WO2015081784A1 - Method, device and system for verifying a security capability - Google Patents

Info

Publication number
WO2015081784A1
Authority
WO
WIPO (PCT)
Prior art keywords
security capability
network device
security
user equipment
capability
Prior art date
Application number
PCT/CN2014/091258
Other languages
English (en)
Chinese (zh)
Inventor
吴义壮
陈璟
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2015081784A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security

Definitions

  • the present invention relates to the field of communications, and in particular to a method, device, and system for verifying security capabilities.
  • SGSN Serving GPRS Support Node
  • GPRS General Packet Radio Service
  • TD-SCDMA Time Division Synchronous Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • RNC Radio Network Controller
  • 3G third-generation mobile communication technology
  • RRC Radio Resource Control protocol
  • in the existing procedure, the messages sent by the user equipment to the RNC and to the SGSN can be intercepted and tampered with by an attacker, so the transmission of the security capability is not protected.
  • Embodiments of the present invention provide a method, device, and system for verifying security capabilities, relating to the field of communications, which can verify whether information transmission is secure and thereby improve the security of information transmission.
  • a method of verifying security capabilities includes: the user equipment sends the first security capability of the user equipment to the second network device; the user equipment receives a second security capability sent by the second network device, where the second security capability is forwarded to the user equipment by the first network device; and the user equipment verifies whether the second security capability is consistent with the first security capability.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC), and the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR);
  • the method further includes: the user equipment sends the first security capability to the first network device, receives a third security capability sent by the first network device, and verifies whether the third security capability is consistent with the first security capability.
  • the method further includes: if the third security capability is consistent with the first security capability, the user equipment turns on security protection according to the integrity protection algorithm selected by the first network device.
  • the method further includes: if the second security capability is inconsistent with the first security capability, the user equipment generates a security establishment complete message and sends it to the first network device, so that the first network device sends the first security capability to the second network device according to the security establishment complete message.
  • alternatively, the first network device is an evolved node B (eNB) and the second network device is a mobility management entity (MME);
  • sending, by the user equipment, the first security capability of the user equipment to the second network device includes: the user equipment sends the first security capability to a third network device, so that the third network device acquires the second security capability and sends it to the second network device, where the third network device is an SGSN or a VLR.
  • the method further includes: if the second security capability is inconsistent with the first security capability, the user equipment sends the first security capability to the first network device and the second network device, so that the second network device and the first network device update the security capability according to the first security capability.
  • the method further includes: if the first security capability received by the first network device or the second network device includes an algorithm with a higher priority, the user equipment receives the higher-priority algorithm sent by the first network device or the second network device and updates its own algorithm accordingly.
  • a method of verifying security capabilities includes: the first network device receives a first security capability sent by the user equipment and a second security capability sent by the second network device; and the first network device verifies whether the first security capability is consistent with the second security capability.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC), and the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR);
  • the method further includes: if the second security capability is consistent with the first security capability, the first network device turns on security protection.
  • the method further includes: the first network device sends a third security capability to the user equipment, so that the user equipment verifies whether the third security capability is consistent with the first security capability and, if so, turns on security protection.
  • alternatively, the first network device is an evolved node B (eNB) and the second network device is a mobility management entity (MME);
  • the method further includes: if the second security capability is inconsistent with the first security capability, the first network device updates the security capability according to the first security capability.
  • the method further includes: if the first security capability includes an algorithm with a higher priority, the first network device updates its own algorithm to the higher-priority algorithm and sends the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  • a method of verifying security capabilities includes: the mobility management entity (MME) receives a first security capability sent by the user equipment and a second security capability sent by the serving GPRS support node (SGSN) or the visitor location register (VLR), where the first security capability is forwarded to the MME by the evolved node B (eNB); and the MME verifies whether the first security capability is consistent with the second security capability.
  • the method further includes: if the first security capability is inconsistent with the second security capability, the MME updates the security capability according to the first security capability.
  • the method further includes: if the first security capability includes an algorithm with a higher priority, the MME updates its own algorithm to the higher-priority algorithm and sends the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  • a user equipment includes:
  • a sending unit configured to send the first security capability of the user equipment to the second network device;
  • a receiving unit configured to receive a second security capability sent by the second network device, where the second security capability is forwarded to the user equipment by the first network device;
  • a verification unit configured to verify whether the second security capability is consistent with the first security capability.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC), and the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR);
  • the sending unit is further configured to send the first security capability to the first network device;
  • the receiving unit is further configured to receive a third security capability sent by the first network device;
  • the verification unit is further configured to verify whether the third security capability is consistent with the first security capability.
  • the user equipment further includes a protection unit, configured to enable security protection according to the integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
  • the verification unit is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability;
  • the sending unit is further configured to send the security establishment complete message generated by the verification unit to the first network device, so that the first network device sends the first security capability to the second network device according to the security establishment complete message.
  • alternatively, the first network device is an evolved node B (eNB) and the second network device is a mobility management entity (MME);
  • the sending unit is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends it to the second network device, where the third network device is an SGSN or a VLR.
  • the sending unit is further configured to, when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update the security capability according to the first security capability.
  • the receiving unit is further configured to, when the first security capability received by the first network device or the second network device includes an algorithm with a higher priority, receive the higher-priority algorithm sent by the first network device or the second network device;
  • the user equipment further includes a protection unit, configured to update its own algorithm according to the higher-priority algorithm received by the receiving unit.
  • a first network device includes:
  • a receiving unit configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device;
  • a verification unit configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC), and the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR);
  • the first network device further includes a protection unit, configured to enable security protection when the second security capability is consistent with the first security capability.
  • the first network device further includes a sending unit, configured to send a third security capability to the user equipment, so that the user equipment verifies whether the third security capability is consistent with the first security capability and, if so, turns on security protection.
  • alternatively, the first network device is an evolved node B (eNB) and the second network device is a mobility management entity (MME);
  • the first network device further includes a protection unit, configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
  • the protection unit is further configured to update its own algorithm to the higher-priority algorithm when the first security capability received by the receiving unit includes an algorithm with a higher priority;
  • the sending unit is further configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  • a mobility management entity (MME) includes:
  • a receiving unit configured to receive a first security capability sent by the user equipment and a second security capability sent by the serving GPRS support node (SGSN) or the visitor location register (VLR), where the first security capability is forwarded to the MME by the evolved node B (eNB);
  • a verification unit configured to verify whether the first security capability is consistent with the second security capability.
  • the MME further includes a protection unit, configured to update the security capability according to the first security capability when the first security capability and the second security capability are inconsistent.
  • the protection unit is further configured to update its own algorithm to the higher-priority algorithm when the first security capability received by the receiving unit includes an algorithm with a higher priority;
  • the MME further includes a sending unit, configured to send the higher-priority algorithm to the user equipment, so that the user equipment updates its algorithm.
  • in the method, device, and system provided above, the user equipment sends its first security capability to the second network device, receives the second security capability sent back by the second network device, and verifies whether the second security capability is consistent with the first security capability; a mismatch reveals that the capability was altered in transit, so the check verifies whether the information transmission is secure and improves the security of information transmission.
  • FIG. 1 is a schematic flowchart of a method for verifying security capability according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of instruction interaction of another method for verifying security capabilities according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of an instruction interaction of another method for verifying security capabilities according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 5 is a schematic diagram of instruction interaction of another method for verifying security capabilities according to another embodiment of the present invention.
  • FIG. 6 is a schematic diagram of another instruction interaction of a method for verifying security capabilities according to another embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 8 is a schematic diagram of another instruction interaction of a method for verifying security capability according to another embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a user equipment according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a first network device according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an MME according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of a user equipment according to another embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of a first network device according to another embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of an MME according to another embodiment of the present invention.
  • FIG. 15 is a schematic structural diagram of a wireless network system according to an embodiment of the present invention.
  • FIG. 16 is a schematic structural diagram of a wireless network system according to another embodiment of the present invention.
  • FIG. 17 is a schematic structural diagram of a wireless network system according to still another embodiment of the present invention.
  • the method, device, and system for verifying security capabilities provided by embodiments of the present invention can be applied to GSM (Global System for Mobile communications), GERAN (GSM/EDGE Radio Access Network, where EDGE is Enhanced Data Rates for GSM Evolution), UMTS (Universal Mobile Telecommunications System), LTE (Long Term Evolution), and EPS (Evolved Packet System). The present invention can also be applied to other network systems, but since these five systems are the ones widely used in the existing communication field, the embodiments are described mainly in terms of them; the invention is not limited to these five systems.
  • an embodiment of the present invention provides a method for verifying security capabilities, the method comprising the following steps:
  • step 101: the user equipment sends the first security capability of the user equipment to the second network device.
  • the first security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability, and an EPS security capability.
  • step 102: the user equipment receives a second security capability sent by the second network device.
  • the second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability, and an EPS security capability, and specifically corresponds to the security capabilities included in the first security capability in step 101; that is, whichever network security capabilities the first security capability includes, the second security capability includes the same ones.
  • step 103: the user equipment verifies whether the second security capability is consistent with the first security capability.
  • the user equipment verifies whether the second security capability sent by the second network device is consistent with its own first security capability: if they are inconsistent, the security capability has been tampered with and the user equipment can stop accessing the network; if they are consistent, the security capability has not been tampered with and the user equipment can access the network.
  • in this way the user equipment verifies whether the transmission of information between itself and the second network device is secure.
  • the first security capability of the user equipment is only the part of the user equipment's security capability that is to be verified; the user equipment may also send security capabilities that do not need to be verified to the second network device.
  • the security capability of the user equipment includes the list of all encryption algorithms and integrity algorithms supported by the user equipment.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • An embodiment of the present invention provides another method for verifying security capabilities, which is applied to a UMTS system.
  • the user equipment may be a UE (user equipment), where the UE includes an MS (Mobile Station).
  • the first network device may be an RNC or an SRNC (Serving Radio Network Controller), and the second network device may be an SGSN or a VLR (Visitor Location Register).
  • the SRNC and the SGSN are used below to describe the technology of the present invention; this does not mean that the technology can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the method includes:
  • step 201: the user equipment sends the first security capability of the user equipment to the second network device.
  • the first security capability includes the list of encryption algorithms and the list of integrity algorithms supported by the user equipment; the first security capability may be carried in the initial L3 (Layer 3) message sent to the second network device.
  • the L3 message may also carry security capabilities not included in the first security capability, because the first security capability is the part that is verified; the user equipment may choose to send other security capabilities that are temporarily not verified along with it.
  • because the security capability sent by the user equipment may be tampered with on its way to the second network device, the security capability actually received by the second network device is referred to as the second security capability. If the first security capability and the second security capability are consistent, the first security capability has not been tampered with and the information transmission is secure.
  • step 202: the user equipment receives a second security capability sent by the second network device.
  • the second security capability is forwarded to the user equipment by the first network device: the second network device sends it to the first network device in an SMC (Security Mode Command) message, and the first network device forwards the second security capability to the user equipment in an SMC message.
  • the second security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability, and an EPS security capability, and specifically corresponds to the content included in the first security capability of the user equipment.
  • the SMC message may also carry security capabilities not included in the second security capability: the second security capability only represents the capabilities that are verified, and the SMC message may also include security capabilities that temporarily do not need to be verified.
  • step 203: the user equipment verifies whether the second security capability is consistent with the first security capability.
  • in this way the user equipment verifies whether the information transmission between itself and the second network device is secure.
  • the method further includes step 204; step 204 has no fixed order with respect to steps 201, 202, and 203, that is, it can be performed before, after, or simultaneously with any of them.
  • step 204: the user equipment sends the first security capability to the first network device.
  • the first security capability sent to the first network device is carried in the RRC connection setup.
  • step 205: the user equipment receives a third security capability sent by the first network device.
  • the third security capability may include one or more of a UMTS security capability, a GERAN security capability, a GSM security capability, and an EPS security capability, and specifically corresponds to the content of the first security capability and the second security capability in the foregoing steps.
  • the third security capability is carried in the SMC message sent to the user equipment.
  • step 206: the user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
  • in this way the user equipment verifies whether the information transmission between itself and the first network device is secure.
  • the method further includes step 207, which has no fixed order with respect to steps 201 to 206.
  • step 207: the first network device receives a priority list of integrity protection algorithms sent by the second network device.
  • the integrity protection algorithm priority list is sent to the first network device in the SMC message, which may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device can encrypt and integrity-protect the transmitted data.
  • step 208: the first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and turns on security protection based on the selected integrity protection algorithm.
  • if the first network device also receives the encryption algorithm priority list, it selects an encryption algorithm according to that list, starts security protection according to the selected encryption algorithm and integrity protection algorithm, and then transmits the data.
  • the first network device encrypts and integrity-protects the data using the selected encryption algorithm and integrity protection algorithm, and the user equipment uses the same algorithms to decrypt the data and verify its integrity; this protects the subsequent data transmission.
  • step 209: the first network device sends the selected integrity protection algorithm to the user equipment.
  • the first network device sends the selected integrity protection algorithm to the user equipment in the SMC message, which may further include the encryption algorithm selected by the first network device.
  • if, in step 206, the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the method further includes, after step 209:
  • step 210: the user equipment turns on security protection according to the integrity protection algorithm.
  • step 211: the user equipment generates a security establishment complete message and sends it to the first network device.
  • step 212: the first network device sends a security establishment complete message to the second network device.
  • the first network device carries the first security capability in the security establishment complete message sent to the second network device, so that the second network device updates its stored security capability according to the first security capability.
  • the security establishment complete message may further include the encryption algorithm and the integrity protection algorithm selected by the first network device.
  • the user equipment thus verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. If the third security capability is consistent with the first security capability, the user equipment turns on security protection, so that the data transmitted afterwards is protected. Checking that the security capabilities held by the first network device, by the second network device, and by the user equipment itself are consistent, and therefore have not been tampered with, reduces the chance of transmitting data without security guarantees and improves the security of information transmission.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
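The following is an added example, not code from the patent or from its assignee, that models both the generic method (steps 101 to 103) and this UMTS embodiment (steps 201 to 212) with one attacker able to rewrite a message on either the NAS path (initial L3 message to the SGSN) or the RRC path (RRC connection setup to the RNC). The algorithm names UEA0/1/2 and UIA1/2 follow the UMTS numbering; the priority lists, the message field names (`second_cap`, `third_cap`, `echo_cap`) and the class layout are assumptions made for the example.

```python
# Added example (not code from the patent): a model of the UMTS exchange above with the
# two echoed copies of the UE security capability and an attacker on one of the two paths.
# Algorithm names (UEA0/1/2, UIA1/2) follow the UMTS numbering; message field names,
# priority lists and the class layout are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SecurityCapability:
    """The verified part of the UE capability: supported ciphering and integrity algorithms."""
    ciphering: frozenset
    integrity: frozenset


FULL_CAP = SecurityCapability(frozenset({"UEA0", "UEA1", "UEA2"}), frozenset({"UIA1", "UIA2"}))


def strip_strong(cap: SecurityCapability) -> SecurityCapability:
    """Constructed bidding-down attack: the strongest algorithms vanish in transit."""
    return SecurityCapability(cap.ciphering - {"UEA2"}, cap.integrity - {"UIA2"})


def pick(priority: list, supported: frozenset) -> Optional[str]:
    """Highest-priority algorithm in the network's list that the UE (apparently) supports."""
    return next((a for a in priority if a in supported), None)


class SGSN:
    """Second network device: stores the capability received in the initial L3 message."""
    def __init__(self, uea_priority, uia_priority):
        self.uea_priority, self.uia_priority = uea_priority, uia_priority
        self.stored_cap = None

    def on_initial_l3(self, cap):                       # step 201 (possibly tampered copy)
        self.stored_cap = cap

    def smc_to_rnc(self):                               # step 207: SMC with the priority lists
        return {"echo_cap": self.stored_cap,
                "uea_priority": self.uea_priority, "uia_priority": self.uia_priority}

    def on_security_mode_complete(self, msg):           # step 212: adopt the RNC's copy
        self.stored_cap = msg["ue_cap"]


class RNC:
    """First network device: holds the copy received over RRC and selects the algorithms."""
    def __init__(self):
        self.ue_cap, self.selected = None, None

    def on_rrc_setup(self, cap):                        # step 204 (possibly tampered copy)
        self.ue_cap = cap

    def smc_to_ue(self, smc):                           # steps 208-209
        uia = pick(smc["uia_priority"], self.ue_cap.integrity)
        uea = pick(smc["uea_priority"], self.ue_cap.ciphering)
        self.selected = (uia, uea)
        return {"second_cap": smc["echo_cap"],          # the SGSN's copy, forwarded
                "third_cap": self.ue_cap,               # the RNC's own copy
                "uia": uia, "uea": uea}

    def security_mode_complete(self):                   # step 212: carries the UE capability
        return {"ue_cap": self.ue_cap, "selected": self.selected}


class UE:
    def __init__(self, cap):
        self.cap, self.protected = cap, None

    def on_smc(self, smc) -> Optional[bool]:            # steps 203, 206, 210, 211
        second_ok = smc["second_cap"] == self.cap
        third_ok = smc["third_cap"] == self.cap
        if not third_ok:
            return None            # the RNC's copy was altered: do not start protection
        self.protected = (smc["uia"], smc["uea"])
        return second_ok           # False: the SGSN's copy still needs correcting


def run_umts(tamper_l3: Callable = None, tamper_rrc: Callable = None) -> dict:
    """Run the exchange; tamper_l3 / tamper_rrc model an attacker on the NAS or RRC path."""
    ue, sgsn, rnc = UE(FULL_CAP), SGSN(["UEA2", "UEA1", "UEA0"], ["UIA2", "UIA1"]), RNC()
    sgsn.on_initial_l3(tamper_l3(ue.cap) if tamper_l3 else ue.cap)
    rnc.on_rrc_setup(tamper_rrc(ue.cap) if tamper_rrc else ue.cap)
    second_ok = ue.on_smc(rnc.smc_to_ue(sgsn.smc_to_rnc()))
    if second_ok is None:
        return {"aborted": True, "offered": rnc.selected, "sgsn_cap": sgsn.stored_cap}
    sgsn.on_security_mode_complete(rnc.security_mode_complete())
    return {"aborted": False, "second_ok": second_ok,
            "selected": ue.protected, "sgsn_cap": sgsn.stored_cap}


if __name__ == "__main__":
    print(run_umts())                          # clean run
    print(run_umts(tamper_l3=strip_strong))    # SGSN copy corrected after the check
    print(run_umts(tamper_rrc=strip_strong))   # downgraded offer detected, aborted
```

The third-capability check is the one that catches a downgrade on the RRC path: the RNC selects its algorithms from the copy it received in the RRC connection setup, so when that copy has been stripped the SMC offers a weaker algorithm and the UE refuses to start protection. A tampered copy at the SGSN is caught by the second-capability check and corrected when the RNC carries the UE's capability in the security establishment complete message of step 212. Both echoed copies are only worth comparing because the RNC has already turned on integrity protection in step 208 before it sends the SMC in step 209; an unprotected echo could be rewritten by the same attacker.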
  • An embodiment of the present invention provides a method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an SRNC, an eNB (Envolved Node B), an SGSN, and an MME (Mobility Management Entity, The mobility management entity, wherein the eNB is a first network device, the MME is a second network device, and the SGSN is a third network device.
  • the present embodiment uses the MME, the eNB, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the embodiment of the present invention is applied to the scenario where the user equipment is switched from the UMTS system to the LTE system. Referring to FIG. 3, the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is included in the relocation request message and sent to the MME.
  • the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • steps 301-302 complete the first security capability sent by the user equipment to the second network device, so that the second network device acquires the second security capability.
  • the user equipment sends the first security device to the third network device.
  • a security capability such that the third network device acquires the second security capability and sends the second security capability to the second network device.
  • the MME sends a handover request message to the eNB.
  • the MME detects whether the handover request message includes a second security capability, and when the handover request message includes the second security capability, the MME
  • the second security capability is included in an IE (Information Element) of a NAS (Non Access Stratum) secure transparent container, and the IE of the NAS secure transparent container is included in the handover request and sent to the eNB;
  • the MME detects whether the first security capability of the relocation request message includes the second security capability, and when the handover request message includes the second security capability, the MME performs the second security.
  • the capability and security capability indications are included in the handover request message sent to the eNB.
  • the user equipment cannot directly communicate with the eNB when the user equipment is not connected to the LTE network, it must be forwarded by the SGSN and the MME to send the security capability to the eNB.
  • the eNB sends a handover confirmation message to the MME.
  • the eNB after receiving the second security capability sent by the MME, the eNB creates an RRC connection reconfiguration cell to establish a direct connection with the user equipment, and sends a handover request acknowledgement message to the MME, where the handover request acknowledgement message is compared with step 303.
  • the IE of the NAS secure transparent container may be included, and the IE of the NAS secure transparent container includes the second security capability;
  • the eNB includes the second security capability in the RRC connection reconfiguration cell according to the security capability indication, and the RRC connection reconfiguration cell is included in the handover request acknowledgement message and sent to the MME.
  • the MME sends a redirect response message to the SGSN.
  • the SGSN sends a redirect command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the MME sends a redirect response message to the SGSN, and the SGSN forwards the message to the user equipment, wherein the redirect response message includes the second security capability according to step 303 and step 304.
  • steps 303-307 implement the sending of the second security capability by the second network device to the user equipment, forwarded through the first network device: the second network device transmits the second security capability to the first network device, the first network device returns it to the second network device, and the second network device sends it to the user equipment via the third network device.
  • the user equipment verifies whether the second security capability sent by the eNB is consistent with the first security capability of the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message further includes a first security capability, and the eNB may update the security capability and the algorithm according to the first security capability.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message may further include the first security capability, and the MME updates its stored security capability and algorithm according to the first security capability.
  • the MME changes the NAS algorithm; the NAS algorithm encrypts and integrity-protects the data transmitted between the MME and the user equipment.
  • the eNB also changes the AS algorithm, which encrypts and integrity-protects the data transmitted between the user equipment and the eNB; correspondingly, the user equipment is also triggered to change its own algorithm.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes a first security capability, so that the SGSN updates its saved user equipment security capability.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • Another embodiment of the present invention provides a method for verifying security capabilities. Referring to FIG. 4, the method includes:
  • the first network device receives a second security capability sent by the second network device.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the first network device receives the first security capability sent by the user equipment.
  • the user equipment may be a UE, wherein the UE comprises an MS.
  • the first security capability may include one or more of UMTS security capabilities, GERAN security capabilities, GSM security capabilities, and EPS security capabilities.
  • the first network device verifies whether the first security capability is consistent with the second security capability.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a user equipment may be a UE, where the UE includes an MS, and the first network device may be an RNC or an SRNC.
  • the second network device can be an SGSN or a VLR.
  • the present embodiment uses the UE, the SRNC, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the method includes:
  • the user equipment sends the first security capability to the first network device.
  • the first security capability is sent to the first network device in the RRC establishment connection.
  • the first security capability includes the UMTS security capability, and may also include one or more of the GERAN security capability, the GSM security capability, and the EPS security capability.
  • the user equipment sends the first security capability to the second network device.
  • the first security capability is included in the initial L3 message sent to the second network device. Because the first security capability may be tampered with on its way to the second network device, the security capability as received by the second network device is called the second security capability. If the first security capability and the second security capability are consistent, the security capability has not been tampered with in transit and the information transmission is secure; an inconsistency means that one of the copies was altered in transit, for example to remove the stronger algorithms.
  • steps 501 and 502 may be performed in either order.
  • the first network device receives a second security capability sent by the second network device.
  • the second security capability is sent to the first network device in the SMC message.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the method further includes step 505, which may be performed in any order relative to steps 501-504.
  • the first network device receives a priority list of integrity protection algorithms sent by the second network device.
  • the integrity protection algorithm priority list is sent to the first network device in the SMC message; the SMC message may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device can protect the transmitted data.
  • the method further includes:
  • the first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
  • the first network device may also receive an encryption algorithm priority list, select an encryption algorithm from it, and enable encryption protection according to the selected encryption algorithm.
  • the second security capability and integrity protection algorithm priority list sent by the second network device may be included in the SMC message, that is, the steps 503-506 may also be combined into the following three steps:
  • the first network device receives a second security capability and an integrity protection algorithm priority list sent by the second network device.
  • the second security capability and the integrity protection algorithm priority list are included in the SMC message sent to the network controller, where the SMC message may further include one or more of an encryption algorithm priority list, an encryption key, and an integrity protection key, so that the first network device can protect the transmitted data.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the method further includes:
  • the first network device selects an integrity protection algorithm according to the received integrity protection algorithm priority list and the first security capability, and starts security protection according to the selected integrity protection algorithm.
  • the first network device may also receive an encryption algorithm priority list, select an encryption algorithm from it, and enable encryption protection according to the selected encryption algorithm.
  • the first network device sends the third security capability to the user equipment.
  • the third security capability is included in the SMC message and sent to the user equipment.
  • the user equipment verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment.
  • the method further includes:
  • the first network device sends the selected integrity protection algorithm to the user equipment.
  • the first network device sends the selected encryption algorithm and the integrity protection algorithm to the user equipment in the SMC message.
  • the user equipment turns on security protection according to an integrity protection algorithm sent by the first network device.
  • the security protection is started according to the encryption algorithm and the integrity protection algorithm.
  • the user equipment generates a security establishment complete message, and sends a security establishment complete message to the first network device.
  • the first network device sends a security setup complete message to the second network device.
  • the first network device sends the first security capability to the second network device in the security establishment complete message, so that the second network device can update its stored security capability.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment can verify whether the third security capability received from the first network device is consistent with its own first security capability.
  • Moreover, once the first network device has verified that the first security capability is consistent with the second security capability, it turns on security protection, so that the third security capability it then sends to the user equipment cannot be tampered with. In this way the security capabilities held by the first network device, the second network device, and the user equipment can be verified to be consistent and untampered, which reduces the possibility of transmitting data without security protection and thereby improves the security of information transmission.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
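The exchange of steps 501-512 above, as an added example that is not part of the patent or of any Huawei implementation: a Python model of the UE, SRNC and SGSN in which the SRNC compares the copy of the security capability it received on RRC connection setup with the copy forwarded by the SGSN in the SMC, selects the integrity and ciphering algorithms from the SGSN's priority lists, and echoes the verified set to the UE as the third security capability, which the UE checks against its own before starting protection. The UMTS algorithm names (UIA1/UIA2, UEA0/UEA1/UEA2) are the 3GPP ones; the message and node classes, the set-based encoding of the capability IE (the real IEs are bitmaps), the priority lists and the `strip_snow3g` attacker that removes the SNOW 3G algorithms from the unprotected initial L3 message are constructed for this example.

```python
"""Constructed model of the FIG. 5 security mode procedure (UE, SRNC, SGSN) with the echo check."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

Capability = FrozenSet[str]                 # the real IE is a bitmap; a set of names is used here
Tamper = Callable[[Capability], Capability]

class SecurityCapabilityMismatch(Exception):
    """A received copy of the security capability differs from the one held locally."""

@dataclass
class SecurityModeCommand:
    """SMC as sent SGSN->SRNC (steps 503/505) or SRNC->UE (steps 507/509)."""
    capability: Capability                      # second (from SGSN) or third (echoed by SRNC) copy
    integrity_priority: List[str]               # highest priority first
    ciphering_priority: List[str] = field(default_factory=list)
    selected_integrity: Optional[str] = None    # filled in only on the SRNC->UE leg
    selected_ciphering: Optional[str] = None

def select_algorithm(priority: List[str], supported: Capability) -> str:
    """First algorithm in the network's priority list that the capability contains."""
    for alg in priority:
        if alg in supported:
            return alg
    raise ValueError(f"none of {priority} is in UE capability {sorted(supported)}")

@dataclass
class SRNC:
    """First network device: keeps the copy received on RRC connection setup (step 501)."""
    rrc_capability: Optional[Capability] = None
    integrity: Optional[str] = None
    ciphering: Optional[str] = None

    def on_smc_from_sgsn(self, smc: SecurityModeCommand) -> SecurityModeCommand:
        """Steps 504-507: compare the SGSN copy with the RRC copy, select, then echo to the UE."""
        if smc.capability != self.rrc_capability:
            raise SecurityCapabilityMismatch("SRNC: SGSN copy differs from RRC copy")
        self.integrity = select_algorithm(smc.integrity_priority, self.rrc_capability)
        self.ciphering = select_algorithm(smc.ciphering_priority, self.rrc_capability)
        # The verified set is echoed to the UE as the third security capability.
        return SecurityModeCommand(self.rrc_capability, smc.integrity_priority,
                                   smc.ciphering_priority, self.integrity, self.ciphering)

@dataclass
class UE:
    capability: Capability                      # first security capability
    integrity: Optional[str] = None
    ciphering: Optional[str] = None

    def on_smc_from_srnc(self, smc: SecurityModeCommand) -> Capability:
        """Steps 508-511: verify the echo, start protection, return the Security Mode Complete payload."""
        if smc.capability != self.capability:
            raise SecurityCapabilityMismatch("UE: echoed copy differs from own capability")
        if smc.selected_integrity not in self.capability:
            raise SecurityCapabilityMismatch(f"UE: cannot run {smc.selected_integrity}")
        self.integrity, self.ciphering = smc.selected_integrity, smc.selected_ciphering
        return self.capability                  # forwarded to the SGSN in step 512

@dataclass
class Outcome:
    rejected_at: Optional[str]                  # None, "SRNC" or "UE"
    integrity: Optional[str] = None
    ciphering: Optional[str] = None
    complete_capability: Optional[Capability] = None

def run_security_mode_procedure(ue: UE, srnc: SRNC, integrity_priority: List[str],
                                ciphering_priority: List[str], tamper_l3: Optional[Tamper] = None,
                                tamper_echo: Optional[Tamper] = None) -> Outcome:
    """Steps 501-512. tamper_l3 rewrites the unprotected initial L3 message on its way to the
    SGSN; tamper_echo rewrites the capability echoed by the SRNC on its way to the UE."""
    srnc.rrc_capability = ue.capability                                        # step 501
    l3_capability = tamper_l3(ue.capability) if tamper_l3 else ue.capability   # step 502
    smc_to_srnc = SecurityModeCommand(l3_capability, integrity_priority, ciphering_priority)
    try:
        smc_to_ue = srnc.on_smc_from_sgsn(smc_to_srnc)                         # steps 503-507
    except SecurityCapabilityMismatch:
        return Outcome(rejected_at="SRNC")
    if tamper_echo:
        smc_to_ue.capability = tamper_echo(smc_to_ue.capability)
    try:
        complete = ue.on_smc_from_srnc(smc_to_ue)                              # steps 508-511
    except SecurityCapabilityMismatch:
        return Outcome(rejected_at="UE")
    return Outcome(None, srnc.integrity, srnc.ciphering, complete)

def strip_snow3g(capability: Capability) -> Capability:
    """Constructed bidding-down attacker: drop the SNOW 3G algorithms so a network that
    trusted the tampered copy would fall back to Kasumi (UIA1/UEA1)."""
    return capability - {"UIA2", "UEA2"}

if __name__ == "__main__":
    full = frozenset({"UIA1", "UIA2", "UEA1", "UEA2"})
    lists = (["UIA2", "UIA1"], ["UEA2", "UEA1", "UEA0"])
    print("honest:", run_security_mode_procedure(UE(full), SRNC(), *lists))
    print("tampered L3:", run_security_mode_procedure(UE(full), SRNC(), *lists, tamper_l3=strip_snow3g))
```

Running the tampered case shows what the check buys: without it, the SGSN's priority list applied to the stripped copy would still yield UIA1/UEA1 and the session would quietly be bid down to Kasumi; with it, the SRNC rejects at step 504 before any algorithm is started. The `tamper_echo` hook exercises the UE-side check of step 508 in the same way, and a UE that genuinely supports only UIA1/UEA1 still completes the procedure with those algorithms.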
  • the network devices include an SRNC, an eNB, an SGSN, and an MME, where the eNB is the first network device, the MME is the second network device, and the SGSN is the third network device.
  • the present embodiment uses the MME, the eNB, and the SGSN as an example to describe the technology of the present invention, and does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the user equipment is switched from the UMTS system to the LTE system.
  • the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is included in the relocation request message and sent to the MME.
  • the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • the MME sends a handover request message to the eNB.
  • steps 601-603 implement the first network device (the eNB) receiving the second security capability sent by the second network device (the MME).
  • the user equipment sends the first security capability to the third network device;
  • the third network device thereby acquires the second security capability;
  • the first network device sends the first security capability to the third network device.
  • the eNB sends a handover confirmation message to the MME.
  • the MME sends a relocation response message to the SGSN.
  • the SGSN sends a relocation command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message includes the first security capability.
  • step 608 implements the first network device receiving the first security capability sent by the user equipment.
  • the eNB verifies whether the second security capability is consistent with the first security capability.
  • if the first security capability is consistent with the second security capability, the handover continues. If they are inconsistent, the copy relayed through the SGSN and the MME may have been altered in transit; when the first security capability includes an AS algorithm of higher priority than the one in use, the eNB changes the AS algorithm, selecting the highest-priority AS algorithm among those in the first security capability. The AS algorithm encrypts the data transmitted between the user equipment and the eNB, and the change also triggers the user equipment to update its algorithm.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message includes a first security capability.
  • the MME changes the NAS algorithm, selecting the highest-priority NAS algorithm among those in the first security capability; the NAS algorithm encrypts the data transmitted between the MME and the user equipment, and the change also triggers the user equipment to update its algorithm.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes a first security capability, so that the SGSN updates its saved user equipment security capability.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by this embodiment uses the first network device to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a further embodiment of the present invention provides a method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an eNB, an SGSN/VLR, and an MME.
  • this embodiment uses the MME, the eNB, and the SGSN/VLR as an example to describe the technology of the present invention; it does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices. Referring to FIG. 7, the method includes:
  • the MME receives a second security capability sent by the SGSN or the VLR.
  • the second security capability may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the MME receives the first security capability sent by the user equipment.
  • the first security capability is forwarded by the eNB to the MME, and may include one or more of UMTS security capability, GERAN security capability, GSM security capability, and EPS security capability.
  • the MME verifies whether the first security capability is consistent with the second security capability.
  • the method for verifying the security capability provided by the embodiment is to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, and verify whether the information transmission is secure and improve the security of information transmission.
  • a further embodiment of the present invention provides another method for verifying security capabilities, which is applied to an LTE system.
  • the network device includes an SRNC, an eNB, an SGSN, and an MME.
  • this embodiment uses the MME, the eNB, the SRNC, and the SGSN as an example to describe the technology of the present invention; it does not mean that the technology of the present invention can be implemented only by these devices, and the same effect can be achieved by other devices.
  • the user equipment is switched from the UMTS system to the LTE system, and the method includes:
  • the SRNC sends a relocation request message to the SGSN.
  • the SRNC sends a Relocation Request message to the SGSN to initiate a cross-system handover.
  • the SGSN sends a relocation request message to the MME.
  • the SGSN can send the second security capability to the MME.
  • the second security capability is sent to the MME in the relocation request message, that is, the MME receives the second security capability sent by the SGSN or the VLR; the specific content of the second security capability included in the relocation request message is not limited in the present invention.
  • the MME sends a handover request message to the eNB.
  • the eNB sends a handover confirmation message to the MME.
  • the MME sends a relocation response message to the SGSN.
  • the SGSN sends a relocation command message to the SRNC.
  • the SRNC sends a handover command message to the user equipment.
  • the user equipment sends a handover complete message to the eNB.
  • the handover complete message includes the first security capability.
  • the eNB sends a handover notification message to the MME.
  • the handover notification message includes a first security capability. That is, the MME receives the first security capability sent by the user equipment.
  • the MME verifies whether the second security capability is consistent with the first security capability.
  • if the second security capability is inconsistent with the first security capability, the MME updates its stored security capability, and when the first security capability includes a NAS algorithm of higher priority, the MME changes the NAS algorithm.
  • the NAS algorithm encrypts and protects the data transmitted between the MME and the user equipment, and the change triggers the user equipment to change its algorithm.
  • the MME sends an S1 context modification request containing the correct security capability to the eNB; if that security capability includes an AS algorithm of higher priority, the eNB also changes the AS algorithm.
  • the AS algorithm encrypts and protects the data transmitted between the user equipment and the eNB.
  • the MME sends a relocation complete message to the SGSN.
  • the relocation complete message includes the first security capability, so that the SGSN updates the user device security capability saved by itself.
  • the SGSN sends a relocation complete confirmation message to the MME.
  • the method for verifying the security capability provided by the embodiment is to verify whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, and verify whether the information transmission is secure and improve the security of information transmission.
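The UMTS-to-LTE handover flows of FIG. 6 (the eNB verifies at step 609) and FIG. 8 (the MME verifies after the handover notification), as one added example that is not part of the patent or of any Huawei implementation: a Python model in which the eNB and the MME first select AS and NAS algorithms from the copy of the security capability relayed by the SGSN, then compare it with the copy the user equipment sends in the handover complete message and, on a mismatch, store the user equipment's copy, re-select their algorithms and pass the verified copy on to the SGSN in the relocation complete message. The EPS algorithm names (EEA0/EEA1/EEA2, EIA1/EIA2) are the 3GPP ones; the priority lists, the node classes, the set encoding of the capability IE and the stale SGSN copy are assumptions made for this example. It goes beyond the text in one respect: re-selection runs whenever the two copies differ, which yields the higher-priority algorithm described above when the user equipment has one, and also replaces an algorithm the user equipment cannot run when the SGSN copy claimed more than the user equipment supports.

```python
"""Constructed model of the UMTS-to-LTE handover checks of FIG. 6 (eNB) and FIG. 8 (MME)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

Capability = FrozenSet[str]            # the real IE is a bitmap; a set of names is used here
PriorityLists = Dict[str, List[str]]   # purpose -> algorithm names, highest priority first

# Operator-configured priority lists (assumed values); the algorithm names are the 3GPP EPS ones.
AS_PRIORITY: PriorityLists = {"ciphering": ["EEA2", "EEA1", "EEA0"], "integrity": ["EIA2", "EIA1"]}
NAS_PRIORITY: PriorityLists = {"ciphering": ["EEA2", "EEA1", "EEA0"], "integrity": ["EIA2", "EIA1"]}

def select_algorithms(priority: PriorityLists, supported: Capability) -> Dict[str, str]:
    """Per purpose, the first algorithm in the priority list that the capability contains."""
    chosen: Dict[str, str] = {}
    for purpose, candidates in priority.items():
        for alg in candidates:
            if alg in supported:
                chosen[purpose] = alg
                break
        else:
            raise ValueError(f"no {purpose} algorithm of {candidates} in {sorted(supported)}")
    return chosen

@dataclass
class ENB:
    """First network device of FIG. 6: selects AS algorithms from the copy relayed by the MME,
    then re-checks them against the copy the UE sends in Handover Complete."""
    priority: PriorityLists
    stored_capability: Optional[Capability] = None
    as_algorithms: Dict[str, str] = field(default_factory=dict)

    def on_handover_request(self, second_capability: Capability) -> None:
        """Step 603: before the UE arrives, only the SGSN/MME copy is available."""
        self.stored_capability = second_capability
        self.as_algorithms = select_algorithms(self.priority, second_capability)

    def on_handover_complete(self, first_capability: Capability) -> bool:
        """Steps 608-609: compare the UE's own copy with the stored one; on mismatch, store the
        UE copy and re-select. Returns True when a mismatch was detected."""
        mismatch = first_capability != self.stored_capability
        if mismatch:
            self.stored_capability = first_capability
            # Re-selecting from the UE's real capability yields the higher-priority algorithm
            # when the UE has one, and a runnable one if the old choice was not in its set.
            self.as_algorithms = select_algorithms(self.priority, first_capability)
        return mismatch

@dataclass
class MME:
    """Second network device: the same check on the NAS side, fed by Handover Notify (FIG. 8)."""
    priority: PriorityLists
    stored_capability: Optional[Capability] = None
    nas_algorithms: Dict[str, str] = field(default_factory=dict)

    def on_relocation_request(self, second_capability: Capability) -> None:
        """Step 602: the SGSN's copy arrives in the Relocation Request."""
        self.stored_capability = second_capability
        self.nas_algorithms = select_algorithms(self.priority, second_capability)

    def on_handover_notify(self, first_capability: Capability) -> bool:
        """Steps 610-611: verify and, on mismatch, update the capability and NAS algorithms."""
        mismatch = first_capability != self.stored_capability
        if mismatch:
            self.stored_capability = first_capability
            self.nas_algorithms = select_algorithms(self.priority, first_capability)
        return mismatch

@dataclass
class SGSN:
    """Third network device: holds the copy registered earlier, which may be stale or tampered."""
    stored_capability: Capability

    def on_relocation_complete(self, first_capability: Capability) -> None:
        self.stored_capability = first_capability               # steps 612-613

@dataclass
class HandoverReport:
    as_before: Dict[str, str]
    as_after: Dict[str, str]
    nas_before: Dict[str, str]
    nas_after: Dict[str, str]
    enb_detected: bool
    mme_detected: bool

def inter_system_handover(ue_capability: Capability, sgsn: SGSN, mme: MME, enb: ENB) -> HandoverReport:
    """Steps 601-613, keeping only the messages that carry a security capability."""
    mme.on_relocation_request(sgsn.stored_capability)            # step 602: second security capability
    enb.on_handover_request(mme.stored_capability)               # step 603: relayed to the eNB
    as_before, nas_before = dict(enb.as_algorithms), dict(mme.nas_algorithms)
    enb_detected = enb.on_handover_complete(ue_capability)       # steps 608-609: first security capability
    mme_detected = mme.on_handover_notify(enb.stored_capability) # steps 610-611
    sgsn.on_relocation_complete(mme.stored_capability)           # steps 612-613
    return HandoverReport(as_before, dict(enb.as_algorithms), nas_before, dict(mme.nas_algorithms),
                          enb_detected, mme_detected)
```

Calling `inter_system_handover` with a UE that supports EEA2/EIA2 but an SGSN copy that lists only EEA1/EIA1 shows both nodes starting on the weaker algorithms at steps 602-603 and switching to EEA2/EIA2 once the user equipment's own copy arrives, with the SGSN's stored copy corrected at the end. What makes the comparison meaningful is where the two copies come from: the copy in the relocation request was relayed unprotected through the SGSN, whereas in LTE the RRC message that completes the handover is integrity protected with the newly derived AS keys, so the eNB is checking an unprotected copy against a protected one.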
  • the embodiment of the present invention provides a user equipment for performing the method performed by the user equipment described in the embodiment corresponding to FIG. 1, FIG. 2 or FIG. 3, the structure of which is shown in FIG.
  • the sending unit 901 is configured to send the first security capability of the user equipment 90 to the second network device.
  • the receiving unit 902 is configured to receive a second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user device 90.
  • the verification unit 903 is configured to verify whether the second security capability is consistent with the first security capability.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC)
  • the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR).
  • the sending unit 901 is further configured to send the first security capability to the first network device.
  • the receiving unit 902 is further configured to receive a third security capability sent by the first network device.
  • the verification unit 903 is further configured to verify whether the third security capability is consistent with the first security capability.
  • the user equipment 90 may further include a protection unit 904.
  • the protection unit 904 is configured to enable security protection according to an integrity protection algorithm of the first network device when the third security capability is consistent with the first security capability.
  • verification unit 903 is further configured to generate a security establishment complete message when the second security capability is inconsistent with the first security capability.
  • the sending unit 901 is further configured to send the security setup complete message generated by the verification unit 903 to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
  • the first network device is an evolved NodeB (eNB)
  • the second network device is a mobility management entity MME.
  • the sending unit 901 is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
  • the sending unit 901 is further configured to: when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the receiving unit 902 is further configured to: when the first security capability received by the first network device or the second network device includes a higher-priority algorithm, receive the higher-priority algorithm sent by the first network device or the second network device.
  • the protection unit 904 is configured to update its own algorithm according to a higher priority algorithm received by the receiving unit 902.
  • the user equipment verifies whether its first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with its first security capability. Moreover, if the third security capability sent by the first network device is consistent with the first security capability, the user equipment turns on security protection, so that data transmitted after that point is protected. In this way the security capabilities held by the first network device, the second network device, and the user equipment itself can be verified to be consistent and untampered, which reduces the possibility of transmitting data without security guarantees and improves the security of information transmission.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, and improves the security of information transmission.
  • An embodiment of the present invention provides a first network device, where the method performed by the first network device described in the embodiment corresponding to FIG. 4, FIG. 5 or FIG. 6 is performed, and the structure thereof is as shown in FIG.
  • a network device 100 includes a receiving unit 1001 and a verification unit 1002.
  • the receiving unit 1001 is configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device.
  • the verification unit 1002 is configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the first network device 100 is a serving radio network controller (SRNC) or a radio network controller (RNC)
  • the second network device is a serving GPRS support node (SGSN) or a visitor location register (VLR).
  • the first network device 100 further includes a protection unit 1003 and a transmitting unit 1004.
  • the protection unit 1003 is configured to enable security protection when the second security capability is consistent with the first security capability.
  • the sending unit 1004 is configured to send the third security capability to the user equipment, so that the user equipment verifies that the third security capability is consistent with the first security capability, and then turns on the security protection.
  • the first network device is an evolved NodeB (eNB)
  • the second network device is a mobility management entity MME, where:
  • the protection unit 1003 is configured to update the security capability according to the first security capability when the second security capability is inconsistent with the first security capability.
  • the protection unit 1003 is further configured to: when the first security capability received by the receiving unit 1001 includes a higher-priority algorithm, update the algorithm to the higher-priority algorithm.
  • the sending unit 1004 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment can verify whether the third security capability from the first network device is consistent with its own first security capability. Moreover, if the first network device verifies that the first security capability is consistent with the second security capability, it turns on security protection, so that the third security capability it then sends to the user equipment cannot be tampered with. In this way the user equipment security capabilities stored by the first network device, the second network device, and the user equipment itself can be verified to be consistent and untampered, which reduces the possibility of transmitting data without security protection and thereby improves the security of information transmission.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • An embodiment of the present invention provides a mobility management entity MME, which is configured to perform the method performed by the MME described in the embodiment corresponding to FIG. 7 or FIG. 8.
  • the MME 110 includes a receiving unit 1101 and a verification unit 1102.
  • the receiving unit 1101 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the service support node SGSN or the visited location register VLR, where the first security capability is forwarded by the evolved node eNB to the MME.
  • the verification unit 1102 is configured to verify whether the first security capability is consistent with the second security capability.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the MME 110 further includes a protection unit 1103 and a sending unit 1104.
  • the protection unit 1103 is configured to update the security capability according to the first security capability when the first security capability is inconsistent with the second security capability.
  • the protection unit 1103 is further configured to: when the first security capability received by the receiving unit includes a higher priority algorithm, update the algorithm to a higher priority algorithm.
  • the sending unit 1104 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR.
  • the user equipment may be embedded in a device or be the device itself.
  • the user device 1201 includes at least one processor 1211, a memory 1212, and a bus 1213; the at least one processor 1211 and the memory 1212 are connected to each other via the bus 1213.
  • the bus 1213 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1213 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 12, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1212 stores the application code of the inventive scheme, and the execution of that application code is controlled by the processor 1211.
  • the memory can be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable memory.
  • these memories are connected to the processor via the bus.
  • the processor 1211 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1211 is configured to call the program code in the memory 1212. In a possible implementation manner, when the application program is executed by the processor 1211, the following functions are implemented.
  • the processor 1211 is configured to send the first security capability of the user equipment to the second network device.
  • the processor 1211 is further configured to receive a second security capability sent by the second network device, where the second security capability is forwarded by the first network device to the user equipment.
  • the processor 1211 is further configured to verify whether the second security capability is consistent with the first security capability.
  • the user equipment provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC)
  • the second network device is a serving GPRS support node (SGSN) or a visited location register (VLR).
  • the processor 1211 is further configured to send the first security capability to the first network device.
  • the processor 1211 is further configured to receive a third security capability sent by the first network device.
  • the processor 1211 is further configured to verify whether the third security capability is consistent with the first security capability.
  • the processor 1211 is further configured to: when the third security capability is consistent with the first security capability, enable security protection according to the integrity protection algorithm of the first network device.
  • the processor 1211 is further configured to generate a security setup complete message when the second security capability is inconsistent with the first security capability.
  • the processor 1211 is further configured to send a security setup complete message to the first network device, so that the first network device sends the first security capability to the second network device according to the security setup complete message.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME.
  • the processor 1211 is further configured to send the first security capability to the third network device, so that the third network device acquires the second security capability and sends the second security capability to the second network device, where the third network device is an SGSN or a VLR.
  • the processor 1211 is further configured to: when the second security capability is inconsistent with the first security capability, send the first security capability to the first network device and the second network device, so that the second network device and the first network device update their security capabilities according to the first security capability.
  • the processor 1211 is further configured to: when the first security capability received by the first network device or the second network device includes a higher-priority algorithm, receive the higher-priority algorithm sent by the first network device or the second network device and update its own algorithm accordingly.
  • the user equipment verifies whether the first security capability is consistent with the second security capability sent by the second network device, and then verifies whether the third security capability sent by the first network device is consistent with the first security capability of the user equipment. If the third security capability sent by the first network device is consistent with the first security capability of the user equipment, the user equipment enables security protection, so that data transmitted after security protection is enabled is protected. In this way it can be verified whether the security capabilities stored by the first network device, the second network device and the user equipment itself are consistent and whether they have been tampered with, which reduces the possibility of transmitting data without a security guarantee and thereby improves the security of information transmission.
  • the user equipment provided in this embodiment verifies whether the second security capability sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • the first network device 1301 may include: at least one processor 1311, a memory 1312, and a bus 1313; the device may be embedded in, or itself be, a microprocessor-based computer, such as a general-purpose computer, a custom machine, a mobile phone terminal, or a tablet computer.
  • the processor 1311 and the memory 1312 are connected by the bus 1313 and communicate with each other through it.
  • the bus 1313 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1313 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 13, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1313 is configured to store the application code that implements the solution of the present invention; the processor 1311 controls the execution of that application code.
  • the memory can be a read only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable memory.
  • These memories are connected to the processor via a bus.
  • the processor 1311 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1311 is configured to call the program code in the memory 1313. In a possible implementation manner, when the application program is executed by the processor 1311, the following functions are implemented.
  • the processor 1311 is configured to receive a first security capability sent by the user equipment and a second security capability sent by the second network device.
  • the processor 1311 is further configured to verify whether the first security capability is consistent with the second security capability.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the first network device is a serving radio network controller (SRNC) or a radio network controller (RNC)
  • the second network device is a serving GPRS support node (SGSN) or a visited location register (VLR).
  • the processor 1311 is further configured to enable security protection when the second security capability is consistent with the first security capability.
  • the processor 1311 is further configured to send the third security capability to the user equipment, so that the user equipment verifies whether the third security capability is consistent with the first security capability and then enables security protection.
  • the first network device is an evolved node eNB
  • the second network device is a mobility management entity MME, where:
  • the processor 1311 is further configured to: when the second security capability is inconsistent with the first security capability, update the security capability according to the first security capability.
  • the processor 1311 is further configured to: when the received first security capability includes a higher priority algorithm, update the algorithm to a higher priority algorithm.
  • the processor 1311 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device, and then sends the third security capability to the user equipment, so that the user equipment verifies whether the third security capability from the first network device is consistent with the first security capability of the user equipment.
  • the first network device verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device and enables security protection, so that the security capability of the user equipment, once verified by the first network device, is not tampered with when it is sent back to the user equipment. In this way it can be verified whether the security capabilities of the first network device, the second network device and the user equipment are consistent and whether they have been tampered with, thereby reducing the possibility of transmitting data without a security guarantee and improving the security of information transmission.
  • the first network device provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the device may be embedded in, or itself be, a microprocessor-based computer, such as a general-purpose computer, a custom machine, a mobile terminal, or a tablet.
  • the MME 1401 includes: at least one processor 1411, a memory 1412, and a bus 1413.
  • the at least one processor 1411 and the memory 1412 are connected by the bus 1413 and communicate with each other through it.
  • the bus 1413 may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, or an EISA (Extended Industry Standard Architecture) bus.
  • the bus 1413 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 14, but this does not mean that there is only one bus or one type of bus. Where:
  • the memory 1414 is configured to store the application code that implements the solution of the present invention; the processor 1411 controls the execution of that application code.
  • the memory can be a read only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable memory.
  • These memories are connected to the processor via a bus.
  • the processor 1411 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • the processor 1411 is configured to call the program code in the memory 1414. In a possible implementation manner, when the application program is executed by the processor 1411, the following functions are implemented.
  • the processor 1411 is configured to receive the first security capability sent by the user equipment and the second security capability sent by the serving GPRS support node (SGSN) or the visited location register (VLR), where the first security capability is forwarded by the evolved node eNB to the MME.
  • the processor 1411 is further configured to verify whether the first security capability is consistent with the second security capability.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the second network device.
  • the processor 1411 is further configured to: when the first security capability is inconsistent with the second security capability, update the security capability according to the first security capability.
  • the processor 1411 is further configured to: when the received first security capability includes a higher priority algorithm, update the algorithm to the higher priority algorithm.
  • the processor 1411 is further configured to send a higher priority algorithm to the user equipment, so that the user equipment updates the algorithm.
  • the MME provided in this embodiment verifies whether the information transmission is secure and improves the security of information transmission by verifying whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR.
  • the wireless network system 151 includes: a first network device 1501 and a second network device 1502.
  • the wireless network system 151 may further include: a third network device 1503 and a user equipment 1504.
  • the user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 9.
  • the user equipment 1504 is the user equipment described in the embodiment corresponding to FIG. 12.
  • the first network device is an SRNC or an RNC
  • the second network device is an SGSN or a VLR
  • the user equipment is a UE.
  • the user equipment 1504 can directly communicate with the second network device 1502.
  • the network device includes an eNB, an SGSN, and an MME, where the eNB is the first network device, the MME is the second network device, and the SGSN is the third network device. In this case, the user equipment 1504 communicates with the second network device 1502 through the third network device 1503 and the first network device 1501.
  • the wireless network system provided in this embodiment verifies whether the second security capability of the user equipment sent by the second network device is consistent with the first security capability of the user equipment, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • the wireless network system 161 includes: a first network device 1601 and a second network device 1602.
  • the first network device 1601 is the first network device described in the embodiment corresponding to FIG. 10.
  • the first network device 1601 is the first network device described in the embodiment corresponding to FIG.
  • the wireless network system 161 may further include: a third network device 1603 and a user equipment 1604.
  • the first network device is an SRNC or an RNC
  • the second network device is an SGSN or a VLR
  • the user equipment is a UE.
  • the user equipment 1604 can directly communicate with the second network device 1602.
  • the eNB is the first network device
  • the MME is the second network device
  • the SGSN is the third network device.
  • the user equipment 1604 communicates with the second network device 1602 through the third network device 1603 and the first network device 1601.
  • the wireless network system provided in this embodiment verifies whether the first security capability of the user equipment sent by the user equipment is consistent with the second security capability of the user equipment sent by the second network device, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • a further embodiment of the present invention provides a wireless network system, the structure of which is shown in FIG. 17; the wireless network system 171 includes: an MME 1701 and an SGSN/VLR 1702.
  • the MME 1701 is the MME described in the embodiment corresponding to FIG. 11.
  • the MME 1701 is the MME described in the embodiment corresponding to FIG. 14.
  • the wireless network system 171 may further include: an eNB 1703, and a user equipment 1704.
  • the wireless network system verifies whether the first security capability sent by the user equipment is consistent with the second security capability sent by the SGSN or the VLR, thereby verifying whether the information transmission is secure and improving the security of information transmission.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a computer.
  • the computer readable medium may include a RAM (Random Access Memory), a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory) or a CD-ROM (Compact Disc Read Only Memory).
  • Any connection may suitably be a computer readable medium.
  • if the software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, DSL (Digital Subscriber Line) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of the medium.
  • disk and disc, as used herein, include a CD (Compact Disc), a laser disc, an optical disc, a DVD (Digital Versatile Disc), a floppy disk and a Blu-ray disc, where a disk usually reproduces data magnetically, while a disc reproduces data optically with a laser. Combinations of the above should also be included within the scope of computer readable media.
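The verification flows described in the user-equipment, first-network-device and MME embodiments above, modelled as an added Python example; this is not code from the patent or from the applicant. The algorithm names, their priority order and the in-memory message passing are constructed for illustration (no 3GPP algorithm identifiers or real RRC/NAS encodings are used). `run_check` follows the RNC + SGSN/VLR flow, in which the UE first compares the capability echoed back by the core network and then the copy held by the radio controller before enabling protection; `run_update` follows the eNB + MME flow, in which a mismatch causes both network devices to adopt the UE's first capability and the eNB to move to the highest-priority algorithm it carries.

```python
"""Consistency check on a UE's security capability, as in the embodiments above.

Added example; not code from the patent or its applicant. Algorithm names,
their priority order and the message passing are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed priority order: lower index means higher priority (assumption).
ALGORITHM_PRIORITY = ("ALG_STRONG", "ALG_MEDIUM", "ALG_WEAK", "ALG_NULL")


@dataclass(frozen=True)
class SecurityCapability:
    """Set of algorithms the UE supports, as carried between UE and network."""
    algorithms: frozenset

    def is_consistent_with(self, other: "SecurityCapability") -> bool:
        return self.algorithms == other.algorithms

    def best_algorithm(self) -> str:
        for alg in ALGORITHM_PRIORITY:
            if alg in self.algorithms:
                return alg
        raise ValueError("capability lists no known algorithm")


@dataclass
class UserEquipment:
    first_capability: SecurityCapability
    protection_enabled: bool = False
    selected_algorithm: Optional[str] = None

    def verify_second_capability(self, second: SecurityCapability) -> bool:
        # Compare the copy echoed back by the SGSN/VLR or MME with our own.
        return self.first_capability.is_consistent_with(second)

    def verify_third_capability(self, third: SecurityCapability) -> bool:
        # Compare the copy the RNC/eNB holds; enable protection only on a match.
        ok = self.first_capability.is_consistent_with(third)
        if ok:
            self.protection_enabled = True
        return ok


@dataclass
class FirstNetworkDevice:
    """SRNC/RNC or eNB: holds the second capability received from the core."""
    stored_capability: Optional[SecurityCapability] = None
    protection_enabled: bool = False
    selected_algorithm: Optional[str] = None

    def verify(self, first: SecurityCapability) -> bool:
        ok = (self.stored_capability is not None
              and first.is_consistent_with(self.stored_capability))
        if ok:
            self.protection_enabled = True
        return ok

    def update_from_first(self, first: SecurityCapability, ue: UserEquipment) -> str:
        # eNB embodiment: on mismatch adopt the UE's capability and, if it
        # carries a higher-priority algorithm, switch to it and tell the UE.
        self.stored_capability = first
        best = first.best_algorithm()
        if (self.selected_algorithm is None
                or ALGORITHM_PRIORITY.index(best) < ALGORITHM_PRIORITY.index(self.selected_algorithm)):
            self.selected_algorithm = best
            ue.selected_algorithm = best
        return self.selected_algorithm


def run_check(ue_algorithms: Iterable[str], network_algorithms: Iterable[str]) -> Dict[str, bool]:
    """RNC + SGSN/VLR flow. network_algorithms is the capability the SGSN/VLR
    actually holds; constructed to differ when the copy was altered in transit."""
    ue = UserEquipment(SecurityCapability(frozenset(ue_algorithms)))
    second = SecurityCapability(frozenset(network_algorithms))   # from SGSN/VLR
    rnc = FirstNetworkDevice(stored_capability=second)
    ue_ok = ue.verify_second_capability(second)                  # forwarded via the RNC
    rnc_ok = rnc.verify(ue.first_capability)                     # UE's copy vs second
    third_ok = rnc_ok and ue.verify_third_capability(rnc.stored_capability)
    return {"ue_check": ue_ok, "first_device_check": rnc_ok, "third_check": third_ok,
            "protection_enabled": ue.protection_enabled and rnc.protection_enabled}


def run_update(ue_algorithms: Iterable[str], network_algorithms: Iterable[str]) -> Dict[str, object]:
    """eNB + MME flow: on mismatch both network devices update to the UE's
    first capability and the eNB moves to its highest-priority algorithm."""
    ue = UserEquipment(SecurityCapability(frozenset(ue_algorithms)))
    mme_capability = SecurityCapability(frozenset(network_algorithms))
    enb = FirstNetworkDevice(stored_capability=mme_capability,
                             selected_algorithm=mme_capability.best_algorithm())
    mismatch = not ue.verify_second_capability(mme_capability)
    if mismatch:
        enb.update_from_first(ue.first_capability, ue)
        mme_capability = ue.first_capability          # MME updates as well
    return {"mismatch_detected": mismatch, "enb_algorithm": enb.selected_algorithm,
            "ue_algorithm": ue.selected_algorithm,
            "mme_capability": sorted(mme_capability.algorithms)}


if __name__ == "__main__":
    print(run_check({"ALG_STRONG", "ALG_MEDIUM"}, {"ALG_STRONG", "ALG_MEDIUM"}))
    print(run_check({"ALG_STRONG", "ALG_MEDIUM"}, {"ALG_MEDIUM"}))   # altered copy
    print(run_update({"ALG_STRONG", "ALG_MEDIUM"}, {"ALG_MEDIUM"}))
```

The second `run_check` call shows the failure mode the embodiments are built around: the core network holds a reduced copy of the UE's capability, so both the UE-side and the RNC-side comparisons fail and protection is never enabled on either end. In `run_update` the same reduced copy is detected and replaced by the UE's own capability, so the eNB ends up selecting the constructed `ALG_STRONG` rather than the weaker algorithm the reduced copy would have allowed.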

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to embodiments, the present invention relates to the field of communications and provides a method, device and system for verifying a security capability, which solve the problem of insecure information transmission. A specific solution comprises the following operations: a user equipment sends a first security capability of the user equipment to a second network device, receives a second security capability sent by the second network device, and verifies whether the second security capability is consistent with the first security capability. The present invention is used for verifying a security capability.
PCT/CN2014/091258 2013-12-02 2014-11-17 Procédé, dispositif et système pour vérifier une capacité de sécurité WO2015081784A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310635001.9 2013-12-02
CN201310635001.9A CN104683981B (zh) 2013-12-02 2013-12-02 一种验证安全能力的方法、设备及系统

Publications (1)

Publication Number Publication Date
WO2015081784A1 true WO2015081784A1 (fr) 2015-06-11

Family

ID=53272862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/091258 WO2015081784A1 (fr) 2013-12-02 2014-11-17 Procédé, dispositif et système pour vérifier une capacité de sécurité

Country Status (2)

Country Link
CN (1) CN104683981B (fr)
WO (1) WO2015081784A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016110723A1 (de) * 2016-06-10 2017-12-14 Endress+Hauser Process Solutions Ag Verfahren zum Verhindern eines unerlaubten Zugriffs auf Softwareanwendungen in Feldgeräten
CN108668281B (zh) 2017-03-31 2021-07-09 华为技术有限公司 一种通信方法、相关设备及系统
CN109819492B (zh) * 2017-11-20 2021-02-12 华为技术有限公司 一种确定安全能力的方法和装置
CN110912854B (zh) * 2018-09-15 2021-03-23 华为技术有限公司 一种安全保护方法、设备及系统

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039314A (zh) * 2006-03-16 2007-09-19 华为技术有限公司 一种在演进接入网络中实现安全性保证的方法
CN101378591A (zh) * 2007-08-31 2009-03-04 华为技术有限公司 终端移动时安全能力协商的方法、系统及装置
CN101384079A (zh) * 2007-09-03 2009-03-11 华为技术有限公司 一种终端移动时防止降质攻击的方法、系统及装置
CN101651949A (zh) * 2009-08-17 2010-02-17 中兴通讯股份有限公司 一种安全模式建立的方法及无线网络控制器

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552982A (zh) * 2008-04-01 2009-10-07 华为技术有限公司 检测降质攻击的方法及用户设备
CN101383702B (zh) * 2008-10-06 2014-07-02 中兴通讯股份有限公司 在更新跟踪区过程中保护密钥生成参数的方法及系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039314A (zh) * 2006-03-16 2007-09-19 华为技术有限公司 一种在演进接入网络中实现安全性保证的方法
CN101378591A (zh) * 2007-08-31 2009-03-04 华为技术有限公司 终端移动时安全能力协商的方法、系统及装置
CN101384079A (zh) * 2007-09-03 2009-03-11 华为技术有限公司 一种终端移动时防止降质攻击的方法、系统及装置
CN103220674A (zh) * 2007-09-03 2013-07-24 华为技术有限公司 一种终端移动时防止降质攻击的方法、系统及装置
CN101651949A (zh) * 2009-08-17 2010-02-17 中兴通讯股份有限公司 一种安全模式建立的方法及无线网络控制器

Also Published As

Publication number Publication date
CN104683981B (zh) 2019-01-25
CN104683981A (zh) 2015-06-03

Similar Documents

Publication Publication Date Title
CN109587688B (zh) 系统间移动性中的安全性
JP6759232B2 (ja) 完全前方秘匿性を有する認証および鍵共有
RU2440688C2 (ru) Профиль пользователя, политика и распределение ключей pmip в сети беспроводной связи
WO2020038236A1 (fr) Procédé, appareil, et système de routage
JP5462411B2 (ja) セキュリティ設定の同期を支援する方法および装置
US8526617B2 (en) Method of handling security configuration in wireless communications system and related communication device
WO2017117721A1 (fr) Procédé, appareil et dispositif de communication mobile
EP3709692A1 (fr) Procédé, appareil, et système de routage
US20100172500A1 (en) Method of handling inter-system handover security in wireless communications system and related communication device
JP6725764B2 (ja) 無線リソース制御接続の再確立
JP2021510262A (ja) 鍵更新方法および装置
EP3634023B1 (fr) Ré-établissement d'une connexion de commande de ressource radio
WO2019196766A1 (fr) Procédé et appareil de communication
WO2015081784A1 (fr) Procédé, dispositif et système pour vérifier une capacité de sécurité
WO2013078858A1 (fr) Procédé et dispositif de traitement de commutation srvcc et terminal correspondant
CN113170369B (zh) 用于在系统间改变期间的安全上下文处理的方法和装置
JP2024506102A (ja) 進化型パケットシステム非アクセス層セキュリティアルゴリズムを構成する方法、および関連装置
TWI776982B (zh) 支援無線網路切換的可靠伺服管理方法以及裝置
JP5680149B2 (ja) Nasセキュリティ処理装置、nasセキュリティ処理方法、及びプログラム
WO2014113921A1 (fr) Procédé et dispositif de réseau destinés à effectuer une authentification sécurisée d'un système de communication mobile

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14867918

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14867918

Country of ref document: EP

Kind code of ref document: A1