sends the keys to the RNs at each level.
- the input parameters involved in the embodiments of the present invention may include the input parameters and the local input parameters. As shown in Figure 3:
- Steps 301 to 305 are similar to steps 201 to 205 in the second embodiment, and are not mentioned here;
- the fourth input parameter may be a delivery input parameter, and the fourth delivery input parameter may be a temporary identification parameter C-RNTI4 allocated by RN1 to RN2 when RN2 enters the network; it should be noted that the C-RNTI4 that RN2 obtains is different each time it re-accesses a new DeNB; or the fourth delivery input parameter may be a random value parameter NONCE4 negotiated by RN1 and RN2;
- the fifth input parameter may be a fifth delivery input parameter, and the fifth delivery input parameter may be a temporary identification parameter C-RNTI5 allocated by RN2 to the UE when the UE enters the network; it should be noted that the C-RNTI5 that the UE obtains is different each time it re-accesses a new DeNB; or the fifth delivery input parameter may be a random value parameter NONCE5 negotiated by the eNB and RN1;
- the fourth input parameter and the fifth input parameter may also be other input parameters, such as the id of the corresponding RN, or the carrier frequency of the corresponding RN.
- the input parameters may include, but are not limited to, one or any combination of the above three parameters.
- the eNB sends the initial key and the fourth input parameter to the RN1.
- the eNB and RN1 acquire the root key according to the initial key, and based on the root key acquire the keys for protecting the UP and CP data between the eNB and RN1; the root key is acquired as follows:
- the sixth local input parameter may be a temporary identification parameter C-RNTI6 allocated by the eNB to RN1 when RN1 enters the network, where the C-RNTI6 that RN1 obtains is different each time it re-accesses a new DeNB;
- or the sixth local input parameter may be a radio resource control (RRC, Radio Resource Control) message count value parameter RRC MESSAGE COUNT6 of the specific UE between the eNB and RN1; or the sixth local input parameter may be a random value negotiated by the eNB and RN1.
- the local input parameters may include, but are not limited to, one or any combination of the above three parameters.
- the obtained root key is used to obtain the keys that protect the UP and CP data between the eNB and RN1, wherein the UP data protection key is the UP encryption key, and the CP data protection keys are the CP encryption key and the CP integrity protection key; for the acquisition of these three keys, refer to the acquisition formula above.
- the following takes acquisition of the UP encryption key as an example, that is,
- Kupenc = KDF(KeNB, f(UP encryption algorithm type distinguisher, UP encryption algorithm id))
- the UP encryption algorithm type distinguisher is the user plane encryption algorithm type distinguisher, and the UP encryption algorithm id is the user plane encryption algorithm ID.
- the eNB sends the initial key ⁇ ⁇ and the fifth input parameter to the RN2;
- RN1 and RN2 obtain the air interface keys ⁇ , Krrc ⁇ , Krrc ' ⁇ for protecting the UP CP data between RN1 and RN2 according to the root key ⁇ ', and the acquisition method is similar to the K acquisition method in the LTE system, and is not Again, the method of obtaining '' is as follows:
- the input key is ⁇
- the seventh local input parameter may be the RRC message count value parameter RRC MESSAGE COUNT7 between RN1 and RN2 for the specific UE, or the seventh local input parameter may be the temporary identification parameter C-RNTI7 assigned to RN2 by RN1, or the seventh local input parameter may be a random value parameter NONCE7 negotiated by RN1 and RN2.
- the local input parameters may include, but are not limited to, one or any combination of the above three parameters.
- 312. RN2 sends the fifth input parameter to the UE
- the UE obtains the initial key ⁇ and K RN2 locally.
- the method for obtaining the initial key ⁇ refers to the above-mentioned acquisition formula, and will not be described again.
- the method for obtaining the initial key is similar to the method for obtaining the ⁇ in step 306.
- RN2 and the UE acquire the root key between the UE and RN2 according to the initial key, and based on the root key acquire the air interface keys for protecting the UP and CP data between the UE and RN2; there are two ways to acquire the root key:
- the eighth local input parameter may be the RRC message count value parameter RRC MESSAGE COUNT8 between RN2 and the UE, or the eighth local input parameter may be the temporary identification parameter C-RNTI8 allocated by RN2 to the UE, or the eighth local input parameter may be a random value parameter NONCE8 negotiated by RN2 and the UE; the input parameter may include, but is not limited to, one or any combination of the above three parameters.
- K KDF ( , f ( PCI , EARFCN-DL ) );
- the input key may be the key used before the handover ⁇ 2
- the input parameter PCI may be the target cell physical identifier
- the EARFCN-DL may be the target cell radio frequency channel number.
- the eNB acquires an initial key of each lower-level node according to the ⁇ , and the eNB forwards the initial key of each lower-level node and acquires an input parameter used by the initial key, so that each lower-level node according to the The initial key and the input parameter obtain the root key of the air interface protection key of each lower node.
- the data of the UE on the Un interface link can be separately protected. That is, each active UE has a set of security parameters on the Un interface link, so as to effectively protect the data on each segment of the air interface.
- Steps 401 to 403 are similar to steps 201 to 203 in the second embodiment, and are not mentioned here, except that:
- the initial key E ⁇ solid eNB UE according to a key generated in the authentication process and obtaining a solid E ⁇ Li, obtaining as follows:
- the input key is a key generated during the authentication process
- the UL NAS COUNT is a count value parameter of the uplink NAS signaling of the UE in the MME
- the tenth input parameter may include a tenth delivery input parameter, and the tenth delivery input parameter may be a random value parameter NONCE10 or a NAS COUNT value between the MME and the corresponding RN
- the eleventh input parameter may be an eleventh pass input parameter, the eleventh value.
- the input parameters may include, but are not limited to, one or any combination of the above three parameters.
- the MME sends an initial key ⁇ to the eNB.
- the MME sends an initial key and a tenth input parameter to the RN1.
- 408. RN2 sends an eleventh input parameter to the UE
- 409. RN1 and the eNB acquire a root key according to the initial key, and based on the root key acquire the air interface keys for protecting the UP and CP data between RN1 and the eNB; the acquisition method is:
- the twelfth local input parameter may be a temporary identification parameter C-RNTI12 allocated by the eNB to RN1 when RN1 enters the network, where the C-RNTI12 that RN1 obtains is different each time it re-accesses a new DeNB;
- or the twelfth local input parameter may be a radio resource control (RRC, Radio Resource Control) message count value parameter RRC MESSAGE COUNT12 of a specific UE between the eNB and RN1; or
- the twelfth local input parameter may be a random value parameter NONCE12 negotiated by the eNB and RN1.
- the local input parameters may include, but are not limited to, one or any combination of the above three parameters.
- KDF(KeNB, f(UP encryption algorithm type distinguisher, UP encryption algorithm id))
- the UP encryption algorithm type distinguisher is the user plane encryption algorithm type distinguisher, and the UP encryption algorithm id is the user plane encryption algorithm ID.
- RN1 acquires the initial key of RN1 according to the eNB's initial key and the tenth input parameter; the acquisition method is similar to step 404 and is not described here.
- RN1 and RN2 respectively obtain the root key between RN1 and RN2 according to the initial key; the obtaining method is similar to step 310 in the third embodiment and is not described here again; RN1 and RN2 obtain the air interface protection keys for the UP and CP data between RN1 and RN2 according to the root key.
- 411. RN2 obtains the initial key between RN2 and the UE according to the initial key between RN1 and the eNB and the eleventh input parameter, in a manner similar to step 404;
- the UE obtains the initial key of the eNB locally, and the UE acquires the initial key of RN2 according to the eleventh input parameter; the UE and RN2 acquire the root key between RN2 and the UE according to the initial key of RN2, and based on the root key acquire the air interface keys for protecting the UP and CP data between the UE and RN2; the acquisition of these keys is similar to that in the LTE system and is not repeated here. The root key is acquired as follows:
- the thirteenth local input parameter may be a temporary identification parameter C-RNTI13 allocated to the UE by RN2 when the UE enters the network; or the thirteenth local input parameter may be an RRC message count parameter RRC MESSAGE COUNT13 between RN2 and the UE; or the thirteenth local input parameter may be a random value parameter NONCE13 negotiated by RN2 and the UE; the local input parameter may include, but is not limited to, one or any combination of the above three parameters.
- in this embodiment of the present invention, the mobility management entity MME acquires, according to a key generated in the MME authentication process, an initial key of a lower node of the eNB under the MME and an initial key of the eNB; the MME transmits, to the lower-level node, the initial key of the eNB or the initial key of the lower-level node, so that the lower-level node generates according to an initial key of the eNB or the lower-level node and the MME authentication process
- the data of the UE on the Un port link can be separately protected. That is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- FIG. 5 is a flowchart of a fifth embodiment of a method for acquiring a security key of a relay system according to the present invention.
- an Un-link protection key is based on a permanent key Ka of an RN, and can be used to protect an RN-specific RB. It can also be used to protect RBs of all UEs belonging to the RN.
- the input parameters involved in the embodiments of the present invention may be local input parameters. As shown in Figure 5:
- RN1 accesses the network, completes the authentication process, and uses Ka to obtain the key during the authentication process.
- RN2 accesses the network, completes the authentication process, and obtains the key by using Kb during the authentication process.
- RN1 are generated during the authentication key ⁇ Li --1 acquisition and initial key K RN1 of legs, solid E, RN2 are generated during the authentication key ⁇ Rei - 2 of acquisition and RN2
- the initial key, the obtaining method can refer to the obtaining formula of the above ⁇ , and the input key is the key generated in the authentication process;
- the MME sends the obtained initial key to the eNB.
- the MME sends the obtained initial key ⁇ to the RN1;
- the RN1 and the eNB obtain an air interface key for protecting the UP and CP data between the RN1 and the eNB according to the initial key, and the acquiring method is similar to the method for obtaining the ⁇ in the LTE system, and inputting the key. 507.
- the RN2 obtains a root key ⁇ ' between the RN1 and the RN2 according to the initial key ⁇ , and the RN2 and the RN2 obtain an air interface for protecting the UP and CP data between the RN1 and the RN2 according to the root key ⁇ 2'
- the key acquisition method is similar to the method for obtaining ⁇ in the LTE system.
- the input key is ⁇ '
- the acquisition method is:
- the fourteenth input parameter may be an RRC message count value parameter RRC MESSAGE COUNT14 between RN1 and RN2 for the specific UE; or the fourteenth input parameter may be the temporary identifier parameter C-RNTI14 allocated by RN1 to RN2 when RN2 enters the network; or the fourteenth input parameter may also be a random value parameter NONCE14 negotiated by RN1 and RN1; the input parameter may include, but is not limited to, one or any combination of the above three parameters.
- in this embodiment of the present invention, the mobility management entity MME acquires, according to an input parameter and a key generated in the MME authentication process, an initial key of a lower node of the eNB under the MME and an initial key of the eNB; the MME sends the initial key of the eNB or the initial key of the lower node to the lower node; the MME sends the input parameter to the lower node, so that the lower node determines the root key of the air interface protection key between the lower node and its direct lower node according to the input parameter and the initial key of the eNB, or according to the input parameter and the key generated by the lower node and the MME authentication process.
- the data of the UE on the Un port link can be separately protected, that is, each active UE has a set of security parameters on the Un port link, thereby effectively protecting the data on each segment of the air interface.
- the embodiments of the present invention may also be used in combination.
- the bearer of the RN1 and the bearer of the UE may be generated by using the method of the fifth embodiment.
- the key is protected.
- the method of the second embodiment can be used for protection.
- the method of the fifth embodiment can also be used to generate the key for protection.
- the UE bearer on the Un port between RN1 and RN2 can also use the method of the second embodiment to generate a key for protection.
- the UE bearer on the Un interface between the RN1 and the eNB can also use the method in the third embodiment to generate a key for protection;
- for the Un port between the RN1 and the RN2, the UE bearer may also use the method in the third embodiment to generate a key for protection.
- the UE bearer on the Un interface between the RN1 and the eNB may also use the method in the fourth embodiment to generate a key for protection;
- for RN1 and RN2, the UE bearer on the Un port can also be protected by using the method in the fourth embodiment.
- FIG. 6 is a flowchart of a sixth embodiment of a method for acquiring a security key of a relay system according to the present invention.
- a protection key used by a lower-level RN is associated with a key used by an upper-level RN, and the input parameters are related to the embodiment of the present invention. Parameters can be entered locally. As shown in Figure 6:
- 601 RN1 accesses the network and completes the authentication process
- the MME and the RN1 respectively obtain K NAS and the initial key of the RN1 according to the key generated in the authentication process.
- the acquisition method can be similar to that of the LTE system: the input key is the key ⁇ - 1 generated during the authentication process, and the input parameter can be the RN1 Uplink NAS COUNT;
- the MME sends the initial key to the eNB.
- RN1 directly acquires, according to the initial key, the air interface key for protecting UP and CP data between the RN1 and the eNB; the acquisition method is similar to that in the LTE system, and the input key is ⁇ ;
- RN2 accesses the network and completes the authentication process.
- the MME sends the initial key of the RN1 to the RN2.
- the MME and the RN2 obtain K NAS and the initial key ⁇ 2 of the RN2 according to the key generated in the authentication process and the initial key of the RN1, and the method for obtaining the initial key is as follows:
- ⁇ 2 = KDF ( ⁇ - 2 , K RN1 , f ( Uplink NAS COUNT of RN2 ) )
- the input key is ⁇ - 2 and,
- the initial key ⁇ is sent to the RN1;
- RN2 acquires a root key between RN1 and RN2 according to ⁇ , and obtains, according to the root key ⁇ 2', an air interface key for protecting UP and CP data between RN1 and RN2; the acquisition method is similar to that in the LTE system, and the input key is ⁇ 2';
- 609 UE accesses the network, completes the authentication process, and sends KRN1 and KRN2 to the UE.
- 610 the MME and the UE acquire the initial keys K eNB and K NAS according to the key-UE K M2 generated in the authentication process, where the obtaining method is as follows:
- the MME sends the initial key ⁇ of the eNB to the RN2;
- 612 RN2 acquires a root key between the UE and RN2 based on the initial key ⁇ , and RN2 and the UE acquire, based on ⁇ ', the air interface keys for protecting UP and CP data between the UE and RN2; the input key is ⁇ . There are two ways to get this:
- the input key is, the first input parameter may be the RRC message count value between the RN2 and the UE, or the first input parameter may be the C-RNTI allocated by the RN2 to the UE. Or the first input parameter may be a fresh value NONCE negotiated by the RN2 with the UE; the input parameter may include but is not limited to one or any combination of the above parameters.
- update with the intra-cell handover method to obtain the root key.
- the update method is:
- K KDF ( K ⁇ B , f (PCI, EARFCN-DL ) );
- the input key may be the key ⁇ used before the handover;
- the input parameters may be the physical cell identifier (Physical Cell Identifier, PCI) of the target cell and EARFCN-DL, the downlink radio frequency channel number of the target cell.
- in this embodiment of the present invention, a node of the relay system acquires an initial key; the node acquires, according to the initial key, a root key of the air interface protection key between the local node and another node directly adjacent to the local node; and the node obtains, according to the root key, the air interface protection key between the local node and that directly adjacent node.
- the data of the UE on the Un port link can be separately protected. That is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- each level of the RN authenticates with its own upper-level node, and generates each segment of the air interface protection key. As shown in Figure 7:
- the RN1 accesses the network, and mutually authenticates with the eNB.
- the RN1 and the eNB respectively use the root key ⁇ between the RN1 and the eNB generated in the authentication process to obtain the key used to protect the UP and CP data on the air interface between them.
- the acquisition method is similar to the ⁇ obtained in the LTE system, and the input key is ;
- the RN2 accesses the network, and mutually authenticates with the RN1.
- RN1 and RN2 respectively use the root key ⁇ between RN1 and RN2 generated in the authentication process to obtain the key used to protect the UP and CP data on the air interface between them. For the acquisition method, refer to the above formula for ⁇ , with ⁇ as the input key.
- the first relay node obtains a root key in the process of authenticating with the adjacent node of the first relay node, and the first relay node acquires, according to the root key, an air interface protection key between the first relay node and the adjacent node, where the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- the data on each node can be separately protected, that is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- the embodiment of the present invention can also be used in combination with the first/second/third embodiment.
- the method in the seventh embodiment is used to protect the RN-related bearer on the Un interface
- the first/second/third embodiment is used to protect the UE-related bearer on the Un interface.
- FIG. 8 is a flowchart of a method for obtaining a security key of a relay system according to an eighth embodiment of the present invention.
- all levels of RNs are authenticated with the eNB, and each segment of the air interface protection key is generated, as shown in FIG.
- the RN1 accesses the network, and mutually authenticates with the eNB.
- 802. the eNB and the RN1 respectively obtain, according to the root key between the eNB and the RN1 generated in the authentication process, a key for protecting UP and CP data on the air interface between them;
- the RN2 accesses the network, and mutually authenticates with the eNB.
- the eNB and the RN2 respectively generate an initial key K2 of the RN2 in the authentication process, and the eNB forwards the initial key ⁇ to the RN1, and the RN1 and the RN2 respectively obtain the root key between the RN1 and the RN2 according to the K ⁇ 2 ', according to the ⁇ ' to obtain a key for protecting UP, CP data on the air interface between RN1 and RN2.
- the first relay node obtains a root key in the process of authenticating with the adjacent node of the first relay node, and the first relay node acquires, according to the root key, an air interface protection key between the first relay node and the adjacent node, where the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- the data on each node can be separately protected, that is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- the embodiment of the present invention can also be used in combination with the first/second/third embodiment.
- the method in the eighth embodiment is used to protect the RN-related bearer on the Un interface
- the first/second/third embodiment is used to protect the UE-related bearer on the Un interface.
- the data of the UE on the Un-link can be separately protected. That is, each active UE has a set of security parameters on the Un-link, so that the data on each air interface is effectively protected.
- FIG. 9 is a flowchart of a twelfth embodiment of a method for acquiring a security key of a relay system according to the present invention, including:
- the first relay node acquires a root key in the process of authenticating with the adjacent node of the first relay node.
- the first relay node acquires, according to the root key, an air interface protection key used to protect the first relay node and the adjacent node.
- the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- the embodiment of the present invention acquires an initial key by using a node of the relay system, and the node acquires, according to the initial key, a root key of an air interface protection key between another node directly adjacent to the local node, The node obtains the air interface protection key between the other nodes directly adjacent to the local node and the local node according to the root key.
- the data of the UE on the Un port link can be separately protected. That is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- FIG. 10 is a schematic structural diagram of a node of a relay system according to an embodiment of the present invention, including: an acquiring module 1001, configured for a node in a relay system to acquire an initial key;
- the obtaining module 1 002 is configured to obtain, according to the initial key acquired by the acquiring module, a root key of an air interface protection key between another node directly adjacent to the node and the node;
- the obtaining module 2 003 is configured to obtain, according to the root key acquired by the acquiring module 1, the air interface protection key between the other nodes directly adjacent to the node.
- the acquiring module is specifically configured to: when the node in the relay system is a base station eNB, the eNB acquires an initial key from a mobility management entity MME;
- the acquiring module is specifically configured to: when the node in the relay system is a relay node RN, the RN obtains an initial key from an MME or an eNB;
- the acquiring module is specifically configured to: when the node in the relay system is a user terminal UE, the UE acquires an initial key from a superior node of the UE.
- the device further includes:
- the acquiring module is further configured to: when the node in the relay system is an eNB, the eNB acquires an initial key of a lower node of the eNB according to the input parameter and the initial key acquired by the acquiring module;
- a sending module 1004, configured for the eNB to send the initial key to one node among the lower nodes of the local node, and to send the transfer input parameter to a node directly adjacent to that node, so that that node and its directly adjacent node acquire, according to the transfer input parameter and the initial key, the root key of the air interface protection key between them.
- when the node in the relay system is a relay node RN, the device further includes: a receiving module 1005, configured for the RN to receive the input parameter transferred by an upper node;
- the obtaining module 1 is further configured to obtain, by the RN, a root key of an air interface protection key between directly adjacent nodes of the node according to the initial key and the delivery input parameter.
- the apparatus further includes: the receiving module is further configured to: when a node in the relay system is a relay node UE,
- the acquiring module 1 is further configured to acquire, by the UE, a root key of an air interface protection key between directly adjacent nodes of the node according to the initial key and the delivery input parameter.
- the embodiment of the present invention acquires an initial key by using a node of the relay system, and the node acquires, according to the initial key, a root key of an air interface protection key between another node directly adjacent to the local node, The node obtains the air interface protection key between the other nodes directly adjacent to the local node and the local node according to the root key.
- the data of the UE on the Un port link can be separately protected. That is, each active UE has a set of security parameters on the Un port link, so as to effectively protect the data on each segment of the air interface.
- FIG. 11 is a schematic structural diagram of a relay node according to an embodiment of the present invention, including:
- the obtaining module 1101 is configured to acquire, by the first relay node, a root key in the process of authenticating with the adjacent node of the first relay node;
- the obtaining module 2102 is configured to acquire, by the first relay node, the air interface protection key between the first relay node and the adjacent node according to the root key acquired by the acquiring module 1 ;
- the adjacent node of the first relay node includes an upper node of the first relay node and/or a lower node of the first relay node.
- an initial key is obtained by a node of the relay system; the node acquires, according to the initial key, a root key of the air interface protection key between the local node and another node directly adjacent to the local node; and the node obtains, according to the root key, the air interface protection key between the local node and that directly adjacent node.
- the data of the UE on the Un interface link can be separately protected. That is, each active UE has a set of security parameters on the Un interface link, so as to effectively protect the data on each segment of the air interface.
- the present invention can be implemented by means of software plus a necessary general hardware platform. Of course, it can also be implemented in hardware, but in many cases the former is the better implementation. Based on such understanding, the part of the technical solution of the present invention that is essential or that contributes to the prior art may be embodied in the form of a software product stored in a storage medium, including a plurality of instructions for making a computer device (which may be a personal computer, server, or network device, etc.) perform the methods of the various embodiments of the present invention.
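The key chain of the sixth embodiment above (a lower node's initial key bound to its upper node's initial key, a per-segment root key from RRC count / C-RNTI / NONCE, the intra-cell update with f(PCI, EARFCN-DL), and the air interface keys), as an added Python example that is not part of the patent text. It assumes the HMAC-SHA-256 KDF layout of 3GPP TS 33.220 and the LTE FC codes 0x13 and 0x15; the FC codes 0xF0 and 0xF1, the one-byte parameter tags, the function names and all key bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

# 0x13 (K_eNB*) and 0x15 (algorithm keys) are the LTE FC codes from 3GPP TS 33.401.
# 0xF0 and 0xF1 are constructed placeholders: the patent text names no FC code.
FC_KENB_STAR, FC_ALG_KEY = 0x13, 0x15
FC_LOWER_INITIAL, FC_SEGMENT_ROOT = 0xF0, 0xF1
# Algorithm type distinguishers for the access-stratum keys (TS 33.401 Annex A.7).
ALG_TYPES = {"rrc_enc": 0x03, "rrc_int": 0x04, "up_enc": 0x05}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (TS 33.220 layout)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))  # every Pi is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def lower_initial_key(auth_key: bytes, upper_initial: bytes, ul_nas_count: int) -> bytes:
    """Initial key of a lower RN, bound to the upper RN's initial key."""
    return kdf(auth_key, FC_LOWER_INITIAL, upper_initial, struct.pack(">I", ul_nas_count))


def segment_root_key(initial: bytes, rrc_count=None, c_rnti=None, nonce=None) -> bytes:
    """Root key for one air-interface segment from any combination of the three inputs."""
    params = []
    # Assumed one-byte type tags keep a 2-byte NONCE from colliding with a C-RNTI.
    if rrc_count is not None:
        params.append(b"\x01" + struct.pack(">I", rrc_count))
    if c_rnti is not None:
        params.append(b"\x02" + struct.pack(">H", c_rnti))
    if nonce is not None:
        params.append(b"\x03" + nonce)
    if not params:
        raise ValueError("at least one input parameter is required")
    return kdf(initial, FC_SEGMENT_ROOT, *params)


def intra_cell_update(root: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Refresh a root key with f(PCI, EARFCN-DL), the intra-cell handover style update."""
    return kdf(root, FC_KENB_STAR, struct.pack(">H", pci), struct.pack(">H", earfcn_dl))


def air_interface_keys(root: bytes, alg_id: int = 1) -> dict:
    """UP/CP protection keys: the 128 least significant bits of each KDF output."""
    return {name: kdf(root, FC_ALG_KEY, bytes([t]), bytes([alg_id]))[-16:]
            for name, t in ALG_TYPES.items()}


def build_chain() -> dict:
    """Walk RN1 -> RN2 -> UE with constructed key material."""
    k_rn1 = bytes(range(0, 32))        # constructed: initial key of RN1
    auth_rn2 = bytes(range(32, 64))    # constructed: key from RN2's authentication
    k_enb_ue = bytes(range(64, 96))    # constructed: UE initial key delivered to RN2
    k_rn2 = lower_initial_key(auth_rn2, k_rn1, ul_nas_count=7)
    root_un = segment_root_key(k_rn2, c_rnti=0x4A21)                       # RN1 <-> RN2
    root_uu = segment_root_key(k_enb_ue, rrc_count=3, nonce=b"\x9c" * 8)   # RN2 <-> UE
    return {
        "k_rn2": k_rn2,
        "un": air_interface_keys(root_un),
        "uu": air_interface_keys(root_uu),
        "uu_after_update": air_interface_keys(intra_cell_update(root_uu, 301, 2850)),
    }


if __name__ == "__main__":
    for name, value in build_chain().items():
        print(name, value.hex() if isinstance(value, bytes)
              else {k: v.hex() for k, v in value.items()})
```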
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2012122772/08A RU2523954C2 (ru) | 2009-11-03 | 2010-11-03 | Method and device for obtaining a security key in a relay system |
BR112012010514A BR112012010514A2 (pt) | 2009-11-03 | 2010-11-03 | Method and device for obtaining a security key in a transmission system |
EP10827902.7A EP2487947B1 (en) | 2009-11-03 | 2010-11-03 | Method and device for acquiring safe key in relay system |
US13/463,444 US8605908B2 (en) | 2009-11-03 | 2012-05-03 | Method and device for obtaining security key in relay system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910110027.5A CN102056159B (zh) | 2009-11-03 | 2009-11-03 | Method and apparatus for acquiring a security key of a relay system |
CN200910110027.5 | 2009-11-03 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/463,444 Continuation US8605908B2 (en) | 2009-11-03 | 2012-05-03 | Method and device for obtaining security key in relay system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011054288A1 true WO2011054288A1 (zh) | 2011-05-12 |
Family
ID=43959973
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/078367 WO2011054288A1 (zh) | 2009-11-03 | 2010-11-03 | Method and apparatus for acquiring a security key of a relay system |
Country Status (6)
Country | Link |
---|---|
US (1) | US8605908B2 (zh) |
EP (1) | EP2487947B1 (zh) |
CN (1) | CN102056159B (zh) |
BR (1) | BR112012010514A2 (zh) |
RU (1) | RU2523954C2 (zh) |
WO (1) | WO2011054288A1 (zh) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103167492B (zh) | 2011-12-15 | 2016-03-30 | 华为技术有限公司 | Method and device for generating an access stratum key in a communication system |
JP5944184B2 (ja) * | 2012-02-29 | 2016-07-05 | 株式会社東芝 | Information notification apparatus, method, program, and system |
CN103929740B (zh) * | 2013-01-15 | 2017-05-10 | 中兴通讯股份有限公司 | Secure data transmission method and LTE access network system |
KR101762376B1 (ko) * | 2014-01-10 | 2017-07-27 | 한국전자통신연구원 | Mobile authentication system and method |
US20160366707A1 (en) * | 2014-03-24 | 2016-12-15 | Intel IP Corporation | Apparatus, system and method of securing communications of a user equipment (ue) in a wireless local area network |
CN106714153B (zh) * | 2015-11-13 | 2022-06-10 | 华为技术有限公司 | Key distribution, generation, and reception methods and related apparatus |
US10298549B2 (en) * | 2015-12-23 | 2019-05-21 | Qualcomm Incorporated | Stateless access stratum security for cellular internet of things |
US10638388B2 (en) * | 2016-08-05 | 2020-04-28 | Qualcomm Incorporated | Techniques for fast transition of a connection between a wireless device and a local area network, from a source access node to a target access node |
CN108377495B (zh) | 2016-10-31 | 2021-10-15 | 华为技术有限公司 | Data transmission method, related device, and system |
CN112385266B (zh) * | 2018-07-09 | 2022-06-14 | 华为技术有限公司 | Communication method, device, and system |
CN114268903B (zh) * | 2021-12-28 | 2022-09-30 | 北京航空航天大学 | Geographic-information-assisted UAV relay position deployment and power allocation method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1914960A1 (en) * | 2006-10-16 | 2008-04-23 | Nokia Siemens Networks Oy | Method for transmission of DHCP messages |
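CN101292558A (zh) * | 2005-10-18 | 2008-10-22 | Lg电子株式会社 | Method of providing security for a relay station |
CN101437226A (zh) * | 2007-09-04 | 2009-05-20 | 财团法人工业技术研究院 | Method for providing secure communication, system for providing secure communication, relay station, and base station |
CN101534236A (zh) * | 2008-03-11 | 2009-09-16 | 华为技术有限公司 | Encryption method and apparatus for relay station communication |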
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030235305A1 (en) * | 2002-06-20 | 2003-12-25 | Hsu Raymond T. | Key generation in a communication system |
US7793103B2 (en) | 2006-08-15 | 2010-09-07 | Motorola, Inc. | Ad-hoc network key management |
JP4222403B2 (ja) | 2006-10-16 | 2009-02-12 | 沖電気工業株式会社 | Unauthorized terminal estimation system, unauthorized terminal estimation device, and communication terminal device |
ES2837540T3 (es) * | 2006-10-20 | 2021-06-30 | Nokia Technologies Oy | Key generation for protection in next-generation mobile networks |
US20080107013A1 (en) | 2006-11-06 | 2008-05-08 | Nokia Corporation | Signature generation using coded waveforms |
CN101815293B (zh) | 2009-02-20 | 2012-08-15 | 华为技术有限公司 | Link security authentication method, apparatus, and system in a wireless relay network |
-
2009
- 2009-11-03 CN CN200910110027.5A patent/CN102056159B/zh active Active
-
2010
- 2010-11-03 RU RU2012122772/08A patent/RU2523954C2/ru active
- 2010-11-03 BR BR112012010514A patent/BR112012010514A2/pt not_active Application Discontinuation
- 2010-11-03 EP EP10827902.7A patent/EP2487947B1/en active Active
- 2010-11-03 WO PCT/CN2010/078367 patent/WO2011054288A1/zh active Application Filing
-
2012
- 2012-05-03 US US13/463,444 patent/US8605908B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
BR112012010514A2 (pt) | 2016-03-15 |
CN102056159B (zh) | 2014-04-02 |
RU2012122772A (ru) | 2013-12-10 |
US8605908B2 (en) | 2013-12-10 |
EP2487947A4 (en) | 2012-09-12 |
US20120213372A1 (en) | 2012-08-23 |
EP2487947A1 (en) | 2012-08-15 |
CN102056159A (zh) | 2011-05-11 |
RU2523954C2 (ru) | 2014-07-27 |
EP2487947B1 (en) | 2018-09-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11785510B2 (en) | Communication system | |
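WO2011054288A1 (zh) | Method and apparatus for acquiring a security key of a relay system | |
EP2663107B1 (en) | Key generating method and apparatus | |
CN109922051B (zh) | Method and system for enabling secure communication for inter-eNB transmission | |
US11121862B2 (en) | System and method for wireless network access protection and security architecture | |
CN104349309B (zh) | Method for solving security problems using NH and NCC pairs in a mobile communication system | |
CN101945387B (zh) | Method and system for binding an access stratum key to a device | |
WO2011137805A1 (zh) | Security processing method, apparatus, and system during handover | |
WO2013185735A2 (zh) | Encryption implementation method and system | |
WO2012031510A1 (zh) | Method and system for synchronized binding of security keys | |
CN101931953A (zh) | Method and system for generating a security key bound to a device | |
CN101977378B (zh) | Information transmission method, network side, and relay node | |
WO2013075417A1 (zh) | Key generation method and system during handover | |
CN107925874B (zh) | Ultra-dense network security architecture and method |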
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 10827902 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2010827902 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 4256/CHENP/2012 Country of ref document: IN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012122772 Country of ref document: RU |
|
REG | Reference to national code |
Ref country code: BR Ref legal event code: B01A Ref document number: 112012010514 Country of ref document: BR |
|
ENP | Entry into the national phase |
Ref document number: 112012010514 Country of ref document: BR Kind code of ref document: A2 Effective date: 20120503 |