WO2013064002A1 - Method, system and core network element for secure access of a home base station - Google Patents

Method, system and core network element for secure access of a home base station

Info

Publication number
WO2013064002A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity information
core network
network element
segw
digital signature
Prior art date
Application number
PCT/CN2012/082555
Other languages
English (en)
French (fr)
Inventor
宗在峰
周晓云
朱李
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Priority to EP12844878.4A (EP2790429B1)
Priority to US14/355,299 (US9467295B2)
Priority to IN3216CHN2014 (IN2014CN03216A)
Priority to RU2014118758/08A (RU2580399C2)
Priority to JP2014537471A (JP5977834B2)
Publication of WO2013064002A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/08 Access point devices

Definitions

  • The present invention relates to secure access technology for a home base station, and in particular to a method, a system and a core network element for secure access of a home base station.
  • Background technique
  • The Evolved Packet System (EPS) proposed by the 3rd Generation Partnership Project (3GPP) comprises the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW), the Home Subscriber Server (HSS) and the 3GPP Authentication, Authorization and Accounting (AAA) server.
  • FIG. 1 is a schematic diagram of the system architecture of an H(e)NB accessing the core network. As shown in FIG. 1, the architecture supports both the home base station (HNB, Home NodeB) for traditional GERAN/UTRAN access and the evolved home base station (HeNB, Home eNodeB) for LTE (Long Term Evolution) access. The H(e)NB accesses the Evolved Packet Core (EPC) through the Security Gateway (SeGW).
  • When an HNB accesses the network, the Home NodeB Gateway (HNB GW) is mandatory; when an HeNB accesses the network, the evolved home base station gateway (HeNB GW, Home eNodeB Gateway) is optional. When the HeNB GW is deployed, the HeNB registers with the HeNB GW; when it is not deployed, the HeNB registers with the MME.
  • The MME, the Serving GPRS Support Node (SGSN) or the HNB GW performs access control on the UE. When the UE attaches through the H(e)NB, if the UE and the network support a Closed Subscriber Group (CSG), the H(e)NB notifies the SGSN or the MME of the CSG ID (CSG identity) it supports, and the SGSN or MME determines whether to allow the user to access from the H(e)NB based on the user subscription data obtained from the HSS. The HNB GW determines whether to allow the UE to access from the HNB according to a locally configured list of UE IMSIs allowed by that HNB.
  • The H(e)NB establishes a security tunnel with the SeGW at power-on, and the two authenticate each other; therefore, from the perspective of the SeGW, the H(e)NB is trusted. However, the related protocol cannot guarantee that the identity the H(e)NB presents to the MME/SGSN/HNB GW is the same identity it used in the mutual authentication with the SeGW: the H(e)NB may use, towards the MME/SGSN/HNB GW, an identity different from the one it authenticated with, and according to the current protocol the SeGW is not responsible for authenticating the identity the H(e)NB uses towards the MME/SGSN/HNB GW. As a result, an H(e)NB can fraudulently use another H(e)NB's identity when communicating with the MME/SGSN/H(e)NB GW.
  • For example, HeNB1 first establishes an IPSec tunnel with the SeGW and the two authenticate each other using HeNB1's real identity (an identity based on a certificate or on a hosting party module (HPM)). HeNB1 then sends the HeNB ID of HeNB2 and the CSG ID supported by HeNB2 to the MME. With the CSG ID of HeNB2 the UE is allowed to access, whereas with the CSG ID supported by HeNB1 it would not be. HeNB1 thus spoofs the identity of another base station so that users who are not allowed to access can access the network, undermining the security of the network.
  • In a related method, the MME/H(e)NB GW authenticates the identity of the H(e)NB in the core network (i.e., the identity used towards the MME/H(e)NB GW). This method has many defects. Specifically, the association between the H(e)NB ID and the H(e)NB internal IP address can only be triggered by the IPSec messages when the H(e)NB is powered on and then sent to the MME/H(e)NB GW; the SeGW needs to choose an appropriate MME/H(e)NB GW to send the association to, and it must be ensured that when the H(e)NB registers it selects the same MME or H(e)NB GW. The implementation therefore has to guarantee that the H(e)NB selects the same MME or H(e)NB GW, which undoubtedly increases the difficulty of implementation, and if the H(e)NB does not select the MME or H(e)NB GW to which its identity was sent at initial power-on, the method is invalid. Moreover, the H(e)NB selects the MME or H(e)NB GW according to configuration information from the H(e)MS, but the SeGW has no interface with the H(e)MS, so it is difficult to guarantee that the MME or H(e)NB GW selected by the SeGW is the same as the one selected by the H(e)NB. In addition, the scheme assumes that the MME or H(e)NB GW is an authentication server of the H(e)NB; however, according to the relevant protocol, authentication based on the HPM module is optional, so the AAA server may not be used for H(e)NB authentication at all, which makes the solution unsuitable for all scenarios.
  • Summary of the invention
  • The main purpose of the embodiments of the present invention is to provide a method and a system for secure access of a home base station, which can prevent an illegal home base station from impersonating a legal home base station in order to access the core network and provide services to user equipment.
  • A method for secure access of a home base station includes: the security gateway SeGW digitally signs the identity information of the H(e)NB and sends the digital signature to the H(e)NB; the H(e)NB sends its identity information and the digital signature to the core network element; the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB.
  • The SeGW digitally signing the identity information of the H(e)NB is: the SeGW acquires the identity information of the H(e)NB when authenticating the H(e)NB, and digitally signs that identity information.
  • The H(e)NB sending its identity information and the digital signature to the core network element is: the H(e)NB sends them to the core network element when the H(e)NB registers; or, the H(e)NB sends them to the core network element when the user equipment UE registers through the H(e)NB.
  • The SeGW digitally signs the identity information of the H(e)NB using the private key of the SeGW, and the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB using the public key of the SeGW.
  • Alternatively, the SeGW digitally signs the identity information of the H(e)NB using a dynamic session key, and the method further includes the SeGW notifying the home subscriber server HSS/Authentication Authorization Accounting AAA server, which stores the dynamic session key. In that case, the core network element verifying the correctness of the identity information and the digital signature of the H(e)NB is: the core network element obtains from the AAA/HSS the temporary session key with which the identity information of the H(e)NB was digitally signed, and uses that temporary session key to verify the identity information of the H(e)NB.
  • The identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
  • The method further includes: after the core network element successfully verifies the identity information and the digital signature of the H(e)NB, the core network element saves the identity information of the H(e)NB.
  • The core network element is an H(e)NB GW or an MME; or, the core network element is an MME, an SGSN or an MSC.
  • The identity information of the H(e)NB is sent to the MME, the SGSN or the MSC, which verifies that the identity information of the H(e)NB is correct.
  • The core network element obtains the public key of the SeGW from a configured certificate of the SeGW, or from the certificate of the SeGW that the H(e)NB sends to the core network element.
  • The SeGW sends the digital signature to the H(e)NB by extending the configuration payload CP of IKEv2, and may also send the H(e)NB identity information to the H(e)NB in the same extended configuration payload.
  • A method for secure access of a home base station includes: when the H(e)NB registers with the core network element, the core network element obtains the identity information of the H(e)NB through a communication interface set up between the core network element and the SeGW, verifies the correctness of the identity information reported by the H(e)NB against it, and accepts the H(e)NB registration after the verification passes.
  • The core network element is an H(e)NB GW; when no HeNB GW is set up, the core network element is an MME.
  • A system for secure access of a home base station comprises a SeGW and a core network element, wherein: the SeGW is configured to digitally sign the identity information of the H(e)NB and send the identity information of the H(e)NB together with the digital signature to the H(e)NB; and the core network element is configured to receive the identity information and the digital signature sent by the H(e)NB and verify the correctness of the identity information and the digital signature of the H(e)NB.
  • The SeGW is configured to digitally sign the identity information of the H(e)NB using the private key of the SeGW, and the core network element is configured to verify the correctness of the identity information and the digital signature of the H(e)NB using the public key of the SeGW.
  • Alternatively, the SeGW is configured to digitally sign the identity information of the H(e)NB using a dynamic session key, and the core network element is configured to obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB and to verify the identity information of the H(e)NB with that temporary session key.
  • The identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB; the core network element is a mobility management entity MME, a Serving GPRS Support Node SGSN or a home base station gateway H(e)NB GW.
  • The SeGW is further configured to send the identity information of the H(e)NB to the H(e)NB.
  • A core network element is configured to: receive the identity information sent by the home base station H(e)NB and the digital signature of that identity information made by the security gateway SeGW, and verify the correctness of the identity information and the digital signature.
  • A core network element is configured to: obtain, through a communication interface between the core network element and a security gateway SeGW, the identity information of a home base station H(e)NB for identity authentication, verify the correctness of the identity information reported by the H(e)NB, and accept the H(e)NB registration after the verification passes.
  • FIG. 1 is a schematic diagram of the system architecture of an H(e)NB accessing the core network.
  • FIG. 2 is a flowchart of a method for secure access of a home base station according to Embodiment 1 of the present invention.
  • FIG. 3 is a flowchart of a method for secure access of a home base station according to Embodiment 2 of the present invention.
  • FIG. 4 is a flowchart of a method for secure access of a home base station according to Embodiment 3 of the present invention.
  • FIG. 5 is a flowchart of a method for secure access of a home base station according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic structural diagram of a home base station security access system according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of a method for secure access of a home base station according to Embodiment 5 of the present invention.
  • When the SeGW performs identity authentication on the H(e)NB, the SeGW digitally signs the identity information of the H(e)NB and sends the digital signature to the H(e)NB; the H(e)NB sends its own identity information and the digital signature to the core network element when the UE attaches or performs a tracking area update or routing area update; the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB and, after the verification passes, performs access control for the UE.
  • Alternatively, a communication interface is set up between the SeGW and the core network element, and the core network element obtains the identity information of the H(e)NB directly from the SeGW when it receives the H(e)NB registration request, and uses it to authenticate the identity of the registering H(e)NB.
  • The H(e)NB may be attacked, so the core network cannot trust the identity provided by the H(e)NB itself. The SeGW, however, is a trusted security entity, so the present invention has the SeGW digitally sign the identity of the H(e)NB and send the digital signature to the H(e)NB; the H(e)NB then sends the SeGW's digital signature together with its identity information to the core network element for identity verification.
  • The method for secure access of a home base station in this example includes the following steps:
  • Step 201: The SeGW digitally signs the identity information of the H(e)NB. The H(e)NB identity information includes the H(e)NB ID and/or the CSG ID and/or other identities. The SeGW also includes the internal IP address of the H(e)NB in the H(e)NB identity information: the internal IP address is the IP address assigned by the SeGW to the H(e)NB when the IPSec tunnel is established, the H(e)NB uses it to communicate with the core network element, and it is carried in the header of the inner IP packet of the IPSec tunnel. The SeGW may use its private key to digitally sign the identity information of the H(e)NB, or may use a session key to do so.
  • Step 202: The SeGW sends the digital signature to the H(e)NB, and may also send the identity information to the H(e)NB.
  • Step 203: The H(e)NB sends the digital signature and the H(e)NB identity information to the core network element (i.e., the H(e)NB GW, the MME or the SGSN). The H(e)NB may send this information at registration time, or send it along with the UE-related message when a UE accesses. At registration, the information is sent to the H(e)NB GW, or to the MME if no H(e)NB GW is deployed; when a UE accesses, the information is sent with the UE-related message to the MME (EUTRAN), the SGSN (UTRAN or GERAN) or the MSC.
  • Step 204: The core network element (i.e., the MME, the SGSN or the H(e)NB GW) verifies the digital signature of the H(e)NB identity information. If the SeGW signed with its private key, the core network element uses the public key of the SeGW to verify the digital signature; if the SeGW signed with a session key, the core network element needs to verify the digital signature using the same session key.
  • There are two different verification methods according to where the H(e)NB identity information is verified: verifying it when the H(e)NB registers, or verifying it when the UE accesses. If the H(e)NB identity information is verified at H(e)NB registration, the entity verifying the H(e)NB identity is the H(e)NB GW, or the MME when no H(e)NB GW is deployed. Since there is no interface between the H(e)NB GW and the AAA/HSS, this scheme is suited to a digital signature based on public and private keys. If the H(e)NB identity information is verified when the UE accesses, the entity verifying the H(e)NB identity is the MME (EUTRAN) or the SGSN (GERAN/UTRAN); this scheme can use either a digital signature based on public and private keys or a digital signature based on a dynamic session key.
  • FIG. 3 is a flowchart of a method for secure access of a home base station according to Embodiment 2 of the present invention. In this example, the H(e)NB GW or the MME verifies the digital signature of the H(e)NB identity information when the H(e)NB registers.
  • The method for secure access of a home base station in this example includes the following steps:
  • Step 301: The H(e)NB is powered on, accesses the local network and obtains IP address configuration information from the local network.
  • Step 302: The H(e)NB initiates IKEv2 negotiation with the SeGW. The process includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, and the SeGW assigning an internal IP address to the H(e)NB.
  • Step 303: The SeGW acquires the identity information the H(e)NB uses for core network communication, which includes the H(e)NB ID and/or the CSG ID and the like, and digitally signs the identity information of the H(e)NB. The digital signature algorithm is as follows:
  • X = Algorithm 1(H(e)NB identity information || H(e)NB internal IP address) [A]
  • where || stands for concatenation of information, i.e. the SeGW sequentially connects the several pieces of information. For example, if the identity information is the H(e)NB ID and the CSG ID, the H(e)NB identity information in the above formula is H(e)NB ID || CSG ID. Algorithm 1 is a one-way hash algorithm; the present invention does not specify a specific algorithm. Its purpose is to convert a long string to a length suitable for the digital signature algorithm; a simple one-way hash algorithm is the MD5 algorithm.
  • Digital Signature = Digital Signature Algorithm(X, Digital Signature Key) [B]
  • The present invention does not specify a specific digital signature algorithm; any digital signature algorithm in the related art can be used, for example the commonly used RSA algorithm. The digital signature key is the private key of the SeGW.
  • Step 304: The SeGW sends the digital signature to the H(e)NB, and may send the H(e)NB identity information to the H(e)NB as well. If the H(e)NB identity information (such as the CSG ID and H(e)NB ID) is not sent to the H(e)NB by the SeGW, the H(e)NB may obtain it from the H(e)MS or from fixed configuration on the H(e)NB. If the H(e)NB requested assignment of an IP address, the SeGW also sends the internal IP address of the H(e)NB to the H(e)NB. The H(e)NB identity information and digital signature can be sent by extending the IKEv2 protocol: for example, the IKEv2 configuration payload (CP, Configuration Payload) can be extended, and the H(e)NB identity information and digital signature are placed in the configuration payload and sent to the H(e)NB.
  • Step 305: The IKEv2 negotiation is completed, and an IPSec secure tunnel is established between the H(e)NB and the SeGW.
  • Step 306: The H(e)NB obtains configuration parameters from the H(e)MS.
  • Step 307: When the network deploys an H(e)NB GW, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends its identity information and the digital signature to the H(e)NB GW.
  • Step 308: The H(e)NB GW authenticates the identity information and the digital signature of the H(e)NB. The H(e)NB GW decrypts the digital signature with a decryption algorithm that corresponds to the signing algorithm (an existing decryption algorithm such as the RSA decryption algorithm can be used); the digital signature is the digital signature of the H(e)NB identity information that the H(e)NB sent to the H(e)NB GW, and the decryption key is the public key of the SeGW. The H(e)NB GW then calculates X as follows:
  • X = Algorithm 1(H(e)NB identity information || H(e)NB IP address) [C]
  • where the H(e)NB identity information is the identity information sent by the H(e)NB to the H(e)NB GW in step 307, and the H(e)NB IP address is the source IP address of the registration request message sent by the H(e)NB to the H(e)NB GW in step 307; the verification succeeds if the decrypted value matches this X. The H(e)NB GW obtains the public key from the configured certificate of the SeGW or, optionally, in step 307 the H(e)NB sends the certificate of the SeGW to the H(e)NB GW and the H(e)NB GW obtains the public key of the SeGW from the received certificate.
  • Step 309: If the digital signature verification in step 308 succeeds, the H(e)NB GW completes the remaining H(e)NB registration process and sends a registration response message to the H(e)NB; if the digital signature verification in step 308 fails, the H(e)NB GW sends a registration failure message to the H(e)NB.
  • Step 310: When no HeNB GW is deployed in the network, the HeNB registers with the MME: the HeNB sends a registration request message to the MME, which includes the HeNB identity information and its digital signature.
  • Step 311: The MME authenticates the HeNB identity information and its digital signature in the same manner as in step 308.
  • Step 312: If the digital signature verification in step 311 succeeds, the MME completes the remaining H(e)NB registration process, establishes a context for the H(e)NB, and sends a registration response message to the H(e)NB; if the digital signature verification in step 308 fails, the MME sends a registration failure message to the H(e)NB.
  • FIG. 4 is a flowchart of a method for secure access of a home base station according to Embodiment 3 of the present invention. This example is a method in which the MME or the SGSN authenticates the digital signature of the H(e)NB identity information when a UE registers.
  • The method for secure access of the home base station in this example specifically includes the following steps:
  • Step 401: The H(e)NB is powered on, accesses the local network and obtains IP address configuration information from the local network.
  • Step 402: The H(e)NB initiates IKEv2 negotiation with the SeGW. The process includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, the SeGW assigning an internal IP address to the H(e)NB, and so on.
  • Step 403: The SeGW acquires the identity information the H(e)NB uses for core network communication, which includes the H(e)NB ID and/or the CSG ID, and digitally signs the identity information of the H(e)NB. The digital signature algorithm is the one described in step 303; in this embodiment the following digital signature algorithm can be used:
  • Digital Signature = Digital Signature Algorithm(X, Dynamic Session Key)
  • where the dynamic session key is generated dynamically by the SeGW, for example as a string of random numbers, or by other methods. The present invention does not specify a specific digital signature algorithm; an existing digital signature algorithm can be used, and in particular the digital signature algorithm can be a keyed HASH algorithm.
  • Step 404a: The SeGW sends the digital signature to the H(e)NB, and may send the H(e)NB identity information to the H(e)NB as well. If the H(e)NB identity information (such as the CSG ID and H(e)NB ID) is not sent to the H(e)NB by the SeGW, the H(e)NB may obtain it from the H(e)MS or from fixed configuration on the H(e)NB. If the H(e)NB requested assignment of an IP address, the SeGW also sends the internal IP address of the H(e)NB to the H(e)NB. The H(e)NB identity information and digital signature can be sent by extending the IKEv2 protocol: for example, the configuration payload CP of IKEv2 can be extended, and the H(e)NB identity information and the digital signature are placed in the configuration payload and sent to the H(e)NB.
  • Step 404b: The SeGW saves the dynamic session key used to calculate the H(e)NB digital signature to the HSS/AAA.
  • Step 405: The IKEv2 negotiation is completed, and an IPSec secure tunnel is established between the H(e)NB and the SeGW.
  • Step 406: The H(e)NB obtains configuration parameters from the H(e)MS.
  • Step 407: When the network deploys an H(e)NB GW, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends its identity information and the digital signature to the H(e)NB GW. The H(e)NB GW stores the H(e)NB identity information, the digital signature and the H(e)NB IP address, completes the registration process of the H(e)NB and sends a registration response to the H(e)NB.
  • Step 408: When no HeNB GW is deployed in the network, the HeNB registers with the MME: the HeNB sends a registration request message to the MME, which includes the HeNB identity information and its digital signature. The MME stores the HeNB identity information, the digital signature and the HeNB IP address, completes the registration process of the H(e)NB and sends a registration response to the H(e)NB.
  • FIG. 5 is a flowchart of a method for secure access of a home base station according to Embodiment 4 of the present invention. This embodiment is a method in which the MME or the SGSN authenticates the digital signature of the H(e)NB identity information when a UE registers; it is the flow of a UE attaching, or performing a routing area or tracking area update, through the H(e)NB.
  • The method for secure access of the home base station in this example includes the following steps:
  • Step 501: When the UE is powered on under the H(e)NB, or the UE moves to an H(e)NB located in a new routing area or tracking area, the UE sends an attach request message or a routing area/tracking area update request message to the H(e)NB.
  • Step 502: The H(e)NB forwards the above UE registration request message through the S1 interface. When an H(e)NB GW is deployed, the message is sent to the H(e)NB GW; when no HeNB GW is deployed, the message is sent directly to the MME. The H(e)NB GW determines whether the H(e)NB IP address is consistent with the H(e)NB IP address stored in its context; if not, the H(e)NB GW returns an error to the H(e)NB.
  • Step 503: When an H(e)NB GW is deployed, the H(e)NB GW forwards the message of step 502 and, along with the S1 message sent by the H(e)NB to the H(e)NB GW in step 502, sends the H(e)NB identity information obtained from its context and, optionally, the H(e)NB IP address and/or the digital signature to the SGSN (in the case of GERAN or UTRAN) or the MME (EUTRAN).
  • Step 504: The MME/SGSN obtains the session key used for the digital signature from the HSS/AAA according to the H(e)NB identity information (such as the H(e)NB ID) received in step 503, and also obtains other information about the H(e)NB from the HSS/AAA, for example the list of CSG IDs supported by the H(e)NB; optionally, the HSS/AAA sends the digital signature key to the MME/SGSN.
  • Step 505: If in step 503 the H(e)NB GW sent the digital signature to the MME/SGSN, the MME/SGSN verifies the digital signature of the H(e)NB. If the H(e)NB identity information was digitally signed with the public and private keys, the verification algorithm is as described in step 308. If the H(e)NB identity information was digitally signed with the dynamic session key, the H(e)NB identity information, the H(e)NB IP address and the digital signature having been sent to the MME/SGSN by the H(e)NB GW in step 503, the verification algorithm is as follows: a) calculate X according to formula [C] of step 308; b) if the value Y obtained by digitally signing X with the session key obtained in step 504 is the same as the digital signature received in step 502, the verification succeeds, otherwise the verification fails.
  • Step 506: The SGSN/MME triggers completion of the subsequent UE attach or routing area/tracking area update process. The SGSN/MME determines whether the UE is allowed to access the H(e)NB, and so on, according to the CSG list supported by the H(e)NB and the CSG list subscribed to by the UE. If the digital signature verification in step 505 fails, the UE's attach procedure or routing area/tracking area update procedure fails.
  • FIG. 6 is a schematic structural diagram of a home base station secure access system according to an embodiment of the present invention. This example describes another home base station secure access system that implements H(e)NB identity verification. Specifically, a communication interface is added between the SeGW and the MME, SGSN or H(e)NB GW: after the MME or H(e)NB GW receives the identity information sent by the H(e)NB, the MME/SGSN/H(e)NB GW sends an identity verification request message to the SeGW over the new interface, so that the SeGW verifies whether the identity of the H(e)NB is genuine. The Sx and Sy interfaces are new interfaces. The Sx interface lies between the MME and the SeGW and is used by the MME to authenticate the H(e)NB identity; it is used only in the scenario where no H(e)NB GW is deployed. The Sy interface lies between the H(e)NB GW and the SeGW and is used by the H(e)NB GW to authenticate the H(e)NB identity. The scheme is described in detail below with reference to the flowchart.
  • FIG. 7 is a flowchart of a method for secure home base station access according to Embodiment 5 of the present invention; this embodiment is the H(e)NB power-on registration flow.
  • Step 701: The H(e)NB powers on, accesses the local network and obtains IP address configuration information from the local network.
  • Step 702: The H(e)NB initiates IKEv2 negotiation with the SeGW. The procedure includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, and assignment of an internal IP address to the H(e)NB by the SeGW.
  • Step 703: The H(e)NB obtains configuration parameters from the H(e)MS.
  • Step 704: When an H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends its identity information to the H(e)NB GW.
  • Step 705: To verify the identity of the H(e)NB, the H(e)NB GW sends an H(e)NB identity request message to the SeGW; the message contains the IP address of the H(e)NB (i.e. the IP address assigned to the H(e)NB by the SeGW).
  • Step 706: The SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the H(e)NB GW.
  • Step 707: The H(e)NB GW stores the H(e)NB identity information, completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB.
  • Step 708: When no H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the MME, in which the H(e)NB sends its identity information to the MME.
  • Step 709: To verify the identity of the H(e)NB, the MME sends an H(e)NB identity request message to the SeGW; the message contains the IP address of the H(e)NB (i.e. the IP address assigned to the H(e)NB by the SeGW).
  • Step 710: The SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the MME.
  • Step 711: The MME stores the H(e)NB identity information, completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB.
  • The embodiment of the present invention further describes another system for secure home base station access, including a SeGW, an H(e)NB and a core network element, where:
  • the SeGW is configured to digitally sign the identity information of the H(e)NB and send the digital signature to the H(e)NB;
  • the H(e)NB is configured to send the identity information and digital signature of the H(e)NB to the core network element when the H(e)NB registers, or when a UE attaches or performs a tracking area update or routing area update through the H(e)NB;
  • the core network element is configured to verify the correctness of the identity information and digital signature of the H(e)NB.
  • The SeGW may digitally sign the identity information of the H(e)NB using the private key of the SeGW; correspondingly, the core network element may verify the correctness of the identity information and digital signature of the H(e)NB using the public key of the SeGW.
  • The SeGW may digitally sign the identity information of the H(e)NB using a dynamic session key; the SeGW may notify the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key, and the HSS/AAA server stores the dynamic session key.
  • The core network element may obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and verify the identity information of the H(e)NB using the temporary session key.
  • The identity information of the H(e)NB may be the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
  • The core network element may be an MME, an SGSN or an HNB GW.
  • A core network element of the embodiment of the present invention is configured to receive the identity information sent by the home base station H(e)NB and the digital signature of that identity information by the security gateway SeGW, and to verify the correctness of the identity information and the digital signature.
  • Another core network element of the embodiment of the present invention is configured to obtain, through a communication interface between the core network element and the security gateway SeGW, the identity information used by the home base station H(e)NB in identity authentication, verify it against the identity information reported by the H(e)NB, and accept the H(e)NB registration after the verification passes.
  • The solution of the embodiment of the present invention prevents an illegitimate H(e)NB from registering directly with a core network element and providing service access to UEs, thereby maintaining network security.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention disclose a method, system and core network element for secure home base station access. The method includes: a security gateway SeGW digitally signs the identity information of a home base station H(e)NB and sends the digital signature to the H(e)NB; the H(e)NB sends the identity information of the H(e)NB and the digital signature to a core network element; and the core network element verifies the correctness of the identity information of the H(e)NB and the digital signature.

Description

Method, system and core network element for secure home base station access
Technical Field
The present invention relates to secure home base station access technology, and in particular to a method, system and core network element for secure home base station access.
Background
The Evolved Packet System (EPS) proposed by the 3rd Generation Partnership Project (3GPP) consists of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (P-GW or PDN GW), the Home Subscriber Server (HSS) and the 3GPP Authentication, Authorization and Accounting (AAA) server.
When a home base station accesses the Evolved Packet Core (EPC), a Security Gateway (SeGW) is introduced into the evolved core network to guarantee security: before communicating with core network equipment, the home base station first establishes an IPSec tunnel with the security gateway. Both the control-plane communication data and the user-plane data between the home base station and the core network equipment are encrypted by this IPSec tunnel. FIG. 1 is a schematic diagram of the system architecture for H(e)NB access to the core network. As shown in FIG. 1, the architecture supports both legacy GERAN/UTRAN access and LTE (Long Term Evolution) access; the HeNB (Home eNodeB) is the home base station that supports LTE. When HNB access is used, the Home NodeB Gateway (HNB GW) is mandatory, and the HNB must register with the HNB GW at power-on. When HeNB access is used, the Home eNodeB Gateway (HeNB GW) is optional: when an HeNB GW is deployed the HeNB registers with the HeNB GW, and when no HeNB GW is deployed the HeNB registers with the MME.
According to the 3GPP specifications, when a UE accesses through an H(e)NB (i.e. an HNB or an HeNB), the MME, the Serving GPRS Support Node (SGSN) or the HNB GW performs access control on the UE. When the UE attaches through an H(e)NB and both the UE and the network support Closed Subscriber Groups (CSG), the H(e)NB notifies the SGSN or MME of the CSG ID (CSG identity) it supports. The SGSN or MME decides, according to the user's subscription data obtained from the HSS, whether that user is allowed to access through that H(e)NB. When the UE attaches through an HNB and either the UE or the network does not support CSG, the HNB GW decides whether the UE is allowed to access through that HNB according to the locally configured list of UE IMSIs permitted for that HNB.
During the above procedure of UE access through the H(e)NB, all related messages are protected by the secure tunnel between the H(e)NB and the SeGW. The H(e)NB establishes the secure tunnel with the SeGW at power-on and the two authenticate each other, so from the SeGW's point of view the H(e)NB is trusted. However, the relevant specifications cannot guarantee that the identity the H(e)NB presents to the MME/SGSN/HNB GW is the same as the identity it used in mutual authentication with the SeGW; in fact, in many scenarios the H(e)NB uses an identity towards the MME/SGSN/HNB GW that differs from the one it used with the SeGW. Under the current specifications the SeGW is not responsible for authenticating the identity the H(e)NB uses in the MME/SGSN/HNB GW.
Therefore, under the relevant specifications, an H(e)NB can impersonate another's identity in its subsequent communication with the MME/SGSN/H(e)NB GW. For example, HeNB1 first establishes an IPSec tunnel with the SeGW and performs mutual authentication using its real identity (certificate-based or Hosting Party Module (HPM)-based); then, when a UE accesses through HeNB1, HeNB1 sends HeNB2's HeNB ID and the CSG ID supported by HeNB2 to the MME. According to HeNB2's CSG ID the UE's access is allowed, whereas according to the CSG ID supported by HeNB1 it is not. In this example HeNB1 impersonates another's identity, so that a user who should not be allowed to access can access the network, which compromises network security.
To address this problem, it has been proposed to add a new interface between the SeGW and the MME/H(e)NB GW, over which the SeGW sends the association between the H(e)NB ID and the H(e)NB internal IP address to the MME/H(e)NB GW, so as to authenticate the identity of the H(e)NB in the core network (i.e. the identity used in the MME/H(e)NB GW). However, this method has many drawbacks. Specifically, the association between the H(e)NB ID and the H(e)NB internal IP address can only be sent to the MME/H(e)NB GW when triggered by the IPSec messages at H(e)NB power-on; the SeGW must select a suitable MME/H(e)NB GW to send the association to, and it must be guaranteed that the H(e)NB selects the same MME or H(e)NB GW when it registers. The implementation must therefore ensure that the H(e)NB selects the same MME or H(e)NB GW, which undoubtedly increases implementation difficulty, and if the H(e)NB does not select the MME or H(e)NB GW to which its identity was sent at initial power-on, the method fails. Under the relevant specifications the H(e)NB selects the MME or H(e)NB GW according to configuration information from the H(e)MS, but the SeGW has no interface to the H(e)MS, so it is very hard to guarantee that the MME or H(e)NB GW selected by the SeGW is the same H(e)NB GW or MME selected by the H(e)NB. Furthermore, this scheme assumes that the MME or H(e)NB GW is the authentication server of the H(e)NB; however, under the relevant specifications HPM-based authentication is optional, so H(e)NB authentication may not involve an AAA server at all, which means the scheme cannot be applied in all scenarios.
Summary of the Invention
In view of this, the main object of the embodiments of the present invention is to provide a method and system for secure home base station access that can prevent an illegitimate home base station from impersonating a legitimate home base station to access the core network and provide services to user equipment.
To achieve the above object, the technical solution of the embodiments of the present invention is implemented as follows:
A method for secure home base station access, including:
a security gateway SeGW digitally signs the identity information of an H(e)NB and sends the H(e)NB digital signature to the H(e)NB;
the H(e)NB sends the identity information and the digital signature of the H(e)NB to a core network element;
the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB.
Preferably, the SeGW digitally signing the identity information of the H(e)NB is: the SeGW obtains the identity information of the H(e)NB when authenticating the identity of the H(e)NB, and digitally signs the identity information of the H(e)NB.
Preferably, the H(e)NB sending the identity information of the H(e)NB to the core network element is:
the H(e)NB sends the identity information and the digital signature of the H(e)NB to the core network element when the H(e)NB registers.
Preferably, the H(e)NB sending the identity information and the digital signature of the H(e)NB to the core network element is:
the H(e)NB sends the identity information and the digital signature of the H(e)NB to the core network element when a user equipment UE registers through the H(e)NB.
Preferably, the security gateway SeGW digitally signs the identity information of the H(e)NB using the private key of the security gateway;
correspondingly, the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB using the public key of the security gateway.
Preferably, the SeGW digitally signs the identity information of the H(e)NB using a dynamic session key;
the method further includes: the SeGW notifies the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key, and the HSS/AAA server stores the dynamic session key.
Preferably, the core network element verifying the correctness of the identity information and the digital signature of the H(e)NB is:
the core network element obtains from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and verifies the parsed-out identity information of the H(e)NB using the temporary session key.
Preferably, the identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
Preferably, the method further includes:
after the core network element successfully verifies the H(e)NB information and the digital signature, the core network element stores the H(e)NB information.
Preferably, the core network element is an H(e)NB GW or an MME.
Preferably, the core network element is an MME, an SGSN or an MSC.
Preferably, when a UE accesses through the H(e)NB:
after verifying that the identity information of the H(e)NB is correct, the core network element sends the identity information of the H(e)NB to the MME, SGSN or MSC; the MME, SGSN or MSC obtains the CSG ID information supported by the H(e)NB and performs access control on the UE according to the CSG ID information, where the MME, SGSN or MSC obtains the CSG ID information from the H(e)NB information or from the HSS/AAA server.
Preferably, when a UE accesses through the H(e)NB:
after verifying that the identity information of the H(e)NB is correct, the core network element obtains the CSG ID information supported by the H(e)NB and performs access control on the UE according to the CSG ID information, where the core network element obtains the CSG ID information from the H(e)NB information or from the HSS/AAA server.
Preferably, the core network element obtains the public key of the SeGW from a configured certificate of the SeGW, or the core network element obtains the public key of the SeGW from a certificate sent by the H(e)NB to the core network element.
Preferably, the SeGW sends the digital signature to the H(e)NB by extending the IKEv2 configuration payload CP.
Preferably, the SeGW may also send the H(e)NB identity information to the H(e)NB by extending the IKEv2 configuration payload CP.
A method for secure home base station access, including:
when an H(e)NB registers with a core network element, the core network element obtains the identity information of the H(e)NB through a communication interface provided between the core network element and the SeGW, verifies it against the identity information reported by the H(e)NB, and accepts the registration of the H(e)NB after the verification passes.
Preferably, the core network element is the H(e)NB GW; when no HeNB GW is provided, the core network element is the MME.
A system for secure home base station access, including a SeGW and a core network element, where:
the SeGW is configured to digitally sign the identity information of the H(e)NB and send the identity information of the H(e)NB together with the digital signature to the H(e)NB;
the core network element is configured to receive the identity information and digital signature sent by the H(e)NB and verify the correctness of the identity information and digital signature of the H(e)NB.
Preferably, the SeGW is configured to digitally sign the identity information of the H(e)NB using the private key of the SeGW;
correspondingly, the core network element is configured to verify the correctness of the identity information and digital signature of the H(e)NB using the public key of the SeGW.
Preferably, the SeGW is configured to digitally sign the identity information of the H(e)NB using a dynamic session key,
and to notify the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key.
Preferably, the core network element is configured to obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and to verify the identity information of the H(e)NB using the temporary session key.
Preferably, the identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB;
the core network element is a mobility management entity MME, a serving GPRS support node SGSN or a home base station gateway H(e)NB GW.
Preferably, the SeGW is further configured to send the identity information of the H(e)NB to the H(e)NB.
A core network element, configured to:
receive the identity information sent by a home base station H(e)NB and the digital signature of that identity information by a security gateway SeGW, and verify the correctness of the identity information and the digital signature.
A core network element, configured to: obtain, through a communication interface between the core network element and a security gateway SeGW, the identity information used by a home base station H(e)NB in identity authentication, verify it against the identity information reported by the H(e)NB, and accept the registration of the H(e)NB after the verification passes.
The solution of the embodiments of the present invention prevents an illegitimate H(e)NB from registering directly with a core network element and providing service access to UEs, thereby maintaining network security.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the system architecture for H(e)NB access to the core network.
FIG. 2 is a flowchart of the method for secure home base station access according to Embodiment 1 of the present invention;
FIG. 3 is a flowchart of the method for secure home base station access according to Embodiment 2 of the present invention;
FIG. 4 is a flowchart of the method for secure home base station access according to Embodiment 3 of the present invention;
FIG. 5 is a flowchart of the method for secure home base station access according to Embodiment 4 of the present invention;
FIG. 6 is a schematic structural diagram of the home base station secure access system according to an embodiment of the present invention;
FIG. 7 is a flowchart of the method for secure home base station access according to Embodiment 5 of the present invention.
Preferred Embodiments of the Invention
In the embodiments of the present invention, when the SeGW authenticates the identity of the H(e)NB, the SeGW digitally signs the identity information of the H(e)NB and sends the digital signature to the H(e)NB; when a UE attaches, performs a tracking area update or performs a routing area update, the H(e)NB sends its own identity information and the digital signature to the core network element; the core network element verifies the correctness of the identity information and the digital signature of the H(e)NB and, after the verification passes, performs access control on the UE. Alternatively, a communication interface is provided between the SeGW and the core network element; upon receiving an H(e)NB registration request, the core network element obtains the identity information of the H(e)NB directly from the SeGW and authenticates the identity of the H(e)NB requesting registration.
Embodiment 1
FIG. 2 is a flowchart of the method for secure home base station access according to Embodiment 1 of the present invention. Since the H(e)NB may be attacked, the core network cannot trust the identity supplied by the H(e)NB itself. Considering that the SeGW is a trusted security entity, the present invention has the SeGW digitally sign the H(e)NB identity and send the digital signature to the H(e)NB; the H(e)NB then sends the SeGW's digital signature together with the identity information to the core network element for identity verification. As shown in FIG. 2, the method for secure home base station access of this example includes the following steps:
Step 201: the SeGW digitally signs the identity information of the H(e)NB.
The identity information of the H(e)NB includes the H(e)NB ID and/or the CSG ID and/or other identities. In order to verify that the digitally signed H(e)NB identity information was indeed sent by the SeGW to a particular H(e)NB, the SeGW includes the internal IP address of that H(e)NB in the H(e)NB identity information. The internal IP address of the H(e)NB is the IP address assigned to the H(e)NB by the SeGW when the IPSec tunnel is established. The H(e)NB uses this internal IP address to communicate with core network elements, and the address is carried in the header of the inner IP packet inside the IPSec tunnel packets.
The SeGW may digitally sign the identity information of the H(e)NB using the private key of the SeGW, or using a session key.
Step 202: the SeGW sends the digital signature to the H(e)NB, and may also send the identity information to the H(e)NB.
Step 203: the H(e)NB sends the above digital signature and H(e)NB identity information to the core network element (i.e. the H(e)NB GW, the MME or the SGSN). The H(e)NB may send this information at registration, or together with the UE-related messages when a UE accesses. When sent at registration, the information is sent to the H(e)NB GW, or to the MME if no H(e)NB GW is deployed; when sent together with the UE-related messages at UE access, it is sent to the MME (for EUTRAN), the SGSN (for UTRAN or GERAN) or the MSC.
Step 204: the core network element verifies the digital signature of the H(e)NB identity information. When the SeGW signs the identity information of the H(e)NB with a private key, the core network element (i.e. the MME, the SGSN or the H(e)NB GW) verifies the digital signature using the public key of the SeGW. When the SeGW signs the identity information of the H(e)NB with a session key, the core network element must use the same session key to verify the digital signature.
In this embodiment there are two verification modes, depending on where the H(e)NB identity information is verified: verifying the H(e)NB identity information when the H(e)NB registers, or verifying the H(e)NB identity when a UE accesses. If the H(e)NB identity information is verified at H(e)NB registration, the entity verifying the H(e)NB identity is the H(e)NB GW, or the MME when no H(e)NB GW is deployed. Since there is no interface between the H(e)NB GW and the AAA/HSS, this scheme is suited to public/private key based digital signatures.
If the H(e)NB identity information is verified at UE access, the entity verifying the H(e)NB identity is the MME (for EUTRAN) or the SGSN (for GERAN/UTRAN). This scheme may use public/private key based digital signatures or dynamic session key based digital signatures.
The above method is further described below with reference to specific flows.
Embodiment 2
FIG. 3 is a flowchart of the method for secure home base station access according to Embodiment 2 of the present invention. This example is a method in which the H(e)NB GW or the MME verifies the digital signature of the H(e)NB identity information when the H(e)NB registers. As shown in FIG. 3, the method for secure home base station access of this example specifically includes the following steps:
Step 301: the H(e)NB powers on. The H(e)NB accesses the local network and obtains IP address configuration information from the local network.
Step 302: the H(e)NB initiates IKEv2 negotiation with the SeGW. This procedure includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, assignment of an internal IP address to the H(e)NB by the SeGW, and so on.
Step 303: the SeGW obtains the identity information that the H(e)NB uses for core network communication, which includes the H(e)NB ID and/or the CSG ID, etc. The SeGW digitally signs the identity information of the H(e)NB; the digital signature algorithm is as follows:
X = Algorithm 1(H(e)NB identity information | H(e)NB internal IP address)    [A]
In formula [A], '|' denotes concatenation of information. When the identity information of the H(e)NB comprises several items, the SeGW concatenates them, i.e. joins them in sequence. For example, when the identity information is the H(e)NB ID and the CSG ID, the H(e)NB identity information in the above formula is H(e)NB ID | CSG ID.
Algorithm 1 is a one-way hash algorithm; the present invention does not prescribe a specific algorithm. Its purpose is to convert a long string into a length suitable for the digital signature algorithm. As an example, one simple one-way hash algorithm is MD5.
Digital signature = Digital signature algorithm(X, digital signature key)    [B]
The present invention does not prescribe a specific digital signature algorithm; any digital signature algorithm of the related art may be used, for example the commonly used RSA algorithm may serve as the digital signature algorithm of the present invention.
In this example, the digital signature key is the private key of the SeGW.
Step 304: the SeGW sends the digital signature to the H(e)NB; optionally, the SeGW may also send the H(e)NB identity information to the H(e)NB. If the H(e)NB identity information (such as the CSG ID and the H(e)NB ID) is not sent to the H(e)NB via the SeGW, the H(e)NB can obtain it from the H(e)MS or have it statically configured on the H(e)NB. If the H(e)NB requests an IP address, the SeGW also sends the H(e)NB internal IP address to the H(e)NB. The H(e)NB identity information and the digital signature may be sent by extending the IKEv2 protocol, for example by extending the IKEv2 Configuration Payload (CP) and carrying the H(e)NB identity information and the digital signature in the configuration payload sent to the H(e)NB.
Step 305: IKEv2 negotiation completes. An IPSec secure tunnel is established between the H(e)NB and the SeGW.
Step 306: the H(e)NB obtains configuration parameters from the H(e)MS.
Step 307: when an H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends the H(e)NB identity information and its digital signature to the H(e)NB GW.
Step 308: the H(e)NB GW authenticates the identity information and digital signature of the H(e)NB. The verification method is as follows:
The H(e)NB GW decrypts the digital signature according to the following formula:
Y = Decryption algorithm(digital signature, decryption key)
The decryption algorithm corresponds to the encryption algorithm and may be any existing decryption algorithm, such as RSA decryption. The digital signature in the above formula is the digital signature of the H(e)NB identity information that the H(e)NB sent to the H(e)NB GW. In this example the decryption key is the public key of the SeGW. The H(e)NB GW then computes X' according to the following formula:
X' = Algorithm 1(H(e)NB identity information | H(e)NB IP address)    [C]
The H(e)NB identity information is the identity information that the H(e)NB sent to the H(e)NB GW in step 307; the H(e)NB IP address is the source IP address of the registration request message that the H(e)NB sent to the H(e)NB GW in step 307.
If Y = X', the digital signature verification succeeds; otherwise, the digital signature verification fails.
The H(e)NB GW obtains the public key from a configured certificate of the SeGW, or, optionally, in step 307 the H(e)NB sends the certificate of the SeGW to the H(e)NB GW and the H(e)NB GW obtains the public key of the SeGW from the received certificate.
Step 309: if the digital signature verification in step 308 succeeds, the H(e)NB GW completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB; if the digital signature verification in step 308 fails, the H(e)NB GW sends a registration failure message to the H(e)NB.
Step 310: when no HeNB GW is deployed in the network, the HeNB registers with the MME.
The HeNB sends a registration request message to the MME, which contains the HeNB identity information and its digital signature.
Step 311: the MME authenticates the HeNB identity information and its digital signature using the same method as in step 308.
Step 312: if the digital signature verification in step 311 succeeds, the MME completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB; if the digital signature verification in step 308 fails, the MME sends a registration failure message to the H(e)NB.
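The private-key variant of steps 303/304 (SeGW side) and 308 (H(e)NB GW side), as an added example that is not code from the patent: SHA-256 stands in for "Algorithm 1" (the text names MD5 as one possible hash, but MD5 collisions are practical, so a modern hash is the defensible choice), textbook RSA over the digest stands in for the unspecified signature algorithm, and the key pair, identities and addresses are constructed sample values. The two failing cases at the bottom show why the internal IP address is folded into X: a signature only verifies for the identity and tunnel address it was issued for.

```python
"""Added example, not code from the patent: SeGW signs X = Hash(identity | internal IP)
with its private key (formulas [A]/[B]); the H(e)NB GW recovers Y from the signature
with the SeGW public key, recomputes X' from the reported identity and the request's
source IP (formula [C]) and accepts only if Y == X'. Everything below is a demo stand-in."""
import hashlib
import random


def compute_x(identity_fields, ip_address):
    """Formula [A] / [C]: X = Hash(identity_1 | identity_2 | ... | IP address).
    A '|' separator keeps the concatenation unambiguous (the patent only says the
    items are joined in sequence)."""
    data = "|".join(list(identity_fields) + [ip_address]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; assumed helper, only here to build a demo key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_segw_keypair(bits=512, seed=7):
    """Demo RSA key pair ((n, e), (n, d)). Seeded so the example is reproducible;
    a real SeGW uses a CA-issued key of adequate size, never a seeded generator."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


SEGW_PUB, SEGW_PRIV = generate_segw_keypair()


def segw_sign(identity_fields, internal_ip, priv=SEGW_PRIV):
    """Steps 303/304: signature = Sign(X, SeGW private key), formula [B]."""
    n, d = priv
    return pow(compute_x(identity_fields, internal_ip), d, n)


def henb_gw_verify(reported_identity, source_ip, signature, pub=SEGW_PUB):
    """Step 308: Y = Decrypt(signature, SeGW public key); X' = Hash(reported
    identity | source IP of the registration request); accept iff Y == X'."""
    n, e = pub
    y = pow(signature, e, n)
    return y == compute_x(reported_identity, source_ip)


if __name__ == "__main__":
    sig = segw_sign(("HeNB1", "CSG-1"), "10.0.0.1")   # constructed sample identity
    print("genuine registration:", henb_gw_verify(("HeNB1", "CSG-1"), "10.0.0.1", sig))
    # another H(e)NB's identity presented with this signature: rejected
    print("identity mismatch:", henb_gw_verify(("HeNB2", "CSG-2"), "10.0.0.1", sig))
    # same identity and signature from a different inner IP: rejected
    print("source IP mismatch:", henb_gw_verify(("HeNB1", "CSG-1"), "10.0.0.2", sig))
```

The H(e)NB GW takes the source IP from the inner IP header of the registration request, not from anything the H(e)NB reports, which is what binds the signature to the IPSec tunnel the SeGW authenticated.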
Embodiment 3
FIG. 4 is a flowchart of the method for secure home base station access according to Embodiment 3 of the present invention. This example is a method in which the MME or the SGSN verifies the digital signature of the H(e)NB identity information when a UE registers. As shown in FIG. 4, the method for secure home base station access of this example specifically includes the following steps:
Step 401: the H(e)NB powers on. The H(e)NB accesses the local network and obtains IP address configuration information from the local network.
Step 402: the H(e)NB initiates IKEv2 negotiation with the SeGW. This procedure includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, assignment of an internal IP address to the H(e)NB by the SeGW, and so on.
Step 403: the SeGW obtains the identity information that the H(e)NB uses for core network communication, which includes the H(e)NB ID and/or the CSG ID, etc. The SeGW digitally signs the identity information of the H(e)NB. When the private key of the SeGW is used for the digital signature, the digital signature algorithm is the one shown in step 303. When a dynamic session key is used for the digital signature, the following algorithm may be used:
a) compute X according to formula [A] of step 303; b) Digital signature = Digital signature algorithm(X, dynamic session key)
where the dynamic session key is generated dynamically by the SeGW, for example as a string of random numbers, or generated by another method.
The present invention does not prescribe a specific digital signature algorithm; any existing digital signature algorithm may be used. As an example, the digital signature algorithm may be a keyed hash algorithm.
Step 404a: the SeGW sends the digital signature to the H(e)NB; optionally, the SeGW may also send the H(e)NB identity information to the H(e)NB. If the H(e)NB identity information (such as the CSG ID and the H(e)NB ID) is not sent to the H(e)NB via the SeGW, the H(e)NB can obtain it from the H(e)MS or have it statically configured on the H(e)NB. If the H(e)NB requests an IP address, the SeGW also sends the H(e)NB internal IP address to the H(e)NB. The H(e)NB identity information and the digital signature may be sent by extending the IKEv2 protocol, for example by extending the IKEv2 configuration payload CP and carrying the H(e)NB identity information and the digital signature in the configuration payload sent to the H(e)NB.
Step 404b: the SeGW stores the dynamic session key used to compute the H(e)NB digital signature in the HSS/AAA.
Step 405: IKEv2 negotiation completes. An IPSec secure tunnel is established between the H(e)NB and the SeGW.
Step 406: the H(e)NB obtains configuration parameters from the H(e)MS.
Step 407: when an H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends the H(e)NB identity information and its digital signature to the H(e)NB GW. The H(e)NB GW stores the H(e)NB identity information, the digital signature and the H(e)NB IP address. The H(e)NB GW completes the registration procedure of the H(e)NB and sends a registration response to the H(e)NB.
Step 408: when no HeNB GW is deployed in the network, the HeNB registers with the MME. The HeNB sends a registration request message to the MME, which contains the HeNB identity information and its digital signature. The MME stores the HeNB identity information, the digital signature and the HeNB IP address. The MME completes the registration procedure of the H(e)NB and sends a registration response to the H(e)NB.
Embodiment 4
FIG. 5 is a flowchart of the method for secure home base station access according to Embodiment 4 of the present invention. This embodiment is a method in which the MME or the SGSN verifies the digital signature of the H(e)NB identity information when a UE registers; it is the flow of a UE performing attach or routing area/tracking area update through the H(e)NB. As shown in FIG. 5, the method for secure home base station access of this example includes the following steps:
Step 501: when a UE powers on under an H(e)NB, or moves to an H(e)NB located in a new routing area or tracking area, the UE sends an attach request message or a routing area/tracking area update request message to the H(e)NB.
Step 502: the H(e)NB forwards the above UE registration request message over the S1 interface. When an HeNB GW is deployed, the message is sent to the H(e)NB GW; when no HeNB GW is deployed, the message is sent directly to the MME. The H(e)NB GW checks whether the H(e)NB IP address matches the H(e)NB IP address stored in its context; if not, the H(e)NB GW returns an error to the H(e)NB.
Step 503: when an H(e)NB GW is deployed, the H(e)NB GW forwards the step 502 message, retrieves from its context the H(e)NB identity information and, optionally, the H(e)NB IP address and/or the digital signature, and sends this information together with the S1 message that the H(e)NB sent to the H(e)NB GW in step 502 to the SGSN (for GERAN or UTRAN) or the MME (for EUTRAN).
The H(e)NB GW stored the above information in step 407.
Step 504: the MME/SGSN obtains the session key used for the digital signature from the HSS/AAA according to the H(e)NB identity information (such as the H(e)NB ID) received in step 503, and also obtains other information about the H(e)NB from the HSS/AAA, for example the list of CSG IDs supported by the H(e)NB; optionally, the HSS/AAA sends the digital signature key to the MME/SGSN.
Step 505: if the H(e)NB GW sent the digital signature to the MME/SGSN in step 503, the MME/SGSN verifies the digital signature of the H(e)NB. When the H(e)NB identity information was digitally signed with a public/private key pair, the verification algorithm is that of step 308, where the H(e)NB identity information, the H(e)NB IP address and the digital signature are those sent by the H(e)NB GW to the MME/SGSN in step 503.
When the H(e)NB identity information was digitally signed with a session key, the verification algorithm is as follows: a) compute X' according to formula [C] of step 308;
b) Y = Digital signature algorithm(X', session key)
If Y is the same as the digital signature received in step 502, the verification succeeds; otherwise the verification fails.
Step 506: the SGSN/MME triggers completion of the subsequent UE attach or routing area/tracking area update procedure, which includes the SGSN/MME deciding, according to the CSG list supported by the H(e)NB and the CSG list subscribed by the UE, whether the UE is allowed to access that H(e)NB, among other operations.
If the digital signature verification in step 505 fails, the UE's attach procedure or routing area/tracking area update procedure ends in failure.
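The dynamic-session-key variant of Embodiments 3 and 4 (steps 403/404b on the SeGW, 407 on the H(e)NB GW, 502 to 506 on the MME/SGSN), as an added example that is not code from the patent: HMAC-SHA256 stands in for the unspecified keyed hash and SHA-256 for "Algorithm 1"; the HSS/AAA and the H(e)NB GW context are plain dictionaries, and every H(e)NB ID, CSG ID, address and key is a constructed sample value. The same passage is covered by the English step summary earlier on this page.

```python
"""Added example, not code from the patent. SeGW: session key per H(e)NB, signature =
KeyedHash(Hash(identity | internal IP), key), key deposited with HSS/AAA. H(e)NB GW:
stores identity, signature and IP; checks the S1 source IP before forwarding. MME/SGSN:
fetches the key by H(e)NB ID, recomputes Y over the reported identity and IP, compares
with the forwarded signature, then applies the CSG check. All values are constructed."""
import hashlib
import hmac
import secrets


def compute_x(identity_fields, ip_address):
    """Formula [A] / [C]: X = Hash(identity fields | IP address); '|' keeps the
    concatenation unambiguous."""
    data = "|".join(list(identity_fields) + [ip_address]).encode()
    return hashlib.sha256(data).digest()


def keyed_signature(x, session_key):
    """Step 403 b): signature = KeyedHash(X, dynamic session key)."""
    return hmac.new(session_key, x, hashlib.sha256).digest()


# Stand-in HSS/AAA: per H(e)NB ID, the session key deposited in step 404b and the
# subscription data (supported CSG IDs) the MME/SGSN fetches in step 504.
HSS_AAA = {}


def segw_ikev2_complete(henb_id, csg_id, internal_ip, csg_ids_supported):
    """Steps 403/404a/404b on the SeGW: generate the session key, sign the identity
    bound to the internal IP just assigned, store the key in HSS/AAA, and return what
    the IKEv2 configuration payload hands to the H(e)NB."""
    session_key = secrets.token_bytes(32)
    HSS_AAA[henb_id] = {"session_key": session_key, "csg_ids": set(csg_ids_supported)}
    signature = keyed_signature(compute_x((henb_id, csg_id), internal_ip), session_key)
    return {"henb_id": henb_id, "csg_id": csg_id,
            "internal_ip": internal_ip, "signature": signature}


def henb_gw_register(gw_context, registration):
    """Step 407: the H(e)NB GW stores identity, signature and IP, keyed by the
    inner IP of the tunnel the registration arrived on."""
    gw_context[registration["internal_ip"]] = registration


def henb_gw_forward(gw_context, s1_source_ip):
    """Steps 502/503: the S1 message's source IP must match a stored context;
    otherwise an error goes back to the H(e)NB (returned here as None)."""
    return gw_context.get(s1_source_ip)


def mme_verify(forwarded):
    """Steps 504/505: fetch the session key by the reported H(e)NB ID, recompute
    Y = KeyedHash(X', key) over the reported identity and IP, and compare with the
    forwarded signature in constant time."""
    record = HSS_AAA.get(forwarded["henb_id"])
    if record is None:
        return False
    x_prime = compute_x((forwarded["henb_id"], forwarded["csg_id"]),
                        forwarded["internal_ip"])
    return hmac.compare_digest(keyed_signature(x_prime, record["session_key"]),
                               forwarded["signature"])


def ue_access_allowed(forwarded, ue_subscribed_csgs):
    """Step 506: only after the signature verifies is the CSG list held by HSS/AAA
    for this H(e)NB compared with the UE's subscribed CSG list."""
    if not mme_verify(forwarded):
        return False
    supported = HSS_AAA[forwarded["henb_id"]]["csg_ids"]
    return bool(supported & set(ue_subscribed_csgs))


if __name__ == "__main__":
    gw_context = {}
    henb_gw_register(gw_context, segw_ikev2_complete("HeNB1", "CSG-1", "10.0.0.1", ["CSG-1"]))
    henb_gw_register(gw_context, segw_ikev2_complete("HeNB2", "CSG-2", "10.0.0.2", ["CSG-2"]))
    fwd = henb_gw_forward(gw_context, "10.0.0.1")
    print("HeNB1 genuine, UE subscribed to CSG-1:", ue_access_allowed(fwd, ["CSG-1"]))
    # HeNB2's signature presented from HeNB1's tunnel address: X' differs, rejected
    print("HeNB2 signature from 10.0.0.1:", mme_verify(dict(fwd, henb_id="HeNB2", csg_id="CSG-2")))
```

Because the MME/SGSN looks the key up by the H(e)NB ID that was reported, a base station claiming another's ID is checked against that other station's key, and the address folded into X' ties the result to the tunnel the SeGW actually assigned.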
FIG. 6 is a schematic structural diagram of the home base station secure access system according to an embodiment of the present invention. This example describes another home base station secure access system that implements H(e)NB identity verification. Specifically, a communication interface is added between the SeGW and the MME, SGSN or H(e)NB GW. After the MME or H(e)NB GW receives the identity information sent by the H(e)NB, the MME/SGSN/H(e)NB GW sends an identity verification request message to the SeGW over this new interface, so that the SeGW verifies whether the identity of the H(e)NB is genuine. As shown in FIG. 6, the Sx and Sy interfaces are new interfaces. The Sx interface lies between the MME and the SeGW and is used by the MME to authenticate the H(e)NB identity; it is used only in the scenario where no H(e)NB GW is deployed. The Sy interface lies between the H(e)NB GW and the SeGW and is used by the H(e)NB GW to authenticate the H(e)NB identity. This scheme is described in detail below with reference to the flowchart.
Embodiment 5
FIG. 7 is a flowchart of the method for secure home base station access according to Embodiment 5 of the present invention. This embodiment is the H(e)NB power-on registration flow. As shown in FIG. 7, the method for secure home base station access of this example specifically includes the following steps:
Step 701: the H(e)NB powers on. The H(e)NB accesses the local network and obtains IP address configuration information from the local network.
Step 702: the H(e)NB initiates IKEv2 negotiation with the SeGW. This procedure includes mutual authentication between the H(e)NB and the SeGW, negotiation of the security association, assignment of an internal IP address to the H(e)NB by the SeGW, and so on.
Step 703: the H(e)NB obtains configuration parameters from the H(e)MS.
Step 704: when an H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the H(e)NB GW, in which the H(e)NB sends the H(e)NB identity information to the H(e)NB GW.
Step 705: to verify the identity of the H(e)NB, the H(e)NB GW sends an H(e)NB identity request message to the SeGW; the message contains the IP address of the H(e)NB (i.e. the IP address assigned to the H(e)NB by the SeGW).
Step 706: the SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the H(e)NB GW.
Step 707: the H(e)NB GW stores the H(e)NB identity information, completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB.
Step 708: when no H(e)NB GW is deployed in the network, the H(e)NB sends a registration request message to the MME, in which the H(e)NB sends the H(e)NB identity information to the MME.
Step 709: to verify the identity of the H(e)NB, the MME sends an H(e)NB identity request message to the SeGW; the message contains the IP address of the H(e)NB (i.e. the IP address assigned to the H(e)NB by the SeGW).
Step 710: the SeGW looks up the identity information of the H(e)NB according to the H(e)NB IP address and returns the identity information to the MME.
Step 711: the MME stores the H(e)NB identity information, completes the remaining H(e)NB registration procedure, establishes a context for it, and sends a registration response message to the H(e)NB.
The embodiment of the present invention further describes another system for secure home base station access, including a SeGW, an H(e)NB and a core network element, where:
the SeGW is configured to digitally sign the identity information of the H(e)NB and send the digital signature to the H(e)NB;
the H(e)NB is configured to send the identity information and digital signature of the H(e)NB to the core network element when the H(e)NB registers, or when a UE attaches or performs a tracking area update or routing area update through the H(e)NB;
the core network element is configured to verify the correctness of the identity information and digital signature of the H(e)NB.
The SeGW may digitally sign the identity information of the H(e)NB using the private key of the SeGW;
correspondingly, the core network element may verify the correctness of the identity information and digital signature of the H(e)NB using the public key of the SeGW.
The SeGW may digitally sign the identity information of the H(e)NB using a dynamic session key;
the SeGW may notify the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key, and the HSS/AAA server stores the dynamic session key.
The core network element may obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and verify the identity information of the H(e)NB using the temporary session key.
The identity information of the H(e)NB may be the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB;
the core network element may be an MME, an SGSN or an HNB GW.
A core network element of the embodiment of the present invention is configured to:
receive the identity information sent by a home base station H(e)NB and the digital signature of that identity information by a security gateway SeGW, and verify the correctness of the identity information and the digital signature.
Another core network element of the embodiment of the present invention is configured to: obtain, through a communication interface between the core network element and a security gateway SeGW, the identity information used by a home base station H(e)NB in identity authentication, verify it against the identity information reported by the H(e)NB, and accept the registration of the H(e)NB after the verification passes. Those skilled in the art should understand that the system and core network element for secure home base station access in this example can be understood with reference to the descriptions of Embodiments 1 to 4 above.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be implemented by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, the modules/units in the above embodiments may be implemented in hardware or as software function modules. The present invention is not limited to any particular combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Industrial Applicability
The solution of the embodiments of the present invention prevents an illegitimate H(e)NB from registering directly with a core network element and providing service access to UEs, thereby maintaining network security.

Claims

1. A method for secure home base station access, the method including:
a security gateway SeGW digitally signs the identity information of a home base station H(e)NB and sends the digital signature to the H(e)NB;
the H(e)NB sends the identity information of the H(e)NB and the digital signature to a core network element;
the core network element verifies the correctness of the identity information of the H(e)NB and the digital signature.
2. The method according to claim 1, wherein the step of the SeGW digitally signing the identity information of the H(e)NB includes:
the SeGW obtains the identity information of the H(e)NB when authenticating the identity of the H(e)NB, and digitally signs the identity information of the H(e)NB.
3. The method according to claim 1, wherein the step of the H(e)NB sending the identity information of the H(e)NB and the digital signature to the core network element includes:
the H(e)NB sends the identity information of the H(e)NB and the digital signature to the core network element when the H(e)NB registers.
4. The method according to claim 1, wherein the step of the H(e)NB sending the identity information of the H(e)NB and the digital signature to the core network element includes:
the H(e)NB sends the identity information of the H(e)NB and the digital signature to the core network element when a user equipment UE registers through the H(e)NB.
5. The method according to claim 1, wherein:
the security gateway SeGW digitally signs the identity information of the H(e)NB using the private key of the security gateway;
correspondingly, the core network element verifies the correctness of the identity information of the H(e)NB and the digital signature using the public key of the security gateway.
6. The method according to claim 1, wherein: the SeGW digitally signs the identity information of the H(e)NB using a dynamic session key; the method further includes: the SeGW notifies the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key, and the HSS/AAA server stores the dynamic session key.
7. The method according to claim 6, wherein the step of the core network element verifying the correctness of the identity information of the H(e)NB and the digital signature includes:
the core network element obtains from the AAA/HSS the temporary session key used to sign the identity information of the H(e)NB, and verifies the identity information of the H(e)NB using the temporary session key.
8. The method according to any one of claims 1 to 7, wherein the identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB.
9. The method according to claim 1, further including:
after the core network element successfully verifies the H(e)NB information and the digital signature, the core network element stores the H(e)NB information.
10. The method according to claim 3, wherein the core network element is a home base station gateway H(e)NB GW or a mobility management entity MME.
11. The method according to claim 4, wherein the core network element is an MME, a general packet radio service serving support node SGSN or a mobile switching centre MSC.
12. The method according to claim 3 or 10, wherein, when a UE accesses through the H(e)NB:
after verifying that the identity information of the H(e)NB is correct, the core network element sends the identity information of the H(e)NB to the MME, SGSN or MSC; the MME, SGSN or MSC obtains the CSG ID information supported by the H(e)NB and performs access control on the UE according to the CSG ID information, wherein the MME, SGSN or MSC obtains the CSG ID information from the H(e)NB information or from the HSS/AAA server.
13. The method according to claim 4 or 11, wherein, when a UE accesses through the H(e)NB: after verifying that the identity information of the H(e)NB is correct, the core network element obtains the CSG ID information supported by the H(e)NB and performs access control on the UE according to the CSG ID information, wherein the core network element obtains the CSG ID information from the H(e)NB information or from the HSS/AAA server.
14. The method according to claim 5, wherein the core network element obtains the public key of the SeGW from a configured certificate of the SeGW, or the core network element obtains the public key of the SeGW from a certificate sent by the H(e)NB to the core network element.
15. The method according to claim 1, wherein the SeGW sends the digital signature to the H(e)NB by extending the IKEv2 configuration payload CP.
16. The method according to claim 15, further including: the SeGW sends the H(e)NB identity information to the H(e)NB.
17. A method for secure home base station access, the method including:
when a home base station H(e)NB registers with a core network element, the core network element obtains the identity information of the H(e)NB through a communication interface provided between the core network element and a security gateway SeGW, verifies it against the identity information reported by the H(e)NB, and accepts the registration of the H(e)NB after the verification passes.
18. The method according to claim 17, wherein the core network element is the H(e)NB GW; when no HeNB GW is provided, the core network element is the MME.
19. A system for secure home base station access, including a security gateway SeGW and a core network element, wherein:
the SeGW is configured to digitally sign the identity information of the H(e)NB and send the digital signature of the H(e)NB to the H(e)NB;
the core network element is configured to receive the identity information and digital signature sent by the H(e)NB and verify the correctness of the identity information and the digital signature.
20. The system according to claim 19, wherein:
the SeGW is configured to digitally sign the identity information of the H(e)NB using the private key of the SeGW;
correspondingly, the core network element is configured to verify the correctness of the identity information of the H(e)NB and the digital signature using the public key of the SeGW.
21. The system according to claim 19, wherein the SeGW is configured to: digitally sign the identity information of the H(e)NB using a dynamic session key; and notify the home subscriber server HSS/authentication, authorization and accounting AAA server of the dynamic session key.
22. The system according to claim 21, wherein:
the core network element is configured to: obtain from the AAA/HSS the temporary session key used to digitally sign the identity information of the H(e)NB, and verify the identity information of the H(e)NB using the temporary session key.
23. The system according to any one of claims 19 to 22, wherein the identity information of the H(e)NB is the home base station identifier H(e)NB ID and the internal IP address of the H(e)NB, or the closed subscriber group identifier CSG ID and the internal IP address of the H(e)NB, or the H(e)NB ID, the CSG ID and the internal IP address of the H(e)NB;
the core network element is a mobility management entity MME, a serving GPRS support node SGSN or a home base station gateway H(e)NB GW.
24. The system according to claim 19, wherein the SeGW is further configured to send the identity information of the H(e)NB to the H(e)NB.
25. A core network element, configured to:
receive the identity information sent by a home base station H(e)NB and the digital signature of that identity information by a security gateway SeGW, and verify the correctness of the identity information and the digital signature.
26. A core network element,
configured to: obtain, through a communication interface between the core network element and a security gateway SeGW, the identity information used by a home base station H(e)NB in identity authentication, verify it against the identity information reported by the H(e)NB, and accept the registration of the H(e)NB after the verification passes.
PCT/CN2012/082555 2011-10-31 2012-10-08 Method, system and core network element for secure home base station access WO2013064002A1 (zh)

Priority Applications (5)

Application Number Priority Date Filing Date Title
EP12844878.4A EP2790429B1 (en) 2011-10-31 2012-10-08 Hnb or henb security access method and system, and core network element
US14/355,299 US9467295B2 (en) 2011-10-31 2012-10-08 HNB or HeNB security access method and system, and core network element
IN3216CHN2014 IN2014CN03216A (zh) 2011-10-31 2012-10-08
RU2014118758/08A RU2580399C2 (ru) 2011-10-31 2012-10-08 Method and system for secure access of an HNB or HeNB, and core network element
JP2014537471A JP5977834B2 (ja) 2011-10-31 2012-10-08 Home base station secure access method, system and core network element

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201110337762 2011-10-31
CN201110337762.7 2011-10-31
CN201110364549.5A CN103096311B (zh) 2011-10-31 2011-11-04 Method and system for secure home base station access
CN201110364549.5 2011-11-04

Publications (1)

Publication Number Publication Date
WO2013064002A1 true WO2013064002A1 (zh) 2013-05-10

Family

ID=48191294

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/082555 WO2013064002A1 (zh) 2011-10-31 2012-10-08 Method, system and core network element for secure home base station access

Country Status (7)

Country Link
US (1) US9467295B2 (zh)
EP (1) EP2790429B1 (zh)
JP (1) JP5977834B2 (zh)
CN (1) CN103096311B (zh)
IN (1) IN2014CN03216A (zh)
RU (1) RU2580399C2 (zh)
WO (1) WO2013064002A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019183858A1 (zh) * 2018-03-28 2019-10-03 华为技术有限公司 Unmanned aerial vehicle identity identification method and device

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105472604A (zh) * 2014-09-09 2016-04-06 中兴通讯股份有限公司 Method, device and system for processing the status of a digital certificate
JP6088570B2 (ja) * 2015-03-23 2017-03-01 ソフトバンク株式会社 Mobile communication system and mobile communication method
CN106332079A (zh) * 2015-06-30 2017-01-11 中兴通讯股份有限公司 Connection authentication method for a base station maintenance port, base station and system
CN106454836B (zh) * 2015-08-06 2021-12-31 中兴通讯股份有限公司 Method and device for enhancing the security of device certificate use
CN107360573B (zh) * 2016-05-10 2020-11-27 中兴通讯股份有限公司 Terminal access method and device
CN108616956B (zh) * 2017-01-16 2020-10-20 普天信息技术有限公司 Method for service isolation in a power wireless private network
CN110474875B (zh) * 2017-08-31 2020-10-16 华为技术有限公司 Discovery method and device based on a service-based architecture
CN109511115B (zh) * 2017-09-14 2020-09-29 华为技术有限公司 Authorization method and network element
CN109257212B (zh) * 2018-09-10 2021-09-03 中信科移动通信技术股份有限公司 IAB base station access method
CN109587687A (zh) * 2018-12-04 2019-04-05 西安佰才邦网络技术有限公司 Base station side device and networking method thereof
CN112291785B (zh) * 2020-10-22 2022-07-22 中国联合网络通信集团有限公司 Reward method and device
CN112272376B (zh) * 2020-10-22 2022-07-29 中国联合网络通信集团有限公司 Reward method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442402A (zh) * 2007-11-20 2009-05-27 华为技术有限公司 Method, system and apparatus for authenticating an access point device
CN101715177A (zh) * 2009-11-05 2010-05-26 中兴通讯股份有限公司 Location locking method and location locking system for a network device
CN101784051A (zh) * 2009-01-21 2010-07-21 华为技术有限公司 Platform integrity verification method, network device and network system
CN101795451A (zh) * 2009-02-03 2010-08-04 中兴通讯股份有限公司 Method and system for home base station registration

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101335984B (zh) * 2007-06-25 2011-11-16 华为技术有限公司 Access control method and system for a home micro base station
US20090182618A1 (en) * 2008-01-16 2009-07-16 Yahoo! Inc. System and Method for Word-of-Mouth Advertising
US8886164B2 (en) * 2008-11-26 2014-11-11 Qualcomm Incorporated Method and apparatus to perform secure registration of femto access points
EP2966888A1 (en) * 2009-03-05 2016-01-13 Interdigital Patent Holdings, Inc. Method and apparatus for h(e)nb integrity verification and validation
JP5112363B2 (ja) * 2009-03-05 2013-01-09 日本電信電話株式会社 Life log data management system, management method and program
TWI514896B (zh) * 2010-02-09 2015-12-21 Interdigital Patent Holdings Trusted federated identity method and apparatus
US8509431B2 (en) * 2010-09-20 2013-08-13 Interdigital Patent Holdings, Inc. Identity management on a wireless device
KR101556046B1 (ko) * 2010-12-30 2015-09-30 인터디지탈 패튼 홀딩스, 인크 Authentication and secure channel establishment for communication handoff scenarios

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442402A (zh) * 2007-11-20 2009-05-27 华为技术有限公司 Method, system and apparatus for authenticating an access point device
CN101784051A (zh) * 2009-01-21 2010-07-21 华为技术有限公司 Platform integrity verification method, network device and network system
CN101795451A (zh) * 2009-02-03 2010-08-04 中兴通讯股份有限公司 Method and system for home base station registration
CN101715177A (zh) * 2009-11-05 2010-05-26 中兴通讯股份有限公司 Location locking method and location locking system for a network device

Also Published As

Publication number Publication date
IN2014CN03216A (zh) 2015-07-03
EP2790429A4 (en) 2015-04-15
JP2014535207A (ja) 2014-12-25
CN103096311B (zh) 2018-11-09
CN103096311A (zh) 2013-05-08
EP2790429A1 (en) 2014-10-15
US9467295B2 (en) 2016-10-11
US20140310529A1 (en) 2014-10-16
RU2580399C2 (ru) 2016-04-10
EP2790429B1 (en) 2018-12-05
RU2014118758A (ru) 2015-12-10
JP5977834B2 (ja) 2016-08-24

Similar Documents

Publication Publication Date Title
JP5977834B2 (ja) Secure access method, system and core network element for a home base station
US11405780B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
US11212676B2 (en) User identity privacy protection in public wireless local access network, WLAN, access
US11825303B2 (en) Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
JP5462411B2 (ja) Method and apparatus for supporting synchronization of security settings
JP4965671B2 (ja) Distribution of user profiles, policies and PMIP keys in a wireless communication network
JP6732095B2 (ja) Unified authentication for heterogeneous networks
JP5992554B2 (ja) System and method for authenticating a second client station using the credentials of a first client station
TW200952424A (en) Authenticating a wireless device in a visited network
WO2010130121A1 (zh) Access method and system for a third-generation network
JP2010532596A (ja) Method and apparatus for certificate processing
WO2010012201A1 (zh) Authentication method, communication apparatus and communication system
WO2009152749A1 (zh) Binding authentication method, system and apparatus
WO2009074050A1 (fr) Method, system and apparatus for authenticating an access point device
WO2019029531A1 (zh) Method for triggering network authentication and related device
WO2009152676A1 (zh) AAA server, P-GW, PCRF, and method and system for obtaining a user equipment identity
WO2010069202A1 (zh) Authentication negotiation method and system, security gateway, and home wireless access point
CA2690017C (en) A method for releasing a high rate packet data session
TW201316792A (zh) Authentication method and apparatus for a local area network access network element and terminal equipment
WO2012000313A1 (zh) Home gateway authentication method and system
KR100668660B1 (ko) User authentication processing method for roaming between a portable Internet network and a 3G network, and router performing the same
WO2017000620A1 (zh) Re-authentication identification method, evolved packet data gateway and system
WO2008148348A1 (fr) Communication method, system and home base station
WO2010060296A1 (zh) Authentication method, trusted environment unit and home base station
WO2007124657A1 (fr) Authentication method, system and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12844878; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2012844878; Country of ref document: EP)
ENP Entry into the national phase (Ref document number: 2014537471; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 14355299; Country of ref document: US)
ENP Entry into the national phase (Ref document number: 2014118758; Country of ref document: RU; Kind code of ref document: A)