WO2013064002A1 - Method, system and core network element for secure access of a home base station - Google Patents
- Publication number: WO2013064002A1 (application PCT/CN2012/082555)
- Authority: WO (WIPO, PCT)
- Prior art keywords: identity information, core network, network element, segw, digital signature
Classifications
- H04W12/069—Authentication using certificates or pre-shared keys (under H04W—Wireless communication networks; H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/06—Authentication)
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (under H04L—Transmission of digital information; H04L9/00; H04L9/32)
- H04L63/0823—Network architectures or network communication protocols for network security, for authentication of entities using certificates (under H04L63/00; H04L63/08)
- H04W88/08—Access point devices (under H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
Definitions
- The present invention relates to secure access technology for a home base station, and in particular to a method, system and core network element for secure access of a home base station.
- Background technique
- The Evolved Packet System (EPS) proposed by the 3rd Generation Partnership Project (3GPP) comprises the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW), the Home Subscriber Server (HSS) and the 3GPP Authentication, Authorization and Accounting (AAA) server.
- FIG. 1 is a schematic diagram of the system architecture for an H(e)NB accessing the core network. As shown in FIG. 1, the architecture supports both a home base station for traditional GERAN/UTRAN access (the HNB) and a home base station (the HeNB, a home eNodeB) supporting Long Term Evolution (LTE) access.
- The architecture also includes the Evolved Packet Core (EPC) and the Security Gateway (SeGW).
- For HNB access, the Home NodeB Gateway (HNB GW) is mandatory.
- For HeNB access, the evolved home base station gateway (HeNB GW, Home eNodeB Gateway) is optional: when the HeNB GW is deployed, the HeNB registers with the HeNB GW; when it is not deployed, the HeNB registers with the MME.
- The MME, the Serving GPRS Support Node (SGSN) or the HNB GW performs access control on the UE.
- When the UE attaches through the H(e)NB, if the UE and the network support a Closed Subscriber Group (CSG), the H(e)NB notifies the SGSN or the MME of the supported CSG ID (CSG identity).
- The SGSN or the MME then determines whether to allow the user to access from the H(e)NB based on the user subscription data obtained from the HSS.
- The HNB GW determines whether to allow the UE to access from the HNB according to a locally configured list of the UE IMSIs allowed by that HNB.
- The H(e)NB establishes a security tunnel with the SeGW at power-on and the two authenticate each other; from the perspective of the SeGW, the H(e)NB is therefore trusted.
- However, the related protocol cannot guarantee that the identity the H(e)NB sends to the MME/SGSN/HNB GW is the same as the one used in its mutual authentication with the SeGW.
- That is, the H(e)NB may use, toward the MME/SGSN/HNB GW, an identity different from the one it used when mutually authenticating with the SeGW. Under the current protocol, the SeGW is not responsible for authenticating the identity the H(e)NB uses toward the MME/SGSN/HNB GW.
- As a result, an H(e)NB can fraudulently use the identity of another H(e)NB when communicating with the MME/SGSN/H(e)NB GW.
- For example, HeNB1 first establishes an IPSec tunnel with the SeGW and the two authenticate each other using HeNB1's real identity (the identity is based on a certificate or on a hosting party module (HPM)).
- HeNB1 then sends the HeNB ID of HeNB2 and the CSG ID supported by HeNB2 to the MME.
- If the UE is allowed access under the CSG ID of HeNB2 but not under the CSG ID supported by HeNB1, HeNB1 has, by spoofing another's identity, let a user who is not allowed to access the network do so, thereby undermining the security of the network.
- A method has been proposed in which the MME/H(e)NB GW authenticates the identity of the H(e)NB in the core network (i.e., the identity used toward the MME/H(e)NB GW).
- This method has many defects. Specifically, the association between the H(e)NB ID and the H(e)NB internal IP address can only be triggered by the IPSec message when the H(e)NB is powered on, and must then be sent to the MME/H(e)NB GW.
- The SeGW therefore needs to choose the appropriate MME/H(e)NB GW to which to send the association, and needs to ensure that, when the H(e)NB registers, the H(e)NB selects the same MME or H(e)NB GW. The implementation must guarantee that the H(e)NB selects the same MME or H(e)NB GW, which undoubtedly increases the difficulty of implementation, and if the H(e)NB does not select the MME or H(e)NB GW to which its identity was sent at initial power-on, the method fails.
- The H(e)NB selects the MME or H(e)NB GW according to configuration information from the H(e)MS, but the SeGW has no interface with the H(e)MS, so it is difficult to guarantee that the MME or H(e)NB GW selected by the SeGW is the same as the MME or H(e)NB GW selected by the H(e)NB.
- Moreover, the scheme assumes that the MME or H(e)NB GW acts as an authentication server for the H(e)NB; however, according to the relevant protocol, HPM-based authentication is optional, so the AAA server used for H(e)NB authentication may not be present, which makes the solution unsuitable for all scenarios.
- Summary of the invention
- The main purpose of the embodiments of the present invention is to provide a method and a system for secure access of a home base station, which can prevent an illegitimate home base station from impersonating a legitimate home base station to access the core network and provide service to user equipment.
- A method for secure access of a home base station includes:
- the security gateway SeGW digitally signs the identity information of the H(e)NB and sends the digital signature to the H(e)NB;
- the H(e)NB sends the identity information and the digital signature of the H(e)NB to the core network element;
- the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB.
- The SeGW digitally signing the identity information of the H(e)NB is: the SeGW acquires the identity information of the H(e)NB when authenticating the H(e)NB, and digitally signs that identity information.
- The H(e)NB sending the identity information and the digital signature of the H(e)NB to the core network element is: the H(e)NB sends the identity information and the digital signature of the H(e)NB to the core network element when the H(e)NB registers.
- Alternatively, the H(e)NB sending the identity information and the digital signature of the H(e)NB to the core network element is: the H(e)NB sends the identity information and the digital signature of the H(e)NB to the core network element when a user equipment UE registers with the H(e)NB.
- The security gateway SeGW digitally signs the identity information of the H(e)NB using the private key of the security gateway;
- the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB using the public key of the security gateway.
- Alternatively, the SeGW digitally signs the identity information of the H(e)NB using a dynamic session key;
- in that case the method further includes: the SeGW notifies the home subscriber server HSS/Authentication Authorization Accounting AAA server, and the HSS/AAA server stores the dynamic session key.
- The core network element verifying the correctness of the identity information and the digital signature of the H(e)NB is then:
- the core network element obtains from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and verifies the identity information of the H(e)NB using that temporary session key.
- The identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
- The method further includes:
- after the core network element successfully verifies the H(e)NB identity information and the digital signature, the core network element saves the H(e)NB identity information.
- The core network element is an H(e)NB GW or an MME.
- Alternatively, the core network element is an MME or an SGSN or an MSC.
- The identity information of the H(e)NB is sent to the MME or the SGSN or the MSC, and the H(e) is obtained by the MME, the SGSN or the MSC.
- After the core network element verifies that the identity information of the H(e)NB is correct, the H(e) is obtained.
- The core network element obtains the public key of the SeGW from a configured certificate of the SeGW, or the core network element obtains the public key of the SeGW from the certificate sent by the H(e)NB to the core network element.
- The SeGW sends the digital signature to the H(e)NB by extending the configuration payload CP of IKEv2.
- The SeGW may also send the H(e)NB identity information to the H(e)NB by extending the configuration payload CP of IKEv2.
- Another method for secure access of a home base station includes:
- when the H(e)NB registers with the core network element, the core network element obtains the identity information of the H(e)NB through a communication interface set up between the core network element and the SeGW, verifies the correctness of the identity information reported by the H(e)NB against it, and accepts the H(e)NB registration after the verification passes.
- The core network element is an H(e)NB GW; when no HeNB GW is set up, the core network element is an MME.
- A system for secure access of a home base station comprises a SeGW and a core network element, wherein:
- the SeGW is configured to digitally sign the identity information of the H(e)NB and send the identity information of the H(e)NB together with the digital signature to the H(e)NB;
- the core network element is configured to receive the identity information and the digital signature sent by the H(e)NB, and to verify the correctness of the identity information and the digital signature of the H(e)NB.
- The SeGW is configured to digitally sign the identity information of the H(e)NB using a private key of the SeGW;
- the core network element is configured to verify the correctness of the identity information and the digital signature of the H(e)NB using the public key of the SeGW.
- Alternatively, the SeGW is configured to digitally sign the identity information of the H(e)NB using a dynamic session key;
- the core network element is configured to obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and to verify the identity information of the H(e)NB using that temporary session key.
- The identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB;
- the core network element is a mobility management entity MME, a serving GPRS support node SGSN or a home base station gateway H(e)NB GW.
- The SeGW is further configured to send the identity information of the H(e)NB to the H(e)NB.
- A core network element is configured to:
- receive the identity information sent by the home base station H(e)NB and the digital signature of that identity information made by the security gateway SeGW, and verify the correctness of the identity information and the digital signature.
- Another core network element is configured to: obtain the identity information of a home base station H(e)NB for identity authentication through a communication interface between the core network element and a security gateway SeGW, verify the correctness of the identity information reported by the H(e)NB against it, and accept the H(e)NB registration after the verification passes.
- FIG. 1 is a schematic diagram of the system architecture for H(e)NB access to the core network.
- FIG. 2 is a flowchart of a method for secure access of a home base station according to Embodiment 1 of the present invention.
- FIG. 3 is a flowchart of a method for secure access of a home base station according to Embodiment 2 of the present invention.
- FIG. 4 is a flowchart of a method for secure access of a home base station according to Embodiment 3 of the present invention.
- FIG. 5 is a flowchart of a method for secure access of a home base station according to Embodiment 4 of the present invention.
- FIG. 6 is a schematic structural diagram of a home base station security access system according to an embodiment of the present invention.
- FIG. 7 is a flowchart of a method for secure access of a home base station according to Embodiment 5 of the present invention.
- When the SeGW performs identity authentication on the H(e)NB, the SeGW digitally signs the identity information of the H(e)NB and sends the digital signature to the H(e)NB; the H(e)NB sends its own identity information and the digital signature to the core network element when the UE attaches or performs a tracking area update or routing area update; the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB and, after the verification passes, performs access control for the UE.
- Alternatively, a communication interface is set up between the SeGW and the core network element; the core network element obtains the identity information of the H(e)NB directly from the SeGW when it receives the H(e)NB registration request, and uses it to authenticate the registering H(e)NB.
- The H(e)NB may be attacked, so the core network cannot trust the identity provided by the H(e)NB itself.
- The SeGW, by contrast, is a trusted security entity; the present invention therefore has the SeGW digitally sign the identity of the H(e)NB and send the digital signature to the H(e)NB.
- The H(e)NB then sends the SeGW's digital signature together with its identity information to the core network element for identity verification.
- The method for secure access of a home base station in this example includes the following steps:
- Step 201: The SeGW digitally signs the identity information of the H(e)NB.
- The H(e)NB identity information includes the H(e)NB ID, and/or the CSG ID, and/or other identities.
- The SeGW includes the internal IP address of the H(e)NB in the H(e)NB identity information.
- The internal IP address of the H(e)NB is the IP address assigned by the SeGW to the H(e)NB when the IPSec tunnel is established.
- The H(e)NB uses the internal IP address to communicate with the core network element; the internal IP address is carried in the header of the inner IP packet of the IPSec tunnel.
- The SeGW may use the SeGW private key to digitally sign the identity information of the H(e)NB, or may use a session key to digitally sign it.
- Step 202: The SeGW sends the digital signature to the H(e)NB, and may also send the identity information to the H(e)NB.
- Step 203: The H(e)NB sends the digital signature and the H(e)NB identity information to the core network element (i.e., the H(e)NB GW, the MME or the SGSN).
- The H(e)NB may send the above information at registration, or send it along with the UE-related message when the UE accesses.
- At registration, the information is sent to the H(e)NB GW, or to the MME if the H(e)NB GW is not deployed; when the UE accesses, the information is sent with the UE-related message to the MME (EUTRAN), the SGSN (UTRAN or GERAN) or the MSC.
- Step 204: The core network element (i.e., the MME, the SGSN or the H(e)NB GW) verifies the digital signature of the H(e)NB identity information.
- If the SeGW signed with its private key, the core network element uses the public key of the SeGW to verify the digital signature.
- If the SeGW signed with a session key, the core network element needs to verify the digital signature using the same session key.
- There are two different verification methods according to where the H(e)NB identity information is verified: verifying the H(e)NB identity information when the H(e)NB registers, or verifying the H(e)NB identity when the UE accesses. If the H(e)NB identity information is verified at H(e)NB registration, the entity verifying the H(e)NB identity is the H(e)NB GW, or the MME when the H(e)NB GW is not deployed. Since there is no interface between the H(e)NB GW and the AAA/HSS, this scheme is suitable for digital signatures based on public and private keys.
- If the H(e)NB identity information is verified when the UE accesses, the entity verifying the H(e)NB identity is the MME (EUTRAN) or the SGSN (GERAN/UTRAN).
- That scheme can use digital signatures based on public and private keys, or digital signatures based on dynamic session keys.
- FIG. 3 is a flowchart of a method for secure access of a home base station according to Embodiment 2 of the present invention.
- In this example, when the H(e)NB registers, the H(e)NB GW or the MME verifies the digital signature of the H(e)NB identity information.
- The method for securely accessing a home base station in this example includes the following steps:
- Step 301: The H(e)NB is powered on.
- The H(e)NB accesses the local network and obtains IP address configuration information from it.
- Step 302: The H(e)NB initiates IKEv2 negotiation with the SeGW.
- The process includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, and assignment by the SeGW of an internal IP address to the H(e)NB.
- Step 303: The SeGW acquires the identity information used by the H(e)NB for core network communication, which includes the H(e)NB ID and/or the CSG ID and the like, and digitally signs the identity information of the H(e)NB.
- The specific digital signature algorithm is as follows:
- X = Algorithm 1(H(e)NB identity information || H(e)NB internal IP address) [A]
- where || stands for concatenation of information: the SeGW concatenates a plurality of pieces of information, that is, joins them one after another.
- If the identity information is the H(e)NB ID and the CSG ID, the H(e)NB identity information in the above formula is H(e)NB ID || CSG ID.
- Algorithm 1 is a one-way hash algorithm; the present invention does not specify a particular algorithm.
- The purpose of the algorithm is to convert a long string to a length suitable for the digital signature algorithm.
- A simple one-way hash algorithm is the MD5 algorithm.
- Digital Signature = Digital Signature Algorithm(X, Digital Signature Key) [B]
- The present invention does not specify a particular digital signature algorithm; any digital signature algorithm in the related art may be used, for example the commonly used RSA algorithm.
- In this embodiment, the digital signature key is the private key of the SeGW.
- Step 304: The SeGW sends the digital signature to the H(e)NB.
- The SeGW may send the H(e)NB identity information to the H(e)NB as well. If the H(e)NB identity information (such as the CSG ID and the H(e)NB ID) is not sent to the H(e)NB by the SeGW, the H(e)NB may obtain it from the H(e)MS or from fixed configuration on the H(e)NB. If the H(e)NB requested assignment of an IP address, the SeGW also sends the internal IP address of the H(e)NB to the H(e)NB.
- The H(e)NB identity information and the digital signature can be sent by extending the IKEv2 protocol. For example, the IKEv2 configuration payload (CP, Configuration Payload) can be extended, with the H(e)NB identity information and the digital signature placed in the configuration payload and sent to the H(e)NB.
- Step 305: The IKEv2 negotiation is completed.
- An IPSec secure tunnel is established between the H(e)NB and the SeGW.
- Step 306: The H(e)NB obtains configuration parameters from the H(e)MS.
- Step 307: When the network deploys an H(e)NB GW, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends the H(e)NB identity information and its digital signature to the H(e)NB GW.
- Step 308: The H(e)NB GW verifies the identity information and the digital signature of the H(e)NB.
- The H(e)NB GW first decrypts the digital signature according to the following formula:
- Decryption Algorithm(Digital Signature, Decryption Key)
- The decryption algorithm corresponds to the signature algorithm and may be an existing decryption algorithm, such as the RSA decryption algorithm.
- The digital signature in the above formula is the digital signature of the H(e)NB identity information that the H(e)NB sent to the H(e)NB GW.
- The decryption key is the public key of the SeGW.
- The H(e)NB GW then calculates X as follows:
- X = Algorithm 1(H(e)NB identity information || H(e)NB IP address) [C]
- where the identity information of the H(e)NB is the identity information sent by the H(e)NB to the H(e)NB GW in step 307, and the H(e)NB IP address is the source IP address of the registration request message sent by the H(e)NB to the H(e)NB GW in step 307. The verification succeeds if the decrypted value equals X.
- The H(e)NB GW obtains the public key from the configured certificate of the SeGW; or, optionally, the H(e)NB sends the certificate of the SeGW to the H(e)NB GW in step 307 and the H(e)NB GW obtains the public key of the SeGW from the received certificate.
- Step 309: If the digital signature verification in step 308 succeeds, the H(e)NB GW completes the remaining H(e)NB registration process and sends a registration response message to the H(e)NB; if the digital signature verification in step 308 fails, the H(e)NB GW sends a registration failure message to the H(e)NB.
- Step 310: When no HeNB GW is deployed in the network, the HeNB registers with the MME.
- The HeNB sends a registration request message to the MME, which includes the HeNB identity information and its digital signature.
- Step 311: The MME verifies the HeNB identity information and its digital signature in the same manner as in step 308.
- Step 312: If the digital signature verification in step 311 succeeds, the MME completes the remaining H(e)NB registration process, establishes a context for the H(e)NB, and sends a registration response message to the H(e)NB; if the digital signature verification in step 311 fails, the MME sends a registration failure message to the H(e)NB.
- FIG. 4 is a flowchart of a method for secure access of a home base station according to Embodiment 3 of the present invention.
- This example is a method in which the MME or the SGSN verifies the digital signature of the H(e)NB identity information when a UE registers.
- The method for secure access of the home base station in this example specifically includes the following steps:
- Step 401: The H(e)NB is powered on.
- The H(e)NB accesses the local network and obtains IP address configuration information from it.
- Step 402: The H(e)NB initiates IKEv2 negotiation with the SeGW.
- The process includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, assignment by the SeGW of an internal IP address to the H(e)NB, and so on.
- Step 403: The SeGW acquires the identity information used by the H(e)NB for core network communication, which includes the H(e)NB ID and/or the CSG ID, and digitally signs the identity information of the H(e)NB.
- The digital signature algorithm is as described in step 303.
- Alternatively, the following digital signature algorithm can be used:
- Digital Signature = Digital Signature Algorithm(X, Dynamic Session Key)
- The dynamic session key is generated dynamically by the SeGW, for example as a string of random numbers, or by other methods.
- The present invention does not specify a particular digital signature algorithm; any existing digital signature algorithm can be used, and in particular the digital signature algorithm can be a keyed HASH algorithm.
- Step 404a: The SeGW sends the digital signature to the H(e)NB.
- The SeGW may send the H(e)NB identity information to the H(e)NB as well. If the H(e)NB identity information (such as the CSG ID and the H(e)NB ID) is not sent to the H(e)NB by the SeGW, the H(e)NB may obtain it from the H(e)MS or from fixed configuration on the H(e)NB. If the H(e)NB requested assignment of an IP address, the SeGW also sends the internal IP address of the H(e)NB to the H(e)NB.
- The H(e)NB identity information and the digital signature can be sent by extending the IKEv2 protocol. For example, the configuration payload CP of IKEv2 can be extended, with the H(e)NB identity information and the digital signature placed in the configuration payload and sent to the H(e)NB.
- Step 404b: The SeGW saves the dynamic session key used to calculate the H(e)NB digital signature to the HSS/AAA.
- Step 405: The IKEv2 negotiation is completed.
- An IPSec secure tunnel is established between the H(e)NB and the SeGW.
- Step 406: The H(e)NB obtains configuration parameters from the H(e)MS.
- Step 407: When the network deploys an H(e)NB GW, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends the H(e)NB identity information and its digital signature to the H(e)NB GW.
- The H(e)NB GW stores the H(e)NB identity information, the digital signature and the H(e)NB IP address.
- The H(e)NB GW completes the registration process of the H(e)NB and sends a registration response to the H(e)NB.
- Step 408: When no HeNB GW is deployed in the network, the HeNB registers with the MME.
- The HeNB sends a registration request message to the MME, which includes the HeNB identity information and its digital signature.
- The MME stores the HeNB identity information, the digital signature and the HeNB IP address.
- The MME completes the registration process of the H(e)NB and sends a registration response to the H(e)NB.
- FIG. 5 is a flowchart of a method for securely accessing a home base station according to Embodiment 4 of the present invention.
- This embodiment is a method in which the MME or the SGSN verifies the digital signature of the H(e)NB identity information when a UE registers.
- This embodiment is the flow of the UE attaching, or performing a routing area or tracking area update, through the H(e)NB.
- The method for securely accessing the home base station in this example includes the following steps:
- Step 501: When the UE is powered on under the H(e)NB, or the UE moves to an H(e)NB located in a new routing area or tracking area, the UE sends an attach request message or a routing area/tracking area update request message to the H(e)NB.
- Step 502: The H(e)NB forwards the foregoing UE registration request message over the S1 interface.
- When the H(e)NB GW is deployed, the message is sent to the H(e)NB GW.
- When the HeNB GW is not deployed, the message is sent directly to the MME.
- The H(e)NB GW determines whether the H(e)NB IP address is consistent with the H(e)NB IP address stored in its context. If not, the H(e)NB GW returns an error to the H(e)NB.
- Step 503: When the H(e)NB GW is deployed, the H(e)NB GW forwards the step 502 message and obtains the H(e)NB identity information from its context and, optionally, the H(e)NB IP address and/or the digital signature, and sends them to the SGSN (in the case of GERAN or UTRAN) or the MME (EUTRAN) along with the S1 message sent by the H(e)NB to the H(e)NB GW in step 502.
- Step 504: The MME/SGSN obtains from the HSS/AAA the session key used for the digital signature, according to the H(e)NB identity information (such as the H(e)NB ID) received in step 503, and also obtains other information about the H(e)NB from the HSS/AAA, for example the list of CSG IDs supported by the H(e)NB; optionally, the HSS/AAA sends the digital signature key to the MME/SGSN.
- Step 505: If the H(e)NB GW sent the digital signature to the MME/SGSN in step 503, the MME/SGSN verifies the digital signature of the H(e)NB.
- If the H(e)NB identity information was digitally signed with the public and private keys, the verification algorithm is as described in step 308.
- If the H(e)NB identity information was digitally signed with the session key, the H(e)NB identity information, the H(e)NB IP address and the digital signature were sent to the MME/SGSN by the H(e)NB GW in step 503, and the verification algorithm is as follows:
- a) Calculate X according to formula [C] of step 308;
- b) Calculate Y = Digital Signature Algorithm(X, Session Key) using the session key obtained in step 504;
- c) If Y is the same as the digital signature received in step 502, the verification succeeds; otherwise, the verification fails.
- Step 506: The SGSN/MME triggers completion of the subsequent UE attach or routing area/tracking area update procedure.
- In that procedure, the SGSN/MME determines whether the UE is allowed to access the H(e)NB, and the like, according to the CSG list supported by the H(e)NB and the CSG list subscribed to by the UE.
- If the digital signature verification in step 505 fails, the UE's attach procedure or routing area/tracking area update procedure fails.
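The signing and verification steps of Embodiments 2 to 4 (formulas [A], [B] and [C] of steps 303 and 308, and the session-key variant of steps 403 and 505), written out as an added Go example; this is not code from the patent. SHA-256 as Algorithm 1 (used here instead of the MD5 the text mentions), RSA PKCS#1 v1.5 as the digital signature algorithm, HMAC-SHA256 as the keyed hash, length-prefixed concatenation and the HeNB-1/HeNB-2 identities are all assumptions. Demo reruns the HeNB1/HeNB2 scenario from the Background to show that binding the SeGW-assigned internal IP into X makes the verifier reject both an identity swap and a replayed signature.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net"
)

// Identity is the H(e)NB identity information the SeGW signs: the H(e)NB ID
// and CSG ID the H(e)NB presents to the core network, plus the internal IP
// address the SeGW assigned to it when the IPsec tunnel was established.
type Identity struct {
	HeNBID     string
	CSGID      string
	InternalIP net.IP
}

// computeX is formula [A] (and [C] on the verifying side):
// X = Algorithm 1(H(e)NB ID || CSG ID || internal IP address).
// SHA-256 and the length prefix are assumptions; the page only says "concatenate".
func computeX(id Identity) []byte {
	h := sha256.New()
	for _, field := range [][]byte{[]byte(id.HeNBID), []byte(id.CSGID), id.InternalIP.To16()} {
		h.Write([]byte{byte(len(field))}) // prefix so "AB"||"C" != "A"||"BC"
		h.Write(field)
	}
	return h.Sum(nil)
}

// SeGWSign is formula [B] in Embodiment 2: the SeGW signs X with its private key
// (RSA PKCS#1 v1.5 assumed; the page only says "for example RSA").
func SeGWSign(segwPriv *rsa.PrivateKey, id Identity) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, segwPriv, crypto.SHA256, computeX(id))
}

// CoreVerifyWithPublicKey is step 308/311: the H(e)NB GW or MME rebuilds X from
// the identity fields the H(e)NB reported and from the source IP of the
// registration request (never from an IP the H(e)NB merely claims), then checks
// the signature with the SeGW public key taken from the SeGW certificate.
func CoreVerifyWithPublicKey(segwPub *rsa.PublicKey, reported Identity, srcIP net.IP, sig []byte) bool {
	x := computeX(Identity{reported.HeNBID, reported.CSGID, srcIP})
	return rsa.VerifyPKCS1v15(segwPub, crypto.SHA256, x, sig) == nil
}

// SeGWSignWithSessionKey is the Embodiment 3 variant: a keyed hash over X under
// a dynamic session key the SeGW generates per tunnel (HMAC-SHA256 assumed).
func SeGWSignWithSessionKey(sessionKey []byte, id Identity) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(computeX(id))
	return m.Sum(nil)
}

// HSS stands in for the HSS/AAA that stores the session key per H(e)NB ID (step 404b).
type HSS map[string][]byte

// CoreVerifyWithSessionKey is steps 504/505: the MME/SGSN fetches the session key
// for the reported H(e)NB ID, recomputes Y and compares it in constant time with
// the signature the H(e)NB GW forwarded.
func CoreVerifyWithSessionKey(hss HSS, reported Identity, srcIP net.IP, sig []byte) bool {
	key, ok := hss[reported.HeNBID]
	if !ok {
		return false // unknown H(e)NB ID: nothing to verify against
	}
	y := SeGWSignWithSessionKey(key, Identity{reported.HeNBID, reported.CSGID, srcIP})
	return hmac.Equal(y, sig)
}

// Demo replays the Background scenario with constructed identities: HeNB1 (internal
// IP 10.0.0.1) tries to register as HeNB2. It reports whether the honest
// registration, the identity swap and a replayed HeNB2 signature pass verification.
func Demo() (honest, spoofID, replay bool, err error) {
	segw, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	henb1 := Identity{"HeNB-1", "CSG-1", net.ParseIP("10.0.0.1")}
	henb2 := Identity{"HeNB-2", "CSG-2", net.ParseIP("10.0.0.2")}
	sig1, err := SeGWSign(segw, henb1) // the signature HeNB1 legitimately holds
	if err != nil {
		return
	}
	sig2, err := SeGWSign(segw, henb2)
	if err != nil {
		return
	}
	pub := &segw.PublicKey
	honest = CoreVerifyWithPublicKey(pub, henb2, henb2.InternalIP, sig2)  // HeNB2 from its own tunnel
	spoofID = CoreVerifyWithPublicKey(pub, henb2, henb1.InternalIP, sig1) // HeNB1 presents HeNB2's ID/CSG
	replay = CoreVerifyWithPublicKey(pub, henb2, henb1.InternalIP, sig2)  // HeNB1 replays HeNB2's signature
	return
}

func main() {
	fmt.Println(Demo()) // true false false <nil>
}
```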
- FIG. 6 is a schematic structural diagram of a home base station security access system according to an embodiment of the present invention.
- This example describes another home base station security access system that implements H(e)NB authentication.
- Specifically, a communication interface between the SeGW and the MME, the SGSN or the H(e)NB GW is added.
- After the MME or the H(e)NB GW receives the identity information sent by the H(e)NB, the MME/SGSN/H(e)NB GW sends an identity verification request message to the SeGW over the new interface, so that the SeGW verifies whether the identity of the H(e)NB is genuine.
- In FIG. 6, the Sx and Sy interfaces are the new interfaces.
- The Sx interface is located between the MME and the SeGW and is used by the MME to authenticate the H(e)NB identity.
- This interface is used only in the scenario where no H(e)NB GW is deployed.
- The Sy interface is located between the H(e)NB GW and the SeGW and is used by the H(e)NB GW to authenticate the H(e)NB identity. The scheme is described in detail below in conjunction with the flowchart.
- FIG. 7 is a flowchart of a method for securely accessing a home base station according to Embodiment 5 of the present invention, where this embodiment is
- Step 701: The H(e)NB is powered on. The H(e)NB accesses the local network and obtains IP address configuration information from the local network.
- Step 702: The H(e)NB initiates IKEv2 negotiation with the SeGW. The process includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, and assignment of an internal IP address to the H(e)NB by the SeGW.
- Step 703: The H(e)NB obtains configuration parameters from the H(e)MS.
- Step 704: When an H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends its H(e)NB identity information to the H(e)NB GW.
- Step 705: In order to verify the identity of the H(e)NB, the H(e)NB GW sends an H(e)NB identity request message to the SeGW, where the message includes the IP address of the H(e)NB (that is, the H(e)NB IP address assigned by the SeGW).
- Step 706: The SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the H(e)NB GW.
- Step 707: The H(e)NB GW saves the H(e)NB identity information, completes the remaining H(e)NB registration process, establishes a context for it, and sends a registration response message to the H(e)NB.
- Step 708: When no H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the MME, in which the H(e)NB sends its H(e)NB identity information to the MME.
- Step 709: In order to verify the identity of the H(e)NB, the MME sends an H(e)NB identity request message to the SeGW, where the message includes the IP address of the H(e)NB (that is, the IP address assigned to the H(e)NB by the SeGW).
- Step 710: The SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the MME.
- Step 711: The MME saves the H(e)NB identity information, completes the remaining H(e)NB registration process, establishes a context for it, and sends a registration response message to the H(e)NB.
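As an added example (not the patent's own code) of steps 704 to 711, the Sx/Sy identity query in Go: the SeGW answers an identity request by the inner IP it assigned during IKEv2, and the MME or H(e)NB GW accepts the registration only when that answer matches the identity the H(e)NB claimed. Message and field names are assumptions.

```go
package main

import "fmt"

// SeGW holds the binding made during IKEv2: the inner IP it assigned to each
// mutually authenticated H(e)NB and the identity from that H(e)NB's credentials.
type SeGW struct{ byIP map[string]string }

// IdentityRequest and IdentityResponse model the messages on the Sx (MME-SeGW)
// or Sy (H(e)NB GW-SeGW) interface; the field names are assumptions.
type IdentityRequest struct{ HeNBIP string }
type IdentityResponse struct{ HeNBID string; Found bool }

// HandleIdentityRequest is steps 706/710: look up the identity by the IP address
// the SeGW itself assigned, so the answer is tied to the authenticated tunnel.
func (s *SeGW) HandleIdentityRequest(req IdentityRequest) IdentityResponse {
	id, ok := s.byIP[req.HeNBIP]
	return IdentityResponse{HeNBID: id, Found: ok}
}

// Registration is the registration request as the MME or H(e)NB GW sees it:
// the identity the device claims plus the source IP the request arrived from.
type Registration struct{ ClaimedID, SourceIP string }

// CoreNE stands for the MME (over Sx) or the H(e)NB GW (over Sy).
type CoreNE struct{ segw *SeGW; contexts map[string]string } // H(e)NB ID -> IP

// Register is steps 705-707 / 709-711: ask the SeGW who owns the source IP,
// accept only if that matches the claimed identity, then create the context.
func (c *CoreNE) Register(r Registration) (bool, string) {
	resp := c.segw.HandleIdentityRequest(IdentityRequest{HeNBIP: r.SourceIP})
	switch {
	case !resp.Found:
		return false, "source IP was not assigned by the SeGW (no IPsec tunnel)"
	case resp.HeNBID != r.ClaimedID:
		return false, "claimed identity does not match the SeGW binding"
	}
	c.contexts[r.ClaimedID] = r.SourceIP
	return true, "registered"
}

func main() {
	// Constructed data: one H(e)NB authenticated by the SeGW and given 10.0.0.7.
	segw := &SeGW{byIP: map[string]string{"10.0.0.7": "HENB-0001"}}
	mme := &CoreNE{segw: segw, contexts: map[string]string{}}
	for _, r := range []Registration{{"HENB-0001", "10.0.0.7"}, {"HENB-0002", "10.0.0.7"}, {"HENB-0003", "192.0.2.5"}} {
		ok, why := mme.Register(r)
		fmt.Printf("%s from %s: %v (%s)\n", r.ClaimedID, r.SourceIP, ok, why)
	}
}
```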
- The embodiment of the present invention further describes another system for securely accessing a home base station, including a SeGW, an H(e)NB, and a core network element:
- the SeGW is configured to digitally sign the identity information of the H(e)NB and send the digital signature to the H(e)NB;
- the H(e)NB is configured to send the identity information and the digital signature of the H(e)NB to the core network element when the H(e)NB registers, or when a UE attaches or performs a tracking area update or routing area update through the H(e)NB;
- the core network element is configured to verify the correctness of the identity information and the digital signature of the H(e)NB.
- The SeGW may digitally sign the identity information of the H(e)NB by using the private key of the SeGW; the core network element may then verify the correctness of the identity information and the digital signature of the H(e)NB by using the public key of the SeGW.
- Alternatively, the SeGW may digitally sign the identity information of the H(e)NB by using a dynamic session key; the SeGW notifies the home subscriber server (HSS) or Authentication, Authorization and Accounting (AAA) server of the dynamic session key, and the HSS/AAA server stores it. The core network element may then obtain from the AAA/HSS the temporary session key with which the identity information of the H(e)NB was digitally signed, and verify the H(e)NB identity information by using that temporary session key.
- The identity information of the H(e)NB may be the home base station identifier (H(e)NB ID) and the internal IP address of the H(e)NB; or the closed subscriber group identifier (CSG ID) and the internal IP address of the H(e)NB; or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
- The core network element may be an MME, an SGSN or an HNB GW.
- A core network element of the embodiment of the present invention is configured to: receive the identity information sent by the home base station H(e)NB and the digital signature of that identity information made by the security gateway SeGW, and verify the correctness of the identity information and the digital signature.
- Another core network element of the embodiment of the present invention is configured to: obtain the identity information of the home base station H(e)NB for identity authentication through a communication interface between the core network element and the security gateway SeGW, verify the correctness of the identity information reported by the H(e)NB against it, and accept the H(e)NB registration after the verification passes.
- The solution of the embodiment of the present invention prevents an illegal H(e)NB from registering directly with the core network element and providing service access to UEs, and thus maintains network security.
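As an added example, not code from the patent, the two signature variants described above in Go: the SeGW signs the H(e)NB identity information (H(e)NB ID, CSG ID, internal IP) either with its private key, which the core network element verifies with the SeGW public key, or with a dynamic session key stored at the HSS/AAA and fetched by H(e)NB ID, as in steps 504 and 505. Ed25519, HMAC-SHA256 and the byte encoding are assumptions; the patent's formula [C] is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// IdentityInfo is what the SeGW vouches for: H(e)NB ID, CSG ID and the internal
// IP it assigned during IKEv2. The "|"-joined byte encoding is an assumption of
// this example; the patent's formula [C] is not reproduced here.
type IdentityInfo struct{ HeNBID, CSGID, InternalIP string }

func (id IdentityInfo) Bytes() []byte {
	return []byte(strings.Join([]string{id.HeNBID, id.CSGID, id.InternalIP}, "|"))
}

// NewSeGWKeys returns a constructed SeGW key pair (Ed25519 is assumed; the
// patent does not name the public/private scheme).
func NewSeGWKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Variant 1: the SeGW signs with its private key and the MME/SGSN/H(e)NB GW
// verifies with the SeGW public key. The registration's source IP must also equal
// the signed internal IP, so a genuine signature cannot be replayed elsewhere.
func SeGWSign(priv ed25519.PrivateKey, id IdentityInfo) []byte {
	return ed25519.Sign(priv, id.Bytes())
}
func CoreVerifyPubKey(pub ed25519.PublicKey, id IdentityInfo, sig []byte, srcIP string) bool {
	return srcIP == id.InternalIP && ed25519.Verify(pub, id.Bytes(), sig)
}

// Variant 2: the SeGW signs with a dynamic session key (HMAC-SHA256 assumed) and
// reports it to the HSS/AAA, which stores it by H(e)NB ID; the core network
// element fetches the key (step 504) and recomputes the tag (step 505).
type HSS map[string][]byte // H(e)NB ID -> dynamic session key

func SeGWSignSession(key []byte, id IdentityInfo) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(id.Bytes())
	return m.Sum(nil)
}
func CoreVerifySession(h HSS, id IdentityInfo, tag []byte, srcIP string) bool {
	key, ok := h[id.HeNBID] // no key at the HSS/AAA means an unknown H(e)NB
	return ok && srcIP == id.InternalIP && hmac.Equal(SeGWSignSession(key, id), tag)
}
```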
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP12844878.4A EP2790429B1 (en) | 2011-10-31 | 2012-10-08 | Hnb or henb security access method and system, and core network element |
US14/355,299 US9467295B2 (en) | 2011-10-31 | 2012-10-08 | HNB or HeNB security access method and system, and core network element |
IN3216CHN2014 IN2014CN03216A (zh) | 2011-10-31 | 2012-10-08 | |
RU2014118758/08A RU2580399C2 (ru) | 2011-10-31 | 2012-10-08 | СПОСОБ И СИСТЕМА ЗАЩИЩЕННОГО ДОСТУПА К HNB ИЛИ HeNB И ЭЛЕМЕНТ БАЗОВОЙ СЕТИ |
JP2014537471A JP5977834B2 (ja) | 2011-10-31 | 2012-10-08 | ホーム基地局のセキュアアクセス方法、システム及びコアネットワークエレメント |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110337762 | 2011-10-31 | ||
CN201110337762.7 | 2011-10-31 | ||
CN201110364549.5A CN103096311B (zh) | 2011-10-31 | 2011-11-04 | 家庭基站安全接入的方法及系统 |
CN201110364549.5 | 2011-11-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013064002A1 (zh) | 2013-05-10 |
Family
ID=48191294
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2012/082555 WO2013064002A1 (zh) | 2011-10-31 | 2012-10-08 | 家庭基站安全接入的方法、系统及核心网网元 |
Country Status (7)
Country | Link |
---|---|
US (1) | US9467295B2 (zh) |
EP (1) | EP2790429B1 (zh) |
JP (1) | JP5977834B2 (zh) |
CN (1) | CN103096311B (zh) |
IN (1) | IN2014CN03216A (zh) |
RU (1) | RU2580399C2 (zh) |
WO (1) | WO2013064002A1 (zh) |
2011
- 2011-11-04 CN CN201110364549.5A patent/CN103096311B/zh not_active Expired - Fee Related
2012
- 2012-10-08 WO PCT/CN2012/082555 patent/WO2013064002A1/zh active Application Filing
- 2012-10-08 JP JP2014537471A patent/JP5977834B2/ja not_active Expired - Fee Related
- 2012-10-08 RU RU2014118758/08A patent/RU2580399C2/ru not_active IP Right Cessation
- 2012-10-08 EP EP12844878.4A patent/EP2790429B1/en not_active Not-in-force
- 2012-10-08 IN IN3216CHN2014 patent/IN2014CN03216A/en unknown
- 2012-10-08 US US14/355,299 patent/US9467295B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
IN2014CN03216A (zh) | 2015-07-03 |
EP2790429A4 (en) | 2015-04-15 |
JP2014535207A (ja) | 2014-12-25 |
CN103096311B (zh) | 2018-11-09 |
CN103096311A (zh) | 2013-05-08 |
EP2790429A1 (en) | 2014-10-15 |
US9467295B2 (en) | 2016-10-11 |
US20140310529A1 (en) | 2014-10-16 |
RU2580399C2 (ru) | 2016-04-10 |
EP2790429B1 (en) | 2018-12-05 |
RU2014118758A (ru) | 2015-12-10 |
JP5977834B2 (ja) | 2016-08-24 |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12844878; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 2012844878; Country of ref document: EP |
ENP | Entry into the national phase | Ref document number: 2014537471; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | Wipo information: entry into national phase | Ref document number: 14355299; Country of ref document: US |
ENP | Entry into the national phase | Ref document number: 2014118758; Country of ref document: RU; Kind code of ref document: A |