WO2015113197A1 - Apparatus and method for encrypting data - Google Patents


Info

Publication number
WO2015113197A1
Authority
WO
WIPO (PCT)
Prior art keywords
handover
ncc
mme
request message
enb
Prior art date
Application number
PCT/CN2014/071651
Other languages
French (fr)
Chinese (zh)
Inventor
张丽佳
张冬梅
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2014/071651 (WO2015113197A1)
Priority to CN201480000843.XA (CN105103577B)
Publication of WO2015113197A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/24 Reselection being triggered by specific parameters

Definitions

  • the present invention relates to the field of wireless communications, and in particular, to an apparatus and method for encrypting data.
  • Background
  • when a user equipment (UE) performs a specific service, such as an MTC (Machine Type Communication) service, it consumes a large amount of network resources; to prevent the UE performing the specific service from affecting the normal network, the evolved Node B (eNB) redirects the UE from the normal network to the specific network and encrypts the data communicated between the eNB and the UE.
  • MTC: Machine Type Communication
  • eNB: evolved Node B
  • in the prior art a method for encrypting data is provided, which may be: when a UE is attached to a common network, the first MME (Mobility Management Entity) of the common network learns from the subscription information of the UE that the UE needs to be handed over from the common network to the specific network.
  • the first MME sends a handover trigger message to the eNB, where the message includes the cause value of the handover (core network triggered handover); the eNB sends a handover required message to the first MME, and the first MME calculates the first NCC and the first NH.
  • the first NCC is obtained from the current second NCC, and the first NH is calculated from the current second NH.
  • the first MME sends a forward relocation request message to the second MME of the specific network, where the forward relocation request message carries the first NCC and the first NH; the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB, where the handover request message carries the first NCC and the first NH.
  • the eNB receives the handover request message sent by the second MME, computes an updated key KeNB* from the first NH and the first NCC, and encrypts the data communicated between the eNB and the UE according to KeNB*.
  • the prior art has at least the following problems:
  • during this handover procedure the eNB does not send a handover command message to the UE.
  • the UE therefore cannot obtain the first NCC from a handover command message and cannot calculate the updated key KeNB*, so that the KeNB on the eNB side and the KeNB on the UE side are not synchronized.
  • the present invention provides an apparatus and method for encrypting data.
  • the technical solution is as follows:
  • the present invention provides an apparatus for encrypting data, the apparatus comprising:
  • a first receiving module configured to receive a handover trigger message sent by the first mobility management entity MME, where the handover trigger message carries an identifier of the user equipment UE;
  • a second receiving module configured to receive a handover request message sent by the second MME
  • a maintaining module configured to keep the key KeNB shared between the evolved base station eNB and the UE unchanged;
  • an encryption module configured to encrypt the data communicated between the eNB and the UE according to the KeNB.
  • the device further includes: a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core network triggered switch;
  • a first sending module configured to send a handover required message to the first MME, where the handover required message carries the handover reason, so that the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason, so that the second MME sends the handover request message to the eNB.
  • the handover request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME according to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the handover request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the forward relocation request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the forward relocation request message carries a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • the holding module includes:
  • a determining unit configured to determine, according to the handover trigger message or the handover request message, that the handover reason is a core network triggered handover;
  • the present invention provides an apparatus for encrypting data, the apparatus comprising:
  • a second sending module configured to send a handover trigger message to the evolved base station eNB, where the handover trigger message carries an identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity according to the handover trigger message.
  • a third receiving module configured to receive the handover required message sent by the eNB
  • the acquiring module is configured to obtain a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC, and the second NH is the current NH;
  • a third sending module configured to send a forward relocation request message to the second mobility management entity
  • MME, where the forward relocation request message carries a handover reason, so that the second MME sends a handover request message to the eNB and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by incrementing the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries the second NCC and the second NH.
  • the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by incrementing the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the forward relocation request message carries the second NCC and the second NH.
  • the device further includes: a first carrying module, configured to set a next hop indication NHI of the forward relocation request message to a preset identifier, and to carry the second NCC and the second NH, or
  • the present invention provides a method of encrypting data, the method comprising:
  • the key KeNB shared between the evolved base station eNB and the UE is kept unchanged, and data communicated between the eNB and the UE is encrypted according to the KeNB.
  • the method further includes:
  • the handover request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME according to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
  • the handover request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the forward relocation request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the forward relocation request message carries a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • keeping the key KeNB shared between the eNB and the UE unchanged includes:
  • the present invention provides a method for encrypting data, where the method includes: sending a handover trigger message to an evolved base station eNB, where the handover trigger message carries a user equipment
  • the identifier of the UE causing the eNB to send a handover required message to the first mobility management entity MME according to the handover trigger message;
  • the second NCC is the current NCC
  • the second NH is the current NH
  • the handover request message carries a first NCC and a first NH
  • the first NCC is obtained by the first MME by incrementing the second NCC
  • the first NH is calculated by the first MME according to the second NH;
  • the handover request message carries the second NCC and the second NH.
  • the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by incrementing the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the forward relocation request message carries the second NCC and the second NH.
  • before sending the forward relocation request message to the second mobility management entity (MME), the method further includes:
  • the present invention provides an apparatus for encrypting data, the apparatus comprising a first memory and a first processor, the first processor being configured to perform the method for encrypting data according to any of the preceding claims.
  • the present invention provides an apparatus for encrypting data, the apparatus comprising a second memory and a second processor, the second processor being configured to perform the method for encrypting data according to any of the claims of the fourth aspect.
  • the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover reason is a handover triggered by the core network, acquires the current KeNB shared with the UE, and uses that KeNB as the key KeNB* updated after the MME handover; that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • FIG. 1 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for encrypting data according to Embodiment 3 of the present invention.
  • FIG. 4 is a flowchart of a method for encrypting data according to Embodiment 4 of the present invention.
  • FIG. 5 is a flowchart of a method for encrypting data according to Embodiment 5 of the present invention.
  • FIG. 6 is a flowchart of a method for encrypting data according to Embodiment 6 of the present invention.
  • FIG. 7 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 7 of the present invention.
  • FIG. 8 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 8 of the present invention.
  • Detailed description
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the apparatus includes: a first receiving module 101, configured to receive a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of a user equipment UE;
  • when the UE needs to be handed over from the first MME of the common network to the second MME of the specific network, the first MME obtains the identifier of the UE and sends a handover trigger message to the first receiving module 101.
  • the handover trigger message carries the identity of the UE.
  • the eNB receives the handover trigger message sent by the first MME.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identity of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • the UE initiates an attach procedure to the normal network and establishes a PDN (Packet Data Network) connection with the S-GW (Serving Gateway) or P-GW (PDN Gateway) on the network side.
  • S-GW: Serving Gateway
  • P-GW: Packet Data Network Gateway
  • the second receiving module 102 is configured to receive a handover request message sent by the second MME.
  • in order to redirect the UE from the first MME to the second MME, the second MME sends a handover request message to the second receiving module 102, and the second receiving module 102 receives the handover request message sent by the second MME.
  • when receiving the handover request message sent by the second MME, the second receiving module 102 sends a handover confirmation message to the second MME.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • the maintaining module 103 is configured to keep the key KeNB shared between the evolved base station eNB and the UE unchanged;
  • the holding module 103 includes:
  • a determining unit configured to determine, according to the handover trigger message or the handover request message, that the handover reason is a core network triggered handover;
  • because the handover trigger message is sent by the first MME, the determining unit may determine from the handover trigger message that the handover reason is a handover triggered by the core network.
  • the handover request message carries the handover cause, and the determining unit may determine from that handover cause that the handover is a handover triggered by the core network.
  • the handover triggered by the core network only switches the MME to which the UE is attached; the cell, the area, and the base station where the UE is located do not change.
  • the holding unit is used to keep the KeNB unchanged.
  • the holding unit acquires the KeNB shared between the current eNB and the UE, and uses the KeNB as the key KeNB* after the MME is switched.
  • the encryption module 104 is configured to encrypt data communicated between the eNB and the UE according to the KeNB or the KeNB*.
  • the encryption module 104 calculates the first key and the second key according to the KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key.
  • the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • the device further includes:
  • a determining module configured to determine, according to the handover trigger message, that the handover reason is a core network triggered handover;
  • the first sending module is configured to send a handover required message to the first MME, where the handover required message carries a handover reason, so that the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason, so that the second MME sends the handover request message to the eNB.
  • the determining module determines, according to the handover trigger message, that the handover reason is a handover triggered by the core network, and the first sending module sends a handover required message to the first MME.
  • the handover required message carries the handover reason;
  • the first MME receives the handover required message sent by the first sending module, and sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason;
  • the handover reason carried in the forward relocation request message is used to notify the second MME that the handover is a core network triggered handover.
  • the forward relocation request message may also carry Kasme and KSI (Key Set Identifier), and the Kasme and KSI are used to derive the non-access stratum (NAS) key.
  • KSI: Key Set Identifier
  • the handover request message may not carry any {NCC, NH} pair information; the handover request message may also carry a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or the handover request message carries the second next hop chain counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • the first MME obtains the second NCC and the second NH when receiving the handover required message; when the first MME calculates the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the first NCC and the first NH; if the first MME does not calculate the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the second NCC and the second NH.
  • the handover request message may further carry a handover reason.
  • the forward relocation request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by incrementing the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or the forward relocation request message carries the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH.
  • the second MME sends a forward relocation response message to the first MME.
  • the second MME obtains the first NCC by incrementing the second NCC, calculates the first NH according to the second NH, and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME and acquires the first {NCC, NH} pair.
  • the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover reason is a handover triggered by the core network, acquires the current KeNB shared with the UE, and uses that KeNB as the key KeNB* updated after the MME handover; that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the device includes: the second sending module 201 is configured to send a handover trigger message to the evolved base station eNB, where the handover trigger message carries the identifier of the user equipment UE, so that the eNB sends a handover required message according to the handover trigger message;
  • when the UE needs to be handed over from the first MME of the common network to the second MME of the specific network, the first MME obtains the identifier of the UE, and the second sending module 201 sends a handover trigger message to the eNB.
  • the handover trigger message carries an identifier of the UE.
  • the eNB receives the handover trigger message sent by the first MME.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • the UE initiates an attach procedure to the normal network and establishes a PDN connection with the S-GW or P-GW on the network side.
  • the third receiving module 202 is configured to receive the handover required message sent by the eNB;
  • the eNB sends a handover required message to the third receiving module 202 according to the handover trigger message, and the third receiving module 202 receives the handover required message sent by the eNB.
  • An acquiring module configured to obtain a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC, and the second NH is the current NH;
  • the third sending module 203 is configured to send a forward relocation request message to the second mobility management entity MME, where the forward relocation request message carries a handover reason, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by incrementing the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries a second NCC and a second NH.
  • the handover request message may further carry a handover reason.
  • the third receiving module 202 receives the handover required message sent by the eNB, confirms from the handover reason in the handover required message that the handover is triggered by the core network, acquires the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second {NCC, NH} pair, that is, the second NCC is incremented by one to obtain the first NCC, and the first NH is calculated according to the second NH.
  • the second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and includes the first NCC and the first NH.
  • the second NCC is the current NCC; the second NH is the current NH.
  • the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason and the first {NCC, NH} pair, or the forward relocation request message carries the handover reason and the second {NCC, NH} pair.
  • the second MME receives the forward relocation request message sent by the first MME, and sends a handover request message to the eNB.
  • the handover reason carried in the forward relocation request message is used to notify the second MME that the handover is a core network triggered handover.
  • the forward relocation request message may also carry Kasme and KSI, and the Kasme and KSI are used to derive the non-access stratum NAS key.
  • the second MME receives the forward relocation request message sent by the first MME and determines from the handover reason in the forward relocation request message that the handover is triggered by the core network; the handover request message sent by the second MME to the eNB then does not carry any {NCC, NH} pair information. Or, if the forward relocation request message carries the first {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines from the handover reason in the forward relocation request message that the handover is triggered by the core network, acquires the first {NCC, NH} pair from the forward relocation request message, and sends the handover request message to the eNB.
  • the second MME is any MME other than the first MME.
  • the second MME is not specifically limited.
  • the second MME is a specific MME.
  • the eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME; the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • the eNB determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME handover; it calculates the first key and the second key from KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • the second MME sends a forward relocation response message to the first MME.
  • the second MME obtains the first NCC by incrementing the second NCC, calculates the first NH according to the second NH, and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME and acquires the first {NCC, NH} pair.
  • the device further includes:
  • a first carrying module configured to set a next hop indication NHI of the forward relocation request message to a preset identifier, and carry a second NCC and a second NH, or
  • a second carrying module configured to set the next hop indication NHI_old of the old evolved packet system (EPS) security context of the forward relocation request message to a preset identifier, and to carry the second NCC and the second NH.
  • the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover reason is a handover triggered by the core network, acquires the current KeNB shared with the UE, and uses that KeNB as the key KeNB* updated after the MME handover; that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 301: Receive a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of the UE;
  • Step 302 Receive a handover request message sent by the second MME.
  • Step 303 Keep the key KeNB shared between the eNB and the UE unchanged, and encrypt the data communicated between the eNB and the UE according to the KeNB.
  • the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover reason is a handover triggered by the core network, acquires the current KeNB shared with the UE, and uses that KeNB as the key KeNB* updated after the MME handover; that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side and on the UE side stay synchronized.
  • Embodiment 4
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 401: A first MME sends a handover trigger message to an eNB, where the handover trigger message carries an identifier of the UE;
  • the first MME learns that the UE needs to be handed over from the first MME of the common network to the second MME of the specific network
  • the first MME acquires the identifier of the UE and sends a handover trigger message to the eNB, where the handover trigger message carries the identity of the UE.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • before step 401, the UE initiates an attach procedure to the normal network and establishes a PDN connection with the S-GW or the P-GW on the network side.
  • Step 402: The eNB receives the handover trigger message sent by the first MME and determines from it that the handover cause is a handover triggered by the core network.
  • The eNB can make this determination because the handover trigger message comes from the first MME: in a core network triggered handover only the MME to which the UE is attached changes, while the cell and the base station serving the UE remain the same.
  • Step 403: The eNB sends a handover required message to the first MME, where the handover required message carries the handover cause.
  • Step 404: The first MME receives the handover required message sent by the eNB and calculates a first NCC and a first NH according to it.
  • Specifically, the first MME confirms from the handover required message that the handover cause is a handover triggered by the core network, acquires the second {NCC, NH} pair and calculates the first {NCC, NH} pair from it: the second NCC is incremented by one to obtain the first NCC, and the first NH is calculated from the second NH.
  • The second {NCC, NH} pair is the current (old) {NCC, NH} pair and consists of the second NCC, which is the current NCC, and the second NH, which is the current NH. The first {NCC, NH} pair is the fresh {NCC, NH} pair and consists of the first NCC and the first NH.
  • Step 405: The first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause and the first {NCC, NH} pair.
  • The handover cause carried in the forward relocation request message notifies the second MME that the handover is a handover triggered by the core network.
  • The forward relocation request message may further carry the Kasme and the KSI (Key Set Identifier), which are used to derive the non-access stratum (NAS) keys.
  • The second MME may be any MME other than the first MME and is not specifically limited; in this embodiment the second MME is the MME of the specific network.
  • Step 406: The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB.
  • Specifically, the second MME determines from the handover cause in the forward relocation request message that the handover is triggered by the core network, obtains the first {NCC, NH} pair from the forward relocation request message and carries the first {NCC, NH} pair in the handover request message it sends to the eNB.
  • The handover request message may further carry the handover cause.
  • Step 407: The eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME, which notifies the second MME that the handover can be performed.
  • Step 408: The eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB (that is, according to KeNB*).
  • Specifically, the eNB determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE and uses that KeNB as the key KeNB* that applies after the MME change. The eNB then derives the first key and the second key from KeNB* and uses them for encryption and integrity protection of the data communicated between the eNB and the UE.
  • It should be noted that if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • Step 409: The second MME sends a forward relocation response message to the first MME.
  • The second MME also sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair; the eNB receives the path change message and obtains the first {NCC, NH} pair from it.
  • In summary, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from either message that the handover cause is a handover triggered by the core network, obtains the KeNB it currently shares with the UE and uses that KeNB as the key KeNB* that applies after the MME change. The KeNB between the eNB and the UE is thus kept unchanged, the data communicated between the eNB and the UE is encrypted with the KeNB (KeNB*), and the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • Example 5
  • Embodiments of the present invention provide a method of encrypting data, performed by the first MME.
  • The method includes the following steps. Step 501: Send a handover trigger message to an eNB, where the handover trigger message carries an identifier of the UE, so that the eNB sends a handover required message to the first MME according to the handover trigger message.
  • Step 502: Receive the handover required message sent by the eNB and obtain a second NCC and a second NH, where the second NCC is the current NCC and the second NH is the current NH.
  • Step 503: Send a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause, so that the second MME sends a handover request message to the eNB and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • In summary, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from either message that the handover cause is a handover triggered by the core network, obtains the KeNB it currently shares with the UE and uses that KeNB as the key KeNB* that applies after the MME change. The KeNB between the eNB and the UE is thus kept unchanged, the data communicated between the eNB and the UE is encrypted with the KeNB (KeNB*), and the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • Example 6
  • Embodiments of the present invention provide a method of encrypting data.
  • The method includes the following steps. Step 601: The first MME sends a handover trigger message to the eNB, where the handover trigger message carries the identifier of the UE.
  • The first MME learns that the UE needs to be handed over from the first MME, which belongs to the normal network, to the second MME, which belongs to the specific network. It acquires the identifier of the UE and sends the handover trigger message carrying that identifier to the eNB.
  • The identifier of the UE may be any identifier that identifies the UE; it is not specifically limited. For example, it is the MME UE S1AP ID, the identifier allocated by the MME that uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, the identifier allocated by the eNB that uniquely identifies the UE on the S1 interface.
  • The first MME is the MME to which the UE is currently attached.
  • Before step 601, the UE has initiated an attach procedure to the normal network and established a PDN connection with the S-GW or the P-GW on the network side.
  • Step 602: The eNB receives the handover trigger message sent by the first MME and determines from it that the handover cause is a handover triggered by the core network.
  • The eNB can make this determination because the handover trigger message comes from the first MME: in a core network triggered handover only the MME to which the UE is attached changes, while the cell and the base station serving the UE remain the same.
  • Step 603: The eNB sends a handover required message to the first MME, where the handover required message carries the handover cause.
  • The handover cause indicates that the MME to which the UE is attached is to be changed. It may be any indication and is not specifically limited; for example, it is the cause value "core network triggered handover".
  • Step 604: The first MME receives the handover required message sent by the eNB and, according to it, sends a forward relocation request message to the second MME.
  • Specifically, the first MME determines from the handover cause in the handover required message that the handover is triggered by the core network and sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause and the second {NCC, NH} pair.
  • The second {NCC, NH} pair is the current (old) {NCC, NH} pair and consists of the second NCC, which is the current NCC, and the second NH, which is the current NH.
  • The handover cause carried in the forward relocation request message notifies the second MME that the handover is a handover triggered by the core network.
  • The forward relocation request message may further carry the Kasme and the KSI, which are used to derive the non-access stratum (NAS) keys.
  • The second MME may be any MME other than the first MME and is not specifically limited; in this embodiment the second MME is the MME of the specific network.
  • Step 605: The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB.
  • Either the second MME determines from the handover cause in the forward relocation request message that the handover is triggered by the core network and sends the eNB a handover request message that carries no {NCC, NH} pair at all; or the second MME determines from the handover cause that the handover is triggered by the core network, obtains the second {NCC, NH} pair from the forward relocation request message and carries the second {NCC, NH} pair in the handover request message it sends to the eNB.
  • The handover request message may further carry the handover cause.
  • To carry the second pair, the NHI (Next Hop Indicator) of the forward relocation request message is set to a preset identifier and the message carries the second NCC and the second NH; or the NHI_old (Next Hop Indicator for Old EPS Security Context, where EPS is the Evolved Packet System) of the forward relocation request message is set to the preset identifier and the message carries the second NCC and the second NH.
  • The preset identifier is any value that marks the NHI or the NHI_old as set; it is not specifically limited. For example, the preset identifier is 1.
  • Step 606: The eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME, which notifies the second MME that the handover can be performed.
  • Step 607: The eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB (that is, according to KeNB*).
  • Specifically, the eNB determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE and uses that KeNB as the key KeNB* that applies after the MME change. The eNB then derives the first key and the second key from KeNB* and uses them for encryption and integrity protection of the data communicated between the eNB and the UE.
  • If the handover request message carries the second {NCC, NH} pair, the eNB ignores the second {NCC, NH} pair and keeps the KeNB unchanged.
  • Step 608: The second MME sends a forward relocation response message to the first MME.
  • The second MME also calculates the first {NCC, NH} pair from the second {NCC, NH} pair and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair; the eNB receives the path change message and obtains the first {NCC, NH} pair from it.
  • To calculate the first pair, the second MME increments the second NCC by one to obtain the first NCC and calculates the first NH from the second NH. The second {NCC, NH} pair is the current {NCC, NH} pair and consists of the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and consists of the first NCC and the first NH.
  • In summary, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from either message that the handover cause is a handover triggered by the core network, obtains the KeNB it currently shares with the UE and uses that KeNB as the key KeNB* that applies after the MME change. The KeNB between the eNB and the UE is thus kept unchanged, the data communicated between the eNB and the UE is encrypted with the KeNB (KeNB*), and the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
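The following Python model is an added worked example for Examples 4 and 6 above (and for the prior-art flow in the Background section); it is not code from the patent or from its assignee. It chains {NCC, NH} pairs the way the first MME does in step 404/608, then shows why the eNB must keep KeNB when the handover cause is "core network triggered": the UE never receives a handover command, so it still holds the old KeNB, and an eNB that derives KeNB* from the fresh NH (the prior-art behaviour) ends up with access-stratum keys the UE does not have. Assumptions: the key derivation follows 3GPP TS 33.401 Annex A on top of the HMAC-SHA-256 KDF of TS 33.220 Annex B, with FC values and parameter layouts written from my reading of those specs; the seed, PCI, EARFCN, algorithm identifiers and the cause strings are constructed sample inputs; all function names are illustrative.

```python
"""Model of the KeNB handling during a core network triggered MME relocation.

Added illustration, not part of the patent. KDF layout per 3GPP TS 33.220 B.2
(HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) with the FC values of
TS 33.401 Annex A as I remember them; the sync/desync comparison below does
not depend on those constants being exact.
"""
import hashlib
import hmac
from typing import Tuple

CORE_NETWORK_TRIGGERED = "core-network-triggered"   # illustrative cause value
RADIO_TRIGGERED = "radio-triggered"                 # ordinary S1 handover


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH derivation (TS 33.401 A.4, FC=0x12): SYNC-input is KeNB for the
    first NH and the previous NH for every later one."""
    return kdf(kasme, 0x12, sync_input)


def next_pair(kasme: bytes, ncc: int, nh: bytes) -> Tuple[int, bytes]:
    """Step 404/608 at the MME: first NCC = second NCC + 1 (NCC is a 3-bit
    value on the air interface, so it wraps), first NH chained from second NH."""
    return (ncc + 1) & 0x7, derive_nh(kasme, nh)


def derive_kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* derivation (TS 33.401 A.5, FC=0x13). `base` is the NH for a
    vertical derivation, or the current KeNB for a horizontal one."""
    return kdf(base, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_as_keys(kenb: bytes, enc_alg_id: int, int_alg_id: int) -> Tuple[bytes, bytes]:
    """The 'first key' (RRC encryption) and 'second key' (RRC integrity) of
    step 408/607: TS 33.401 A.7, FC=0x15, P0 = algorithm type distinguisher
    (0x03 RRC-enc, 0x04 RRC-int), P1 = algorithm identity; 128 LSBs kept."""
    k_enc = kdf(kenb, 0x15, bytes([0x03]), bytes([enc_alg_id]))[16:]
    k_int = kdf(kenb, 0x15, bytes([0x04]), bytes([int_alg_id]))[16:]
    return k_enc, k_int


def prior_art_enb_key(pair: Tuple[int, bytes], pci: int, earfcn_dl: int) -> bytes:
    """Background section: the eNB always computes KeNB* from the fresh NH
    carried in the Handover Request, whatever the handover cause."""
    _ncc, nh = pair
    return derive_kenb_star(nh, pci, earfcn_dl)


def enb_key_after_mme_relocation(kenb: bytes, cause: str, pair: Tuple[int, bytes],
                                 pci: int, earfcn_dl: int) -> bytes:
    """Step 408/607: for a core network triggered handover the eNB ignores any
    {NCC, NH} pair in the Handover Request and reuses KeNB as KeNB*. For any
    other cause the usual vertical derivation from NH applies."""
    if cause == CORE_NETWORK_TRIGGERED:
        return kenb
    return prior_art_enb_key(pair, pci, earfcn_dl)


def ue_key_without_handover_command(kenb: bytes) -> bytes:
    """The UE gets no RRC handover command in this procedure, hence no new
    NCC, so it keeps the KeNB it already has."""
    return kenb


def simulate(seed: bytes = b"constructed-sample-input") -> Tuple[bool, bool]:
    """Run one MME relocation and return (prior_art_in_sync, patented_in_sync),
    comparing the access-stratum keys the eNB and the UE would actually use.
    All key material is constructed from `seed`; PCI/EARFCN are sample values."""
    kasme = hashlib.sha256(b"KASME|" + seed).digest()
    kenb = hashlib.sha256(b"KeNB|" + seed).digest()
    pci, earfcn_dl = 0x01A5, 1800
    ncc, nh = next_pair(kasme, 0, kenb)          # MME state after attach: {NCC=1, NH_1}
    fresh_pair = next_pair(kasme, ncc, nh)       # step 404: first {NCC, NH} = {2, NH_2}
    ue_keys = derive_as_keys(ue_key_without_handover_command(kenb), 1, 2)
    prior_art_keys = derive_as_keys(prior_art_enb_key(fresh_pair, pci, earfcn_dl), 1, 2)
    patented_keys = derive_as_keys(
        enb_key_after_mme_relocation(kenb, CORE_NETWORK_TRIGGERED, fresh_pair, pci, earfcn_dl), 1, 2)
    return prior_art_keys == ue_keys, patented_keys == ue_keys


if __name__ == "__main__":
    print(simulate())   # (False, True): prior art desynchronizes, keeping KeNB does not
```

The check that matters for a practitioner is the last line of `simulate`: the comparison is made on the derived RRC keys, not on KeNB itself, because that is what the UE and eNB actually cipher and integrity-protect with. Note that the fresh pair is still delivered to the eNB in the path change message (step 409/608), so the chain is not lost; it is simply not consumed by this handover.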
  • Example 7
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • The apparatus includes a first memory 701 and a first processor 702, and the processor performs the following method of encrypting data: receiving a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of the UE; receiving a handover request message sent by a second MME; and keeping the key KeNB shared between the evolved base station eNB and the UE unchanged and encrypting the data communicated between the eNB and the UE according to the KeNB.
  • Further, the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH the current NH; or the handover request message carries the second next hop chaining counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • Likewise, the forward relocation request message carries the first next hop chaining counter NCC and the first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH the current NH; or the forward relocation request message carries the second next hop chaining counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • Keeping the KeNB shared between the evolved base station eNB and the UE unchanged includes: determining from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, and keeping the KeNB unchanged.
  • In summary, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from either message that the handover cause is a handover triggered by the core network, obtains the KeNB it currently shares with the UE and uses that KeNB as the key KeNB* that applies after the MME change. The KeNB between the eNB and the UE is thus kept unchanged, the data communicated between the eNB and the UE is encrypted with the KeNB (KeNB*), and the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
  • Example 8
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • The apparatus includes a second memory 801 and a second processor 802, and the processor performs the following method of encrypting data: sending a handover trigger message to the evolved base station eNB, where the handover trigger message carries the identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message; receiving the handover required message sent by the eNB and obtaining a second NCC and a second NH, where the second NCC is the current NCC and the second NH is the current NH; and sending a forward relocation request message carrying the handover cause to the second MME, so that the second MME sends a handover request message to the eNB and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • The handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH; or the handover request message carries the second NCC and the second NH.
  • The forward relocation request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH; or the forward relocation request message carries the second NCC and the second NH.
  • The method further includes: setting the next hop indicator NHI of the forward relocation request message to a preset identifier and carrying the second NCC and the second NH; or setting the next hop indicator NHI_old of the old evolved packet system (EPS) security context of the forward relocation request message to the preset identifier and carrying the second NCC and the second NH.
  • In summary, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from either message that the handover cause is a handover triggered by the core network, obtains the KeNB it currently shares with the UE and uses that KeNB as the key KeNB* that applies after the MME change. The KeNB between the eNB and the UE is thus kept unchanged, the data communicated between the eNB and the UE is encrypted with the KeNB (KeNB*), and the KeNB on the eNB side stays synchronized with the KeNB on the UE side.

Abstract

The present invention relates to the field of wireless communications. Disclosed are an apparatus and a method for encrypting data. The method comprises: receiving a handover trigger message sent by a first Mobility Management Entity (MME), wherein the handover trigger message carries an identifier of a user equipment (UE); receiving a handover request message sent by a second MME; and keeping a key KeNB shared between an evolved Node B (eNB) and the UE unchanged and encrypting data communicated between the eNB and the UE based on the KeNB. The apparatus comprises a first receiving module, a second receiving module, a keeping module and an encryption module. In the present invention, the handover cause is determined to be a handover triggered by the core network based on the handover trigger message or the handover request message, and the eNB obtains the KeNB that it currently shares with the UE and keeps the KeNB between the eNB and the UE unchanged, which ensures KeNB synchronization between the eNB side and the UE side.

Description

Apparatus and method for encrypting data

Technical field

The present invention relates to the field of wireless communications, and in particular to an apparatus and method for encrypting data.

Background

When a UE (User Equipment) performs a specific service, such as an MTC (Machine Type Communication) service, it consumes a large amount of network resources. To prevent a UE performing such a service from affecting the normal network, the eNB (evolved Node B) redirects the UE performing the specific service from the normal network to a specific network and encrypts the data communicated between the eNB and the UE.

Currently, the following method of encrypting data is provided. When a UE is attached to the normal network and the first MME (Mobility Management Entity) of the normal network learns from the subscription information of the UE that the UE needs to be redirected from the normal network to the specific network, the first MME sends a handover trigger message to the eNB, where the message contains the cause value of the handover (core network triggered handover). The eNB sends a handover required message to the first MME, and the first MME calculates a first NCC (Next hop Chaining Counter) and a first NH (Next Hop), where the first NCC is obtained by incrementing the current second NCC by one and the first NH is calculated from the current second NH. The first MME sends a forward relocation request message carrying the first NCC and the first NH to the second MME of the specific network. The second MME receives the forward relocation request message and sends a handover request message carrying the first NCC and the first NH to the eNB. The eNB receives the handover request message, calculates the updated key KeNB* from the first NCC and the first NH, and encrypts the data communicated between the eNB and the UE according to KeNB*.

In the process of implementing the present invention, the inventors found that the prior art has at least the following problem: the handover procedure is simplified in the prior art and the eNB does not send a handover command message to the UE, so the UE cannot obtain the first NCC from a handover command message and therefore cannot calculate the updated key KeNB*. As a result, the KeNB on the eNB side and the KeNB on the UE side are out of synchronization.

Summary of the invention
To solve the problems of the prior art, the present invention provides an apparatus and method for encrypting data. The technical solution is as follows.

In a first aspect, the present invention provides an apparatus for encrypting data, the apparatus including:

a first receiving module, configured to receive a handover trigger message sent by a first mobility management entity MME, where the handover trigger message carries an identifier of the user equipment UE;

a second receiving module, configured to receive a handover request message sent by a second MME;

a keeping module, configured to keep the key KeNB shared between the evolved base station eNB and the UE unchanged; and

an encryption module, configured to encrypt the data communicated between the eNB and the UE according to the KeNB.

With reference to the first aspect, in a first possible implementation of the first aspect, the apparatus further includes: a determining module, configured to determine from the handover trigger message that the handover cause is a handover triggered by the core network; and

a first sending module, configured to send a handover required message to the first MME, where the handover required message carries the handover cause, so that the first MME sends a forward relocation request message carrying the handover cause to the second MME and the second MME sends the handover request message to the eNB.

With reference to the first aspect, in a second possible implementation of the first aspect, the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing a second NCC by one, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or

the handover request message carries the second next hop chaining counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.

With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, the forward relocation request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC and the second NH is the current NH; or

the forward relocation request message carries the second next hop chaining counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.

With reference to the first aspect, in a fourth possible implementation of the first aspect, the keeping module includes:

a determining unit, configured to determine from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network; and

a keeping unit, configured to keep the KeNB unchanged.

In a second aspect, the present invention provides an apparatus for encrypting data, the apparatus including:
a second sending module, configured to send a handover trigger message to the evolved base station eNB, where the handover trigger message carries an identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message;

a third receiving module, configured to receive the handover required message sent by the eNB;

an acquiring module, configured to acquire a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH; and

a third sending module, configured to send a forward relocation request message to the second mobility management entity MME, where the forward relocation request message carries the handover cause, so that the second MME sends a handover request message to the eNB and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.

With reference to the second aspect, in a first possible implementation of the second aspect, the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH; or

the handover request message carries the second NCC and the second NH.

With reference to the second aspect, in a second possible implementation of the second aspect, the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by incrementing the second NCC by one and the first NH is calculated by the first MME from the second NH; or

the forward relocation request message carries the second NCC and the second NH.

With reference to the second aspect, in a third possible implementation of the second aspect, the apparatus further includes: a first carrying module, configured to set the next hop indicator NHI of the forward relocation request message to a preset identifier and carry the second NCC and the second NH; or

a second carrying module, configured to set the next hop indicator NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and carry the second NCC and the second NH.

In a third aspect, the present invention provides a method of encrypting data, the method including:
接收第一移动性管理实体 MME发送的切换触发消息, 所述切换触发消息 携带用户设备 UE的标识;  Receiving a handover trigger message sent by the first mobility management entity MME, where the handover trigger message carries an identifier of the user equipment UE;
接收第二 MME发送的切换请求消息;  Receiving a handover request message sent by the second MME;
保持演进型基站 eNB与所述 UE之间共享的密钥 KeNB不变,并根据所述 KeNB对所述 eNB与所述 UE之间通信的数据进行加密。  The key KeNB shared between the evolved base station eNB and the UE is kept unchanged, and data communicated between the eNB and the UE is encrypted according to the KeNB.
With reference to the third aspect, in a first possible implementation manner of the third aspect, after the handover trigger message sent by the first mobility management entity MME is received, the method further includes:
determining, according to the handover trigger message, that the handover cause is a handover triggered by the core network;
sending a handover required message to the first MME, where the handover required message carries the handover cause, so that the first MME sends a forward relocation request message carrying the handover cause to the second MME, so that the second MME sends the handover request message to the eNB.
With reference to the first possible implementation manner of the third aspect, in a second possible implementation manner of the third aspect, the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
the handover request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
With reference to the first possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the forward relocation request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
the forward relocation request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
With reference to the third aspect, in a fourth possible implementation manner of the third aspect, keeping the key KeNB shared between the evolved NodeB eNB and the UE unchanged includes:
determining, according to the handover trigger message or the handover request message, that the handover cause is a handover triggered by the core network, and keeping the KeNB unchanged.
In a fourth aspect, the present invention provides a method for encrypting data, the method including:
sending a handover trigger message to an evolved NodeB eNB, where the handover trigger message carries an identifier of a user equipment UE, so that the eNB sends a handover required message to a first mobility management entity MME according to the handover trigger message;
receiving the handover required message sent by the eNB, and acquiring a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH;
sending a forward relocation request message to a second MME, where the forward relocation request message carries a handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts data communicated between the eNB and the UE according to the KeNB.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a second possible implementation manner of the fourth aspect, the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a third possible implementation manner of the fourth aspect, before the forward relocation request message is sent to the second mobility management entity MME, the method further includes:
setting the next hop indication NHI of the forward relocation request message to a preset identifier and carrying the second NCC and the second NH; or,
setting the next hop indication NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and carrying the second NCC and the second NH.
In a fifth aspect, the present invention provides an apparatus for encrypting data, the apparatus including a first memory and a first processor configured to perform the method for encrypting data according to any one claim of the third aspect.
In a sixth aspect, the present invention provides an apparatus for encrypting data, the apparatus including a second memory and a second processor configured to perform the method for encrypting data according to any one claim of the fourth aspect.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, acquires the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME switch, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description show merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
FIG. 1 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 1 of the present invention;
FIG. 2 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a method for encrypting data according to Embodiment 3 of the present invention;
FIG. 4 is a flowchart of a method for encrypting data according to Embodiment 4 of the present invention;
FIG. 5 is a flowchart of a method for encrypting data according to Embodiment 5 of the present invention;
FIG. 6 is a flowchart of a method for encrypting data according to Embodiment 6 of the present invention;
FIG. 7 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 7 of the present invention;
FIG. 8 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 8 of the present invention.
DETAILED DESCRIPTION
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
An embodiment of the present invention provides an apparatus for encrypting data. Referring to FIG. 1, the apparatus includes:
a first receiving module 101, configured to receive a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of a user equipment UE;
When the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of an ordinary network to a second MME of a specific network, the first MME acquires the identifier of the UE and sends a handover trigger message carrying the identifier of the UE to the first receiving module 101. The eNB receives the handover trigger message sent by the first MME.
The identifier of the UE may be any identifier capable of identifying the UE; this embodiment of the present invention does not specifically limit it. For example, the identifier of the UE is the MME UE S1AP (Access Point) ID (Identity), that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that, before the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of the ordinary network to the second MME of the specific network, the UE initiates an attach procedure to the ordinary network and establishes a PDN (Public Data Network) connection with the S-GW (Serving Gateway) or P-GW (PDN Gateway) on the network side.
a second receiving module 102, configured to receive a handover request message sent by the second MME.
To redirect the UE from the first MME to the second MME, the second MME sends a handover request message to the second receiving module 102, and the second receiving module 102 receives the handover request message sent by the second MME.
Further, when the second receiving module 102 receives the handover request message sent by the second MME, it sends a handover confirmation message to the second MME. The handover confirmation message notifies the second MME that this handover can proceed.
a keeping module 103, configured to keep the key KeNB shared between the evolved NodeB eNB and the UE unchanged;
The keeping module 103 includes:
a determining unit, configured to determine, according to the handover trigger message or the handover request message, that the handover cause is a handover triggered by the core network;
Because the handover trigger message is sent by the first MME, the determining unit can determine from the handover trigger message sent by the first MME that the cause of this handover is a handover triggered by the core network; alternatively, the handover request message carries the handover cause, and the determining unit can determine from that handover cause that the handover is triggered by the core network.
A handover triggered by the core network only switches the MME to which the UE is attached; the cell and the base station in which the UE is located do not change.
a keeping unit, configured to keep the KeNB unchanged.
The keeping unit acquires the KeNB currently shared between the eNB and the UE and uses that KeNB as the key KeNB* after the MME switch.
an encryption module 104, configured to encrypt data communicated between the eNB and the UE according to the KeNB or KeNB*.
Specifically, the encryption module 104 calculates a first key and a second key from KeNB* and uses the first key and the second key to encrypt and integrity-protect data communicated between the eNB and the UE.
It should be noted that, if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Further, the apparatus further includes:
a determining module, configured to determine, according to the handover trigger message, that the handover cause is a handover triggered by the core network;
a first sending module, configured to send a handover required message carrying the handover cause to the first MME, so that the first MME sends a forward relocation request message carrying the handover cause to the second MME, so that the second MME sends the handover request message to the eNB.
Specifically, after the first receiving module 101 receives the handover trigger message sent by the first MME, the determining module determines from the handover trigger message that the handover cause is a handover triggered by the core network, and the first sending module sends a handover required message carrying the handover cause to the first MME; the first MME receives the handover required message sent by the first sending module and sends a forward relocation request message carrying the handover cause to the second MME; the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the second receiving module 102.
The handover cause carried in the forward relocation request message notifies the second MME that this handover is triggered by the core network. The forward relocation request message may further carry Kasme and a KSI (Key Set Identifier), which are used to derive the non-access stratum NAS keys.
Further, the handover request message may carry no {NCC, NH} pair information at all; it may also carry a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or, the handover request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
When the first MME receives the handover required message, it acquires the second NCC and the second NH; if the first MME calculates the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the first NCC and the first NH; if the first MME does not calculate the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
The forward relocation request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC, and the second NH is the current NH; or, the forward relocation request message carries the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH.
Further, after the MME to which the UE is attached is switched from the first MME to the second MME, the second MME sends a forward relocation response message to the first MME.
Further, when the handover request message carries no {NCC, NH} pair information, after the eNB switches the MME to which the UE is attached from the first MME to the second MME, the second MME obtains the first NCC by adding one to the second NCC, calculates the first NH from the second NH, and sends a path change message carrying the first {NCC, NH} pair to the eNB. The eNB receives the path change message sent by the second MME and acquires the first {NCC, NH} pair.
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, acquires the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME switch, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 2
An embodiment of the present invention provides an apparatus for encrypting data. Referring to FIG. 2, the apparatus includes:
a second sending module 201, configured to send a handover trigger message to an evolved NodeB eNB, where the handover trigger message carries an identifier of a user equipment UE, so that the eNB sends a handover required message according to the handover trigger message;
When the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of an ordinary network to a second MME of a specific network, the first MME acquires the identifier of the UE, and the second sending module 201 sends a handover trigger message carrying the identifier of the UE to the first receiving module 101. The eNB receives the handover trigger message sent by the first MME.
The identifier of the UE may be any identifier capable of identifying the UE; this embodiment of the present invention does not specifically limit it. For example, the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that, before the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of the ordinary network to the second MME of the specific network, the UE initiates an attach procedure to the ordinary network and establishes a PDN connection with the S-GW or P-GW on the network side.
a third receiving module 202, configured to receive the handover required message sent by the eNB;
The eNB sends the handover required message to the third receiving module 202 according to the handover trigger message, and the third receiving module 202 receives the handover required message sent by the eNB.
an acquiring module, configured to acquire a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH;
a third sending module 203, configured to send a forward relocation request message carrying a handover cause to a second mobility management entity MME, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts data communicated between the eNB and the UE according to the KeNB.
Further, the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
The third receiving module 202 receives the handover required message sent by the eNB, confirms from the handover cause in the handover required message that the handover is triggered by the core network, acquires the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second {NCC, NH} pair, that is, obtains the first NCC by adding one to the second NCC and calculates the first NH from the second NH. The second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the first {NCC, NH} pair is a fresh {NCC, NH} pair and includes the first NCC and the first NH.
The second NCC is the current NCC; the second NH is the current NH.
Further, the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause and the first {NCC, NH} pair, or the handover cause and the second {NCC, NH} pair. The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB.
The handover cause carried in the forward relocation request message notifies the second MME that this handover is triggered by the core network. The forward relocation request message may further carry Kasme and a KSI, which are used to derive the non-access stratum NAS keys.
The second MME receives the forward relocation request message sent by the first MME and determines from the handover cause in the forward relocation request message that the handover is triggered by the core network; in this case the handover request message that the second MME sends to the eNB carries no {NCC, NH} pair information. Alternatively, if the forward relocation request message carries the first {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in it that the handover is triggered by the core network, obtains the first {NCC, NH} pair from the forward relocation request message, and the handover request message that the second MME sends to the eNB carries the first {NCC, NH} pair. Alternatively, if the forward relocation request message carries the second {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in it that the handover is triggered by the core network, obtains the second {NCC, NH} pair from the forward relocation request message, and the handover request message that the second MME sends to the eNB carries the second {NCC, NH} pair.
The second MME may be any MME other than the first MME; this embodiment of the present invention does not specifically limit the second MME. For example, the second MME is a particular specific MME.
Further, the eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME; the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts data communicated between the eNB and the UE according to the KeNB.
Specifically, the eNB determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME switch; the eNB calculates a first key and a second key from KeNB* and uses the first key and the second key to encrypt and integrity-protect data communicated between the eNB and the UE. The handover confirmation message notifies the second MME that this handover can proceed.
It should be noted that, if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Further, the second MME sends a forward relocation response message to the first MME.
Further, when the handover request message carries no {NCC, NH} pair information, after the eNB switches the MME to which the UE is attached from the first MME to the second MME, the second MME obtains the first NCC by adding one to the second NCC, calculates the first NH from the second NH, and sends a path change message carrying the first {NCC, NH} pair to the eNB. The eNB receives the path change message sent by the second MME and acquires the first {NCC, NH} pair.
Further, the apparatus further includes:
a first carrying module, configured to set the next hop indication NHI of the forward relocation request message to a preset identifier and to carry the second NCC and the second NH; or,
a second carrying module, configured to set the next hop indication NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and to carry the second NCC and the second NH.
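The message flow of Embodiments 1 and 2, modelled as an added example that is not the patent's or 3GPP's code: the first MME derives or forwards the {NCC, NH} pair (optionally flagged through NHI / NHI_old), the second MME relays it in the handover request, and the eNB keeps KeNB for a core-network-triggered handover so that its ciphering and integrity keys still match the UE's, while the contrasting case shows the desynchronization that applying the pair would cause. The KDF is a simplified HMAC-SHA-256 stand-in, the messages are dicts, and the cause strings, NHI_PRESET and the sample keys are assumptions made here.

```python
# Added illustration of Embodiments 1 and 2 (not the patent's or 3GPP's code).
# kdf() is a simplified HMAC-SHA-256 stand-in for the 3GPP KDF, messages are
# dicts, and the cause strings and NHI_PRESET are values assumed here.
import hashlib
import hmac
from dataclasses import dataclass

CAUSE_CORE_NET = "core-network-triggered"  # assumed value of the handover cause
CAUSE_RADIO = "radio-triggered"            # assumed value for an ordinary handover
NHI_PRESET = 1                             # assumed "preset identifier" for NHI / NHI_old


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Simplified stand-in for the 3GPP KDF: HMAC-SHA-256 over the joined inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class MmeContext:
    """EPS security context the first MME holds for one UE."""
    kasme: bytes
    ncc: int    # the "second NCC": the current next hop chaining counter (3 bits)
    nh: bytes   # the "second NH": the current next hop value


def fresh_pair(ctx: MmeContext) -> tuple:
    """The 'first' {NCC, NH} pair: second NCC plus one, NH chained from the second NH."""
    return (ctx.ncc + 1) & 0x7, kdf(ctx.kasme, b"NH", ctx.nh)


def forward_relocation_request(ctx: MmeContext, compute_fresh: bool, old_flag: bool = False) -> dict:
    """First MME (Embodiment 2): build the Forward Relocation Request for the second MME."""
    msg = {"cause": CAUSE_CORE_NET, "kasme": ctx.kasme}
    if compute_fresh:
        msg["ncc"], msg["nh"] = fresh_pair(ctx)
    else:
        # Carry the current pair and mark it by setting NHI (or NHI_old) to the preset identifier.
        msg["ncc"], msg["nh"] = ctx.ncc, ctx.nh
        msg["NHI_old" if old_flag else "NHI"] = NHI_PRESET
    return msg


def handover_request(fwd: dict, forward_pair: bool = True) -> dict:
    """Second MME: relay the cause and, optionally, the pair the request carried."""
    msg = {"cause": fwd["cause"]}
    if forward_pair and "ncc" in fwd:
        msg["ncc"], msg["nh"] = fwd["ncc"], fwd["nh"]
    return msg


def as_keys(kenb: bytes) -> dict:
    """The 'first key' (ciphering) and 'second key' (integrity) derived from KeNB*."""
    return {"enc": kdf(kenb, b"UP-enc")[:16], "int": kdf(kenb, b"RRC-int")[:16]}


@dataclass
class Enb:
    """eNB side (Embodiment 1): KeNB shared with the UE and the NCC last applied."""
    kenb: bytes
    ncc: int
    core_net_pending: bool = False

    def on_handover_trigger(self, ue_id: str) -> dict:
        """A Handover Trigger from the first MME marks this handover as core-network triggered."""
        self.core_net_pending = True
        return {"ue_id": ue_id, "cause": CAUSE_CORE_NET}  # the Handover Required message

    def on_handover_request(self, req: dict) -> dict:
        """Choose KeNB* and derive the AS keys; returns the keys now in use."""
        if req.get("cause") == CAUSE_CORE_NET or self.core_net_pending:
            # The patent's rule: keep KeNB and ignore any {NCC, NH} pair in the request.
            kenb_star = self.kenb
        else:
            # Ordinary handover (simplified): KeNB* is taken from the delivered NH.
            kenb_star = kdf(req["nh"], b"KeNB*")
            self.ncc = req["ncc"]
        self.core_net_pending = False
        self.kenb = kenb_star
        return as_keys(kenb_star)


def relocate(keep_kenb: bool, compute_fresh: bool = True) -> dict:
    """One core-network-triggered MME relocation on constructed keys; reports key sync."""
    kasme, kenb = b"\x01" * 32, b"\x02" * 32                 # constructed sample keys
    ctx = MmeContext(kasme=kasme, ncc=2, nh=kdf(kasme, b"NH", kenb))
    enb = Enb(kenb=kenb, ncc=ctx.ncc)
    ue_keys = as_keys(kenb)  # the UE neither changes cell nor re-keys, so it keeps KeNB
    enb.on_handover_trigger("ue-1")
    fwd = forward_relocation_request(ctx, compute_fresh)
    req = handover_request(fwd)
    if not keep_kenb:        # the behaviour the patent avoids: treat it like a radio handover
        req["cause"] = CAUSE_RADIO
        enb.core_net_pending = False
    enb_keys = enb.on_handover_request(req)
    return {"in_sync": enb_keys == ue_keys, "fwd": fwd, "enb_ncc": enb.ncc}
```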
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 3
This embodiment of the present invention provides a method for encrypting data. Referring to FIG. 3, the method includes:
Step 301: Receive a handover trigger message sent by the first MME, the handover trigger message carrying an identifier of the UE;
Step 302: Receive a handover request message sent by the second MME;
Step 303: Keep the key KeNB shared between the eNB and the UE unchanged, and encrypt the data communicated between the eNB and the UE according to that KeNB.
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 4
This embodiment of the present invention provides a method for encrypting data. Referring to FIG. 4, the method includes:
Step 401: The first MME sends a handover trigger message to the eNB, the handover trigger message carrying an identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the ordinary network to the second MME of a specific network, the first MME obtains the identifier of the UE and sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE.
The identifier of the UE may be any identifier capable of identifying the UE; this embodiment of the present invention does not specifically limit the identifier of the UE. For example, the identifier of the UE may be the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that, before step 401, the UE initiates an attach procedure to the ordinary network and establishes a PDN connection with the S-GW or P-GW on the network side.
Step 402: The eNB receives the handover trigger message sent by the first MME and determines from the handover trigger message that the handover cause is a core-network-triggered handover;
Because the handover trigger message is sent by the first MME, the eNB can determine from the handover trigger message sent by the first MME that the cause of this handover is a core-network-triggered handover. A core-network-triggered handover only changes the MME to which the UE is attached; the cell and the base station serving the UE do not change.
Step 403: The eNB sends a handover required message to the first MME, the handover required message carrying the handover cause;
Step 404: The first MME receives the handover required message sent by the eNB and computes the first NCC and the first NH according to the handover required message;
Specifically, the first MME receives the handover required message sent by the eNB, confirms from the handover required message that the handover cause is a core-network-triggered handover, obtains the second {NCC, NH} pair, and computes the first {NCC, NH} pair from the second {NCC, NH} pair, that is, adds one to the second NCC to obtain the first NCC and computes the first NH from the second NH. The second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the first {NCC, NH} pair is a fresh {NCC, NH} pair and includes the first NCC and the first NH.
The second NCC is the current NCC; the second NH is the current NH.
Step 405: The first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the first {NCC, NH} pair;
The handover cause carried in the forward relocation request message is used to notify the second MME that this handover is a core-network-triggered handover.
Further, the forward relocation request message may also carry Kasme and a KSI (Key Set Identifier); the Kasme and the KSI are used to derive the non-access stratum (NAS) keys.
The second MME is any MME other than the first MME; this embodiment of the present invention does not specifically limit the second MME. For example, the second MME may be a specific MME.
Step 406: The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB;
Specifically, the second MME receives the forward relocation request message sent by the first MME and determines from the handover cause in the forward relocation request message that the handover is a core-network-triggered handover, in which case the handover request message that the second MME sends to the eNB carries no {NCC, NH} pair information; or, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in the forward relocation request message that the handover is a core-network-triggered handover, obtains the first {NCC, NH} pair from the forward relocation request message, and the handover request message that the second MME sends to the eNB carries the first {NCC, NH} pair.
Further, the handover request message may also carry the handover cause.
Step 407: The eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME;
The handover confirmation message is used to notify the second MME that this handover may proceed.
Step 408: The eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*;
Specifically, the eNB determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME change; the eNB computes the first key and the second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE. It should be noted that if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps KeNB unchanged.
Step 409: The second MME sends a forward relocation response message to the first MME.
Further, when the handover request message does not carry the first {NCC, NH} pair, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 5
This embodiment of the present invention provides a method for encrypting data. Referring to FIG. 5, the method includes:
Step 501: Send a handover trigger message to the eNB, the handover trigger message carrying an identifier of the UE, so that the eNB sends a handover required message to the first MME according to the handover trigger message;
Step 502: Receive the handover required message sent by the eNB and obtain the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH;
Step 503: Send a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB.
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 6
This embodiment of the present invention provides a method for encrypting data. Referring to FIG. 6, the method includes:
Step 601: The first MME sends a handover trigger message to the eNB, the handover trigger message carrying an identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the ordinary network to the second MME of a specific network, the first MME obtains the identifier of the UE and sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE.
The identifier of the UE may be any identifier capable of identifying the UE; this embodiment of the present invention does not specifically limit the identifier of the UE. For example, the identifier of the UE may be the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that, before step 601, the UE initiates an attach procedure to the ordinary network and establishes a PDN connection with the S-GW or P-GW on the network side.
Step 602: The eNB receives the handover trigger message sent by the first MME and determines from the handover trigger message that the handover cause is a core-network-triggered handover;
Because the handover trigger message is sent by the first MME, the eNB can determine from the handover trigger message sent by the first MME that the cause of this handover is a core-network-triggered handover. A core-network-triggered handover only changes the MME to which the UE is attached; the cell and the base station serving the UE do not change.
Step 603: The eNB sends a handover required message to the first MME, the handover required message carrying the handover cause;
The handover cause is used to indicate that the MME to which the UE is attached is to be changed. The handover cause may be any indication message and is not specifically limited in this embodiment of the present invention; for example, the handover cause may be the handover cause "core-network-triggered handover".
Step 604: The first MME receives the handover required message sent by the eNB and, according to the handover required message, sends a forward relocation request message to the second MME;
Specifically, the first MME receives the handover required message sent by the eNB, determines from the handover cause in the handover required message that the handover is a core-network-triggered handover, and sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the second {NCC, NH} pair;
The second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the second NCC is the current NCC and the second NH is the current NH.
The handover cause carried in the forward relocation request message is used to notify the second MME that this handover is a core-network-triggered handover.
Further, the forward relocation request message may also carry Kasme and a KSI; the Kasme and the KSI are used to derive the non-access stratum (NAS) keys.
The second MME is any MME other than the first MME; this embodiment of the present invention does not specifically limit the second MME. For example, the second MME may be a specific MME.
Step 605: The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB;
Specifically, the second MME receives the forward relocation request message sent by the first MME and determines from the handover cause in the forward relocation request message that the handover is a core-network-triggered handover, in which case the handover request message that the second MME sends to the eNB carries no {NCC, NH} pair information; or, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in the forward relocation request message that the handover is a core-network-triggered handover, obtains the second {NCC, NH} pair from the forward relocation request message, and the handover request message that the second MME sends to the eNB carries the second {NCC, NH} pair.
Further, the handover request message may also carry the handover cause.
Here, the NHI (Next Hop Indicator) of the forward relocation request message is set to a preset identifier and the message carries the second NCC and the second NH; or, the NHI_old (Next Hop Indicator for old EPS (Evolved Packet System) Security Context) of the forward relocation request message is set to a preset identifier and the message carries the second NCC and the second NH.
The preset identifier may be any identifier capable of marking the NHI or the NHI_old; this embodiment of the present invention does not specifically limit the preset identifier. For example, the preset identifier is 1.
Step 606: The eNB receives the handover request message sent by the second MME and sends a handover confirmation message to the second MME;
The handover confirmation message is used to notify the second MME that this handover may proceed.
Step 607: The eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*;
Specifically, the eNB determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME change; the eNB computes the first key and the second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
It should be noted that if the handover request message carries the second {NCC, NH} pair, the eNB ignores the second {NCC, NH} pair and keeps KeNB unchanged.
Step 608: The second MME sends a forward relocation response message to the first MME.
Further, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME computes the first {NCC, NH} pair from the second {NCC, NH} pair and sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
The second MME adds one to the second NCC to obtain the first NCC and computes the first NH from the second NH; the second {NCC, NH} pair is the current {NCC, NH} pair and includes the second NCC and the second NH; the first {NCC, NH} pair is a fresh {NCC, NH} pair and includes the first NCC and the first NH.
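The message flow of Embodiments 4 and 6 (handover trigger, handover required, forward relocation request, handover request, handover confirmation, and the later path change message) can be simulated end to end to check the property both embodiments aim at: after the MME change the eNB derives its encryption and integrity keys from an unchanged KeNB, so they still match the UE, whether or not the handover request carries an {NCC, NH} pair, and whether the first MME forwards the fresh pair (Embodiment 4) or the current pair (Embodiment 6). The code below is an added example and is not part of the patent or of any 3GPP implementation. Its assumptions: the `kdf` function is a stand-in HMAC-SHA-256 construction and the `FC_*` labels are illustrative, not the TS 33.401 definitions; the message dictionaries, `ENB` class, `run_mme_change` and `keys_if_enb_applied_fresh_nh` are hypothetical names; the UE is modelled as keeping its current KeNB because its cell does not change; the sample KASME, KeNB and NH values in the usage are constructed.

```python
"""Simulation of a core-network-triggered MME change in which the eNB keeps KeNB."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FC_NH = 0x12          # illustrative label (assumption): NH chaining
FC_KENB_STAR = 0x13   # illustrative label (assumption): KeNB* from NH at a normal handover
FC_ALG = 0x15         # illustrative label (assumption): AS keys from KeNB*
CN_TRIGGERED = "core-network-triggered handover"

Pair = Tuple[int, bytes]   # an {NCC, NH} pair


def kdf(key: bytes, label: int, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-256 over a label byte and length-prefixed params."""
    msg = bytes([label]) + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def next_pair(kasme: bytes, pair: Pair) -> Pair:
    """Fresh {NCC, NH}: add one to NCC and chain a new NH from the previous NH."""
    ncc, nh = pair
    return ncc + 1, kdf(kasme, FC_NH, nh)


def as_keys(kenb_star: bytes) -> Tuple[bytes, bytes]:
    """First key (encryption) and second key (integrity), both derived from KeNB*."""
    return kdf(kenb_star, FC_ALG, b"enc")[:16], kdf(kenb_star, FC_ALG, b"int")[:16]


@dataclass
class ENB:
    kenb: bytes                                  # KeNB currently shared with the UE
    pending_cause: Optional[str] = None
    stored_pair: Optional[Pair] = None           # fresh pair received in a path change message
    log: List[str] = field(default_factory=list)

    def on_handover_trigger(self, ue_id: int) -> dict:
        # Steps 402/403: a trigger from the serving MME means a core-network handover,
        # so the eNB answers with HANDOVER REQUIRED carrying that cause.
        self.pending_cause = CN_TRIGGERED
        self.log.append("HANDOVER REQUIRED")
        return {"ue_id": ue_id, "cause": CN_TRIGGERED}

    def on_handover_request(self, req: dict) -> Tuple[bytes, bytes]:
        # Steps 407/408: the cause is known from the trigger (or from the request itself);
        # KeNB* = KeNB, and any {NCC, NH} pair in the request is ignored.
        cause = req.get("cause") or self.pending_cause
        if cause != CN_TRIGGERED:
            raise ValueError("not a core-network-triggered handover; normal key change expected")
        if req.get("pair") is not None:
            self.log.append("ignored {NCC, NH} in HANDOVER REQUEST")
        self.log.append("HANDOVER CONFIRM")
        kenb_star = self.kenb
        return as_keys(kenb_star)

    def on_path_change(self, pair: Pair) -> None:
        # The fresh pair is kept for a later handover; the live KeNB is untouched.
        self.stored_pair = pair
        self.log.append("PATH CHANGE")


def run_mme_change(kasme: bytes, kenb: bytes, current_pair: Pair,
                   carry_pair_in_request: bool, fresh_pair_in_relocation: bool = True):
    """One end-to-end run. Returns (eNB AS keys, UE AS keys, pair stored at eNB, eNB log)."""
    ue_keys = as_keys(kenb)                  # UE keeps KeNB: its cell does not change
    enb = ENB(kenb=kenb)
    required = enb.on_handover_trigger(ue_id=0x1234)                 # steps 401 -> 403
    # Step 404/405 (Embodiment 4: fresh pair) or 604 (Embodiment 6: current pair)
    reloc_pair = next_pair(kasme, current_pair) if fresh_pair_in_relocation else current_pair
    fwd_reloc = {"cause": required["cause"], "pair": reloc_pair}
    handover_req = {"cause": fwd_reloc["cause"],                      # step 406/605
                    "pair": fwd_reloc["pair"] if carry_pair_in_request else None}
    enb_keys = enb.on_handover_request(handover_req)                 # steps 407/408
    # After step 409/608: the second MME sends the fresh pair in a path change message
    if handover_req["pair"] is None or not fresh_pair_in_relocation:
        enb.on_path_change(next_pair(kasme, current_pair))
    return enb_keys, ue_keys, enb.stored_pair, enb.log


def keys_if_enb_applied_fresh_nh(kasme: bytes, current_pair: Pair, cell: bytes) -> Tuple[bytes, bytes]:
    """Contrast: keys the eNB would hold if it treated the request like a normal handover
    and derived KeNB* from the fresh NH (assumed derivation) while the UE did not."""
    _, nh = next_pair(kasme, current_pair)
    return as_keys(kdf(nh, FC_KENB_STAR, cell))
```

Running `run_mme_change` with `carry_pair_in_request` set either way returns equal eNB and UE key pairs, while `keys_if_enb_applied_fresh_nh` returns keys that differ from the UE's, which is the desynchronization the eNB's "ignore the pair, keep KeNB" rule avoids. The `log` list records which messages the simulated eNB emitted, so a reader can confirm that the pair carried in the handover request was ignored and that the fresh pair only arrives afterwards in the path change message.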
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 7
This embodiment of the present invention provides an apparatus for encrypting data. Referring to FIG. 7, the apparatus includes a first memory 701 and a first processor 702, configured to perform the following method for encrypting data:
receiving a handover trigger message sent by a first mobility management entity MME, the handover trigger message carrying an identifier of a user equipment UE;
receiving a handover request message sent by a second MME;
keeping the key KeNB shared between the evolved base station eNB and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to that KeNB.
Further, after receiving the handover trigger message sent by the first mobility management entity MME, the method further includes:
determining from the handover trigger message that the handover cause is a core-network-triggered handover; sending a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
Further, the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is computed by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
the handover request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
Further, the forward relocation request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is computed by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
the forward relocation request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
Further, keeping the key KeNB shared between the evolved base station eNB and the UE unchanged includes:
determining from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, and keeping that KeNB unchanged.
In this embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the key KeNB* updated after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to that KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 8
本发明实施例提供了一种加密数据的装置。参见图 8,其中,该装置包括: 第二存储器 801和第二处理器 802, 用于执行以下加密数据的方法:  Embodiments of the present invention provide an apparatus for encrypting data. Referring to Figure 8, the apparatus includes: a second memory 801 and a second processor 802 for performing the following method of encrypting data:
发送切换触发消息给演进型基站 eNB , 该切换触发消息携带用户设备 UE 的标识, 使 eNB 根据该切换触发消息发送切换需要消息给第一移动性管理实 体 MME; Sending a handover trigger message to the evolved base station eNB, where the handover trigger message carries the user equipment UE The identifier, the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message;
receiving the handover required message sent by the eNB, and obtaining a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH;
sending a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
Further, the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
Further, the forward relocation request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
Further, before sending the forward relocation request message to the second mobility management entity MME, the method further includes:
setting the next hop indicator NHI of the forward relocation request message to a preset identifier and carrying the second NCC and the second NH; or,
setting the next hop indicator NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and carrying the second NCC and the second NH.
In the embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side and on the UE side stay synchronized.

A person of ordinary skill in the art can understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc or the like.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
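The following Python model is an added illustration, not code from the patent: the first MME either forwards the current (second NCC, second NH) or advances the chain to (first NCC, first NH), and the eNB keeps KeNB when the handover cause is core-network-triggered, while a naive eNB that always derives KeNB* from the received NH falls out of sync with the UE. The KDF layout, FC codes, sample keys, PCI and EARFCN values are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the EPS key chain used at handover, in the style of the
# TS 33.401 Annex A KDF (HMAC-SHA-256 over an FC byte followed by
# length-prefixed parameters). The FC codes, parameter encoding and sample
# keys below are assumptions for illustration, not a bit-exact implementation.
FC_NH = 0x12          # assumed FC code for NH derivation
FC_KENB_STAR = 0x13   # assumed FC code for KeNB* derivation

CN_TRIGGERED = "core-network-triggered"  # handover cause named in the patent
RADIO_TRIGGERED = "radio-triggered"      # constructed contrasting cause

# Constructed sample keys (not real key material).
K_ASME = hashlib.sha256(b"constructed K_ASME").digest()
KENB = hashlib.sha256(b"constructed KeNB").digest()


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Simplified KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def next_hop(k_asme: bytes, nh_prev: bytes) -> bytes:
    """NH chaining: NH_n = KDF(K_ASME, NH_{n-1}); the chain starts from the initial KeNB."""
    return kdf(k_asme, FC_NH, nh_prev)


def kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Target-cell key for a real cell change: KeNB* = KDF(NH, PCI, EARFCN-DL)."""
    return kdf(base, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


@dataclass(frozen=True)
class HandoverRequest:
    """What the second MME relays to the eNB: the handover cause plus (NCC, NH)."""
    cause: str
    ncc: int
    nh: bytes


def first_mme_relocate(cause: str, ncc_cur: int, nh_cur: bytes, advance: bool) -> HandoverRequest:
    """First MME builds the Forward Relocation Request: either (first NCC, first NH) =
    (second NCC + 1, NH chained from second NH) or the unchanged (second NCC, second NH)."""
    if advance:
        return HandoverRequest(cause, ncc_cur + 1, next_hop(K_ASME, nh_cur))
    return HandoverRequest(cause, ncc_cur, nh_cur)


def enb_key_per_patent(kenb: bytes, req: HandoverRequest, pci: int, earfcn_dl: int) -> bytes:
    """Rule from the patent: a core-network-triggered handover changes the MME, not the
    cell, so the eNB keeps KeNB (KeNB* := KeNB) whatever NCC/NH it received."""
    if req.cause == CN_TRIGGERED:
        return kenb
    return kenb_star(req.nh, pci, earfcn_dl)


def enb_key_naive(kenb: bytes, req: HandoverRequest, pci: int, earfcn_dl: int) -> bytes:
    """Behaviour the patent guards against: every Handover Request is treated as a
    cell change and a fresh KeNB* is derived from the received NH."""
    return kenb_star(req.nh, pci, earfcn_dl)


def ue_key(kenb: bytes) -> bytes:
    """The UE is not moved to a new cell, so it keeps its current KeNB."""
    return kenb


def keys_in_sync(enb_rule, advance_chain: bool) -> bool:
    """Run one MME relocation (cause = core-network-triggered, current NCC = 2) and
    report whether the eNB and the UE end with the same KeNB under the given eNB rule."""
    ncc, nh = 2, next_hop(K_ASME, next_hop(K_ASME, KENB))
    req = first_mme_relocate(CN_TRIGGERED, ncc, nh, advance_chain)
    return enb_rule(KENB, req, pci=0x01A3, earfcn_dl=1800) == ue_key(KENB)


if __name__ == "__main__":
    for adv in (False, True):
        print("advance chain:", adv, "patent rule in sync:", keys_in_sync(enb_key_per_patent, adv),
              "naive in sync:", keys_in_sync(enb_key_naive, adv))
```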

Claims

1. An apparatus for encrypting data, characterized in that the apparatus comprises:
a first receiving module, configured to receive a handover trigger message sent by a first mobility management entity MME, where the handover trigger message carries an identifier of a user equipment UE;
a second receiving module, configured to receive a handover request message sent by a second MME;
a keeping module, configured to keep the key KeNB shared between the evolved NodeB eNB and the UE unchanged;
an encryption module, configured to encrypt data communicated between the eNB and the UE according to the KeNB.
2. The apparatus according to claim 1, characterized in that the apparatus further comprises:
a determining module, configured to determine according to the handover trigger message that the handover cause is a handover triggered by the core network;
a first sending module, configured to send a handover required message to the first MME, where the handover required message carries the handover cause, so that the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause, so that the second MME sends the handover request message to the eNB.
3. The apparatus according to claim 1, characterized in that the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or, the handover request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
4. The apparatus according to claim 2, characterized in that the forward relocation request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or, the forward relocation request carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
5. The apparatus according to claim 1, characterized in that the keeping module comprises:
a determining unit, configured to determine according to the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network;
a keeping unit, configured to keep the KeNB unchanged.
6. An apparatus for encrypting data, characterized in that the apparatus comprises:
a second sending module, configured to send a handover trigger message to an evolved NodeB eNB, where the handover trigger message carries an identifier of a user equipment UE, so that the eNB sends a handover required message to a first mobility management entity MME according to the handover trigger message;
a third receiving module, configured to receive the handover required message sent by the eNB;
an obtaining module, configured to obtain a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH;
a third sending module, configured to send a forward relocation request message to a second mobility management entity MME, where the forward relocation request message carries a handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts data communicated between the eNB and the UE according to the KeNB.
7. The apparatus according to claim 6, characterized in that the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or, the handover request message carries the second NCC and the second NH.
8. The apparatus according to claim 6, characterized in that the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
9. The apparatus according to claim 6, characterized in that the apparatus further comprises: a first carrying module, configured to set the next hop indicator NHI of the forward relocation request message to a preset identifier and carry the second NCC and the second NH; or,
a second carrying module, configured to set the next hop indicator NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and carry the second NCC and the second NH.
10. A method for encrypting data, characterized in that the method comprises:
receiving a handover trigger message sent by a first mobility management entity MME, where the handover trigger message carries an identifier of a user equipment UE;
receiving a handover request message sent by a second MME;
keeping the key KeNB shared between the evolved NodeB eNB and the UE unchanged, and encrypting data communicated between the eNB and the UE according to the KeNB.
11. The method according to claim 10, wherein after receiving the handover trigger message sent by the first mobility management entity MME, the method further comprises:
determining according to the handover trigger message that the handover cause is a handover triggered by the core network;
sending a handover required message to the first MME, where the handover required message carries the handover cause, so that the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover cause, so that the second MME sends the handover request message to the eNB.
12. The method according to claim 10, characterized in that the handover request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the handover request message carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
13. The method according to claim 11, characterized in that the forward relocation request message carries a first next hop chaining counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the forward relocation request carries a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
14. The method according to claim 10, characterized in that keeping the key KeNB shared between the evolved NodeB eNB and the UE unchanged comprises:
determining according to the handover trigger message or the handover request message that the handover cause is a handover triggered by the core network, and keeping the KeNB unchanged.
15. A method for encrypting data, characterized in that the method comprises:
sending a handover trigger message to an evolved NodeB eNB, where the handover trigger message carries an identifier of a user equipment UE, so that the eNB sends a handover required message to a first mobility management entity MME according to the handover trigger message;
receiving the handover required message sent by the eNB, and obtaining a second next hop chaining counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH;
sending a forward relocation request message to a second MME, where the forward relocation request message carries a handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts data communicated between the eNB and the UE according to the KeNB.
16. The method according to claim 15, characterized in that the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
17. The method according to claim 15, characterized in that the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
18. The method according to claim 15, characterized in that before sending the forward relocation request message to the second mobility management entity MME, the method further comprises:
setting the next hop indicator NHI of the forward relocation request message to a preset identifier and carrying the second NCC and the second NH; or,
setting the next hop indicator NHI_old of the old evolved packet system EPS security context of the forward relocation request message to the preset identifier and carrying the second NCC and the second NH.
19. An apparatus for encrypting data, characterized in that the apparatus comprises a first memory and a first processor, configured to perform the method for encrypting data according to any one of claims 11 to 14.
20. An apparatus for encrypting data, characterized in that the apparatus comprises a second memory and a second processor, configured to perform the method for encrypting data according to any one of claims 15 to 18.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/071651 WO2015113197A1 (en) 2014-01-28 2014-01-28 Apparatus and method for encrypting data
CN201480000843.XA CN105103577B (en) 2014-01-28 2014-01-28 A kind of device and method of encryption data

Publications (1)

Publication Number Publication Date
WO2015113197A1 true WO2015113197A1 (en) 2015-08-06

Family ID=53756094

Country Status (2)

Country Link
CN (1) CN105103577B (en)
WO (1) WO2015113197A1 (en)

Also Published As

Publication number Publication date
CN105103577A (en) 2015-11-25
CN105103577B (en) 2019-05-24

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 201480000843.X; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 14880624; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 14880624; Country of ref document: EP; Kind code of ref document: A1