WO2011127791A1 - 终端移动到增强utran时建立增强密钥的方法及系统 - Google Patents
终端移动到增强utran时建立增强密钥的方法及系统 Download PDFInfo
- Publication number
- WO2011127791A1 WO2011127791A1 PCT/CN2011/072442 CN2011072442W WO2011127791A1 WO 2011127791 A1 WO2011127791 A1 WO 2011127791A1 CN 2011072442 W CN2011072442 W CN 2011072442W WO 2011127791 A1 WO2011127791 A1 WO 2011127791A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- enhanced
- terminal
- target
- utran
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/73—Access point logical identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/037—Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/047—Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
- H04W12/0471—Key exchange
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/106—Packet or message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/10—Integrity
- H04W12/108—Source integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/71—Hardware identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/72—Subscriber identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/75—Temporary identity
Definitions
- the present invention relates to the field of wireless communications, and in particular to a method and system for establishing an enhanced key when a terminal moves from an EUTRAN to an enhanced UTRAN in a wireless communication system.
- 3GPP (3rd Generation Partnership Project, third-generation partner TIC'J) uses Orthogonal Frequency Division Multiplexing (OFDM) and Multiple-Input Multiple-Output (Reference) in Release7 , referred to as ⁇ ) technology to complete HSDPA (High Speed Downlink Packet Access) and HSUPA (High Speed Uplink Packet Access) future evolution road HSPA+.
- HSPA+ is an enhancement technology for 3GPP HSPA (including HSDPA and HSUPA), providing HSPA operators with a low-complexity, low-cost path from HSPA to LTE.
- HSPA+ uses high-order modulation (such as downlink 64QAM (Quadature Amplitude Modulation) and uplink 16QAM), MIMO, and high-stage modulation.
- high-order modulation such as downlink 64QAM (Quadature Amplitude Modulation) and uplink 16QAM
- MIMO multiplexing
- HSPA+ also uses a series of other enhancement technologies to increase user capacity, reduce latency, reduce terminal power consumption, better support voice over IP (VOIP) and enhance the system.
- Targets such as multicast/broadcast capabilities.
- HSPA+ decentralizes the function of Radio Network Controller (RNC) to the base station Node B (Node B) on the system architecture to form a completely flat wireless access network architecture, as shown in Figure 1. Show. At this time, the Node B integrated with the full RNC function is called Evolved HSPA Node B, or simply called the enhanced node Node (Node B+ ).
- SGSN+ is an SGSN (ServICE GPRS SUPPORT NODE, Serving GPRS Support Node; GPRS: General Packet Radio System) that has been upgraded to support HSPA+ functions.
- ⁇ + is a user terminal device (also called UE+) that can support HSPA+ function.
- the evolved HSPA system can use 3GPP Rel-5 and later air interface versions, and does not have any air interface HSPA services. Modified. After using this scheme, each Node B+ becomes a node equivalent to the RNC.
- the Iu-PS interface can be directly connected to the PS CN (Core Network), and the Iu-PS user plane is terminated at the SGSN.
- the network supports the direct tunnel function, and the Iu-PS user plane can also be terminated at the GGSN (Gateway GPRS Support Node).
- the communication between the evolved HSPA Node Bs is performed through the lur interface.
- Node B+ has the ability to independently network and support full mobility features, including inter-system and intra-system switching.
- Node B+ can be thought of as a combination of Node B and RNC. Both are a physical entity, but are still two different logical entities. Therefore, the Node B+ that supports the HSPA+ enhanced key hierarchy in this article can also be equivalent to the RNC upgraded in UMTS. To distinguish, we can call it RNC+.
- K Key
- CK Chiping Key
- IK Intelligent Security Key
- UMTS Universal Mobile Telecommunications System
- AuC Authentication Center
- USIM UNIVERSAL SUBSCRIBER IDENTITY MODULE
- CK and ⁇ are the user equipment and the HSS (Authentication and Key Agreement, Authentication and key agreement)
- the secret key and integrity key calculated by K.
- RNC uses CK and IK to encrypt and protect data.
- CK and IK as traditional air interface security keys, referred to as traditional keys.
- HSPA+ introduces a key hierarchy similar to EUTRAN (Evolved Universal Terrestrial Radio Access Network), namely UTRAN Key Hierarchy.
- EUTRAN Evolved Universal Terrestrial Radio Access Network
- UTRAN Key Hierarchy the intermediate key KR NC (also known as KASMEU) is the newly introduced key of HSPA+, derived from the traditional keys CK and IK.
- KR NC generates CKu (also known as CK S ) and IKu (also known as IK S ), where CKu is used to encrypt user plane data and control plane signaling, and is used for integrity protection of control plane signaling.
- CKu also known as CK S
- IKu also known as IK S
- CKu and nickname enhanced air interface security keys, referred to as enhanced keys.
- LTE/SAE is a 3GPP evolution technology for UMTS, which supports spectrum bandwidth of 20MHz. Provides a peak rate of 100 Mbps downstream and 50 Mbps upstream.
- the network of the LTE/SAE is composed of a User Equipment (UE), an access network, and a core network.
- UE User Equipment
- the entire LTE architecture is shown in Figure 3.
- the base station device is an evolved Node-B (eNB), and is mainly responsible for wireless communication, wireless communication management, and mobility context management.
- the core network includes a Mobility Management Entity (MME), which is responsible for control plane-related tasks such as mobility management, non-access stratum signaling processing, and user security mode management.
- MME Mobility Management Entity
- the source MME When the user moves from EUTRAN to UTRAN, the source MME generates a mapped legacy key IK', CK' according to the key KASME in LTE.
- the traditional key derivation of the mapping is as follows:
- IK' l l CK' KDF (KASME, downlink NAS COUNT)
- KDF is a security algorithm defined by 3GPP, and the specific definition can refer to the relevant 3GPP specifications.
- KASME is a key generated by the HSS based on CK and IK, and is sent to the MME in the AKA (Authentication and Key Agreement) process to derive the NAS (non-access stratum) layer key and the eNB.
- AS access layer
- the NAS COU T is the NAS count COUNT, a downlink NAS COUNT.
- the NAS COUNT is 24 bits long and is maintained independently by the UE and the MME.
- the source MME sends the derived mapped legacy keys IK' and CK' to the core network node SGSN of the target network.
- the target SGSN protects the communication between the user and the network using the mapped legacy key.
- the technical problem to be solved by the present invention is to provide a method and system for establishing an enhanced key when a terminal moves from EUTRAN to enhanced UTRAN, and ensures that the terminal can be enhanced in the enhanced UTRAN. Conduct normal communication all over the place.
- the present invention provides a method for establishing an enhanced key when a terminal moves from an evolved universal terrestrial wireless access network (EUTRAN) to an enhanced universal terrestrial radio access network (UTRAN), including:
- the enhanced QoS support service GPRS support node (SGSN+) derives the intermediate key used in the UTRAN based on the mapped legacy key obtained from the source mobility management entity when the terminal moves from the EUTRAN to the enhanced UTRAN;
- the intermediate key used in the enhanced UTRAN is derived based on the mapping of the traditional key using the same algorithm as the target SGSN+.
- the method further includes: when the terminal is in an active state, the target SGSN+, after deriving the intermediate key, sends the intermediate key to a target enhanced radio network controller in the enhanced UTRAN ( RNC+), derived by the target RNC+ according to the intermediate key, an enhanced air interface integrity key (IKu) and/or an enhanced air interface encryption key (CKu); after deriving the intermediate key, the terminal
- the enhanced air interface key is derived from the intermediate key using the same algorithm as the target RNC+.
- the method further includes: when the terminal is in an active state, the target SGSN+ derives the enhanced air interface integrity key (IKu) according to the intermediate key after deriving the intermediate key. And/or an enhanced air interface encryption key (CKu), and transmitting the derived enhanced air interface key to the target enhanced radio network controller (RNC+); after deriving the intermediate key, the terminal according to the middle
- the key uses the same algorithm as the target SGSN+ to derive the enhanced air interface key.
- the method further includes: the target SGSN+ deriving a modified intermediate key according to the mapped legacy key and the intermediate key, and transmitting the modified intermediate key to the target RNC+,
- the morphing intermediate key is used to update the enhanced air interface key when the terminal performs a serving radio network controller (SRNC) migration within the enhanced UTRAN network.
- SRNC serving radio network controller
- the method further includes: the target SGSN+, when deriving the modified intermediate key, setting an associated counter for the modified intermediate key, wherein the counter is used to record the number of times the generated intermediate key is generated .
- the method further includes: the target SGSN+ changing the counter value along with the change The intermediate key is sent to the target RNC+.
- the message that the target SGSN+ sends a key to the target RNC+ is a migration request message.
- the step of deriving the intermediate key used in the UTRAN includes: deriving an intermediate key used in the enhanced UTRAN according to the mapped legacy key in combination with the first parameter; the terminal is in accordance with the traditional mapping
- the step of deriving the intermediate key used in the enhanced UTRAN by using the same algorithm as the target SGSN+ includes: recombining the first parameter according to the mapped legacy key with the same algorithm as the target SGSN+ Deriving an intermediate key used in the enhanced UTRAN; the first parameter is sent to the terminal by the target SGSN+, or the target SGSN+ is agreed with the terminal.
- the enhanced air interface key is derived according to the intermediate key and the second parameter.
- the first parameter comprises one or more of the following parameters: a service network identifier (PLMN identifier), a core network node type, a sequence number (SQN), a hidden key (AK), a user identity, a target SGSN+ The generated random number.
- PLMN identifier service network identifier
- SQN sequence number
- AK hidden key
- the second parameter comprises one or more of the following parameters: a refresh random number (FRESH) generated by a target radio network controller (RNC), an encryption algorithm identifier (enc-alg-ID), and an integrity algorithm identifier.
- FRESH refresh random number
- RNC target radio network controller
- enc-alg-ID encryption algorithm identifier
- integrity algorithm identifier int-alg-ID
- PCI physical cell identifier
- URFCN absolute frequency of the Node B
- Scrambling Code assigned by the target RNC to the terminal the user identifier
- target RNC identification start (START) parameter defined in the universal mobile communication system
- RRC SN radio link control sequence number defined in the universal mobile communication system Parameter
- random number generated by the target SGSN+ the random number generated by the target SGSN+.
- the random number generated by the target SGSN+ is sent to the terminal by: the target SGSN+ forwarding migration response message sent to the source mobility management entity, the source mobility management entity The handover command message sent by the source base station and the slave E-UTRAN handover command message sent by the source base station to the terminal.
- the step of deriving the intermediate key used in the UTRAN according to the traditional key of the mapping obtained by the target SGSN from the source mobility management entity comprises: the traditional key according to the mapping Deriving the intermediate key used in the enhanced UTRAN with the first parameter; the terminal deriving the intermediate used in the enhanced UTRAN according to the traditional key of the mapping and using the same algorithm as the target SGSN+
- the step of the key comprises: deriving the intermediate key used in the enhanced UTRAN by recombining the first parameter according to the mapped legacy key and using the same algorithm as the target SGSN+.
- the first parameter includes one or more of the following parameters: service network identifier
- PLMN identifier core network node type, serial number (SQN), hidden key (AK), user identity, random number generated by target SGSN+, random number generated by the terminal.
- the random number generated by the target SGSN+ is sent to the terminal by using a routing area update accept message.
- the random number generated by the terminal is sent to the target SGSN+ by using the routing area update request message.
- the present invention also provides a system for establishing an enhanced key when a terminal moves from an evolved universal terrestrial radio access network (EUTRAN) to an enhanced universal terrestrial radio access network (UTRAN), including a terminal, Enhanced Target Enhancement Service GPRS Support Node (SGSN+) in UTRAN:
- EUTRAN evolved universal terrestrial radio access network
- UTRAN enhanced universal terrestrial radio access network
- SGSN+ Enhanced Target Enhancement Service GPRS Support Node
- the SGSN+ is configured to: derive an intermediate key used in the UTRAN based on a mapped legacy key obtained from the source mobility management entity when the terminal moves from the EUTRAN to the enhanced UTRAN;
- the terminal is configured to: derive a traditional key of the mapping, and derive the traditional key obtained by the mapping, and then derivate the enhanced key in the UTRAN according to the traditional algorithm of the mapping and the same algorithm as the SGSN+ The intermediate key used.
- the system further includes a target enhanced radio network controller (RNC+) in the enhanced UTRAN, the SGSN+ comprising: a first receiving unit, a second key derivation unit and a first transmitting unit, wherein: the first receiving unit The first key derivation unit is configured to: derive the intermediate key according to the mapped traditional key;
- RNC+ target enhanced radio network controller
- the first sending unit is configured to: send the derived intermediate key to the RNC+; the RNC+ is set to: derive an enhanced air interface integrity key (IKu) and/or according to the intermediate key Enhanced air interface encryption key (CKu);
- IKu enhanced air interface integrity key
- CKu Enhanced air interface encryption key
- the terminal includes: a second receiving unit and a second key deriving unit, where:
- the second receiving unit is configured to: receive a command sent by the network side;
- the second key derivation unit is configured to: derive a traditional key mapped according to the command, and derive the intermediate key by using the same algorithm as the SGSN+ according to the traditional key obtained by the derivation, And deriving the enhanced air interface key according to the intermediate key using the same algorithm as the RNC+.
- the system further includes a target enhanced radio network controller (RNC+) in the enhanced UTRAN, the SGSN+ comprising: a first receiving unit, a first key derivation unit and a first transmitting unit, wherein: the first receiving unit And being configured to: receive a traditional key of the mapping sent by the source mobility management entity; the first key derivation unit is configured to: derive the intermediate key according to the mapped traditional key, and derive the intermediate key Enhanced air interface integrity key (IKu) and/or enhanced air interface encryption key (CKu);
- RNC+ target enhanced radio network controller
- the first sending unit is configured to: send the derived enhanced air interface key to the RNC+; the RNC+ is set to: save the received enhanced air interface key;
- the terminal includes: a second receiving unit and a second key deriving unit, where:
- the second receiving unit is configured to: receive a command sent by the network side;
- the second key derivation unit is configured to: derive a traditional key mapped according to the command, and derivate the traditional key using the mapping obtained according to the derivation with the same algorithm as the SGSN+.
- the intermediate key, and the enhanced air interface key are derived according to the intermediate key using the same algorithm as the SGSN+.
- the first key derivation unit of the SGSN+ is further configured to: derive a modified intermediate key according to the mapped legacy key and the intermediate key, and send the modified intermediate key to the target RNC+
- the variant intermediate key is used to update the enhanced air interface key when the terminal performs a serving radio network controller (SRNC) migration within the enhanced UTRAN network.
- SRNC serving radio network controller
- the network side and the terminal can respectively establish an enhanced key system according to the mapped legacy key, instead of performing the AKA process again, thereby enabling It saves network overhead, improves system efficiency, and ensures that the terminal can communicate securely with the enhanced UTRAN network.
- FIG. 1 is a schematic structural diagram of a radio access network using HSPA+ technology in the prior art
- FIG. 2 is a schematic diagram of a HiSPA+ enhanced security key hierarchy in the prior art
- FIG. 3 is a schematic structural diagram of an LTE/SAE in the prior art
- FIG. 5 is a flowchart of Embodiment 2 of the present invention.
- Embodiment 6 of the present invention is a flowchart of Embodiment 6 of the present invention.
- FIG. 10 is a flowchart of Embodiment 7 of the present invention
- FIG. 11 is a flowchart of Embodiment 8 of the present invention.
- the principle of the present invention is: when the terminal moves from the EUTRAN to the UTRAN supporting the HSPA+ security function (ie, the enhanced UTRAN, hereinafter referred to as the enhanced UTRAN), the intermediate key used in the UTRAN is enhanced; the terminal derives the traditional mapping of the mapping After the key, the intermediate key (KRNC) used in the enhanced UTRAN is derived according to the traditional key of the mapping using the same algorithm as the target SGSN+.
- the target SGSN+ When the terminal is in an active state, the target SGSN+ obtains the mapped legacy key from the source mobility management entity by forwarding a migration request message. After deriving the intermediate key, the target SGSN+ transmits the intermediate key KR NC to a target radio network controller (RNC+) in the enhanced UTRAN through a key distribution message (such as a migration request message), by the target RNC+ An enhanced air interface key (IKu and/or CKu) is derived from the intermediate key KR NC . After deriving the intermediate key used in the enhanced UTRAN, the terminal derives an enhanced air interface key (IKu and/or CKu) according to the same algorithm as the target RNC+ according to the intermediate key.
- RNC+ target radio network controller
- the target SGSN+ derives the enhanced air interface key IKu and/or CKu according to the intermediate key, and distributes the enhanced air interface key IKu and/or CKu by key
- the message (such as the migration request message) is sent to the target RNC+, the target RNC+ stores the air interface integrity key IKu and/or the encryption key CCu; the terminal after deriving the intermediate key used in the enhanced UTRAN,
- the enhanced air interface key IKu and/or CKu is derived from the intermediate key using the same algorithm as the target SGSN+.
- the target SGSN+ derives the modified intermediate key according to the mapped legacy key and the intermediate key, and transmits the modified intermediate key to the target wireless in the enhanced UTRAN through a key distribution message (such as a migration request message)
- the network controller RNC+ the modified intermediate key is used to update the enhanced air interface keys IKu and CKu when the terminal performs a serving radio network controller (SRNC) migration within the enhanced UTRAN network.
- SRNC serving radio network controller
- the target SGSN+ sets an associated counter for the modified intermediate key while deriving the modified intermediate key, and the counter is used to record the number of times the deformed intermediate key is generated.
- the target SGSN+ can also send the counter value to RNC+.
- the target SGSN+ derives the intermediate key used in the enhanced UTRAN according to the mapped legacy key and the first parameter; the terminal in the process of deriving the intermediate key, the same Deriving an intermediate key used in the enhanced UTRAN according to the mapped legacy key and combining the first parameter with the same algorithm as the target SGSN+; the first parameter is sent to the terminal by the target SGSN+ Or the target SGSN+ is agreed with the terminal.
- the enhanced air interface key IKu and / or CKu is derived according to the intermediate key and the second parameter.
- the first parameter includes one or more of the following parameters: a service network identifier (PLMN identifier), a core network node type, a sequence number (SQN), a hidden key (AK), a user identity, and a target SGSN+ generated random number.
- PLMN identifier service network identifier
- SQN sequence number
- AK hidden key
- user identity a user identity
- target SGSN+ generated random number a target SGSN+ generated random number.
- the second parameter includes one or more of the following parameters: a refresh random number (FRESH) generated by a target radio network controller (RNC), an encryption algorithm identifier (enc-alg-ID), and an integrity algorithm identifier (int- alg-ID), enhance the physical cell identity (PCI) of the Node B, enhance the absolute frequency of the Node B (UARFCN), the scrambling code assigned by the target RNC to the terminal, the user identifier, the target RNC identifier, and the universal Start (START) parameter defined in the mobile communication system, integrity sequence number (COUNT-I) parameter defined in the universal mobile communication system, radio link control sequence number (RRC SN) parameter defined in the universal mobile communication system, target The random number generated by SGSN+.
- FRESH refresh random number
- RNC target radio network controller
- enc-alg-ID an encryption algorithm identifier
- int- alg-ID integrity algorithm identifier
- enhance the physical cell identity (PCI) of the Node B enhance the absolute frequency
- the target SGSN+ When the terminal is in an idle state, the target SGSN+ obtains the mapped legacy key from the source mobility management entity by using a context response message. In the process of deriving the intermediate key, the target SGSN+ derives the intermediate key used in the enhanced UTRAN according to the mapped legacy key and the first parameter; the terminal in the process of deriving the intermediate key, the same The intermediate key used in the enhanced UTRAN is derived from the mapped legacy key in conjunction with the first parameter using the same algorithm as the target SGSN+.
- the first parameter includes one or more of the following parameters: a service network identifier (PLMN identifier), a core network node type, a sequence number (SQN), a hidden key (AK), a user identity, and a target SGSN+ generated random Number NONCESGSN, the random number generated by the terminal NONCEuEo
- PLMN identifier a service network identifier
- SQN sequence number
- AK hidden key
- NONCESGSN the random number generated by the terminal NONCEuEo
- the random number NONCESGSN is generated by the target SGSN+ after receiving the forwarding migration request message sent by the source MME, and is forwarded to the terminal via the source MME and the source base station; or the random number is updated by the target SGSN+ in the routing area sent by the receiving terminal.
- the request message is generated and sent to the terminal via the routing area update accept message.
- the above random number NONCEUE is generated by the terminal before transmitting the routing area update request message to the target SGSN+, and is transmitted to the target SGSN+ via the routing area update request message.
- the above FRESH is generated by the target RNC+ after receiving the migration request message sent by the target SGSN+.
- the FRESH parameter is forwarded to the terminal via the target SGSN+ and the source MME and the source base station.
- the terminal state in the embodiment 1-4 is an active state
- the terminal state in the embodiment 5-6 is an idle state.
- This embodiment illustrates an example of an air interface key management procedure when the terminal moves from the EUTRAN to the enhanced UTRAN.
- the target SGSN+ is responsible for deriving the KRNC
- the target RNC+ is responsible for deriving the enhanced keys CKu and IKu. As shown in Figure 4, the following steps are included:
- Step 101 The source base station decides to switch from the E-UTRAN network to the target enhanced UTRAN network.
- Step 103 The source ⁇ confirms that the terminal is to switch to the UTRAN, and derives the mapped traditional keys IK' and CK' according to the KASME;
- KASME is stored at both the terminal and the MME.
- the derivation of the mapped traditional keys IK, and CK, is defined in the LTE-related protocol, and is not described here.
- Step 104 The source MME sends a Forward Migration Request message to the target SGSN, requesting the target SGSN. Allocating resources to the terminal; the message carries security-related parameters: for example, mapped traditional keys IK' and CK.
- the migration process of the Serving GW may be performed at the same time.
- Step 105 If the target SGSN supports the HSPA+ enhanced security function, that is, if the target SGSN is SGSN+, the target SGSN+ derives the intermediate key KR NC according to the received mapped traditional keys IK', CK';
- the target SGSN+ derives the modified intermediate key KR NC * according to the mapped traditional key IK', CK' and the intermediate key KR NC , and the modified intermediate key is used when When the terminal performs SRNC migration in the enhanced UTRAN network, the enhanced air interface keys IKu and CKu are updated.
- the morphing intermediate key KR NC * is associated with a counter NCC for recording the number of times the morphing intermediate key is generated.
- the morphing intermediate key KRNC* is associated with the NCC. The value is 1.
- target SGSN does not support the HSPA+ enhanced security function, the following processes are performed according to the procedures specified in the LTE specification, and are not described here.
- Step 106 The target SGSN+ sends a migration request message to the target RNC+, requesting the target RNC+ to establish a wireless network resource for the terminal, where the message carries security-related information, and at least includes: KRNC and algorithm information;
- the algorithm information includes integrity algorithm information and/or encryption algorithm information, and the integrity algorithm may be an integrity algorithm supported by the terminal, or an integrity algorithm selected by the network side; the encryption algorithm may be an encryption supported by the terminal. Algorithm, or an encryption algorithm selected on the network side. If integrity protection is required, the algorithm information contains at least an integrity algorithm.
- the target SGSN+ may also carry: the modified intermediate key KRNC*. If the counter NCC is set for KRNC*, the counter NCC value can also be carried.
- Step 107 The target RNC+ allocates radio resources to the terminal, and derives an enhanced air interface integrity key IKu and/or an air interface encryption key CKu according to the received KRNC, and saves the generated IKu and/or CKu;
- the derivation of IKu and CKu is as shown in Examples 10 and 11. If the refresh random number (FRESH) is needed during the derivation, the target RNC+ also needs to generate the FRESH parameter.
- FRESH refresh random number
- Step 108 The target RNC+ sends a migration request acknowledgement message to the target SGSN+.
- the RNC+ needs to carry the RNC+ selected algorithm (integrity algorithm and/or encryption algorithm) in the migration request acknowledgement message.
- the target RNC+ may add an indication in the migration request acknowledgement message to implicitly or explicitly instruct the terminal to perform the derivation of the enhanced key IKu and/or CKu, for example: adding the network side security in the migration request acknowledgement message Capability indication (implicit mode), or enhanced key enable indication (explicit mode).
- the target SGSN+ and the serving gateway may perform an indirect data forwarding tunnel request message interaction process.
- Step 109 The target SGSN+ sends a forwarding migration response message to the source MME.
- the RNC+ selected algorithm is carried in the forward migration response message.
- the target SGSN+ may also add an indication in the forwarding migration response message to implicitly or explicitly instruct the terminal to perform the derivation of the enhanced key IKu and/or CKu, for example: adding the network side security capability in the forwarding migration response message Indication (implicit mode), or enhanced key enable indication (explicit mode). If the target RNC+ carries the indication in step 108, the target SGSN+ may add the indication in the constructed forwarding migration response message.
- Step 110 The source MME sends a handover command message to the source base station, indicating that the network completes the handover preparation process.
- the handover command message sent by the source MME to the source base station also carries the parameter indicating the algorithm.
- the source MME carries an indication of the target RNC+ or the target SGSN+ added in the handover command message to instruct the terminal to perform derivation of the enhanced key IKu and/or CKu.
- Step 111 The source base station sends a handover command message from the EUTRAN to the terminal, instructing the terminal to switch to the target access network.
- the handover command message carries radio parameters of the target RNC+ allocated to the terminal in the preparation phase, and algorithm information (including integrity algorithms and/or encryption algorithms).
- the source base station also carries an indication added by the target RNC+ or the target SGSN+ in the message, to instruct the terminal to perform derivation of the enhanced keys IKu and CKu.
- Step 112 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then derives the KR NC according to the mapped traditional keys IK' and CK', and then derives the enhanced air interface integrity key IKu and / according to the KR NC. Or air interface encryption key CKu;
- Step 113 The terminal sends a handover to the target RNC+ to the UTRAN complete message, where the message is integrity protected using the newly generated enhanced integrity key IKu, and/or encrypted using the enhanced encryption key CKu;
- Step 114 The target RNC+ sends a migration complete message to the target SGSN+, indicating to the target SGSN+ that the terminal has successfully switched from the EUTRAN to the target RNC+;
- Step 115 The target SGSN+ and the source MME perform message interaction, and confirm that the migration is complete.
- This embodiment illustrates an example of an enhanced air key establishment procedure for a terminal moving from EUTRAN to an enhanced UTRAN.
- the difference between this embodiment and the example 1 is that the enhanced air interface integrity key IKu and the air interface encryption key CKu are generated at the target SGSN+ and delivered to the target RNC+ in the migration request message through the target SGSN+. As shown in Figure 5, the following steps are included:
- Steps 201-204 the same as the embodiment 1 steps 101-104;
- Step 205 If the target SGSN supports the enhanced security function, that is, if the target SGSN is SGSN+, the target SGSN+ derives the KR NC according to the received traditional keys IK' and CK', and then derives according to the intermediate key KR NC.
- the target SGSN+ derives the variant intermediate key KRNC* from the mapped legacy keys IK', CK' and the intermediate key KRNC.
- enhanced air interface key information enhanced air interface integrity key IKu and/or Or air interface encryption key CCu
- the algorithm information includes integrity algorithm information and/or encryption algorithm information.
- the target SGSN+ further derives the modified intermediate key KR NC * in step 205
- the target SGSN+ further carries: the modified intermediate key KR NC *.
- the counter NCC is set for KRNC*, the counter NCC value can also be carried.
- Step 207 the target RNC+ stores enhanced air interface key information
- Steps 208-216 the same as Embodiment 1 steps 108-116.
- This embodiment illustrates another example of an enhanced air key establishment procedure for a terminal moving from EUTRAN to enhanced UTRAN.
- the difference between this embodiment and the example 1 is that a random number NONCESGSN is generated by the target SGSN+, and the intermediate key KRNC is derived using the random number NONCESGSN and the mapped legacy keys IK, and CK. As shown in Figure 6, the following steps are included:
- Steps 301-304 the same as the embodiment 1 steps 101-104;
- Step 305 if the target SGSN is SGSN+, the target SGSN+ generates a random number NONCESGSN, and derives the KRNC according to the received traditional key IK', CK' and the generated random number NONCESGSN;
- the target SGSN+ derives the modified intermediate key KRNC* according to the mapped traditional key IK', CK' and the intermediate key KRNC, and the modified intermediate key is used when the terminal is in the terminal
- the enhanced air interface keys IKu and CKu are updated.
- the variant intermediate key KRNC* is associated with a counter NCC. In this embodiment, at this time, the NCC value associated with the modified intermediate key KASMEU* is 1.
- Steps 306-308 the same as the embodiment 1 steps 106-108;
- Step 309 The target SGSN+ sends a forwarding migration response message to the source MME, and carries the parameter: a random number NONCESGSN, and algorithm information, where the algorithm information includes: integrity algorithm information and/or encryption algorithm information;
- the target SGSN+ may carry an indication in the message, and the source MME relays the terminal to perform the derivation of the enhanced keys IKu and CKu, which may be indicated in an implicit or explicit manner, for example: adding the inclusion in the forwarding migration response message Network side security capability indication (implicit mode), or enhanced key enable indication (explicit mode).
- the source MME relays the terminal to perform the derivation of the enhanced keys IKu and CKu, which may be indicated in an implicit or explicit manner, for example: adding the inclusion in the forwarding migration response message Network side security capability indication (implicit mode), or enhanced key enable indication (explicit mode).
- Step 310 The source MME sends a handover command message to the source base station, instructing the network to complete the handover preparation process, and carrying the parameter in the message: a random number NONCESGSN, and algorithm information;
- Step 311 The source base station sends a handover command message from the EUTRAN to the terminal, instructing the terminal to switch to the target access network, and carries the radio parameters of the target RNC+ allocated to the terminal in the preparation phase, including: a random number NONCESGSN, and Algorithm information;
- the source base station instructs the terminal to perform the derivation of the enhanced keys IKu and CKu in the message, which may be indicated in an implicit or explicit manner, for example: adding a network side security capability indication (implicit indication) in the handover command , or an enhanced key enable indicator (explicit indication).
- Step 312 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then derives the KRNC according to the mapped traditional keys IK', CK' and the random number NONCESGSN, and then derives the enhanced air interface integrity according to the KRNC.
- Steps 313-316 the same as Embodiment 1 steps 113-116.
- This embodiment illustrates an example of an enhanced air key establishment procedure for a terminal moving from EUTRAN to an enhanced UTRAN.
- the difference between this embodiment and the example 3 is that the enhanced air interface integrity key IKu and the air interface encryption key CKu are generated at the target SGSN+ and delivered to the target RNC+ in the migration request message by the target SGSN+. As shown in Figure 7, the following steps are included:
- Steps 401-404 the same as the embodiment 3 steps 301-304;
- Step 405 If the target SGSN is SGSN+, the target SGSN+ generates a random number NONCESGSN, and derives according to the received traditional key IK', CK' and the generated random number NONCESGSN. KRNC, and then derive an enhanced air interface integrity key IKu and/or air interface encryption key CCu according to the intermediate key KR NC ; or, the target SGSN+ derives KRNC according to the received mapped traditional key IK', CK ', and then according to The intermediate key KRNC and the generated random number NONCESGSN derive an enhanced air interface integrity key IKu and/or an air interface encryption key CKu;
- the target SGSN+ derives the modified intermediate key KRNC* from the mapped legacy key IK', CK' and the intermediate key KRNC, and sets the counter NCC for the modified intermediate key KRNC*.
- Step 406 The target SGSN+ sends a migration request message to the target RNC+, requesting the target RNC+ to establish a wireless network resource for the terminal, and the message carrying the security-related information includes at least: enhanced air interface key information (enhanced air interface integrity key IKu and/or Air interface encryption key CCu) and algorithm information;
- enhanced air interface key information enhanced air interface integrity key IKu and/or Air interface encryption key CCu
- the algorithm information includes integrity algorithm information and/or encryption algorithm information.
- the target SGSN+ further derives the modified intermediate key KRNC* in step 405
- the target SGSN+ further carries: the modified intermediate key KRNC*. If the counter NCC is set for KRNC*, the counter NCC value can also be carried.
- Step 407 the target RNC+ stores enhanced air interface key information
- Steps 408-416 the same as the embodiment 3 steps 309-316.
- the terminal derives the enhanced keys IKu and / or CKu in the same manner as the network side.
- This embodiment shows an example of an enhanced air interface key establishment when the terminal moves from the EUTRAN to the enhanced UTRAN to perform routing area update in the idle mode. As shown in FIG. 8, the following steps are included:
- Step 501 When the routing area update trigger condition is met, the terminal sends a routing area update request message to the target SGSN+, requesting to perform routing area update, and the message carries a NAS token (non-access stratum token) for the network to verify the terminal;
- NAS token non-access stratum token
- the derivation of the NAS token complies with the definition of the LTE-related protocol and will not be described here.
- Step 502 The target SGSN+ sends a context request message to the source MME of the terminal, requesting the context of the terminal, and the message carries the parameter: NAS token;
- Step 503 The source MME verifies the NAS token. If the verification succeeds, the source MME derives the mapped traditional keys IK' and CK' according to the KASME.
- Step 504 The source MME sends a context response message to the target SGSN+, where the message carries parameters: the mapped traditional keys IK' and CK';
- Step 505 the target SGSN+ is derived according to the received traditional keys IK' and CK' of the mapping
- Step 506 The target SGSN+ sends a routing area update accept message to the terminal.
- the target SGSN+ adds an indication in the routing area update accept message to implicitly or explicitly instruct the terminal to perform the KRNC derivation, for example: adding a network side security capability indication to the routing area update accept message (hidden) Mode), or enhanced key enable indication (explicit mode).
- Step 507 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then derives the KRNC from the mapped traditional keys IK' and CK'; wherein the mapping of the mapped traditional keys IK' and CK' may also occur Before this step;
- Step 508 The terminal sends a routing area update complete message to the target SGSN+ to confirm that the routing area update is completed.
- This embodiment shows an example in which the terminal establishes an enhanced air interface key when moving from the EUTRAN to the enhanced UTRAN for routing area update in the idle mode.
- the difference between this embodiment and Embodiment 5 is that a random number NONCESGSN is generated by the target SGSN+, and the target SGSN+ and the terminal derive the intermediate key KRNC using the random number NONCESGSN and the mapped legacy keys IK', CK'.
- the following steps are included:
- Steps 601-604 the same as the embodiment 5 steps 501-504;
- Step 605 The target SGSN+ generates a random number NONCESGSN, and derives a KRNC according to the received traditional key IK', CK' and the random number NONCESGSN.
- Step 606 The target SGSN+ sends a routing area update accept message to the terminal, and carries the parameter in the message: a random number NONCESGSN;
- the target SGSN+ adds an indication in the routing area update accept message to implicitly or explicitly instruct the terminal to perform KRNC derivation.
- Step 607 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then derives the KRNC according to the mapped traditional keys IK', CK', and NONCESGSN; wherein the mapping of the mapped traditional keys IK' and CK is also Occurs before this step;
- Step 608 the same as step 5 of embodiment 5.
- This embodiment shows an example in which the terminal establishes an enhanced air interface key when moving from the EUTRAN to the enhanced UTRAN for routing area update in the idle mode.
- the difference between this embodiment and Embodiment 5 is that a random number NONCEUE is generated by the terminal, and the target SGSN+ and the terminal derive the intermediate key KRNC using the random number NONCEUE and the mapped legacy keys IK', CK'. As shown in Figure 10, the following steps are included:
- Step 701 When the routing area update trigger condition is met, the terminal generates a random number NONCEUE.
- the message carries a NAS token for network to authenticate the terminal.
- the derivation of the NAS token complies with the definition of the LTE-related protocol and will not be described here.
- Steps 703-705 the same as the embodiment 5 steps 502-504;
- Step 706 the target SGSN+ is based on the received traditional key IK', CK' and the random number
- Step 707 the same as step 506 of the embodiment 5;
- Step 708 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then derives the KRNC according to the mapped traditional keys IK', CK', and NONCEUE, wherein the mapping of the mapped traditional keys IK' and CK' is also Occurs before this step;
- Step 709 the same as step 5 of embodiment 5.
- This embodiment shows an example in which the terminal establishes an enhanced air interface key when moving from EUTRAN to enhanced UTRAN for routing area update in idle mode.
- the terminal generates a random number NONCEUE
- the target SGSN+ generates a random number NONCESGSN
- the terminal and the target SGSN+ respectively use the random number NONCEUE, the random number NONCESGSN, and the mapped traditional secret.
- the keys IK', CK' derive the intermediate key KR NC . As shown in FIG. 11, the following steps are included:
- Step 801 When the routing area update trigger condition is met, the terminal generates a random number NONCEUE.
- the derivation of the NAS token complies with the definition of the LTE-related protocol and will not be described here.
- Steps 803-805 the same as the embodiment 5 steps 502-504;
- Step 806 The target SGSN+ generates a random number NONCESGSN, and derives a KRNC according to the received traditional key IK, CK', and the random number NONCEUE and the random number NONCESGSN.
- Step 807 The target SGSN+ sends a routing area update accept message to the terminal, and carries the parameter in the message: a random number NONCESGSN;
- the target SGSN+ adds an indication in the routing area update accept message to implicitly or explicitly instruct the terminal to perform KRNC derivation.
- Step 808 The terminal derives the mapped traditional keys IK' and CK' according to the KASME, and then combines the random Number NONCEUE, random number NONCESGSN derivation KRNC, wherein the derivation of the mapped traditional keys IK' and CK' may also occur before this step;
- Step 809 the same as step 5 of embodiment 5.
- This embodiment gives an example of the derivation of the intermediate key KRNC.
- the generation parameter of the SGSN+ derived intermediate key KRNC includes one of the following parameters or a combination of any of the following parameters in addition to the mapped traditional encryption key CK and the mapped legacy integrity key IK: Service Network Identity (PLMN identifier) ), core network node type (TYPE, indicating packet switching or circuit switching), serial number (SQN), hidden key (AK), user identity (such as IMSI, IMEI or TMSI), random number NONCE; the serial number Both the hidden key and the hidden key are parameters generated by the user and the home user server respectively during the authentication and key agreement process.
- PLMN identifier Service Network Identity
- TYPE indicating packet switching or circuit switching
- SQN serial number
- AK hidden key
- user identity such as IMSI, IMEI or TMSI
- random number NONCE random number
- KRNC F1 (CK,, IK', Type, SQN ® AK );
- KRNC F1 (CK,, IK', PLMN identifier, SQN ® AK );
- KRNC F1 (CK,, IK', Type, IMSI, SQN ® AK );
- KRNC F1 (CK,, IK', PLMN identifier, SQN);
- KRNC F1 (CK,, IK', PLMN identifier, AK);
- KRNC F1 (CK,, IK', SQN ® AK );
- KRNC F1 (CK,, IK', TYPE, AK);
- KRNC F1 (CK,, IK', NONCESGSN, NONCEUE);
- Fl is an arbitrary key generation algorithm, for example: A KDF algorithm that can be defined by 3GPP. " ® " refers to the 3GPP definition for an exclusive OR algorithm.
- the target SGSN+ cannot obtain the value of SQN@AK, it can be initialized to
- This embodiment gives an example of the derivation of the enhanced air interface integrity key IKu and air interface encryption key CKu.
- the core network node SGSN+ sends the intermediate key KRNC to the RNC+, and the RNC+ calculates the encryption key CCu and the integrity key IKu according to the intermediate key KRNC and the existing parameters of the universal mobile communication system network, and the target SGSN+ and the terminal can be combined with the following
- the existing parameters of the UMTS network calculate CKu and IKu.
- the existing parameters of the UMTS network include one of the following parameters or a combination of any number: RNC+ generated refresh random number (FRESH), encryption algorithm identifier (enc-alg-ID), integrity algorithm identifier (int-alg-ID), Enhance Node B's physical cell identity (PCI), enhance Node B's Absolute Radio Frequency Channel Number (UARFCN), RNC+ Scrambling Code assigned to user equipment, User ID, RNC+ Logo, General
- the START parameter defined in the mobile communication system the integrity sequence number (COU TI) parameter defined in the universal mobile communication system, and the radio link control sequence number (RRCSN) parameter defined in the universal mobile communication system.
- CKu F2 ( KRNC, FRESH, enc-alg-ID),
- IKu F3 (KRNC, FRESH, int-alg-ID);
- IKu F2 ( KRNC, PCI, UARFCN, int-alg-ID );
- IKu F2 ( KRNC, START, int-alg-ID );
- IKu F2 ( KRNC, COUNT-I, int-alg-ID );
- IKu F2 ( KRNC, RRC SN, int-alg-ID );
- CKu, IKu F2 ( KRNC, NONCE );
- NONCE can be a random number generated by SGSN+.
- F is an arbitrary key generation algorithm, for example: A KDF algorithm that can be defined by 3GPP.
- the random number FRESH is a parameter that has been defined in the UMTS. The random number is 32 bits long.
- a random number FRESH is generated for each user by the RNC (corresponding to HSPA+, that is, Node B+), and is sent to the user through the security mode command message. Throughout the duration of the connection, the network and the user use the random number to calculate a message authentication code (MAC-I) for protecting the network from replay attacks of user signaling messages.
- MAC-I message authentication code
- the target RNC+ When the terminal switches from EUTRAN to UTRAN, the target RNC+ generates the FRESH parameter after receiving the migration request message sent by the target SGSN+.
- the FRESH parameter is transmitted to the terminal via the relay of the target SGSN+ and the source MME and the source base station (i.e., steps 108-111 in Embodiment 1). The terminal uses this parameter
- the start parameter is a parameter that has been defined in the UMTS and is stored in the user equipment (UE) and the Universal Subscriber Identity Module (USIM) for managing the encryption key and the integrity key.
- the life cycle in a successful authentication and key agreement process, the START value associated with the newly generated key is initialized to 0 in the ME and USIM.
- the user equipment controls the connection establishment completion message through the radio link to send the value of the start parameter to the radio network controller (RNC) during the wireless connection maintenance process.
- RNC radio network controller
- the user equipment and the radio network controller increment the start parameter value according to the network rule.
- the START value reaches the specified threshold, the key is invalidated.
- the integrity sequence number (COU T-I) is 32 bits long and consists of a 4-bit RRC sequence number (RRC SN) and a 28-bit superframe number. The superframe number is incremented in each RRC SN period, and the RRC sequence number (RRC SN) is incremented in each integrity protected radio link control message.
- the physical cell identity (PCI) and absolute frequency of the enhanced Node B are broadcast in the system broadcast message of the enhanced Node B.
- the scrambling code assigned by the enhanced Node B to the user equipment is obtained from the network side before the user establishes a wireless connection with the network.
- This embodiment gives an example of another derivation of the enhanced air interface integrity key IKu and air interface encryption key CCu.
- Intermediate key KRN C ( IK'UCK');
- a system implementing the above method comprising a terminal, an enhanced service GPRS support node (SGSN+) in the enhanced UTRAN, wherein:
- the SGSN+ for deriving an intermediate key used in the UTRAN according to a mapped legacy key obtained from a source mobility management entity (MME) when the terminal moves from the EUTRAN to the enhanced UTRAN;
- MME source mobility management entity
- the system further includes a target enhanced radio network controller (RNC+) in the enhanced UTRAN, the SGSN+ comprising: a first receiving unit, a first key derivation unit and a first transmitting unit, wherein: the first receiving unit a traditional key for receiving a mapping sent by the source mobility management entity; the first key derivation unit deriving the intermediate key according to the mapped legacy key; the first sending unit, configured to The derived intermediate key is sent to the RNC+; the RNC+ is used to derive an enhanced air interface integrity key (IKu) and/or an enhanced air interface encryption key (CKu) according to the intermediate key. ) ;
- RNC+ target enhanced radio network controller
- the terminal includes: a second receiving unit, a second key deriving unit, where:
- the second receiving unit is configured to receive a command sent by the network side
- the second key derivation unit is configured to derivate the traditional key mapped according to the command, and derive the intermediate key according to the traditional key of the mapping obtained by deriving, using the same algorithm as the SGSN+, And deriving the enhanced air interface key according to the intermediate key using the same algorithm as the RNC+.
- the system further includes a target enhanced radio network controller (RNC+) in the enhanced UTRAN, the SGSN+ comprising: a first receiving unit, a first key derivation unit and a first transmitting unit, wherein: the first receiving unit a traditional key for receiving a mapping sent by the source mobility management entity; the first key derivation unit deriving the intermediate key according to the mapped legacy key, and deriving an enhanced according to the intermediate key Air interface integrity key (IKu) and/or enhanced air interface encryption key (CKu);
- RNC+ target enhanced radio network controller
- the first sending unit is configured to send the derived enhanced air interface key to the RNC+; the RNC+ is configured to save the received enhanced air interface key;
- the terminal includes: a second receiving unit, a second key deriving unit, where:
- the second receiving unit is configured to receive a command sent by the network side
- the second key derivation unit is configured to derivate the traditional key mapped according to the command, and derive the intermediate key according to the traditional key of the mapping obtained by deriving, using the same algorithm as the SGSN+, And deriving the enhancement according to the same algorithm as the SGSN+ according to the intermediate key Air interface key.
- the key derivation unit of the SGSN+ is further configured to derive a modified intermediate key according to the mapped traditional key and the intermediate key, and send the modified intermediate key to the target RNC+, where the middle of the deformation
- the key is used to update the enhanced air interface key when the terminal performs a Serving Radio Network Controller (SRNC) migration within the enhanced UTRAN network.
- SRNC Serving Radio Network Controller
- each unit may be known by referring to the foregoing method.
- the sending unit of the SGSN may also be used to send a parameter used when deriving a key to the terminal, and the sending unit of the terminal may also be used to send the SGSN+
- the random number generated by the terminal is used for derivation of the key by the SGSN+, and is not described here again.
- the network side and the terminal can respectively establish an enhanced key system according to the mapped legacy key, without performing the AKA process again. Therefore, network overhead can be saved, system efficiency can be improved, and the terminal can securely communicate with the enhanced UTRAN network.
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/515,186 US8712054B2 (en) | 2010-04-16 | 2011-04-02 | Method and system for establishing enhanced key when terminal moves to enhanced universal terminal radio access network (UTRAN) |
EP11768403.5A EP2501164B1 (en) | 2010-04-16 | 2011-04-02 | Method and system for establishing enhanced key when terminal moves to enhanced universal terrestrial radio access network(utran) |
CA2787969A CA2787969C (en) | 2010-04-16 | 2011-04-02 | Method and system for establishing enhanced key when terminal moves to enhanced universal terrestrial radio access network (utran) |
JP2012545075A JP5436694B2 (ja) | 2010-04-16 | 2011-04-02 | 端末が強化型utranに移動する時に強化キーを確立する方法及びシステム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010165581.6 | 2010-04-16 | ||
CN201010165581A CN101835152A (zh) | 2010-04-16 | 2010-04-16 | 终端移动到增强utran时建立增强密钥的方法及系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011127791A1 true WO2011127791A1 (zh) | 2011-10-20 |
Family
ID=42719041
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2011/072442 WO2011127791A1 (zh) | 2010-04-16 | 2011-04-02 | 终端移动到增强utran时建立增强密钥的方法及系统 |
Country Status (6)
Country | Link |
---|---|
US (1) | US8712054B2 (zh) |
EP (1) | EP2501164B1 (zh) |
JP (1) | JP5436694B2 (zh) |
CN (1) | CN101835152A (zh) |
CA (1) | CA2787969C (zh) |
WO (1) | WO2011127791A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015512181A (ja) * | 2012-01-30 | 2015-04-23 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | 異なる機密保護コンテキストをサポートする複数のセルラ通信システムノード間の呼のハンドオーバ |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2385690T3 (es) | 2007-12-11 | 2012-07-30 | Telefonaktiebolaget L M Ericsson (Publ) | Métodos y aparatos que generan una clave para estación de base de radio en un sistema celular de radio |
CN101835152A (zh) * | 2010-04-16 | 2010-09-15 | 中兴通讯股份有限公司 | 终端移动到增强utran时建立增强密钥的方法及系统 |
CN101860862B (zh) * | 2010-05-17 | 2015-05-13 | 中兴通讯股份有限公司 | 终端移动到增强utran时建立增强密钥的方法及系统 |
CN102469454A (zh) * | 2010-11-08 | 2012-05-23 | 华为技术有限公司 | Rnc切换中的密钥设置方法及无线网络控制器、终端 |
CN102137398B (zh) * | 2011-03-10 | 2017-04-12 | 中兴通讯股份有限公司 | 增强密钥的更新方法、装置和用户设备 |
CN104010276B (zh) * | 2013-02-27 | 2019-02-15 | 中兴通讯股份有限公司 | 一种宽带集群系统的组密钥分层管理方法、系统和终端 |
US9510376B2 (en) | 2013-09-25 | 2016-11-29 | At&T Intellectual Property I, L.P. | Tunneling packet exchange in long term evolution protocol based networks |
US9538563B2 (en) | 2014-10-13 | 2017-01-03 | At&T Intellectual Property I, L.P. | System and methods for managing a user data path |
WO2017084043A1 (en) * | 2015-11-18 | 2017-05-26 | Alcatel-Lucent Shanghai Bell Co., Ltd. | Handover between e-utran and wlan |
BR112019015387B1 (pt) | 2017-01-30 | 2020-11-03 | Telefonaktiebolaget Lm Ericsson (Publ) | manuseio de contexto de segurança em 5g durante modo conectado |
CN109511113B (zh) | 2017-07-28 | 2020-04-14 | 华为技术有限公司 | 安全实现方法、相关装置以及系统 |
US10542428B2 (en) | 2017-11-20 | 2020-01-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Security context handling in 5G during handover |
US10355773B1 (en) * | 2018-01-02 | 2019-07-16 | Talal Awad | Connectivity system and method for high speed aircraft internet |
EP3837873A1 (en) | 2018-08-13 | 2021-06-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Protection of non-access stratum communication in a wireless communication network |
CN112019489B (zh) * | 2019-05-31 | 2022-03-04 | 华为技术有限公司 | 验证方法及装置 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101232731A (zh) * | 2008-02-04 | 2008-07-30 | 中兴通讯股份有限公司 | 用于ue从utran切换到eutran的密钥生成方法和系统 |
CN101835152A (zh) * | 2010-04-16 | 2010-09-15 | 中兴通讯股份有限公司 | 终端移动到增强utran时建立增强密钥的方法及系统 |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6857075B2 (en) * | 2000-12-11 | 2005-02-15 | Lucent Technologies Inc. | Key conversion system and method |
US8462742B2 (en) * | 2006-03-31 | 2013-06-11 | Samsung Electronics Co., Ltd | System and method for optimizing authentication procedure during inter access system handovers |
ES2659368T3 (es) * | 2007-12-19 | 2018-03-15 | Nokia Technologies Oy | Métodos, aparatos, sistema y productos de programa informático relacionados para la seguridad del traspaso |
AU2009233486B2 (en) * | 2008-04-04 | 2012-07-26 | Nokia Technologies Oy | Methods, apparatuses, and computer program products for providing multi-hop cryptographic separation for handovers |
CN101257723A (zh) * | 2008-04-08 | 2008-09-03 | 中兴通讯股份有限公司 | 密钥生成方法、装置及系统 |
CN101304311A (zh) * | 2008-06-12 | 2008-11-12 | 中兴通讯股份有限公司 | 密钥生成方法和系统 |
JP4390842B1 (ja) * | 2008-08-15 | 2009-12-24 | 株式会社エヌ・ティ・ティ・ドコモ | 移動通信方法、無線基地局及び移動局 |
CN101931951B (zh) * | 2009-06-26 | 2012-11-07 | 华为技术有限公司 | 密钥推演方法、设备及系统 |
-
2010
- 2010-04-16 CN CN201010165581A patent/CN101835152A/zh active Pending
-
2011
- 2011-04-02 EP EP11768403.5A patent/EP2501164B1/en active Active
- 2011-04-02 WO PCT/CN2011/072442 patent/WO2011127791A1/zh active Application Filing
- 2011-04-02 JP JP2012545075A patent/JP5436694B2/ja not_active Expired - Fee Related
- 2011-04-02 US US13/515,186 patent/US8712054B2/en active Active
- 2011-04-02 CA CA2787969A patent/CA2787969C/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101232731A (zh) * | 2008-02-04 | 2008-07-30 | 中兴通讯股份有限公司 | 用于ue从utran切换到eutran的密钥生成方法和系统 |
CN101835152A (zh) * | 2010-04-16 | 2010-09-15 | 中兴通讯股份有限公司 | 终端移动到增强utran时建立增强密钥的方法及系统 |
Non-Patent Citations (1)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on the Introduction of the EPS Key Hierarchy in UMTS (Release 9)", 3GPP TR33.CDE VX.Y.Z, 7 April 2008 (2008-04-07), XP050280555 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015512181A (ja) * | 2012-01-30 | 2015-04-23 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | 異なる機密保護コンテキストをサポートする複数のセルラ通信システムノード間の呼のハンドオーバ |
US10433161B2 (en) | 2012-01-30 | 2019-10-01 | Telefonaktiebolaget Lm Ericsson (Publ) | Call handover between cellular communication system nodes that support different security contexts |
Also Published As
Publication number | Publication date |
---|---|
JP2013516092A (ja) | 2013-05-09 |
EP2501164B1 (en) | 2019-09-04 |
CN101835152A (zh) | 2010-09-15 |
CA2787969A1 (en) | 2011-10-20 |
JP5436694B2 (ja) | 2014-03-05 |
US8712054B2 (en) | 2014-04-29 |
EP2501164A1 (en) | 2012-09-19 |
CA2787969C (en) | 2015-12-01 |
US20130028421A1 (en) | 2013-01-31 |
EP2501164A4 (en) | 2018-01-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11785510B2 (en) | Communication system | |
WO2011127791A1 (zh) | 终端移动到增强utran时建立增强密钥的方法及系统 | |
EP2429227B1 (en) | Method and system for updating air interface keys | |
CN110224982B (zh) | 双连接性中的安全性密钥推导 | |
EP3453149B1 (en) | Secure signaling before performing an authentication and key agreement | |
US8565433B2 (en) | Method and system for managing air interface key | |
Forsberg | LTE key management analysis with session keys context | |
WO2011088770A1 (zh) | 一种派生空中接口密钥的方法及系统 | |
WO2011153852A1 (zh) | 空中接口密钥的更新方法、核心网节点及无线接入系统 | |
EP2648437B1 (en) | Method, apparatus and system for key generation | |
WO2011131063A1 (zh) | 一种建立增强的空口密钥的方法及系统 | |
WO2013075417A1 (zh) | 切换过程中密钥生成方法及系统 | |
WO2011143977A1 (zh) | 终端移动到增强通用陆地无线接入网络(utran)时建立增强密钥的方法及系统 | |
WO2011095077A1 (zh) | 无线通信系统中管理空口映射密钥的方法、系统和装置 | |
WO2012025020A1 (zh) | Geran与增强utran间建立密钥的方法、系统及增强sgsn | |
WO2012009981A1 (zh) | 空中接口密钥的更新方法、核心网节点及无线接入系统 | |
Mukherjee et al. | WiMAX, LTE, and WiFi Interworking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 11768403 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2011768403 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13515186 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2012545075 Country of ref document: JP |
|
ENP | Entry into the national phase |
Ref document number: 2787969 Country of ref document: CA |
|
NENP | Non-entry into the national phase |
Ref country code: DE |