WO2015135292A1 - Key update method, sub base station, terminal, communication system and storage medium - Google Patents

Key update method, sub base station, terminal, communication system and storage medium

Info

Publication number
WO2015135292A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
slave base
key
isc
station key
Prior art date
Application number
PCT/CN2014/084808
Other languages
French (fr)
Chinese (zh)
Inventor
李阳
林兆骥
游世林
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2015135292A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • the present invention relates to information security technologies in the field of communications, and in particular, to a key update method, a slave base station, a terminal, a communication system, and a storage medium.

Background technique

  • LTE Long Term Evolution
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • EPC Evolved Packet Core
  • the EUTRAN is connected to the EPC through the S1 interface.
  • the EUTRAN is composed of a plurality of Evolved NodeBs (eNBs) connected to each other, and each eNB is connected through an X2 interface.
  • eNBs Evolved NodeBs
  • the EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW).
  • MME Mobility Management Entity
  • S-GW Serving Gateway
  • HE Home Environment
  • HSS Home Subscriber Server
  • HL Home Location Register
  • LTE-Advanced Long-Term Evolution Advanced
  • LTE-Advanced is the evolution of Long-Term Evolution (LTE) systems and retains LTE.
  • LTE Long-Term Evolution
  • SC Small Cell
  • a user equipment (UE) is linked to two cells: a primary cell (Macro Cell) and a secondary cell (Small Cell). The base station of the primary cell is called the master base station (Macro eNodeB, MeNB), and the base station of the secondary cell is called the slave base station (small eNodeB or secondary eNodeB, SeNB). The signaling plane is completed between the UE and the master base station, while the user plane is completed jointly by the master base station and the slave base station, i.e., the UE has a user plane connection with the master base station and a user plane connection with the slave base station. This is referred to as dual connectivity.
  • the main technology of dual connectivity is the allocation of the user plane protocol stack functions between the primary base station and the secondary base station.
  • the main scheme is the one shown in Figure 2.
  • the user plane and control plane of the primary base station remain unchanged, and the user plane protocol stack of the secondary base station includes all layers from the PDCP layer to the PHY layer.
  • the slave base station is directly connected to the S-GW, and the S1-U interface is identical to the previous one.
  • for the DRB transferred to the secondary base station on the air interface, the UE connects directly with the secondary base station to carry the transferred DRB.
  • the key used by the air interface security between the UE and the MeNB is generated by the AKA process between the UE and the CN, that is, the KeNB.
  • the SeNB is selected by the MeNB, and the process does not interact with the CN. Therefore, the key used by the air interface security between the UE and the SeNB (S-KeNB for short) cannot be generated by the CN.
  • when the MeNB first transfers a DRB to the SeNB, the key used by the SeNB is derived by the MeNB, generated based on the M-KeNB and the MeNB internal counter SCC, and then transmitted by the MeNB to the SeNB.
  • when the MeNB transfers the DRB of the UE to other SeNBs, the key is still generated by the MeNB based on the M-KeNB and the SCC, and then sent to the new SeNB. Each time the MeNB derives an S-KeNB, the SCC increases by one. When the MeNB transfers DRBs to the same SeNB multiple times, how to update the S-KeNB is a problem to be solved.

Summary of the invention

  • embodiments of the present invention are directed to providing a slave base station key update method, a base station, a terminal, a communication system, and a computer storage medium, simplifying the slave base station key update method and improving information security between the base station and the terminal.
  • a first aspect of the embodiments of the present invention provides a slave base station key update method, where the method includes: deriving a new slave base station key according to a current base station key and an ISC;
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the method further includes:
  • the DRB command message includes the
  • the ISC is sent by the primary base station to the terminal by using an RRC reconfiguration request message, where the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the method further includes:
  • the step of the slave base station deriving a new slave base station key according to the current slave base station key and the ISC is entered.
  • the method further includes: determining whether to trigger the update of the slave base station key according to the key derivation decision;
  • the step of the slave base station deriving a new slave base station key according to the current slave base station key and the ISC is entered.
  • the determining, according to the key derivation decision, whether to trigger the update of the slave base station key includes:
  • the updated slave base station key is triggered.
  • the slave base station derives a new slave base station key according to the current base station key and the ISC:
  • the new slave base station key is derived based on the base station key, the ISC, and the derived parameters.
  • the derivation parameter includes a cell physical identifier and/or a cell carrier frequency
  • the cell is a cell formed by the coverage of the secondary base station.
  • the method includes:
  • a second aspect of the embodiments of the present invention provides a slave base key update method, where the method includes:
  • the RRC reconfiguration request message includes an ISC
  • the ISC is a count value for deriving a slave base station key.
  • a third aspect of the embodiments of the present invention provides a slave base station key update method, where the method includes: deriving, from a base station, a new slave base station key according to a current base station key and an ISC;
  • the DRB command message includes the ISC
  • the primary base station receives the add modified DRB command message
  • the primary base station sends an RRC reconfiguration request message to the terminal;
  • the RRC reconfiguration message includes the ISC;
  • the terminal establishes a connection with the secondary base station according to the RRC reconfiguration message and the new secondary base station key.
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the method further includes:
  • the primary base station sends an add modified DRB request message
  • the slave base station performs the step of deriving the new slave base station key according to the current slave base station key and the ISC.
  • the method further includes
  • the slave base station performs the step of deriving a new slave base station key according to the current slave base station key and the ISC.
  • the determining, by the slave base station according to the key derivation decision, whether to trigger the update of the slave base station key comprises:
  • the updated base station key is triggered by the base station itself;
  • the updated slave base station key is triggered by the base station itself.
  • after the slave base station sends the add modified DRB command message to the primary base station, the method further includes:
  • the slave base station updates the ISC.
  • a fourth aspect of the embodiments of the present invention provides a secondary base station, where the secondary base station includes:
  • a first derivation unit configured to derive a new slave base station key according to the current base station key and the ISC;
  • the ISC is the count value of a counter that the slave base station uses to derive its key.
  • the slave base station further includes a first receiving unit
  • the first sending unit is configured to send an add modified DRB command message to the primary base station after a new slave base station key has been derived according to the current slave base station key and the ISC; the DRB command message includes the ISC;
  • the ISC is sent by the primary base station to the terminal by using an RRC reconfiguration request message, where the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key.
  • the slave base station further includes a first receiving unit and a determining unit, where the first receiving unit is configured to receive an add modified DRB request message sent by the primary base station before the slave base station derives a new slave base station key according to the current slave base station key and the ISC; the determining unit is configured to determine whether the add modified DRB request message carries a slave base station key;
  • the first derivation unit is configured to derive a new slave base station key according to the current slave base station key and the ISC when the add modified DRB request message does not carry a slave base station key.
  • the slave base station further includes a trigger unit
  • the triggering unit is configured to determine, according to the key derivation decision, whether to trigger the update of the slave base station key before the slave base station derives the new slave base station key according to the current slave base station key and the ISC; the first derivation unit is further configured to derive a new slave base station key according to the current slave base station key and the ISC after the trigger unit triggers the update of the slave base station key.
  • the triggering unit is configured to determine whether the current slave base station key is invalid, and to trigger the update of the slave base station key when it is invalid; or to determine whether the slave base station keys of the slave base station and the terminal are synchronized, and to trigger the update of the slave base station key when they are not synchronized.
  • the first derivation unit is configured to derive a new slave base station key according to the base station key, the ISC, and the derivation parameter.
  • the derivation parameter includes a cell physical identifier and/or a cell carrier frequency
  • the cell is a cell formed by the coverage of the secondary base station.
  • the slave base station further includes a counter
  • the counter is configured to update the ISC after the new slave base station key is derived from the base station key and the ISC.
  • a fifth aspect of the embodiment of the present invention provides a terminal, where the terminal includes:
  • a second receiving unit configured to receive an RRC reconfiguration request message sent by the primary base station, and a second deriving unit configured to derive a new secondary base station key according to the ISC and the current secondary base station key;
  • a connecting unit configured to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the ISC is the count value of a counter used to derive the slave base station key.
  • a sixth aspect of the embodiments of the present invention provides a communication system, where the communication system includes: a slave base station configured to: derive a new slave base station key according to a current base station key and an ISC; and send an add modify DRB command message to the primary base station;
  • the DRB command message includes the ISC;
  • the primary base station is configured to receive the add modified DRB command message, extract the ISC, and send the ISC to the terminal by using an RRC reconfiguration request message;
  • a terminal configured to receive the RRC reconfiguration request message, derive a new slave base station key according to the ISC and the current slave base station key, and establish a connection with the slave base station according to the RRC reconfiguration request message and the new secondary base station key;
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the primary base station is further configured to send an add modified DRB request message before the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC;
  • the slave base station is further configured to receive the add modified DRB request message; determine whether the add modified DRB request message carries a slave base station key; and the add modify DRB request message does not carry the slave base station key,
  • the new slave base station key is derived from the current base station key and ISC.
  • the slave base station is further configured to determine, according to the key derivation decision, whether to trigger the update of the slave base station key before the slave base station derives the new slave base station key according to the current slave base station key and the ISC; and, when the update of the slave base station key is triggered, to perform the step of deriving a new slave base station key according to the current slave base station key and the ISC.
  • the slave base station is configured to determine whether the current slave base station key is invalid, or whether the slave base station keys of the slave base station and the terminal are synchronized; and to trigger the update of the slave base station key when the key is invalid, or to trigger the update of the slave base station key when the keys are not synchronized. Based on the foregoing solution, the slave base station is further configured to update the ISC after the slave base station sends the add modified DRB command message to the master base station.
  • a sixth aspect of the embodiments of the present invention provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute at least one of the methods of the first to third aspects of the embodiments of the present invention.
  • the slave base station key update method, the base station, the terminal, and the communication system solve the problem of the master base station transferring the associated DRB to the same slave base station multiple times by having the slave base station derive the slave base station key by itself.
  • the method of key update avoids the security risk caused by the transmission of the base station key between the base stations, thereby improving communication security.
  • FIG. 1 is a schematic flowchart of a method for updating a slave base station according to a first embodiment of the present invention
  • FIG. 2 is a second schematic flowchart of a method for updating a slave base station according to Embodiment 1 of the present invention
  • FIG. 4 is a schematic diagram of a method for deriving a base station key according to Embodiment 3 of the present invention
  • FIG. 6 is a schematic flowchart of a method for updating a base station key according to Embodiment 3 of the present invention
  • FIG. 7 is a schematic diagram of a base station key update according to Embodiment 3 of the present invention
  • FIG. 8 is a schematic structural diagram of a slave base station according to Embodiment 4 of the present invention
  • FIG. 9 is a second schematic structural diagram of a slave base station according to Embodiment 4 of the present invention.
  • FIG. 10 is a schematic structural diagram of a terminal according to Embodiment 5 of the present invention.
  • FIG. 11 is a schematic structural diagram of a communication system according to Embodiment 6 of the present invention.
  • FIG. 12 is a second schematic structural diagram of a communication system according to Embodiment 6 of the present invention.

Detailed description

Embodiment 1
  • the embodiment provides a slave base key update method, where the method includes:
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the slave base station derives a new slave base station key according to the slave base station key and the ISC currently stored in the slave base station.
  • the new slave base station key is different from the current slave base station key before derivation, and the slave base station key does not need to be sent by the primary base station to the secondary base station. Firstly, a brand new slave base station key acquisition method is provided; secondly, the slave base station key is derived by the slave base station itself, thereby avoiding the security problem caused by the transmission of the slave base station key and improving information security.
  • the specific key derivation method can be deduced by referring to the prior art.
  • the method specifically includes: Step S110: deriving a new slave base station key according to the current slave base station key and the ISC; Step S120: sending an add modified DRB command message to the primary base station; the DRB command message includes the ISC;
  • the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new secondary base station key.
  • the updated new slave base station key will be used in the communication between the slave base station and the terminal, and at this time no connection has yet been established between the slave base station and the terminal, so the ISC needs to be forwarded by the primary base station to the terminal.
  • the slave base station key cannot be transmitted between the base station and the terminal, but the slave base station key held by the terminal needs to be synchronized with the slave base station key in the slave base station, so the ISC used to derive
  • the slave base station key is sent to the terminal, and the terminal derives the slave base station key itself according to the ISC.
  • the method by which the terminal derives the slave base station key is consistent with the method by which the slave base station derives the slave base station key.
  • the primary base station is usually a macro base station; the secondary base station is usually a small base station or a home base station, and may also be a normal macro base station.
  • the terminal is usually a dual connectivity terminal or a multiple connectivity terminal.
  • the method may further include the following steps:
  • Step S101 Receive an add modified DRB request message sent by the primary base station.
  • Step S102 Determine whether the added modified DRB request message carries a secondary base station key.
  • if it does not, step S110 is performed, or steps S110 and S120 are performed.
  • the specific application scenario includes the scenario where the primary base station transfers the associated DRB to the same secondary base station multiple times, and the current transfer DRB is not the first time to transfer the DRB.
  • the DRB is an abbreviation of Data Radio Bearer, i.e., the user plane radio bearer carrying data.
  • the slave base station may also perform a slave base station key update spontaneously; in that case, before the slave base station derives a new slave base station key according to the current slave base station key and the ISC, the method described in this embodiment also includes:
  • the step of the slave base station deriving a new slave base station key according to the current slave base station key and the ISC is entered.
  • the determining, according to the key derivation decision, whether to trigger the update of the slave base station key comprises: determining whether the current slave base station key is invalid, or determining whether the slave base station keys of the slave base station and the terminal are synchronized; if the key is invalid, triggering the update of the slave base station key, or if the keys are not synchronized, triggering the update of the slave base station key.
  • this ensures that the slave base station key used by the slave base station and the terminal is correct, and the slave base station key update can be triggered by the slave base station itself so that communication and data decryption proceed smoothly.
  • the above improvement makes the method described in this embodiment further provide a step in which the slave base station spontaneously updates the slave base station key, and further improves the slave base station key update method.
  • step S110 includes: deriving a new slave base station key according to the base station key, the ISC, and the derivation parameter; wherein the derivation parameter includes a cell physical identifier and/or a cell carrier frequency;
  • the cell is a cell formed by the coverage of the secondary base station.
  • in order to facilitate the next slave base station key update, after the slave base station sends the ISC to the master base station in the add modified DRB command message, the slave base station also needs to update the ISC, incrementing it by 1; and usually the value of the ISC starts from zero.
  • the present embodiment provides a slave base station key update method in which the slave base station derives the slave base station key itself, thereby avoiding key transmission, and at the same time solves the problems in the prior art of an erroneous slave base station key, of the slave base station key not being synchronized between the base station and the terminal, and of the primary base station transferring the DRB to the same secondary base station multiple times.
  • a terminal side slave base station key update method includes: Step S210: receive an RRC reconfiguration request message sent by a primary base station, where the RRC reconfiguration request message includes an ISC.
  • Step S220 Deriving a new slave base station key according to the ISC and the base station key.
  • Step S230 Establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the RRC reconfiguration request message includes configuration parameters for establishing a connection.
  • the terminal establishes a connection with the slave base station according to the configuration parameters and the new slave base station key. The terminal described in this embodiment is based on
  • the method of obtaining the slave base station key being changed from transmission between the base stations to local derivation, and the method is similarly advantageous for solving the problems in the prior art of an erroneous slave base station key, of the slave base station key not being synchronized between the base station and the terminal, and of the primary base station transferring the DRB to the same secondary base station multiple times.

Embodiment 3
  • the embodiment provides a slave base key update method, where the method includes:
  • the DRB command message includes the ISC
  • the primary base station receives the add modified DRB command message, and extracts the ISC;
  • the primary base station sends the ISC to the terminal by using an RRC reconfiguration request message.
  • the ISC is the count value of a counter used to derive the slave base station key.
  • the method for the slave base station to derive a new slave base station key is performed as follows: when the primary base station transfers the DRB to the slave base station SeNB for the first time, the master base station generates a key KeNB and sends it to the slave base station SeNB.
  • the primary base station in this embodiment may be a macro base station MeNB.
  • when the macro base station continues to transfer DRBs to the slave base station SeNB, and there is a context relationship between the DRB and the last transferred DRB, the slave base station will subsequently self-derive according to the current slave base station key S-KeNB.
  • the key KeNB is derived by the primary base station according to the primary base station key M-KeNB and the derived count value SCC stored in the primary base station.
  • the SCC count value is incremented by 1 each time the primary base station derives the key KeNB, and usually the value of the SCC starts from 0.
  • the slave base station is provided with an internal counter Intra Smallcell Counter for counting to form the ISC; and the primary base station is internally provided with a counter for counting to form the SCC.
  • the secondary base station sends the ISC to the primary base station in an add modified DRB command message, and the primary base station extracts and stores a backup of it.
  • the RRC reconfiguration request message sends the ISC to the terminal; the terminal will derive a new slave base station key according to the current slave base station key and the ISC received in the RRC reconfiguration request message, and the derivation process is similar to the slave base station's derivation of the slave base station key.
  • Figure 5 shows a method by which the slave base station SeNB and the terminal UE derive a new slave base station key based on the slave base station key and the ISC.
  • KDF is an abbreviation of Key Derivation Function; in a specific implementation, the basis for deriving the new slave base station key may include, in addition to the previously stored slave base station key and the ISC, other derivation parameters such as a cell physical identifier or the carrier frequency of the cell; the cell is a cell formed by the coverage of the secondary base station.
  • the method in this embodiment further includes: before the slave base station derives a new slave base station key according to the current base station key and the ISC:
  • the primary base station sends an add modified DRB request message
  • the slave base station determines whether the add modified DRB request message carries a slave base station key; if not, the slave base station performs the step of deriving a new slave base station key according to the current slave base station key and the ISC.
  • Step S1.1 RRC connection establishment is completed between the terminal UE and the primary base station MeNB;
  • RRC is Radio Resource Control;
  • Step S1.2 The primary base station MeNB sends an add modified DRB request message to the secondary base station SeNB, and the slave base station receives the add modified DRB request message;
  • Step S1.3 The slave base station determines whether the add modified DRB request message carries a slave base station key; if not, the slave base station derives a new slave base station key according to the current slave base station key and the ISC;
  • Step S1.4 The slave base station sends an add modified DRB command message to the primary base station; the DRB command message includes the ISC; other parameters included in a specific implementation may be referred to the prior art;
  • Step S1.5 The primary base station receives the add modified DRB command message and sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
  • Step S1.6 The terminal UE receives the RRC reconfiguration request message, derives a new slave base station key according to the ISC and the current slave base station key, and establishes a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the method further includes:
  • Step S1.7 The terminal sends an RRC reconfiguration response message to the primary base station;
  • the RRC reconfiguration response message includes related information on the terminal's update of the slave base station key;
  • Step S1.8 After receiving the RRC reconfiguration response message, the primary base station sends SeNB state transmission information to the secondary base station according to the RRC reconfiguration response message.
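To make the exchange above concrete, here is an added example (not code from the patent or from ZTE) that simulates the MeNB, SeNB and UE for a first transfer, repeated transfers to the same SeNB, and the SeNB-initiated update described in the steps that follow, and checks that the two ends stay in sync. The KDF (HMAC-SHA256), the message layouts, the PCI/EARFCN values and the M-KeNB are assumptions of this example; the patent only names a KDF and its inputs.

```python
import hashlib
import hmac

# Constructed derivation parameters of the SeNB's cell (patent: "cell physical
# identifier and/or cell carrier frequency"); the values are made up.
PCI = 123
EARFCN = 1850


def kdf(key: bytes, label: bytes, *params: int) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label plus big-endian parameters.
    The patent only names a 'KDF'; this concrete construction is an assumption."""
    data = label + b"".join(p.to_bytes(4, "big") for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


class MeNB:
    """Primary base station: derives the first S-KeNB, afterwards only relays the ISC."""
    def __init__(self, m_kenb: bytes):
        self.m_kenb = m_kenb
        self.scc = 0  # MeNB-internal counter, +1 per MeNB-side derivation

    def transfer_drb(self, first: bool) -> dict:
        # Only the first transfer to a given SeNB carries an S-KeNB (derived from
        # M-KeNB and SCC); later transfers carry no key, so the SeNB self-derives.
        if first:
            s_kenb = kdf(self.m_kenb, b"S-KeNB", self.scc)
            self.scc += 1
            return {"type": "add_modify_drb_request", "s_kenb": s_kenb}
        return {"type": "add_modify_drb_request"}

    def forward(self, cmd: dict) -> dict:
        # Extract the ISC from the add-modify DRB command and hand it to the UE in an
        # RRC reconfiguration request; on the first transfer the UE gets the SCC.
        msg = {"type": "rrc_reconfiguration_request"}
        if "isc" in cmd:
            msg["isc"] = cmd["isc"]
        else:
            msg["scc"] = self.scc - 1
        return msg


class SeNB:
    """Secondary base station holding the Intra Smallcell Counter (ISC)."""
    def __init__(self):
        self.s_kenb = None
        self.isc = 0

    def _self_derive(self) -> dict:
        # New S-KeNB = KDF(current S-KeNB, ISC, derivation parameters). The key never
        # leaves the SeNB; only the ISC is reported back to the MeNB.
        self.s_kenb = kdf(self.s_kenb, b"S-KeNB-update", self.isc, PCI, EARFCN)
        cmd = {"type": "add_modify_drb_command", "isc": self.isc}
        self.isc += 1  # updated after each derivation, ready for the next one
        return cmd

    def handle_request(self, req: dict) -> dict:
        if "s_kenb" in req:          # request carries a key: install it, no derivation
            self.s_kenb = req["s_kenb"]
            return {"type": "add_modify_drb_command"}
        return self._self_derive()   # no key in the request: self-derive

    def spontaneous_update(self) -> dict:
        # SeNB's own key-derivation decision (key invalid, suspected desync, ...).
        return self._self_derive()


class UE:
    """Terminal: mirrors each derivation from the counter received over RRC."""
    def __init__(self, m_kenb: bytes):
        self.m_kenb = m_kenb  # shared with the MeNB after AKA
        self.s_kenb = None

    def handle_rrc_reconfig(self, msg: dict) -> None:
        if "scc" in msg:
            self.s_kenb = kdf(self.m_kenb, b"S-KeNB", msg["scc"])
        elif "isc" in msg:
            self.s_kenb = kdf(self.s_kenb, b"S-KeNB-update", msg["isc"], PCI, EARFCN)


def run_scenario(retransfers: int = 2, spontaneous: bool = True, drop_rrc_at=None) -> dict:
    """First transfer, `retransfers` further transfers to the same SeNB, then one
    SeNB-initiated update. With drop_rrc_at=k the UE misses the k-th RRC message
    (constructed failure case): the keys fall out of sync and stay that way."""
    m_kenb = hashlib.sha256(b"constructed M-KeNB from AKA").digest()
    menb, senb, ue = MeNB(m_kenb), SeNB(), UE(m_kenb)
    keys, rrc_count = [], 0

    def deliver(cmd: dict) -> None:
        nonlocal rrc_count
        rrc_count += 1
        if rrc_count != drop_rrc_at:
            ue.handle_rrc_reconfig(menb.forward(cmd))
        keys.append(senb.s_kenb)

    deliver(senb.handle_request(menb.transfer_drb(first=True)))
    for _ in range(retransfers):
        deliver(senb.handle_request(menb.transfer_drb(first=False)))
    if spontaneous:
        deliver(senb.spontaneous_update())
    return {"in_sync": senb.s_kenb == ue.s_kenb, "isc": senb.isc,
            "scc": menb.scc, "keys": keys}
```

The dropped-RRC case shows why the patent lets the SeNB check key synchronization with the terminal: once the UE misses one ISC, every later derivation differs even though both sides use the same ISC.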
  • the above improvement triggers the secondary base station's update of the secondary base station key from the primary base station's request message, and is suited to the existing problem of how to generate the secondary base station key when the primary base station transfers associated DRBs to the same secondary base station repeatedly.
  • a method by which the secondary base station updates the secondary base station key on its own, according to its own needs, is provided as follows:
  • the method further includes: the secondary base station determines, according to a key derivation decision, whether to trigger an update of the secondary base station key; if so, the secondary base station performs the step of deriving the new secondary base station key according to the current secondary base station key and the ISC.
  • the secondary base station determining, according to the key derivation decision, whether to trigger the update of the secondary base station key includes:
  • determining whether the current secondary base station key is invalid; if it is invalid, the secondary base station itself triggers the update of the secondary base station key; or
  • determining whether the secondary base station key held by the secondary base station and the one held by the terminal are synchronized; if they are not synchronized, the secondary base station itself triggers the update of the secondary base station key.
  • the cases in which the secondary base station decides, according to the key derivation decision, whether to trigger the update of the secondary base station key are not limited to the foregoing, and may further include: a decryption fault occurs while decrypting with the secondary base station key, and a new secondary base station key needs to be regenerated so that data transmission proceeds smoothly, and the like.
  • the method in which the secondary base station itself triggers the update of the secondary base station key may be implemented as shown in FIG. 7, and includes:
  • Step S2.1 When the secondary base station SeNB wants to update the secondary base station key S-KeNB, it directly generates a new secondary base station key according to the existing current secondary base station key and the ISC;
  • Step S2.2 The secondary base station sends an add/modify DRB command message to the primary base station, where the add/modify DRB command message includes the ISC;
  • Step S2.3 After receiving the add/modify DRB command message, the primary base station sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
  • Step S2.4 After receiving the RRC reconfiguration request message, the terminal derives a new secondary base station key according to the ISC parameter in the RRC reconfiguration request message and the current secondary base station key, and establishes a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
  • to further inform the primary base station and the secondary base station of the current connection status and/or the update status of the secondary base station key, the method further includes:
  • Step S2.5 The terminal sends an RRC reconfiguration response to the primary base station;
  • Step S2.6 After receiving the RRC reconfiguration response, the primary base station sends SeNB state transfer information to the secondary base station according to the RRC reconfiguration response, to feed back information such as the current connection status to the secondary base station.
  • the method further includes: after sending the add/modify DRB command message to the primary base station, the secondary base station updates the ISC.
  • specifically, updating the ISC may consist of adding 1 to the ISC count value.
  • the foregoing embodiment combines the first embodiment and the second embodiment, and can be regarded as a combination of the various technical solutions of the first and second embodiments; it likewise solves the shortcomings of the prior-art secondary base station key update and achieves high security between the terminal and the secondary base station.
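The exchange of steps S1.1 to S1.8 and S2.1 to S2.6, written out as an added Python illustration (this is not the patent's own code, and it is not a 3GPP implementation). The page fixes only that the new secondary base station key is derived from the current key, the ISC and optionally the cell physical identity and carrier frequency, that the ISC starts at 0 and increases by 1 after each derivation, and that a request carrying a key is adopted rather than derived from. Everything else is an assumption: the HMAC-SHA256 stand-in for the KDF, the message dictionaries, the key-confirmation tag used to model the "is the key synchronized" check of the triggering unit, and the sample key, cell identity and carrier values. The second scenario goes beyond the text to show a failure mode of the chained derivation: a terminal that misses one reconfiguration cannot catch up from the next ISC alone and needs a key pushed again by the primary base station.

```python
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Constructed stand-in for the key derivation function: HMAC-SHA256 over a
    label and the concatenated parameters. The page does not fix a KDF."""
    return hmac.new(key, label + b"".join(params), hashlib.sha256).digest()


def derive_s_kenb(current_s_kenb: bytes, isc: int, pci: int, earfcn: int) -> bytes:
    """New secondary base station key from the current S-KeNB, the ISC and the
    derivation parameters named on the page (cell physical identity, carrier frequency)."""
    return kdf(current_s_kenb, b"S-KeNB-update",
               struct.pack(">H", isc), struct.pack(">H", pci), struct.pack(">I", earfcn))


def key_confirmation(s_kenb: bytes) -> bytes:
    """Constructed: tag the terminal returns so the SeNB can check key synchronization."""
    return kdf(s_kenb, b"key-confirm")


class SecondaryBaseStation:
    def __init__(self, pci: int, earfcn: int):
        self.pci, self.earfcn = pci, earfcn
        self.s_kenb = None
        self.isc = 0                      # counter; the embodiment starts it at 0

    def on_add_modify_drb_request(self, request: dict) -> dict:
        """Steps S1.3/S1.4: a pushed key is adopted, otherwise derive locally."""
        if request.get("s_kenb") is not None:   # first transfer: MeNB supplied S-KeNB
            self.s_kenb = request["s_kenb"]
            return {"isc": None}                # nothing to announce to the terminal
        return self.self_update()

    def self_update(self) -> dict:
        """Steps S2.1/S2.2: derive with the current ISC, announce it, then bump the ISC."""
        used = self.isc
        self.s_kenb = derive_s_kenb(self.s_kenb, used, self.pci, self.earfcn)
        self.isc += 1                     # update of the ISC: add 1 to the count value
        return {"isc": used}

    def is_synchronized(self, tag: bytes) -> bool:
        """Triggering-unit check: does the terminal hold the same S-KeNB?"""
        return hmac.compare_digest(tag, key_confirmation(self.s_kenb))


class Terminal:
    def __init__(self, s_kenb: bytes, pci: int, earfcn: int):
        self.s_kenb = s_kenb
        self.pci, self.earfcn = pci, earfcn

    def on_rrc_reconfiguration(self, msg: dict) -> bytes:
        """Steps S1.6/S2.4: derive the new key from the ISC and the current key."""
        if msg.get("isc") is not None:
            self.s_kenb = derive_s_kenb(self.s_kenb, msg["isc"], self.pci, self.earfcn)
        return key_confirmation(self.s_kenb)


def master_forwards(command: dict) -> dict:
    """Steps S1.5/S2.3: the MeNB copies the ISC into the RRC reconfiguration request."""
    return {"isc": command["isc"]}


def run_transfers(transfers: int = 3) -> dict:
    """Repeated DRB transfers to the same SeNB: first with a pushed key, then ISC-based."""
    pci, earfcn = 101, 1800                          # constructed cell identity / carrier
    kenb = b"\x11" * 32                              # constructed MeNB key
    initial = kdf(kenb, b"S-KeNB-initial", struct.pack(">H", 0))  # prior-art: KeNB + SCC
    senb = SecondaryBaseStation(pci, earfcn)
    ue = Terminal(initial, pci, earfcn)              # UE holds the initial key the prior-art way
    synced = []
    for i in range(transfers):
        request = {"s_kenb": initial} if i == 0 else {}   # later requests carry no key
        command = senb.on_add_modify_drb_request(request)
        tag = ue.on_rrc_reconfiguration(master_forwards(command))
        synced.append(senb.is_synchronized(tag))
    return {"isc": senb.isc, "synced": synced, "keys_match": senb.s_kenb == ue.s_kenb}


def lost_reconfiguration() -> dict:
    """Failure mode: the UE misses one reconfiguration. Because each key is chained
    from the previous one, a later ISC does not resynchronize the UE; the MeNB must
    push a fresh key (a request carrying s_kenb) to recover."""
    pci, earfcn = 101, 1800
    senb = SecondaryBaseStation(pci, earfcn)
    senb.on_add_modify_drb_request({"s_kenb": b"\x22" * 32})
    ue = Terminal(b"\x22" * 32, pci, earfcn)
    senb.self_update()                                         # RRC message never reaches the UE
    detected = not senb.is_synchronized(key_confirmation(ue.s_kenb))
    tag = ue.on_rrc_reconfiguration(master_forwards(senb.self_update()))
    still_desynced = not senb.is_synchronized(tag)             # the next ISC alone does not help
    fresh = b"\x33" * 32                                       # constructed key pushed again by the MeNB
    senb.on_add_modify_drb_request({"s_kenb": fresh})
    ue.s_kenb = fresh                                          # delivered to the UE via the MeNB path
    recovered = senb.is_synchronized(ue.on_rrc_reconfiguration({"isc": None}))
    return {"detected": detected, "still_desynced": still_desynced, "recovered": recovered}
```

`run_transfers(3)` ends with the ISC at 2 and both sides holding the same key after every transfer. `lost_reconfiguration()` is the reason the triggering unit's synchronization check matters: with a chained derivation the ISC carried in the RRC reconfiguration request must reach the terminal for every update, which is what the RRC reconfiguration response of step S1.7 lets the primary base station confirm.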
  • Embodiment 4:
  • the embodiment provides a secondary base station, where the secondary base station includes:
  • a first derivation unit configured to derive a new secondary base station key according to the current secondary base station key and the ISC;
  • the ISC is a count value for deriving the secondary base station key.
  • the specific structure of the first derivation unit may be a processor; the processor includes a multi-core or single-core central processing unit, a single-chip microcomputer, a digital signal processor, a programmable array, and the like.
  • the secondary base station may further include a counter; the counter may be configured to form the ISC; in a specific implementation process the value of the ISC may start from 0 or 1; in this embodiment the count starts from 0.
  • this embodiment provides a secondary base station which can update the secondary base station key by itself, and supplies the hardware support for the secondary base station key update method described in the first embodiment, thereby likewise solving the prior-art problem of updating the secondary base station key when the primary base station pushes associated DRBs to the same secondary base station multiple times.
  • the secondary base station includes a first derivation unit 110 and a first sending unit 120;
  • the first sending unit 120 is configured to send an add/modify DRB command message to the primary base station after the new secondary base station key has been derived from the secondary base station key and the ISC; the DRB command message includes the ISC;
  • the ISC is sent by the primary base station to the terminal by means of an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to update the secondary base station key according to the ISC and to establish a connection with the secondary base station.
  • the specific structure of the first sending unit 120 may be a wired or wireless sending interface, such as a transmitting antenna or a wired communication interface for a twisted pair cable, a coaxial cable, or an optical fiber.
  • the sending interface is coupled to the first derivation unit 110.
  • the secondary base station further includes a first receiving unit 130 and a determining unit 140;
  • the first receiving unit 130 is configured to receive an add/modify DRB request message sent by the primary base station before the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC; the determining unit 140 is configured to determine whether the add/modify DRB request message carries a secondary base station key;
  • the first derivation unit 110 is configured to derive a new secondary base station key according to the current secondary base station key and the ISC when the add/modify DRB request message does not carry a secondary base station key.
  • the specific structure of the first receiving unit 130 may include a receiving interface, such as a receiving antenna or another wired network communication interface; the specific structure of the determining unit 140 may be a processor; the processor may be an electronic component with a processing function, such as a central processing unit, a single-chip microcomputer, a digital signal processor, or a programmable logic array; in a specific implementation process, the determining unit 140 and the first derivation unit 110 may each correspond to one processor, interconnected through a connection interface or bus inside the secondary base station, or may be integrated on the same processor, which performs the respective functions of the first derivation unit 110 and the determining unit 140 by time division multiplexing or in different threads.
  • the secondary base station further includes a triggering unit;
  • the triggering unit is configured to determine, according to the key derivation decision, whether to trigger the update of the secondary base station key before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC; the first derivation unit 110 is configured to derive the new secondary base station key according to the current secondary base station key and the ISC after the triggering unit has triggered the update of the secondary base station key.
  • the triggering unit is specifically configured to determine whether the current secondary base station key is invalid and to trigger the update of the secondary base station key when it is invalid; or to determine whether the secondary base station key held by the secondary base station and the one held by the terminal are synchronized, and to trigger the update of the secondary base station key when they are not synchronized.
  • the triggering unit may likewise correspond to a processor; the processor may be an electronic component with a processing function, such as a central processing unit, a single-chip microcomputer, a digital signal processor, or a programmable logic array; the triggering unit may have a processor of its own, or may be integrated with other functional units so as to correspond to the same processor.
  • the processor is also connected to a storage medium; the functions of the first derivation unit, the determining unit 140 and the triggering unit may each be implemented by running a program or software stored in the storage medium.
  • the first derivation unit 110 is specifically configured to derive the new secondary base station key according to the secondary base station key, the ISC, and a derivation parameter.
  • the derivation parameter includes at least one of a cell physical identifier and a cell carrier frequency; the cell is the cell formed by the coverage of the secondary base station.
  • in a specific implementation process the derivation parameters may also include other parameters, and are not limited to the cell physical identifier and the cell carrier frequency.
  • the secondary base station further includes a counter; the counter is configured to update the ISC after the new secondary base station key is derived from the secondary base station key and the ISC.
  • Embodiment 5 As shown in FIG. 10, this embodiment provides a terminal, where the terminal includes:
  • a second receiving unit 210 configured to receive an RRC reconfiguration request message sent by the primary base station, where the RRC reconfiguration request message includes an ISC; a second derivation unit 220 configured to derive a new secondary base station key according to the ISC and the current secondary base station key;
  • a connecting unit 230 configured to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
  • the ISC is a count value for deriving the secondary base station key.
  • the terminal may be a dual-mode terminal or a multi-mode terminal, and can maintain connections with at least two base stations.
  • the specific structure of the second receiving unit 210 may include a communication interface such as a receiving antenna.
  • the second derivation unit 220 may include a processor configured to extract the required information from the message received by the second receiving unit 210 and to derive the new secondary base station key according to the ISC in the RRC reconfiguration request message and the current secondary base station key stored in the terminal.
  • the processor may be a processing component such as a central processing unit, a single-chip microcomputer, a digital signal processor or a programmable logic array. In a specific implementation process, the processor is also connected to a storage medium; the functions of the second derivation unit 220 can be implemented by running a program or software stored in the storage medium.
  • the connecting unit 230 is configured to establish a connection channel between the terminal and the secondary base station, and its corresponding structure may include a communication interface, such as an air interface.
  • the terminal in this embodiment provides the hardware support for the secondary base station key update method described in the second embodiment, can be used to implement the technical solution described in any one of the second embodiment, likewise has the secondary base station key update function, and, since it does not need to obtain the key from the primary base station or the secondary base station, has the advantage of high security.
  • the embodiment provides a communication system, where the communication system includes: a secondary base station 330 configured to derive a new secondary base station key according to the current secondary base station key and the ISC, and to send an add/modify DRB command message to the primary base station 310; the DRB command message includes the ISC;
  • the primary base station 310 is configured to receive the add/modify DRB command message, extract the ISC, and send the ISC to the terminal by means of an RRC reconfiguration request message;
  • the terminal 320 is configured to receive the RRC reconfiguration request message, derive a new secondary base station key according to the ISC and the current secondary base station key, and establish a connection with the secondary base station 330 according to the RRC reconfiguration request message and the new secondary base station key;
  • the ISC is a count value for deriving the secondary base station key.
  • the primary base station 310 is further configured to send an add/modify DRB request message before the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC;
  • the secondary base station 330 is further configured to receive the add/modify DRB request message, determine whether the add/modify DRB request message carries a secondary base station key, and, when it does not, derive a new secondary base station key according to the current secondary base station key and the ISC.
  • the secondary base station 330 is further configured to determine, according to the key derivation decision, whether to trigger the update of the secondary base station key before deriving the new secondary base station key according to the current secondary base station key and the ISC, and, when the update of the secondary base station key is triggered, to perform the step of deriving the new secondary base station key from the secondary base station key and the ISC.
  • the secondary base station 330 is configured to determine whether the current secondary base station key is invalid, or whether the secondary base station key held by the secondary base station and the one held by the terminal are synchronized; the update of the secondary base station key is triggered when the key is invalid or when the keys are not synchronized.
  • the secondary base station 330 is further configured to update the ISC after sending the add/modify DRB command message to the primary base station.
  • the primary base station 310, the terminal 320 and the secondary base station 330 are all connected via a wireless network.
  • FIG. 12 is an example of a communication system including a macro base station, a small base station, and a terminal; the macro base station, as the primary base station, forms a macro cell, drawn as the large ellipse; the small base station, as the secondary base station, forms a small cell, drawn as the small ellipse.
  • the terminal is connected to the macro base station and to the small base station respectively; the terminal and the macro base station exchange data such as U-plane data over carrier F1, and the terminal and the small base station exchange data such as U-plane data over carrier F2; the U-plane data is user plane data.
  • (figure legend) F1 carrier; F2 carrier
  • the communication system in this embodiment provides the hardware support for the secondary base station key update method in the third embodiment, can be used to implement the technical solution described in any one of the third embodiment, solves the prior-art problem of secondary base station key update, and improves the security of information transmission between the secondary base station and the terminal.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute at least one of the methods described in the first to third embodiments, specifically the method shown in FIG. 1, FIG. 2, FIG. 3, and/or FIG.
  • the computer storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like, which can store program code; a non-transitory storage medium is preferred.

Abstract

The present invention relates to the field of communications. Disclosed are a sub base station key update method, sub base station, terminal and communication system. The sub base station key update method comprises: deriving a new sub base station key according to the current sub base station key and an inside sub base station counter (ISC), the ISC being a count value for deriving the sub base station key (S110). Also disclosed in the present invention is a computer storage medium.

Description

Key update method, secondary base station, terminal, communication system, and storage medium
Technical Field
The present invention relates to information security technology in the field of communications, and in particular to a key update method, a secondary base station, a terminal, a communication system, and a storage medium.
Background
A Long Term Evolution (LTE) network consists of an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and an Evolved Packet Core (EPC), and its network structure is flat.
The E-UTRAN is connected to the EPC through the S1 interface. The E-UTRAN is composed of a number of interconnected evolved base stations (Evolved NodeB, eNB), and the eNBs are connected to each other through the X2 interface.
The EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW).
The system architecture of the LTE network also contains a Home Environment (HE), namely the Home Subscriber Server (HSS) or Home Location Register (HLR), which serves as the user database. It holds user profiles, performs user authentication and authorization, and can provide information such as the user's physical location.
To meet the growing demand for high-bandwidth, high-speed mobile access, the Third Generation Partnership Project (3GPP) introduced the Long-Term Evolution Advanced (LTE-Advanced) standard. LTE-Advanced, as the evolution of the Long-Term Evolution (LTE) system, keeps the core of LTE and on that basis uses a series of techniques to extend the frequency and spatial domains, so as to improve spectrum utilization and increase system capacity. In some application scenarios, Small Cell (SC) enhancement technology is used to raise user throughput.
The main implementation of SC enhancement is dual connectivity, as shown in FIG. 1. One user equipment (UE) is connected to two cells at the same time: one is the primary cell (Macro Cell) and the other is the secondary cell (Small Cell). The base station where the primary cell is located is called the master base station (Macro eNodeB, MeNB), and the base station where the secondary cell is located is called the secondary base station (small eNodeB, or secondary eNodeB, SeNB). The signalling-plane functions between the UE and the base stations are completed through the master base station, while the user plane is completed by the UE together with the master base station and the secondary base station; that is, the UE has a user-plane connection with both the master base station and the secondary base station, referred to as dual connectivity.
The main technical question of dual connectivity is how the user-plane protocol stack functions are divided between the master base station and the secondary base station. There are currently several candidate schemes, the main one being the scheme shown in FIG. 2. In this scheme, the user plane and control plane of the master base station remain unchanged, and the user-plane protocol stack of the secondary base station includes all layers from the PDCP layer to the PHY layer. The secondary base station connects directly to the S-GW, and the S1-U interface between them is exactly the same as before. For a DRB transferred away from the master base station, on the air interface the UE connects directly to the secondary base station to carry the transferred DRB.
The key used for air-interface security between the UE and the MeNB, KeNB, is produced by the AKA procedure between the UE and the CN. The SeNB is selected by the MeNB, and that procedure does not interact with the CN, so the key used for air-interface security between the UE and the SeNB (S-KeNB for short) cannot be produced by the CN. When the MeNB transfers a DRB to the SeNB for the first time, the key used by the SeNB is derived by the MeNB from the M-KeNB and the MeNB-internal counter SCC, and is then delivered by the MeNB to the SeNB. If the MeNB later transfers the UE's DRB to another SeNB, the MeNB again derives the key from the M-KeNB and the SCC and sends it to the new SeNB. Each time the MeNB derives an S-KeNB, the SCC increases by 1. However, how the S-KeNB is updated when the MeNB transfers DRBs to the same SeNB multiple times remains an open problem.
Summary of the Invention
In view of this, the embodiments of the present invention aim to provide a secondary base station key update method, a secondary base station, a terminal, a communication system and a computer storage medium that simplify the secondary base station key update method and improve information security between the secondary base station and the terminal.
To achieve the above objective, the technical solutions of the embodiments of the present invention are implemented as follows:
A first aspect of the embodiments of the present invention provides a secondary base station key update method, the method including: deriving a new secondary base station key according to the current secondary base station key and the ISC;
where the ISC is a count value for deriving the secondary base station key.
Based on the above solution, after deriving the new secondary base station key from the secondary base station key and the ISC, the method further includes:
sending an add/modify DRB command message to the primary base station; the DRB command message includes the ISC;
where the ISC is sent by the primary base station to the terminal by means of an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key.
Based on the above solution, before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method further includes:
receiving an add/modify DRB request message sent by the primary base station;
determining whether the add/modify DRB request message carries a secondary base station key;
if not, proceeding to the step in which the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution, before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method further includes: determining, according to a key derivation decision, whether to trigger an update of the secondary base station key;
if so, proceeding to the step in which the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution, determining, according to the key derivation decision, whether to trigger the update of the secondary base station key includes:
determining whether the current secondary base station key is invalid;
if it is invalid, triggering the update of the secondary base station key; or
determining whether the secondary base station key held by the secondary base station and the one held by the terminal are synchronized;
if they are not synchronized, triggering the update of the secondary base station key.
Based on the above solution, the secondary base station deriving the new secondary base station key according to the current secondary base station key and the ISC includes:
deriving the new secondary base station key according to the secondary base station key, the ISC and a derivation parameter.
Based on the above solution,
the derivation parameter includes a cell physical identifier and/or a cell carrier frequency;
the cell is the cell formed by the coverage of the secondary base station.
Based on the above solution, after deriving the new secondary base station key from the secondary base station key and the ISC, the method includes:
updating the ISC.
A second aspect of the embodiments of the present invention provides a secondary base station key update method, the method including:
receiving an RRC reconfiguration request message sent by the primary base station; the RRC reconfiguration request message includes an ISC;
deriving a new secondary base station key according to the ISC and the current secondary base station key;
establishing a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key; where the ISC is a count value for deriving the secondary base station key.
A third aspect of the embodiments of the present invention provides a secondary base station key update method, the method including: the secondary base station deriving a new secondary base station key according to the current secondary base station key and the ISC;
the secondary base station sending an add/modify DRB command message to the primary base station; the DRB command message includes the ISC;
the primary base station receiving the add/modify DRB command message;
the primary base station sending an RRC reconfiguration request message to the terminal; the RRC reconfiguration message includes the ISC;
the terminal receiving the RRC reconfiguration request message;
the terminal deriving a new secondary base station key according to the ISC and the current secondary base station key;
the terminal establishing a connection with the secondary base station according to the RRC reconfiguration message and the new secondary base station key;
where the ISC is a count value for deriving the secondary base station key.
Based on the above solution, before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method further includes:
the primary base station sending an add/modify DRB request message;
the secondary base station receiving the add/modify DRB request message;
the secondary base station determining whether the add/modify DRB request message carries a secondary base station key;
if not, the secondary base station performing the step of deriving the new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution, before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method further includes:
the secondary base station determining, according to a key derivation decision, whether to trigger an update of the secondary base station key;
if so, the secondary base station performing the step of deriving the new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution, the secondary base station determining, according to the key derivation decision, whether to trigger the update of the secondary base station key includes:
the secondary base station determining whether the current secondary base station key is invalid;
if it is invalid, the secondary base station itself triggering the update of the secondary base station key; or
the secondary base station determining whether the secondary base station key held by the secondary base station and the one held by the terminal are synchronized;
if they are not synchronized, the secondary base station itself triggering the update of the secondary base station key.
Based on the above solution, after the secondary base station sends the add/modify DRB command message to the primary base station, the method further includes:
the secondary base station updating the ISC.
A fourth aspect of the embodiments of the present invention provides a secondary base station, the secondary base station including:
a first derivation unit, configured to derive a new secondary base station key according to the current secondary base station key and the ISC;
where the ISC is the count value of a counter used for deriving the secondary base station key.
Based on the above solution, the secondary base station further includes a first sending unit;
the first sending unit is configured to send an add/modify DRB command message to the primary base station after the new secondary base station key has been derived from the secondary base station key and the ISC; the DRB command message includes the ISC;
where the ISC is sent by the primary base station to the terminal in an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key.
Based on the above solution, the secondary base station further includes a first receiving unit and a determining unit;
the first receiving unit is configured to receive an add/modify DRB request message sent by the primary base station before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC;
the determining unit is configured to determine whether the add/modify DRB request message carries a secondary base station key;
the first derivation unit is configured to derive a new secondary base station key according to the current secondary base station key and the ISC when the add/modify DRB request message does not carry a secondary base station key.
Based on the above solution, the secondary base station further includes a trigger unit;
the trigger unit is configured to determine, according to a key derivation decision, whether to trigger an update of the secondary base station key before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC; the first derivation unit is further configured to derive the new secondary base station key according to the current secondary base station key and the ISC after the trigger unit has triggered the update of the secondary base station key.
Based on the above solution, the trigger unit is configured to determine whether the current secondary base station key has expired and to trigger an update of the secondary base station key when it has expired; or to determine whether the secondary base station keys held by the secondary base station and by the terminal are synchronized and to trigger an update of the secondary base station key when they are not synchronized.
Based on the above solution, the first derivation unit is configured to derive the new secondary base station key according to the secondary base station key, the ISC, and derivation parameters.
Based on the above solution,
the derivation parameters include a physical cell identifier and/or a cell carrier frequency;
the cell is the cell formed by the coverage of the secondary base station.
Based on the above solution, the secondary base station further includes a counter;
the counter is configured to update the ISC after the new secondary base station key has been derived according to the secondary base station key and the ISC.
A fifth aspect of the embodiments of the present invention provides a terminal, the terminal including:
a second receiving unit, configured to receive an RRC reconfiguration request message sent by the primary base station;
a second derivation unit, configured to derive a new secondary base station key according to the current ISC and the secondary base station key;
a connection unit, configured to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
where the ISC is the count value used for deriving the secondary base station key.
A sixth aspect of the embodiments of the present invention provides a communication system, the communication system including:
a secondary base station, configured to derive a new secondary base station key according to the current secondary base station key and the ISC, and to send an add/modify DRB command message to the primary base station, the DRB command message including the ISC;
a primary base station, configured to receive the add/modify DRB command message, extract the ISC, and send the ISC to the terminal in an RRC reconfiguration request message;
a terminal, configured to receive the RRC reconfiguration request message, derive a new secondary base station key according to the ISC and the secondary base station key, and establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
where the ISC is the count value used for deriving the secondary base station key.
Based on the above solution,
the primary base station is further configured to send an add/modify DRB request message before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC;
the secondary base station is further configured to receive the add/modify DRB request message, to determine whether the add/modify DRB request message carries a secondary base station key, and, when the add/modify DRB request message does not carry a secondary base station key, to derive a new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution,
the secondary base station is further configured to determine, according to a key derivation decision, whether to trigger an update of the secondary base station key before it derives the new secondary base station key according to the current secondary base station key and the ISC; and, when the update of the secondary base station key is triggered, to perform the step of deriving the new secondary base station key according to the current secondary base station key and the ISC.
Based on the above solution, the secondary base station is configured to determine whether the current secondary base station key has expired, or to determine whether the secondary base station keys held by the secondary base station and by the terminal are synchronized; and to trigger an update of the secondary base station key on its own when the secondary base station key has expired or when the keys are not synchronized.
Based on the above solution, the secondary base station is further configured to update the ISC after sending the add/modify DRB command message to the primary base station.
A sixth aspect of the embodiments of the present invention provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform at least one of the methods of the first to third aspects of the embodiments of the present invention.
In the secondary base station key update method, secondary base station, terminal, and communication system of the embodiments of the present invention, the secondary base station derives the secondary base station key itself. This provides a way to update the secondary base station key when the primary base station transfers associated DRBs to the same secondary base station multiple times, and at the same time avoids the security risk of transmitting the secondary base station key between base stations, thereby improving communication security.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is the first schematic flowchart of the secondary base station key update method of Embodiment 1 of the present invention;
Figure 2 is the second schematic flowchart of the secondary base station key update method of Embodiment 1 of the present invention;
Figure 3 is a schematic flowchart of the secondary base station key update method of Embodiment 2 of the present invention;
Figure 4 is the first schematic diagram of the secondary base station key derivation method of Embodiment 3 of the present invention;
Figure 5 is the second schematic diagram of the secondary base station key derivation method of Embodiment 3 of the present invention;
Figure 6 is the first schematic flowchart of the secondary base station key update method of Embodiment 3 of the present invention;
Figure 7 is the second schematic flowchart of the secondary base station key update method of Embodiment 3 of the present invention;
Figure 8 is the first schematic structural diagram of the secondary base station of Embodiment 4 of the present invention;
Figure 9 is the second schematic structural diagram of the secondary base station of Embodiment 4 of the present invention;
Figure 10 is a schematic structural diagram of the terminal of Embodiment 5 of the present invention;
Figure 11 is the first schematic structural diagram of the communication system of Embodiment 6 of the present invention;
Figure 12 is the second schematic structural diagram of the communication system of Embodiment 6 of the present invention.
DETAILED DESCRIPTION
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below serve only to illustrate and explain the present invention and are not intended to limit it.
Embodiment 1:
This embodiment provides a secondary base station key update method, the method including:
deriving a new secondary base station key according to the current secondary base station key and the ISC;
where the ISC is the count value used for deriving the secondary base station key.
In the secondary base station key update method of this embodiment, the secondary base station derives a new secondary base station key from the secondary base station key and the ISC that it currently stores internally. The new secondary base station key differs from the current secondary base station key held before the derivation, and the secondary base station key does not need to be sent from the primary base station to the secondary base station. This first provides an entirely new way of obtaining the secondary base station key; second, because the secondary base station derives the key itself, it avoids the security problems caused by transmitting the secondary base station key, thereby improving information security. The specific key derivation method can follow the prior art.
As a further improvement of this embodiment, as shown in Figure 1, the method specifically includes:
Step S110: derive a new secondary base station key according to the current secondary base station key and the ISC;
Step S120: send an add/modify DRB command message to the primary base station; the DRB command message includes the ISC;
where the RRC reconfiguration request message is used to instruct the terminal to derive a new secondary base station key according to the ISC and the current secondary base station key, and to establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key.
The updated secondary base station key will be used in communication between the secondary base station and the terminal, but at this point no connection has yet been established between the secondary base station and the terminal, so the information must be forwarded to the terminal by the primary base station. At the same time, to keep the secondary base station key secure, the secondary base station key itself cannot be sent between the base station and the terminal; yet the terminal's secondary base station function module must stay synchronized with the secondary base station key held in the secondary base station. Therefore the ISC used to derive the secondary base station key is sent to the terminal, and the terminal derives the secondary base station key itself according to the ISC. The method by which the terminal derives the secondary base station key is the same as the method used by the secondary base station. The primary base station is usually a macro base station; the secondary base station is usually a small base station or a home base station, but may also be an ordinary macro base station. The terminal is usually a dual-connectivity or multi-connectivity terminal.
As a further improvement of this embodiment, as shown in Figure 2, the method may further include the following steps:
Step S101: receive an add/modify DRB request message sent by the primary base station;
Step S102: determine whether the add/modify DRB request message carries a secondary base station key;
if not, perform step S110, or perform steps S110 and S120.
Here, a method is provided in which the primary base station, by sending an add/modify DRB request message, triggers the secondary base station to update the secondary base station key itself. A specific application scenario is one in which the primary base station transfers associated DRBs to the same secondary base station multiple times and the current DRB transfer is not the first one. DRB is the abbreviation of data radio bearer, the user-plane radio bearer carrying user data.
In addition, in some scenarios the secondary base station may also update the secondary base station key spontaneously. Before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method of this embodiment further includes:
determining, according to a key derivation decision, whether to trigger an update of the secondary base station key;
if so, proceeding to the step in which the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC.
Specifically, determining according to the key derivation decision whether to trigger an update of the secondary base station key includes: determining whether the current secondary base station key has expired, or determining whether the secondary base station keys held by the secondary base station and by the terminal are synchronized; if the key has expired, triggering an update of the secondary base station key, or if the keys are not synchronized, triggering an update of the secondary base station key.
In practice this also covers the case in which the secondary base station fails to decrypt data: it must then re-establish whether the secondary base station key used by the secondary base station and the terminal is correct, and it may likewise trigger an update of the secondary base station key on its own so that communication and data decryption can proceed.
With the above improvement, the method of this embodiment also provides a step in which the secondary base station updates the secondary base station key spontaneously, further completing the secondary base station key update method.
The specific operation of step S110 is as follows. Step S110 includes: deriving a new secondary base station key according to the secondary base station key, the ISC, and derivation parameters; where the derivation parameters include a physical cell identifier and/or a cell carrier frequency, and the cell is the cell formed by the coverage of the secondary base station.
As a further improvement of this embodiment, to prepare for the next secondary base station key update, after the secondary base station has sent the ISC to the primary base station in the add/modify DRB command message, the secondary base station also needs to update the ISC; usually the ISC is incremented by 1, and usually the ISC starts from 0.
In summary, this embodiment provides a secondary base station key update method in which the secondary base station derives the secondary base station key itself. This avoids transmitting the key, and at the same time solves the problems in the prior art of errors in the secondary base station key, loss of synchronization of the secondary base station key between the base station and the terminal, and the primary base station transferring DRBs to the same secondary base station multiple times.
Embodiment 2
As shown in Figure 3, a terminal-side secondary base station key update method includes:
Step S210: receive an RRC reconfiguration request message sent by the primary base station; the RRC reconfiguration request message includes the ISC;
Step S220: derive a new secondary base station key according to the ISC and the secondary base station key;
Step S230: establish a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
where the ISC is the count value used for deriving the secondary base station key.
In addition to the ISC, the RRC reconfiguration request message includes configuration parameters for establishing the connection. In step S230 the terminal establishes a connection with the secondary base station according to these configuration parameters and the new secondary base station key. The terminal of this embodiment derives a new secondary base station key from the ISC parameter carried in the RRC reconfiguration request message sent by the primary base station and the current secondary base station key, and establishes a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key. This changes the way the terminal obtains the secondary base station key and likewise helps solve the problems in the prior art of errors in the secondary base station key, loss of synchronization of the secondary base station key between the base station and the terminal, and the primary base station transferring DRBs to the same secondary base station multiple times.
Embodiment 3:
This embodiment provides a secondary base station key update method, the method including:
the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC;
the secondary base station sends an add/modify DRB command message to the primary base station; the DRB command message includes the ISC;
the primary base station receives the add/modify DRB command message and extracts the ISC;
the primary base station sends the ISC to the terminal in an RRC reconfiguration request message;
the terminal receives the RRC reconfiguration request message;
the terminal derives a new secondary base station key according to the ISC and the current secondary base station key;
the terminal establishes a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
where the ISC is the count value used for deriving the secondary base station key.
As shown in Figure 4, the method by which the secondary base station derives a new secondary base station key is as follows. When the primary base station transfers a DRB to the secondary base station SeNB for the first time, the primary base station generates the key KeNB and sends it to the secondary base station SeNB as the first secondary base station key S-KeNB; at this time the count value ISC for secondary base station key derivation is 0. The primary base station in this embodiment may be a macro base station MeNB. When the macro base station continues to transfer DRBs to the secondary base station SeNB and the transferred DRB has a context or similar relationship with the previously transferred DRB, the secondary base station will from then on derive the new secondary base station key itself according to the current secondary base station key S-KeNB and the ISC. The key KeNB is derived by the primary base station according to the primary base station key M-KeNB stored inside the primary base station and the derivation count value SCC. Each time the primary base station derives the key KeNB, the SCC count value is incremented by 1, and usually the SCC starts from 0. In a specific implementation the secondary base station has an internal counter, the Intra Smallcell Counter, whose count forms the ISC; the primary base station has an internal counter whose count forms the SCC.
To keep the secondary base station key synchronized between the secondary base station and the terminal, in this embodiment the secondary base station sends the ISC to the primary base station in the add/modify DRB command message; the primary base station extracts it, stores a backup copy, and sends the ISC to the terminal in an RRC reconfiguration request message. The terminal then derives a new secondary base station key according to the current secondary base station key and the ISC received in the RRC reconfiguration request message; the derivation process is the same as that performed by the secondary base station.
Figure 5 shows the method used by the secondary base station SeNB and the terminal UE to derive a new secondary base station key from the secondary base station key and the ISC. KDF is the abbreviation of Key Derivation Function. In a specific implementation, the inputs to the derivation of the new secondary base station key may include, besides the previously stored secondary base station key and the ISC, other derivation parameters such as the physical cell identifier or the cell carrier frequency; the cell is the cell formed by the coverage of the secondary base station.
As a further improvement of this embodiment, before the secondary base station derives the new secondary base station key according to the current secondary base station key and the ISC, the method of this embodiment further includes:
the primary base station sends an add/modify DRB request message;
the secondary base station receives the add/modify DRB request message;
the secondary base station determines whether the add/modify DRB request message carries a secondary base station key; if not, the secondary base station performs the step of deriving a new secondary base station key according to the current secondary base station key and the ISC.
A specific implementation of the method of this embodiment may therefore be as shown in Figure 6 and includes the following steps:
Step S1.1: RRC connection establishment is completed between the terminal UE and the primary base station MeNB (RRC: Radio Resource Control);
Step S1.2: the primary base station MeNB sends an add/modify DRB request message to the secondary base station SeNB, and the secondary base station receives the add/modify DRB request message;
Step S1.3: the secondary base station determines, from the add/modify DRB request message, whether the add/modify DRB request message carries a secondary base station key; if not, the secondary base station derives a new secondary base station key according to the current secondary base station key and the ISC;
Step S1.4: the secondary base station sends an add/modify DRB command message to the primary base station; the DRB command message includes the ISC; in a specific implementation it also includes other parameters, for which see the prior art;
Step S1.5: the primary base station receives the add/modify DRB command message and sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
Step S1.6: the terminal UE receives the RRC reconfiguration request message, derives a new secondary base station key according to the ISC and the current secondary base station key, and establishes a connection with the secondary base station according to the RRC reconfiguration request message and the new secondary base station key;
To notify the primary base station and the secondary base station that the update of the secondary base station key has been completed, as a further improvement of this embodiment, the method further includes:
Step S1.7: the terminal sends an RRC reconfiguration response message to the primary base station; the RRC reconfiguration response message includes information about the terminal's update of the secondary base station key;
Step S1.8: after receiving the RRC reconfiguration response message, the primary base station sends SeNB status transfer information to the secondary base station according to the RRC reconfiguration response message.
In the above improvement of this embodiment the secondary base station triggers an update of the secondary base station key based on a request message from the primary base station, which suits the existing problem of generating the secondary base station key when the primary base station transfers associated DRBs to the same secondary base station multiple times. The following provides a method in which the secondary base station updates the secondary base station key spontaneously, according to its own needs; it operates as follows:
Before the slave base station derives a new slave base station key from the current slave base station key and the ISC, the method further includes: the slave base station judges, according to a key derivation decision, whether to trigger an update of the slave base station key; if so, the slave base station performs the step of deriving a new slave base station key from the current slave base station key and the ISC.
Preferably, the slave base station judging, according to the key derivation decision, whether to trigger the update of the slave base station key includes:
the slave base station judging whether the current slave base station key has expired;
if it has expired, the slave base station itself triggers an updated slave base station key; or
the slave base station judging whether the slave base station keys held by the slave base station and by the terminal are synchronized;
if they are not synchronized, the slave base station itself triggers an updated slave base station key.
In a specific implementation, the cases in which the slave base station judges, according to the key derivation decision, whether to trigger an update of the slave base station key are not limited to the above; they may also include a decryption failure occurring with the slave base station key during decryption, so that a new slave base station key must be regenerated for data to be transmitted smoothly, and the like.
The method by which the slave base station itself triggers the update of the slave base station key may be implemented as shown in FIG. 7, and includes:
Step S2.1: when the slave base station SeNB wants to update the slave base station key S-KeNB, it generates a new slave base station key directly from the existing current slave base station key and the ISC;
Step S2.2: the slave base station sends an add/modify DRB command message to the master base station; the add/modify DRB command message includes the ISC;
Step S2.3: after receiving the add/modify DRB command message, the master base station sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
Step S2.4: after receiving the RRC reconfiguration request message, the terminal derives a new slave base station key from the ISC parameter in the RRC reconfiguration request message and the current slave base station key, and establishes a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key. To further inform the master base station and the slave base station of the current connection status and/or the update status of the slave base station key, the method further includes:
Step S2.5: the terminal sends an RRC reconfiguration response to the master base station;
Step S2.6: after receiving the RRC reconfiguration response, the master base station sends SeNB status transfer information to the slave base station according to the RRC reconfiguration response, so as to feed back information such as the current connection status to the slave base station.
To facilitate the next update of the slave base station key, on the basis of any of the technical solutions of this embodiment, after the slave base station sends the add/modify DRB command message to the master base station, the method further includes: the slave base station updates the ISC. Specifically, updating the ISC may consist of adding 1 to the ISC count value.
In summary, this embodiment is a combination of Embodiment 1 and Embodiment 2 and may be regarded as a combination of the various technical solutions of Embodiments 1 and 2; it likewise resolves the shortcomings of slave base station key update in the prior art and also achieves a high level of security between the terminal and the slave base station.
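The self-triggered update of this embodiment (the key derivation decision, steps S2.1 to S2.6 and the ISC increment), together with the master-initiated path in which the slave base station derives its own key when the add/modify DRB request carries none, as an added Python simulation. This is not the patent's own code and not the applicant's implementation. The patent names the inputs of the derivation (current S-KeNB, ISC, and optionally the cell physical identity and carrier frequency) but fixes neither a key derivation function nor the form of the key synchronization check; the HMAC-SHA256 derivation, the key-confirmation tag, the message dictionaries, the carrying of the cell parameters in the RRC reconfiguration request, and the sample values (initial key, PCI 101, EARFCN 38000) are all assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Added example, not the patent's code. The patent fixes the derivation inputs
# (current S-KeNB, ISC, optionally cell physical identity and carrier frequency)
# but not the KDF; HMAC-SHA256 over those inputs is an assumption made here.
def derive_s_kenb(current_key: bytes, isc: int, pci: int, earfcn: int) -> bytes:
    """Next S-KeNB from the current key, the ISC count value and the cell parameters."""
    info = (b"S-KeNB-update" + isc.to_bytes(4, "big")
            + pci.to_bytes(2, "big") + earfcn.to_bytes(4, "big"))
    return hmac.new(current_key, info, hashlib.sha256).digest()


def key_sync_tag(key: bytes) -> bytes:
    """Constructed key-confirmation value (assumption): a MAC over a fixed label lets the
    slave base station check that the terminal holds the same S-KeNB without exposing it."""
    return hmac.new(key, b"S-KeNB-sync-check", hashlib.sha256).digest()


@dataclass
class SeNB:
    """Slave base station: first derivation unit, counter and trigger unit."""
    s_kenb: bytes
    pci: int          # cell physical identity of the small cell (derivation parameter)
    earfcn: int       # cell carrier frequency of the small cell (derivation parameter)
    isc: int = 0      # the embodiment starts the ISC count value at 0

    def should_update(self, key_expired: bool, terminal_tag: bytes) -> bool:
        """Key derivation decision: an expired key, or a key that no longer matches
        the terminal's (not synchronized), triggers an update."""
        in_sync = hmac.compare_digest(key_sync_tag(self.s_kenb), terminal_tag)
        return key_expired or not in_sync

    def on_add_modify_drb_request(self, req: dict) -> Optional[dict]:
        """Master-initiated path: a request carrying an S-KeNB is installed as received;
        one carrying no key makes the slave base station derive its own (Embodiment 4)."""
        if req.get("s_kenb") is not None:
            self.s_kenb = req["s_kenb"]
            return None
        return self.self_triggered_update()

    def self_triggered_update(self) -> dict:
        # Step S2.1: new S-KeNB from the current key and the ISC
        self.s_kenb = derive_s_kenb(self.s_kenb, self.isc, self.pci, self.earfcn)
        # Step S2.2: add/modify DRB command to the master base station carrying the ISC
        cmd = {"type": "ADD_MODIFY_DRB_CMD", "isc": self.isc,
               "pci": self.pci, "earfcn": self.earfcn}
        # After the command is sent, add 1 to the ISC so the next update never
        # repeats a count value, even for the same DRB at the same cell
        self.isc += 1
        return cmd


class MeNB:
    """Master base station: relays the ISC to the terminal and never sees the new key."""
    def on_add_modify_drb_cmd(self, cmd: dict) -> dict:
        # Step S2.3: extract the ISC and carry it in the RRC reconfiguration request;
        # the cell parameters ride along as SCG configuration (an assumption here)
        return {"type": "RRC_RECONF_REQ", "isc": cmd["isc"],
                "pci": cmd["pci"], "earfcn": cmd["earfcn"]}

    def on_rrc_reconf_response(self, resp: dict) -> dict:
        # Step S2.6: SeNB status transfer reporting the terminal's connection status
        return {"type": "SENB_STATUS_TRANSFER", "connected": resp["ok"]}


@dataclass
class UE:
    """Terminal: second receiving unit, second derivation unit and connection unit."""
    s_kenb: bytes

    def on_rrc_reconf_request(self, req: dict) -> dict:
        # Step S2.4: derive the new S-KeNB from the received ISC and the stored current key
        self.s_kenb = derive_s_kenb(self.s_kenb, req["isc"], req["pci"], req["earfcn"])
        # Step S2.5: RRC reconfiguration response (the connection setup itself is elided)
        return {"type": "RRC_RECONF_RESP", "ok": True}


def run_update_round(senb: SeNB, menb: MeNB, ue: UE) -> dict:
    """One complete self-triggered update, steps S2.1 to S2.6."""
    cmd = senb.self_triggered_update()
    req = menb.on_add_modify_drb_cmd(cmd)
    resp = ue.on_rrc_reconf_request(req)
    status = menb.on_rrc_reconf_response(resp)
    return {"isc_used": cmd["isc"],
            "in_sync": hmac.compare_digest(senb.s_kenb, ue.s_kenb),
            "status": status}


def demo() -> dict:
    # Constructed sample values: a shared initial S-KeNB and one small cell
    initial = hashlib.sha256(b"constructed initial S-KeNB").digest()
    senb, menb, ue = SeNB(s_kenb=initial, pci=101, earfcn=38000), MeNB(), UE(s_kenb=initial)
    first = run_update_round(senb, menb, ue)
    key_after_first = senb.s_kenb
    second = run_update_round(senb, menb, ue)   # same cell, same DRB: the ISC makes it differ
    return {"first_in_sync": first["in_sync"], "second_in_sync": second["in_sync"],
            "isc_values": (first["isc_used"], second["isc_used"]),
            "keys_differ": key_after_first != senb.s_kenb, "final_isc": senb.isc}


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible: the master base station only ever relays the count value, so the new S-KeNB is never carried over the X2 or RRC messages; and because each round feeds the previous key and a fresh ISC into a one-way function, two updates for the same DRB at the same cell yield different keys, which is the repeated-DRB problem the text describes. A mismatch in `should_update` is what would make the slave base station start a new round on its own.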
Embodiment 4:
This embodiment provides a slave base station, which includes:
a first derivation unit, configured to derive a new slave base station key from the current slave base station key and the ISC;
where the ISC is the count value for deriving the slave base station key.
The specific structure of the first derivation unit may be a processor; the processor includes electronic components with processing capability such as a multi-core or single-core central processing unit, a microcontroller, a digital signal processor and a programmable array. In a specific implementation the slave base station may further include a counter, which may be configured to form the ISC; in a specific implementation the value of the ISC may start from 0 or 1; in this embodiment counting starts from 0.
This embodiment provides a slave base station that can update the slave base station key by itself and thus gives hardware support to the slave base station key update method described in Embodiment 1; it likewise resolves the prior-art problem of slave base station key update caused when the master base station repeatedly pushes the associated DRB to the same slave base station. Preferably, as shown in FIG. 8, the slave base station includes a first derivation unit 110 and a first sending unit 120;
the first sending unit 120 is configured to, after the new slave base station key is derived from the slave base station key and the ISC, send an add/modify DRB command message to the master base station; the DRB command message includes the ISC;
where the ISC is sent by the master base station to the terminal in an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to connect to the slave base station using the slave base station key updated according to the ISC.
The specific structure of the first sending unit 120 may be a wired or wireless sending interface, for example a transmitting antenna or the wired communication interface corresponding to a twisted pair, coaxial cable or optical fibre. The sending interface is connected to the first derivation unit 110.
Preferably, as shown in FIG. 9, the slave base station further includes a first receiving unit 130 and a judging unit 140;
the first receiving unit 130 is configured to receive an add/modify DRB request message sent by the master base station before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the judging unit 140 is configured to judge whether the add/modify DRB request message carries a slave base station key;
the first derivation unit 110 is configured to derive the new slave base station key from the current slave base station key and the ISC when the add/modify DRB request message does not carry a slave base station key.
The specific structure of the first receiving unit 130 may include a receiving interface, such as a receiving antenna or another wired network communication interface; the specific structure of the judging unit 140 may be a processor, which may be an electronic component with processing capability such as a central processing unit, microcontroller, digital signal processor or programmable logic array. In a specific implementation the judging unit 140 and the first derivation unit 110 may each correspond to a separate processor, the processors being connected through a connection interface or bus inside the slave base station; or they may be integrated on the same processor, which performs the respective functions of the first derivation unit and the judging unit 140 by time-division multiplexing or in different threads.
Preferably, the slave base station further includes a trigger unit;
the trigger unit is configured to judge, according to a key derivation decision, whether to trigger an update of the slave base station key before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the first derivation unit 110 is further configured to derive the new slave base station key from the current slave base station key and the ISC after the trigger unit triggers the updated slave base station key.
Specifically, the trigger unit is configured to judge whether the current slave base station key has expired and to trigger an updated slave base station key when it has; or to judge whether the slave base station keys of the slave base station and the terminal are synchronized and to trigger an updated slave base station key when they are not.
The trigger unit may likewise correspond to a processor, or to another structure such as a wired network communication interface; the specific structure of the trigger unit may be a processor, which may be an electronic component with processing capability such as a central processing unit, microcontroller, digital signal processor or programmable logic array; the trigger unit may have a processor of its own or may be integrated with other functional units on the same processor. In a specific implementation the processor is further connected to a storage medium; by running a program or software stored in the storage medium, the functions of the first derivation unit 110, the judging unit 140 and the trigger unit can each be realized.
Preferably, the first derivation unit 110 is specifically configured to derive the new slave base station key from the slave base station key, the ISC and derivation parameters. The derivation parameters include at least one of the cell physical identity and the cell carrier frequency, the cell being the cell formed by the coverage of the slave base station. In a specific implementation the derivation parameters may also include other parameters and are not limited to the cell physical identity and the cell carrier frequency.
Preferably, the slave base station further includes a counter, configured to update the ISC after the new slave base station key is derived from the slave base station key and the ISC.
Embodiment 5:
As shown in FIG. 10, this embodiment provides a terminal, which includes:
a second receiving unit 210, configured to receive an RRC reconfiguration request message sent by the master base station; a second derivation unit 220, configured to derive a new slave base station key from the ISC and the slave base station key;
a connection unit 230, configured to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
where the ISC is the count value for deriving the slave base station key.
The terminal may be a dual-mode or multi-mode terminal capable of connecting to at least two base stations.
The specific structure of the second receiving unit 210 may include a communication interface such as a receiving antenna. The second derivation unit 220 may include a processor configured to extract the required information from the message received by the second receiving unit 210, specifically to derive the new slave base station key from the ISC in the RRC reconfiguration request message and the current slave base station key stored in the terminal. The processor may be an electronic component with processing capability such as a central processing unit, microcontroller, digital signal processor or programmable logic array. In a specific implementation the processor is further connected to a storage medium; by running a program or software stored in the storage medium, the functions of the second derivation unit 220 can be realized.
The connection unit 230 is configured to establish a connection channel between the terminal and the slave base station; its corresponding structure may include a communication interface such as an air interface.
The terminal of this embodiment provides hardware support for the slave base station key update method described in Embodiment 2 and can be used to implement any of the technical solutions of Embodiment 2; it likewise has the function of updating the slave base station key without needing to obtain the key from the master base station or the slave base station, and thus has the advantage of high security.
Embodiment 6:
As shown in FIG. 11, this embodiment provides a communication system, which includes: a slave base station 330, configured to derive a new slave base station key from the current slave base station key and the ISC, and to send an add/modify DRB command message to a master base station 310, the DRB command message including the ISC;
the master base station 310, configured to receive the add/modify DRB command message, extract the ISC, and send the ISC to a terminal in an RRC reconfiguration request message;
the terminal 320, configured to receive the RRC reconfiguration request message, derive a new slave base station key from the ISC and the current slave base station key, and establish a connection with the slave base station 330 according to the RRC reconfiguration request message and the new slave base station key;
where the ISC is the count value for deriving the slave base station key.
Preferably, the master base station 310 is further configured to send an add/modify DRB request message before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the slave base station 330 is further configured to receive the add/modify DRB request message, judge whether it carries a slave base station key, and, when it does not, derive the new slave base station key from the current slave base station key and the ISC.
The slave base station 330 is further configured to judge, according to a key derivation decision, whether to trigger an update of the slave base station key before deriving the new slave base station key from the current slave base station key and the ISC, and, when the update is triggered, to perform the step of deriving the new slave base station key from the current slave base station key and the ISC. The slave base station 330 is configured to judge whether the current slave base station key has expired, or whether the slave base station keys of the slave base station and the terminal are synchronized, and to trigger an updated slave base station key by itself when the key has expired or when the keys are not synchronized.
The slave base station 330 is further configured to update the ISC after sending the add/modify DRB command message to the master base station.
The master base station 310, the terminal 320 and the slave base station 330 are all connected through a wireless network.
FIG. 12 shows an example of a communication system including a macro base station, a small base station and a terminal. The macro base station, acting as the master base station, forms the macro cell enclosed by the large ellipse; the small base station, acting as the slave base station, forms the small cell enclosed by the small ellipse. The terminal is connected to both the macro base station and the small base station; the terminal and the macro base station exchange data such as U-plane data over carrier F1, and the terminal and the small base station exchange data such as U-plane data over carrier F2, where U-plane data is user-plane data.
The communication system of this embodiment provides hardware support for the slave base station key update method described in Embodiment 3 and can be used to implement any of the technical solutions of Embodiment 3; it resolves the prior-art problem of slave base station key update and at the same time improves the security of information transmission between the slave base station and the terminal.
An embodiment of the present invention further provides a computer storage medium storing computer-executable instructions for performing at least one of the methods described in Embodiments 1 to 3, specifically the methods shown in FIG. 1, FIG. 2, FIG. 3 and/or FIG. 6.
The computer storage medium includes various media capable of storing program code, such as a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc; preferably it is a non-transitory storage medium.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification made in accordance with the principles of the present invention shall be understood to fall within the scope of protection of the present invention.

Claims

1. A slave base station key update method, the method including:
deriving a new slave base station key from the current slave base station key and an ISC;
where the ISC is a count value for deriving the slave base station key.
2. The method according to claim 1, wherein, after deriving the new slave base station key from the slave base station key and the ISC, the method further includes:
sending an add/modify DRB command message to the master base station, the DRB command message including the ISC;
where the ISC is sent by the master base station to a terminal in an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to derive a new slave base station key from the ISC and the current slave base station key and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
3. The method according to claim 1 or 2, wherein, before the slave base station derives the new slave base station key from the current slave base station key and the ISC, the method further includes:
receiving an add/modify DRB request message sent by the master base station;
judging whether the add/modify DRB request message carries a slave base station key;
if not, proceeding to the step in which the slave base station derives the new slave base station key from the current slave base station key and the ISC.
4. The method according to claim 1 or 2, wherein,
before the slave base station derives the new slave base station key from the current slave base station key and the ISC, the method further includes:
judging, according to a key derivation decision, whether to trigger an update of the slave base station key;
if so, proceeding to the step in which the slave base station derives the new slave base station key from the current slave base station key and the ISC.
5. The method according to claim 4, wherein judging, according to the key derivation decision, whether to trigger the update of the slave base station key includes:
judging whether the current slave base station key has expired;
if it has expired, triggering an updated slave base station key; or
judging whether the slave base station keys of the slave base station and the terminal are synchronized;
if they are not synchronized, triggering an updated slave base station key.
6. The method according to claim 1 or 2, wherein the slave base station deriving the new slave base station key from the current slave base station key and the ISC includes:
deriving the new slave base station key from the slave base station key, the ISC and derivation parameters.
7. The method according to claim 6, wherein
the derivation parameters include a cell physical identity and/or a cell carrier frequency;
the cell being the cell formed by the coverage of the slave base station.
8. The method according to claim 1 or 2, wherein, after deriving the new slave base station key from the slave base station key and the ISC, the method includes:
updating the ISC.
9. A slave base station key update method, the method including:
receiving an RRC reconfiguration request message sent by a master base station, the RRC reconfiguration request message including an ISC;
deriving a new slave base station key from the ISC and the current slave base station key;
establishing a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
where the ISC is a count value for deriving the slave base station key.
10. A slave base station key update method, wherein the method includes:
a slave base station deriving a new slave base station key from the current slave base station key and an ISC;
the slave base station sending an add/modify DRB command message to a master base station, the DRB command message including the ISC;
the master base station receiving the add/modify DRB command message;
the master base station sending an RRC reconfiguration request message to a terminal, the RRC reconfiguration message including the ISC;
the terminal receiving the RRC reconfiguration request message;
the terminal deriving a new slave base station key from the ISC and the current slave base station key;
the terminal establishing a connection with the slave base station according to the RRC reconfiguration message and the new slave base station key;
where the ISC is a count value for deriving the slave base station key.
11. The method according to claim 10, wherein, before the slave base station derives the new slave base station key from the current slave base station key and the ISC, the method further includes:
the master base station sending an add/modify DRB request message;
the slave base station receiving the add/modify DRB request message;
the slave base station judging whether the add/modify DRB request message carries a slave base station key; if not, the slave base station performing the step of deriving the new slave base station key from the current slave base station key and the ISC.
12. The method according to claim 10, wherein, before the slave base station derives the new slave base station key from the current slave base station key and the ISC, the method further includes:
the slave base station judging, according to a key derivation decision, whether to trigger an update of the slave base station key;
if so, the slave base station performing the step of deriving the new slave base station key from the current slave base station key and the ISC.
13. The method according to claim 12, wherein the slave base station judging, according to the key derivation decision, whether to trigger the update of the slave base station key includes:
the slave base station judging whether the current slave base station key has expired;
if it has expired, the slave base station itself triggering an updated slave base station key; or
the slave base station judging whether the slave base station keys of the slave base station and the terminal are synchronized;
if they are not synchronized, the slave base station itself triggering an updated slave base station key.
14. The method according to any one of claims 10 to 13, wherein, after the slave base station sends the add/modify DRB command message to the master base station, the method further includes:
the slave base station updating the ISC.
15. A slave base station, including:
a first derivation unit, configured to derive a new slave base station key from the current slave base station key and an ISC;
where the ISC is the count value of a counter for deriving the slave base station key.
16. The slave base station according to claim 15, wherein the slave base station further includes a first sending unit;
the first sending unit is configured to, after the new slave base station key is derived from the slave base station key and the ISC, send an add/modify DRB command message to the master base station, the DRB command message including the ISC;
where the ISC is sent by the master base station to a terminal in an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to derive a new slave base station key from the ISC and the current slave base station key and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
17. The slave base station according to claim 15 or 16, wherein the slave base station further includes a first receiving unit and a judging unit;
the first receiving unit is configured to receive an add/modify DRB request message sent by the master base station before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the judging unit is used to judge whether the add/modify DRB request message carries a slave base station key;
the first derivation unit is configured to derive the new slave base station key from the current slave base station key and the ISC when the add/modify DRB request message does not carry a slave base station key.
18. The slave base station according to claim 15 or 16, wherein the slave base station further includes a trigger unit; the trigger unit is configured to judge, according to a key derivation decision, whether to trigger an update of the slave base station key before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the first derivation unit is further configured to derive the new slave base station key from the current slave base station key and the ISC after the trigger unit triggers the updated slave base station key.
19、 根据权利要求 18所述的从基站, 其中, 所述触发单元, 配置为判 断当前从基站密钥是失效及当所述从基站密钥失效时触发更新的从基站密 钥; 或判断从基站与终端的从基站密钥是否同步及当不同步时触发更新的 从基站密钥。 19. The slave base station according to claim 18, wherein the triggering unit is configured to determine whether the current slave base station key is invalid and to trigger an updated slave base station key when the slave base station key becomes invalid; or to determine whether the slave base station key is invalid. Whether the slave base station keys of the base station and the terminal are synchronized and trigger the updated slave base station key when they are not synchronized.
20. The slave base station according to claim 15 or 16, wherein the first derivation unit is configured to derive a new slave base station key based on the slave base station key, the ISC and derivation parameters.
21. The slave base station according to claim 20, wherein
the derivation parameters comprise a physical cell identity and/or a cell carrier frequency;
the cell is the cell formed by the coverage of the slave base station.
22. The slave base station according to claim 15 or 16, wherein the slave base station further comprises a counter;
the counter is configured to update the ISC after the new slave base station key has been derived based on the slave base station key and the ISC.
23. A terminal, the terminal comprising:
a second receiving unit, configured to receive an RRC reconfiguration request message sent by a master base station; a second derivation unit, configured to derive a new slave base station key based on the current ISC and the slave base station key;
a connection unit, configured to establish a connection with the slave base station based on the RRC reconfiguration request message and the new slave base station key; wherein the ISC is a count value used for deriving the slave base station key.
24. A communication system, the communication system comprising:
a slave base station, configured to derive a new slave base station key based on the current slave base station key and an ISC, and to send an add/modify DRB command message to a master base station, the DRB command message comprising the ISC;
a master base station, configured to receive the add/modify DRB command message, extract the ISC, and send the ISC to a terminal through an RRC reconfiguration request message;
a terminal, configured to receive the RRC reconfiguration request message, update the slave base station key based on the ISC and the slave base station key, and establish a connection with the slave base station based on the RRC reconfiguration request message and the new slave base station key;
wherein the ISC is a count value used for deriving the slave base station key.
25. The system according to claim 24, wherein
the master base station is further configured to send an add/modify DRB request message before the slave base station derives a new slave base station key based on the current slave base station key and the ISC;
the slave base station is further configured to receive the add/modify DRB request message, judge whether the add/modify DRB request message carries a slave base station key, and, when the add/modify DRB request message does not carry a slave base station key, derive a new slave base station key based on the current slave base station key and the ISC.
26. The system according to claim 24, wherein
the slave base station is further configured to judge, based on a key derivation decision, whether to trigger an update of the slave base station key before the slave base station derives a new slave base station key based on the current slave base station key and the ISC, and, when the update of the slave base station key is triggered, to perform the step of deriving a new slave base station key based on the current slave base station key and the ISC.
27. The method according to claim 26, wherein the slave base station is configured to judge whether the current slave base station key is invalid, or to judge whether the slave base station keys held by the slave base station and by the terminal are synchronized; and to trigger the update of the slave base station key on its own when the slave base station key is invalid, or to trigger the update of the slave base station key on its own when the keys are not synchronized.
28. The method according to any one of claims 24 to 26, wherein the slave base station is further configured to update the ISC after the slave base station has sent the add/modify DRB command message to the master base station.
29. A computer storage medium, the computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute at least one of the methods according to claims 1 to 14.
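The exchange of claims 20 to 24 and 26 to 28, simulated end to end as an added example (this is illustration code written for this page, not the patent's or ZTE's own implementation). The patent fixes neither the key derivation function, the counter width, nor the exact derivation parameters, so the block assumes HMAC-SHA256 as the KDF, a 32-bit ISC, and the slave cell's physical cell identity (PCI) and carrier frequency (EARFCN) as the derivation parameters of claim 21; the message dictionaries, the `key_id` comparison used for the synchronization check, and the terminal's in-order ISC check are likewise assumptions. The point it makes beyond the claim text: because each new slave key is chained from the current one, both ends must consume every ISC exactly once, so the terminal can use the counter to detect and reject a stale or repeated reconfiguration, and the master base station only ever relays the counter, never the slave key.

```python
"""Added illustration of the ISC-driven slave key update of claims 20-24 and 26-28.
Example code, not the patent's own. KDF, counter width, message layout and the
key_id synchronization check are assumptions not fixed by the patent text."""
import hashlib
import hmac
import struct

ISC_MAX = 2**32  # assumed counter width


def derive_slave_key(current_key: bytes, isc: int, pci: int, earfcn: int) -> bytes:
    """Claims 20/21: new slave key = KDF(current slave key, ISC, PCI, carrier frequency).
    HMAC-SHA256 is an assumed KDF; the label gives domain separation."""
    if not 0 <= isc < ISC_MAX:
        raise ValueError("ISC exhausted: re-key from a fresh key instead of wrapping the counter")
    label = b"slave-bs-key-update"  # assumed label
    return hmac.new(current_key, label + struct.pack(">IHI", isc, pci, earfcn), hashlib.sha256).digest()


def key_id(key: bytes) -> str:
    """Short non-secret identifier so two parties can compare keys without revealing them (assumption)."""
    return hashlib.sha256(b"key-id" + key).hexdigest()[:8]


class SlaveBaseStation:
    def __init__(self, slave_key: bytes, pci: int, earfcn: int):
        self.key = slave_key
        self.isc = 0  # claim 22: counter held at the slave base station
        self.pci, self.earfcn = pci, earfcn

    def should_update(self, key_invalid: bool, terminal_key_id: str) -> bool:
        """Claims 19/27: trigger when the key is invalid or out of sync with the terminal."""
        return key_invalid or terminal_key_id != key_id(self.key)

    def update_key(self) -> dict:
        """Claim 24: derive with the current ISC and carry that ISC in the add/modify DRB command.
        Claim 28: the counter advances only after the command has been produced."""
        self.key = derive_slave_key(self.key, self.isc, self.pci, self.earfcn)
        command = {"type": "AddModifyDRBCommand", "isc": self.isc,
                   "pci": self.pci, "earfcn": self.earfcn}  # cell parameters in the message: assumption
        self.isc += 1
        return command


class MasterBaseStation:
    def relay(self, drb_command: dict) -> dict:
        """Claim 24: extract the ISC and forward it in an RRC reconfiguration request.
        Only the counter and cell parameters cross this hop; the slave key itself never does."""
        return {"type": "RRCReconfigurationRequest", "isc": drb_command["isc"],
                "pci": drb_command["pci"], "earfcn": drb_command["earfcn"]}


class Terminal:
    def __init__(self, slave_key: bytes):
        self.key = slave_key
        self.expected_isc = 0

    def on_rrc_reconfiguration(self, rrc: dict) -> bool:
        """Claim 23: derive the new key from the received ISC and the current key.
        Keys are chained, so an update may be applied once and in order only; a stale or
        repeated ISC is rejected (defensive check added here, not stated in the claims)."""
        if rrc["isc"] != self.expected_isc:
            return False
        self.key = derive_slave_key(self.key, rrc["isc"], rrc["pci"], rrc["earfcn"])
        self.expected_isc += 1
        return True


def run_update_round(slave: SlaveBaseStation, master: MasterBaseStation, terminal: Terminal) -> bool:
    """One full slave -> master -> terminal exchange; True when both ends end up with the same key."""
    rrc = master.relay(slave.update_key())
    accepted = terminal.on_rrc_reconfiguration(rrc)
    return accepted and slave.key == terminal.key


def demo() -> dict:
    initial_key = bytes(range(32))  # constructed initial slave base station key shared by both ends
    slave = SlaveBaseStation(initial_key, pci=101, earfcn=1850)  # constructed cell parameters
    master = MasterBaseStation()
    terminal = Terminal(initial_key)
    results = {"in_sync_before": slave.should_update(False, key_id(terminal.key)) is False}
    results["round1"] = run_update_round(slave, master, terminal)
    results["round2"] = run_update_round(slave, master, terminal)
    # A replayed reconfiguration carrying an already-consumed ISC must not move the terminal's key.
    replay = master.relay({"type": "AddModifyDRBCommand", "isc": 0, "pci": 101, "earfcn": 1850})
    results["replay_rejected"] = terminal.on_rrc_reconfiguration(replay) is False
    results["isc_after"] = slave.isc
    results["still_in_sync"] = slave.key == terminal.key
    return results


if __name__ == "__main__":
    print(demo())
```

The `should_update` decision mirrors claims 19 and 27: the slave re-keys either because its own key is flagged invalid or because the terminal's reported key identifier no longer matches. Exhausting the assumed 32-bit counter raises instead of wrapping, since a wrapped ISC would let two different keys be derived under the same counter value.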
PCT/CN2014/084808 2014-03-14 2014-08-20 Key update method, sub base station, terminal, communication system and storage medium WO2015135292A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410096468.5A CN104918242B (en) 2014-03-14 2014-03-14 Slave base station key updating method, slave base station, terminal and communication system
CN201410096468.5 2014-03-14

Publications (1)

Publication Number Publication Date
WO2015135292A1 true WO2015135292A1 (en) 2015-09-17

Family

ID=54070866

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/084808 WO2015135292A1 (en) 2014-03-14 2014-08-20 Key update method, sub base station, terminal, communication system and storage medium

Country Status (2)

Country Link
CN (1) CN104918242B (en)
WO (1) WO2015135292A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106817696A (en) * 2015-12-01 2017-06-09 宏达国际电子股份有限公司 Process the device and method of the data transmission/reception for dual link
US11924341B2 (en) 2021-04-27 2024-03-05 Rockwell Collins, Inc. Reliable cryptographic key update

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109196897B (en) * 2016-04-05 2022-04-26 诺基亚通信公司 Optimized secure key refresh procedure for 5G MC
CN108810888B (en) * 2017-05-05 2020-09-18 华为技术有限公司 Key updating method and device
GB2564530B (en) 2017-05-15 2020-08-05 Samsung Electronics Co Ltd Improvements in and relating to telecommunication network security
WO2018227480A1 (en) 2017-06-15 2018-12-20 Qualcomm Incorporated Refreshing security keys in 5g wireless systems
CN109756894B (en) * 2017-08-22 2020-09-25 大唐移动通信设备有限公司 High-definition voice call method, base station and terminal
CN110896539B (en) * 2018-09-12 2021-03-19 维沃移动通信有限公司 Processing method and apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103096308A (en) * 2011-11-01 2013-05-08 华为技术有限公司 Method for generating group key and an associated device
WO2013116976A1 (en) * 2012-02-06 2013-08-15 Nokia Corporation A fast-accessing method and apparatus

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267303B (en) * 2007-03-13 2012-07-04 中兴通讯股份有限公司 Communication method between service nodes
CN101631307B (en) * 2009-08-25 2015-01-28 中兴通讯股份有限公司 Empty password refreshing method and system for wireless communication system
CN103167492B (en) * 2011-12-15 2016-03-30 华为技术有限公司 Generate method and the equipment thereof of access layer secret key in a communications system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106817696A (en) * 2015-12-01 2017-06-09 宏达国际电子股份有限公司 Process the device and method of the data transmission/reception for dual link
US10368238B2 (en) 2015-12-01 2019-07-30 Htc Corporation Device and method of handling data transmission/reception for dual connectivity
CN106817696B (en) * 2015-12-01 2019-12-10 宏达国际电子股份有限公司 Apparatus and method for processing data transmission/reception for dual connection
US11924341B2 (en) 2021-04-27 2024-03-05 Rockwell Collins, Inc. Reliable cryptographic key update

Also Published As

Publication number Publication date
CN104918242B (en) 2020-04-03
CN104918242A (en) 2015-09-16

Similar Documents

Publication Publication Date Title
JP7100115B2 (en) Security implementation methods, related devices and systems
WO2015135292A1 (en) Key update method, sub base station, terminal, communication system and storage medium
JP6416918B2 (en) Security key changing method, base station, and user equipment
US11483705B2 (en) Method and device for generating access stratum key in communications system
US10812973B2 (en) System and method for communicating with provisioned security protection
EP3682667B1 (en) Security context in a wireless communication system
WO2015158060A1 (en) Method and system for controlling access of csg in dual-connection architecture
AU2020264654B2 (en) Communication method and communications apparatus
EP3403386A2 (en) Key establishment for communications within a group
WO2011054286A1 (en) Key generation method, device and system
WO2018032896A1 (en) D2d synchronization signal sending method and apparatus
WO2015139434A1 (en) Method and apparatus for determining a security algorithm
CN109196897B (en) Optimized secure key refresh procedure for 5G MC
JP6586212B2 (en) Security key changing method, base station, and user equipment
WO2011000160A1 (en) Message informing method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14885513

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14885513

Country of ref document: EP

Kind code of ref document: A1