WO2015081784A1 - Method, device, and system for verifying security capability - Google Patents


Info

Publication number
WO2015081784A1
Authority
WO
WIPO (PCT)
Prior art keywords
security capability
network device
security
user equipment
capability
Application number
PCT/CN2014/091258
Other languages
French (fr)
Chinese (zh)
Inventor
吴义壮
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2015081784A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security

Definitions

  • the present invention relates to the field of communications, and in particular, to a method, device, and system for verifying security capabilities.
  • SGSN Server GPRS Support Node
  • GPRS General Packet Radio Service
  • TD-SCDMA Time Division Synchronization Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • RNC Radio Network Controller
  • 3G 3rd Generation, 3rd Generation Mobile Communication Technology
  • RRC Radio Resource Control Protocol
  • the message sent by the user end to the RNC and the SGSN may be intercepted and tampered with by an attacker, so the transmission of the information is not secured.
  • Embodiments of the present invention provide a method, device, and system for verifying security capabilities, relating to the field of communications, capable of verifying whether information transmission is secure, and improving information transmission security.
  • a method of verifying security capabilities includes:
  • the user equipment verifies whether the second security capability is consistent with the first security capability.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR;
  • the method further includes:
  • the user equipment verifies whether the third security capability is consistent with the first security capability.
  • the method further includes:
  • the user equipment turns on security protection according to the integrity protection algorithm of the first network device.
  • the method further includes:
  • if the second security capability is inconsistent with the first security capability, the user equipment generates a security establishment complete message and sends it to the first network device, so that the first network device transmits the first security capability to the second network device according to the security establishment complete message.
  • the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
  • the transmitting, by the user equipment, of the first security capability of the user equipment to the second network device includes:
  • the third network device is an SGSN or a VLR.
  • the method further includes:
  • the user equipment sends the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the method further includes:
  • a method of verifying security capabilities includes:
  • the first network device verifies whether the first security capability is consistent with the second security capability.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR;
  • the method further includes:
  • the first network device turns on security protection.
  • the method further includes:
  • the first network device sends a third security capability to the user equipment, so that the user equipment verifies that the third security capability is consistent with the first security capability, and then turns on security protection.
  • the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
  • the method further includes:
  • the first network device updates the security capability according to the first security capability.
  • the method further includes:
  • the first network device updates its own algorithm to the higher priority algorithm, and sends the higher priority algorithm to the user equipment so that the user equipment updates its algorithm.
  • a method of verifying security capabilities includes:
  • the mobility management entity MME receives the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, wherein the first security capability is forwarded by the evolved node eNB to the MME;
  • the MME verifies whether the first security capability is consistent with the second security capability.
  • the method further includes:
  • the MME updates the security capability according to the first security capability.
  • the method further includes:
  • the first network device updates its own algorithm to the higher priority algorithm, and transmits the higher priority algorithm to the user equipment so that the user equipment updates its algorithm.
  • a user equipment includes:
  • a sending unit configured to send, to the second network device, the first security capability of the user equipment
  • a receiving unit configured to receive a second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user equipment;
  • a verification unit configured to verify whether the second security capability is consistent with the first security capability.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR;
  • the sending unit is further configured to send the first security capability to the first network device
  • the receiving unit is further configured to receive a third security capability sent by the first network device
  • the verification unit is further configured to verify whether the third security capability is consistent with the first security capability.
  • the user equipment further includes a protection unit, configured to enable security protection according to the integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
  • the verification unit is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability
  • the sending unit is further configured to send the security establishment complete message generated by the verification unit to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
  • the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
  • the sending unit is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device, wherein the third network device is an SGSN or a VLR.
  • the sending unit is further configured to: when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the receiving unit is further configured to: when the first security capability received by the first network device or the second network device includes an algorithm with a higher priority, receive the higher priority algorithm sent by the first network device or the second network device;
  • the user equipment further includes a protection unit, configured to update its own algorithm according to the higher priority algorithm received by the receiving unit.
  • a first network device includes:
  • a receiving unit configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device
  • a verification unit configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR;
  • the first network device further includes a protection unit, configured to enable security protection when the second security capability is consistent with the first security capability.
  • the first network device further includes a sending unit, configured to send a third security capability to the user equipment, so that the user equipment verifies that the third security capability is consistent with the first security capability, and then turns on security protection.
  • the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
  • the first network device further includes a protection unit, configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
  • the protection unit is further configured to: when the first security capability received by the receiving unit includes an algorithm with a higher priority, update its own algorithm to the higher priority algorithm;
  • the sending unit is further configured to send the higher priority algorithm to the user equipment, so that the user equipment updates an algorithm.
  • a mobility management entity MME includes:
  • a receiving unit configured to receive a first security capability sent by the user equipment, and a second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved node eNB to the MME;
  • a verification unit configured to verify whether the first security capability is consistent with the second security capability.
  • the MME further includes a protection unit, configured to: when the first security capability and the second security capability are inconsistent, update the security capability according to the first security capability.
  • the protection unit is further configured to: when the first security capability received by the receiving unit includes an algorithm with a higher priority, update its own algorithm to the higher priority algorithm;
  • the MME further includes a sending unit, configured to send the higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the user equipment sends the first security capability of the user equipment to the second network device, receives the second security capability sent by the second network device, and verifies whether the second security capability is consistent with the first security capability, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • FIG. 1 is a schematic flowchart of a method for verifying security capability according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of instruction interaction of another method for verifying security capabilities according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an instruction interaction of another method for verifying security capabilities according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 5 is a schematic diagram of instruction interaction of another method for verifying security capabilities according to another embodiment of the present invention.
  • FIG. 6 is a schematic diagram of another instruction interaction of a method for verifying security capabilities according to another embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 8 is a schematic diagram of another instruction interaction of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a user equipment according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a first network device according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an MME according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a user equipment according to another embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of a first network device according to another embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of an MME according to another embodiment of the present invention.
  • FIG. 15 is a schematic structural diagram of a wireless network system according to an embodiment of the present invention.
  • FIG. 16 is a schematic structural diagram of a wireless network system according to another embodiment of the present invention.
  • FIG. 17 is a schematic structural diagram of a wireless network system according to still another embodiment of the present invention.
  • a method, device and system for verifying security capabilities provided by embodiments of the present invention can be applied to GSM (Global System of Mobile communication), GERAN (GSM/EDGE Radio Access Network, where EDGE is Enhanced Data Rate for GSM Evolution), UMTS (Universal Mobile Telecommunications System), LTE (Long Term Evolution) and EPS (Evolved Packet System) systems. Of course, the present invention can also be applied to other network systems, but in the existing communication field the above five network systems are the ones widely used, so the embodiments of the present invention are described in detail mainly using these five network systems; the present invention is not limited to them and can also be implemented in other network systems.
  • an embodiment of the present invention provides a method for verifying security capabilities, the method comprising the following steps:
  • the user equipment sends the first security capability of the user equipment to the second network device.
  • the first security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the first security capability of the user equipment is first sent to the second network device.
  • the user equipment receives a second security capability sent by the second network device.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability, and specifically the security capabilities it includes correspond to those included in the first security capability in step 101. It can also be said that whichever network security capabilities the first security capability includes, the second security capability also includes.
  • the user equipment verifies whether the second security capability is consistent with the first security capability.
  • the user equipment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment; if they are inconsistent, this indicates that the security capability has been tampered with and the user equipment can stop accessing the network. If they are consistent, the security capability has not been tampered with and the user equipment can access the network.
  • the user equipment verifies whether the transmission of information between itself and the second network device is secure.
  • the first security capability of the user equipment is only the part of the user equipment's security capability that is to be verified; the user equipment may also send security capabilities that do not need to be verified to the second network device.
  • the security capability of the user equipment includes a list of all encryption algorithms and integrity algorithms supported by the user equipment.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • An embodiment of the present invention provides another method for verifying security capabilities, which is applied to a UMTS system.
  • a user equipment may be a user equipment (UE), where the UE includes an MS (Mobile Station).
  • the first network device may be an RNC or an SRNC (Serving Radio Network Controller), and the second network device may be an SGSN or a VLR (Visitor Location Register).
  • the SRNC and SGSN are used as examples to describe the technology of the present invention; this does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the method includes:
  • the user equipment sends the first security capability of the user equipment to the second network device.
  • the first security capability includes a list of encryption algorithms supported by the user equipment and a list of integrity algorithms, where the first security capability may be included in an initial L3 (Layer 3, Layer 3) message sent to the second network device.
  • the L3 message may also include security capabilities not included in the first security capability, because the first security capability represents the security capability for verification, but the user equipment may choose to send other security capabilities that are temporarily not verified together with it.
  • because the security capability sent by the user equipment may be tampered with in transit to the second network device, the security capability received by the second network device is referred to as the second security capability. If the first security capability and the second security capability are consistent, it proves that the first security capability has not been tampered with, and the information transmission is secure.
  • the user equipment receives a second security capability sent by the second network device.
  • the second security capability is forwarded by the first network device to the user equipment.
  • SMC Security Mode Command
  • the second security capability is sent to the first network device in an SMC (Security Mode Command) message, and the first network device forwards the second security capability to the user equipment in the SMC message.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability, and specifically includes content corresponding to content included in the first security capability of the user equipment.
  • the SMC message may also include the security capability that is not included in the second security capability, and the second security capability only represents the security capability for performing the verification, but the SMC message may also include the security capability that does not need to be verified temporarily.
  • the user equipment verifies whether the second security capability is consistent with the first security capability.
  • the user equipment verifies whether the information transmission between itself and the second network device is secure.
  • the method further includes a step 204, and step 204 has no sequential relationship with steps 201, 202, and 203; that is, step 204 can be performed simultaneously with any of steps 201, 202, and 203, or before or after any of them.
  • the user equipment sends the first security capability to the first network device.
  • the first security capability sent to the first network device is sent in an RRC connection setup.
  • the user equipment receives a third security capability sent by the first network device.
  • the third security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability, and specifically the content it includes corresponds to the content of the first security capability and the second security capability in the foregoing steps.
  • the third security capability is included in the SMC message and sent to the user equipment.
  • the user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
  • the user equipment verifies whether the information transmission between itself and the first network device is secure.
  • the method further includes step 207, and any step between step 207 and steps 201-206 has no sequential relationship.
  • the first network device receives a priority list of integrity protection algorithms sent by the second network device.
  • the integrity protection algorithm priority list is sent to the first network device in the SMC message, where the SMC message may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device encrypts and integrity protects the transmitted data.
  • the first network device, according to the received integrity protection algorithm priority list and the first security capability, selects an integrity protection algorithm and turns on security protection based on the selected integrity protection algorithm.
  • the first network device further receives the encryption algorithm priority list, and selects an encryption algorithm according to the encryption algorithm priority list, and starts security protection according to the selected encryption algorithm and the integrity protection algorithm, and then transmits the data.
  • the first network device encrypts and integrity protects the data by using the selected encryption algorithm and the integrity protection algorithm, and the same algorithms are used to decrypt the data; encrypting the transmitted data ensures the security of subsequent data transmission.
  • the first network device sends the selected integrity protection algorithm to the user equipment.
  • the first network device sends the selected integrity protection algorithm to the user equipment in the SMC message, where the SMC message may further include an encryption algorithm selected by the first network device.
  • if, in step 206, the third security capability sent by the first network device is consistent with the first security capability of the user equipment, then after step 209 the method further includes:
  • the user equipment turns on security protection according to an integrity protection algorithm.
  • the user equipment generates a security establishment complete message, and sends a security establishment complete message to the first network device.
  • the first network device sends a security setup complete message to the second network device.
  • the first network device sends the first security capability to the second network device in the security establishment complete message, so that the second network device updates the security capability according to the first security capability.
  • the security setup complete message may further include an encryption algorithm and an integrity protection algorithm selected by the first network device.
  • the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. Moreover, only if the third security capability sent by the first network device is consistent with the first security capability does the user equipment turn on security protection, which ensures the security of data transmission after protection is turned on. In this way the user equipment verifies that the security capabilities held by the first network device, the second network device, and the user equipment itself are consistent and have not been tampered with, the possibility of transmitting data without security guarantees is reduced, and the security of information transmission is improved.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • An embodiment of the present invention provides a method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an SRNC, an eNB (Evolved Node B), an SGSN, and an MME (Mobility Management Entity), wherein the eNB is a first network device, the MME is a second network device, and the SGSN is a third network device.
  • the present embodiment uses the MME, the eNB, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the embodiment of the present invention is applied to the scenario where the user equipment is switched from the UMTS system to the LTE system. Referring to FIG. 3, the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is included in the relocation request message and sent to the MME.
  • the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • steps 301-302 implement the sending of the first security capability by the user equipment to the second network device, so that the second network device acquires the second security capability.
  • the user equipment sends the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device.
  • the MME sends a handover request message to the eNB.
  • the MME detects whether the handover request message includes a second security capability, and when it does, the MME includes the second security capability in an IE (Information Element) of a NAS (Non Access Stratum) secure transparent container, and the IE of the NAS secure transparent container is included in the handover request and sent to the eNB;
  • alternatively, the MME detects whether the relocation request message includes the second security capability, and when it does, the MME includes the second security capability and a security capability indication in the handover request message sent to the eNB.
  • because the user equipment cannot communicate directly with the eNB while it is not connected to the LTE network, the security capability must be forwarded by the SGSN and the MME to reach the eNB.
  • the eNB sends a handover confirmation message to the MME.
  • after receiving the second security capability sent by the MME, the eNB creates an RRC connection reconfiguration information element to establish a direct connection with the user equipment, and sends a handover request acknowledgement message to the MME; corresponding to step 303, the handover request acknowledgement message may include the IE of the NAS secure transparent container, which includes the second security capability;
  • alternatively, the eNB includes the second security capability in the RRC connection reconfiguration information element according to the security capability indication, and the RRC connection reconfiguration information element is included in the handover request acknowledgement message sent to the MME.
  • the MME sends a redirect response message to the SGSN.
  • the SGSN sends a redirect command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the MME sends a redirect response message to the SGSN, and the SGSN forwards the message to the user equipment, wherein the redirect response message includes the second security capability according to step 303 and step 304.
  • steps 303-307 carry out the delivery of the second security capability from the second network device to the user equipment, forwarded by the first network device: the second network device transmits the second security capability to the first network device, the first network device returns it to the second network device, and the second network device sends it to the user equipment via the third network device.
  • the user equipment verifies whether the second security capability sent by the eNB is consistent with the first security capability of the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message further includes a first security capability, and the eNB may update the security capability and the algorithm according to the first security capability.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message may further include the first security capability, and the MME updates its stored security capability and the algorithm according to the first security capability.
  • the MME changes the NAS algorithm; the NAS algorithm encrypts and integrity-protects the data transmitted between the MME and the user equipment.
  • the eNB also changes the AS algorithm, which encrypts and integrity-protects the data transmitted between the user equipment and the eNB; correspondingly, this also triggers the user equipment to change its own algorithm.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes a first security capability, so that the SGSN updates its saved user equipment security capability.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • Another embodiment of the present invention provides a method for verifying security capabilities. Referring to FIG. 4, the method includes:
  • the first network device receives a second security capability sent by the second network device.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the first network device receives the first security capability sent by the user equipment.
  • the user equipment may be a UE, wherein the UE comprises an MS.
  • the first security capability may include one or more of UMTS security capabilities, GERAN security capabilities, GSM security capabilities, and EPS security capabilities.
  • the first network device verifies whether the first security capability is consistent with the second security capability.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a user equipment may be a UE, where the UE includes an MS, and the first network device may be an RNC or an SRNC.
  • the second network device can be an SGSN or a VLR.
  • the present embodiment uses the UE, the SRNC, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the method includes:
  • the user equipment sends the first security capability to the first network device.
  • the first security capability is sent to the first network device during RRC connection establishment.
  • the first security capability includes the UMTS security capability, and may also include one or more of the GERAN security capability, the GSM security capability, and the EPS security capability.
  • the user equipment sends the first security capability to the second network device.
  • the first security capability is included in the initial L3 message sent to the second network device. Because the first security capability sent by the user equipment may be tampered with on its way to the second network device, the security capability received by the second network device is called the second security capability; if the first security capability and the second security capability are consistent, this proves that the security capability was not tampered with and the information transmission is secure.
  • Step 501 and step 502 have no sequential relationship.
  • the first network device receives a second security capability sent by the second network device.
  • the second security capability is sent to the first network device in the SMC message.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the method further includes step 505, and step 505 has no sequential relationship with any of steps 501-504.
  • the first network device receives a priority list of integrity protection algorithms sent by the second network device.
  • the integrity protection algorithm priority list is sent to the first network device in the SMC message, where the SMC message may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device can protect the transmitted data.
  • the method further includes:
  • the first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
  • the first network device may also receive an encryption algorithm priority list, select an encryption algorithm from it, and enable encryption protection according to the selected encryption algorithm.
  • the second security capability and integrity protection algorithm priority list sent by the second network device may be included in the SMC message, that is, the steps 503-506 may also be combined into the following three steps:
  • the first network device receives a second security capability and an integrity protection algorithm priority list sent by the second network device.
  • the second security capability and the integrity protection algorithm priority list are included in the SMC message sent to the network controller, where the SMC message may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device can protect the transmitted data.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the method further includes:
  • the first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
  • the first network device may also receive an encryption algorithm priority list, select an encryption algorithm from it, and enable encryption protection according to the selected encryption algorithm.
  • the first network device sends the third security capability to the user equipment.
  • the third security capability is included in the SMC message and sent to the user equipment.
  • the user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
  • the method further includes:
  • the first network device sends the selected integrity protection algorithm to the user equipment.
  • the first network device sends the selected encryption algorithm and the integrity protection algorithm to the user equipment in the SMC message.
  • the user equipment turns on security protection according to an integrity protection algorithm sent by the first network device.
  • the security protection is started according to the encryption algorithm and the integrity protection algorithm.
  • the user equipment generates a security establishment complete message, and sends a security establishment complete message to the first network device.
  • the first network device sends a security setup complete message to the second network device.
  • the first network device sends the first security capability to the second network device in the security establishment complete message, so that the second network device can update its stored security capability.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment verifies whether the third security capability from the first network device is consistent with its own first security capability.
  • when the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the first network device turns on security protection first, so that the capability it then sends to the user equipment cannot be tampered with. This checks whether the security capabilities held by the first network device, the second network device, and the user equipment are consistent and have not been tampered with, and reduces the possibility of transmitting data without security guarantees, thereby improving the security of information transmission.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
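The security mode command procedure of steps 501 to 506 and the two comparisons that follow it, modelled as an added example in Python; this code is not part of the patent and does not reproduce any 3GPP implementation. The encoding of a capability as the set of UMTS algorithm identifiers the UE supports, the priority lists, the function names and the two `tamper_*` hooks are assumptions of the example; the message names follow the text. The hooks model an on-path attacker that strips the AES-based algorithms on one unprotected leg or on both, which shows that the first network device's check at step 504 and the user equipment's check of the echoed third security capability catch different tamperings.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

Capability = FrozenSet[str]

# Assumed encoding (not from the patent): a UE security capability is the set of
# UMTS algorithm identifiers the UE supports (UEA = ciphering, UIA = integrity).
UE_CAPABILITY: Capability = frozenset({"UEA0", "UEA1", "UEA2", "UIA1", "UIA2"})

# Assumed operator priority lists, strongest first (AES-based UEA2/UIA2 ahead of
# KASUMI-based UEA1/UIA1; UEA0, the null cipher, is last).
INTEGRITY_PRIORITY: Tuple[str, ...] = ("UIA2", "UIA1")
CIPHERING_PRIORITY: Tuple[str, ...] = ("UEA2", "UEA1", "UEA0")


def capabilities_consistent(first: Capability, second: Capability) -> bool:
    """The comparison of step 504 (at the SRNC) and of the UE's own check: identical sets."""
    return first == second


def select_algorithm(priority_list: Tuple[str, ...], capability: Capability) -> str:
    """Step 506: highest-priority network algorithm that the UE capability also lists."""
    for alg in priority_list:
        if alg in capability:
            return alg
    raise ValueError("no algorithm common to the priority list and the UE capability")


@dataclass
class Outcome:
    verdict: str                         # "accepted", "rejected_by_srnc" or "rejected_by_ue"
    integrity_alg: Optional[str] = None
    ciphering_alg: Optional[str] = None


def run_security_mode_procedure(
    ue_capability: Capability = UE_CAPABILITY,
    tamper_rrc: Callable[[Capability], Capability] = lambda c: c,
    tamper_l3: Callable[[Capability], Capability] = lambda c: c,
) -> Outcome:
    """Model of FIG. 5 with an on-path attacker hook on each unprotected leg.

    tamper_rrc alters what the SRNC receives in the RRC connection setup (step 501);
    tamper_l3 alters what the SGSN receives in the initial L3 message (step 502).
    """
    # Step 501: the first security capability as the SRNC receives it.
    first_capability = tamper_rrc(ue_capability)
    # Step 502: the copy that reaches the SGSN, which the patent calls the second capability.
    second_capability = tamper_l3(ue_capability)

    # Steps 503/505: the SGSN's SMC to the SRNC carries that copy and the priority lists.
    smc_to_srnc = {
        "second_capability": second_capability,
        "integrity_priority": INTEGRITY_PRIORITY,
        "ciphering_priority": CIPHERING_PRIORITY,
    }

    # Step 504: the SRNC compares what the UE told it with what the SGSN told it.
    if not capabilities_consistent(first_capability, smc_to_srnc["second_capability"]):
        return Outcome("rejected_by_srnc")

    # Step 506: algorithm selection; the SRNC starts protection before talking to the UE.
    uia = select_algorithm(smc_to_srnc["integrity_priority"], first_capability)
    uea = select_algorithm(smc_to_srnc["ciphering_priority"], first_capability)

    # The protected SMC to the UE echoes the capability the SRNC holds (the third
    # security capability) together with the selected algorithms.
    smc_to_ue = {"third_capability": first_capability, "uia": uia, "uea": uea}

    # The UE compares the echoed capability with its own before starting protection.
    if not capabilities_consistent(ue_capability, smc_to_ue["third_capability"]):
        return Outcome("rejected_by_ue")

    # Security mode complete goes back to the SRNC and on to the SGSN.
    return Outcome("accepted", smc_to_ue["uia"], smc_to_ue["uea"])


def strip_aes(capability: Capability) -> Capability:
    """Constructed bidding-down attack: remove the stronger AES-based algorithms."""
    return capability - {"UEA2", "UIA2"}


if __name__ == "__main__":
    print("honest:", run_security_mode_procedure())
    print("L3 leg tampered:", run_security_mode_procedure(tamper_l3=strip_aes))
    print("both legs tampered:",
          run_security_mode_procedure(tamper_rrc=strip_aes, tamper_l3=strip_aes))
```

An attacker that alters only one of the two unprotected legs is caught by the SRNC at step 504 before any algorithm is selected; an attacker that alters both legs consistently passes the SRNC's comparison and is caught only when the UE compares the echoed capability with its own, which is why the SRNC must start integrity protection at step 506 before it echoes the capability.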
  • the network device includes an SRNC, an eNB, an SGSN, and an MME, where the eNB is the first network device, the MME is the second network device, and the SGSN is the third network device.
  • the present embodiment uses the MME, the eNB, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the user equipment is switched from the UMTS system to the LTE system.
  • the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is included in the relocation request message and sent to the MME.
  • the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • the MME sends a handover request message to the eNB.
  • steps 601-603 carry out the first network device receiving the second security capability sent by the second network device.
  • the user equipment sends the first security capability to the third network device, so that the third network device acquires the second security capability and sends it to the second network device.
  • the first network device sends the first security capability to the third network device.
  • the eNB sends a handover confirmation message to the MME.
  • the MME sends a redirect response message to the SGSN.
  • the SGSN sends a redirect command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message includes the first security capability.
  • Step 608 completes that the first network device receives the first security capability sent by the user equipment.
  • the eNB verifies whether the second security capability is consistent with the first security capability.
  • if the first security capability is consistent with the second security capability, the handover continues. If they are inconsistent and the first security capability includes a higher-priority AS algorithm, the eNB changes the AS algorithm, selecting the highest-priority AS algorithm in the first security capability; the AS algorithm encrypts the data transmitted between the user equipment and the eNB, and the change also triggers the user equipment to update its algorithm.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message includes a first security capability.
  • the MME changes the NAS algorithm, selecting the highest-priority NAS algorithm in the first security capability; the NAS algorithm encrypts the data transmitted between the MME and the user equipment, and the change also triggers the user equipment to update its algorithm.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes a first security capability, so that the SGSN updates its saved user equipment security capability.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a further embodiment of the present invention provides a method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an eNB, an SGSN/VLR, and an MME.
  • this embodiment uses the MME, the eNB and the SGSN/VLR as an example to describe the technology of the present invention, which does not mean that the technology of the present invention can be implemented only by these devices; the same effect can be achieved by other devices. Referring to FIG. 7, the method includes:
  • the MME receives a second security capability sent by the SGSN or the VLR.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the MME receives the first security capability sent by the user equipment.
  • the first security capability is forwarded by the eNB to the MME, and the first security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the MME verifies whether the first security capability is consistent with the second security capability.
  • the method for verifying the security capability provided by the embodiment is to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, and verify whether the information transmission is secure and improve the security of information transmission.
  • a further embodiment of the present invention provides another method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an SRNC, an eNB, an SGSN, and an MME.
  • this embodiment uses the MME, the eNB, the SRNC, and the SGSN as an example to describe the technology of the present invention, which does not mean that the technology of the present invention can be implemented only by these devices; the same effect can be achieved by other devices.
  • the user equipment is switched from the UMTS system to the LTE system, and the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a cross-system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is sent to the MME in the relocation request message, that is, the MME receives the second security capability sent by the SGSN or the VLR, where the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • the MME sends a handover request message to the eNB.
  • the eNB sends a handover confirmation message to the MME.
  • the MME sends a redirect response message to the SGSN.
  • the SGSN sends a redirect command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message includes the first security capability.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message includes a first security capability. That is, the MME receives the first security capability sent by the user equipment.
  • the MME verifies whether the second security capability is consistent with the first security capability.
  • if they are inconsistent, the MME updates the security capability, and when the first security capability includes a higher-priority NAS algorithm, the MME changes the NAS algorithm.
  • the NAS algorithm encrypts and protects the data transmitted between the MME and the user equipment, and the change also triggers the user equipment to change its algorithm.
  • the MME sends an S1 context modification request containing the correct security capability to the eNB; if that security capability includes a higher-priority AS algorithm, the eNB also changes the AS algorithm.
  • the AS algorithm encrypts and protects the data transmitted between the user equipment and the eNB.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes the first security capability, so that the SGSN updates the user device security capability saved by itself.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by the embodiment is to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, and verify whether the information transmission is secure and improve the security of information transmission.
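The UMTS-to-LTE handover of the FIG. 6 embodiment (the eNB compares the two capabilities in step 609) and of the FIG. 8 embodiment (the MME compares them after the handover notification and pushes the correct capability to the eNB in an S1 context modification), modelled as one added Python example that is not part of the patent. The encoding of the EPS capability as a set of EEA/EIA identifiers, the priority lists, the `select_pair` helper and the event strings are assumptions of the example; the message names follow the text. The example runs the mismatch case in which the SGSN's stored copy (the second security capability) lacks the stronger algorithms the UE actually supports, and also the reverse case of a stored copy that claims more than the UE supports, which the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

Capability = FrozenSet[str]
AlgorithmPair = Tuple[str, str]   # (ciphering, integrity)

# Assumed encoding (not from the patent): an EPS security capability is the set of
# EPS algorithm identifiers the UE supports (EEA = ciphering, EIA = integrity).
# Assumed operator priority lists, strongest first; the null cipher EEA0 is last.
CIPHER_PRIORITY: Tuple[str, ...] = ("EEA2", "EEA1", "EEA0")
INTEGRITY_PRIORITY: Tuple[str, ...] = ("EIA2", "EIA1")


def select_algorithm(priority_list: Tuple[str, ...], capability: Capability) -> str:
    """Highest-priority network algorithm that the given capability also lists."""
    for alg in priority_list:
        if alg in capability:
            return alg
    raise ValueError("no algorithm common to the priority list and the capability")


def select_pair(capability: Capability) -> AlgorithmPair:
    """Ciphering and integrity algorithm chosen from one capability (assumed helper)."""
    return (select_algorithm(CIPHER_PRIORITY, capability),
            select_algorithm(INTEGRITY_PRIORITY, capability))


@dataclass
class HandoverResult:
    consistent: bool
    as_algorithms: AlgorithmPair        # in use between UE and eNB after the handover
    nas_algorithms: AlgorithmPair       # in use between UE and MME after the handover
    sgsn_stored_capability: Capability  # what the SGSN holds after Relocation Complete
    events: List[str] = field(default_factory=list)


def umts_to_lte_handover(ue_capability: Capability,
                         sgsn_stored_capability: Capability,
                         verifier: str = "eNB") -> HandoverResult:
    """verifier="eNB" follows FIG. 6 (eNB checks in step 609); verifier="MME" follows
    FIG. 8 (MME checks after Handover Notify, then S1 context modification to the eNB)."""
    events: List[str] = []

    # Steps 601-602: Relocation Request SRNC -> SGSN -> MME carries the SGSN's stored
    # copy of the UE capability, which the patent calls the second security capability.
    second_capability = sgsn_stored_capability
    # Step 603: Handover Request MME -> eNB; both nodes choose algorithms from that copy.
    as_alg = select_pair(second_capability)
    nas_alg = select_pair(second_capability)
    events.append(f"handover request: AS={as_alg} NAS={nas_alg} from second capability")

    # Steps 604-607 relay the handover command to the UE. Step 608: Handover Complete
    # UE -> eNB carries the UE's own copy, the first security capability.
    first_capability = ue_capability
    if first_capability == second_capability:
        events.append(f"{verifier}: capabilities consistent, handover continues")
        return HandoverResult(True, as_alg, nas_alg, sgsn_stored_capability, events)

    # The text describes the change when the first capability holds a higher-priority
    # algorithm; re-selecting from the UE's own copy covers that case and (a choice of
    # this example) a stored copy that claimed an algorithm the UE does not support.
    corrected_as = select_pair(first_capability)
    corrected_nas = select_pair(first_capability)

    if verifier == "eNB":
        # Step 609: the eNB compares; an AS change is signalled to the UE by RRC.
        events.append("eNB: mismatch detected in Handover Complete")
        if corrected_as != as_alg:
            events.append(f"eNB: AS algorithm changed {as_alg} -> {corrected_as}")
        # Steps 610-611: Handover Notify carries the first capability; the MME re-selects NAS.
        if corrected_nas != nas_alg:
            events.append(f"MME: NAS algorithm changed {nas_alg} -> {corrected_nas}")
    else:
        # FIG. 8: the eNB forwards the first capability in Handover Notify and the MME
        # does the comparison, then re-selects the NAS algorithm.
        events.append("MME: mismatch detected in Handover Notify")
        if corrected_nas != nas_alg:
            events.append(f"MME: NAS algorithm changed {nas_alg} -> {corrected_nas}")
        # S1 context modification carries the correct capability to the eNB, which
        # re-selects the AS algorithm.
        events.append("MME -> eNB: S1 context modification with first capability")
        if corrected_as != as_alg:
            events.append(f"eNB: AS algorithm changed {as_alg} -> {corrected_as}")

    # Steps 612-613: Relocation Complete carries the first capability so that the SGSN
    # replaces the stored copy that caused the mismatch.
    events.append("SGSN: stored capability updated from first capability")
    return HandoverResult(False, corrected_as, corrected_nas, first_capability, events)


if __name__ == "__main__":
    # Constructed sample: the UE supports AES, the SGSN's stored copy does not.
    ue = frozenset({"EEA0", "EEA1", "EEA2", "EIA1", "EIA2"})
    stale = frozenset({"EEA0", "EEA1", "EIA1"})
    for line in umts_to_lte_handover(ue, stale, verifier="MME").events:
        print(line)
```

Whichever node performs the comparison, the final state is the same: the algorithms in use on both the AS and NAS legs are re-selected from the copy the UE itself supplied, and the SGSN's stored copy is replaced so that the next handover starts from consistent capabilities.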
  • the embodiment of the present invention provides a user equipment for performing the method performed by the user equipment described in the embodiment corresponding to FIG. 1, FIG. 2 or FIG. 3, the structure of which is shown in FIG.
  • the sending unit 901 is configured to send the first security capability of the user equipment 90 to the second network device.
  • the receiving unit 902 is configured to receive a second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user device 90.
  • the verification unit 903 is configured to verify whether the second security capability is consistent with the first security capability.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR.
  • the sending unit 901 is further configured to send the first security capability to the first network device.
  • the receiving unit 902 is further configured to receive a third security capability sent by the first network device.
  • the verification unit 903 is further configured to verify whether the third security capability is consistent with the first security capability.
  • the user equipment 90 may further include a protection unit 904.
  • the protection unit 904 is configured to enable security protection according to an integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
  • verification unit 903 is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability.
  • the sending unit 901 is further configured to send the security setup complete message generated by the verification unit 903 to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME.
  • the sending unit 901 is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
  • the sending unit 901 is further configured to: when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the receiving unit 902 is further configured to: when the first security capability received by the first network device or the second network device includes a higher-priority algorithm, receive the higher-priority algorithm sent by the first network device or the second network device.
  • the protection unit 904 is configured to update its own algorithm according to a higher priority algorithm received by the receiving unit 902.
  • the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. Moreover, if the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the user equipment turns on security protection, so that data transmission after protection is turned on is secure. This checks whether the security capabilities held by the first network device, the second network device, and the user equipment itself are consistent and have not been tampered with, reduces the possibility of transmitting data without security guarantees, and thereby improves the security of information transmission.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, and improves the security of information transmission.
  • An embodiment of the present invention provides a first network device configured to perform the method performed by the first network device in the embodiment corresponding to FIG. 4, FIG. 5 or FIG. 6; its structure is shown in FIG.
  • the first network device 100 includes a receiving unit 1001 and a verification unit 1002.
  • the receiving unit 1001 is configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device.
  • the verification unit 1002 is configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the first network device 100 is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR.
  • the first network device 100 further includes a protection unit 1003 and a transmitting unit 1004.
  • the protection unit 1003 is configured to enable security protection when the second security capability is consistent with the first security capability.
  • the sending unit 1004 is configured to send the third security capability to the user equipment, so that the user equipment verifies that the third security capability is consistent with the first security capability, and then turns on the security protection.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME, where:
  • the protection unit 1003 is configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
  • the protection unit 1003 is further configured to: when the first security capability received by the receiving unit 1001 includes a higher-priority algorithm, update the algorithm to that higher-priority algorithm.
  • the sending unit 1004 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment verifies whether the third security capability from the first network device is consistent with its own first security capability. Moreover, if the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the first network device turns on security protection first, so that the capability it then sends to the user equipment cannot be tampered with. This checks whether the user equipment security capabilities stored by the first network device, the second network device, and the user equipment itself are consistent and have not been tampered with, reduces the possibility of transmitting data without security guarantees, and thereby improves the security of information transmission.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • An embodiment of the present invention provides a mobility management entity MME, which is configured to perform the method performed by the MME described in the embodiment corresponding to FIG. 7 or FIG. 8.
  • the MME 110 includes a receiving unit 1101 and a verification unit 1102.
  • the receiving unit 1101 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved node eNB to the MME.
  • the verification unit 1102 is configured to verify whether the first security capability is consistent with the second security capability.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the MME 110 further includes a protection unit 1103 and a sending unit 1104.
  • the protection unit 1103 is configured to update the security capability according to the first security capability when the first security capability is inconsistent with the second security capability.
  • the protection unit 1103 is further configured to: when the first security capability received by the receiving unit includes a higher priority algorithm, update the algorithm to a higher priority algorithm.
  • the sending unit 1104 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR.
  • the device may be embedded or itself.
  • the user device 1201 includes at least one processor 1211, a memory 1212 and a bus 1213; the at least one processor 1211 and the memory 1212 are connected to each other via the bus 1213.
  • the bus 1213 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1213 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 12, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1212 is for executing application code of the inventive scheme, and the application code for executing the inventive scheme is stored in a memory and controlled by the processor 1211 for execution.
  • the memory can be a read only memory ROM or other type of static storage device that can store static information and instructions, a random access memory RAM or other type of dynamic storage device that can store information and instructions, or can be electrically erasable or programmable.
  • These memories are connected to the processor via a bus.
  • the processor 1211 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1211 is configured to call the program code in the memory 1212. In a possible implementation manner, when the application program is executed by the processor 1211, the following functions are implemented.
  • the processor 1211 is configured to send the first security capability of the user equipment to the second network device.
  • the processor 1211 is further configured to receive a second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user equipment.
  • the processor 1211 is further configured to verify whether the second security capability is consistent with the first security capability.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR.
  • the processor 1211 is further configured to send the first security capability to the first network device.
  • the processor 1211 is further configured to receive a third security capability sent by the first network device.
  • the processor 1211 is further configured to verify whether the third security capability is consistent with the first security capability.
  • the processor 1211 is further configured to: when the third security capability is consistent with the first security capability, enable security protection according to the integrity protection algorithm of the first network device.
  • the processor 1211 is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability.
  • the processor 1211 is further configured to send a security setup complete message to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME.
  • the processor 1211 is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
  • the processor 1211 is further configured to: when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the processor 1211 is further configured to: when the first security capability received by the first network device or the second network device includes a higher priority algorithm, receive the higher priority algorithm sent by the first network device or the second network device and update its own algorithm.
  • the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. Moreover, if the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the user equipment turns on security protection to ensure the security of the data transmitted after protection is enabled. In this way, it can be verified whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and whether they have been tampered with, reducing the possibility of transmitting data without security guarantees and thereby improving the security of information transmission.
  • the user equipment provided in this embodiment is configured to verify whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • the first network device 1301 may include: at least one processor 1311, a memory 1312, and a bus 1313; the device may be embedded in, or itself be, a microprocessor-based computer such as a general-purpose computer, a custom machine, a mobile phone terminal, or a tablet computer.
  • the processor 1311 and the memory 1312 are connected by a bus 1313 and complete communication with each other.
  • the bus 1313 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1313 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1313 is for executing the application code of the inventive scheme, and the application code for executing the inventive scheme is stored in the memory and controlled by the processor 1311 for execution.
  • the memory can be a read only memory ROM or other type of static storage device that can store static information and instructions, a random access memory RAM or other type of dynamic storage device that can store information and instructions, or can be electrically erasable or programmable.
  • These memories are connected to the processor via a bus.
  • the processor 1311 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1311 is configured to call the program code in the memory 1313. In a possible implementation manner, when the application program is executed by the processor 1311, the following functions are implemented.
  • the processor 1311 is configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device.
  • the processor 1311 is further configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the first network device is a serving network controller SRNC or a network controller RNC
  • the second network device is a service supporting node SGSN or a visited location register VLR.
  • the processor 1311 is further configured to enable security protection when the second security capability is consistent with the first security capability.
  • the processor 1311 is further configured to send the third security capability to the user equipment, so that the user equipment verifies that the third security capability is consistent with the first security capability, and then turns on the security protection.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME, where:
  • the processor 1311 is further configured to: when the second security capability is inconsistent with the first security capability, update the security capability according to the first security capability.
  • the processor 1311 is further configured to: when the received first security capability includes a higher priority algorithm, update the algorithm to a higher priority algorithm.
  • the processor 1311 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment verifies that the third security capability from the first network device is consistent with the first security capability of the user equipment.
  • the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and enabling security protection on the first network device ensures that the verified security capability is not tampered with when it is sent to the user equipment. In this way, it can be verified whether the security capabilities of the first network device, the second network device and the user equipment are consistent and whether they have been tampered with, thereby reducing the possibility of transmitting data without security guarantees and improving the security of information transmission.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the device may be embedded in, or itself be, a microprocessor-based computer such as a general-purpose computer, a custom machine, a mobile terminal, or a tablet computer.
  • the MME 1401 includes: at least one processor 1411, a memory 1412, and a bus 1413.
  • the at least one processor 1411 and the memory 1412 are connected by the bus 1413 and communicate with each other over it.
  • the bus 1413 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1413 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 14, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1414 is used to execute the application code of the inventive scheme, and the application code for executing the inventive scheme is stored in a memory and controlled by the processor 1411 for execution.
  • the memory can be a read only memory ROM or other type of static storage device that can store static information and instructions, a random access memory RAM or other type of dynamic storage device that can store information and instructions, or can be electrically erasable or programmable.
  • These memories are connected to the processor via a bus.
  • the processor 1411 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1411 is configured to call the program code in the memory 1414. In a possible implementation manner, when the application program is executed by the processor 1411, the following functions are implemented.
  • the processor 1411 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved node eNB to the MME.
  • the processor 1411 is further configured to verify whether the first security capability is consistent with the second security capability.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the processor 1411 is further configured to: when the first security capability is inconsistent with the second security capability, update the security capability according to the first security capability.
  • the processor 1411 is further configured to: when the first security capability received by the receiving unit includes a higher priority algorithm, update the algorithm to a higher priority algorithm.
  • the processor 1411 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the MME provided by this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR.
  • the wireless network system 151 includes: a first network device 1501 and a second network device 1502.
  • the wireless network system 151 may further include: a third network device 1503 and a user equipment 1504.
  • the user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 9.
  • the user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 12.
  • the first network device is an SRNC or an RNC
  • the second network device is an SGSN or a VLR
  • the user equipment is a UE.
  • the user equipment 1504 can directly communicate with the second network device 1502.
  • the network devices include an eNB, an SGSN, and an MME, where the eNB is the first network device, the MME is the second network device, and the SGSN is the third network device. In this case, the user equipment 1504 needs to communicate with the second network device 1502 through the third network device 1503 and the first network device 1501.
  • the wireless network system provided by this embodiment is configured to verify whether the second security capability of the user equipment sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • the wireless network system 161 includes: a first network device 1601 and a second network device 1602.
  • the first network device 1601 is the first network device described in the embodiment corresponding to FIG. 10 .
  • the first network device 1601 is the first network device described in the embodiment corresponding to FIG.
  • the wireless network system 161 may further include: a third network device 1603 and a user equipment 1604.
  • the first network device is an SRNC or an RNC
  • the second network device is an SGSN or a VLR
  • the user equipment is a UE.
  • the user equipment 1604 can directly communicate with the second network device 1602.
  • the eNB is the first network device
  • the MME is the second network device
  • the SGSN is the third network device.
  • the user equipment 1604 needs to communicate with the second network device 1602 through the third network device 1603 and the first network device 1601.
  • the wireless network system provided by this embodiment is configured to verify whether the first security capability of the user equipment sent by the user equipment is consistent with the second security capability of the user equipment sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a further embodiment of the present invention provides a wireless network system, the structure of which is shown in FIG. 17; the wireless network system 171 includes an MME 1701 and an SGSN/VLR 1702.
  • the MME 1701 is the MME described in the embodiment corresponding to FIG. 11.
  • the MME 1701 is the MME described in the embodiment corresponding to FIG. 14.
  • the wireless network system 171 may further include: an eNB 1703, and a user equipment 1704.
  • the wireless network system verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a computer.
  • the computer readable medium may include a RAM (Random Access Memory), a ROM (Read Only Memory), and an EEPROM (Electrically Erasable Programmable Read Only Memory).
  • Any connection may suitably be a computer readable medium.
  • if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, DSL (Digital Subscriber Line) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of the medium.
  • disk and disc, as used here, include a CD (Compact Disc), a laser disc, an optical disc, a DVD (Digital Versatile Disc), a floppy disk, and a Blu-ray disc, where a disk usually reproduces data magnetically,
  • while a disc reproduces data optically with a laser. Combinations of the above should also be included within the scope of computer readable media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention relate to the field of communications, and disclosed are a method, a device, and a system for verifying a security capability, which solve the problem of insecure information transmission. A specific solution comprises: a user equipment sending a first security capability of the user equipment to a second network device, receiving a second security capability sent by the second network device, and verifying whether the second security capability is consistent with the first security capability. The present invention is used for verifying a security capability.

Description

Method, device and system for verifying security capability
This application claims priority to Chinese Patent Application No. 201310635001.9, filed with the Chinese Patent Office on December 2, 2013 and entitled "Method, Device and System for Verifying Security Capability", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for verifying security capability.
Background
The SGSN (Serving GPRS Support Node) is an important component of the core network packet domain in GPRS (General Packet Radio Service)/TD-SCDMA (Time Division Synchronization Code Division Multiple Access)/WCDMA (Wideband Code Division Multiple Access) networks. It mainly performs routing and forwarding of packet data, mobility management, session management, logical link management, authentication and encryption, and generation and output of call detail records.
The RNC (Radio Network Controller) is a key network element of a 3G (3rd Generation mobile communication technology) network. It is a component of the access network and provides mobility management, call processing, link management and handover mechanisms. In a wireless network system, when a user terminal needs to communicate with the network, it first establishes an RRC (Radio Resource Control) connection with the RNC, and after the RRC connection with the RNC is established, it establishes a connection with the SGSN.
In the process of establishing the connection between the user terminal and the network side described above, the messages sent by the user terminal to the RNC and the SGSN may be obtained and tampered with by an attacker; the transmission of this information has no security guarantee.
Summary of the invention
Embodiments of the present invention provide a method, device and system for verifying security capability, relating to the field of communications, which can verify whether information transmission is secure and improve the security of information transmission.
To achieve the above objective, embodiments of the present invention adopt the following technical solutions:
In a first aspect, a method for verifying security capability includes:
a user equipment sends a first security capability of the user equipment to a second network device;
the user equipment receives a second security capability sent by the second network device, where the second security capability is forwarded by a first network device to the user equipment;
the user equipment verifies whether the second security capability is consistent with the first security capability.
With reference to the first aspect, in a first possible implementation,
the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR;
the method further includes:
the user equipment sends the first security capability to the first network device;
the user equipment receives a third security capability sent by the first network device;
the user equipment verifies whether the third security capability is consistent with the first security capability.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the method further includes:
if the third security capability is consistent with the first security capability, the user equipment enables security protection according to an integrity protection algorithm of the first network device.
With reference to the second possible implementation of the first aspect, in a third possible implementation, after the user equipment enables security protection according to the integrity protection algorithm sent by the first network device, the method further includes:
if the second security capability is inconsistent with the first security capability, the user equipment generates a security establishment complete message and sends it to the first network device, so that the first network device sends the first security capability to the second network device according to the security establishment complete message.
With reference to the first aspect, in a fourth possible implementation,
the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
the user equipment sending the first security capability of the user equipment to the second network device includes:
the user equipment sends the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, the method further includes:
if the second security capability is inconsistent with the first security capability, the user equipment sends the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, the method further includes:
if the first security capability received by the first network device or the second network device includes an algorithm of higher priority, the user equipment receives the higher-priority algorithm sent by the first network device or the second network device and updates its own algorithm.
In a second aspect, a method for verifying security capability includes:
a first network device receives a first security capability sent by a user equipment and a second security capability sent by a second network device;
the first network device verifies whether the first security capability is consistent with the second security capability.
With reference to the second aspect, in a first possible implementation,
the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR;
the method further includes:
if the second security capability is consistent with the first security capability, the first network device enables security protection.
With reference to the first possible implementation of the second aspect, in a second possible implementation, after the first network device enables security protection, the method further includes:
the first network device sends a third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
With reference to the second aspect, in a third possible implementation,
the first network device is an evolved node eNB, and the second network device is a mobility management entity MME;
the method further includes:
if the second security capability is inconsistent with the first security capability, the first network device updates its security capability according to the first security capability.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, the method further includes:
if the first security capability received by the first network device includes an algorithm of higher priority, the first network device updates its own algorithm to the higher-priority algorithm and sends the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
In a third aspect, a method for verifying security capability includes:
a mobility management entity MME receives a first security capability sent by a user equipment and a second security capability sent by a service support node SGSN or a visited location register VLR, where the first security capability is forwarded by an evolved node eNB to the MME;
the MME verifies whether the first security capability is consistent with the second security capability.
With reference to the third aspect, in a first possible implementation, the method further includes:
if the first security capability is inconsistent with the second security capability, the MME updates its security capability according to the first security capability.
With reference to the first possible implementation of the third aspect, in a second possible implementation, the method further includes:
if the first security capability received by the MME includes an algorithm of higher priority, the first network device updates its own algorithm to the higher-priority algorithm and sends the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
In a fourth aspect, a user equipment includes:
a sending unit, configured to send the first security capability of the user equipment to a second network device;
a receiving unit, configured to receive a second security capability sent by the second network device, where the second security capability is forwarded to the user equipment by a first network device; and
a verification unit, configured to verify whether the second security capability is consistent with the first security capability.
In conjunction with the fourth aspect, in a first possible implementation,
the first network device is a serving radio network controller SRNC or a radio network controller RNC, and the second network device is a serving GPRS support node SGSN or a visitor location register VLR;
the sending unit is further configured to send the first security capability to the first network device;
the receiving unit is further configured to receive a third security capability sent by the first network device; and
the verification unit is further configured to verify whether the third security capability is consistent with the first security capability.
In conjunction with the first possible implementation of the fourth aspect, in a second possible implementation,
the user equipment further includes a protection unit, configured to enable security protection according to the integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
In conjunction with the second possible implementation of the fourth aspect, in a third possible implementation,
the verification unit is further configured to generate a security setup complete message when the second security capability is inconsistent with the first security capability; and
the sending unit is further configured to send the security setup complete message generated by the verification unit to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
In conjunction with the fourth aspect, in a fourth possible implementation,
the first network device is an evolved Node B eNB, and the second network device is a mobility management entity MME; and
the sending unit is further specifically configured to send the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
In conjunction with the fourth possible implementation of the fourth aspect, in a fifth possible implementation,
the sending unit is further configured to, when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
In conjunction with the fifth possible implementation of the fourth aspect, in a sixth possible implementation,
the receiving unit is further configured to, when the first security capability received by the first network device or the second network device includes an algorithm with a higher priority, receive the higher-priority algorithm sent by the first network device or the second network device; and
the user equipment further includes a protection unit, configured to update its own algorithm according to the higher-priority algorithm received by the receiving unit.
In a fifth aspect, a first network device includes:
a receiving unit, configured to receive a first security capability sent by a user equipment and a second security capability sent by a second network device; and
a verification unit, configured to verify whether the first security capability is consistent with the second security capability.
In conjunction with the fifth aspect, in a first possible implementation,
the first network device is a serving radio network controller SRNC or a radio network controller RNC, and the second network device is a serving GPRS support node SGSN or a visitor location register VLR; and
the first network device further includes a protection unit, configured to enable security protection when the second security capability is consistent with the first security capability.
In conjunction with the first possible implementation of the fifth aspect, in a second possible implementation,
the first network device further includes a sending unit, configured to send a third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
In conjunction with the fifth aspect, in a third possible implementation,
the first network device is an evolved Node B eNB, and the second network device is a mobility management entity MME; and
the first network device further includes a protection unit, configured to update its security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
In conjunction with the third possible implementation of the fifth aspect, in a fourth possible implementation,
the protection unit is further configured to, when the first security capability received by the receiving unit includes an algorithm with a higher priority, update its own algorithm to the higher-priority algorithm; and
the sending unit is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
In a sixth aspect, a mobility management entity MME includes:
a receiving unit, configured to receive a first security capability sent by a user equipment and a second security capability sent by a serving GPRS support node SGSN or a visitor location register VLR, where the first security capability is forwarded to the MME by an evolved Node B eNB; and
a verification unit, configured to verify whether the first security capability is consistent with the second security capability.
In conjunction with the sixth aspect, in a first possible implementation,
the MME further includes a protection unit, configured to update its security capability according to the first security capability when the first security capability is inconsistent with the second security capability.
In conjunction with the first possible implementation of the sixth aspect, in a second possible implementation,
the protection unit is further configured to, when the first security capability received by the receiving unit includes an algorithm with a higher priority, update its own algorithm to the higher-priority algorithm; and
the MME further includes a sending unit, configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
In the method, device and system for verifying security capability provided by the embodiments of the present invention, the user equipment sends its first security capability to the second network device, receives the second security capability sent by the second network device, and verifies whether the second security capability is consistent with the first security capability. This verifies whether the information transmission is secure and improves the security of information transmission.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for describing the embodiments are briefly introduced below.
FIG. 1 is a schematic flowchart of a method for verifying security capability according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of message interaction in another method for verifying security capability according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of message interaction in yet another method for verifying security capability according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a method for verifying security capability according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of message interaction in another method for verifying security capability according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of message interaction in yet another method for verifying security capability according to another embodiment of the present invention;
FIG. 7 is a schematic flowchart of a method for verifying security capability according to yet another embodiment of the present invention;
FIG. 8 is a schematic diagram of message interaction in another method for verifying security capability according to yet another embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a user equipment according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a first network device according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an MME according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a user equipment according to another embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a first network device according to another embodiment of the present invention;
FIG. 14 is a schematic structural diagram of an MME according to another embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a wireless network system according to an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of a wireless network system according to another embodiment of the present invention;
FIG. 17 is a schematic structural diagram of a wireless network system according to yet another embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the present invention.
The method, apparatus and system for verifying security capability provided by the embodiments of the present invention may be applied to a GSM (Global System for Mobile communications) system, a GERAN (GSM EDGE (Enhanced Data rates for GSM Evolution) Radio Access Network) system, a UMTS (Universal Mobile Telecommunications System), an LTE (Long Term Evolution) system and an EPS (Evolved Packet System). The present invention may of course also be applied to other network systems; these five are simply the most widely deployed in current communications, so the embodiments are described mainly in terms of them. The present invention is not limited to these five network systems and may also be implemented in other network systems.
Referring to FIG. 1, an embodiment of the present invention provides a method for verifying security capability, including the following steps:
101. The user equipment sends the first security capability of the user equipment to a second network device.
The first security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability. When accessing the network, the user equipment first sends its first security capability to the second network device.
102. The user equipment receives a second security capability sent by the second network device.
Optionally, the second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability; the capabilities it includes correspond to those included in the first security capability of step 101. In other words, the second security capability covers the same networks as the first security capability.
103. The user equipment verifies whether the second security capability is consistent with the first security capability.
To ensure that the information sent while the user equipment accesses the network is secure, the user equipment verifies whether the second security capability sent by the second network device is consistent with its own first security capability. If they are inconsistent, the security capability has been tampered with and the user equipment may stop accessing the network; if they are consistent, the security capability has not been tampered with and the user equipment may access the network. Here, the user equipment verifies whether the information transmission between itself and the second network device is secure. The first security capability is only the part of the user equipment's security capability that is verified; the user equipment may also send to the second network device security capabilities that do not need to be verified for the time being. Optionally, the security capability of the user equipment includes the list of all encryption algorithms and the list of all integrity algorithms that the user equipment supports.
In this way, by having the user equipment verify whether the first security capability and the second security capability are consistent, the possibility of transmitting data without security protection is reduced, and the security of information transmission is improved.
In the method for verifying security capability provided by this embodiment, the user equipment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, which verifies whether the information transmission is secure and improves the security of information transmission.
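The attack that steps 101-103 are meant to catch is a bidding-down attack: an attacker on the uplink strips the strongest algorithms from the capability the user equipment sends, so that the network believes only weak algorithms are supported and selects one of them. The echo check works because the user equipment still holds its own copy and can compare. The following Python model is an added example and is not code from the patent; the algorithm names (UMTS-style UEAx/UIAx) and the bitmap layout are assumptions chosen for illustration, not a 3GPP encoding. The practitioner caveat is that the check only helps if the attacker cannot also rewrite the echo; in a real network the echoed copy travels in an integrity-protected Security Mode Command, and the model below simply assumes the echo arrives intact.

```python
# Added example (not from the patent): a model of the capability echo check in
# steps 101-103. The algorithm names (UMTS-style UEAx/UIAx) and the bitmap
# layout are assumptions chosen for illustration, not a 3GPP encoding.
from dataclasses import dataclass

CIPHER_ALGS = ("UEA0", "UEA1", "UEA2")      # assumed: ciphering algorithms, bits 0-2
INTEGRITY_ALGS = ("UIA1", "UIA2")           # assumed: integrity algorithms, bits 3-4


@dataclass(frozen=True)
class SecurityCapability:
    """The 'first security capability': all algorithms the UE supports."""
    ciphering: frozenset
    integrity: frozenset

    def encode(self) -> int:
        """Pack the capability into the assumed bitmap carried in the initial L3 message."""
        bits = 0
        for i, alg in enumerate(CIPHER_ALGS):
            if alg in self.ciphering:
                bits |= 1 << i
        for i, alg in enumerate(INTEGRITY_ALGS):
            if alg in self.integrity:
                bits |= 1 << (len(CIPHER_ALGS) + i)
        return bits

    @classmethod
    def decode(cls, bits: int) -> "SecurityCapability":
        """Unpack a received bitmap (what the network stores and later echoes)."""
        ciph = frozenset(a for i, a in enumerate(CIPHER_ALGS) if (bits >> i) & 1)
        integ = frozenset(a for i, a in enumerate(INTEGRITY_ALGS)
                          if (bits >> (len(CIPHER_ALGS) + i)) & 1)
        return cls(ciph, integ)


def ue_verify(first: SecurityCapability, second: SecurityCapability) -> bool:
    """Step 103: the UE accepts only if the echoed copy equals what it sent."""
    return first == second


def strip_algorithm(bits: int, alg: str) -> int:
    """A man-in-the-middle on the uplink clearing one algorithm bit (bidding down)."""
    if alg in CIPHER_ALGS:
        return bits & ~(1 << CIPHER_ALGS.index(alg))
    return bits & ~(1 << (len(CIPHER_ALGS) + INTEGRITY_ALGS.index(alg)))


def run_access(tampered: bool):
    """Steps 101-103 end to end. Returns (verification result, network's stored copy)."""
    ue_cap = SecurityCapability(frozenset(CIPHER_ALGS), frozenset(INTEGRITY_ALGS))
    wire = ue_cap.encode()                       # step 101: UE -> second network device
    if tampered:
        wire = strip_algorithm(wire, "UEA2")     # attacker removes the strongest cipher
    stored = SecurityCapability.decode(wire)     # what the second network device believes
    echoed = SecurityCapability.decode(stored.encode())  # step 102: echoed back in the SMC
    return ue_verify(ue_cap, echoed), stored     # step 103


if __name__ == "__main__":
    for t in (False, True):
        ok, stored = run_access(t)
        print(f"tampered={t}: verification {'passed' if ok else 'FAILED'}, "
              f"network stored ciphering={sorted(stored.ciphering)}")
```

Running the block shows the untampered case passing and the tampered case failing: the network's stored copy lacks UEA2, so the echo no longer matches the user equipment's own capability and, per the embodiment, the user equipment can stop the access attempt instead of letting a weakened algorithm set be negotiated.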
An embodiment of the present invention provides another method for verifying security capability, applied to a UMTS system. In a UMTS system the user equipment may be a UE (User Equipment), where a UE includes an MS (Mobile Station); the first network device may be an RNC or an SRNC (Serving Radio Network Controller); and the second network device may be an SGSN or a VLR (Visitor Location Register). This embodiment uses a UE, an SRNC and an SGSN as examples to describe the technique of the present invention; this does not mean that the technique can only be implemented by these devices, and the same effect may be achieved with other devices.
Referring to FIG. 2, the method includes:
201. The user equipment sends the first security capability of the user equipment to the second network device.
Optionally, the first security capability includes the list of encryption algorithms and the list of integrity algorithms supported by the user equipment. The first security capability may be carried in the initial L3 (Layer 3) message sent to the second network device. The L3 message may also carry security capabilities not included in the first security capability: the first security capability is the capability that is verified, but the user equipment may choose to send other capabilities that do not need verification for the time being along with it. Because the first security capability sent by the user equipment may be tampered with on its way to the second network device, the security capability received by the second network device is called the second security capability. If the first and second security capabilities are consistent, the first security capability has not been tampered with and the information transmission is secure.
202. The user equipment receives the second security capability sent by the second network device.
The second security capability is forwarded to the user equipment by the first network device. Optionally, the second security capability is carried in an SMC (Security Mode Command) message sent to the first network device, and the first network device forwards the second security capability to the user equipment in an SMC message.
The second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability; its content corresponds to the content of the first security capability of the user equipment. The SMC message may also carry security capabilities not included in the second security capability: the second security capability is only the capability that is verified, but the SMC message may also carry capabilities that do not need verification for the time being.
203. The user equipment verifies whether the second security capability is consistent with the first security capability.
Through steps 201-203, the user equipment verifies whether the information transmission between itself and the second network device is secure.
The method further includes step 204. Step 204 has no fixed order relative to steps 201, 202 and 203: it may be performed at the same time as any of them, or before or after any of them.
204. The user equipment sends the first security capability to the first network device.
Optionally, the first security capability sent to the first network device is sent during RRC connection setup.
205. The user equipment receives a third security capability sent by the first network device.
The third security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability; its content corresponds to the content of the first and second security capabilities in the steps above.
Optionally, the third security capability is carried in an SMC message sent to the user equipment.
206. The user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
Through steps 204-206, the user equipment verifies whether the information transmission between itself and the first network device is secure.
Optionally, the method further includes step 207, which has no fixed order relative to any of steps 201-206.
207. The first network device receives an integrity protection algorithm priority list sent by the second network device.
Optionally, the integrity protection algorithm priority list is carried in an SMC message sent to the first network device. This SMC message may also include one or more of an encryption algorithm priority list, an encryption key and an integrity protection key, so that the first network device can encrypt and integrity-protect the transmitted data.
208. The first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and enables security protection according to the selected integrity protection algorithm.
Specifically, in practice the first network device also receives the encryption algorithm priority list, selects an encryption algorithm according to it, and enables security protection according to the selected encryption algorithm and integrity protection algorithm. In the subsequent data transmission the first network device encrypts and integrity-protects the data with the selected encryption and integrity protection algorithms; the user equipment decrypts received data with the same algorithms and encrypts the data it sends with the same algorithms, which secures the subsequent data transmission.
209. The first network device sends the selected integrity protection algorithm to the user equipment.
Optionally, the first network device carries the selected integrity protection algorithm in an SMC message sent to the user equipment; this SMC message may also include the encryption algorithm selected by the first network device.
For step 206, if the third security capability sent by the first network device is consistent with the first security capability of the user equipment, then after step 209 the method further includes:
210. The user equipment enables security protection according to the integrity protection algorithm.
211. The user equipment generates a security setup complete message and sends it to the first network device.
212. The first network device sends the security setup complete message to the second network device.
Specifically and optionally, if the second security capability sent by the second network device is inconsistent with the first security capability of the user equipment, the first network device carries the first security capability in the security setup complete message sent to the second network device, so that the second network device updates its security capability according to the first security capability.
Optionally, the security setup complete message may also include the encryption algorithm and the integrity protection algorithm selected by the first network device.
In this way the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with its first security capability. Moreover, if the third security capability sent by the first network device is consistent with the first security capability, the user equipment enables security protection, which secures the data transmission after protection is enabled. Verifying that the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and have not been tampered with reduces the possibility of transmitting data without security protection and thus improves the security of information transmission.
In the method for verifying security capability provided by this embodiment, the user equipment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, which verifies whether the information transmission is secure and improves the security of information transmission.
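Steps 201-212 describe one procedure with three parties: the SGSN holds the copy of the capability it received in the initial L3 message, the SRNC holds the copy it received during RRC connection setup and uses it together with the SGSN's priority list to pick the integrity algorithm (step 208), and the user equipment checks both copies against its own before enabling protection (steps 203, 206, 210) and, on a mismatch with the SGSN's copy, has the SRNC carry the true capability back in the security setup complete message (step 212). The following Python model of that exchange is an added example, not code from the patent. The message field names, the "stored capability" of the SGSN, the UIAx integrity algorithm names and the priority list are assumptions for illustration; ciphering algorithms are handled the same way and are omitted to keep the model short.

```python
# Added example (not from the patent): the UMTS exchange of steps 201-212 as
# three cooperating parties. Field names, the SGSN's stored copy, the UIAx
# algorithm names and the priority list are assumptions for illustration.
from typing import Optional


def select_algorithm(priority_list, ue_capability) -> Optional[str]:
    """Step 208: first algorithm in the network's priority list that the UE supports."""
    for alg in priority_list:
        if alg in ue_capability:
            return alg
    return None


class SGSN:
    """Second network device. Holds the second security capability."""
    def __init__(self, integrity_priority):
        self.integrity_priority = list(integrity_priority)   # strongest first (assumed)
        self.stored_capability = None

    def receive_initial_l3(self, capability):                # step 201
        self.stored_capability = frozenset(capability)

    def security_mode_command(self):                         # steps 202 / 207
        return {"ue_capability": self.stored_capability,
                "integrity_priority": self.integrity_priority}

    def receive_security_setup_complete(self, msg) -> bool:  # step 212
        if "ue_capability" in msg:        # mismatch path: adopt the UE's real capability
            self.stored_capability = frozenset(msg["ue_capability"])
            return True
        return False


class SRNC:
    """First network device. Holds its own copy of the UE capability from RRC setup."""
    def __init__(self):
        self.ue_capability = None
        self.selected = None

    def receive_rrc_setup(self, capability):                 # step 204
        self.ue_capability = frozenset(capability)

    def handle_smc(self, smc):                               # steps 202, 205, 207-209
        self.selected = select_algorithm(smc["integrity_priority"], self.ue_capability)
        if self.selected is None:
            raise ValueError("no integrity algorithm common to UE and network")
        return {"second_capability": smc["ue_capability"],    # forwarded SGSN copy
                "third_capability": self.ue_capability,       # SRNC's own copy
                "integrity_algorithm": self.selected}

    def forward_setup_complete(self, ue_msg):                # step 212
        out = {"integrity_algorithm": ue_msg["integrity_algorithm"]}
        if ue_msg.get("capability_mismatch"):
            out["ue_capability"] = self.ue_capability         # carry the first capability
        return out


class UE:
    def __init__(self, capability):
        self.capability = frozenset(capability)               # first security capability
        self.protected = False

    def handle_smc(self, smc):                               # steps 203, 206, 210, 211
        second_ok = smc["second_capability"] == self.capability
        third_ok = smc["third_capability"] == self.capability
        if not third_ok or smc["integrity_algorithm"] not in self.capability:
            raise ValueError("SRNC copy or selected algorithm inconsistent; abort access")
        self.protected = True                                # step 210
        return {"integrity_algorithm": smc["integrity_algorithm"],
                "capability_mismatch": not second_ok}


def run_exchange(ue_caps=("UIA1", "UIA2"), priority=("UIA2", "UIA1"),
                 uplink_tampered=False) -> dict:
    """Whole exchange. uplink_tampered models the initial L3 message losing UIA2 in transit."""
    ue, srnc, sgsn = UE(ue_caps), SRNC(), SGSN(priority)
    sent = set(ue.capability) - ({"UIA2"} if uplink_tampered else set())
    sgsn.receive_initial_l3(sent)                            # step 201 (possibly tampered)
    srnc.receive_rrc_setup(ue.capability)                    # step 204 (RRC path)
    smc_to_ue = srnc.handle_smc(sgsn.security_mode_command())
    complete = ue.handle_smc(smc_to_ue)
    updated = sgsn.receive_security_setup_complete(srnc.forward_setup_complete(complete))
    return {"selected": srnc.selected, "ue_protected": ue.protected,
            "sgsn_updated": updated, "sgsn_capability": sgsn.stored_capability}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(uplink_tampered=True))
```

Two points the model makes visible. First, the algorithm actually negotiated comes from the SRNC's own RRC-delivered copy, so a tampered initial L3 message does not by itself lower the selected algorithm; what it does is leave the SGSN with a wrong record, which step 212 corrects. Second, the correction is only sound because the security setup complete message is sent after step 210, when the user equipment and the SRNC have already enabled integrity protection, so the copy that overwrites the SGSN's record is itself protected. The FIG. 1 embodiment's alternative of stopping access on a mismatch remains available; the model raises on an SRNC-side mismatch to show that path.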
An embodiment of the present invention provides yet another method for verifying security capability, applied to an LTE system. In an LTE system the network devices include an SRNC, an eNB (Evolved Node B), an SGSN and an MME (Mobility Management Entity), where the eNB is the first network device, the MME is the second network device and the SGSN is the third network device. This embodiment uses an MME, an eNB and an SGSN as examples to describe the technique of the present invention; this does not mean that the technique can only be implemented by these devices, and the same effect may be achieved with other devices. Specifically, this embodiment applies to the scenario in which the user equipment is handed over from a UMTS system to an LTE system. Referring to FIG. 3, the method includes:
301. The SRNC sends a relocation request message to the SGSN.
The SRNC sends the relocation request message to the SGSN to initiate the inter-system handover.
302. The SGSN sends a relocation request message to the MME.
Because the user equipment security capability was already sent to the SGSN when the user equipment accessed the UMTS network, the SGSN can send the second security capability to the MME. The second security capability is carried in the relocation request message sent to the MME. The specific content of the second security capability included in the relocation request message is not limited by the present invention.
Compared with the embodiment of FIG. 2, steps 301-302 accomplish the user equipment sending the first security capability to the second network device so that the second network device obtains the second security capability; specifically, the user equipment sends the first security capability to the third network device, so that the third network device obtains the second security capability and sends it to the second network device.
303. The MME sends a handover request message to the eNB.
Specifically, after receiving the relocation request message, the MME checks whether it contains the second security capability. If it does, the MME places the second security capability in the IE (Information Element) of the NAS (Non-Access Stratum) security transparent container and includes that IE in the handover request message sent to the eNB.
Alternatively and optionally, after receiving the relocation request message, the MME checks whether it contains the second security capability. If it does, the MME includes the second security capability and a security capability indication in the handover request message sent to the eNB.
Because the user equipment cannot communicate directly with the eNB before it has accessed the LTE network, the security capability must be forwarded through the SGSN and the MME to reach the eNB.
304. The eNB sends a handover request acknowledge message to the MME.
Specifically, after receiving the second security capability sent by the MME, the eNB creates an RRC connection reconfiguration information element in order to establish a direct connection with the user equipment, and sends a handover request acknowledge message to the MME. Corresponding to step 303, the handover request acknowledge message may include the NAS security transparent container IE, which contains the second security capability;
alternatively, according to the security capability indication, the eNB places the second security capability in the RRC connection reconfiguration information element and includes that information element in the handover request acknowledge message sent to the MME.
305. The MME sends a relocation response message to the SGSN.
306. The SGSN sends a relocation command message to the SRNC.
307. The SRNC sends a handover command message to the user equipment.
In steps 305-307, the MME sends the relocation response message to the SGSN, and the SGSN forwards it through the SRNC to the user equipment. Corresponding to steps 303 and 304, the relocation response message includes the second security capability.
Compared with the embodiment of FIG. 2, steps 303-307 accomplish the user equipment receiving the second security capability sent by the second network device, with the second security capability forwarded to the user equipment by the first network device; specifically, the second network device sends the second security capability to the first network device, the first network device returns the second security capability to the second network device, and it is then sent to the user equipment through the third network device.
308、用户设备验证eNB发送的第二安全能力与该用户设备的第一安全能力是否一致。308. The user equipment verifies whether the second security capability sent by the eNB is consistent with the first security capability of the user equipment.
309、用户设备向eNB发送切换完成消息。309. The user equipment sends a handover complete message to the eNB.
如果eNB发送的安全能力与该用户设备的第一安全能力不一致,则该切换完成消息还包括第一安全能力,eNB可以根据第一安全能力更新安全能力和算法。If the security capability sent by the eNB is inconsistent with the first security capability of the user equipment, the handover complete message further includes a first security capability, and the eNB may update the security capability and the algorithm according to the first security capability.
310、eNB向MME发送切换通知消息。310. The eNB sends a handover notification message to the MME.
如果eNB发送的第二安全能力与该用户设备的第一安全能力不一致,则该切换消息还可以包括第一安全能力,MME根据第一安全能力更新的安全能力和算法。If the second security capability sent by the eNB is inconsistent with the first security capability of the user equipment, the handover message may further include a first security capability, a security capability and an algorithm that the MME updates according to the first security capability.
具体的,当第一安全能力中包含优先级更高的NAS(Non Access Stratum,非接入层)算法时,MME将改变NAS算法,NAS算法用于在MME和用户设备之间传输数据时对数据进行加密和完整性保护。同时,如果第一安全能力中包含优先级更高的AS(Access Stratum,接入层)算法时,eNB也会改变AS算法,AS算法用于用户设备与eNB之间传输数据时对数据进行加密和完整性保护,相应的,也会触发用户设备更改自身的算法。Specifically, when the first security capability includes a NAS (Non Access Stratum) algorithm with a higher priority, the MME changes the NAS algorithm, and the NAS algorithm is used to transmit data between the MME and the user equipment. Data is encrypted and integrity protected. At the same time, if the first security capability includes an AS (Access Stratum) algorithm with a higher priority, the eNB also changes the AS algorithm, and the AS algorithm encrypts the data when the user equipment and the eNB transmit data. And integrity protection, correspondingly, also triggers the user device to change its own algorithm.
311、MME向SGSN发送重定位完成消息。311. The MME sends a relocation complete message to the SGSN.
可选的,当SGSN发送的安全能力与该用户设备的第一安全能力不一致时,该重定位完成消息包括第一安全能力,以便SGSN更新自己保存的用户设备安全能力。Optionally, when the security capability sent by the SGSN is inconsistent with the first security capability of the user equipment, the relocation complete message includes a first security capability, so that the SGSN updates its saved user equipment security capability.
312、SGSN向MME发送重定位完成确认消息。312. The SGSN sends a relocation complete confirmation message to the MME.
这样,通过用户设备验证第一安全能力和第二安全能力是否一致,降低了在没有安全保障的情况下传输数据的可能,提高了信息传输的安全。In this way, whether the first security capability and the second security capability are consistent by the user equipment reduces the possibility of transmitting data without security, and improves the security of information transmission.
本实施例提供的验证安全能力的方法,通过用户设备验证第二网络设备发送的第二安全能力与该用户设备的第一安全能力是否一致,验证了了信息传输是否安全,提高了信息传输的安全。 The method for verifying the security capability provided by the embodiment is to verify whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, and whether the information transmission is secure and the information transmission is improved. Safety.
Another embodiment of the present invention provides a method for verifying security capability. Referring to FIG. 4, the method includes:
401. The first network device receives a second security capability sent by the second network device.
The second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability.
402. The first network device receives a first security capability sent by the user equipment.
The user equipment may be a UE, where the UE includes an MS. The first security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability.
403. The first network device verifies whether the first security capability is consistent with the second security capability.
In the method for verifying security capability provided by this embodiment, the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Another embodiment of the present invention provides another method for verifying security capability, applied to a UMTS network. In a UMTS system, the user equipment may be a UE, where the UE includes an MS; the first network device may be an RNC or an SRNC; and the second network device may be an SGSN or a VLR. Of course, this embodiment uses the UE, the SRNC and the SGSN as examples to describe the technology of the present invention; this does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices. Referring to FIG. 5, the method includes:
501. The user equipment sends the first security capability to the first network device.
Optionally, the first security capability here is sent to the first network device during RRC connection establishment.
In this embodiment, the first security capability includes a UMTS security capability and may further include one or more of a GERAN security capability, a GSM security capability and an EPS security capability.
502. The user equipment sends the first security capability to the second network device.
Optionally, the first security capability here is carried in the initial L3 message sent to the second network device. Because the first security capability sent by the user equipment may be tampered with on its way to the second network device, the security capability received by the second network device is called the second security capability; if the first security capability and the second security capability are consistent, this proves that the security capability has not been tampered with and that information transmission is secure.
There is no sequential relationship between step 501 and step 502.
503. The first network device receives the second security capability sent by the second network device.
Optionally, the second security capability is carried in an SMC (Security Mode Command) message sent to the first network device.
504. The first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
The method further includes step 505, which has no sequential relationship with any of steps 501-504.
505. The first network device receives an integrity protection algorithm priority list sent by the second network device.
Optionally, the integrity protection algorithm priority list is carried in the SMC message sent to the first network device; the SMC message here may further include one or more of an encryption algorithm priority list, an encryption key and an integrity protection key, so that the first network device can protect the transmitted data.
After steps 504 and 505, if the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the method further includes:
506. The first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
Specifically, the first network device may also receive the encryption algorithms, select an encryption algorithm, and start encryption protection according to the selected encryption algorithm.
Optionally, the second security capability and the integrity protection algorithm priority list sent by the second network device may be carried in the same SMC message, in which case steps 503-506 may be merged into the following three steps:
a. The first network device receives the second security capability and the integrity protection algorithm priority list sent by the second network device.
Optionally, the second security capability and the integrity protection algorithm priority list are carried in the SMC message sent to the network controller (the first network device); the SMC message here may further include one or more of an encryption algorithm priority list, an encryption key and an integrity protection key, so that the first network device can protect the transmitted data.
b. The first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
If the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the method further includes:
c. The first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
Specifically, the first network device may also receive the encryption algorithms, select an encryption algorithm, and start encryption protection according to the selected encryption algorithm.
507. The first network device sends a third security capability to the user equipment.
Optionally, the third security capability is carried in an SMC message sent to the user equipment.
508. The user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
If the third security capability sent is consistent with the first security capability of the user equipment, the method further includes:
509. The first network device sends the selected integrity protection algorithm to the user equipment.
Optionally, the first network device carries the selected encryption algorithm and integrity protection algorithm in an SMC message sent to the user equipment.
510. The user equipment starts security protection according to the integrity protection algorithm sent by the first network device.
Optionally, if the user equipment has received an encryption algorithm, it starts security protection according to both the encryption algorithm and the integrity protection algorithm.
511. The user equipment generates a security setup complete message and sends it to the first network device.
512. The first network device sends the security setup complete message to the second network device.
If the second security capability sent by the second network device is inconsistent with the first security capability sent by the user equipment, the first network device carries the first security capability in the security setup complete message sent to the second network device, so that the second network device can update its security capability.
The first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment so that the user equipment can verify whether the third security capability from the first network device is consistent with its own first security capability. Moreover, if the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the first network device starts security protection, which guarantees that the user equipment security capability verified by the first network device cannot be tampered with when it is sent to the user equipment. In this way it can be verified whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and whether any of them has been tampered with, which reduces the possibility of transmitting data without security protection and thereby improves the security of information transmission.
In the method for verifying security capability provided by this embodiment, the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
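The procedure of FIG. 5 (steps 501-512), modelled as an added example that is not code from the patent: the RNC (first network device) compares the UE's capability with the SGSN's copy, selects algorithms from the priority lists only after the check passes, echoes a third copy to the UE for its own check, and flags the mismatch branch in which the security setup complete message carries the first capability. The message layout, the assumption that the RNC echoes the SGSN's copy as the third capability, and the sample capabilities and priority lists are constructed for illustration (UIA/UEA are the 3GPP UMTS algorithm names).

```python
"""Model of the UMTS security mode procedure of FIG. 5 (steps 501-512).

Added example, not code from the patent. The entity model, the message
layout and the sample data are assumptions for illustration; UIA/UEA are
the 3GPP names of the UMTS integrity and ciphering algorithms.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample data: what the UE actually supports (first security capability).
UE_CAPABILITY: Set[str] = {"UIA1", "UIA2", "UEA0", "UEA1", "UEA2"}
# Constructed operator priority lists carried in the SMC message (step 505),
# highest priority first.
INTEGRITY_PRIORITY: List[str] = ["UIA2", "UIA1"]
CIPHER_PRIORITY: List[str] = ["UEA2", "UEA1", "UEA0"]


def capabilities_consistent(first: Set[str], second: Set[str]) -> bool:
    """Steps 504 and 508: the two copies must be identical, not merely overlap.
    A subset means algorithms were stripped somewhere in transit."""
    return set(first) == set(second)


def select_algorithm(priority_list: List[str], capability: Set[str]) -> Optional[str]:
    """Step 506: highest-priority entry of the network's list that the
    verified first security capability supports."""
    for alg in priority_list:
        if alg in capability:
            return alg
    return None


@dataclass
class SmcOutcome:
    rnc_check_passed: bool               # step 504 at the first network device
    ue_check_passed: bool                # step 508 at the user equipment
    integrity_alg: Optional[str]         # step 506 selection, None if not started
    cipher_alg: Optional[str]
    ue_protection_started: bool          # step 510
    setup_complete_carries_first: bool   # step 512 mismatch branch


def run_security_mode_procedure(ue_capability: Set[str],
                                sgsn_stored_capability: Set[str],
                                integrity_priority: List[str],
                                cipher_priority: List[str]) -> SmcOutcome:
    """UE = user equipment, RNC = first network device, SGSN = second network device.

    sgsn_stored_capability is what the SGSN holds after step 502; it differs
    from ue_capability if the initial L3 message was altered in transit.
    """
    # Step 501: the first capability reaches the RNC in RRC connection setup.
    first = set(ue_capability)
    # Steps 503/505 (merged step a): the SMC from the SGSN carries the
    # second capability and the priority lists.
    second = set(sgsn_stored_capability)

    # Step 504 (step b): the RNC compares the two copies.
    rnc_ok = capabilities_consistent(first, second)
    integrity_alg = cipher_alg = None
    if rnc_ok:
        # Step 506 (step c): select against the verified first capability
        # and start protection at the RNC.
        integrity_alg = select_algorithm(integrity_priority, first)
        cipher_alg = select_algorithm(cipher_priority, first)

    # Step 507: the RNC sends the third capability to the UE. Assumption: the
    # RNC echoes the copy it received from the SGSN, so the UE's own check
    # also catches a copy that was altered before reaching the SGSN.
    third = set(second)
    # Step 508: the UE compares the echoed copy with its own capability.
    ue_ok = capabilities_consistent(ue_capability, third)

    # Steps 509-510: algorithms are delivered and protection started at the
    # UE only after the UE-side check passes.
    ue_started = ue_ok and integrity_alg is not None

    # Steps 511-512: security setup complete is forwarded to the SGSN; on a
    # mismatch at the RNC it carries the first capability so that the SGSN
    # can correct its stored copy.
    return SmcOutcome(rnc_ok, ue_ok, integrity_alg, cipher_alg, ue_started, not rnc_ok)


if __name__ == "__main__":
    print(run_security_mode_procedure(UE_CAPABILITY, UE_CAPABILITY,
                                      INTEGRITY_PRIORITY, CIPHER_PRIORITY))
    # Constructed tampered copy: the stronger algorithms were stripped.
    print(run_security_mode_procedure(UE_CAPABILITY, {"UIA1", "UEA0"},
                                      INTEGRITY_PRIORITY, CIPHER_PRIORITY))
```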
Another embodiment of the present invention provides yet another method for verifying security capability, applied to an LTE system. Specifically and optionally, in the LTE system of this embodiment the network devices include an SRNC, an eNB, an SGSN and an MME, where the eNB is the first network device, the MME is the second network device and the SGSN is the third network device. Of course, this embodiment uses the MME, the eNB and the SGSN as examples to describe the technology of the present invention; this does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
Taking the handover of the user equipment from the UMTS system to the LTE system as an example, and referring to FIG. 6, the method includes:
601. The SRNC sends a relocation request message to the SGSN.
The SRNC sends the relocation request message to the SGSN to initiate the system handover.
602. The SGSN sends a relocation request message to the MME.
Because the user equipment security capability has already been sent to the SGSN when the user equipment accessed the UMTS network, the SGSN can send the second security capability to the MME. The second security capability is carried in the relocation request message sent to the MME. The specific content of the second security capability included in the relocation request message is not limited in the present invention.
603. The MME sends a handover request message to the eNB.
With reference to the embodiment corresponding to FIG. 5, steps 601-603 complete the step in which the first network device receives the second security capability sent by the second network device. Specifically and optionally, the user equipment sends the first security capability to the third network device, the third network device acquires the second security capability and sends it to the second network device, and the second network device sends the second security capability to the first network device.
604. The eNB sends a handover confirmation message to the MME.
605. The MME sends a redirection response message to the SGSN.
606. The SGSN sends a redirection command message to the SRNC.
607. The SRNC sends a handover command message to the user equipment.
608. The user equipment sends a handover complete message to the eNB.
Here, the handover complete message includes the first security capability.
Step 608 completes the step in which the first network device receives the first security capability sent by the user equipment.
609. The eNB verifies whether the second security capability is consistent with the first security capability.
If the first security capability is consistent with the second security capability, the handover continues to completion. If the first security capability is inconsistent with the second security capability, then when the first security capability contains an AS algorithm of higher priority, the eNB changes the AS algorithm by selecting the higher-priority AS algorithm from the first security capability; the AS algorithm is used to encrypt data transmitted between the user equipment and the eNB, and the user equipment is also triggered to update its algorithm.
610. The eNB sends a handover notification message to the MME.
Here, the handover notification message includes the first security capability. Specifically, when the first security capability contains a higher-priority NAS algorithm, the MME changes the NAS algorithm by selecting the higher-priority NAS algorithm from the first security capability; the NAS algorithm is used to encrypt data transmitted between the MME and the user equipment, and the user equipment is also triggered to update its algorithm.
611. The MME sends a relocation complete message to the SGSN.
Optionally, when the second security capability from the SGSN is inconsistent with the first security capability of the user equipment, the relocation complete message includes the first security capability so that the SGSN can update the user equipment security capability it has stored.
612. The SGSN sends a relocation complete acknowledgement message to the MME.
In the method for verifying security capability provided by this embodiment, the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
A further embodiment of the present invention provides a method for verifying security capability, applied to an LTE system. Optionally, in the LTE system the network devices include an eNB, an SGSN/VLR and an MME. This embodiment uses the MME, the eNB and the SGSN/VLR as examples to describe the technology of the present invention; this does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices. Referring to FIG. 7, the method includes:
701. The MME receives a second security capability sent by the SGSN or the VLR.
The second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability.
702. The MME receives a first security capability sent by the user equipment.
The first security capability is forwarded to the MME by the eNB, and the first security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability and an EPS security capability.
703. The MME verifies whether the first security capability is consistent with the second security capability.
In this way, by having the MME verify whether the first security capability and the second security capability are consistent, the possibility of transmitting data without security protection is reduced, and the security of information transmission is improved.
In the method for verifying security capability provided by this embodiment, the MME verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, thereby verifying whether information transmission is secure and improving the security of information transmission.
A further embodiment of the present invention provides another method for verifying security capability, applied to an LTE system. Specifically and optionally, in the LTE system the network devices include an SRNC, an eNB, an SGSN and an MME. Of course, this embodiment uses the MME, the eNB, the SRNC and the SGSN as examples to describe the technology of the present invention; this does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
Taking the handover of the user equipment from the UMTS system to the LTE system as an example, and referring to FIG. 8, the method includes:
801. The SRNC sends a relocation request message to the SGSN.
The SRNC sends the relocation request message to the SGSN to initiate the inter-system handover.
802. The SGSN sends a relocation request message to the MME.
Because the user equipment security capability has already been sent to the SGSN when the user equipment accessed the UMTS network, the SGSN can send the second security capability to the MME. The second security capability is carried in the relocation request message sent to the MME, that is, the MME receives the second security capability sent by the SGSN or the VLR. The specific content of the second security capability included in the relocation request message is not limited in the present invention.
803. The MME sends a handover request message to the eNB.
804. The eNB sends a handover confirmation message to the MME.
805. The MME sends a redirection response message to the SGSN.
806. The SGSN sends a redirection command message to the SRNC.
807. The SRNC sends a handover command message to the user equipment.
808. The user equipment sends a handover complete message to the eNB.
Here, the handover complete message includes the first security capability.
809. The eNB sends a handover notification message to the MME.
Here, the handover notification message includes the first security capability; that is, the MME receives the first security capability sent by the user equipment.
810. The MME verifies whether the second security capability is consistent with the first security capability.
Specifically, if the first security capability is consistent with the second security capability, the handover continues to completion. If the first security capability is inconsistent with the second security capability, the MME updates the security capability, and when the first security capability contains a NAS algorithm of higher priority, the MME changes the NAS algorithm; the NAS algorithm is used to encrypt and integrity-protect data transmitted between the MME and the user equipment, and the user equipment is also triggered to change its algorithm. At the same time, the MME sends to the eNB an S1 context modification request containing the correct security capability; if the security capability contains an AS algorithm of higher priority, the eNB also changes the AS algorithm, which is used to encrypt and integrity-protect data transmitted between the user equipment and the eNB.
811. The MME sends a relocation complete message to the SGSN.
Optionally, when the first security capability sent by the user equipment is inconsistent with the second security capability of the second network device, the relocation complete message includes the first security capability so that the SGSN can update the user equipment security capability it has stored.
812. The SGSN sends a relocation complete acknowledgement message to the MME.
In the method for verifying security capability provided by this embodiment, the MME verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, thereby verifying whether information transmission is secure and improving the security of information transmission.
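The MME-side check of FIG. 8 (steps 802, 808-811), modelled as an added example that is not code from the patent: the MME compares the capability carried in the relocation request with the one arriving in the handover notification, and on a mismatch updates its stored copy, re-selects the NAS algorithm only if the first capability yields a higher-priority one, sends the corrected capability to the eNB for the AS re-selection, and marks the relocation complete message to carry the first capability. The message dictionaries, the assumption that algorithms were first chosen from the SGSN's copy during handover preparation, and the sample capabilities and priority lists are constructed (EEA0/EEA1/EEA2 are the 3GPP EPS ciphering algorithm names).

```python
"""Model of the MME-side verification at UMTS-to-LTE handover (FIG. 8,
steps 802, 808-811) with the NAS/AS algorithm re-selection of step 810.

Added example, not code from the patent. Message fields, priority lists
and sample capabilities are assumptions for illustration; EEA0/1/2 are the
3GPP names of the EPS ciphering algorithms.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data.
UE_CAPABILITY: Set[str] = {"EEA0", "EEA1", "EEA2"}   # first security capability
SGSN_DOWNGRADED: Set[str] = {"EEA0", "EEA1"}          # altered copy held by the SGSN
NAS_PRIORITY: List[str] = ["EEA2", "EEA1", "EEA0"]   # MME preference, highest first
AS_PRIORITY: List[str] = ["EEA1", "EEA2", "EEA0"]    # eNB preference, highest first


def select_algorithm(priority_list: List[str], capability: Set[str]) -> Optional[str]:
    """Highest-priority algorithm of the list that the capability supports."""
    for alg in priority_list:
        if alg in capability:
            return alg
    return None


@dataclass
class HandoverOutcome:
    consistent: bool                        # result of step 810
    stored_capability: Set[str]             # copy the MME keeps afterwards
    nas_alg_before: Optional[str]           # chosen from the SGSN's copy
    nas_alg_after: Optional[str]            # after step 810
    as_alg_before: Optional[str]
    as_alg_after: Optional[str]
    s1_context_modification_sent: bool      # corrected capability pushed to the eNB
    relocation_complete_carries_first: bool # step 811 optional field


def mme_handover_check(relocation_request: Dict[str, List[str]],
                       handover_notify: Dict[str, List[str]],
                       nas_priority: List[str],
                       as_priority: List[str]) -> HandoverOutcome:
    """Steps 802 and 808-811 as seen by the MME (second network device)."""
    # Step 802: the second capability arrives from the SGSN in the relocation request.
    second = set(relocation_request["ue_security_capability"])
    # Assumption: NAS and AS algorithms for the target side were selected from
    # this copy during handover preparation (steps 803-804), before the UE's
    # own copy was available.
    nas_before = select_algorithm(nas_priority, second)
    as_before = select_algorithm(as_priority, second)

    # Steps 808-809: the first capability arrives via handover complete and
    # handover notification.
    first = set(handover_notify["ue_security_capability"])

    # Step 810: consistency check.
    if first == second:
        return HandoverOutcome(True, second, nas_before, nas_before,
                               as_before, as_before, False, False)

    # Mismatch: the MME updates its stored capability and re-selects the NAS
    # algorithm; it changes only if the first capability offers a higher-
    # priority one than the copy received from the SGSN.
    nas_after = select_algorithm(nas_priority, first)
    # S1 context modification request carries the correct capability to the
    # eNB, which re-selects the AS algorithm on the same basis.
    as_after = select_algorithm(as_priority, first)
    # Step 811: relocation complete carries the first capability so that the
    # SGSN can correct its stored copy.
    return HandoverOutcome(False, first, nas_before, nas_after,
                           as_before, as_after, True, True)


if __name__ == "__main__":
    req = {"ue_security_capability": sorted(SGSN_DOWNGRADED)}   # constructed
    notify = {"ue_security_capability": sorted(UE_CAPABILITY)}  # constructed
    print(mme_handover_check(req, notify, NAS_PRIORITY, AS_PRIORITY))
```

In the downgraded sample the NAS algorithm moves from EEA1 to EEA2 while the AS algorithm stays EEA1, because the eNB's own list already preferred EEA1; this is the "only when the first capability contains a higher-priority algorithm" condition of step 810.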
An embodiment of the present invention provides a user equipment for performing the method performed by the user equipment described in the embodiment corresponding to FIG. 1, FIG. 2 or FIG. 3. Its structure is shown in FIG. 9; the user equipment 90 includes a sending unit 901, a receiving unit 902 and a verification unit 903.
The sending unit 901 is configured to send the first security capability of the user equipment 90 to the second network device.
The receiving unit 902 is configured to receive the second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user equipment 90.
The verification unit 903 is configured to verify whether the second security capability is consistent with the first security capability.
The user equipment provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, in one application scenario, the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR. In this case:
The sending unit 901 is further configured to send the first security capability to the first network device.
The receiving unit 902 is further configured to receive the third security capability sent by the first network device.
The verification unit 903 is further configured to verify whether the third security capability is consistent with the first security capability.
Optionally, the user equipment 90 may further include a protection unit 904.
The protection unit 904 is configured to, when the third security capability is consistent with the first security capability, enable security protection according to the integrity protection algorithm of the first network device.
Further optionally, the verification unit 903 is further configured to generate a security setup complete message when the second security capability is inconsistent with the first security capability.
The sending unit 901 is further configured to send the security setup complete message generated by the verification unit 903 to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
Optionally, in another application scenario, the first network device is an evolved NodeB eNB, and the second network device is a mobility management entity MME. In this case:
The sending unit 901 is further specifically configured to send the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
Optionally, the sending unit 901 is further configured to, when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
Optionally, the receiving unit 902 is further configured to, when the first security capability received by the first network device or the second network device contains a higher-priority algorithm, receive the higher-priority algorithm sent by the first network device or the second network device.
The protection unit 904 is configured to update its own algorithm according to the higher-priority algorithm received by the receiving unit 902.
In this embodiment, the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. Moreover, if the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the user equipment enables security protection, which guarantees the security of data transmission once security protection is enabled. By verifying in this way whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and have not been tampered with, the possibility of transmitting data without security protection is reduced, and the security of information transmission is thereby improved.
The user equipment provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether information transmission is secure and improving the security of information transmission.
An embodiment of the present invention provides a first network device for performing the method performed by the first network device described in the embodiment corresponding to FIG. 4, FIG. 5 or FIG. 6. Its structure is shown in FIG. 10; the first network device 100 includes a receiving unit 1001 and a verification unit 1002.
The receiving unit 1001 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the second network device.
The verification unit 1002 is configured to verify whether the first security capability is consistent with the second security capability.
The first network device provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, in one application scenario, the first network device 100 is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR. In this case:
The first network device 100 further includes a protection unit 1003 and a sending unit 1004.
The protection unit 1003 is configured to enable security protection when the second security capability is consistent with the first security capability.
The sending unit 1004 is configured to send the third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
Optionally, in another application scenario, the first network device is an evolved NodeB eNB, and the second network device is a mobility management entity MME. In this case:
The protection unit 1003 is configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
Further optionally, the protection unit 1003 is further configured to, when the first security capability received by the receiving unit 1001 contains a higher-priority algorithm, update its own algorithm to the higher-priority algorithm.
The sending unit 1004 is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
In this way, the first network device verifies whether the first security capability and the second security capability are consistent, which reduces the possibility of transmitting data without security protection and improves the security of information transmission.
The first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability of the user equipment to the user equipment, so that the user equipment verifies whether the third security capability from the first network device is consistent with the first security capability of the user equipment. Moreover, if the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the first network device enables security protection, which guarantees that the user equipment security capability verified by the first network device is not tampered with when it is sent to the user equipment. In this way it can be verified whether the user equipment security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and have not been tampered with, which reduces the possibility of transmitting data without security protection and thereby improves the security of information transmission.
The first network device provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
An embodiment of the present invention provides a mobility management entity MME for performing the method performed by the MME described in the embodiment corresponding to FIG. 7 or FIG. 8. Referring to FIG. 11, the MME 110 includes a receiving unit 1101 and a verification unit 1102.
The receiving unit 1101 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved NodeB eNB to the MME.
The verification unit 1102 is configured to verify whether the first security capability is consistent with the second security capability.
In this way, the MME verifies whether the first security capability and the second security capability are consistent, which reduces the possibility of transmitting data without security protection and improves the security of information transmission.
The MME provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, the MME 110 further includes a protection unit 1103 and a sending unit 1104.
The protection unit 1103 is configured to update the security capability according to the first security capability when the first security capability is inconsistent with the second security capability.
Further optionally, the protection unit 1103 is further configured to, when the first security capability received by the receiving unit contains a higher-priority algorithm, update its own algorithm to the higher-priority algorithm.
The sending unit 1104 is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
The MME provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, thereby verifying whether information transmission is secure and improving the security of information transmission.
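As an added example that is not part of the patent, the following Python model walks through the consistency checks described for the user equipment, the first network device (SRNC/RNC or eNB) and the MME embodiments above: first against second capability at the network side, second and third against first at the UE, the security setup complete message on mismatch, and the higher-priority algorithm update. The algorithm names, the priority ranking and the node state are constructed assumptions, not 3GPP identifiers.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed priority ranking, highest priority first. Real rankings are
# operator policy; the names are placeholders, not 3GPP algorithm identifiers.
ALGORITHM_PRIORITY = ["ALG3", "ALG2", "ALG1", "ALG0"]


def capability_consistent(first: frozenset, second: frozenset) -> bool:
    """Two security capabilities are consistent when they list the same algorithms."""
    return first == second


def highest_priority(capability: frozenset) -> str:
    """Return the highest-priority algorithm contained in a capability."""
    for alg in ALGORITHM_PRIORITY:
        if alg in capability:
            return alg
    raise ValueError("capability lists no known algorithm")


def has_higher_priority_algorithm(capability: frozenset, current: str) -> bool:
    """True when the capability lists an algorithm ranked above the one in use."""
    best = highest_priority(capability)
    return ALGORITHM_PRIORITY.index(best) < ALGORITHM_PRIORITY.index(current)


@dataclass
class Node:
    name: str
    stored_capability: frozenset            # copy of the UE capability held here
    algorithm: Optional[str] = None         # algorithm selected for protection
    protection_on: bool = False
    events: list = field(default_factory=list)


def umts_flow(ue: Node, srnc: Node, sgsn: Node) -> dict:
    """UE / SRNC-RNC / SGSN-VLR flow: the SRNC checks first against second;
    the UE checks second (from the SGSN via the SRNC) and third (the SRNC's
    own copy) against its first capability."""
    first = ue.stored_capability                  # sent by the UE to SRNC and SGSN
    second = sgsn.stored_capability               # sent by SGSN, forwarded by SRNC
    # First network device: enable protection only when first equals second.
    if capability_consistent(first, second):
        srnc.protection_on = True
        srnc.events.append("first==second: protection enabled")
    else:
        srnc.events.append("first!=second: protection withheld")
    third = srnc.stored_capability                # SRNC sends its copy to the UE
    # UE: a mismatch with the second capability triggers a security setup
    # complete message carrying the first capability, which the SRNC relays to
    # the SGSN so that the SGSN updates its stored copy.
    sgsn_updated = False
    if not capability_consistent(second, first):
        sgsn.stored_capability = first
        sgsn_updated = True
        ue.events.append("second!=first: security setup complete sent")
    # UE: enable protection only when the SRNC's copy matches, using the
    # integrity protection algorithm of the first network device.
    if capability_consistent(third, first):
        ue.algorithm = srnc.algorithm
        ue.protection_on = True
        ue.events.append("third==first: protection enabled")
    return {"srnc_protection": srnc.protection_on,
            "ue_protection": ue.protection_on,
            "sgsn_updated": sgsn_updated}


def lte_flow(ue: Node, enb: Node, mme: Node) -> dict:
    """UE / eNB / MME flow: the MME compares the first capability (forwarded by
    the eNB) with the second capability (from the SGSN/VLR, modelled here as
    the MME's stored copy); on mismatch both eNB and MME update to the first,
    and a higher-priority algorithm in the first capability replaces the one
    in use and is sent on to the UE."""
    first = ue.stored_capability
    second = mme.stored_capability
    consistent = capability_consistent(first, second)
    if not consistent:
        mme.stored_capability = first
        enb.stored_capability = first
        mme.events.append("first!=second: capability updated from first")
    algorithm_updated = False
    if mme.algorithm is None or has_higher_priority_algorithm(first, mme.algorithm):
        chosen = highest_priority(first)
        mme.algorithm = enb.algorithm = ue.algorithm = chosen   # sent on to the UE
        algorithm_updated = True
        mme.events.append(f"higher-priority algorithm {chosen} selected")
    return {"consistent": consistent,
            "algorithm_updated": algorithm_updated,
            "algorithm": mme.algorithm}


def demo() -> tuple:
    """Constructed inputs: the network-side copies have been degraded."""
    ue = Node("UE", frozenset({"ALG3", "ALG1"}))
    srnc = Node("SRNC", frozenset({"ALG3", "ALG1"}), algorithm="ALG3")
    sgsn = Node("SGSN", frozenset({"ALG1"}))                # degraded copy
    umts = umts_flow(ue, srnc, sgsn)
    ue2 = Node("UE", frozenset({"ALG3", "ALG2", "ALG0"}))
    enb = Node("eNB", frozenset({"ALG2", "ALG0"}), algorithm="ALG2")
    mme = Node("MME", frozenset({"ALG2", "ALG0"}), algorithm="ALG2")
    lte = lte_flow(ue2, enb, mme)
    return umts, lte


if __name__ == "__main__":
    print(demo())
```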
Another embodiment of the present invention provides a user equipment for performing the method performed by the user equipment described in the embodiment corresponding to FIG. 1, FIG. 2 or FIG. 3. Referring to FIG. 12, the device may be embedded in, or may itself be, a microprocessor-based computer, such as a general-purpose computer, a custom-built machine, or a portable device such as a mobile phone terminal or a tablet. The user equipment 1201 includes at least one processor 1211, a memory 1212 and a bus 1213; the at least one processor 1211 and the memory 1212 are connected by the bus 1213 and communicate with each other over it.
The bus 1213 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 1213 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 12, but this does not mean that there is only one bus or only one type of bus. Specifically:
The memory 1212 is configured to store the application program code for executing the solution of the present invention; the application program code for executing the solution of the present invention is stored in the memory, and its execution is controlled by the processor 1211.
The memory may be a read-only memory ROM or another type of static storage device that can store static information and instructions, a random access memory RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory EEPROM, a compact disc read-only memory CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory is connected to the processor via the bus.
The processor 1211 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The processor 1211 is configured to call the program code in the memory 1212. In one possible implementation, when the application program is executed by the processor 1211, the following functions are implemented.
The processor 1211 is configured to send the first security capability of the user equipment to the second network device.
The processor 1211 is further configured to receive the second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user equipment.
The processor 1211 is further configured to verify whether the second security capability is consistent with the first security capability.
The user equipment provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, in one application scenario, the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR. In this case:
The processor 1211 is further configured to send the first security capability to the first network device.
The processor 1211 is further configured to receive the third security capability sent by the first network device.
The processor 1211 is further configured to verify whether the third security capability is consistent with the first security capability.
Optionally, the processor 1211 is further configured to, when the third security capability is consistent with the first security capability, enable security protection according to the integrity protection algorithm of the first network device.
Further optionally, the processor 1211 is further configured to generate a security setup complete message when the second security capability is inconsistent with the first security capability.
The processor 1211 is further configured to send the security setup complete message to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
Optionally, in another application scenario, the first network device is an evolved NodeB eNB, and the second network device is a mobility management entity MME. In this case:
The processor 1211 is further specifically configured to send the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
Optionally, the processor 1211 is further configured to, when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
Optionally, the processor 1211 is further configured to, when the first security capability received by the first network device or the second network device contains a higher-priority algorithm, receive the higher-priority algorithm sent by the first network device or the second network device and update its own algorithm accordingly.
In this way, the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. Moreover, if the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the user equipment enables security protection, which guarantees the security of data transmission once security protection is enabled. By verifying in this way whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and have not been tampered with, the possibility of transmitting data without security protection is reduced, and the security of information transmission is thereby improved.
The user equipment provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether information transmission is secure and improving the security of information transmission.
Another embodiment of the present invention provides a first network device for performing the method performed by the first network device described in the embodiment corresponding to FIG. 4, FIG. 5 or FIG. 6. Referring to FIG. 13, the device may be embedded in, or may itself be, a microprocessor-based computer, such as a general-purpose computer, a custom-built machine, or a portable device such as a mobile phone terminal or a tablet. The first network device 1301 includes at least one processor 1311, a memory 1312 and a bus 1313; the at least one processor 1311 and the memory 1312 are connected by the bus 1313 and communicate with each other over it.
The bus 1313 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 1313 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 13, but this does not mean that there is only one bus or only one type of bus. Specifically:
The memory 1313 is configured to store the application program code for executing the solution of the present invention; the application program code for executing the solution of the present invention is stored in the memory, and its execution is controlled by the processor 1311.
The memory may be a read-only memory ROM or another type of static storage device that can store static information and instructions, a random access memory RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory EEPROM, a compact disc read-only memory CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory is connected to the processor via the bus.
The processor 1311 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The processor 1311 is configured to call the program code in the memory 1313. In one possible implementation, when the application program is executed by the processor 1311, the following functions are implemented.
The processor 1311 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the second network device.
The processor 1311 is further configured to verify whether the first security capability is consistent with the second security capability.
The first network device provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, in one application scenario, the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR. In this case:
The processor 1311 is further configured to enable security protection when the second security capability is consistent with the first security capability.
The processor 1311 is further configured to send the third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
Optionally, in another application scenario, the first network device is an evolved NodeB eNB, and the second network device is a mobility management entity MME. In this case:
The processor 1311 is further configured to, when the second security capability is inconsistent with the first security capability, update the security capability according to the first security capability.
Further optionally, the processor 1311 is further configured to, when the received first security capability contains a higher-priority algorithm, update its own algorithm to the higher-priority algorithm.
The processor 1311 is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
The first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment verifies whether the third security capability from the first network device is consistent with the first security capability of the user equipment. Moreover, if the first network device verifies that the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, the first network device enables security protection, which guarantees that the user equipment security capability verified by the first network device is not tampered with when it is sent to the user equipment. In this way it can be verified whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and have not been tampered with, which reduces the possibility of transmitting data without security protection and thereby improves the security of information transmission.
The first network device provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Another embodiment of the present invention provides a mobility management entity MME for performing the method performed by the MME described in the embodiment corresponding to FIG. 7 or FIG. 8. Referring to FIG. 14, the device may be embedded in, or may itself be, a microprocessor-based computer, such as a general-purpose computer, a custom-built machine, or a portable device such as a mobile phone terminal or a tablet. The MME 1401 includes at least one processor 1411, a memory 1412 and a bus 1413; the at least one processor 1411 and the memory 1412 are connected by the bus 1413 and communicate with each other over it.
The bus 1413 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 1413 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is drawn in FIG. 14, but this does not mean that there is only one bus or only one type of bus. Specifically:
The memory 1414 is configured to store the application program code for executing the solution of the present invention; the application program code for executing the solution of the present invention is stored in the memory, and its execution is controlled by the processor 1411.
The memory may be a read-only memory ROM or another type of static storage device that can store static information and instructions, a random access memory RAM or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory EEPROM, a compact disc read-only memory CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory is connected to the processor via the bus.
The processor 1411 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The processor 1411 is configured to call the program code in the memory 1414. In one possible implementation, when the application program is executed by the processor 1411, the following functions are implemented.
The processor 1411 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved NodeB eNB to the MME.
The processor 1411 is further configured to verify whether the first security capability is consistent with the second security capability.
The MME provided by this embodiment verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
Optionally, the processor 1411 is further configured to, when the first security capability is inconsistent with the second security capability, update the security capability according to the first security capability.
Further optionally, the processor 1411 is further configured to, when the first security capability received by the receiving unit contains a higher-priority algorithm, update its own algorithm to the higher-priority algorithm.
处理器1411,还用于将优先级更高的算法发送至用户设备,以便于用户设备更新算法。The processor 1411 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
这样,通过MME验证第一安全能力和第二安全能力是否一致,降低了在没有安全保障的情况下传输数据的可能,提高了信息传输的安全。In this way, it is verified by the MME whether the first security capability and the second security capability are consistent, which reduces the possibility of transmitting data without security guarantee, and improves the security of information transmission.
本实施例提供的MME,通过验证用户设备发送的第一安全能力与SGSN或VLR发送的第二安全能力是否一致,验证了信息传输是 否安全,提高了信息传输的安全。The MME provided by the embodiment verifies that the information transmission is verified by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR. No security, improve the security of information transmission.
An embodiment of the present invention provides a wireless network system; its structure is shown in FIG. 15. The wireless network system 151 includes a first network device 1501 and a second network device 1502.
Optionally, the wireless network system 151 may further include a third network device 1503 and a user equipment 1504.
The user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 9,
or the user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 12.
In a UMTS system, the first network device is an SRNC or RNC, the second network device is an SGSN or VLR, and the user equipment is a UE; in this case the user equipment 1504 can communicate directly with the second network device 1502. In an LTE system, the network devices include an eNB, an SGSN and an MME, where the eNB is the first network device, the MME is the second network device and the SGSN is the third network device; in this case the user equipment 1504 must go through the third network device 1503 and the first network device 1501 to communicate with the second network device 1502.
In the wireless network system provided in this embodiment, the user equipment verifies whether the second security capability of the user equipment sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether information transmission is secure and improving the security of information transmission.
Another embodiment of the present invention provides a wireless network system; its structure is shown in FIG. 16. The wireless network system 161 includes a first network device 1601 and a second network device 1602.
The first network device 1601 is the first network device described in the embodiment corresponding to FIG. 10.
Alternatively, the first network device 1601 is the first network device described in the embodiment corresponding to FIG. 13.
Optionally, the wireless network system 161 may further include a third network device 1603 and a user equipment 1604.
In a UMTS system, the first network device is an SRNC or RNC, the second network device is an SGSN or VLR, and the user equipment is a UE; in this case the user equipment 1604 can communicate directly with the second network device 1602. In an LTE system, the eNB is the first network device, the MME is the second network device and the SGSN is the third network device; in this case the user equipment 1604 must go through the third network device 1603 and the first network device 1601 to communicate with the second network device 1602.
In the wireless network system provided in this embodiment, the first network device verifies whether the first security capability of the user equipment sent by the user equipment is consistent with the second security capability of the user equipment sent by the second network device, thereby verifying whether information transmission is secure and improving the security of information transmission.
A further embodiment of the present invention provides a wireless network system; its structure is shown in FIG. 17. The wireless network system 171 includes an MME 1701 and an SGSN/VLR 1702.
The MME 1701 is the MME described in the embodiment corresponding to FIG. 11.
Alternatively, the MME 1701 is the MME described in the embodiment corresponding to FIG. 14.
Optionally, the wireless network system 171 may further include an eNB 1703 and a user equipment 1704.
In the wireless network system provided by the embodiment of the present invention, the MME verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or VLR, thereby verifying whether information transmission is secure and improving the security of information transmission.
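The MME-side check described in the embodiment of FIG. 14 and in the system of FIG. 17 can be followed more easily in code. The simulation below is an added example and is not code from the patent or from Huawei: the node classes, the message shapes, the capability labels ("alg-strong" and so on) and the priority table are all constructed for illustration and are not 3GPP identifiers. It runs the two cases the description distinguishes: the copy of the capability that arrives from the SGSN/VLR matches what the UE sent via the eNB, and the copy does not match and advertises only a weaker algorithm. In the second case the MME updates its stored capability from the UE's copy, switches to the higher-priority algorithm the UE supports and sends that algorithm to the UE, which is the behaviour of the optional steps above.

```python
"""Simulation of the MME-side security capability check (added example; all
names, message shapes and the priority table are constructed)."""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List, Optional

# Constructed priority table: lower index means higher priority. The labels are
# placeholders, not 3GPP algorithm identifiers.
PRIORITY = ["alg-strong", "alg-medium", "alg-legacy", "alg-null"]


def rank(alg: str) -> int:
    """Position of an algorithm in the priority table (0 is most preferred)."""
    return PRIORITY.index(alg)


def highest_priority(capability: FrozenSet[str]) -> str:
    """The most preferred algorithm a capability set advertises."""
    return min(capability, key=rank)


@dataclass
class UE:
    capability: FrozenSet[str]          # the UE's own (first) security capability
    algorithm: Optional[str] = None     # algorithm the UE is currently told to use


@dataclass
class MME:
    capability: Optional[FrozenSet[str]] = None  # capability the MME currently holds
    algorithm: Optional[str] = None              # algorithm the MME currently uses
    log: List[str] = field(default_factory=list)

    def select(self, capability: FrozenSet[str]) -> None:
        """Provisional selection from whichever copy the MME received first."""
        self.capability = capability
        self.algorithm = highest_priority(capability)

    def verify(self, first: FrozenSet[str], second: FrozenSet[str], ue: UE) -> Dict[str, Any]:
        """first: capability sent by the UE and forwarded by the eNB.
        second: capability received from the SGSN/VLR.
        Returns what the MME decided; the UE object is updated when an algorithm is sent."""
        consistent = first == second
        outcome: Dict[str, Any] = {"consistent": consistent, "updated": False, "sent_to_ue": None}
        if consistent:
            self.log.append("capabilities consistent")
            return outcome
        self.log.append(f"mismatch: ue={sorted(first)} sgsn/vlr={sorted(second)}")
        # Inconsistent: update the stored security capability from the first (UE) copy.
        self.capability = first
        outcome["updated"] = True
        best = highest_priority(first)
        # If the UE copy contains a higher-priority algorithm than the one in use,
        # switch to it and send it to the UE so the UE updates its algorithm too.
        if self.algorithm is None or rank(best) < rank(self.algorithm):
            self.algorithm = best
            ue.algorithm = best
            outcome["sent_to_ue"] = best
        return outcome


def run_scenarios() -> Dict[str, Any]:
    """Constructed scenarios: a consistent relay and a degraded SGSN/VLR copy."""
    ue_cap = frozenset({"alg-strong", "alg-medium", "alg-null"})
    # Scenario 1: the SGSN/VLR copy equals what the UE sent.
    ue1, mme1 = UE(ue_cap), MME()
    mme1.select(ue_cap)
    honest = mme1.verify(ue_cap, ue_cap, ue1)
    # Scenario 2: the SGSN/VLR copy advertises only the null algorithm (constructed).
    degraded = frozenset({"alg-null"})
    ue2, mme2 = UE(ue_cap), MME()
    mme2.select(degraded)            # the MME would otherwise run with alg-null
    before = mme2.algorithm
    detected = mme2.verify(ue_cap, degraded, ue2)
    return {"honest": honest, "detected": detected, "before": before,
            "after": mme2.algorithm, "ue_algorithm": ue2.algorithm, "log": mme2.log}


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The comparison is on sets, so the order in which algorithms are listed does not matter; only a missing or added algorithm triggers the update path. The log entries are the place where a real implementation would raise an alarm, since a capability that shrinks between the UE and the core network is exactly the condition this verification exists to catch.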
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented in hardware, in firmware, or in a combination of them. When implemented in software, the functions described above may be stored in, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, a computer-readable medium may include RAM (Random Access Memory), ROM (Read Only Memory), EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection may properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, DSL (Digital Subscriber Line) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of the medium. As used in the present invention, disk and disc include CD (Compact Disc), laser disc, optical disc, DVD (Digital Versatile Disc), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any person skilled in the art can readily think of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of protection of the claims.

Claims (30)

  1. A method for verifying a security capability, comprising:
    sending, by a user equipment, a first security capability of the user equipment to a second network device;
    receiving, by the user equipment, a second security capability sent by the second network device, the second security capability being forwarded to the user equipment by a first network device; and
    verifying, by the user equipment, whether the second security capability is consistent with the first security capability.
  2. The method according to claim 1, wherein
    the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR; and
    the method further comprises:
    sending, by the user equipment, the first security capability to the first network device;
    receiving, by the user equipment, a third security capability sent by the first network device; and
    verifying, by the user equipment, whether the third security capability is consistent with the first security capability.
  3. The method according to claim 2, further comprising:
    if the third security capability is consistent with the first security capability, enabling, by the user equipment, security protection according to an integrity protection algorithm of the first network device.
  4. The method according to claim 3, wherein after the user equipment enables security protection according to the integrity protection algorithm sent by the first network device, the method further comprises:
    if the second security capability is inconsistent with the first security capability, generating, by the user equipment, a security establishment complete message and sending the security establishment complete message to the first network device, so that the first network device sends the first security capability to the second network device according to the security establishment complete message.
  5. The method according to claim 1, wherein
    the first network device is an evolved node eNB, and the second network device is a mobility management entity MME; and
    the sending, by the user equipment, of the first security capability of the user equipment to the second network device comprises:
    sending, by the user equipment, the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, wherein the third network device is an SGSN or a VLR.
  6. The method according to claim 5, further comprising:
    if the second security capability is inconsistent with the first security capability, sending, by the user equipment, the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  7. The method according to claim 6, further comprising:
    if the first security capability received by the first network device or the second network device contains a higher-priority algorithm, receiving, by the user equipment, the higher-priority algorithm sent by the first network device or the second network device, and updating its own algorithm.
  8. A method for verifying a security capability, comprising:
    receiving, by a first network device, a first security capability sent by a user equipment and a second security capability sent by a second network device; and
    verifying, by the first network device, whether the first security capability is consistent with the second security capability.
  9. The method according to claim 8, wherein
    the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR; and
    the method further comprises:
    if the second security capability is consistent with the first security capability, enabling, by the first network device, security protection.
  10. The method according to claim 9, wherein after the first network device enables security protection, the method further comprises:
    sending, by the first network device, a third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
  11. The method according to claim 8, wherein
    the first network device is an evolved node eNB, and the second network device is a mobility management entity MME; and
    the method further comprises:
    if the second security capability is inconsistent with the first security capability, updating, by the first network device, the security capability according to the first security capability.
  12. The method according to claim 11, further comprising:
    if the first security capability received by the first network device contains a higher-priority algorithm, updating, by the first network device, its own algorithm to the higher-priority algorithm, and sending the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  13. A method for verifying a security capability, comprising:
    receiving, by a mobility management entity MME, a first security capability sent by a user equipment and a second security capability sent by a service support node SGSN or a visited location register VLR, wherein the first security capability is forwarded to the MME by an evolved node eNB; and
    verifying, by the MME, whether the first security capability is consistent with the second security capability.
  14. The method according to claim 13, further comprising:
    if the first security capability is inconsistent with the second security capability, updating, by the MME, the security capability according to the first security capability.
  15. The method according to claim 14, further comprising:
    if the first security capability received by the MME contains a higher-priority algorithm, updating, by the first network device, its own algorithm to the higher-priority algorithm, and sending the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  16. A user equipment, comprising:
    a sending unit, configured to send a first security capability of the user equipment to a second network device;
    a receiving unit, configured to receive a second security capability sent by the second network device, the second security capability being forwarded to the user equipment by a first network device; and
    a verification unit, configured to verify whether the second security capability is consistent with the first security capability.
  17. The user equipment according to claim 16, wherein
    the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR;
    the sending unit is further configured to send the first security capability to the first network device;
    the receiving unit is further configured to receive a third security capability sent by the first network device; and
    the verification unit is further configured to verify whether the third security capability is consistent with the first security capability.
  18. The user equipment according to claim 17, wherein
    the user equipment further comprises a protection unit, configured to enable security protection according to an integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
  19. The user equipment according to claim 18, wherein
    the verification unit is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability; and
    the sending unit is further configured to send the security establishment complete message generated by the verification unit to the first network device, so that the first network device sends the first security capability to the second network device according to the security establishment complete message.
  20. The user equipment according to claim 16, wherein
    the first network device is an evolved node eNB, and the second network device is a mobility management entity MME; and
    the sending unit is specifically configured to send the first security capability to a third network device, so that the third network device obtains the second security capability and sends the second security capability to the second network device, wherein the third network device is an SGSN or a VLR.
  21. The user equipment according to claim 20, wherein
    the sending unit is further configured to send the first security capability to the first network device and the second network device when the second security capability is inconsistent with the first security capability, so that the second network device and the first network device update their security capabilities according to the first security capability.
  22. The user equipment according to claim 21, wherein
    the receiving unit is further configured to receive the higher-priority algorithm sent by the first network device or the second network device when the first security capability received by the first network device or the second network device contains a higher-priority algorithm; and
    the user equipment further comprises a protection unit, configured to update its own algorithm according to the higher-priority algorithm received by the receiving unit.
  23. A first network device, comprising:
    a receiving unit, configured to receive a first security capability sent by a user equipment and a second security capability sent by a second network device; and
    a verification unit, configured to verify whether the first security capability is consistent with the second security capability.
  24. The device according to claim 23, wherein
    the first network device is a serving network controller SRNC or a network controller RNC, and the second network device is a service support node SGSN or a visited location register VLR; and
    the first network device further comprises a protection unit, configured to enable security protection when the second security capability is consistent with the first security capability.
  25. The device according to claim 24, wherein
    the first network device further comprises a sending unit, configured to send a third security capability to the user equipment, so that the user equipment enables security protection after verifying that the third security capability is consistent with the first security capability.
  26. The device according to claim 23, wherein
    the first network device is an evolved node eNB, and the second network device is a mobility management entity MME; and
    the first network device further comprises a protection unit, configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
  27. The device according to claim 26, wherein
    the protection unit is further configured to update its own algorithm to the higher-priority algorithm when the first security capability received by the receiving unit contains a higher-priority algorithm; and
    the sending unit is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  28. A mobility management entity MME, comprising:
    a receiving unit, configured to receive a first security capability sent by a user equipment and a second security capability sent by a service support node SGSN or a visited location register VLR, wherein the first security capability is forwarded to the MME by an evolved node eNB; and
    a verification unit, configured to verify whether the first security capability is consistent with the second security capability.
  29. The device according to claim 28, wherein
    the MME further comprises a protection unit, configured to update the security capability according to the first security capability when the first security capability is inconsistent with the second security capability.
  30. The device according to claim 29, wherein
    the protection unit is further configured to update its own algorithm to the higher-priority algorithm when the first security capability received by the receiving unit contains a higher-priority algorithm; and
    the MME further comprises a sending unit, configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
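Claims 1 to 4 describe the UE-side procedure for the UMTS case, where the first network device is the SRNC/RNC and the second is the SGSN/VLR: the UE compares the RNC's copy (the third security capability) with its own before enabling protection, and then compares the SGSN/VLR's copy (the second security capability) and reports a mismatch back through the RNC. The exchange below is an added example that is not part of the patent or of any Huawei implementation; the node classes, the message type names such as SECURITY_ESTABLISHMENT_COMPLETE, and the capability labels are constructed for illustration. It carries the whole exchange through, including the RNC relaying the UE's capability to the SGSN/VLR after a mismatch, so that the stale copy at the SGSN/VLR ends up corrected.

```python
"""UE-side security capability check of claims 1 to 4 (UMTS case), as an added
example with constructed nodes, message names and capability labels."""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List, Optional


@dataclass
class Msg:
    kind: str                               # constructed message type name
    sender: str
    capability: FrozenSet[str]              # capability carried in the message
    integrity_algorithm: Optional[str] = None


@dataclass
class UE:
    first_capability: FrozenSet[str]        # the UE's own security capability
    protection_enabled: bool = False
    integrity_algorithm: Optional[str] = None
    outbox: List[Msg] = field(default_factory=list)

    def verify(self, second: Msg, third: Msg) -> Dict[str, Any]:
        """second: the SGSN/VLR copy, forwarded by the RNC (claim 1).
        third: the RNC's own copy with its integrity algorithm (claim 2)."""
        if third.capability != self.first_capability:
            # Claim 3: protection is only switched on when the RNC copy matches.
            return {"third_consistent": False, "second_consistent": None,
                    "protection_enabled": False, "complete_sent": False}
        self.protection_enabled = True
        self.integrity_algorithm = third.integrity_algorithm
        second_ok = second.capability == self.first_capability
        if not second_ok:
            # Claim 4: report back so the RNC re-sends the UE capability to the SGSN/VLR.
            self.outbox.append(Msg("SECURITY_ESTABLISHMENT_COMPLETE", "UE", self.first_capability))
        return {"third_consistent": True, "second_consistent": second_ok,
                "protection_enabled": True, "complete_sent": not second_ok}


@dataclass
class RNC:
    capability: FrozenSet[str]              # copy received directly from the UE
    integrity_algorithm: str
    to_sgsn: List[Msg] = field(default_factory=list)

    def forward_from_sgsn(self, sgsn_msg: Msg) -> Msg:
        """Second capability: relay the SGSN/VLR copy to the UE unchanged."""
        return Msg("FORWARDED_SGSN_CAPABILITY", "RNC", sgsn_msg.capability)

    def own_capability_msg(self) -> Msg:
        """Third capability: the RNC copy, together with its integrity algorithm."""
        return Msg("RNC_CAPABILITY", "RNC", self.capability, self.integrity_algorithm)

    def handle_complete(self, msg: Msg) -> None:
        """On a security establishment complete message, send the UE capability onward."""
        if msg.kind == "SECURITY_ESTABLISHMENT_COMPLETE":
            self.to_sgsn.append(Msg("CAPABILITY_UPDATE", "RNC", msg.capability))


@dataclass
class SGSN:
    capability: FrozenSet[str]              # copy the SGSN/VLR holds; may be stale or altered

    def echo(self) -> Msg:
        return Msg("SGSN_CAPABILITY", "SGSN", self.capability)

    def apply_update(self, msg: Msg) -> None:
        self.capability = msg.capability


def run_exchange(sgsn_copy: FrozenSet[str]) -> Dict[str, Any]:
    """Run the full exchange with a constructed UE capability and the given SGSN/VLR copy."""
    first = frozenset({"alg-strong", "alg-medium"})   # constructed labels
    ue, rnc, sgsn = UE(first), RNC(first, "alg-strong"), SGSN(sgsn_copy)
    second = rnc.forward_from_sgsn(sgsn.echo())
    third = rnc.own_capability_msg()
    outcome = ue.verify(second, third)
    for m in ue.outbox:                  # UE -> RNC
        rnc.handle_complete(m)
    for m in rnc.to_sgsn:                # RNC -> SGSN/VLR
        sgsn.apply_update(m)
    outcome["sgsn_capability"] = sgsn.capability
    outcome["ue_integrity_algorithm"] = ue.integrity_algorithm
    return outcome


if __name__ == "__main__":
    print(run_exchange(frozenset({"alg-strong", "alg-medium"})))
    print(run_exchange(frozenset({"alg-medium"})))
```

The order of the two comparisons matters: the RNC copy is checked first because the completion message that reports the SGSN/VLR mismatch is itself sent under the integrity protection that the RNC check has just authorised, which is what claim 4's "after enabling security protection" expresses.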
PCT/CN2014/091258 2013-12-02 2014-11-17 Method, device, and system for verifying security capability WO2015081784A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310635001.9A CN104683981B (en) 2013-12-02 2013-12-02 A kind of method, equipment and system for verifying security capabilities
CN201310635001.9 2013-12-02

Publications (1)

Publication Number Publication Date
WO2015081784A1 true WO2015081784A1 (en) 2015-06-11

Family

ID=53272862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/091258 WO2015081784A1 (en) 2013-12-02 2014-11-17 Method, device, and system for verifying security capability

Country Status (2)

Country Link
CN (1) CN104683981B (en)
WO (1) WO2015081784A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016110723A1 (en) * 2016-06-10 2017-12-14 Endress+Hauser Process Solutions Ag A method for preventing unauthorized access to software applications in field devices
CN108668281B (en) * 2017-03-31 2021-07-09 华为技术有限公司 Communication method, related equipment and system
CN109819492B (en) * 2017-11-20 2021-02-12 华为技术有限公司 Method and device for determining safety capability
CN110912854B (en) * 2018-09-15 2021-03-23 华为技术有限公司 Safety protection method, equipment and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039314A (en) * 2006-03-16 2007-09-19 华为技术有限公司 Method for realizing safety warranty in evolution accessing network
CN101378591A (en) * 2007-08-31 2009-03-04 华为技术有限公司 Method, system and device for negotiating safety capability when terminal is moving
CN101384079A (en) * 2007-09-03 2009-03-11 华为技术有限公司 Method, system and apparatus for preventing degraded attack when terminal moving
CN101651949A (en) * 2009-08-17 2010-02-17 中兴通讯股份有限公司 Method for establishing safety mode and radio network controller

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552982A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Method and user equipment for detecting degradation attack
CN101383702B (en) * 2008-10-06 2014-07-02 中兴通讯股份有限公司 Method and system protecting cipher generating parameter in tracing region updating

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039314A (en) * 2006-03-16 2007-09-19 华为技术有限公司 Method for realizing safety warranty in evolution accessing network
CN101378591A (en) * 2007-08-31 2009-03-04 华为技术有限公司 Method, system and device for negotiating safety capability when terminal is moving
CN101384079A (en) * 2007-09-03 2009-03-11 华为技术有限公司 Method, system and apparatus for preventing degraded attack when terminal moving
CN103220674A (en) * 2007-09-03 2013-07-24 华为技术有限公司 Method and system for preventing quality degradation attack during terminal movement and device
CN101651949A (en) * 2009-08-17 2010-02-17 中兴通讯股份有限公司 Method for establishing safety mode and radio network controller

Also Published As

Publication number Publication date
CN104683981B (en) 2019-01-25
CN104683981A (en) 2015-06-03

Similar Documents

Publication Publication Date Title
CN109587688B (en) Security in inter-system mobility
RU2440688C2 (en) User profile, policy and distribution of pmip keys in wireless communication network
WO2020038236A1 (en) Routing method, apparatus and system
JP5462411B2 (en) Method and apparatus for supporting synchronization of security settings
US8526617B2 (en) Method of handling security configuration in wireless communications system and related communication device
WO2017117721A1 (en) Mobile communication method, apparatus and device
JP2018510578A (en) Authentication and key sharing with full forward secrecy
US20100172500A1 (en) Method of handling inter-system handover security in wireless communications system and related communication device
EP3709692A1 (en) Routing method, apparatus and system
EP3634023B1 (en) Re-establishing a radio resource control connection
US11689922B2 (en) Re-establishing a radio resource control connection
JP2021510262A (en) Key update method and device
WO2019196766A1 (en) Communication method and apparatus
WO2015081784A1 (en) Method, device, and system for verifying security capability
WO2013078858A1 (en) Method and device for processing srvcc switch, and terminal therefor
CN113170369B (en) Method and apparatus for security context handling during intersystem changes
JP2024506102A (en) Method for configuring evolved packet system non-access layer security algorithm and related devices
TWI776982B (en) Reliable server management method and device supporting wireless network switching
JP5680149B2 (en) NAS security processing device, NAS security processing method, and program
JP2011216994A (en) Nas security processing apparatus, nas security processing method, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14867918

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14867918

Country of ref document: EP

Kind code of ref document: A1