WO2011147153A1 - Method and system for enabling access stratum (as) security algorithm synchronization - Google Patents


Info

Publication number: WO2011147153A1
Authority: WO (WIPO, PCT)
Prior art keywords: security algorithm, enb, security, rrc connection, algorithm
Application number: PCT/CN2010/077955
Other languages: French (fr), Chinese (zh)
Inventors: 王波, 李静岚
Original assignee: 中兴通讯股份有限公司

Classifications

    • H04W 12/033: Protecting confidentiality, e.g. by encryption, of the user plane, e.g. user's traffic (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/03 Protecting confidentiality, e.g. by encryption)
    • H04W 12/037: Protecting confidentiality, e.g. by encryption, of the control plane, e.g. signalling traffic (same hierarchy as H04W 12/033)
    • H04W 12/106: Packet or message integrity (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/10 Integrity)
    • H04W 76/19: Connection re-establishment (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 76/00 Connection management > H04W 76/10 Connection setup)

Definitions

  • The present invention relates to Long Term Evolution (LTE) technology, and in particular to a method and system for synchronizing the access stratum security algorithm when RRC connection re-establishment occurs after a handover.
  • Abbreviations: LTE, Long Term Evolution; eNB, evolved Node B (E-UTRAN Node B); AS, Access Stratum; UE, User Equipment; SMC, Security Mode Command.
  • Because the geographical location and logical structure of the eNBs are highly decentralized, the operator cannot apply centralized security control to the eNBs: each eNB is in a non-secure zone.
  • Each eNB therefore has to select an access stratum (AS) security algorithm suited to its own situation and to the security capability of the user equipment (UE).
  • The basic principle of AS security algorithm selection is: the UE's security capability information is sent to the eNB through signalling (for example, the core network carries the UE security capability to the eNB in the Initial Context Setup Request message), and the eNB selects the highest-priority algorithm from the intersection of the AS security algorithms supported by itself and by the UE.
  • When a handover occurs, the eNB must update the AS security algorithm according to this principle and inform the UE of the new AS security algorithm through an air interface message.
  • FIG. 1 is a schematic diagram of how the AS security algorithm falls out of synchronization during RRC connection re-establishment in the prior art. As shown in FIG. 1, specifically:
  • Assume that the security algorithm supported by eNB1 is not supported by eNB2. When the UE fails to hand over to eNB2 (for example because the RRC reconfiguration at handover did not take effect) and RRC connection re-establishment to eNB2 occurs, if the UE does not reselect the AS security algorithm according to the AS security algorithms supported by eNB2 but still integrity-protects and encrypts the RRC Re-establishment Complete message with the original AS security algorithm (that is, the one supported by eNB1), eNB2, which does not support the original algorithm, will inevitably fail to decrypt and integrity-check the message. The UE's access after handover then fails, which seriously degrades the user experience.
  • This desynchronization is usually resolved by adding a security algorithm configuration information element to the RRC Connection Re-establishment message sent by the eNB to the UE.
  • That method, however, introduces a new problem:
  • the new security algorithm configuration can only be sent to the UE in the RRC Connection Re-establishment message, and that message itself is not integrity protected; therefore, if a malicious attacker tampers with
  • the data encryption algorithm carried in the RRC Connection Re-establishment message, the eNB and the UE cannot detect it in time.
  • The air interface then carries, for a period of time, a large number of invalid data packets that the eNB cannot decrypt, which not only wastes air interface resources but also further seriously degrades the user experience.
  • Summary of the invention
  • The main purpose of the present invention is to provide a method and system for synchronizing the access stratum security algorithm that protect the user plane encryption algorithm in RRC connection re-establishment from being tampered with, avoid AS security algorithm exceptions, avoid as far as possible the bandwidth wasted by invalid air interface packets, improve the timeliness of recovery from the exception, and improve the user experience before and after handover.
  • A method for protecting the access stratum security algorithm includes:
  • during the radio resource control (RRC) connection re-establishment procedure, the evolved Node B (eNB) notifies the user equipment (UE) whether the access stratum (AS) security algorithm is to be updated;
  • according to the notification, the UE encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm;
  • the eNB decrypts and integrity-verifies the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and decides according to the AS security algorithm currently in use whether to initiate a security confirmation.
  • The eNB notifying the UE whether to update the AS security algorithm specifically includes:
  • after receiving the RRC Connection Re-establishment Request from the UE, the eNB selects an AS security algorithm and carries, in the RRC Connection Re-establishment message sent to the UE, a flag indicating whether the AS security algorithm configuration information element is present;
  • this presence flag notifies the UE whether the eNB's own AS security algorithm has been updated.
  • If the presence flag indicates that the information element is present, the method further includes:
  • the eNB carries in the RRC Connection Re-establishment message an algorithm configuration information element holding the updated AS security algorithm parameters.
  • The eNB selecting an AS security algorithm includes:
  • the eNB judges, from the original AS security algorithm configuration carried in the Handover Request message received before the RRC connection re-establishment procedure, whether the AS security algorithms configured on the eNB support the original AS security algorithm; if not, the eNB selects, from
  • its configured AS security algorithms and the UE security capability carried in the Handover Request message, the highest-priority AS security algorithm that the UE supports as the new AS security algorithm, saves the selected algorithm locally, and applies the new AS security algorithm configuration locally;
  • if the eNB supports the original AS security algorithm configuration carried in the Handover Request message, the original AS security algorithm is the selected algorithm
  • and the original AS security algorithm configuration is applied locally.
  • The UE encrypting and integrity-protecting the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification includes:
  • after receiving the RRC Connection Re-establishment message from the eNB, the UE determines from the presence flag whether the AS security algorithm needs to be updated; if the flag indicates that the AS security algorithm configuration information element is present, the UE enables the updated AS security algorithm carried in the algorithm configuration information element of the message for its local configuration, then encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the updated algorithm and sends it to the eNB;
  • if the flag indicates that the information element is absent, the UE keeps the original AS security algorithm for its local configuration, then encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the original algorithm and sends it to the eNB.
  • The eNB deciding according to the AS security algorithm currently in use whether to initiate a security confirmation specifically includes:
  • if the eNB's locally configured AS security algorithm is an updated one, the eNB initiates a security confirmation by sending the UE a Security Mode Command (SMC) message integrity-protected with the updated AS security algorithm; after receiving the SMC message, the UE performs the corresponding SMC processing and sends a Security Mode Complete message to the eNB;
  • if the eNB's locally configured AS security algorithm was not updated, the eNB does not need to initiate a security confirmation.
  • A system for protecting the access stratum security algorithm comprises an eNB and a UE, where the eNB is configured to notify the UE during the RRC connection re-establishment procedure whether the AS security algorithm is to be updated, to decrypt and integrity-verify the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and to decide according to the AS security algorithm currently in use whether to initiate a security confirmation;
  • the UE is configured to encrypt and integrity-protect the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification.
  • In the present invention, on the target side of a failed handover,
  • the RRC Connection Re-establishment message carries the updated AS security algorithm, and the SMC procedure is initiated for security confirmation immediately after re-establishment completes.
  • The invention thus protects the user plane encryption algorithm in RRC connection re-establishment from being tampered with, avoids AS security algorithm exceptions, minimizes the bandwidth wasted by invalid data packets, improves the timeliness of recovery from the exception, and further improves the user experience before and after handover.
  • FIG. 1 is a schematic flowchart of how the AS security algorithm falls out of synchronization during RRC connection re-establishment in the prior art.
  • FIG. 2 is a schematic flowchart of synchronizing the AS security algorithm when RRC connection re-establishment occurs after handover according to the present invention.
  • FIG. 3 is a schematic structural diagram of a system for synchronizing the AS security algorithm according to the present invention.
  • FIG. 4 is a schematic flowchart of the first embodiment of AS security algorithm synchronization according to the present invention.
  • Detailed description
  • FIG. 2 is a schematic flowchart of synchronizing the AS security algorithm when RRC connection re-establishment occurs after handover. As shown in FIG. 2, the following steps are included:
  • Step 200: during the RRC connection re-establishment procedure, the eNB notifies the UE whether the AS security algorithm is to be updated.
  • Specifically, the eNB selects an AS security algorithm and carries, in the RRC Connection Re-establishment message sent to the UE, a flag indicating whether the AS security algorithm configuration information element is present, to notify the UE whether the eNB's own AS security algorithm has been updated. If the flag indicates that the information element is present, the eNB also carries in the message an algorithm configuration information element holding the updated AS security algorithm parameters (comprising the integrity protection algorithm and the encryption algorithm).
  • The eNB selecting an AS security algorithm includes:
  • the eNB judges, from the original AS security algorithm configuration carried in the Handover Request message, whether the AS security algorithms configured on the eNB support the original AS security algorithm (comprising the integrity protection algorithm and the encryption algorithm); if either the integrity protection algorithm or the encryption algorithm is unsupported, the original AS security algorithm is considered unsupported.
  • If unsupported, the eNB selects, from its configured AS security algorithms and the UE security capability carried in the Handover Request message, the highest-priority AS security algorithm (comprising the integrity protection algorithm and the encryption algorithm) that the UE supports as the new AS security algorithm (that is, the algorithm replacement condition is satisfied), saves the selected algorithm locally, and applies the new AS security algorithm configuration locally;
  • if the eNB supports the original AS security algorithm configuration, the original AS security algorithm is the selected algorithm
  • and the eNB applies the original AS security algorithm configuration locally.
  • Step 201: according to the notification, the UE encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm.
  • Specifically, the UE determines from the presence flag whether the AS security algorithm needs to be updated. If the flag indicates that the AS security algorithm configuration information element is present, the UE enables the updated AS security algorithm carried in the algorithm configuration information element of the RRC Connection Re-establishment message for its local configuration, then encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the updated algorithm and sends it to the eNB.
  • If the flag indicates that the information element is absent, the UE keeps the original AS security algorithm for its local configuration, then encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the original algorithm and sends it to the eNB.
  • Step 202: the eNB decrypts and integrity-verifies the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and decides according to the AS security algorithm currently in use whether to initiate a security confirmation.
  • If the eNB's locally configured AS security algorithm is an updated one,
  • the eNB initiates a security confirmation by sending the UE a Security Mode Command (SMC) message integrity-protected with the updated AS security algorithm; after receiving the SMC message, the UE performs the corresponding SMC processing and sends a Security Mode Complete message to the eNB. If the eNB's locally configured AS security algorithm was not updated, the eNB does not need to initiate a security confirmation.
  • In the present invention, the RRC Connection Re-establishment message carries the updated AS security algorithm, and immediately after re-establishment completes
  • the SMC procedure is initiated to perform a security check.
  • The invention thus protects the user plane encryption algorithm in RRC connection re-establishment from being tampered with, avoids AS security algorithm exceptions, minimizes the bandwidth wasted by invalid data packets, improves the timeliness of recovery from the exception, and further improves the user experience before and after handover.
  • FIG. 3 is a schematic structural diagram of a system for synchronizing the AS security algorithm according to the present invention. As shown in FIG. 3, the system includes an eNB and a UE, where
  • the eNB is configured to notify the UE during the RRC connection re-establishment procedure whether the AS security algorithm is to be updated, to decrypt and integrity-verify the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and to decide according to the AS security algorithm currently in use whether to initiate a security confirmation;
  • the UE is configured to encrypt and integrity-protect the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification.
  • FIG. 4 is a schematic flowchart of the first embodiment of AS security algorithm synchronization. In the first embodiment, after receiving the RRC Connection Re-establishment Request, the eNB determines that the AS security algorithm does not need to be updated. As shown in FIG. 4, the following steps are included:
  • Step 400: the UE sends an RRC Connection Re-establishment Request message to the eNB.
  • Steps 401 to 402: after receiving the RRC Connection Re-establishment Request message, the eNB determines that the AS security algorithm does not need to be updated and applies the original AS security algorithm parameters locally.
  • Specifically, the eNB determines from the original AS security algorithm configuration carried in the Handover Request message that the AS security algorithms configured on the eNB support the original AS security algorithm (comprising the integrity protection algorithm and the encryption algorithm), so the eNB does not need to update the AS security algorithm.
  • The eNB applies the original AS security algorithm parameters locally.
  • The eNB user plane configuration carries no AS security algorithm parameters, that is, it remains configured with the original AS security algorithm.
  • Step 403: the eNB sets the AS security algorithm configuration information element presence flag to "absent", carries it in the RRC Connection Re-establishment message, and sends the message to the UE.
  • Step 404: after receiving the RRC Connection Re-establishment message, the UE sees from the presence flag that the information element is absent, that is, the AS security algorithm has not been updated, and determines that the AS security algorithm does not need to be updated.
  • Steps 405 to 406: the UE encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm and sends it to the eNB;
  • the eNB decrypts and integrity-checks the received RRC Connection Re-establishment Complete message with the original AS security algorithm.
  • Step 407: the eNB determines that the SMC procedure does not need to be initiated.
  • FIG. 5 is a schematic flowchart of the second embodiment of AS security algorithm synchronization.
  • In the second embodiment, the eNB determines that the AS security algorithm needs to be updated. As shown in FIG. 5, the following steps are included:
  • Step 500: the UE sends an RRC Connection Re-establishment Request message to the eNB.
  • Steps 501 to 503: after receiving the RRC Connection Re-establishment Request message, the eNB determines that the AS security algorithm needs to be updated, reselects the AS security algorithm, and applies the new AS security algorithm locally.
  • Specifically, the eNB determines from the original AS security algorithm configuration carried in the Handover Request message that the AS security algorithms configured on the eNB do not support the original AS security algorithm (comprising the integrity protection algorithm and the encryption algorithm), and the eNB selects, from
  • its configured AS security algorithms and the UE security capability carried in the Handover Request message, the highest-priority AS security algorithm (comprising an integrity protection algorithm and an encryption algorithm) that the UE supports as the new AS security algorithm (that is, the algorithm replacement condition is satisfied).
  • The selected AS security algorithm is saved locally and the new AS security algorithm configuration is applied locally; the newly selected AS security algorithm parameters are carried when the eNB user plane is configured.
  • Step 504: the eNB sets the AS security algorithm configuration information element presence flag to "present", carries it in the RRC Connection Re-establishment message together with the algorithm configuration information element holding the newly selected AS security algorithm, and sends the message to the UE.
  • Step 505: after receiving the RRC Connection Re-establishment message, the UE sees from the presence flag that the information element is present, applies the security algorithm information from the algorithm configuration information element of the message to its local configuration, and enables the new AS security algorithm carried in the message.
  • Steps 506 to 507: the UE encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm and sends it to the eNB;
  • the eNB decrypts and integrity-checks the received RRC Connection Re-establishment Complete message with the original AS security algorithm.
  • Step 508: since the eNB has updated the AS security algorithm, it determines that the SMC procedure needs to be initiated.
  • Step 509: the eNB carries the current AS security algorithm information in the SMC message and sends the SMC message to the UE.
  • Step 510: after receiving the SMC message, the UE performs the corresponding SMC processing; the specific steps
  • belong to the prior art and are not described here.
  • Step 511: the UE sends a Security Mode Complete message to the eNB, and the AS security algorithm is synchronized.
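A toy model of the exchange in steps 200 to 202 and of the two embodiments, added here as an illustration; it is not code from the patent or from the applicant. It assumes constructed priority lists, a constructed key and a toy MAC, uses 3GPP-style EIA/EEA identifiers only as labels, models integrity protection but represents the encryption algorithm by its identifier alone, and follows the main method in protecting the Re-establishment Complete message with the algorithm chosen per the notification. The third scenario shows the security confirmation at work: the integrity-protected SMC exposes a change to the encryption algorithm carried in the unprotected Re-establishment message.

```python
import hmac
import json
from dataclasses import dataclass

# Constructed sample data (illustrative key and priority lists); an AS security
# algorithm is a pair (integrity protection algorithm, encryption algorithm).
KEY = b"constructed-as-key"
SOURCE_ENB = {"integrity": ["EIA1", "EIA2"], "ciphering": ["EEA1", "EEA2"]}
TARGET_SAME = {"integrity": ["EIA2", "EIA1"], "ciphering": ["EEA2", "EEA1"]}
TARGET_OTHER = {"integrity": ["EIA2", "EIA3"], "ciphering": ["EEA2", "EEA3"]}
UE_CAPABILITY = {"integrity": {"EIA1", "EIA2", "EIA3"}, "ciphering": {"EEA0", "EEA1", "EEA2", "EEA3"}}

class SecurityFailure(Exception): pass  # integrity check failed or algorithms disagree

def _mac(integrity_alg: str, msg: dict) -> str:
    # Toy MAC-I: the algorithm identifier is mixed into the key, so a receiver
    # configured with a different integrity algorithm cannot verify the message.
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(KEY + integrity_alg.encode(), body, "sha256").hexdigest()

def protect(msg: dict, cfg: tuple) -> dict:
    return {"pdu": msg, "mac": _mac(cfg[0], msg)}

def verify(pdu: dict, cfg: tuple) -> bool:
    return hmac.compare_digest(pdu["mac"], _mac(cfg[0], pdu["pdu"]))

def select_as_algorithm(priority: dict, capability: dict) -> tuple:
    """Highest-priority algorithm of each type in the eNB list that the UE also supports."""
    chosen = tuple(next((a for a in priority[k] if a in capability[k]), None)
                   for k in ("integrity", "ciphering"))
    if None in chosen:
        raise SecurityFailure("no common AS security algorithm")
    return chosen

@dataclass
class ENB:
    priority: dict
    local: tuple = None
    updated: bool = False

    def on_reestablishment_request(self, ho_ctx: dict) -> dict:
        # Step 200: keep the original algorithm if both parts are supported, else reselect
        # and set the presence flag.  No MAC: this message is not integrity protected.
        original = tuple(ho_ctx["as_algorithm"])
        if original[0] in self.priority["integrity"] and original[1] in self.priority["ciphering"]:
            self.local, self.updated = original, False
            return {"type": "RRCConnectionReestablishment", "alg_cfg_present": False}
        self.local, self.updated = select_as_algorithm(self.priority, ho_ctx["ue_capability"]), True
        return {"type": "RRCConnectionReestablishment", "alg_cfg_present": True, "alg_cfg": list(self.local)}

    def on_reestablishment_complete(self, pdu: dict):
        # Step 202: verify with the local algorithm; start the SMC confirmation only if updated.
        if not verify(pdu, self.local):
            raise SecurityFailure("eNB: integrity check of ReestablishmentComplete failed")
        smc = {"type": "SecurityModeCommand", "alg_cfg": list(self.local)}
        return protect(smc, self.local) if self.updated else None

@dataclass
class UE:
    local: tuple

    def on_reestablishment(self, msg: dict) -> dict:
        # Step 201: adopt the carried configuration only when the flag says present.
        if msg["alg_cfg_present"]:
            self.local = tuple(msg["alg_cfg"])
        return protect({"type": "RRCConnectionReestablishmentComplete"}, self.local)

    def on_security_mode_command(self, pdu: dict) -> dict:
        # The SMC is integrity protected, so its algorithm information can be trusted
        # and compared with what the UE configured from the unprotected message.
        if not verify(pdu, self.local):
            raise SecurityFailure("UE: integrity check of SecurityModeCommand failed")
        if tuple(pdu["pdu"]["alg_cfg"]) != self.local:
            raise SecurityFailure("UE: SMC algorithm differs from the configured algorithm")
        return protect({"type": "SecurityModeComplete"}, self.local)

def run_procedure(enb: ENB, ue: UE, ho_ctx: dict, in_flight=None) -> dict:
    # Drive the exchange; in_flight may alter the unprotected message so the harness
    # shows where a disagreement between the two sides is detected.
    msg = enb.on_reestablishment_request(ho_ctx)
    msg = in_flight(msg) if in_flight else msg
    trace, reason = [msg["type"]], None
    try:
        complete = ue.on_reestablishment(msg)
        trace.append(complete["pdu"]["type"])
        smc = enb.on_reestablishment_complete(complete)
        if smc is not None:
            trace.append(smc["pdu"]["type"])
            trace.append(ue.on_security_mode_command(smc)["pdu"]["type"])
    except SecurityFailure as exc:
        reason = str(exc)
    return {"trace": trace, "reason": reason, "enb_alg": enb.local, "ue_alg": ue.local,
            "synchronized": reason is None and enb.local == ue.local}

def scenario(target_priority: dict, in_flight=None) -> dict:
    # Failed handover from SOURCE_ENB, then re-establishment at a target eNB.
    ctx = {"as_algorithm": select_as_algorithm(SOURCE_ENB, UE_CAPABILITY), "ue_capability": UE_CAPABILITY}
    return run_procedure(ENB(target_priority), UE(ctx["as_algorithm"]), ctx, in_flight)

def alter_ciphering(msg: dict) -> dict:
    # Models the page's concern: the encryption algorithm in the unprotected message changes.
    msg["alg_cfg"][1] = "EEA0"
    return msg
```

scenario(TARGET_SAME) reproduces the first embodiment (no SMC in the trace), scenario(TARGET_OTHER) the second (the trace ends with SecurityModeComplete), and scenario(TARGET_OTHER, alter_ciphering) stops at the SMC with a mismatch reason instead of leaving the two sides silently desynchronized.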

Abstract

The present invention discloses a method and system for enabling Access Stratum (AS) security algorithm synchronization and protection. The method includes: during the Radio Resource Control (RRC) connection re-establishment procedure, the E-UTRAN Node B (eNB) informs the UE whether the AS security algorithms are to be refreshed, and if they are, an algorithm configuration information element carrying the AS security algorithms is included in the RRC Connection Re-establishment message; according to this information, the UE integrity-protects and encrypts the RRC Re-establishment Complete message with the corresponding AS security algorithms; the eNB decrypts the RRC Re-establishment Complete message and verifies its integrity with the locally configured AS security algorithms, and determines according to the AS security algorithms currently in use whether to start the security acknowledgement. The method and system disclosed by the present invention can prevent the AS security algorithms from being tampered with during the RRC Connection Re-establishment procedure, avoid the bandwidth waste caused by invalid air interface data packets, and further improve the user experience during the handover procedure.

Description

Method and system for realizing access stratum security algorithm synchronization

Technical field

The present invention relates to Long Term Evolution (LTE) technology, and in particular to a method and system for synchronizing the access stratum security algorithm when RRC connection re-establishment occurs after a handover.

Background

At present, in the Long Term Evolution (LTE) system, because the geographical location and logical structure of the evolved Node B (eNB, E-UTRAN Node B) are highly decentralized, the operator cannot apply centralized security control to the eNBs, and each eNB is in a non-secure zone.

Each eNB needs to select an access stratum (AS, Access Stratum) security algorithm suited to itself according to its own specific situation and the security capability of the user equipment (UE, User Equipment).

The basic principle of AS security algorithm selection is: the UE's security capability information is sent to the eNB through the signalling procedure (for example, the core network carries the UE security capability to the eNB in the Initial Context Setup Request message), and the eNB selects the highest-priority AS security algorithm from the intersection of the AS security algorithms supported by itself and by the UE. When a handover occurs, the eNB needs to update the AS security algorithm according to the above principle and inform the UE of the new AS security algorithm through an air interface message.

Each eNB needs to maintain on its own the AS security parameters (including algorithms and keys) shared with the UE. Obviously, the AS security algorithms supported by different eNBs are not necessarily the same. When an inter-eNB handover occurs and the UE's handover fails, the UE may initiate radio resource control (RRC) connection re-establishment at the target-side eNB; at this point, if the target-side eNB does not support the UE's original AS security algorithm, the AS security algorithm falls out of synchronization. FIG. 1 is a schematic flowchart of how the AS security algorithm falls out of synchronization during RRC connection re-establishment in the prior art. As shown in FIG. 1, specifically:

Assume that the security algorithm supported by eNB1 is not supported by eNB2. Then, when the UE fails to hand over to eNB2 (for example because the RRC reconfiguration at handover did not take effect) and RRC connection re-establishment to eNB2 occurs, if the UE does not reselect the AS security algorithm according to the AS security algorithms supported by eNB2 but still uses the original AS security algorithm (that is, the one supported by eNB1) to integrity-protect and encrypt the RRC Re-establishment Complete message, eNB2, which does not support the original security algorithm, will inevitably fail to decrypt and integrity-check the message, and the UE's access after handover ultimately fails, seriously degrading the user experience.

For the above problem of the AS security algorithm falling out of synchronization because the AS security algorithm is never updated at RRC connection re-establishment, the usual solution is to add a security algorithm configuration information element to the RRC Connection Re-establishment message sent by the eNB to the UE. This, however, introduces a new problem: the new security algorithm configuration can only be sent to the UE in the RRC Connection Re-establishment message, and that message itself is not integrity protected. Therefore, if a malicious attacker tampers with the data encryption algorithm carried in the RRC Connection Re-establishment message, the eNB and the UE cannot detect it in time, and the air interface carries, for a period of time, a large number of invalid data packets that the eNB cannot decrypt. This not only wastes air interface resources but also further seriously degrades the user experience.

Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and system for synchronizing the access stratum security algorithm that can protect the user plane encryption algorithm in RRC connection re-establishment from being tampered with, avoid AS security algorithm exceptions, avoid as far as possible the bandwidth wasted by invalid air interface packets, improve the timeliness of recovery from the exception, and improve the user experience before and after handover.

To achieve the above purpose, the technical solution of the present invention is implemented as follows:

A method for protecting the access stratum security algorithm includes:

during the radio resource control (RRC) connection re-establishment procedure, the evolved Node B (eNB) notifies the user equipment (UE) whether the access stratum (AS) security algorithm is to be updated;

according to the notification, the UE encrypts and integrity-protects the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm;

the eNB decrypts and integrity-verifies the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and decides according to the AS security algorithm currently in use whether to initiate a security confirmation.

The eNB notifying the UE during the RRC connection re-establishment procedure whether to update the AS security algorithm specifically includes:

after receiving the RRC Connection Re-establishment Request from the UE, the eNB selects an AS security algorithm and carries, in the RRC Connection Re-establishment message sent to the UE, a flag indicating whether the AS security algorithm configuration information element is present;

the AS security algorithm configuration information element presence flag is used to notify the UE whether the eNB's own AS security algorithm has been updated.

If the AS security algorithm configuration information element presence flag indicates that the element is present, the method further includes:

the eNB carries in the RRC Connection Re-establishment message an algorithm configuration information element holding the updated AS security algorithm parameters.

The eNB selecting an AS security algorithm includes:

the eNB judges, from the original AS security algorithm configuration carried in the Handover Request message obtained before the RRC connection re-establishment procedure, whether the AS security algorithms configured on the eNB support the original AS security algorithm; if not, the eNB selects, according to its configured AS security algorithms and the UE security capability carried in the Handover Request message, the highest-priority AS security algorithm supported by the UE as the newly selected AS security algorithm, saves the selected AS security algorithm locally, and applies the new AS security algorithm configuration locally;

if the eNB supports the original AS security algorithm configuration carried in the Handover Request message, the original AS security algorithm is the selected AS security algorithm, and the original AS security algorithm configuration is applied locally.

The UE encrypting and integrity-protecting the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification specifically includes:
所述 UE接收到来自 eNB的 RRC连接重建立消息后,根据其中携带的 AS安全算法配置信元是否存在标志,判断是否需要进行 AS安全算法更新, 如果 AS安全算法配置信元是否存在标志显示为存在, 则启用 RRC连接重 建立消息中的算法配置信元承载的更新后的 AS安全算法进行本地配置;之 后,UE釆用更新后的 AS安全算法对 RRC连接重建立完成消息进行加密和 完整性保护后发送给 eNB;  After receiving the RRC connection re-establishment message from the eNB, the UE determines whether the AS security algorithm needs to be updated according to whether the AS security algorithm is configured in the AS security algorithm, and if the AS security algorithm configuration cell exists, the flag is displayed as If yes, the algorithm in the RRC connection re-establishment message is enabled to configure the updated AS security algorithm carried by the cell for local configuration; after that, the UE uses the updated AS security algorithm to encrypt and complete the RRC connection re-establishment message. After being protected, it is sent to the eNB;
如果 AS安全算法配置信元是否存在标志显示为不存在, 仍使用原 AS 安全算法进行本地配置;之后, UE釆用原 AS安全算法对 RRC连接重建立 完成消息进行加密和完整性保护后发送给 eNB。  If the AS security algorithm configuration cell indicates that the presence flag does not exist, the original AS security algorithm is still used for local configuration. After that, the UE uses the original AS security algorithm to encrypt and integrity protect the RRC connection re-establishment message. eNB.
所述 eNB根据当前釆用的 AS安全算算决定是否启动安全确认, 具体 包括:  The eNB determines whether to initiate the security confirmation according to the currently used AS security calculation, which specifically includes:
如果所述 eNB本地已配置的 AS安全算法是更新后的 AS安全算法,所 述 eNB启动安全确认, 向 UE发送釆用更新后的 AS安全算法进行完整性 保护的安全模式命令 SMC消息; 所述 UE收到 SMC消息后进行 SMC相应 处理, 并发送安全模式完成消息给 eNB;  If the eNB's locally configured AS security algorithm is an updated AS security algorithm, the eNB initiates a security acknowledgment, and sends a security mode command SMC message to the UE for performing integrity protection using the updated AS security algorithm; After receiving the SMC message, the UE performs the SMC corresponding processing, and sends a security mode complete message to the eNB;
如果所述 eNB本地已配置的 AS安全算法是未更新, 那么 eNB不需要 启动安全确认。  If the eNB's locally configured AS security algorithm is not updated, then the eNB does not need to initiate a security acknowledgment.
一种实现接入层安全算法保护的系统, 包括 eNB和 UE, 其中, eNB, 用于在 RRC连接重建立过程中, 通知 UE是否更新 AS安全算 法; 釆用本地已配置的 AS安全算法对 RRC连接重建的完成进行解密和完 整性验证, 并根据当前釆用的 AS安全算算决定是否启动安全确认;  A system for implementing protection of an access layer security algorithm, comprising an eNB and a UE, where the eNB is configured to notify the UE whether to update the AS security algorithm during the RRC connection re-establishment process; and use the locally configured AS security algorithm to the RRC The completion of the connection re-establishment is performed for decryption and integrity verification, and whether the security confirmation is initiated according to the currently used AS security calculation;
UE,用于根据通知釆用相应的 AS安全算法对 RRC连接重建的完成进 行加密和完整性保护。  The UE is configured to perform encryption and integrity protection on the completion of the RRC connection reestablishment by using the corresponding AS security algorithm according to the notification.
As can be seen from the technical solution provided by the present invention, in the RRC re-establishment procedure initiated on the target side after a handover failure, if the base station side needs to update the AS security algorithm, the updated AS security algorithm is carried in the RRC connection re-establishment message, and an SMC procedure is initiated for security confirmation immediately after re-establishment completes. The present invention thereby protects the user plane ciphering algorithm in RRC connection re-establishment from being tampered with, avoids AS security algorithm abnormality, minimizes the bandwidth wasted by invalid air-interface data packets, improves the timeliness of abnormality recovery, and further improves the user experience before and after handover.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic flowchart of the prior-art situation in which the AS security algorithm becomes desynchronized during RRC connection re-establishment;
FIG. 2 is a schematic flowchart of implementing AS algorithm synchronization according to the present invention when RRC connection re-establishment occurs after handover;
FIG. 3 is a schematic structural diagram of a system for implementing AS security algorithm synchronization according to the present invention;
FIG. 4 is a schematic flowchart of a first embodiment of implementing AS algorithm synchronization according to the present invention;
FIG. 5 is a schematic flowchart of a second embodiment of implementing AS algorithm synchronization according to the present invention.

DETAILED DESCRIPTION
FIG. 2 is a schematic flowchart of implementing AS algorithm synchronization according to the present invention when RRC connection re-establishment occurs after handover. As shown in FIG. 2, the procedure includes the following steps:
Step 200: in the RRC connection re-establishment procedure, the eNB notifies the UE whether the AS security algorithm is updated.
In this step, after receiving the RRC connection re-establishment request from the UE, the eNB selects an AS security algorithm and carries, in the RRC connection re-establishment message sent to the UE, an AS security algorithm configuration IE presence flag used to notify the UE whether the eNB's own AS security algorithm has been updated. If the flag indicates presence, the eNB also carries in the RRC connection re-establishment message an algorithm configuration IE that bears the updated AS security algorithm parameters (including the integrity protection algorithm and the ciphering algorithm).
The eNB selecting the AS security algorithm includes:
the eNB judges, according to the original AS security algorithm configuration carried in the handover request message, whether the AS security algorithms configured on the eNB itself support the original AS security algorithm (including the integrity protection algorithm and the ciphering algorithm); if not (if either the integrity protection algorithm or the ciphering algorithm is unsupported, the original AS security algorithm is regarded as unsupported), the eNB selects, according to its own configured AS security algorithms and the UE security capability carried in the handover request message, the highest-priority AS security algorithm supported by the UE (including an integrity protection algorithm and a ciphering algorithm) as the newly selected AS security algorithm (that is, the algorithm replacement condition is met), saves the selected AS security algorithm locally, and performs local configuration with the new AS security algorithm configuration;
if the eNB supports the original AS security algorithm configuration carried in the handover request message, the original AS security algorithm is the selected AS security algorithm, and local configuration is performed with the original AS security algorithm configuration.
It should be noted that if the algorithm replacement condition is not met, the eNB performs local configuration with the original AS security algorithm configuration.
Step 201: the UE, according to the notification, uses the corresponding AS security algorithm to cipher and integrity-protect the RRC Connection Re-establishment Complete message.
In this step, after receiving the RRC connection re-establishment message from the eNB, the UE judges, according to the AS security algorithm configuration IE presence flag carried therein, whether an AS security algorithm update is required; if the flag indicates presence, the UE enables the updated AS security algorithm borne by the algorithm configuration IE in the RRC connection re-establishment message for local configuration, and then ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the updated AS security algorithm before sending it to the eNB.
If the flag indicates absence, the UE continues to use the original AS security algorithm for local configuration, and then ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm before sending it to the eNB.
Step 202: the eNB uses its locally configured AS security algorithm to decipher and integrity-verify the RRC Connection Re-establishment Complete message, and decides according to the currently used AS security algorithm whether to initiate security confirmation.
In this step, the eNB deciphers and integrity-verifies the received RRC Connection Re-establishment Complete message with its locally configured AS security algorithm.
If the AS security algorithm locally configured on the eNB is the updated AS security algorithm, the eNB initiates security confirmation and sends to the UE a Security Mode Command (SMC) message integrity-protected with the updated AS security algorithm; after receiving the SMC message, the UE performs the corresponding SMC processing and sends a Security Mode Complete message to the eNB. If the AS security algorithm locally configured on the eNB has not been updated, the eNB does not need to initiate security confirmation.
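The procedure of steps 200 to 202, as an added example that is not part of the patent, simulated for the no-update case, the update case and the prior-art desynchronization it is meant to prevent. The algorithm names (INT-A, CIPH-A and so on), the eNB priority list and the key are constructed sample values the patent does not give; integrity protection of the RRC Connection Re-establishment Complete message is modelled with an HMAC-SHA256 tag keyed per algorithm pair, a stand-in for the real EIA/EEA processing that serves only to make an algorithm mismatch between the two sides observable. The UE side follows step 201 and claim 5: it switches to the algorithm borne by the algorithm configuration IE when the presence flag is set.

```python
"""Added example (not from the patent): steps 200-202 simulated for the
no-update case (FIG. 4), the update case (FIG. 5) and the prior-art
desynchronisation (FIG. 1). Assumptions the patent does not supply: the
algorithm names, eNB priority list and key are constructed sample values,
and "protection" of the RRC Connection Re-establishment Complete message is
an HMAC-SHA256 tag keyed per algorithm pair, a stand-in for EIA/EEA used
only to make a mismatch observable."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SAMPLE_KEY = b"constructed-sample-key-not-a-real-key"  # assumption
COMPLETE = b"RRCConnectionReestablishmentComplete"     # message body stand-in


@dataclass(frozen=True)
class AsAlgorithms:
    """AS security algorithm pair: integrity protection plus ciphering."""
    integrity: str
    ciphering: str


@dataclass(frozen=True)
class SecurityCapability:
    """Algorithms a node supports (UE security capability or eNB configuration)."""
    integrity: frozenset
    ciphering: frozenset

    def supports(self, alg):
        # Step 200: the pair is unsupported if either member is unsupported.
        return alg.integrity in self.integrity and alg.ciphering in self.ciphering


@dataclass(frozen=True)
class ReestablishmentMessage:
    """RRC connection re-establishment: presence flag plus optional algorithm IE."""
    algo_config_present: bool
    algo_config: Optional[AsAlgorithms]


def select_as_algorithm(original, ue_cap, enb_cap, enb_priority):
    """Step 200: keep the original pair if the eNB supports it; otherwise take the
    first (highest-priority) pair in enb_priority that eNB and UE both support."""
    if enb_cap.supports(original):
        return original, False
    for candidate in enb_priority:
        if enb_cap.supports(candidate) and ue_cap.supports(candidate):
            return candidate, True
    raise ValueError("no AS algorithm pair supported by both eNB and UE")


def protect(alg, payload):
    """Integrity tag under `alg` (assumption: HMAC keyed with the pair's names)."""
    key = SAMPLE_KEY + alg.integrity.encode() + alg.ciphering.encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(alg, payload, tag):
    return hmac.compare_digest(protect(alg, payload), tag)


def run_reestablishment(original, ue_cap, enb_cap, enb_priority, ue_honours_flag=True):
    """Run steps 200-202; ue_honours_flag=False models a UE that never learns of
    the switch and keeps the original pair (the FIG. 1 desynchronisation)."""
    # Step 200: eNB selects, configures locally, and signals the presence flag.
    enb_local, updated = select_as_algorithm(original, ue_cap, enb_cap, enb_priority)
    msg = ReestablishmentMessage(updated, enb_local if updated else None)
    # Step 201: UE configures according to the flag and protects Complete.
    ue_local = msg.algo_config if (msg.algo_config_present and ue_honours_flag) else original
    tag = protect(ue_local, COMPLETE)
    # Step 202: eNB verifies with its local configuration; SMC only after an update.
    verified = verify(enb_local, COMPLETE, tag)
    return {"flag_present": msg.algo_config_present, "enb_algorithm": enb_local,
            "ue_algorithm": ue_local, "complete_verified": verified,
            "smc_started": verified and updated}


# Constructed sample configuration (the patent names no concrete algorithms).
ORIGINAL = AsAlgorithms("INT-A", "CIPH-A")
UE_CAP = SecurityCapability(frozenset({"INT-A", "INT-B"}), frozenset({"CIPH-A", "CIPH-B"}))
ENB_PRIORITY = [AsAlgorithms("INT-B", "CIPH-B"), AsAlgorithms("INT-A", "CIPH-A")]
ENB_FULL = SecurityCapability(frozenset({"INT-A", "INT-B"}), frozenset({"CIPH-A", "CIPH-B"}))
ENB_NO_CIPH_A = SecurityCapability(frozenset({"INT-A", "INT-B"}), frozenset({"CIPH-B"}))


def first_embodiment():
    """FIG. 4: the target eNB supports the original pair, so no update and no SMC."""
    return run_reestablishment(ORIGINAL, UE_CAP, ENB_FULL, ENB_PRIORITY)


def second_embodiment():
    """FIG. 5: the target eNB lacks CIPH-A, switches to INT-B/CIPH-B, then starts SMC."""
    return run_reestablishment(ORIGINAL, UE_CAP, ENB_NO_CIPH_A, ENB_PRIORITY)


def prior_art_desync():
    """FIG. 1: the eNB switches, the UE is not told; verification of Complete fails."""
    return run_reestablishment(ORIGINAL, UE_CAP, ENB_NO_CIPH_A, ENB_PRIORITY, False)
```

The three case functions return what each side ended up using and what the eNB decided. In `prior_art_desync` the eNB's verification of the Complete message fails because the two sides protect it under different algorithms; that failure is the out-of-sync condition of FIG. 1, and the presence flag of step 200 is what lets the UE switch in lockstep so that step 202 verifies and, after an update, triggers the SMC confirmation.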
In the method of the present invention, in the RRC re-establishment procedure initiated on the target side after a handover failure, if the base station side needs to update the AS security algorithm, the updated AS security algorithm is carried in the RRC connection re-establishment message, and an SMC procedure is initiated for security confirmation immediately after re-establishment completes. The present invention thereby protects the user plane ciphering algorithm in RRC connection re-establishment from being tampered with, avoids AS security algorithm abnormality, minimizes the bandwidth wasted by invalid air-interface data packets, improves the timeliness of abnormality recovery, and further improves the user experience before and after handover.
A system is also provided for the method of the present invention. FIG. 3 is a schematic structural diagram of a system for implementing AS security algorithm synchronization according to the present invention. As shown in FIG. 3, the system includes an eNB and a UE, wherein:
the eNB is configured to notify the UE, in the RRC connection re-establishment procedure, whether the AS security algorithm is updated; to decipher and integrity-verify the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm; and to decide, according to the currently used AS security algorithm, whether to initiate security confirmation;
the UE is configured to cipher and integrity-protect the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification.
FIG. 4 is a schematic flowchart of the first embodiment of implementing AS algorithm synchronization according to the present invention. In the first embodiment, it is assumed that after receiving the RRC connection re-establishment request, the eNB determines that the AS security algorithm does not need to be updated. As shown in FIG. 4, the procedure includes the following steps:
Step 400: the UE sends an RRC connection re-establishment request message to the eNB.
Steps 401 to 402: after receiving the RRC connection re-establishment request message, the eNB determines that the AS security algorithm does not need to be updated and configures itself locally with the original AS security algorithm parameters.
In these steps, the eNB judges, according to the original AS security algorithm configuration carried in the handover request message, that its own configured AS security algorithms support the original AS security algorithm (including the integrity protection algorithm and the ciphering algorithm), so the eNB does not need to update the AS security algorithm; the eNB configures itself locally with the original AS security algorithm parameters, where no AS security algorithm parameters are carried when configuring the eNB user plane, that is, the original AS security algorithm is still used for configuration.
Step 403: the eNB sets the AS security algorithm configuration IE presence flag to absent, carries it in the RRC connection re-establishment message, and sends the RRC connection re-establishment message to the UE.
Step 404: after receiving the RRC connection re-establishment message, the UE determines from the AS security algorithm configuration IE presence flag being absent, that is, the AS security algorithm has not been updated, that its own AS security algorithm does not need to be updated.
Steps 405 to 406: the UE ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm and sends it to the eNB; the eNB deciphers and integrity-checks the received RRC Connection Re-establishment Complete message with the original AS security algorithm.
Step 407: the eNB determines that no SMC procedure needs to be initiated.
FIG. 5 is a schematic flowchart of the second embodiment of implementing AS algorithm synchronization according to the present invention. In the second embodiment, it is assumed that after receiving the RRC connection re-establishment request, the eNB determines that the AS security algorithm needs to be updated. As shown in FIG. 5, the procedure includes the following steps:
Step 500: the UE sends an RRC connection re-establishment request message to the eNB.
Steps 501 to 503: after receiving the RRC connection re-establishment request message, the eNB determines that the AS security algorithm needs to be updated, reselects an AS security algorithm, and configures itself locally with the new AS security algorithm.
In these steps, the eNB judges, according to the original AS security algorithm configuration carried in the handover request message, that its own configured AS security algorithms do not support the original AS security algorithm (including the integrity protection algorithm and the ciphering algorithm); the eNB selects, according to its own configured AS security algorithms and the UE security capability carried in the handover request message, the highest-priority AS security algorithm supported by the UE (including an integrity protection algorithm and a ciphering algorithm) as the newly selected AS security algorithm (that is, the algorithm replacement condition is met), saves the selected AS security algorithm locally, and performs local configuration with the new AS security algorithm configuration, where the newly selected AS security algorithm parameters are carried when configuring the eNB user plane.
Step 504: the eNB sets the AS security algorithm configuration IE presence flag to present, carries it in the RRC connection re-establishment message together with the algorithm configuration IE bearing the newly selected AS security algorithm, and sends the RRC connection re-establishment message to the UE.
Step 505: after receiving the RRC connection re-establishment message, the UE, according to the AS security algorithm configuration IE presence flag carried therein being present, configures itself locally with the AS security algorithm information borne by the algorithm configuration IE in the RRC connection re-establishment message, and enables the new AS security algorithm carried in the message.
Steps 506 to 507: the UE ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm and sends it to the eNB; the eNB deciphers and integrity-checks the received RRC Connection Re-establishment Complete message with the original AS security algorithm.
Step 508: since the eNB has updated the AS security algorithm, it determines that an SMC procedure needs to be initiated.
Step 509: the eNB carries the current AS security algorithm information in an SMC message and sends the SMC message to the UE.
Step 510: after receiving the SMC message, the UE performs the corresponding SMC processing; the specific implementation of this step belongs to the prior art and is not described here.
Step 511: the UE sends a Security Mode Complete message to the eNB, and AS security algorithm synchronization is complete.

The above are merely preferred embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims

1. A method for implementing access stratum security algorithm protection, characterized by including:
in a radio resource control (RRC) connection re-establishment procedure, an evolved Node B (eNB) notifies a user equipment (UE) whether the access stratum (AS) security algorithm is updated;
the UE, according to the notification, uses the corresponding AS security algorithm to cipher and integrity-protect the RRC Connection Re-establishment Complete message;
the eNB uses its locally configured AS security algorithm to decipher and integrity-verify the RRC Connection Re-establishment Complete message, and decides according to the currently used AS security algorithm whether to initiate security confirmation.
2. The method according to claim 1, characterized in that, in the RRC connection re-establishment procedure, the eNB notifying the UE whether the AS security algorithm is updated specifically includes:
after receiving an RRC connection re-establishment request from the UE, the eNB selects an AS security algorithm and carries an AS security algorithm configuration information element (IE) presence flag in the RRC connection re-establishment message sent to the UE;
the AS security algorithm configuration IE presence flag is used to notify the UE whether the eNB's own AS security algorithm has been updated.
3. The method according to claim 2, characterized in that, if the AS security algorithm configuration IE presence flag indicates presence, the method further includes:
the eNB carries, in the RRC connection re-establishment message, an algorithm configuration IE that bears the updated AS security algorithm parameters.
4. The method according to claim 2 or 3, characterized in that the eNB selecting the AS security algorithm includes:
the eNB judges, according to the original AS security algorithm configuration carried in the handover request message obtained before the RRC connection re-establishment procedure, whether the AS security algorithms configured on the eNB itself support the original AS security algorithm; if not, the eNB selects, according to its own configured AS security algorithms and the UE security capability carried in the handover request message, the highest-priority AS security algorithm supported by the UE as the newly selected AS security algorithm, saves the selected AS security algorithm locally, and performs local configuration with the new AS security algorithm configuration;
if the eNB supports the original AS security algorithm configuration carried in the handover request message, the original AS security algorithm is the selected AS security algorithm, and local configuration is performed with the original AS security algorithm configuration.
5. The method according to claim 3, characterized in that the UE, according to the notification, using the corresponding AS security algorithm to cipher and integrity-protect the RRC Connection Re-establishment Complete message specifically includes:
after receiving the RRC connection re-establishment message from the eNB, the UE judges, according to the AS security algorithm configuration IE presence flag carried therein, whether an AS security algorithm update is required; if the flag indicates presence, the UE enables the updated AS security algorithm borne by the algorithm configuration IE in the RRC connection re-establishment message for local configuration, and then ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the updated AS security algorithm before sending it to the eNB;
if the flag indicates absence, the UE continues to use the original AS security algorithm for local configuration, and then ciphers and integrity-protects the RRC Connection Re-establishment Complete message with the original AS security algorithm before sending it to the eNB.
6. The method according to claim 2 or 3, characterized in that the eNB deciding according to the currently used AS security algorithm whether to initiate security confirmation specifically includes:
if the AS security algorithm locally configured on the eNB is the updated AS security algorithm, the eNB initiates security confirmation and sends to the UE a Security Mode Command (SMC) message integrity-protected with the updated AS security algorithm; after receiving the SMC message, the UE performs the corresponding SMC processing and sends a Security Mode Complete message to the eNB;
if the AS security algorithm locally configured on the eNB has not been updated, the eNB does not need to initiate security confirmation.
7. A system for implementing access stratum security algorithm protection, characterized by including an eNB and a UE, wherein:
the eNB is configured to notify the UE, in the RRC connection re-establishment procedure, whether the AS security algorithm is updated; and is further configured to decipher and integrity-verify the RRC Connection Re-establishment Complete message with its locally configured AS security algorithm, and to decide, according to the currently used AS security algorithm, whether to initiate security confirmation;
the UE is configured to cipher and integrity-protect the RRC Connection Re-establishment Complete message with the corresponding AS security algorithm according to the notification.
PCT/CN2010/077955 2010-05-27 2010-10-21 Method and system for enabling access stratum (as) security algorithm synchronization WO2011147153A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010187364.7 2010-05-27
CN2010101873647A CN102264064A (en) 2010-05-27 2010-05-27 Method and system for synchronizing access stratum (AS) security algorithms

Publications (1)

Publication Number Publication Date
WO2011147153A1 true WO2011147153A1 (en) 2011-12-01

Family

ID=45003242

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/077955 WO2011147153A1 (en) 2010-05-27 2010-10-21 Method and system for enabling access stratum (as) security algorithm synchronization

Country Status (2)

Country Link
CN (1) CN102264064A (en)
WO (1) WO2011147153A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572816A (en) * 2011-12-27 2012-07-11 电信科学技术研究院 Method and device for mobile switching

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015192264A1 (en) * 2014-06-16 2015-12-23 Orange Method for checking the integrity of data transmitted through c-ran
WO2018227480A1 (en) 2017-06-15 2018-12-20 Qualcomm Incorporated Refreshing security keys in 5g wireless systems
CN109600804B (en) 2017-09-30 2021-04-02 华为技术有限公司 Safety protection method, device and system
CN114071459A (en) 2017-10-31 2022-02-18 华为技术有限公司 RRC (radio resource control) connection recovery method and device
CN110149630A (en) * 2018-02-11 2019-08-20 华为技术有限公司 A kind of negotiation of security algorithm, sending method and device
CN114071466A (en) * 2018-08-10 2022-02-18 华为技术有限公司 User plane integrity protection method, device and equipment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009020789A2 (en) * 2007-08-03 2009-02-12 Interdigital Patent Holdings, Inc. Security procedure and apparatus for handover in a 3gpp long term evolution system
CN101552983A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Key generating method, key generating device, mobile management entity and user equipment
CN101645877A (en) * 2008-08-07 2010-02-10 华为技术有限公司 Method, system and network node for consulting cipher key derivative function

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3GPP, 3GPP System Architecture Evolution (SAE); Security architecture (Release 9).", 3GPP TS 33.401 V9.3.1, 30 April 2010 (2010-04-30) *
ZTE CORPORATION ET AL.: "RRC Connection Re-establishment Algorithms.", 3GPP TSG-SA3 (SECURITY), S3-100019, SA3#58, 5 February 2010 (2010-02-05) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572816A (en) * 2011-12-27 2012-07-11 电信科学技术研究院 Method and device for mobile switching
CN102572816B (en) * 2011-12-27 2014-08-06 电信科学技术研究院 Method and device for mobile switching

Also Published As

Publication number Publication date
CN102264064A (en) 2011-11-30

Similar Documents

Publication Publication Date Title
US10375609B2 (en) Operation of a serving node in a network
EP2528403B1 (en) Method and system for security processing during rrc connection re-establishment
EP3322252B1 (en) Communication methods, network side device, and user equipment
WO2011147153A1 (en) Method and system for enabling access stratum (as) security algorithm synchronization
US20170359719A1 (en) Key generation method, device, and system
EP2897398B1 (en) Key isolation method and device
JP6694824B2 (en) Liberation of the bearers
WO2015113207A1 (en) Security password changing method, base station, and user equipment
WO2011137805A1 (en) Method, apparatus and system for security processing in switch process
WO2009020789A2 (en) Security procedure and apparatus for handover in a 3gpp long term evolution system
WO2011003299A1 (en) Security key processing method, device and system for radio resource control (rrc) connection re-establishing
WO2009127114A1 (en) A cryptographic key generating method, device and system
EP3965446B1 (en) Communication method and device thereof
WO2014044070A1 (en) Connection reestablishment method and device
WO2012171281A1 (en) Security parameter modification method and base station
WO2018133607A1 (en) Data transmission method, device, and system
WO2011147152A1 (en) Method and system for implementing synchronization of access stratum security algorithm
WO2014094663A1 (en) Cell optimization method and device
JP2011515904A (en) System and method for performing handover or key management during handover in a wireless communication system
AU2024200711A1 (en) Managing security keys in a communication system
WO2013075417A1 (en) Method and system for generating key during handover
WO2011131063A1 (en) Method and system for establishing enhanced air interface key
CN114557033A (en) System and method for handling radio resource control inactivity
WO2011147154A1 (en) Method and system for implementing synchronization of access stratum security algorithm
US20230413372A1 (en) Early data communication with preconfigured resources

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10852022

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10852022

Country of ref document: EP

Kind code of ref document: A1