WO2014110908A1 - Secure data transmission method and lte access network system - Google Patents

Secure data transmission method and LTE access network system

Info

Publication number
WO2014110908A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
lte
lpn
menb
user equipment
Application number
PCT/CN2013/083505
Other languages
French (fr)
Chinese (zh)
Inventor
王昕�
和峰
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement

Definitions

  • the present invention relates to the field of mobile communications, and in particular, to a data security transmission method and a Long Term Evolution (LTE) access network system.
  • LTE Long Term Evolution
  • LPN Low Power Node
  • enhancements for LPN deployment have been identified by the Third Generation Partnership Project (3GPP) as one of the most interesting topics in future network development.
  • 3GPP Third Generation Partnership Project
  • the deployment of LPN in the coverage of the macro network is very different from the traditional macro network in terms of transmission, mobility, security and interference.
  • there is demand for large data volume and high mobility; due to practical limitations and historical factors, the choice of LPN backhaul (Backhaul) is also diverse, the characteristics of each interface differ, and coordination with the macro network is limited.
  • the present invention provides a data security transmission method and an LTE access network system, to at least address the lack in the related art of a heterogeneous network in which a macro base station and a low power node are deployed to provide a joint transmission service for the UE.
  • the present invention provides a data security transmission method for a heterogeneous network based on an LTE system.
  • the heterogeneous network includes: an LTE core network, an LTE access network, and an LTE user equipment.
  • one or more macro base stations (MeNB) are deployed in the LTE access network, and one or more low power nodes (LPN) are deployed within the coverage of each MeNB.
  • the method includes: when the LTE user equipment accesses the MeNB, the MeNB acquires the base station key from the LTE core network, generates a first access layer key from the base station key, and, through the control plane interface with the LTE user equipment, encrypts the corresponding control plane information and user data with the first access layer key, integrity-protects the corresponding control plane information, and then sends them to the LTE user equipment; the MeNB determines an offloading policy for the user data of the LTE user equipment and, through the backhaul link interface between the MeNB and the LPN, sends the corresponding LPN a request to provide a multi-stream transmission service for the LTE user equipment.
  • the MeNB receives the request response sent by the LPN and, according to the offloading policy, encrypts one part of the user data received from the core network with the first access layer key and sends it to the LTE user equipment through the user plane interface with the LTE user equipment, while the other part of the user data is sent to the LPN through the backhaul link interface.
  • the LPN encrypts the corresponding user data with the second access layer key, and sends the encrypted user data to the LTE user equipment through the user plane interface with the LTE user equipment.
  • the first access layer key comprises: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the method further includes: the LPN receives, through the control plane interface between the LPN and the LTE user equipment, the measurement result information reported by the LTE user equipment, and adjusts the scheduling of the LTE user equipment according to the measurement result information.
  • when there is only a user plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption; when there are both a user plane interface and a control plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the first access layer key is the same as or different from the second access layer key; when the two differ, the LTE user equipment needs to support two sets of security algorithms.
  • the MeNB determines the offloading policy for the user data with the radio bearer as the split granularity, according to the network load and the measurement result information reported by the LTE user equipment.
  • the protocol form of the offloading policy includes: a packet data convergence protocol entity for performing security protection, and lower layer protocol entities configured respectively on the MeNB and the LPN, where the lower layer protocol entities include: a radio link control sublayer, a medium access control sublayer, and a physical layer.
  • the method further includes: during the multi-stream transmission service, when a key update is required by the operator, the LTE core network, or the LTE access network, the MeNB sends a key update indication carrying a new access layer key to the LPN through the backhaul link interface; the MeNB receives the key update response fed back by the LPN through the backhaul link interface, and notifies the LTE user equipment of the key update through the control plane interface with the LTE user equipment.
  • the present invention also provides an LTE access network system in which one or more macro base stations (MeNB) are deployed in the LTE access network and one or more low power nodes (LPN) are deployed within the coverage of the MeNB. The MeNB is configured to: when the LTE user equipment accesses the MeNB, obtain the base station key from the LTE core network, generate the first access layer key from the base station key, and, through the control plane interface with the LTE user equipment, encrypt the corresponding control plane information and user data with the first access layer key, integrity-protect the corresponding control plane information, and then send them to the LTE user equipment; determine an offloading policy for the user data of the LTE user equipment, and send to the corresponding LPN, through the backhaul link interface, a request message for providing a multi-stream transmission service for the LTE user equipment, the control plane information required by the LPN, and a second access layer key; receive the request response sent by the LPN and, according to the offloading policy, encrypt one part of the user data received from the core network with the first access layer key and send it to the LTE user equipment through the user plane interface with the LTE user equipment, and send the other part of the user data to the LPN through the backhaul link interface.
  • the LPN is configured to: receive the request message sent by the MeNB for providing the multi-stream transmission service for the LTE user equipment, and return a request response to the MeNB; encrypt the corresponding user data with the second access layer key, and transmit the encrypted user data to the LTE user equipment through the user plane interface with the LTE user equipment.
  • the first access layer key comprises: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the foregoing LPN is further configured to: receive, through its control plane interface with the LTE user equipment, the measurement result information reported by the LTE user equipment, and adjust the scheduling of the LTE user equipment according to that information.
  • when there is only a user plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption; when there are both a user plane interface and a control plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the first access layer key is the same as or different from the second access layer key; when the two differ, the LTE user equipment needs to support two sets of security algorithms.
  • the foregoing MeNB is configured to: determine, according to the network load and the measurement result information reported by the LTE user equipment, the offloading policy for the user data with the radio bearer as the split granularity.
  • the protocol form of the offloading policy includes: a packet data convergence protocol entity for performing security protection, and lower layer protocol entities, provided respectively on the MeNB and the LPN, where each lower layer protocol entity includes: a radio link control sublayer, a medium access control sublayer, and a physical layer.
  • the foregoing MeNB is further configured to: during the multi-stream transmission service, when a key update is required by the operator, the LTE core network, or the LTE access network, send a key update indication carrying a new access layer key to the LPN through the backhaul link interface; receive the key update response fed back by the LPN through the backhaul link interface, and notify the LTE user equipment of the key update through the control plane interface with the LTE user equipment.
  • the beneficial effects of the present invention are as follows: in the embodiment of the present invention, a heavily loaded MeNB can offload part of the user data to an LPN for transmission.
  • signaling in the handover process can be reduced, which reduces the message load of the network.
  • the bandwidth gained by multi-carrier transmission better meets the requirements of large-data-volume services, the shorter-distance LPN transmission is also more power efficient, and the system architecture improves the user experience.
  • the key is transmitted to the LPN through the macro base station in the heterogeneous access network, so that transmission on the radio link between the LPN and the UE can implement the configured security protection function, which ensures the security performance of the system architecture.
  • the technical solution of the embodiment of the present invention can thus provide a good joint transmission service for the UE securely and reliably.
  • FIG. 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the system architecture of the present invention.
  • FIG. 3 is a flowchart of a data security transmission method according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of the user plane and control plane protocols in the embodiment of the present invention.
  • FIG. 6 is a signaling flowchart of Example 1 of the embodiment of the present invention.
  • FIG. 7 is a signaling flowchart of Example 2 of the embodiment of the present invention.
  • FIG. 8 is a signaling flowchart of Example 3 of the embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of an LTE access network system according to an embodiment of the present invention.
  • the present invention provides a system architecture in which a macro base station and a low power node deployed in a heterogeneous network provide a joint transmission service for the UE, and a scheme for realizing secure transmission of data in that architecture.
  • a data security transmission method is provided for a heterogeneous network based on a Long Term Evolution (LTE) system, where the heterogeneous network includes: an LTE core network, an LTE access network, and LTE user equipment; one or more macro base stations (MeNB) are deployed in the LTE access network, and one or more low power nodes (LPN) are deployed within the coverage of the MeNB.
  • FIG. 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention.
  • one or more LPNs are deployed in the coverage area of a MeNB (e.g., in a hotspot area); an LPN may be a low-power micro base station (Pico eNB), a Relay Node, or a Home Base Station (HeNB).
  • the Backhaul interface between the LPN and the MeNB may be a wired interface (such as fiber) or a wireless interface (such as the Un interface).
  • FIG. 2 is a schematic diagram of the system architecture of the present invention. As shown in FIG. 2, the system includes an LTE core network (Core Network, abbreviated CN), an LTE access network composed of MeNBs and LPNs, and LTE user equipment with a multi-data transmission and reception mechanism.
  • the LTE core network is the same as the core network of the existing LTE network.
  • the LTE access network includes the MeNB and the LPN.
  • the MeNB is connected to the core network and to the UE through the existing Control Plane (CP) and User Plane (UP) interfaces; the LPN and the UE may have a UP connection only, or both UP and CP connections; the MeNB and the LPN are connected by a Backhaul interface (wired or wireless) that can carry control signaling and user data.
  • FIG. 3 is a flowchart of a data security transmission method according to an embodiment of the present invention.
  • the data security transmission method includes the following processing. Step 301: When an LTE user equipment accesses an MeNB, the MeNB obtains the base station key from the core network, generates the first access layer key from the base station key, and, through the control plane interface with the LTE user equipment, encrypts the corresponding control plane information and user data with the first access layer key, integrity-protects the corresponding control plane information, and then sends them to the LTE user equipment; that is, before offloading, the MeNB and the LTE user equipment exchange user data and control signaling normally, according to the prior art.
  • the first access layer key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • Step 302: The MeNB determines the offloading policy for the user data: according to at least the network load and the measurement result information reported by the LTE user equipment (the MeNB may also use other information), the MeNB determines an offloading policy for the user data with the radio bearer as the split granularity.
  • the protocol form of the offloading policy includes: a packet data convergence protocol entity for performing security protection on the MeNB and the LPN, and lower layer protocol entities, where each lower layer protocol entity includes: a radio link control sublayer, a medium access control sublayer, and a physical layer.
  • Step 303: The MeNB receives the request response sent by the LPN and, according to the offloading policy, encrypts one part of the user data received from the core network with the first access layer key and sends it to the LTE user equipment, while the other part of the user data is sent to the LPN through the backhaul link interface.
  • the LPN encrypts the corresponding user data with the second access layer key, and sends the encrypted user data to the LTE user equipment through the user plane interface with the LTE user equipment.
  • the LPN can also receive the measurement result information reported by the LTE user equipment through the control plane interface with the LTE user equipment, and adjust the scheduling of the LTE user equipment according to that information.
  • when there is only a user plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption; when there are both a user plane interface and a control plane interface between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the first access layer key is the same as or different from the second access layer key; when the two differ, the LTE user equipment needs to support two sets of security algorithms.
  • during the multi-stream transmission service, when a key update is required by the operator, the LTE core network, or the LTE access network, the MeNB sends a key update indication carrying a new access layer key to the LPN through the backhaul link interface; the MeNB receives the key update response fed back by the LPN through the backhaul link interface, and notifies the LTE user equipment of the key update through the control plane interface with the LTE user equipment.
  • the MeNB is responsible for all control signaling with the UE on the one hand, and on the other hand for the control plane information required by the LPN, so that the LPN can hold the necessary UE context information, configure each protocol layer, and schedule the UE effectively.
  • preferably, the LPN and the UE may also have a CP connection (which may carry part of the functions of the existing CP connection), so as to obtain information such as the UE's measurement results more promptly and adjust the scheduling strategy quickly.
  • according to the offloading policy it has determined, the MeNB sends one part of the UE user data received from the core network to the UE through its UP connection with the UE, and sends the other part to the LPN through the Backhaul interface; the LPN then sends it to the UE through the air interface according to the prior art.
  • the UE data offloading policy determined by the MeNB may use the radio bearer (Radio Bearer, RB) as the split granularity, that is, for services with different Quality of Service (QoS), the MeNB may decide, according to their QoS characteristics, to transmit them to the UE through different carrier links. For example, real-time services (such as voice) are transmitted on the link between the MeNB and the UE, while services with large data volume and delay tolerance (such as video download) are offloaded to the LPN and then transmitted to the UE.
  • QoS Quality of Service
  • FIG. 4 is a schematic diagram of a feasible protocol form of the offloading policy according to an embodiment of the present invention. As shown in FIG. 4, it covers the user plane part in which the MeNB transmits the offloaded data to the LPN and then to the UE (upstream data).
  • the Backhaul interface protocol between the MeNB and the LPN may take other forms depending on the wired/wireless characteristics of the specific interface (for example, GTP-U may be replaced by another protocol).
  • PDCP Packet Data Convergence Protocol
  • on the network side, a Packet Data Convergence Protocol (PDCP) entity and the lower layer protocol entities below it (Radio Link Control (RLC), Medium Access Control (MAC), and Physical Layer (PHY)) are located at the MeNB and at the LPN respectively.
  • a heavily loaded MeNB can offload part of the user data to the LPN for transmission.
  • signaling in the handover process can be reduced, which reduces the message load of the network.
  • the bandwidth gained by multi-carrier transmission better meets the needs of large data services, and power consumption is also more efficient with the closer LPN transmission.
  • the system architecture improves the user experience. When messages are transmitted between the user and the access network over the wireless interface, the network side needs to provide a sufficient security protection mechanism to prevent the messages from being intercepted and easily cracked by an attacker.
  • when the UE attaches to the network, the MeNB acquires a base station key (eNB Key, denoted KeNB) from the core network and/or derives an access stratum key (AS Key) from it.
  • the AS Key includes a user plane encryption key (UP Key, KUPenc), a control plane encryption key (RRC Key, KRRCenc), and a control plane integrity key (RRC Key, KRRCint), which are used respectively for encryption of user plane data, encryption of control plane signaling, and integrity protection of control plane signaling.
  • the MeNB uses the AS Key and the corresponding encryption/integrity algorithm to apply the configured security protection to the information it sends, and after receiving it the UE performs decryption/integrity verification according to the corresponding key and algorithm.
  • these functions are all located in the PDCP layer of the protocol stack.
  • the LPN is only a cooperating base station that performs the offloaded data transmission task in the access network and has no direct information interaction with the core network; and because the MeNB and the LPN use the RB as the offloading granularity to provide the joint data transmission service to the UE, a PDCP layer is located at the MeNB and at the LPN respectively.
  • the embodiment of the present invention therefore proposes the following solution:
  • the LPN obtains a security key (AS Key) from the MeNB, and applies the corresponding configured security protection to the offloaded data, and to any control signaling, transmitted on the radio interface.
  • the security key refers to the AS Key derived by the MeNB from KeNB; the MeNB determines, according to the network configuration and the UE capability (support for one or two sets of security contexts), whether the AS Key transmitted to the LPN is the same as the AS Key used by the MeNB itself.
  • the security key differs according to the specific offloading mode: if only offloaded data is transmitted between the LPN and the UE (that is, UP only), the AS Key only includes the UP Key, that is, KUPenc; if both offloaded data and control signaling are transmitted between the LPN and the UE (that is, UP and CP, even if only part of the CP), the AS Key includes the UP Key and the RRC Key, that is, KUPenc, and at least one of KRRCenc and KRRCint.
  • the conditions under which the LPN obtains the security key from the MeNB include (but are not limited to):
  • the MeNB transmits the necessary information such as the offloading bearer and the security key to the LPN through the Backhaul interface;
  • the key is updated, that is, when during the joint transmission service the operator, the core network, or the MeNB/LPN itself requires the UE key to be updated, the MeNB transmits the updated security key to the LPN through the Backhaul interface.
  • the key is transmitted to the LPN through the macro base station in the heterogeneous access network, so that transmission on the radio link between the LPN and the UE can implement the configured security protection function, which guarantees the security performance of the system architecture.
  • Example 1: An MeNB and an LPN are deployed in the network. These two nodes constitute the access network of the system architecture of the present invention, the LPN carrying the transmission of the offloaded data. The network side decides to provide the UE with a cross-base-station multi-stream joint transmission service.
  • Step 1: The UE accesses the macro cell established by the MeNB according to the existing LTE procedure, establishing a CP connection (RRC Connection) that can carry control plane information and a UP connection that can carry user data.
  • the MeNB obtains the KeNB from the core network, derives the AS Key (including the UP Key and the RRC Key), and uses the AS Key to protect the messages exchanged with the UE.
  • Step 2: The MeNB decides, according to the network load and the measurement report of the UE, to offload a certain data bearer of the UE to the LPN, while the remaining bearers are still transmitted on the radio link between the MeNB and the UE.
  • the MeNB transmits the necessary UE context and similar information to the LPN through the Backhaul interface to request that it provide the multi-stream transmission service for the UE.
  • the information may be carried in a message called a "bearer setup request" (it may be another existing message or a new message; the same applies to the message names mentioned below), which includes the relevant parameters of the offloading bearer, the security capabilities of the UE, and the like.
  • the message should carry an AS Key derived by the MeNB from the KeNB. In this example there is only a UP connection between the LPN and the UE (as shown in FIG.), so the AS Key transmitted by the MeNB to the LPN only includes the UP Key (KUPenc).
  • the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, that is, the messages the UE sends/receives on the two wireless carriers with the MeNB and the LPN are encrypted/decrypted and integrity protected/verified using different security keys respectively.
  • after the LPN agrees to establish the offloading bearer, it replies with a response message, which may be called a "bearer setup response" message and may carry the list of admitted bearers and the specific configuration of the UE protocol layers.
  • Step 3: After receiving the LPN's response agreeing to the offload, the MeNB notifies the UE to access the cell established by the LPN.
  • in this example the UE only has a UP connection with the LPN, and the user data transmitted on that wireless carrier is encrypted with the key (KUPenc) according to the configuration; that is, the sender (such as the MeNB or the LPN) and the receiver can each encrypt and decrypt the user data exchanged over the wireless link using a valid key and a known algorithm, and the security requirements of the network are met.
  • Example 2: The deployment scenario is the same as in Example 1. While the MeNB and the LPN provide joint transmission for the UE, the MeNB side updates the key and then needs to notify the LPN of the updated key so that it can perform the security functions effectively.
  • FIG. 7 is a signaling flowchart of Example 2 of the embodiment of the present invention. As shown in FIG. 7, it may include the following. Step 1: In the system architecture of the embodiment of the present invention, the UE has a wireless connection with the MeNB and with the LPN respectively.
  • the UE and the MeNB have CP and UP connections, as in the prior art.
  • a UP connection is established between the UE and the LPN.
  • the LPN applies security protection (encryption/decryption) to the data transmitted between it and the UE using the UP Key (KUPenc) obtained from the MeNB and the configured algorithm.
  • KUPenc UP Key
  • Step 2: While the UE is connected to the network, the key may be updated according to the requirements of the operator, the core network, or the access network itself. After updating its own key, the MeNB needs to notify the LPN of the updated key.
  • the information can be carried in a message called a "key update indication" and passed to the LPN via the Backhaul interface.
  • the message may also carry an indication of whether the key is updated, together with the updated key.
  • this example takes a UP-only connection between the LPN and the UE, so the message carries the updated UP Key (KUPenc').
  • the new AS Key transmitted by the MeNB to the LPN may be the same as or different from the new AS Key used by the MeNB itself.
  • if they differ, the MeNB must know that the UE can support two different security contexts, that is, the data the UE transmits/receives on the two wireless carriers with the MeNB and the LPN is encrypted/decrypted using different security keys respectively. It should be noted that when the MeNB and the LPN use different keys, it may be that only the LPN side needs to update its key at a given time and the MeNB does not; then the MeNB derives the updated key for the LPN and notifies the LPN (because in this architecture the MeNB and the LPN exchange necessary information related to packet transmission in real time, the MeNB will learn in time that the LPN side needs to update its key).
  • after successfully updating the key, the LPN may reply with a response message, such as a message called "Key Update Response".
  • the MeNB also needs to notify the UE of the key update.
  • the cross-base-station offload joint transmission service may then continue, with the data exchanged between the UE and the LPN in the access network encrypted/decrypted using the new key and algorithm.
  • Example 3: The deployment scenario is the same as in Example 1. In the architecture in which the MeNB and the LPN provide the UE with the inter-base-station multi-stream joint transmission service, this example takes both a CP and a UP connection between the LPN and the UE.
  • FIG. 8 is a signaling flowchart of Example 3 of the embodiment of the present invention. As shown in FIG. 8, it may include the following. Step 1: When the MeNB decides to provide a cross-base-station multi-stream transmission service for a UE accessing its cell, the MeNB transmits information such as the UE context to the LPN through the Backhaul interface, carried in the "bearer setup request" message. Besides the necessary information about the offloading bearer parameters and the security capabilities of the UE, the message also needs to include the AS Key derived by the MeNB from the KeNB.
  • the AS Key transmitted by the MeNB to the LPN needs to include the UP Key and the RRC Key (KUPenc, and at least one of KRRCenc and KRRCint).
  • the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different sets of security contexts.
  • Step 3: During the multi-stream service, if the network side (including the operator, the core network, the MeNB, and the LPN) needs to update the key, the MeNB needs to notify the LPN of the updated key.
  • the information can be carried in a message called a "key update indication" and passed to the LPN via the Backhaul interface.
  • the message carries an indication of "whether the key is updated" and the updated key.
  • this example takes both a UP and an RRC connection between the LPN and the UE, so the new AS Key transmitted by the MeNB to the LPN needs to include the UP Key and the RRC Key (KUPenc', and at least one of KRRCenc' and KRRCint').
  • the new AS Key transmitted by the MeNB to the LPN may be the same as or different from the new AS Key used by the MeNB itself.
  • if they differ, the MeNB must know that the UE can support two different sets of security contexts.
  • after successfully updating the key, the LPN may reply with a response message, such as a message called "Key Update Response".
  • the MeNB needs to notify the UE of information such as update of the key and change of the protocol layer configuration.
  • the service of the cross-base station offload joint transmission may be continued, and the UE and the access network
  • the user data and control signaling that the MeNB interacts with the LPN uses the new key and algorithm to perform effective encryption and secure security protection according to the configuration.
  • a part of user data can be offloaded to the LPN for transmission by the heavily loaded MeNB, and the UE can also reduce the signaling in the handover process when moving between the Small cells.
  • the key is transmitted to the LPN through the macro base station in the heterogeneous access network, so that the transmission on the radio link between the LPN and the UE can implement the configured security protection function. , to ensure the security of the system architecture.
  • an LTE access network system is provided.
  • One or more macro base stations (MeNB) are deployed in an LTE access network, and one or more low power nodes (LPN) are deployed in the coverage area of the MeNB.
  • FIG. 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention. As shown in FIG. 1, one or more LPNs are deployed within the coverage of the MeNB (for example in a hotspot area). The LPN may be a low power micro base station (Pico eNB), a relay node (Relay Node) or a home base station (HeNB).
  • the Backhaul interface between the LPN and the MeNB can be a wired interface (such as fiber) or a wireless interface (such as the Un interface).
  • FIG. 2 is a schematic diagram of the system architecture of the present invention. As shown in FIG. 2, the system includes an LTE core network (Core Network, CN), an LTE access network composed of an MeNB and an LPN, and LTE user equipment with a multi-stream transmission and reception mechanism. The core network is the same as that of the existing LTE network; the LTE access network includes the MeNB and the LPN.
  • FIG. 9 is a schematic structural diagram of an LTE access network system according to an embodiment of the present invention.
  • an LTE access network according to an embodiment of the present invention includes: an MeNB 90, and an LPN 92.
  • the modules are described in detail below.
  • the MeNB 90 is configured to: when the LTE user equipment accesses the MeNB 90, acquire a base station key from the core network, generate a first access stratum (AS) key from the base station key, and, through the control plane interface between itself and the LTE user equipment, encrypt the corresponding control plane information and user data with the first AS key, integrity-protect the corresponding control plane information, and send them to the LTE user equipment; determine the offloading policy for the user data of the LTE user equipment, and, through its backhaul interface with the LPN 92, send the corresponding LPN 92 a request message to provide a multi-stream transmission service for the LTE user equipment, the control plane information required by the LPN 92, and a second AS key.
  • the first AS key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the foregoing MeNB 90 is configured to determine the offloading policy for the user data, with the radio bearer as the offloading granularity, at least according to the network load and the measurement result information reported by the LTE user equipment.
  • when the radio bearer is the offloading granularity, the protocol stack form of the offloading policy is: the MeNB 90 and the LPN 92 are each provided with a Packet Data Convergence Protocol (PDCP) entity that performs the security protection, and with the lower layer protocol entities, namely the radio link control sublayer, the medium access control sublayer and the physical layer.
  • the foregoing MeNB 90 is further configured to: when a key update is required during the multi-stream transmission service according to the requirements of the operator, the LTE core network or the LTE access network, send a key update indication carrying a new AS key to the LPN 92 through the backhaul interface; receive the key update response fed back by the LPN 92 through the backhaul interface; and notify the LTE user equipment of the key update through the control plane interface between itself and the LTE user equipment.
  • the LPN 92 is configured to: receive the request message sent by the MeNB 90 to provide a multi-stream transmission service for the LTE user equipment, and send a request response to the MeNB 90; encrypt the corresponding user data with the second AS key, and send the encrypted user data to the LTE user equipment through the user plane interface between itself and the LTE user equipment.
  • the LPN 92 is further configured to: receive, by using a control plane interface with the LTE user equipment, the measurement result information reported by the LTE user equipment, and adjust the scheduling of the LTE user equipment according to the measurement result information.
  • when there is only a user plane interface between the LPN 92 and the LTE user equipment, the second AS key includes: a user plane encryption key for user plane data encryption; when there are both a user plane interface and a control plane interface between the LPN 92 and the LTE user equipment, the second AS key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.
  • the first AS key is the same as or different from the second AS key; when they are different, the LTE user equipment needs to support two sets of security algorithms (two security contexts).
  • the MeNB is on the one hand responsible for all control signaling with the UE, and on the other hand responsible for providing the control plane information required by the LPN, so that the LPN holds the necessary UE context, can configure each protocol layer, and can schedule the UE effectively.
  • the LPN and the UE may also have a CP connection (which may be part of the function of the existing CP connection), so as to obtain information such as measurement results of the UE in a timely manner, so as to quickly adjust the scheduling policy.
  • according to the offloading policy it has determined, the MeNB sends one part of the UE's user data received from the core network to the UE over the UP connection between itself and the UE, and sends the other part to the LPN over the Backhaul interface; the LPN then sends it to the UE over the air interface.
  • the granularity of the offloading policy determined by the MeNB may be the radio bearer (Radio Bearer, RB); that is, for services with different quality of service (QoS), the MeNB may decide according to their QoS characteristics which carrier link delivers them to the UE. For example, real-time services (such as voice) are transmitted on the link between the MeNB and the UE, while services with large data volume and delay tolerance (such as video download) are offloaded to the LPN and then transmitted to the UE.
  • FIG. 4 is a schematic diagram of a feasible protocol stack form of the offloading policy according to an embodiment of the present invention. As shown in FIG. 4, it includes the user plane part by which the MeNB transmits the offloaded data to the LPN and on to the UE (the reverse direction for uplink data), the interface between the MeNB and the LPN, and the control plane part of the possible interface between the LPN and the UE.
  • the Backhaul interface protocol between the MeNB and the LPN may take other forms depending on the wired/wireless characteristics of the specific interface (for example, GTP-U may be replaced by another protocol). It can be seen that when the RB is the offloading granularity, the network side has a Packet Data Convergence Protocol (PDCP) entity and the lower layer protocol entities (Radio Link Control (RLC), Medium Access Control (MAC) and the physical layer) at both the MeNB and the LPN.
  • FIG. 5 is a schematic diagram of a user plane and a control plane protocol in the embodiment of the present invention.
  • with this architecture, a heavily loaded MeNB can offload part of the user data to the LPN for transmission; the signaling in the handover process and the message load on the network are reduced; the bandwidth widening of multi-carrier transmission better meets the demand of services with large data volume; transmission via the nearer LPN is also more power-efficient; and the system architecture therefore improves the user experience.
  • the network side needs to provide sufficient security protection mechanism to prevent the message from being intercepted and easily cracked by the attacker.
  • the MeNB acquires the base station key (eNB Key, denoted KeNB) from the core network and derives the Access Stratum Key (AS Key) from it.
  • the AS Key includes a user plane encryption key (UP Key, KUPenc), a control plane encryption key (RRC Key, KRRCenc) and a control plane integrity protection key (RRC Key, KRRCint), used respectively for user plane data encryption, control plane signaling encryption and control plane signaling integrity protection.
  • the MeNB uses the AS Key and the corresponding encryption/integrity algorithms to apply the configured security protection to the information it sends; after receiving it, the UE performs decryption/integrity verification with the corresponding key and algorithm. These functions are all located in the PDCP layer of the protocol stack.
  • in the architecture of the embodiment, however, the LPN is only a cooperating base station that performs the offloaded data transmission task within the access network and has no direct information exchange with the core network; and because the MeNB and the LPN offload data with the RB as the granularity and jointly provide the data transmission service to the UE, a PDCP layer is located at the MeNB and at the LPN respectively.
  • therefore, the LPN cannot obtain KeNB from the core network, and its PDCP layer cannot apply encryption/integrity protection to the offloaded data and the possible control signaling; this security problem is extremely serious. For this reason, in the architecture of the embodiment, for a UE that obtains the joint transmission service, the MeNB needs to transmit the necessary key to the LPN that carries the offloaded transmission. However, if the MeNB transmitted KeNB to the LPN so that the LPN could derive the AS Key itself, then, because the LPN is physically less protected than the MeNB and is easy for an attacker to break into, the risk of key leakage would be high.
  • the embodiment of the present invention proposes the following solutions:
  • the LPN obtains the security key (AS Key) from the MeNB, and applies the configured security protection to the offloaded data and the possible control signaling transmitted on the radio interface.
  • the security key refers to the AS Key derived by the MeNB from KeNB; the MeNB decides, according to the network configuration and the UE capability (support for one or two sets of security contexts), whether the AS Key transmitted to the LPN is the same as the AS Key used by the MeNB itself.
  • the security key differs according to the specific split mode: if only offloaded data is transmitted between the LPN and the UE (that is, UP only), the AS Key includes only the UP Key, i.e. KUPenc; if both offloaded data and control signaling are transmitted between the LPN and the UE (that is, UP and CP, even if only part of the CP), the AS Key includes both the UP Key and the RRC Key, i.e. KUPenc, and at least one of KRRCenc and KRRCint.
  • the occasions on which the LPN obtains the security key from the MeNB include (but are not limited to):
  • initial offloading, when the MeNB transmits the necessary information such as the offload bearer and the security key to the LPN through the Backhaul interface;
  • key update, that is, during the joint transmission service, when the UE's key is to be updated at the request of the operator, the core network or the MeNB/LPN itself, the MeNB transmits the updated security key to the LPN through the Backhaul interface.
  • by transmitting the key to the LPN through the macro base station in the heterogeneous access network, the transmission on the radio link between the LPN and the UE can implement the configured security protection function, which guarantees the security of the system architecture.
  • Example 1 The MeNB and the LPN are deployed in the network. These two nodes constitute the access network of the system architecture of the present invention, and the LPN bears the transmission of the offloaded data.
  • Step 1 The UE accesses the macro cell established by the MeNB according to the existing LTE procedure, and a CP connection (RRC Connection) for transmitting control plane information and a UP connection for transmitting user data are established.
  • the MeNB obtains KeNB from the core network, derives the AS Key (including the UP Key and the RRC Key), and uses the AS Key together with the configured algorithms to protect the control plane information and user data exchanged with the UE.
  • Step 2 The MeNB decides to offload a certain data bearer of the UE to the LPN according to the network load and the measurement report of the UE, and the remaining bearers are still transmitted on the radio link between the MeNB and the UE.
  • the MeNB transmits the necessary UE context and the like to the LPN through the Backhaul interface to request that it provide the multi-stream transmission service for the UE.
  • the information may be carried in a message called a “bearer setup request” (it may be another existing message or a new message; the same applies to the other message names mentioned below), which includes the relevant parameters of the offload bearer, the security capabilities of the UE, and the like.
  • the message should carry the AS Key derived by the MeNB from KeNB.
  • if there is only a UP connection between the LPN and the UE (as shown in FIG. 6, that is, the LPN only carries the transmission of the offloaded data), then the AS Key transmitted by the MeNB to the LPN contains only the UP Key (such as KUPenc).
  • the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS keys are different, the MeNB must know that the UE can support two different security contexts, that is, the messages sent/received by the UE on the two wireless carriers with the MeNB and the LPN are respectively encrypted/decrypted using different security keys. And integrity protection/verification.
  • after the LPN has agreed to and established the offload bearer, it replies with a response message, which may be called a “bearer setup response”; the message may carry the list of admitted bearers and the specific configuration of the UE's protocol layers.
  • Step 3 After receiving the LPN's response accepting the offload, the MeNB notifies the UE to access the cell established by the LPN.
  • in this example the UE has only a UP connection with the LPN, so the user data transmitted on that radio carrier is encrypted with the key (KUPenc) and the configured algorithm; that is, the sender (MeNB or LPN) and the receiver (UE) apply the same key and algorithm to the data they exchange on the radio link between them.
  • Example 2 The deployment scenario is the same as in Example 1. When the MeNB side updates the key, it needs to notify the LPN of the updated key so that the LPN can continue to perform the security protection function effectively.
  • FIG. 7 is a signaling flowchart of Example 2 of the embodiment of the present invention. As shown in FIG. 7, the following may be included. Step 1 In the system architecture of the embodiment, the UE has established radio connections with both the MeNB and the LPN, and thereby obtains the cross-base-station multi-stream joint transmission service.
  • between the UE and the MeNB there are both CP and UP connections, as in the prior art; between the UE and the LPN only a UP connection is established.
  • the LPN uses the UP Key (KUPenc) obtained from the MeNB and the configured algorithm to encrypt/decrypt the data transmitted between itself and the UE.
  • Step 2 While the UE is connected to the network, the key may be updated according to the requirements of the operator, the core network or the access network itself. After updating its own key, the MeNB must notify the LPN of the updated key. For example, the information can be carried in a message called a “key update indication” and passed to the LPN via the Backhaul interface.
  • the message may also carry an indication of whether the key is updated, together with the updated key.
  • this example takes the UP connection between the LPN and the UE as its case, so the message carries the updated UP Key (such as KUPenc').
  • the New AS Key transmitted by the MeNB to the LPN may be the same as or different from the New AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, that is, the data transmitted/received by the UE on the two radio carriers with the MeNB and the LPN are encrypted/decrypted with different security keys. It should be noted that when the MeNB and the LPN use different keys, there may be times when only the LPN side needs a key update and the MeNB does not; the MeNB then derives the updated key for the LPN and notifies the LPN (because in this architecture the MeNB and the LPN exchange the necessary information about data packet transmission in real time, the MeNB learns in time that the LPN side needs a key update).
  • the LPN may reply to the response message after successfully updating the key, such as a message called "Key Update Response".
  • the MeNB also needs to notify the UE of the update of the key.
  • the service for cross-base station offload joint transmission may be continued, and the data exchanged between the UE and the LPN in the access network uses a new key and algorithm for encryption/decryption security protection.
  • Example 3 The deployment scenario is the same as in Example 1. In the architecture in which the MeNB and the LPN provide the UE with the cross-base-station multi-stream joint transmission service, this example takes the case of both CP and UP connections between the LPN and the UE.
  • FIG. 8 is a signaling flowchart of Example 3 of the embodiment of the present invention. As shown in FIG. 8, the following may be included. Step 1 When the MeNB decides to provide the cross-base-station multi-stream transmission service for a UE that has accessed its cell, the MeNB transmits information such as the UE context to the LPN through the Backhaul interface, for example carried in the “bearer setup request” message. In addition to the necessary information such as the offload bearer parameters and the security capabilities of the UE, the message also needs to include the AS Key derived by the MeNB from KeNB.
  • this example takes the case of UP and RRC connections between the LPN and the UE, so the AS Key transmitted by the MeNB to the LPN needs to include the UP Key and the RRC Key (KUPenc, and at least one of KRRCenc and KRRCint).
  • the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, then the MeNB must know that the UE can support two different sets of security contexts.
  • Step 3 In the process of the multi-stream service, if the network side (including the operator, the core network, the MeNB, and the LPN) has a need to update the key, the MeNB needs to notify the LPN of the updated key.
  • the information can be carried in a message called a "key update indication" and passed to the LPN via the Backhaul interface.
  • the message carries an indication of "whether the key is updated" and the updated key.
  • this example takes the case of UP and RRC connections between the LPN and the UE, so the New AS Key transmitted by the MeNB to the LPN needs to include the UP Key and the RRC Key (KUPenc', and at least one of KRRCenc' and KRRCint').
  • the New AS Key transmitted by the MeNB to the LPN may be the same as or different from the New AS Key used by the MeNB itself.
  • the MeNB must know that the UE can support two different sets of security contexts.
  • the LPN may reply to the response message after successfully updating the key, such as a message called "Key Update Response".
  • the MeNB needs to notify the UE of information such as update of the key and change of the protocol layer configuration.
  • the cross-base-station offload joint transmission service may then continue, with the user data and control signaling exchanged between the UE and the LPN in the access network encrypted and integrity-protected according to the configuration using the new key and algorithm.
  • a part of user data can be offloaded to the LPN for transmission by the heavily loaded MeNB, and the UE can also reduce the signaling in the handover process when moving between the Small cells.
  • the key is transmitted to the LPN through the macro base station in the heterogeneous access network, so that the transmission on the radio link between the LPN and the UE can implement the configured security protection function, ensuring the security of the system architecture.
  • the technical solution of the embodiment of the present invention can provide a good joint transmission service for the UE securely and reliably.
  • the algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device.
  • Various general purpose systems can also be used with the teaching based on the teachings herein. From the above description, the structure required to construct such a system is obvious.
  • the invention is not directed to any particular programming language. It is to be understood that the invention may be embodied in a variety of programming languages, and the description of a specific language above is given in order to disclose the preferred embodiments of the invention. Numerous specific details are set forth in the description provided herein. However, it is understood that the embodiments of the invention may be practiced without these specific details.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • all features disclosed in the specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination, except for combinations in which the features are mutually exclusive.
  • Each feature disclosed in the specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent, or similar purpose, unless otherwise stated.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • the word “comprising” does not exclude the presence of elements or steps not listed in a claim.
  • the invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item.
  • the use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
  • a data security transmission method and an LTE access network system provided by the embodiments of the present invention have the following beneficial effects:
  • a heavily loaded MeNB can offload part of the user data to an LPN for transmission; when the UE moves between small cells, the signaling in the handover process and the message load on the network are reduced; the bandwidth widening of multi-carrier transmission better meets the demand of services with large data volume; transmission via the nearer LPN is also more power-efficient; and the system architecture improves the user experience.
  • the key is transmitted to the LPN through the macro base station in the heterogeneous access network, so that the transmission on the radio link between the LPN and the UE can implement the configured security protection function, which ensures the security of the system architecture.
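A worked example of the key handling described in the security rationale above and in Examples 1 to 3, added here as an editorial illustration rather than code from the patent or from ZTE: the MeNB derives the AS Key set from KeNB with the standard 3GPP algorithm-key derivation (TS 33.401 Annex A.7: HMAC-SHA-256 with FC 0x15, keeping the 128 least significant bits), hands the LPN only the subset its split mode needs in the "bearer setup request", and later pushes a re-derived set in a "key update indication" that the LPN answers with a "Key Update Response". KeNB itself is never placed in a Backhaul message, which is the property the rationale is after. Everything the patent does not state is an assumption and is marked as such in the code: the sample KeNB values, the algorithm identities, the message field layouts, and the counter-bound derivation used to produce a second AS key that differs from the MeNB's own.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Algorithm type distinguishers from 3GPP TS 33.401 Annex A.7.
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05


def kdf(key: bytes, s: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.401 Annex A): HMAC-SHA-256 of the input string S under key."""
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_alg_key(kenb: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm key derivation (TS 33.401 A.7): S = FC 0x15 || P0 (type) || L0 || P1 (alg id) || L1.
    A 128-bit key is the 128 least significant bits of the 256-bit KDF output."""
    s = bytes([0x15, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return kdf(kenb, s)[16:]


def derive_as_keys(kenb: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """The AS Key set named in the patent: KUPenc, KRRCenc, KRRCint."""
    return {"KUPenc": derive_alg_key(kenb, UP_ENC_ALG, enc_alg_id),
            "KRRCenc": derive_alg_key(kenb, RRC_ENC_ALG, enc_alg_id),
            "KRRCint": derive_alg_key(kenb, RRC_INT_ALG, int_alg_id)}


def lpn_key_subset(as_keys: dict, lpn_has_cp: bool) -> dict:
    """Hand the LPN only what its split mode needs: UP-only -> KUPenc; UP+CP -> UP and RRC keys."""
    return dict(as_keys) if lpn_has_cp else {"KUPenc": as_keys["KUPenc"]}


def derive_lpn_root(kenb: bytes, counter: int) -> bytes:
    """ASSUMPTION: the patent does not say how a distinct second AS key is produced. Here a
    counter-bound sub-key is derived from KeNB so the LPN's keys differ from the MeNB's while
    KeNB itself still never leaves the MeNB (FC 0x1C and the 2-byte counter are assumptions)."""
    return kdf(kenb, bytes([0x1C]) + counter.to_bytes(2, "big") + bytes([0x00, 0x02]))


@dataclass
class MeNB:
    kenb: bytes                 # KeNB from the core network; never placed in a Backhaul message
    enc_alg_id: int = 2         # EEA2 / EIA2 picked from the UE security capability (assumed)
    int_alg_id: int = 2
    lpn_counter: int = 0
    as_keys: dict = field(init=False)

    def __post_init__(self):
        self.as_keys = derive_as_keys(self.kenb, self.enc_alg_id, self.int_alg_id)

    def keys_for_lpn(self, lpn_has_cp: bool, separate_context: bool) -> dict:
        """Second AS key: identical to the first, or a distinct set if the UE supports two contexts."""
        if separate_context:
            self.lpn_counter += 1
            full = derive_as_keys(derive_lpn_root(self.kenb, self.lpn_counter),
                                  self.enc_alg_id, self.int_alg_id)
        else:
            full = self.as_keys
        return lpn_key_subset(full, lpn_has_cp)

    def bearer_setup_request(self, bearers, ue_sec_cap, lpn_has_cp, separate_context) -> dict:
        """Example 1, Step 2: 'bearer setup request' over the Backhaul carrying the derived AS Key."""
        return {"msg": "bearer setup request", "offload_bearers": list(bearers),
                "ue_security_capability": set(ue_sec_cap), "lpn_has_cp": lpn_has_cp,
                "as_key": self.keys_for_lpn(lpn_has_cp, separate_context)}

    def rekey(self, new_kenb: bytes, lpn_has_cp: bool, separate_context: bool) -> dict:
        """Examples 2/3: after a key update the MeNB re-derives and sends a 'key update indication'."""
        self.kenb = new_kenb
        self.as_keys = derive_as_keys(new_kenb, self.enc_alg_id, self.int_alg_id)
        return {"msg": "key update indication", "key_updated": True,
                "new_as_key": self.keys_for_lpn(lpn_has_cp, separate_context)}


@dataclass
class LPN:
    keys: dict = field(default_factory=dict)   # derived AS keys only; no KeNB is ever stored here

    def on_bearer_setup_request(self, req: dict) -> dict:
        self.keys = dict(req["as_key"])
        return {"msg": "bearer setup response", "admitted_bearers": list(req["offload_bearers"])}

    def on_key_update_indication(self, ind: dict) -> dict:
        if ind["key_updated"]:
            self.keys = dict(ind["new_as_key"])
        return {"msg": "Key Update Response", "ok": True}


def run_example(lpn_has_cp: bool, separate_context: bool) -> dict:
    """Setup (Example 1) followed by a key update (Examples 2/3) with constructed key material."""
    kenb1 = hashlib.sha256(b"constructed KeNB #1 (not a real key)").digest()
    kenb2 = hashlib.sha256(b"constructed KeNB #2 (not a real key)").digest()
    menb, lpn = MeNB(kenb=kenb1), LPN()
    lpn.on_bearer_setup_request(menb.bearer_setup_request(
        ["DRB2"], {"EEA2", "EIA2"}, lpn_has_cp, separate_context))
    before = dict(lpn.keys)
    resp = lpn.on_key_update_indication(menb.rekey(kenb2, lpn_has_cp, separate_context))
    # After the LPN's response the MeNB still has to tell the UE about the new key (RRC side, not modelled).
    leaked = any(v in (kenb1, kenb2) for v in list(before.values()) + list(lpn.keys.values()))
    return {"lpn_keys_before": before, "lpn_keys_after": dict(lpn.keys),
            "menb_kupenc": menb.as_keys["KUPenc"], "kenb_on_lpn": leaked, "response": resp}
```

`run_example(lpn_has_cp=False, separate_context=False)` walks through Examples 1 and 2 (UP-only LPN, one shared context, so the LPN's KUPenc equals the MeNB's); `run_example(True, True)` walks through Example 3 with two security contexts. Because the derivation is one-way, an LPN that holds only KUPenc cannot compute the RRC keys, and an LPN holding all three cannot recover KeNB or the keys of a later KeNB; compromising the LPN exposes at most the session keys it was given, which is the reason the patent sends derived AS keys rather than KeNB over the Backhaul.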

Abstract

Disclosed are a secure data transmission method and an LTE access network. The method comprises: an MeNB obtaining a base station key from a core network, generating a first access stratum key according to the base station key, using the first access stratum key to encrypt the corresponding control plane information and user data, and sending the corresponding control plane information to an LTE user equipment after performing integrity protection on it; the MeNB determining an offloading policy for the user data of the LTE user equipment, and sending a request message to the corresponding LPN to provide a multi-stream transmission service for the LTE user equipment; the MeNB receiving the request response sent by the LPN, and according to the offloading policy sending one part of the user data received from the core network to the LTE user equipment after encrypting it with the first access stratum key, and sending the other part of the user data to the LPN; and the LPN encrypting the corresponding user data with a second access stratum key and sending the encrypted user data to the LTE user equipment.

Description

数据安全传输方法及 LTE接入网系统  Data security transmission method and LTE access network system
技术领域 本发明涉及移动通讯领域, 特别是涉及一种数据安全传输方法及长期演进 (Long Term Evolution, 简称为 LTE) 接入网系统。 背景技术 在现有技术中, 随着无线通信技术和协议标准的不断演进, 移动分组业务经历了 巨大的发展, 单个终端的数据吞吐能力不断提升。 以 LTE系统为例, 在 20M带宽内 可以支持下行最大速率为 100Mbps的数据传输; 后续的增强 LTE (LTE Advanced, 简 称为 LTE-A) 系统中, 数据的传输速率将进一步提升, 甚至可以达到 lGbps。 终端数据业务量膨胀式的增长, 使得移动网络的服务能力和部署策略都面临着巨 大的压力与挑战。 运营商一方面需要增强现有的网络部署和通讯技术, 另一方面希望 加快新技术的推广和网络拓展, 从而达到快速提升网络性能的目的。 而移动通信系统 发展至今, 仅通过对宏网络(Macro networks)进行增强以提供经济、 灵活、 高能力的 服务变得越来越困难, 因此, 部署低功率节点 (Low power Node, 简称为 LPN) 提供 小小区 (Small cell) 覆盖的网络策略成为了一个极具吸引力的解决方案, 尤其是在数 据传输量巨大的室内 /室外热点地区需要为用户提供良好的用户体验时。 The present invention relates to the field of mobile communications, and in particular, to a data security transmission method and a Long Term Evolution (LTE) access network system. BACKGROUND OF THE INVENTION In the prior art, with the continuous evolution of wireless communication technologies and protocol standards, mobile packet services have undergone tremendous development, and the data throughput capability of a single terminal has been continuously improved. Taking the LTE system as an example, the data transmission rate of the downlink maximum rate of 100 Mbps can be supported in the 20 M bandwidth. In the subsequent LTE (LTE Advanced, LTE-A) system, the data transmission rate will be further increased, even up to 1 Gbps. . The inflated growth of terminal data traffic has put tremendous pressure and challenge on the service capabilities and deployment strategies of mobile networks. On the one hand, operators need to enhance existing network deployment and communication technologies. On the other hand, they hope to accelerate the promotion of new technologies and network expansion, so as to achieve rapid improvement of network performance. Since the development of mobile communication systems, it has become more and more difficult to provide economical, flexible, and high-capacity services only by enhancing macro networks. Therefore, deploy low power nodes (Low Power Nodes, LPN for short). 
The network strategy of providing small cell coverage has become an attractive solution, especially when indoor/outdoor hotspots with huge data transmission need to provide users with a good user experience.
Enhancements to LPN deployment have been identified by the 3rd Generation Partnership Project (3GPP) as one of the most interesting topics in future network development. LPNs deployed within the coverage of a macro network differ greatly from the traditional macro network in transmission, mobility, security and interference: when each base station serves the terminal independently, many problems arise and the demand for large data volumes and high mobility cannot be met. Moreover, for practical and historical reasons the choice of LPN backhaul link varies widely, the characteristics of each interface differ, and coordination with the macro network is limited. In a deployment with LPNs, how to exploit their characteristics while maintaining a good cooperation mechanism with the macro base station (Macro eNB, MeNB), so as to provide the user equipment (UE) with optimized communication services that meet the demand for higher bandwidth, better performance, lower cost, better security and applicability to a variety of backhaul links, is therefore an important issue for the future development of LTE communication systems. There is thus an urgent need for a system architecture in which a heterogeneous network deploying macro base stations and low-power nodes provides a joint transmission service to the UE, and for a method of transmitting data securely within that architecture.

SUMMARY OF THE INVENTION

The present invention provides a secure data transmission method and an LTE access network system, so as to at least solve the problem in the related art that no system architecture exists in which a heterogeneous network deploying macro base stations and low-power nodes provides a joint transmission service to the UE, nor any method of transmitting data securely within such an architecture.

The present invention provides a secure data transmission method for a heterogeneous network based on an LTE system. The heterogeneous network includes an LTE core network, an LTE access network and LTE user equipment; one or more macro base stations (MeNBs) are deployed in the LTE access network, and one or more low-power nodes (LPNs) are deployed within the coverage of an MeNB. The method includes the following. When the LTE user equipment accesses the MeNB, the MeNB obtains a base station key from the LTE core network, generates a first access stratum (AS) key from the base station key and, over its control-plane interface with the LTE user equipment, encrypts the corresponding control-plane information and user data with the first AS key, integrity-protects the corresponding control-plane information, and sends them to the LTE user equipment. The MeNB determines a split policy for the user data of the LTE user equipment and, over its backhaul interface with the LPN, sends the relevant LPN a request message to provide a multi-stream transmission service for the LTE user equipment, the control-plane information the LPN needs, and a second AS key. The MeNB receives the request response sent by the LPN; according to the split policy it encrypts one part of the user data received from the core network with the first AS key and sends it to the LTE user equipment over its user-plane interface with the LTE user equipment, and sends the other part of the user data to the LPN over the backhaul interface. The LPN encrypts its part of the user data with the second AS key and sends the encrypted user data to the LTE user equipment over its user-plane interface with the LTE user equipment.

Preferably, the first AS key includes a user-plane encryption key for encrypting user-plane data, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling.

Preferably, the method further includes: the LPN receives, over its control-plane interface with the LTE user equipment, the measurement results reported by the LTE user equipment, and adjusts its scheduling of the LTE user equipment according to those measurement results.

Preferably, when there is only a user-plane interface between the LPN and the LTE user equipment, the second AS key includes a user-plane encryption key for encrypting user-plane data; when there are both a user-plane interface and a control-plane interface between the LPN and the LTE user equipment, the second AS key includes a user-plane encryption key for encrypting user-plane data, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling.

Preferably, the first AS key and the second AS key are either the same or different; when they are different, the LTE user equipment needs to support two sets of security algorithms.

Preferably, the MeNB determines the split policy of the user data at least according to the network load and the measurement results reported by the LTE user equipment, using the radio bearer as the split granularity.

Preferably, when the split policy uses the radio bearer as the split granularity, its protocol-stack form is as follows: a Packet Data Convergence Protocol (PDCP) entity, which performs the security protection, and the lower-layer protocol entities are provided on each of the MeNB and the LPN, where the lower-layer protocol entities include the Radio Link Control (RLC) sublayer, the Medium Access Control (MAC) sublayer and the physical layer.

Preferably, the method further includes: when, during the multi-stream transmission service, a key update is required by the operator, the LTE core network or the LTE access network, the MeNB sends a key update indication carrying a new AS key to the LPN over the backhaul interface; the MeNB receives the key update response returned by the LPN over the backhaul interface and notifies the LTE user equipment of the key update over its control-plane interface with the LTE user equipment.

The present invention also provides an LTE access network system in which one or more macro base stations (MeNBs) are deployed, with one or more low-power nodes (LPNs) deployed within the coverage of an MeNB. The MeNB is configured to: when the LTE user equipment accesses the MeNB, obtain the base station key from the LTE core network, generate a first AS key from it and, over its control-plane interface with the LTE user equipment, encrypt the corresponding control-plane information and user data with the first AS key, integrity-protect the corresponding control-plane information and send them to the LTE user equipment; determine the split policy for the user data of the LTE user equipment and, over its backhaul interface with the LPN, send the relevant LPN a request message to provide a multi-stream transmission service for the LTE user equipment, the control-plane information the LPN needs, and a second AS key; receive the request response sent by the LPN and, according to the split policy, encrypt one part of the user data received from the core network with the first AS key and send it to the LTE user equipment over its user-plane interface with the LTE user equipment, while sending the other part of the user data to the LPN over the backhaul interface. The LPN is configured to: receive the request message sent by the MeNB for providing the multi-stream transmission service to the LTE user equipment and send a request response to the MeNB; encrypt its part of the user data with the second AS key and send the encrypted user data to the LTE user equipment over its user-plane interface with the LTE user equipment.

Preferably, the first AS key includes a user-plane encryption key for encrypting user-plane data, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling.

Preferably, the LPN is further configured to receive, over its control-plane interface with the LTE user equipment,
the measurement results reported by the LTE user equipment, and to adjust its scheduling of the LTE user equipment according to those results.

Preferably, when there is only a user-plane interface between the LPN and the LTE user equipment, the second AS key includes a user-plane encryption key for encrypting user-plane data; when there are both a user-plane interface and a control-plane interface between the LPN and the LTE user equipment, the second AS key includes a user-plane encryption key for encrypting user-plane data, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling.

Preferably, the first AS key and the second AS key are either the same or different; when they are different, the LTE user equipment needs to support two sets of security algorithms.

Preferably, the MeNB is configured to determine the split policy of the user data at least according to the network load and the measurement results reported by the LTE user equipment, using the radio bearer as the split granularity.

Preferably, when the split policy uses the radio bearer as the split granularity, its protocol-stack form is as follows:
a PDCP entity, which performs the security protection, and the lower-layer protocol entities are provided on each of the MeNB and the LPN, where the lower-layer protocol entities include the RLC sublayer, the MAC sublayer and the physical layer.

Preferably, the MeNB is further configured to: when, during the multi-stream transmission service, a key update is required by the operator, the LTE core network or the LTE access network, send a key update indication carrying a new AS key to the LPN over the backhaul interface; receive the key update response returned by the LPN over the backhaul interface, and notify the LTE user equipment of the key update over its control-plane interface with the LTE user equipment.

The beneficial effects of the present invention are as follows. In the embodiments of the present invention, a heavily loaded MeNB can offload part of the user data to an LPN for transmission;
signalling in the handover procedure is also reduced when the UE moves between small cells, which lightens the network's message load; for the UE, the wider band of multi-carrier transmission better meets the needs of high-volume data services, and transmission with a nearby LPN also saves power, so the system architecture clearly improves the user experience. In addition, in the system architecture of the embodiments, the macro base station of the heterogeneous access network transmits the key to the LPN, so that transmission on the radio link between the LPN and the UE can carry out the configured security protection, which safeguards the security of the architecture. The technical solution of the embodiments can therefore provide the UE with a good joint transmission service securely and reliably.

The above is only an overview of the technical solution of the present invention. In order that its technical means may be understood more clearly and implemented in accordance with the specification, and that the above and other objects, features and advantages may be more apparent, specific embodiments of the present invention are set out below.

BRIEF DESCRIPTION OF THE DRAWINGS

Various other advantages and benefits will become clear to those of ordinary skill in the art from the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention; throughout the drawings the same reference symbols denote the same parts. In the drawings:
Figure 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention;
Figure 2 is a schematic diagram of the system architecture of the present invention;
Figure 3 is a flowchart of the secure data transmission method according to an embodiment of the present invention;
Figure 4 is a schematic diagram of one feasible protocol-stack form of the split policy according to an embodiment of the present invention;
Figure 5 is a schematic diagram of the user-plane and control-plane protocol-stack form according to an embodiment of the present invention;
Figure 6 is the signalling flowchart of Example 1 of the embodiments of the present invention;
Figure 7 is the signalling flowchart of Example 2 of the embodiments of the present invention;
Figure 8 is the signalling flowchart of Example 3 of the embodiments of the present invention;
Figure 9 is a schematic structural diagram of the LTE access network system according to an embodiment of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here; rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.

To meet the user's demand for higher bandwidth, better performance, lower cost, better security and applicability to a variety of backhaul links, the present invention provides a system architecture in which a heterogeneous network deploying macro base stations and low-power nodes offers the UE a joint transmission service, together with a scheme for transmitting data securely within that architecture. The architecture and scheme apply to all kinds of backhaul links and can provide the UE with a good joint transmission service securely and reliably. The present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and do not limit it.

Method embodiment

According to an embodiment of the present invention, a secure data transmission method is provided for a heterogeneous network based on a Long Term Evolution (LTE) system. The heterogeneous network includes an LTE core network, an LTE access network and LTE user equipment; one or more macro base stations (MeNBs) are deployed in the LTE access network, and one or more low-power nodes (LPNs) are deployed within the coverage of an MeNB.

Specifically, Figure 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention. As shown in Figure 1, one or more LPNs are deployed within the coverage of the MeNB (for example in a hotspot area); an LPN may be a low-power pico base station (Pico eNB), a Relay Node or a home base station (HeNB). Correspondingly, the backhaul interface between the LPN and the MeNB may be a wired interface (such as optical fibre) or a wireless interface (such as the Un interface).

Figure 2 is a schematic diagram of the system architecture of the present invention. As shown in Figure 2, the system includes the LTE core network (Core Network, CN), an LTE access network composed of MeNBs and LPNs, and LTE user equipment that supports a multi-stream transmit/receive mechanism. The LTE core network is the same as the core network of the existing LTE network. The LTE access network includes the MeNB and the LPN. Between the MeNB and the core network, and between the MeNB and the UE, are the existing control-plane (Control Plane, CP) and user-plane (User Plane, UP) connections; between the LPN and the UE there may be a UP connection only, or both UP and CP connections; between the MeNB and the LPN is a backhaul interface (wired or wireless) that can carry control signalling and user data.

Figure 3 is a flowchart of the secure data transmission method according to an embodiment of the present invention. As shown in Figure 3, the method includes the following processing.

Step 301: when the LTE user equipment accesses the MeNB, the MeNB obtains the base station key from the core network, generates the first AS key from it and, over its control-plane interface with the LTE user equipment, encrypts the corresponding control-plane information and user data with the first AS key, integrity-protects the corresponding control-plane information, and sends them to the LTE user equipment. That is, before the split, the MeNB and the LTE user equipment exchange user data and control signalling normally, as in the prior art. Here the first AS key includes a user-plane encryption key for encrypting user-plane data, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling.

Step 302: the MeNB determines the split policy for the user data of the LTE user equipment and, over its backhaul interface with the LPN, sends the relevant LPN a request message to provide a multi-stream transmission service for the LTE user equipment, the control-plane information the LPN needs, and the second AS key. In step 302, the MeNB determines the split policy at least according to the network load and the measurement results reported by the LTE user equipment (the MeNB may also use other information), with the radio bearer as the split granularity. When the radio bearer is the split granularity, the protocol-stack form of the split policy is that a PDCP entity, which performs the security protection, and the lower-layer protocol entities (the RLC sublayer, the MAC sublayer and the physical layer) are provided on each of the MeNB and the LPN.

Step 303: the MeNB receives the request response sent by the LPN; according to the split policy it encrypts one part of the user data received from the core network with the first AS key and sends it to the LTE user equipment over its user-plane interface with the LTE user equipment, and sends the other part of the user data to the LPN over the backhaul interface.

Step 304: the LPN encrypts its part of the user data with the second AS key and sends the encrypted user data to the LTE user equipment over its user-plane interface with the LTE user equipment.

Preferably, in this embodiment the LPN may receive the measurement results reported by the LTE user equipment over its control-plane interface with the LTE user equipment and adjust its scheduling of the LTE user equipment accordingly.

It should be noted that when there is only a user-plane interface between the LPN and the LTE user equipment, the second AS key includes a user-plane encryption key for encrypting user-plane data; when there are both user-plane and control-plane interfaces between the LPN and the LTE user equipment, the second AS key includes the user-plane encryption key, and a control-plane encryption key for encrypting control-plane signalling and/or a control-plane integrity protection key for integrity-protecting control-plane signalling. Furthermore, in this embodiment the first AS key and the second AS key may be the same or different; when they differ, the LTE user equipment needs to support two sets of security algorithms.

In this embodiment, when a key update is required during the multi-stream transmission service by the operator, the LTE core network or the LTE access network, the MeNB needs to send a key update indication carrying the new AS key to the LPN over the backhaul interface; the MeNB receives the key update response returned by the LPN over the backhaul interface and notifies the LTE user equipment of the key update over its control-plane interface with the LTE user equipment.

The above technical solution of the embodiments of the present invention is explained in detail below with reference to the drawings.

On the control plane, the MeNB is responsible on the one hand for all control signalling with the UE and on the other hand for the control-plane information the LPN needs, so that the LPN can hold the necessary UE context, configure each protocol layer and schedule the UE effectively. Preferably, there may also be a CP connection between the LPN and the UE (possibly carrying only part of the functions of the existing CP connection), so that information such as the UE's measurement results is obtained more promptly and the scheduling strategy can be adjusted quickly.

On the user plane, the MeNB, according to the split policy it has decided, sends one part of the UE's user data received from the core network to the UE over its own UP connection with the UE, and sends the other part to the LPN over the backhaul interface; the LPN then sends it to the UE over the air interface on the basis of the existing technology.

The UE data split policy decided by the MeNB may use the radio bearer (Radio Bearer,
RB) as the split granularity. That is, for services with different Quality of Service (QoS), the MeNB may decide, according to their QoS characteristics, to transmit them to the UE over different carrier links. For example, real-time services (such as voice) are transmitted on the link between the MeNB and the UE, while high-volume, delay-tolerant services (such as video download) are offloaded to the LPN and then transmitted to the UE.

By way of example, Figure 4 is a schematic diagram of one feasible protocol-stack form of the split policy according to an embodiment of the present invention. As shown in Figure 4, it includes the user-plane part, in which the MeNB transmits the split data to the LPN, which passes it on to the UE (uplink data flows the other way), and the control-plane part of the interface between the MeNB and the LPN and of the possible interface between the LPN and the UE. The protocol stack of the backhaul interface between the MeNB and the LPN depends on the wired/wireless and other characteristics of the specific interface and may also take other forms (for example, GTP-U may be replaced by another protocol). It can be seen that when the RB is the split granularity, on the network side a Packet Data Convergence Protocol (PDCP) entity and the lower-layer protocol entities beneath it (the Radio Link Control (RLC) sublayer, the Medium Access Control (MAC) sublayer and the physical layer (PHY)) are located at both the MeNB and the LPN. Figure 5 is a schematic diagram of the user-plane and control-plane protocol-stack form according to an embodiment of the present invention.

A heavily loaded MeNB can offload part of the user data to an LPN for transmission; signalling in the handover procedure is also reduced when the UE moves between small cells, which lightens the network's message load; for the UE, the wider band of multi-carrier transmission better meets the needs of high-volume data services, and transmission with a nearby LPN also saves power. This system architecture clearly improves the user experience.
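As an added illustration of the bearer-level split decision described above (this code is not part of the patent), the following Python function decides, per radio bearer, which node carries it from the three inputs the text names: the bearers' QoS, the MeNB's load and the UE's measurement of the LPN. The QCI labels, the load and RSRP thresholds, and the rule that signalling radio bearers always stay on the MeNB (which owns all control signalling) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# QCI table (assumed here, after 3GPP TS 23.203): GBR class and packet delay
# budget in ms. The page only speaks of "QoS characteristics" and of real-time
# versus delay-tolerant services; QCIs are the labels an MeNB actually sees.
QCI_DELAY_BUDGET_MS = {1: 100, 2: 150, 3: 50, 4: 300, 5: 100, 6: 300, 7: 100, 8: 300, 9: 300}
GBR_QCIS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Bearer:
    rb_id: str            # e.g. "SRB1", "DRB2"
    qci: Optional[int]    # None for signalling radio bearers


def split_policy(bearers, menb_load, lpn_rsrp_dbm, *,
                 load_threshold=0.7, rsrp_threshold_dbm=-105, delay_tolerant_ms=250):
    """Decide, at radio-bearer granularity, which bearers the MeNB keeps and
    which it offloads to the LPN.

    menb_load is the MeNB's own load in 0..1, lpn_rsrp_dbm the UE-reported
    RSRP of the LPN cell. The threshold defaults are example values.
    """
    keep, offload = [], []
    # Offloading only pays off when the MeNB is heavily loaded and the UE can
    # actually hear the LPN; otherwise everything stays on the macro link.
    can_offload = menb_load >= load_threshold and lpn_rsrp_dbm >= rsrp_threshold_dbm
    for b in bearers:
        if b.qci is None:             # SRBs: the MeNB owns all control signalling
            keep.append(b.rb_id)
            continue
        budget = QCI_DELAY_BUDGET_MS[b.qci]
        real_time = b.qci in GBR_QCIS or budget < delay_tolerant_ms
        if can_offload and not real_time:
            offload.append(b.rb_id)   # delay-tolerant bulk data, e.g. video download (QCI 8/9)
        else:
            keep.append(b.rb_id)      # e.g. conversational voice (QCI 1)
    return {"MeNB": keep, "LPN": offload}
```

Constructed input such as `[Bearer("SRB1", None), Bearer("DRB1", 1), Bearer("DRB2", 9)]` with a load of 0.9 and an LPN RSRP of -90 dBm yields `{"MeNB": ["SRB1", "DRB1"], "LPN": ["DRB2"]}`; lowering the load or the RSRP below the thresholds keeps every bearer on the MeNB.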
When messages pass between the user and the access network over the radio interface, the network side must provide a sufficient security mechanism to prevent them from being intercepted in transit and easily broken by an attacker. In the LTE system, when the UE attaches to the network, the MeNB obtains the base station key (eNB key, written KeNB) from the core network and/or derives the access stratum keys (AS Key) from it. The AS Key comprises the user-plane encryption key (UP Key, KUPenc), the control-plane encryption key (RRC Key, KRRCenc) and the control-plane integrity protection key (RRC Key, KRRCint), used respectively for encrypting user-plane data, encrypting control-plane signalling and integrity-protecting control-plane signalling. Taking the downlink as an example, the MeNB uses the AS Key with the corresponding encryption/integrity algorithms to apply the configured security protection to the information it sends; on receipt, the UE decrypts and integrity-verifies the message with the corresponding keys and algorithms. All of these functions reside in the PDCP layer of the protocol stack.

In the system architecture of the present invention, the LPN is merely a cooperating base station that takes on the transmission of split data within the access network and has no direct exchange of information with the core network; and because the MeNB and the LPN split the data at RB granularity and jointly serve the UE, the PDCP layer is present at both the MeNB and the LPN, as shown in the protocol-stack architecture above. The LPN therefore cannot obtain KeNB from the core network, so the PDCP entity at the LPN (PDCP_LPN) would be unable to encrypt or integrity-protect the split data and any control signalling, which is an extremely serious security problem.

In the architecture of the embodiments of the present invention, for a UE receiving the joint transmission service, the MeNB must therefore transmit the necessary keys to the LPN that carries the split transmission. However, if the MeNB transmitted KeNB to the LPN so that the LPN could derive the AS Key itself, then, because the LPN is physically less secure than the MeNB, i.e. easier for an attacker to break into, the risk of key leakage would be high: once KeNB on the LPN side is compromised, KeNB on the MeNB side is leaked with it. A scheme in which two base stations of the access network share the same KeNB is therefore not feasible.

To solve this problem in the architecture securely and effectively, the embodiments of the present invention propose the following solution:
The LPN obtains the security key (AS Key) from the MeNB and, according to the configuration, applies the corresponding security protection to the offloaded data and possible control signaling transmitted over the radio interface. The security key refers to the AS Key derived by the MeNB from KeNB; the MeNB decides, according to the network configuration and the UE capability (support for one or two sets of security contexts), whether the AS Key transmitted to the LPN is the same as the AS Key used by the MeNB itself. The security key differs according to the specific offloading form: if there is only transmission of offloaded data between the LPN and the UE (i.e. only UP), the AS Key includes only the UP Key, i.e. KUPenc; if there is transmission of both offloaded data and control signaling between the LPN and the UE (i.e. both UP and CP, even if only part of the CP), the AS Key includes the full UP Key and RRC Key, i.e. KUPenc and at least one of KRRCenc and KRRCint. The conditions under which the LPN obtains the security key from the MeNB include (but are not limited to) the following two cases: first, at the offload service request, the MeNB transmits the necessary information such as the offloaded bearer and the security key to the LPN over the Backhaul interface; second, at a security key update, i.e. if during the joint transmission service the operator, the core network or the MeNB/LPN itself requires the key of this UE to be updated, the MeNB transmits the updated security key to the LPN over the Backhaul interface. Through the above system and method of securely transmitting data, in the system architecture of the present invention the macro base station in the heterogeneous access network transmits the key to the LPN, so that the transmission on the radio link between the LPN and the UE can implement the configured security protection function, guaranteeing the security performance of the system architecture. The embodiments of the present invention are illustrated below in conjunction with different examples.
Example 1: The MeNB and the LPN are deployed in the network. These two kinds of nodes constitute the access network of the system architecture of the present invention, and the LPN bears the transmission of the offloaded data. In the preparation process in which the network side decides to provide the UE with the inter-base-station multi-stream joint transmission service, the MeNB transmits the AS Key to the LPN so that it can perform the security protection function. FIG. 6 is a signaling flowchart of Example 1 of the embodiment of the present invention. As shown in FIG. 6, the processing may include the following: Step 1: The UE accesses the macro cell established by the MeNB according to the existing LTE procedure and establishes with it a CP connection (RRC Connection) that can carry control plane information and a UP connection that can carry user data. The MeNB obtains KeNB from the core network, derives the AS Key (including the UP Key and the RRC Key) from it, and uses this AS Key together with the corresponding encryption/integrity algorithm to provide the configured security protection for the information it sends and receives. Step 2: According to the network load, the measurement reports of the UE and other information, the MeNB decides to offload a certain data bearer of the UE to the LPN for transmission, while the remaining bearers are still transmitted on the radio link between the MeNB and the UE.
The MeNB transmits necessary information such as the UE context to the LPN over the Backhaul interface to request it to provide the multi-stream transmission service for this UE. For example, the information may be carried in a message called a "bearer setup request" (it may also be another existing message or a new message; the messages named below are handled in the same way), which includes the relevant parameters of the offloaded bearer, the security capability of the UE, and so on. In the present invention, this message should carry the AS Key derived by the MeNB from KeNB. In this example there is only a UP connection between the LPN and the UE (as shown in FIG. 6, i.e. the LPN bears only the transmission of the offloaded data), so the AS Key transmitted by the MeNB to the LPN contains only the UP Key (such as KUPenc). Preferably, the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, i.e. the messages sent/received by the UE on the two radio carriers with the MeNB and the LPN are encrypted/decrypted and integrity protected/verified with different security keys respectively. After agreeing to the establishment of the offloaded bearer, the LPN replies with a response message, which may be called a "bearer setup response" message; the message may carry the list of admitted bearers and the specific configuration of each protocol layer for the UE.
Step 3: After receiving the response from the LPN agreeing to the offloading, the MeNB notifies the UE to access the cell (small cell) established by the LPN. In this example the UE has only a UP connection with the LPN, so the user data transmitted on that radio carrier is encryption protected with the key (KUPenc) and algorithm according to the configuration; that is, the sending end (such as the MeNB or the LPN) and the receiving end (such as the UE) can use a valid key and a known algorithm to encrypt and decrypt respectively the user data exchanged on the radio link between them, and the security requirement of the network is satisfied.
Example 2: The deployment scenario is the same as in Example 1. While the MeNB and the LPN provide the joint transmission service for the UE, the MeNB side updates the key, so it needs to notify the LPN of the updated key so that the LPN can perform the security protection function effectively. FIG. 7 is a signaling flowchart of Example 2 of the embodiment of the present invention. As shown in FIG. 7, the processing may include the following: Step 1: In the system architecture of the embodiment of the present invention, the UE has established radio connections with the MeNB and the LPN respectively and thereby obtains the inter-base-station multi-stream joint transmission service. As in the prior art, CP and UP connections are established between the UE and the MeNB; this example takes the case where only a UP connection is established between the UE and the LPN, and the LPN protects the data transmitted between it and the UE by encryption/decryption with the UP Key (KUPenc) obtained from the MeNB and the corresponding algorithm. Step 2: While the UE remains connected to the network, the key may need to be updated according to the requirement of the operator, the core network or the access network itself; in that case, while updating its own key, the MeNB also needs to notify the LPN of the updated key. For example, the information may be carried in a message called a "key update indication" and passed to the LPN over the Backhaul interface. Preferably, the message may also carry an indication of whether the key is updated, together with the updated key. This example takes the case of only a UP connection between the LPN and the UE, so the message carries the updated UP Key (such as KUPenc'). Preferably, after the key update, the new AS Key transmitted by the MeNB to the LPN may be the same as or different from the new AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, i.e. the data sent/received by the UE on the two radio carriers with the MeNB and the LPN are encrypted/decrypted with different security keys respectively. It should be noted that when the MeNB and the LPN use different keys, there may be a time when only the LPN side needs to update its key and the MeNB has no such need; even then it is still the MeNB that derives the updated key for the LPN and notifies the LPN of it (because in this architecture the MeNB and the LPN exchange in real time the necessary information related to packet transmission, the MeNB learns promptly that the LPN side needs a key update). Preferably, after successfully updating the key the LPN may reply with a response message, such as a message called "key update response". On the other hand, the MeNB also needs to notify the UE of the key update. After the configuration update of each node is completed, the inter-base-station offload joint transmission service can continue, and the data exchanged between the UE and the MeNB and LPN in the access network is protected by encryption/decryption with the new key and algorithm.
Example 3: The deployment scenario is the same as in Example 1. In the architecture in which the MeNB and the LPN provide the UE with the inter-base-station multi-stream joint transmission service, this example takes the case where both CP and UP connections are established between the LPN and the UE. Both during the preparation of the multi-stream service and when the network side needs a key update, the MeNB needs to transmit the AS Key to the LPN so that it can perform the security protection function. FIG. 8 is a signaling flowchart of Example 3 of the embodiment of the present invention. As shown in FIG. 8, the processing may include the following: Step 1: When the MeNB decides to provide the inter-base-station multi-stream transmission service for a UE accessing its cell, it transmits necessary information such as the UE context to the LPN over the Backhaul interface, for example carried in a "bearer setup request" message. Besides the necessary information such as the parameters of the offloaded bearer and the security capability of the UE, this message also needs to include the AS Key derived by the MeNB from KeNB. This example takes the case of UP and RRC connections between the LPN and the UE, so the AS Key transmitted by the MeNB to the LPN needs to contain the UP Key and the RRC Key (KUPenc, and at least one of KRRCenc and KRRCint). Preferably, the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts.
After agreeing to the establishment of the offloaded bearer, the LPN replies to the MeNB with a response message, which may be called a "bearer setup response" message; the MeNB can then notify the UE to access the cell established by the LPN. Because the UE has CP and UP connections with both the MeNB and the LPN, the user data and control signaling transmitted on the two radio carriers are protected by encryption and integrity protection with the key and algorithm according to the configuration, and the security requirement of the network is satisfied.
Step 3: During the multi-stream service, if the network side (including the operator, the core network, the MeNB and the LPN) needs to update the key, the MeNB needs to notify the LPN of the updated key. For example, the information may be carried in a message called a "key update indication" and passed to the LPN over the Backhaul interface. Preferably, the message carries an indication of whether the key is updated, together with the updated key. This example takes the case of UP and RRC connections between the LPN and the UE, so the new AS Key transmitted by the MeNB to the LPN needs to contain the UP Key and the RRC Key (KUPenc', and at least one of KRRCenc' and KRRCint'). Preferably, after the key update, the new AS Key transmitted by the MeNB to the LPN may be the same as or different from the new AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts. Preferably, after successfully updating the key the LPN may reply with a response message, such as a message called "key update response". On the other hand, the MeNB needs to notify the UE of the key update, the protocol layer configuration change and similar information. After the configuration update of each node is completed, the inter-base-station offload joint transmission service can continue, and the user data and control signaling exchanged between the UE and the MeNB and LPN in the access network are effectively protected by encryption and integrity protection with the new key and algorithm according to the configuration.
In summary, with the technical solution of the embodiment of the present invention, a heavily loaded MeNB can offload part of the user data to the LPN for transmission; when the UE moves between small cells the signaling in the handover procedure can also be reduced, lightening the message load of the network; for the UE, the widened bandwidth of multi-carrier transmission better meets the needs of services with large data volume, and transmission with a closer LPN also saves power, so the system architecture greatly improves the user experience. Furthermore, in the system architecture of the embodiment of the present invention, the macro base station in the heterogeneous access network transmits the key to the LPN, so that transmission on the radio link between the LPN and the UE can implement the configured security protection function, guaranteeing the security performance of the system architecture. The technical solution of the embodiment of the present invention can provide a good joint transmission service for the UE safely and reliably.
System embodiment
According to an embodiment of the present invention, an LTE access network system is provided. One or more macro base stations (MeNBs) are deployed in the LTE access network, and one or more low power nodes (LPNs) are deployed within the coverage of an MeNB. Preferably, FIG. 1 is a schematic diagram of a node deployment scenario according to an embodiment of the present invention. As shown in FIG. 1, one or more LPNs are deployed within the coverage of the MeNB (for example in a hotspot area); an LPN may be a low power micro base station (Pico eNB), a relay node (Relay Node) or a home base station (HeNB). Correspondingly, the Backhaul interface between the LPN and the MeNB may be a wired interface (such as optical fiber) or a wireless interface (such as the Un interface). FIG. 2 is a schematic diagram of the system architecture of the present invention. As shown in FIG. 2, the system includes an LTE core network (Core Network, CN), an LTE access network composed of the MeNB and the LPN, and LTE user equipment that supports a multi-data-stream transmission and reception mechanism. The LTE core network is the same as the core network of the existing LTE network. The LTE access network includes the MeNB and the LPN. Between the MeNB and the core network, and between the MeNB and the UE, there are the existing control plane (Control Plane, CP) and user plane (User Plane, UP) connections; between the LPN and the UE there is the existing UP connection and possibly a CP connection; between the MeNB and the LPN there is a Backhaul interface (wired or wireless) that can carry control signaling and user data. FIG. 9 is a schematic structural diagram of the LTE access network system according to an embodiment of the present invention. As shown in FIG. 9, the LTE access network according to the embodiment of the present invention includes an MeNB 90 and an LPN 92. Each module of the embodiment of the present invention is described in detail below.
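The following Python model is an added illustration and is not code from the patent or from ZTE. It ties together the passage on KeNB and the AS Key (KUPenc, KRRCenc, KRRCint), the proposed solution (the LPN receives only the UP Key when it has a UP connection only, and the UP Key plus RRC keys when it also has a CP connection; the LPN's key set may equal the MeNB's own or be a separate context), and the key update of Examples 2 and 3 (including the case where only the LPN side needs a new key, which the MeNB still derives). The derivation layout is modelled on the HMAC-SHA-256 KDF of 3GPP TS 33.401 Annex A; the FC value and type distinguishers, the separate LPN root derivation, the KeNB refresh rule and the message field names are assumptions made for this example, and the sample KeNB is a constructed value.

```python
"""Illustrative model of MeNB -> LPN access-stratum (AS) key handling (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Algorithm type distinguishers as laid out in TS 33.401 Annex A.7 (assumed values here).
RRC_ENC_ALG = 0x03
RRC_INT_ALG = 0x04
UP_ENC_ALG = 0x05
FC_AS_KEY = 0x15  # assumed function code for AS key derivation


def kdf(key: bytes, alg_type: int, alg_id: int) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1; keep the 128 LSBs."""
    s = (bytes([FC_AS_KEY, alg_type]) + (1).to_bytes(2, "big")
         + bytes([alg_id]) + (1).to_bytes(2, "big"))
    return hmac.new(key, s, hashlib.sha256).digest()[-16:]


def derive_as_keys(root: bytes, enc_alg: int = 1, int_alg: int = 1) -> dict:
    """AS Key set: UP encryption, RRC encryption and RRC integrity keys."""
    return {
        "KUPenc": kdf(root, UP_ENC_ALG, enc_alg),
        "KRRCenc": kdf(root, RRC_ENC_ALG, enc_alg),
        "KRRCint": kdf(root, RRC_INT_ALG, int_alg),
    }


def derive_lpn_root(k_enb: bytes, counter: int) -> bytes:
    """Assumed one-way derivation of a separate LPN root from KeNB, so that a
    compromised LPN key set reveals neither KeNB nor the MeNB's own AS keys."""
    return hmac.new(k_enb, b"LPN-AS-ROOT" + counter.to_bytes(2, "big"),
                    hashlib.sha256).digest()


def select_keys_for_lpn(as_keys: dict, lpn_has_cp: bool) -> dict:
    """UP Key only when the LPN-UE link is user plane only; UP Key plus RRC
    keys when the LPN also terminates (part of) the control plane."""
    chosen = {"KUPenc": as_keys["KUPenc"]}
    if lpn_has_cp:
        chosen["KRRCenc"] = as_keys["KRRCenc"]
        chosen["KRRCint"] = as_keys["KRRCint"]
    return chosen


@dataclass
class MeNB:
    k_enb: bytes            # base station key obtained from the core network
    ue_two_contexts: bool   # UE capability: one or two security contexts
    lpn_counter: int = 0    # bumped when only the LPN side needs a fresh key
    own_keys: dict = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        self.own_keys = derive_as_keys(self.k_enb)

    def _lpn_as_keys(self) -> dict:
        if not self.ue_two_contexts:
            return self.own_keys  # single context: LPN uses the MeNB's AS keys
        return derive_as_keys(derive_lpn_root(self.k_enb, self.lpn_counter))

    def bearer_setup_request(self, lpn_has_cp: bool) -> dict:
        """Backhaul message for offload setup; carries AS keys, never KeNB."""
        return {"msg": "bearer setup request",
                "as_key": select_keys_for_lpn(self._lpn_as_keys(), lpn_has_cp)}

    def key_update_indication(self, lpn_has_cp: bool, lpn_only: bool = False) -> dict:
        """Key refresh. lpn_only models the case where only the LPN needs a new
        key: the MeNB still performs the derivation and pushes the result."""
        if lpn_only and self.ue_two_contexts:
            self.lpn_counter += 1
        else:
            # Assumed refresh rule standing in for the real KeNB re-keying.
            self.k_enb = hmac.new(self.k_enb, b"KeNB-REFRESH", hashlib.sha256).digest()
            self.own_keys = derive_as_keys(self.k_enb)
        return {"msg": "key update indication", "key_updated": True,
                "as_key": select_keys_for_lpn(self._lpn_as_keys(), lpn_has_cp)}


def backhaul_message_exposes_kenb(message: dict, k_enb: bytes) -> bool:
    """Defensive check: does any key field equal KeNB or a truncation of it?"""
    return any(v == k_enb or k_enb.startswith(v) or k_enb.endswith(v)
               for v in message["as_key"].values())


if __name__ == "__main__":
    demo_kenb = bytes(range(32))  # constructed sample value, not a real key
    menb = MeNB(demo_kenb, ue_two_contexts=True)
    req = menb.bearer_setup_request(lpn_has_cp=True)
    print("keys sent to LPN:", sorted(req["as_key"]))
    print("LPN key set exposes KeNB:", backhaul_message_exposes_kenb(req, demo_kenb))
```

The design point to take from the model is the one the patent argues: the LPN only ever receives keys that sit below KeNB in a one-way derivation, so what an intruder could read from a less protected LPN does not unlock the MeNB's link, and a refresh affecting only the LPN is done at the MeNB by advancing the counter rather than by giving the LPN anything it could derive from on its own.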
The MeNB 90 is configured to: when LTE user equipment accesses the MeNB 90, acquire a base station key from the core network, generate a first access stratum key from the base station key, and, over the control plane interface between it and the LTE user equipment, encrypt the corresponding control plane information and user data with the first access stratum key and integrity protect the corresponding control plane information before sending them to the LTE user equipment; determine the offloading policy for the user data of the LTE user equipment, and, over the backhaul interface between it and the LPN 92, send to the corresponding LPN 92 a request message for providing the multi-stream transmission service for the LTE user equipment, the control plane information required by the LPN 92, and a second access stratum key; receive the request response sent by the LPN 92 and, according to the offloading policy, send one part of the user data received from the core network to the LTE user equipment over the user plane interface between it and the LTE user equipment after encrypting the corresponding user data with the first access stratum key, and send the other part of the user data to the LPN 92 over the backhaul interface. The first access stratum key includes a user plane encryption key for encryption of user plane data, and a control plane encryption key for encryption of control plane signaling and/or a control plane integrity protection key for integrity protection of control plane signaling. The MeNB 90 is configured to determine the offloading policy for the user data with the radio bearer as the offloading granularity, at least according to the network load and the measurement result information reported by the LTE user equipment. When the offloading policy uses the radio bearer as the offloading granularity, the protocol stack form of the offloading policy includes a Packet Data Convergence Protocol entity for performing security protection and the lower layer protocol entities, provided respectively on the MeNB 90 and the LPN 92, where the lower layer protocol entities include the radio link control sublayer, the medium access control sublayer and the physical layer. The MeNB 90 is further configured to: during the multi-stream transmission service, when a key update is required according to the requirement of the operator, the LTE core network or the LTE access network, send a key update indication to the LPN 92 over the backhaul interface, the key update indication carrying a new access stratum key; receive the key update response fed back by the LPN 92 over the backhaul interface, and notify the LTE user equipment of the key update over the control plane interface between it and the LTE user equipment.
The LPN 92 is configured to: receive the request message sent by the MeNB 90 for providing the multi-stream transmission service for the LTE user equipment, and send a request response to the MeNB 90; encrypt the corresponding user data with the second access stratum key, and send the encrypted user data to the LTE user equipment over the user plane interface between it and the LTE user equipment.
LPN 92还设置为: 通过其与 LTE用户设备之间的控制面接口, 接收 LTE用户设 备上报的测量结果信息, 并根据测量结果信息调整对 LTE用户设备的调度。 需要说明的是, 在 LPN 92与 LTE用户设备之间仅具有用户面接口时, 第二接入 层密钥包括: 用于用户面数据加密的用户面加密密钥; 在 LPN 92与 LTE用户设备之 间具有用户面接口和控制面接口时, 第二接入层密钥包括: 用于用户面数据加密的用 户面加密密钥, 以及用于控制面信令加密的控制面加密密钥和 /或用于控制面信令完整 性保护的控制面完整性保护密钥。 在本发明实施例中, 上述第一接入层密钥与第二接入层密钥相同或不相同; 在第 一接入层密钥与第二接入层密钥不相同时, LTE用户设备需要支持两套安全算法。 以下结合附图, 对本发明实施例的上述技术方案进行详细的说明。 从控制面来讲, MeNB—方面负责与 UE间的全部控制信令, 另一方面负责 LPN 所需的控制面信息, 使得 LPN可持有必要的 UE上下文信息、 配置各协议层、 对 UE 实施有效的调度; 优选地, LPN与 UE间也可以有 CP连接(具备的可能是现有 CP连 接的部分功能), 从而更及时的获取如 UE的测量结果等信息, 以便快速的调整调度策 略。 从用户面来讲, MeNB根据自身决定的分流策略, 将从核心网接收到的 UE用户 数据一部分通过自身与 UE间的 UP连接发送给 UE,另一部分通过 Backhaul接口发送 给 LPN, 再由 LPN以现有技术为基础通过空口发送给 UE。 其中, MeNB决定的 UE数据分流策略可以是以无线承载 (Radio Bearer, 简称为 RB) 为分流粒度的, 也就是说, 对于服务质量 (Quality of Service, 简称为 QoS) 不 同的业务, MeNB可根据其 QoS特性决定将其通过不同的载波链路分别传输给 UE。 例如, 实时业务 (如话音) 在 MeNB与 UE间的链路上传输, 而数据量大、 时延容忍 的业务 (如视频下载) 被分流到 LPN再传输给 UE。 举例来讲, 图 4是本发明实施例的分流策略的一个可行的协议桟形式的示意图, 如图 4所示, 包括 MeNB将分流数据传输到 LPN、 再传递给 UE的用户面部分 (上行 数据则反向); MeNB与 LPN间接口、 及可能的 LPN与 UE间接口的控制面部分。 其 中, MeNB与 LPN间的 Backhaul接口协议桟形式根据具体接口的有线 /无线等特性, 也可以是其他形式 (比如 GTP-U也可以由其他协议所置换)。 可以看到, 在以 RB为 分流粒度时, 网络侧分别有数据包汇聚协议 (Packet Data Convergence Protocol, 简称 为 PDCP)实体及以下各低层协议实体(无线链路控制子层(Radio Link Control, 简称 为 RLC)、媒体接入控制子层(Medium Access Control,简称为 MAC)、物理层(Physical layer, 简称为 PHY)) 位于 MeNB和 LPN。 图 5是本发明实施例的用户面、 控制面协 议桟形式的示意图。 负荷较重的 MeNB可以将部分用户数据分流到 LPN进行传输, UE在 Small cell间移动时也可以减少切换流程中的信令, 减轻了网络的消息负载; 而 对 UE来说, 多载波传输的频带拓宽能够更好的满足大数据量业务的需求, 与距离较 近的 LPN传输也更为省电, 该系统架构很好的提升了用户体验。 在用户与接入网通过无线接口进行消息传递的过程中, 网络侧需要提供足够的安 全保障机制, 以防止消息被攻击者中途截获及轻易破解。 在 LTE系统中, 当 UE附着 到网络中时, MeNB从核心网获取基站密钥 (eNB Key, 记作 K^B) 和 /或, 派生出接 入层密钥(Access Stratum Key,简称为 AS Key)。AS Key包括用户面加密密钥(UP Key, KUPen。)、控制面加密密钥(RRC Key, KRRCen。)以及控制面完保密钥(RRC Key, KRRCmt), 分别用于用户面数据的加密、 控制面信令的加密以及控制面信令的完整性保护。 以下 行为例, MeNB利用所述 AS Key与相应的加密 /完保算法对发送信息提供配置的安全 保护, UE接收后依据对应的密钥及算法对该消息进行解密 /完整性验证等处理。 所述 功能均位于协议桟的 PDCP层。 在本发明的系统架构中, LPN仅是在接入网中承担分流数据传输任务的协作基站, 并不与核心网存在直接信息交互;而因为 MeNB与 LPN间以 RB为分流粒度进行数据 分流并对 
UE提供联合数据传输服务,如前述协议桟架构所示, PDCP层分别位于 MeNB 与 LPN。 因此, LPN无法从核心网获取 K^B, PDCPL™也就无法对分流数据及可能的 控制信令进行加密 /完保的安全性保护了, 安全问题极其严重。 因为, 在本发明实施例的架构中, 对获得联合传输服务的 UE, MeNB需要将其必 需的密钥传输给承担分流传输的 LPN。 但是, 如果 MeNB将 传输给 LPN以便以 派生 AS Key, 那么因为 LPN在物理上的安全性能低于 MeNB, 即易于被攻击者侵入、 密钥泄露的风险很大。一旦 LPN侧的 K^B被破解, MeNB侧的 K^B也就随之泄露了, 故接入网中两个基站共用同一 K^B的方案不可行。 为了安全、有效的解决所述架构中的这一问题,本发明实施例提出如下解决方案:The LPN 92 is further configured to: receive, by using a control plane interface with the LTE user equipment, the measurement result information reported by the LTE user equipment, and adjust the scheduling of the LTE user equipment according to the measurement result information. It should be noted that, when only the user plane interface exists between the LPN 92 and the LTE user equipment, the second access layer key includes: a user plane encryption key used for user plane data encryption; and the LPN 92 and the LTE user equipment. When there is a user plane interface and a control plane interface, the second access layer key includes: a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or Or control plane integrity protection key for control plane signaling integrity protection. In the embodiment of the present invention, the first access layer key is the same as or different from the second access layer key; when the first access layer key is different from the second access layer key, the LTE user The device needs to support two sets of security algorithms. The above technical solutions of the embodiments of the present invention are described in detail below with reference to the accompanying drawings. From the control plane, the MeNB is responsible for all control signaling with the UE, and on the other hand is responsible for the control plane information required by the LPN, so that the LPN can hold the necessary UE context information, configure each protocol layer, and implement the UE. 
An effective scheduling is performed. Preferably, the LPN and the UE may also have a CP connection (which may be part of the function of the existing CP connection), so as to obtain information such as measurement results of the UE in a timely manner, so as to quickly adjust the scheduling policy. From the perspective of the user, the MeNB sends a part of the UE user data received from the core network to the UE through the UP connection between the UE and the UE according to the splitting policy determined by the user, and the other part is sent to the LP through the Backhaul interface, and then the LPN The prior art is sent to the UE through an air interface. The MeNB may determine that the UE data offloading policy may be a radio bearer (Radio Bearer, RB for short), that is, for a service with different quality of service (QoS), the MeNB may Its QoS characteristics determine that it is transmitted to the UE through different carrier links. For example, real-time services (such as voice) are transmitted on the link between the MeNB and the UE, and services with large data volume and delay tolerance (such as video download) are offloaded to the LPN and then transmitted to the UE. For example, FIG. 4 is a schematic diagram of a feasible protocol form of a traffic offloading policy according to an embodiment of the present invention. As shown in FIG. 4, the MeNB includes the MeNB to transmit the offloaded data to the LPN and then to the user plane part of the UE (upstream data). Then reverse); the interface between the MeNB and the LPN, and the control plane portion of the interface between the possible LPN and the UE. The Backhaul interface protocol between the MeNB and the LPN may be in other forms depending on the wired/wireless characteristics of the specific interface (for example, the GTP-U may also be replaced by other protocols). 
It can be seen that when the RB is used as the offloading granularity, the network side has a Packet Data Convergence Protocol (PDCP) entity and the following lower layer protocol entities (Radio Link Control (Radio Link Control). The RLC, the Medium Access Control (MAC), and the Physical Layer (PHY) are located at the MeNB and the LPN. FIG. 5 is a schematic diagram of a user plane and a control plane protocol in the embodiment of the present invention. The MeNB with heavy load can offload part of the user data to the LPN for transmission. When the UE moves between the Small cells, the signaling in the handover process can be reduced, and the message load of the network is reduced. For the UE, the multi-carrier transmission is performed. The bandwidth widening can better meet the needs of large data services, and the power consumption is also more efficient with LPN transmissions that are closer. The system architecture improves the user experience. In the process of message transmission between the user and the access network through the wireless interface, the network side needs to provide sufficient security protection mechanism to prevent the message from being intercepted and easily cracked by the attacker. In the LTE system, when the UE is attached to the network, the MeNB acquires the base station key (eNB Key, denoted as K^B) and/or from the core network, and derives the connection. Access Stratum Key (AS Key). The AS Key includes a user plane encryption key (UP Key, K UPen .), a control plane encryption key (RRC Key, K RRCen .), and a control plane security key (RRC Key, K RRCmt ), which are respectively used for the user plane. Encryption of data, encryption of control plane signaling, and integrity protection of control plane signaling. 
In the existing behavior, the MeNB uses the AS Key and the corresponding encryption/integrity protection algorithms to provide the configured security protection for the information it sends, and after receiving it the UE performs decryption/integrity verification with the corresponding key and algorithm. These functions are all located in the PDCP layer of the protocol stack. In the system architecture of the present invention, the LPN is only a cooperative base station in the access network that performs the offloaded data transmission task and has no direct information exchange with the core network; and because the MeNB and the LPN use the RB as the offloading granularity and jointly provide the data transmission service to the UE, as shown in the protocol stack above, the PDCP layer is located at both the MeNB and the LPN. Therefore the LPN cannot obtain KeNB from the core network, and its PDCP layer cannot provide encryption/integrity protection for the offloaded data and possible control signaling. This security problem is serious. In the architecture of the embodiment of the present invention, for a UE receiving the joint transmission service, the MeNB needs to transmit the necessary keys to the LPN that bears the offloaded transmission. However, if the MeNB transmitted KeNB to the LPN so that the LPN could derive the AS Key itself, then, since the LPN is physically less protected than the MeNB, it is easily intruded by an attacker and the risk of key leakage is high. Once KeNB on the LPN side is compromised, KeNB on the MeNB side is also leaked. Therefore a scheme in which the two base stations of the access network share the same KeNB is not feasible. To solve this problem in this architecture securely and effectively, the embodiment of the present invention proposes the following solution:
The LPN obtains the security key (AS Key) from the MeNB and, according to its configuration, applies the corresponding security protection to the offloaded data and any control signaling transmitted over the radio interface. The security key is the AS Key that the MeNB derives from KeNB; the MeNB decides, according to the network configuration and the UE capability (support for one or two sets of security contexts), whether the AS Key it transmits to the LPN is identical to the AS Key the MeNB itself uses. The security key differs with the form of offloading: if only offloaded data is transmitted between the LPN and the UE (UP only), the AS Key comprises only the UP Key, namely K_UPenc; if both offloaded data and control signaling are transmitted between the LPN and the UE (UP and CP, even if only part of the CP), the AS Key comprises the UP Key and the RRC Keys, namely K_UPenc and at least one of K_RRCenc and K_RRCint.
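The key hierarchy described above, as an added example that is not part of the patent: the code derives K_RRCenc, K_RRCint and K_UPenc from KeNB with the 3GPP key derivation function (TS 33.220 Annex B, TS 33.401 Annex A.7) and returns the subset the MeNB would place in its message to the LPN, only K_UPenc for a UP-only split and the full set for a UP+CP split. Because each AS key is a truncated HMAC-SHA-256 output, an LPN holding K_UPenc cannot recover KeNB, which is the property the page relies on when it rejects sharing KeNB itself. The patent does not say how a different, LPN-specific AS Key is derived; the function models it with the S-KeNB derivation that 3GPP later standardized for dual connectivity (TS 33.401 Annex A.15, FC 0x1C with a counter), which is an assumption here, as are the constructed KeNB and the algorithm identities.

```python
"""
Added example, not ZTE's code: LTE AS key derivation and the subset a MeNB
hands to an LPN.  KDF per TS 33.220 Annex B; algorithm key parameters per
TS 33.401 Annex A.7.  The LPN-specific intermediate key is modelled with the
S-KeNB derivation of TS 33.401 Annex A.15, which is an assumption for this
page (the patent leaves that derivation open).
"""
import hashlib
import hmac

# Algorithm type distinguishers, TS 33.401 Annex A.7
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05
FC_ALGORITHM_KEY = 0x15   # TS 33.401 A.7: AS algorithm key derivation
FC_S_KENB = 0x1C          # TS 33.401 A.15: S-KeNB (assumption for this page)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the two-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def algorithm_key(kenb: bytes, alg_type: int, alg_id: int) -> bytes:
    """One 128-bit AS key: the 128 least significant bits of the 256-bit output."""
    return kdf(kenb, FC_ALGORITHM_KEY, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_as_keys(kenb: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """The AS Key set the page names: K_RRCenc, K_RRCint and K_UPenc from one KeNB."""
    return {
        "K_RRCenc": algorithm_key(kenb, RRC_ENC_ALG, enc_alg_id),
        "K_RRCint": algorithm_key(kenb, RRC_INT_ALG, int_alg_id),
        "K_UPenc": algorithm_key(kenb, UP_ENC_ALG, enc_alg_id),
    }


def lpn_key_material(kenb: bytes, enc_alg_id: int, int_alg_id: int,
                     lpn_has_cp: bool, separate_context: bool,
                     counter: int = 0) -> dict:
    """Key material the MeNB puts in the bearer setup request or key update
    indication.  separate_context=False: the LPN gets the MeNB's own AS keys
    (one security context).  separate_context=True: the keys come from an
    LPN-specific intermediate key (assumed S-KeNB = KDF(KeNB, 0x1C, counter));
    a fresh counter yields the updated keys of a key update.  KeNB itself is
    never part of the returned material."""
    if separate_context:
        base = kdf(kenb, FC_S_KENB, counter.to_bytes(2, "big"))
    else:
        base = kenb
    full = derive_as_keys(base, enc_alg_id, int_alg_id)
    if not lpn_has_cp:                       # UP-only split: only K_UPenc leaves the MeNB
        return {"K_UPenc": full["K_UPenc"]}
    return full                               # UP+CP split: K_UPenc plus the RRC keys


if __name__ == "__main__":
    kenb = bytes(range(32))          # constructed 256-bit KeNB for the demo
    EEA2, EIA2 = 0x02, 0x02          # 128-EEA2 / 128-EIA2 algorithm identities
    menb_keys = derive_as_keys(kenb, EEA2, EIA2)
    lpn_keys = lpn_key_material(kenb, EEA2, EIA2, lpn_has_cp=False, separate_context=True)
    print("MeNB:", {k: v.hex() for k, v in menb_keys.items()})
    print("LPN: ", {k: v.hex() for k, v in lpn_keys.items()})
```

Incrementing the counter and calling lpn_key_material again yields the updated keys (K_UPenc') that the page's key update indication carries, while the MeNB's own keys are unchanged, which matches the case in which only the LPN side needs a refresh.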
The LPN obtains the security key from the MeNB in (but not only in) the following two situations. First, at the offloading service request: the MeNB transmits the necessary information, such as the offloaded bearer and the security key, to the LPN over the Backhaul interface. Second, at a security key update: if, during the joint transmission service, the operator, the core network or the MeNB/LPN itself needs to update the key of this UE, the MeNB transmits the updated security key to the LPN over the Backhaul interface. With the above system and method for secure data transmission, in the system architecture of the present invention the macro base station of the heterogeneous access network transmits the key to the LPN, so that transmission on the radio link between the LPN and the UE can carry the configured security protection, which guarantees the security of the system architecture. The embodiments of the present invention are illustrated below with different examples. Example 1: An MeNB and an LPN are deployed in the network; these two node types form the access network of the system architecture of the present invention, and the LPN bears the transmission of the offloaded data.
In the preparation process in which the network side decides to provide the UE with the cross-base-station multi-stream joint transmission service, the MeNB transmits the AS Key to the LPN so that the LPN can perform the security protection function. FIG. 6 is the signaling flow chart of Example 1 and, as shown in FIG. 6, may include the following steps.

Step 1: The UE accesses the macro cell established by the MeNB according to the existing LTE procedure and establishes with it a CP connection (RRC Connection) that carries control plane information and a UP connection that carries user data. The MeNB obtains KeNB from the core network, derives the AS Key (including the UP Key and the RRC Key) from it, and uses this AS Key together with the corresponding encryption/integrity protection algorithms to provide the configured security protection for the information it sends and receives.

Step 2: Based on the network load, the UE's measurement reports and similar information, the MeNB decides to offload a certain data bearer of the UE to the LPN for transmission, while the remaining bearers are still transmitted on the radio link between the MeNB and the UE. The MeNB transmits the necessary UE context and other information to the LPN over the Backhaul interface to request the multi-stream transmission service for this UE. For example, the information may be carried in a message called "bearer setup request" (it may also be another existing message or a new message; the same applies to every message name mentioned below), including the parameters of the offloaded bearer, the UE's security capabilities and so on. In the present invention this message should carry the AS Key that the MeNB derived from KeNB. In this example there is only a UP connection between the LPN and the UE (as shown in FIG. 6, the LPN only bears the transmission of the offloaded data), so the AS Key transmitted by the MeNB to the LPN contains only the UP Key (K_UPenc). Preferably, the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, that is, the messages the UE sends and receives on the two radio carriers with the MeNB and the LPN are encrypted/decrypted and integrity protected/verified with different security keys.
After the LPN agrees to establish the offloaded bearer, it replies with a response message, which may be called "bearer setup response"; the message may carry the list of admitted bearers and the specific configuration of each protocol layer for the UE.

Step 3: After receiving the LPN's response agreeing to the offloading, the MeNB instructs the UE to access the small cell established by the LPN. In this example the UE has only a UP connection with the LPN, so the user data transmitted on that radio carrier is encrypted with the key (K_UPenc) and the algorithm according to the configuration; that is, the sender (MeNB or LPN) and the receiver (UE) can encrypt and decrypt the user data exchanged on the radio link between them with a valid key and a known algorithm, and the security requirement of the network is met.

Example 2: The deployment scenario is the same as in Example 1. While the MeNB and the LPN are providing the joint transmission service to the UE, the MeNB side updates the key and therefore needs to notify the LPN of the updated key so that the LPN can continue to perform the security protection function effectively. FIG. 7 is the signaling flow chart of Example 2 and, as shown in FIG. 7, may include the following steps.

Step 1: In the system architecture of the embodiment, the UE has radio connections with both the MeNB and the LPN and thereby receives the cross-base-station multi-stream joint transmission service. Between the UE and the MeNB, CP and UP connections exist as in the prior art; this example takes the case in which only a UP connection exists between the UE and the LPN, and the LPN encrypts/decrypts the data exchanged with the UE using the UP Key (K_UPenc) obtained from the MeNB and the configured algorithm.

Step 2: While the UE stays connected to the network, a key update may be needed according to the requirements of the operator, the core network or the access network itself. When the MeNB updates its own key it must also notify the LPN of the updated key. For example, this information may be carried in a message called "key update indication" and passed to the LPN over the Backhaul interface. Preferably, the message may also carry an indication of whether the key has been updated, together with the updated key. In this example only a UP connection exists between the LPN and the UE, so the message carries the updated UP Key (K_UPenc'). Preferably, after the key update, the New AS Key transmitted by the MeNB to the LPN and the New AS Key used by the MeNB itself
may be the same or different. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts, that is, the data the UE sends and receives on the two radio carriers with the MeNB and the LPN is encrypted/decrypted with different security keys. Note that when the MeNB and the LPN use different keys, there may be a moment at which only the LPN side needs a key update while the MeNB does not; even then it is the MeNB that derives the updated key for the LPN and notifies the LPN (in this architecture the MeNB and the LPN exchange the information needed for packet transmission in real time, so the MeNB learns promptly that the LPN side needs a key update). Preferably, after the LPN has successfully updated the key it may reply with a response message, which may be called "key update response". On the other hand, the MeNB also needs to notify the UE of the key update. After the configuration update of each node is completed, the cross-base-station offloading joint transmission service can continue, and the data exchanged between the UE and the MeNB and LPN of the access network is encrypted/decrypted with the new key and algorithm.

Example 3: The deployment scenario is the same as in Example 1. In the architecture in which the MeNB and the LPN provide the UE with the cross-base-station multi-stream joint transmission service, this example takes the case in which both CP and UP connections exist between the LPN and the UE. During the preparation of the multi-stream service, or when the network side needs a key update, the MeNB needs to transmit the AS Key to the LPN so that the LPN can perform the security protection function. FIG. 8 is the signaling flow chart of Example 3 and, as shown in FIG. 8, may include the following steps.

Step 1: When the MeNB decides to provide the cross-base-station multi-stream transmission service to a UE that has accessed its cell, it transmits the necessary UE context and other information to the LPN over the Backhaul interface, for example carried in a "bearer setup request" message. Besides the necessary parameters of the offloaded bearer, the UE's security capabilities and similar information, this message must also include the AS Key the MeNB derived from KeNB. In this example both UP and RRC connections exist between the LPN and the UE, so the AS Key transmitted by the MeNB to the LPN must contain the UP Key and the RRC Key (K_UPenc, and at least one of K_RRCenc and K_RRCint). Preferably, the AS Key transmitted by the MeNB to the LPN may be the same as or different from the AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts.
After the LPN agrees to establish the offloaded bearer, it replies to the MeNB with a response message, which may be called "bearer setup response"; the MeNB can then instruct the UE to access the cell established by the LPN. Since the UE has CP and UP connections with both the MeNB and the LPN, the user data and control signaling transmitted on the two radio carriers are encrypted and integrity protected with the keys and algorithms according to the configuration, and the security requirement of the network is met.

Step 3: During the multi-stream service, if the network side (including the operator, the core network, the MeNB and the LPN) needs a key update, the MeNB must notify the LPN of the updated key. For example, this information may be carried in a message called "key update indication" and passed to the LPN over the Backhaul interface. Preferably, the message carries an indication of whether the key has been updated, together with the updated key.
In this example both UP and RRC connections exist between the LPN and the UE, so the New AS Key transmitted by the MeNB to the LPN must contain the UP Key and the RRC Key (K_UPenc', and at least one of K_RRCenc' and K_RRCint'). Preferably, after the key update, the New AS Key transmitted by the MeNB to the LPN may be the same as or different from the New AS Key used by the MeNB itself. If the two AS Keys are different, the MeNB must know that the UE can support two different security contexts. Preferably, after the LPN has successfully updated the key it may reply with a response message, which may be called "key update response". On the other hand, the MeNB needs to notify the UE of the key update, the protocol layer configuration changes and similar information. After the configuration update of each node is completed, the cross-base-station offloading joint transmission service can continue, and the user data and control signaling exchanged between the UE and the MeNB and LPN of the access network are encrypted and integrity protected with the new key and algorithm according to the configuration.

In summary, with the technical solution of the embodiments of the present invention, a heavily loaded MeNB can offload part of the user data to the LPN for transmission; when the UE moves between small cells the signaling of the handover procedure is reduced, lightening the message load of the network; for the UE, the wider band of multi-carrier transmission better meets the needs of high-volume services, and transmission with a nearby LPN also saves power, so the system architecture improves the user experience.
In addition, in the system architecture of the embodiments of the present invention, the macro base station of the heterogeneous access network transmits the key to the LPN, so that transmission on the radio link between the LPN and the UE can carry the configured security protection, which guarantees the security of the system architecture. The technical solution of the embodiments can provide the UE with a good joint transmission service securely and reliably.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the above description, the structure required to construct such a system is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and the description above of a specific language is given to disclose the best mode of the invention.

Numerous specific details are set forth in the description provided herein. However, it is understood that the embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Therefore the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will appreciate that the modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from those of the embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose. Moreover, those skilled in the art will understand that, although some embodiments described herein include certain features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the LTE access network according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Industrial Applicability: As described above, the data security transmission method and LTE access network system provided by the embodiments of the present invention have the following beneficial effects: a heavily loaded MeNB can offload part of the user data to the LPN for transmission; when the UE moves between small cells the signaling of the handover procedure is reduced, lightening the message load of the network; for the UE, the wider band of multi-carrier transmission better meets the needs of high-volume services, and transmission with a nearby LPN also saves power, so the system architecture improves the user experience; furthermore, in the system architecture of the embodiments, the macro base station of the heterogeneous access network transmits the key to the LPN, so that transmission on the radio link between the LPN and the UE can carry the configured security protection, which guarantees the security of the system architecture.

Claims

1. A data security transmission method for a heterogeneous network based on a Long Term Evolution (LTE) system, the heterogeneous network comprising an LTE core network, an LTE access network and LTE user equipment, one or more macro base stations (MeNB) being deployed in the LTE access network and one or more low power nodes (LPN) being deployed within the coverage of the MeNB, the method comprising:

when the LTE user equipment accesses the MeNB, the MeNB acquires a base station key from the LTE core network, generates a first access stratum key from the base station key, and, over the control plane interface between it and the LTE user equipment, encrypts the corresponding control plane information and user data with the first access stratum key, integrity protects the corresponding control plane information, and sends them to the LTE user equipment;

the MeNB determines an offloading policy for the user data of the LTE user equipment and, over the backhaul interface between it and the LPN, sends to the corresponding LPN a request message for providing the multi-stream transmission service to the LTE user equipment, the control plane information the LPN needs, and a second access stratum key;

the MeNB receives the request response sent by the LPN and, according to the offloading policy, encrypts one part of the user data received from the LTE core network with the first access stratum key and sends it to the LTE user equipment over the user plane interface between them, and sends the other part of the user data to the LPN over the backhaul interface;

the LPN encrypts the corresponding user data with the second access stratum key and sends the encrypted user data to the LTE user equipment over the user plane interface between them.

2. The method of claim 1, wherein the first access stratum key comprises a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.

3. The method of claim 1, further comprising: the LPN receives, over the control plane interface between it and the LTE user equipment, the measurement result information reported by the LTE user equipment, and adjusts the scheduling of the LTE user equipment according to that measurement result information.

4. The method of claim 3, wherein, when only a user plane interface exists between the LPN and the LTE user equipment, the second access stratum key comprises a user plane encryption key for user plane data encryption; and when a user plane interface and a control plane interface exist between the LPN and the LTE user equipment, the second access stratum key comprises a user plane encryption key for user plane data encryption, and a control plane encryption key for control plane signaling encryption and/or a control plane integrity protection key for control plane signaling integrity protection.

5. The method of claim 1, wherein the first access stratum key and the second access stratum key are the same or different; when the first access stratum key and the second access stratum key are different, the LTE user equipment needs to support two sets of security algorithms.

6. The method of claim 1, wherein the MeNB determining the offloading policy for the user data comprises: the MeNB determines the offloading policy for the user data with the radio bearer as the offloading granularity, at least according to the network load and the measurement result information reported by the LTE user equipment.

7. The method of claim 6, wherein, when the offloading policy uses the radio bearer as the offloading granularity, the protocol stack form of the offloading policy comprises: a Packet Data Convergence Protocol entity for security protection and the lower layer protocol entities, provided on each of the MeNB and the LPN, the lower layer protocol entities comprising the radio link control sublayer, the medium access control sublayer and the physical layer.

8. The method of claim 1, further comprising: during the multi-stream transmission service, when a key update is required according to the needs of the operator, the LTE core network or the LTE access network, the MeNB sends a key update indication to the LPN over the backhaul interface, the key update indication carrying a new access stratum key; the MeNB receives the key update response fed back by the LPN over the backhaul interface and notifies the LTE user equipment of the key update over the control plane interface between them.

9. An LTE access network system, in which one or more macro base stations (MeNB) are deployed and one or more low power nodes (LPN) are deployed within the coverage of the MeNB, wherein the MeNB is configured to: when the LTE user equipment accesses the MeNB, acquire a base station key from the LTE core network, generate a first access stratum key from the base station key, and, over the control plane interface between it and the LTE user equipment, encrypt the corresponding control plane information and user data with the first access stratum key, integrity protect the corresponding control plane information, and send them to the LTE user equipment; determine an offloading policy for the user data of the LTE user equipment and, over the backhaul interface between it and the LPN, send to the corresponding LPN a request message for providing the multi-stream transmission service to the LTE user equipment, the control plane information the LPN needs, and a second access stratum key; receive the request response sent by the LPN and, according to the offloading policy, encrypt one part of the user data received from the core network with the first access stratum key and send it to the LTE user equipment over the user plane interface between them, and send the other part of the user data to the LPN over the backhaul interface;
used to perform corresponding user data by using the first access layer key through a user plane interface with the LTE user equipment. After being encrypted, the LTE user equipment is sent to the LTE user equipment, and another part of the user data is sent to the LPN through the backward link interface;
所述 LPN, 设置为接收所述 MeNB发送的为所述 LTE用户设备提供多流 传输服务的请求消息, 并向所述 MeNB发送请求响应; 使用所述第二接入层密 钥对相应的用户数据进行加密,并通过其与所述 LTE用户设备之间的用户面接 口将加密后的用户数据发送给所述 LTE用户设备。 、 如权利要求 9所述的 LTE接入网, 其中, 所述第一接入层密钥包括: 用于用户 面数据加密的用户面加密密钥, 以及用于控制面信令加密的控制面加密密钥和 / 或用于控制面信令完整性保护的控制面完整性保护密钥。 、 如权利要求 9所述的 LTE接入网, 其中, 所述 LPN还设置为: 通过其与所述 LTE用户设备之间的控制面接口,接收所述 LTE用户设备上报的测量结果信息, 并根据所述测量结果信息调整对所述 LTE用户设备的调度。 、 如权利要求 11所述的 LTE接入网, 其中,  The LPN is configured to receive a request message that is sent by the MeNB to provide a multi-stream transmission service for the LTE user equipment, and send a request response to the MeNB, and use the second access layer key to the corresponding user. The data is encrypted, and the encrypted user data is sent to the LTE user equipment through a user plane interface with the LTE user equipment. The LTE access network according to claim 9, wherein the first access layer key comprises: a user plane encryption key for user plane data encryption, and a control plane for control plane signaling encryption. Encryption key and/or control plane integrity protection key for control plane signaling integrity protection. The LTE access network according to claim 9, wherein the LPN is further configured to: receive, by using a control plane interface with the LTE user equipment, measurement result information reported by the LTE user equipment, and The scheduling of the LTE user equipment is adjusted according to the measurement result information. The LTE access network according to claim 11, wherein
在所述 LPN与所述 LTE用户设备之间仅具有用户面接口时, 所述第二接 入层密钥包括: 用于用户面数据加密的用户面加密密钥;  The second access layer key includes: a user plane encryption key for user plane data encryption when the user interface is only provided with the user plane interface between the LPN and the LTE user equipment;
在所述 LPN与所述 LTE用户设备之间具有用户面接口和控制面接口时, 所述第二接入层密钥包括: 用于用户面数据加密的用户面加密密钥, 以及用于 控制面信令加密的控制面加密密钥和 /或用于控制面信令完整性保护的控制面 完整性保护密钥。 、 如权利要求 9所述的 LTE接入网, 其中, 所述第一接入层密钥与所述第二接入 层密钥相同或不相同;  When the user interface and the control plane interface are provided between the LPN and the LTE user equipment, the second access layer key includes: a user plane encryption key for user plane data encryption, and is used for controlling Control plane encryption key for face signaling encryption and/or control plane integrity protection key for control plane signaling integrity protection. The LTE access network according to claim 9, wherein the first access layer key is the same as or different from the second access layer key;
在所述第一接入层密钥与所述第二接入层密钥不相同时,所述 LTE用户设 备需要支持两套安全算法。 、 如权利要求 9所述的 LTE接入网, 其中, 所述 MeNB还设置为: 至少根据网络 负载、 以及所述 LTE用户设备上报的测量结果信息, 以无线承载为分流粒度确 定用户数据的分流策略。 、 如权利要求 14所述的 LTE接入网, 其中, 在所述分流策略以无线承载为分流 粒度时, 所述分流策略的协议桟形式包括: 所述 MeNB和所述 LPN上分别设 置有用于进行安全保护的数据包汇聚协议实体, 以及各低层协议实体, 其中所 述各低层协议实体包括: 无线链路控制子层、媒体接入控制子层、 以及物理层。 、 如权利要求 9所述的 LTE接入网, 其中, 所述 MeNB还设置为: When the first access layer key is different from the second access layer key, the LTE user equipment needs to support two sets of security algorithms. The LTE access network according to claim 9, wherein the MeNB is further configured to: determine, according to the network load, and the measurement result information reported by the LTE user equipment, the splitting of the user data by using the radio bearer as a split granularity Strategy. The LTE access network according to claim 14, wherein, when the offloading policy uses the radio bearer as the offloading granularity, the protocol form of the offloading policy includes: the MeNB and the LPN are respectively configured to be used for And a lower layer protocol entity, where the lower layer protocol entity includes: a radio link control sublayer, a medium access control sublayer, and a physical layer. The LTE access network according to claim 9, wherein the MeNB is further configured to:
在多流传输服务过程中, 根据运营商、所述 LTE核心网、或所述 LTE接入 网的需求, 需要进行密钥更新时,通过所述后向链路接口向所述 LPN发送密钥 更新指示, 所述密钥更新指示中携带有新的接入层密钥; 接收所述 LPN通过所 述后向链路接口反馈的密钥更新响应,并通过其与所述 LTE用户设备之间的控 制面接口通知所述 LTE用户设备密钥的更新。  In the process of the multi-stream transmission service, when the key update is required according to the requirements of the operator, the LTE core network, or the LTE access network, the key is sent to the LPN through the backward link interface. And an update indication, where the key update indication carries a new access layer key; receiving a key update response that is forwarded by the LPN through the backward link interface, and passing between the LTE user equipment and the LTE user equipment The control plane interface notifies the update of the LTE user equipment key.
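The key scoping, bearer-level offloading and key update procedure of the claims, as an added simulation that is not part of the patent or of any ZTE code: the KDF, the per-bearer cipher, the offloading thresholds and the message names are constructed stand-ins. The point it shows is that the LPN only ever receives the key set matching the interfaces it has towards the UE, and that a separate second key leaves the UE holding one key set per serving node (the "two sets of security algorithms" of claims 5 and 13).

```python
import hmac, hashlib

def kdf(k_enb, label):
    # Constructed stand-in for the 3GPP key derivation (assumption, not the standard KDF)
    return hmac.new(k_enb, label, hashlib.sha256).digest()[:16]

def derive_as_keys(k_enb, has_cp_interface, node=b"MeNB"):
    # AS key set scoped to a node's interfaces: UP key always, CP keys only with a CP interface
    keys = {"up_enc": kdf(k_enb, node + b"|UP-enc")}
    if has_cp_interface:
        keys["cp_enc"] = kdf(k_enb, node + b"|CP-enc")
        keys["cp_int"] = kdf(k_enb, node + b"|CP-int")
    return keys

def protect(key, bearer, count, data):
    # Toy per-bearer stream cipher (XOR with an HMAC keystream) standing in for PDCP ciphering
    ks = hmac.new(key, bytes([bearer]) + count.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(d ^ ks[i % 32] for i, d in enumerate(data))   # symmetric: UE calls it to decrypt

def split_policy(menb_load, measurements):
    # Radio-bearer-granular offloading from load and UE measurement reports (constructed rule)
    return {b: "LPN" if menb_load > 0.7 and rsrp > -100 else "MeNB"
            for b, rsrp in measurements.items()}

class LPN:
    def __init__(self, has_cp_interface):
        self.has_cp, self.key = has_cp_interface, None
    def multiflow_request(self, second_key):   # request message over the backhaul
        self.key = second_key                    # LPN holds only the keys it was given
        return "ACK"
    def key_update(self, new_key):               # key update indication -> response
        self.key = new_key
        return "KEY-UPDATE-ACK"
    def send(self, bearer, count, data):         # offloaded user data, LPN's own key
        return protect(self.key["up_enc"], bearer, count, data)

class MeNB:
    def __init__(self, k_enb, lpn, separate_lpn_key):
        self.lpn, self.separate, self.bearers = lpn, separate_lpn_key, {}
        self.install(k_enb)
    def install(self, k_enb):                    # first key for the UE, second key for the LPN
        self.first = derive_as_keys(k_enb, True)
        self.second = derive_as_keys(k_enb, self.lpn.has_cp, b"LPN") if self.separate else self.first
    def setup(self, menb_load, measurements):
        self.bearers = split_policy(menb_load, measurements)
        return self.lpn.multiflow_request(self.second)
    def deliver(self, bearer, count, data):      # route per bearer, cipher with the right key
        if self.bearers[bearer] == "LPN":
            return self.lpn.send(bearer, count, data)
        return protect(self.first["up_enc"], bearer, count, data)
    def rekey(self, new_k_enb):                  # key update: LPN over backhaul, UE over CP
        self.install(new_k_enb)
        assert self.lpn.key_update(self.second) == "KEY-UPDATE-ACK"
        return {"MeNB": self.first, "LPN": self.second}
```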
PCT/CN2013/083505 2013-01-15 2013-09-13 Secure data transmission method and lte access network system WO2014110908A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310013744.2A CN103929740B (en) 2013-01-15 2013-01-15 Safe data transmission method and LTE access network system
CN201310013744.2 2013-01-15

Publications (1)

Publication Number Publication Date
WO2014110908A1 true WO2014110908A1 (en) 2014-07-24

Family

ID=51147789

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/083505 WO2014110908A1 (en) 2013-01-15 2013-09-13 Secure data transmission method and lte access network system

Country Status (2)

Country Link
CN (1) CN103929740B (en)
WO (1) WO2014110908A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365470A (en) * 2018-03-26 2019-10-22 华为技术有限公司 A kind of key generation method and relevant apparatus

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10091649B2 (en) * 2015-07-12 2018-10-02 Qualcomm Incorporated Network architecture and security with encrypted client device contexts
CN106375989B (en) 2015-07-20 2019-03-12 中兴通讯股份有限公司 The method and user equipment and wireless access minor node of realization access layer safety
CN106375992B (en) * 2015-07-20 2019-08-06 中兴通讯股份有限公司 The method and user equipment and node of realization access layer safety
JP6630990B2 (en) 2015-12-03 2020-01-15 テレフオンアクチーボラゲット エルエム エリクソン(パブル) Lightweight RRC connection setup in multi-RAT network
CN108605224B (en) * 2015-12-03 2022-02-22 瑞典爱立信有限公司 Multi-RAT access layer security
CN108924826B (en) * 2017-03-24 2023-04-14 北京三星通信技术研究有限公司 Data transmission control method and device
CN109586900B (en) * 2017-09-29 2020-08-07 华为技术有限公司 Data security processing method and device
CN114390596A (en) 2018-08-13 2022-04-22 华为技术有限公司 Method for processing service flow, communication method and device
WO2020252790A1 (en) * 2019-06-21 2020-12-24 Oppo广东移动通信有限公司 Information transmission method and apparatus, network device, and user equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110274276A1 (en) * 2010-05-10 2011-11-10 Samsung Electronics Co. Ltd. Method and system for positioning mobile station in handover procedure
CN102625300A (en) * 2011-01-28 2012-08-01 华为技术有限公司 Generation method and device for key
CN102857971A (en) * 2011-06-30 2013-01-02 华为技术有限公司 Method for data transmission, diverging point device, user terminal and system thereof

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102056159B (en) * 2009-11-03 2014-04-02 华为技术有限公司 Method and device for acquiring safe key of relay system
CN102056157B (en) * 2009-11-04 2013-09-11 电信科学技术研究院 Method, system and device for determining keys and ciphertexts
CN101945387B (en) * 2010-09-17 2015-10-21 中兴通讯股份有限公司 The binding method of a kind of access layer secret key and equipment and system
CN101931953B (en) * 2010-09-20 2015-09-16 中兴通讯股份有限公司 Generate the method and system with the safe key of apparatus bound
CN101977378B (en) * 2010-09-30 2015-08-12 中兴通讯股份有限公司 Information transferring method, network side and via node
CN102142942B (en) * 2011-04-01 2017-02-08 中兴通讯股份有限公司 Data processing method and system in relay node system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365470A (en) * 2018-03-26 2019-10-22 华为技术有限公司 A kind of key generation method and relevant apparatus
CN110365470B (en) * 2018-03-26 2023-10-10 华为技术有限公司 Key generation method and related device

Also Published As

Publication number Publication date
CN103929740A (en) 2014-07-16
CN103929740B (en) 2017-05-10

Similar Documents

Publication Publication Date Title
US11050727B2 (en) Security key generation and management method of PDCP distributed structure for supporting dual connectivity
US10567957B1 (en) Dual connectivity mode of operation of a user equipment in a wireless communication network
WO2014110908A1 (en) Secure data transmission method and lte access network system
CN109088714B (en) System and method for communicating secure key information
JP2020109975A (en) Derivation of security key in double connection
US11483705B2 (en) Method and device for generating access stratum key in communications system
CN109417740B (en) Maintaining security key usage during handover of the same wireless terminal
CN110463270A (en) System and method for dynamic data relaying
WO2018137689A1 (en) Method for secure data transmission, access network, terminal and core network device
US10863569B2 (en) RRC connection re-establishment method for data transmission
WO2015062097A1 (en) Dual connection mode key processing method and device
WO2012071845A1 (en) Method and system for realizing integrality protection
TW201831040A (en) Non-access stratum transport for non-mobility management messages
WO2011127791A1 (en) Method and system for establishing enhanced key when terminal moves to enhanced universal terrestrial radio access network(utran)
WO2017219355A1 (en) Multi-connection communications method and device
WO2014180280A1 (en) Link establishment method, base station, and system
WO2014101677A1 (en) Method, base station and system for sending rrc signaling
WO2014190828A1 (en) Method, apparatus and system for security key management
KR102104844B1 (en) Data transmission method, first device and second device
EP3046362B1 (en) Distribution method, base station and user equipment
WO2011143977A1 (en) Method and system for establishing enhanced keys when terminal moves to enhanced universal terrestrial radio access network (utran)
WO2014040259A1 (en) Radio resource control connection reestablishment method, device and network system
CN107925874B (en) Ultra-dense network security architecture and method
US20160249215A1 (en) Communication control method, authentication server, and user terminal
WO2014111049A1 (en) Cell optimization method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13872227

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13872227

Country of ref document: EP

Kind code of ref document: A1