WO2015135292A1 - Key update method, slave base station, terminal, communication system and storage medium - Google Patents

Info

Publication number: WO2015135292A1
Authority: WO, WIPO (PCT)
Prior art keywords: base station, slave base, key, isc, station key
Application number: PCT/CN2014/084808
Other languages: English (en), Chinese (zh)
Inventors: 李阳, 林兆骥, 游世林
Original assignee: 中兴通讯股份有限公司

Classifications

    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H04W76/10 Connection setup
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00, applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • the present invention relates to information security technologies in the field of communications, and in particular to a key update method, a slave base station, a terminal, a communication system, and a storage medium.

Background technique

  • LTE: Long Term Evolution
  • E-UTRAN: Evolved Universal Terrestrial Radio Access Network
  • EPC: Evolved Packet Core
  • the E-UTRAN is connected to the EPC through the S1 interface.
  • the E-UTRAN is composed of a plurality of Evolved NodeBs (eNBs) connected to each other; the eNBs are connected through the X2 interface.
  • eNB: Evolved NodeB
  • the EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW).
  • MME: Mobility Management Entity
  • S-GW: Serving Gateway
  • HE: Home Environment
  • HSS: Home Subscriber Server
  • HLR: Home Location Register
  • LTE-Advanced: Long-Term Evolution Advanced
  • LTE-Advanced is the evolution of Long-Term Evolution (LTE) systems and retains LTE.
  • SC: Small Cell
  • a user equipment (UE) is connected to two cells, a primary cell (macro cell) and a secondary cell (small cell). The base station of the primary cell is called the master base station (Macro eNodeB, MeNB), and the base station of the secondary cell is called the slave base station (small eNodeB or secondary eNodeB, SeNB). The signaling plane between the UE and the network is completed by the master base station, while the user plane is completed jointly by the master base station and the slave base station, i.e. the UE has a user plane connection with the master base station and a user plane connection with the slave base station. This is referred to as dual connectivity.
  • the main technology of dual connectivity is the allocation of the user plane protocol stack functions between the master base station and the slave base station; several schemes exist, the main one being the scheme shown in Figure 2.
  • in that scheme, the user plane and control plane of the master base station remain unchanged, and the user plane protocol stack of the slave base station includes all layers from the PDCP layer to the PHY layer.
  • the slave base station is directly connected to the S-GW, and the S1-U interface is identical to the existing one.
  • for a DRB that is transferred to the slave base station on the air interface, the UE connects directly with the slave base station to deliver the transferred DRB.
  • the key used for air interface security between the UE and the MeNB, the KeNB, is generated by the AKA process between the UE and the core network (CN).
  • the SeNB is selected by the MeNB, and this process does not interact with the CN; therefore the key used for air interface security between the UE and the SeNB (S-KeNB for short) cannot be generated by the CN.
  • when the MeNB first transfers a DRB to the SeNB, the key used by the SeNB is derived by the MeNB from the M-KeNB and the MeNB's internal counter SCC, and is then transmitted by the MeNB to the SeNB.
  • when the MeNB transfers the DRB of the UE to another SeNB, the MeNB again derives the key from the M-KeNB and the SCC and sends it to the new SeNB. Each time the MeNB derives an S-KeNB, the SCC increases by one. How to update the S-KeNB when the MeNB transfers DRBs to the same SeNB multiple times is the problem to be solved.

Summary of the invention
  • embodiments of the present invention are directed to providing a slave base station key update method, a base station, a terminal, a communication system, and a computer storage medium, which simplify the slave base station key update and improve information security between the base station and the terminal.
  • a first aspect of the embodiments of the present invention provides a slave base station key update method, where the method includes: deriving a new slave base station key according to the current slave base station key and an ISC;
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • the method further includes: sending an add modified DRB command message to the primary base station; the DRB command message includes the ISC;
  • the ISC is sent by the primary base station to the terminal by using an RRC reconfiguration request message, where the RRC reconfiguration request message is used to instruct the terminal to derive a new slave base station key according to the ISC and the current slave base station key, and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the method further includes: receiving an add modified DRB request message sent by the primary base station before the new slave base station key is derived; determining whether the add modified DRB request message carries a slave base station key; and, if it does not, entering the step in which the slave base station derives a new slave base station key according to the current slave base station key and the ISC.
  • the method further includes: determining, according to a key derivation decision, whether to trigger the update of the slave base station key; and, when the update is triggered, entering the step in which the slave base station derives a new slave base station key according to the current slave base station key and the ISC.
  • determining, according to the key derivation decision, whether to trigger the update of the slave base station key includes: determining whether the current slave base station key is invalid, and triggering the update when it is invalid; or determining whether the slave base station key is synchronized between the slave base station and the terminal, and triggering the update when it is not synchronized.
  • deriving, by the slave base station, a new slave base station key according to the current slave base station key and the ISC includes: deriving the new slave base station key according to the slave base station key, the ISC, and derivation parameters.
  • the derivation parameters include a cell physical identifier and/or a cell carrier frequency; the cell is the cell formed by the coverage of the slave base station.
  • a second aspect of the embodiments of the present invention provides a slave base station key update method, where the method includes: receiving an RRC reconfiguration request message sent by the primary base station, where the RRC reconfiguration request message includes an ISC; deriving a new slave base station key according to the ISC and the current slave base station key; and establishing a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the ISC is the count value used for deriving the slave base station key.
  • a third aspect of the embodiments of the present invention provides a slave base station key update method, where the method includes: deriving, by the slave base station, a new slave base station key according to the current slave base station key and an ISC; sending, by the slave base station, an add modified DRB command message to the primary base station, where the DRB command message includes the ISC;
  • the primary base station receives the add modified DRB command message;
  • the primary base station sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
  • the terminal derives a new slave base station key according to the ISC and the current slave base station key, and establishes a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • the method further includes: the primary base station sends an add modified DRB request message to the slave base station before the slave base station derives the new slave base station key; the slave base station receives the add modified DRB request message and determines whether it carries a slave base station key; if it does not, the slave base station performs the step of deriving the new slave base station key according to the current slave base station key and the ISC.
  • the method further includes: the slave base station determines, according to a key derivation decision, whether to trigger the update of the slave base station key; if so, the slave base station performs the step of deriving a new slave base station key according to the current slave base station key and the ISC.
  • determining, by the slave base station according to the key derivation decision, whether to trigger the update of the slave base station key comprises: determining whether the current slave base station key is invalid, and if it is invalid, the update of the slave base station key is triggered by the slave base station itself; or determining whether the slave base station key is synchronized between the slave base station and the terminal, and if it is not synchronized, the update of the slave base station key is triggered by the slave base station itself.
  • the method further includes: after the slave base station sends the add modified DRB command message to the primary base station, the slave base station updates the ISC.
  • a fourth aspect of the embodiments of the present invention provides a slave base station, where the slave base station includes:
  • a first derivation unit configured to derive a new slave base station key according to the current slave base station key and the ISC;
  • the ISC is the count value of the counter used by the slave base station for deriving the slave base station key.
  • the slave base station further includes a first sending unit configured to send an add modified DRB command message to the primary base station after the new slave base station key has been derived from the slave base station key and the ISC; the DRB command message includes the ISC;
  • the ISC is sent by the primary base station to the terminal by using an RRC reconfiguration request message, where the RRC reconfiguration request message is used to instruct the terminal to derive a new slave base station key according to the ISC and the current slave base station key, and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the slave base station further includes a first receiving unit and a determining unit, where the first receiving unit is configured to receive the add modified DRB request message sent by the primary base station before the slave base station derives a new slave base station key according to the current slave base station key and the ISC, and the determining unit is configured to determine whether the add modified DRB request message carries a slave base station key;
  • the first derivation unit is configured to derive a new slave base station key according to the current slave base station key and the ISC when the add modified DRB request message does not carry a slave base station key.
  • the slave base station further includes a triggering unit configured to determine, according to a key derivation decision, whether to trigger the update of the slave base station key before the slave base station derives the new slave base station key according to the current slave base station key and the ISC; the first derivation unit is further configured to derive a new slave base station key from the slave base station key and the ISC after the triggering unit triggers the update of the slave base station key.
  • the triggering unit is configured to determine whether the current slave base station key is invalid, and to trigger the update of the slave base station key when it is invalid; or to determine whether the slave base station key is synchronized between the slave base station and the terminal, and to trigger the update when it is not synchronized.
  • the first derivation unit is configured to derive a new slave base station key according to the slave base station key, the ISC, and derivation parameters.
  • the derivation parameters include a cell physical identifier and/or a cell carrier frequency; the cell is the cell formed by the coverage of the slave base station.
  • the slave base station further includes a counter configured to update the ISC after the new slave base station key is derived from the slave base station key and the ISC.
  • a fifth aspect of the embodiment of the present invention provides a terminal, where the terminal includes:
  • a second receiving unit configured to receive an RRC reconfiguration request message sent by the primary base station, where the RRC reconfiguration request message includes an ISC; a second derivation unit configured to derive a new slave base station key according to the ISC and the current slave base station key;
  • a connecting unit configured to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • a sixth aspect of the embodiments of the present invention provides a communication system, where the communication system includes: a slave base station configured to derive a new slave base station key according to the current slave base station key and an ISC, and to send an add modified DRB command message to the primary base station; the DRB command message includes the ISC;
  • the primary base station is configured to receive the add modified DRB command message, extract the ISC, and send the ISC to the terminal by using an RRC reconfiguration request message;
  • a terminal configured to receive the RRC reconfiguration request message, derive a new slave base station key according to the ISC and the current slave base station key, and establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • the primary base station is further configured to send an add modified DRB request message before the slave base station derives a new slave base station key according to the current slave base station key and the ISC;
  • the slave base station is further configured to receive the add modified DRB request message, determine whether the add modified DRB request message carries a slave base station key, and, when it does not, derive the new slave base station key from the current slave base station key and the ISC.
  • the slave base station is further configured to determine, according to a key derivation decision, whether to trigger the update of the slave base station key before it derives the new slave base station key according to the current slave base station key and the ISC, and, when the update is triggered, to perform the step of deriving a new slave base station key from the slave base station key and the ISC.
  • the slave base station is configured to determine whether the current slave base station key is invalid, or whether the slave base station key is synchronized between the slave base station and the terminal, and to trigger the update of the slave base station key when the key is invalid or when it is not synchronized. Based on the foregoing solution, the slave base station is further configured to update the ISC after it sends the add modified DRB command message to the master base station.
  • a sixth aspect of the embodiments of the present invention provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute at least one of the methods of the first to third aspects of the embodiments of the present invention.
  • the slave base station key update method, the base station, the terminal, and the communication system solve the problem of updating the slave base station key when the master base station transfers associated DRBs to the same slave base station multiple times, by having the slave base station derive the slave base station key by itself.
  • the key update method avoids the security risk caused by the transmission of the slave base station key between base stations, thereby improving communication security.
  • FIG. 1 is a schematic flowchart of a slave base station key update method according to Embodiment 1 of the present invention;
  • FIG. 2 is a second schematic flowchart of a slave base station key update method according to Embodiment 1 of the present invention;
  • FIG. 4 is a schematic diagram of a slave base station key derivation method according to Embodiment 3 of the present invention;
  • FIG. 6 is a schematic flowchart of a slave base station key update method according to Embodiment 3 of the present invention;
  • FIG. 7 is a schematic diagram of a slave base station key update according to Embodiment 3 of the present invention;
  • FIG. 8 is a schematic structural diagram of a slave base station according to Embodiment 4 of the present invention;
  • FIG. 9 is a second schematic structural diagram of a slave base station according to Embodiment 4 of the present invention;
  • FIG. 10 is a schematic structural diagram of a terminal according to Embodiment 5 of the present invention;
  • FIG. 11 is a schematic structural diagram of a communication system according to Embodiment 6 of the present invention;
  • FIG. 12 is a second schematic structural diagram of a communication system according to Embodiment 6 of the present invention.

Detailed description

Embodiment 1
  • this embodiment provides a slave base station key update method, where the method includes: deriving a new slave base station key according to the current slave base station key and an ISC;
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • the slave base station derives the new slave base station key according to the slave base station key and the ISC currently stored in the slave base station.
  • the new slave base station key is different from the current slave base station key before derivation, and the slave base station key no longer needs to be sent by the primary base station to the slave base station. Firstly, a brand new way of obtaining the slave base station key is provided; secondly, because the slave base station derives the key by itself, the security problem caused by transmitting the slave base station key is avoided, thereby improving information security.
  • the specific key derivation method may follow the prior art.
  • the method specifically includes: Step S110: deriving a new slave base station key according to the current slave base station key and an ISC; Step S120: sending an add modified DRB command message to the primary base station, where the DRB command message includes the ISC;
  • the ISC is sent by the primary base station to the terminal by using an RRC reconfiguration request message; the RRC reconfiguration request message is used to instruct the terminal to derive a new slave base station key according to the ISC and the current slave base station key, and to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the updated new slave base station key will be used in the communication between the slave base station and the terminal; at this time no connection has yet been established between the slave base station and the terminal, so the ISC needs to be forwarded by the primary base station to the terminal.
  • the slave base station key itself cannot be transmitted between the slave base station and the terminal, but the slave base station function module of the terminal needs to be synchronized with the slave base station key held in the slave base station; therefore the ISC used for deriving the slave base station key is sent to the terminal, and the terminal derives the slave base station key by itself according to the ISC.
  • the method by which the terminal derives the slave base station key is consistent with the method by which the slave base station derives the slave base station key.
  • the primary base station is usually a macro base station; the slave base station is usually a small base station or a home base station, and may also be an ordinary macro base station.
  • the terminal is usually a dual connectivity terminal or a multiple connectivity terminal.
  • the method may further include the following steps before step S110:
  • Step S101: receive an add modified DRB request message sent by the primary base station.
  • Step S102: determine whether the add modified DRB request message carries a slave base station key.
  • if the add modified DRB request message does not carry a slave base station key, step S110 is performed, or steps S110 and S120 are performed.
  • the specific application scenario includes the scenario where the primary base station transfers associated DRBs to the same slave base station multiple times and the current DRB transfer is not the first transfer of a DRB to that slave base station.
  • DRB is an abbreviation of Data Radio Bearer, i.e. the user plane radio bearer carrying data.
  • the slave base station may also perform a slave node key update spontaneously; in that case, before the slave base station derives a new slave base station key according to the current slave base station key and the ISC, the method described in this embodiment also includes:
  • determining, according to a key derivation decision, whether to trigger the update of the slave base station key; and, when the update is triggered, entering the step in which the slave base station derives a new slave base station key according to the current slave base station key and the ISC.
  • determining, according to the key derivation decision, whether to trigger the update of the slave base station key comprises: determining whether the current slave base station key is invalid, or determining whether the slave base station key is synchronized between the slave base station and the terminal; if the key is invalid, triggering the update of the slave base station key, or if it is not synchronized, triggering the update of the slave base station key.
  • in this way the slave base station key used by the slave base station and the terminal is kept correct: the slave base station itself can trigger a slave base station key update so that communication and data decryption proceed smoothly.
  • the above improvement gives the method described in this embodiment a further step in which the slave base station spontaneously updates the slave base station key, and further improves the slave base station key update method.
  • step S110 includes: deriving a new slave base station key according to the slave base station key, the ISC, and derivation parameters, where the derivation parameters include a cell physical identifier and/or a cell carrier frequency;
  • the cell is the cell formed by the coverage of the slave base station.
  • to facilitate the next slave node key update, after the slave base station sends the ISC to the master base station in the add modified DRB command message, the slave base station also needs to update the ISC, usually by adding 1; and usually the value of the ISC starts from zero.
  • the present embodiment provides a slave base station key update method in which the slave base station derives the slave base station key by itself, thereby avoiding key transmission, and at the same time solves the problems in the prior art of slave base station key errors, of the slave base station key not being synchronized between the slave base station and the terminal, and of the primary base station transferring DRBs to the same slave base station multiple times.
  • this embodiment provides a terminal side slave base station key update method, where the method includes: Step S210: receive an RRC reconfiguration request message sent by the primary base station, where the RRC reconfiguration request message includes an ISC.
  • Step S220: derive a new slave base station key according to the ISC and the current slave base station key.
  • Step S230: establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key.
  • the ISC is the count value of the counter used for deriving the slave base station key.
  • the RRC reconfiguration request message includes configuration parameters for establishing the connection.
  • the terminal establishes the connection with the slave base station according to the configuration parameters and the new slave base station key. The terminal described in this embodiment obtains the slave base station key by derivation instead of by transmission over the connection between the base stations; the method is likewise advantageous for solving the problems in the prior art of slave base station key errors, of the slave base station key not being synchronized between the slave base station and the terminal, and of the primary base station transferring DRBs to the same slave base station multiple times.
  • Embodiment 3 is a diagrammatic representation of Embodiment 3
  • the embodiment provides a slave base key update method, where the method includes:
  • the DRB command message includes the ISC
  • the primary base station receives the add modified DRB command message, and extracts the ISC;
  • the primary base station sends the ISC to the terminal by using an RRC reconfiguration request message.
  • the ISC is a derivation of a count value of a slave base station key.
  • the method for deriving a new slave base station key from the base station is performed; when the primary base station transfers the DRB to the slave base station SeNB for the first time, the master base station generates a key KeNB and sends it to the slave base station SeNB.
  • the primary base station in this embodiment may be a macro base station MeNB.
  • the macro base station continues to transfer the DRB to the slave base station SeNB, and when there is a context relationship between the DRB and the last transferred DRB, the subsequent slave base station will self-derived according to the current slave base station key S-KeNB.
  • the key KeNB is derived by the primary base station according to the primary base station key M-KeNB and the derived count value SCC stored in the primary base station.
  • the SCC count value is incremented by 1 each time the primary base station derives the key KeNB, and usually the value of the SCC starts from 0.
  • the slave base station is provided with an internal counter Intra Smallcell Counter for counting to form the ISC; and the primary base station is internally provided with a counter for counting to form the SCC.
  • the secondary base station sends the ISC to the primary base station by adding a modified DRB command message, and the primary base station passes the extraction and storage backup.
  • the RRC reconfiguration request message sends the ISC to the terminal; the terminal will derive a new slave base station key according to the current base station key and the received ISC in the RRC reconfiguration request message, and the derivation process and the slave base station derive The base station keys are similar.
  • Figure 5 shows a method for deriving a new slave base station key from the base station SeNB and the terminal UE based on the slave base station key and the ISC.
  • the KDF is an abbreviation of Key Deviation Function; the basis of the new slave base station key is deduced in a specific implementation process, and other derivation parameters, such as a cell physical identifier, may be included in addition to the previously stored slave base station key and ISC. Or information such as a carrier frequency of the cell; the cell is a cell formed by the coverage of the secondary base station.
  • the method in this embodiment further includes: before the slave base station derives a new slave base station key according to the current base station key and the ISC:
  • the primary base station sends an add modified DRB request message
  • the base station Determining, by the base station, whether the added modified DRB request message carries a slave base station key; if not, the slave base station performs the step of the base station deriving a new slave base station key according to the current slave base station key and the ISC.
  • Step S1.1: RRC connection establishment is completed between the terminal UE and the master base station MeNB;
  • RRC stands for Radio Resource Control;
  • Step S1.2: The master base station MeNB sends an add/modify DRB request message to the slave base station SeNB, and the slave base station receives the add/modify DRB request message;
  • Step S1.3: The slave base station determines, from the add/modify DRB request message, whether the message carries a slave base station key; if it does not, the slave base station derives a new slave base station key from the current slave base station key and the ISC;
  • Step S1.4: The slave base station sends an add/modify DRB command message to the master base station; the command message includes the ISC, and the other parameters it carries in a specific implementation can be taken from the prior art;
  • Step S1.5: The master base station receives the add/modify DRB command message and sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
  • Step S1.6: The terminal UE receives the RRC reconfiguration request message and derives a new slave base station key from the ISC and the current slave base station key; it then establishes a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the method further includes:
  • Step S1.7: The terminal sends an RRC reconfiguration response message to the master base station;
  • the RRC reconfiguration response message includes information about the terminal's update of the slave base station key;
  • Step S1.8: After receiving the RRC reconfiguration response message, the master base station sends SeNB status transfer information to the slave base station according to the RRC reconfiguration response message.
  • The above improvement triggers the slave base station key update at the slave base station on the basis of the master base station's request message, and is suited to solving the existing problem of generating the slave base station key when the master base station repeatedly transfers associated DRBs to the same slave base station.
  • The following provides a method in which the slave base station updates the slave base station key automatically, according to its own needs:
  • The method further includes: the slave base station determines, according to a key derivation decision, whether to trigger the update of the slave base station key; if so, the slave base station performs the step of deriving the new slave base station key from the current slave base station key and the ISC.
  • The slave base station determining, according to the key derivation decision, whether to trigger the update of the slave base station key includes:
  • determining whether the current slave base station key is invalid, and triggering the update of the slave base station key when it is;
  • determining whether the slave base station key held by the slave base station and the one held by the terminal are synchronized, and triggering the update of the slave base station key when they are not.
  • The cases in which the slave base station decides, according to the key derivation decision, whether to trigger the update of the slave base station key are not limited to the foregoing; they may further include a decryption failure occurring while the slave base station key is in use, so that a new slave base station key must be regenerated to keep data transmission smooth, and the like.
  • The method by which the slave base station triggers the update of the slave base station key may be implemented as shown in FIG. 7, and includes:
  • Step S2.1: When the slave base station SeNB wants to update the slave base station key S-KeNB, it directly generates a new slave base station key from the existing current slave base station key and the ISC;
  • Step S2.2: The slave base station sends an add/modify DRB command message to the master base station; the add/modify DRB command message includes the ISC;
  • Step S2.3: After receiving the add/modify DRB command message, the master base station sends an RRC reconfiguration request message to the terminal; the RRC reconfiguration request message includes the ISC;
  • Step S2.4: After receiving the RRC reconfiguration request message, the terminal derives a new slave base station key from the ISC parameter in the RRC reconfiguration request message and the current slave base station key, and establishes a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key. To further inform the master base station and the slave base station of the current connection status and/or the update status of the slave base station key, the method further includes:
  • Step S2.5: The terminal sends an RRC reconfiguration response to the master base station.
  • Step S2.6: After receiving the RRC reconfiguration response, the master base station sends SeNB status transfer information to the slave base station according to the RRC reconfiguration response, feeding back information such as the current connection status to the slave base station.
  • The method further includes: the slave base station updates the ISC.
  • Specifically, updating the ISC may consist of adding 1 to the ISC count value.
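The procedure of steps S1.1 to S1.8 and S2.1 to S2.6 above, as an added Python example that is not part of the patent: a message-level simulation of the three parties (SeNB, MeNB, UE) in which the ISC travels inside the add/modify DRB command and the RRC reconfiguration request, both ends derive the same new S-KeNB from their current key and that ISC, and the SeNB adds 1 to the ISC after sending the command. The key derivation function, the message field names and the handling of a request that already carries a key are assumptions; the patent fixes none of them.

```python
# Added example (not from the patent): simulation of the SeNB key update
# with the ISC carried SeNB -> MeNB -> UE. Message names and fields are assumed.
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the patent does not specify the KDF. HMAC-SHA256 keyed with the
# current S-KeNB over a label and the 4-byte ISC is used here as a stand-in;
# any one-way KDF agreed by SeNB and UE would serve.
def derive_s_kenb(current_key: bytes, isc: int) -> bytes:
    msg = b"S-KeNB-update" + isc.to_bytes(4, "big")
    return hmac.new(current_key, msg, hashlib.sha256).digest()


@dataclass
class SlaveBaseStation:
    """SeNB: holds the current S-KeNB and the internal counter ISC (starts at 0)."""
    s_kenb: bytes
    isc: int = 0
    log: list = field(default_factory=list)

    def _new_key_and_command(self) -> dict:
        # Derive with the current ISC, send that ISC in the command, then add 1
        # (the patent updates the ISC after the command has been sent).
        self.s_kenb = derive_s_kenb(self.s_kenb, self.isc)
        command = {"msg": "AddModifyDRBCommand", "isc": self.isc}
        self.isc += 1
        self.log.append(f"SeNB derived new S-KeNB with ISC={command['isc']}")
        return command

    def on_add_modify_drb_request(self, request: dict) -> dict:
        """Steps S1.2-S1.4: MeNB-initiated path."""
        if request.get("s_kenb") is not None:
            # Prior-art path: the MeNB supplied the key. Assumed handling: adopt
            # it and answer without an ISC, so the UE performs no local
            # derivation (the UE would obtain that key by the prior-art route).
            self.s_kenb = request["s_kenb"]
            return {"msg": "AddModifyDRBCommand", "isc": None}
        return self._new_key_and_command()

    def self_triggered_update(self) -> dict:
        """Steps S2.1-S2.2: the SeNB refreshes the key on its own decision."""
        return self._new_key_and_command()


@dataclass
class MasterBaseStation:
    """MeNB: relays the ISC to the UE and forwards the UE's status back."""
    def on_add_modify_drb_command(self, command: dict) -> dict:
        # Steps S1.5 / S2.3: extract the ISC and carry it in RRC reconfiguration.
        return {"msg": "RRCConnectionReconfiguration", "isc": command["isc"]}

    def on_rrc_reconfiguration_response(self, response: dict) -> dict:
        # Steps S1.8 / S2.6: SeNB status transfer carrying the UE's report.
        return {"msg": "SeNBStatusTransfer", "key_updated": response["key_updated"]}


@dataclass
class Terminal:
    """UE: derives the same S-KeNB from the received ISC and its current key."""
    s_kenb: bytes
    connected_to_senb: bool = False

    def on_rrc_reconfiguration(self, request: dict) -> dict:
        # Steps S1.6-S1.7 / S2.4-S2.5.
        updated = request["isc"] is not None
        if updated:
            self.s_kenb = derive_s_kenb(self.s_kenb, request["isc"])
        self.connected_to_senb = True
        return {"msg": "RRCConnectionReconfigurationComplete", "key_updated": updated}


def run_update(senb, menb, ue, request: Optional[dict] = None) -> bool:
    """Drive one full round; True when SeNB and UE end with the same S-KeNB."""
    if request is not None:
        command = senb.on_add_modify_drb_request(request)
    else:
        command = senb.self_triggered_update()
    rrc_request = menb.on_add_modify_drb_command(command)
    rrc_response = ue.on_rrc_reconfiguration(rrc_request)
    menb.on_rrc_reconfiguration_response(rrc_response)
    return ue.connected_to_senb and senb.s_kenb == ue.s_kenb


def demo() -> tuple:
    # Constructed initial S-KeNB shared by SeNB and UE (placeholder value).
    initial = bytes(32)
    senb, menb, ue = SlaveBaseStation(initial), MasterBaseStation(), Terminal(initial)
    # Round 1: MeNB re-adds DRBs to the same SeNB without a key -> SeNB derives (S1.3).
    r1 = run_update(senb, menb, ue, request={"msg": "AddModifyDRBRequest", "s_kenb": None})
    # Round 2: the SeNB refreshes on its own (S2.1).
    r2 = run_update(senb, menb, ue)
    return r1, r2, senb.isc, senb.s_kenb != initial


if __name__ == "__main__":
    print(demo())  # (True, True, 2, True)
```

Note the order in the SeNB: derivation uses the ISC value that is then sent, and the counter is incremented only afterwards, so the UE always derives with exactly the value the SeNB used. Reversing that order silently desynchronises the two keys.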
  • The foregoing embodiment combines the first and second embodiments and can be regarded as a combination of their various technical solutions; it likewise overcomes the shortcomings of the prior-art slave base station key update and achieves high security between the terminal and the slave base station.
  • Embodiment 4: This embodiment provides a slave base station, where the slave base station includes:
  • a first derivation unit configured to derive a new slave base station key from the current slave base station key and the ISC;
  • the ISC being a count value for deriving the slave base station key.
  • The specific structure of the first derivation unit may be a processor; the processor may be a multi-core or single-core central processing unit, a single-chip microcomputer, a digital signal processor, a programmable array or the like.
  • The slave base station may further include a counter configured to form the ISC; in a specific implementation the ISC may start from 0 or 1, and in this embodiment the count starts from 0.
  • This embodiment provides a slave base station that can update the slave base station key by itself and provides hardware support for the slave base station key update method described in the first embodiment, thereby likewise solving the prior-art problem of slave base station key update caused by the master base station transferring associated DRBs to the same slave base station multiple times.
  • The slave base station includes a first derivation unit 110 and a first sending unit 120;
  • the first sending unit 120 is configured to send an add/modify DRB command message to the master base station after the new slave base station key has been derived from the slave base station key and the ISC; the command message includes the ISC;
  • the ISC is sent by the master base station to the terminal in an RRC reconfiguration request message; the RRC reconfiguration request message instructs the terminal to connect to the slave base station and to update the slave base station key according to the ISC.
  • The specific structure of the first sending unit 120 may be a wired or wireless sending interface, such as a transmitting antenna or a wired communication interface for a twisted-pair cable, a coaxial cable or an optical fibre.
  • The sending interface is coupled to the first derivation unit 110.
  • The slave base station further includes a first receiving unit 130 and a determining unit 140;
  • the first receiving unit 130 is configured to receive the add/modify DRB request message sent by the master base station before the slave base station derives a new slave base station key from the current slave base station key and the ISC; the determining unit 140 is configured to determine whether the add/modify DRB request message carries a slave base station key;
  • the first derivation unit 110 is configured to derive a new slave base station key from the current slave base station key and the ISC when the add/modify DRB request message does not carry a slave base station key.
  • The specific structure of the first receiving unit 130 may include a receiving interface, such as a receiving antenna or another wired network communication interface; the specific structure of the determining unit 140 may be a processor, such as a central processing unit, a single-chip microcomputer, a digital signal processor, a programmable logic array or another electronic component with processing capability. In a specific implementation the determining unit 140 and the first derivation unit 110 may each correspond to a separate processor, interconnected through a connection interface or bus inside the slave base station, or they may be integrated on the same processor, which performs the functions of the first derivation unit 110 and the determining unit 140 by time-division multiplexing or in different threads.
  • The slave base station further includes a triggering unit;
  • the triggering unit is configured to determine, according to the key derivation decision, whether to trigger the update of the slave base station key before the slave base station derives the new slave base station key from the current slave base station key and the ISC; the first derivation unit 110 is configured to derive the new slave base station key from the current slave base station key and the ISC after the triggering unit has triggered the update.
  • The triggering unit is specifically configured to determine whether the current slave base station key is invalid and to trigger the update when the slave base station key has failed; or to determine whether the slave base station keys held by the slave base station and by the terminal are synchronized and to trigger the update when they are not.
  • The triggering unit may also correspond to a processor; the processor may be a central processing unit, a single-chip microcomputer, a digital signal processor, a programmable logic array or another electronic component with processing capability. The triggering unit may have a processor of its own or may be integrated with other functional units on the same processor.
  • The processor is also connected to a storage medium; the functions of the first derivation unit 110, the determining unit 140 and the triggering unit can each be implemented by running a program or software stored in the storage medium.
  • The first derivation unit 110 is specifically configured to derive a new slave base station key from the slave base station key, the ISC and a derivation parameter.
  • The derivation parameter includes at least one of a cell physical identifier and a cell carrier frequency; the cell is the cell formed by the coverage of the slave base station.
  • In a specific implementation the derivation parameters may also include other parameters and are not limited to the cell physical identifier and the cell carrier frequency.
  • The slave base station further includes a counter configured to update the ISC after the new slave base station key has been derived from the slave base station key and the ISC.
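The derivation parameters (cell physical identifier and cell carrier frequency) and the triggering unit's two decisions described above (key failure, and key desynchronisation between slave base station and terminal), as an added Python example that is not the patent's own method. The KDF, the use of a key-confirmation MAC as the terminal's "key updated" report, and the terminal replaying missed ISC values to resynchronise a chained derivation are all assumptions; the patent only states that the update is triggered when the keys are found not to be synchronized.

```python
# Added example (not from the patent): derivation with cell parameters and the
# triggering unit's decision. KDF and sync-check mechanism are assumptions.
import hmac
import hashlib
from typing import Optional

def derive_s_kenb(current_key: bytes, isc: int, pci: int, earfcn: int) -> bytes:
    """New S-KeNB from the current key, the ISC and the cell parameters.
    Assumed KDF: HMAC-SHA256 over a label, the ISC, the PCI and the EARFCN."""
    msg = (b"S-KeNB-update" + isc.to_bytes(4, "big")
           + pci.to_bytes(2, "big") + earfcn.to_bytes(4, "big"))
    return hmac.new(current_key, msg, hashlib.sha256).digest()


def key_confirmation(s_kenb: bytes) -> bytes:
    """Assumed content of the UE's 'key updated' report: a short MAC over a
    fixed string that shows which key the UE holds without revealing it."""
    return hmac.new(s_kenb, b"S-KeNB-confirm", hashlib.sha256).digest()[:8]


def keys_synchronized(senb_key: bytes, ue_report: Optional[bytes]) -> bool:
    """Sync check: the UE's report must equal the SeNB's own confirmation value."""
    if ue_report is None:
        return False
    return hmac.compare_digest(key_confirmation(senb_key), ue_report)


def should_trigger_update(key_failed: bool, senb_key: bytes,
                          ue_report: Optional[bytes]) -> bool:
    """Key derivation decision of the triggering unit: trigger when the current
    key has failed (e.g. decryption errors) or when SeNB and UE keys differ."""
    return key_failed or not keys_synchronized(senb_key, ue_report)


class SlaveBaseStation:
    def __init__(self, s_kenb: bytes, pci: int, earfcn: int):
        self.s_kenb, self.pci, self.earfcn, self.isc = s_kenb, pci, earfcn, 0

    def update(self) -> int:
        """Derive with the current ISC, then add 1; return the ISC that was used."""
        self.s_kenb = derive_s_kenb(self.s_kenb, self.isc, self.pci, self.earfcn)
        sent, self.isc = self.isc, self.isc + 1
        return sent


class Terminal:
    def __init__(self, s_kenb: bytes):
        self.s_kenb, self.isc = s_kenb, 0  # isc = next ISC value the UE expects

    def on_isc(self, isc: int, pci: int, earfcn: int) -> None:
        # Assumption (not in the patent): because each key is chained from the
        # previous one, a UE that missed an ISC value replays every missed step
        # up to the received value; a stale or repeated ISC is ignored.
        while self.isc <= isc:
            self.s_kenb = derive_s_kenb(self.s_kenb, self.isc, pci, earfcn)
            self.isc += 1


def resync_scenario() -> dict:
    """UE misses one update (lost RRC reconfiguration); the SeNB detects the
    desync from the UE's report and triggers a fresh update that restores it."""
    initial = b"\x11" * 32      # constructed shared S-KeNB
    pci, earfcn = 123, 1850     # constructed cell parameters (PCI, EARFCN)
    senb, ue = SlaveBaseStation(initial, pci, earfcn), Terminal(initial)

    ue.on_isc(senb.update(), pci, earfcn)           # ISC 0 delivered
    sync1 = keys_synchronized(senb.s_kenb, key_confirmation(ue.s_kenb))

    senb.update()                                   # ISC 1 sent but never reaches the UE
    trigger = should_trigger_update(False, senb.s_kenb, key_confirmation(ue.s_kenb))

    ue.on_isc(senb.update(), pci, earfcn)           # ISC 2 delivered; UE replays 1 and 2
    sync2 = keys_synchronized(senb.s_kenb, key_confirmation(ue.s_kenb))

    return {"sync_after_first": sync1, "trigger_on_loss": trigger,
            "sync_after_resync": sync2, "ue_isc": ue.isc, "senb_isc": senb.isc}


if __name__ == "__main__":
    print(resync_scenario())
```

Because every new key is chained from the current one, a single lost ISC step cannot be repaired by one further derivation unless the terminal can replay what it missed; carrying the ISC in the reconfiguration and comparing the terminal's report with the slave base station's own value is what makes the gap visible to the triggering unit.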
  • Embodiment 5: As shown in FIG. 10, this embodiment provides a terminal, where the terminal includes:
  • a second receiving unit 210 configured to receive an RRC reconfiguration request message sent by the master base station; a second derivation unit 220 configured to derive a new slave base station key from the ISC and the slave base station key;
  • a connecting unit 230 configured to establish a connection with the slave base station according to the RRC reconfiguration request message and the new slave base station key;
  • the ISC being a count value for deriving the slave base station key.
  • The terminal may be a dual-mode or multi-mode terminal capable of connecting to at least two base stations.
  • The specific structure of the second receiving unit 210 may include a communication interface such as a receiving antenna.
  • The second derivation unit 220 may include a processor configured to extract the required information from the message received by the second receiving unit 210 and to derive the new slave base station key from the ISC in the RRC reconfiguration request message and the current slave base station key stored in the terminal.
  • The processor may be a processing component such as a central processing unit, a single-chip microcomputer, a digital signal processor or a programmable logic array. In a specific implementation the processor is also connected to a storage medium, and the functions of the second derivation unit 220 can be implemented by running a program or software stored in the storage medium.
  • The connecting unit 230 is configured to establish a connection channel between the terminal and the slave base station, and its corresponding structure may include a communication interface, such as an air interface.
  • The terminal in this embodiment provides hardware support for the slave base station key update method described in the second embodiment and can be used to implement the technical solution of any example of the second embodiment; it has the same slave base station key update function, without needing to obtain the key from the master base station or the slave base station, and therefore has the advantage of high security.
  • This embodiment provides a communication system, where the communication system includes: a slave base station 330 configured to derive a new slave base station key from the current slave base station key and the ISC and to send an add/modify DRB command message to the master base station 310, the command message including the ISC;
  • the master base station 310 configured to receive the add/modify DRB command message, extract the ISC and send the ISC to the terminal in an RRC reconfiguration request message;
  • the terminal 320 configured to receive the RRC reconfiguration request message, derive a new slave base station key from the ISC and the current slave base station key, and establish a connection with the slave base station 330 according to the RRC reconfiguration request message and the new slave base station key;
  • the ISC being a count value for deriving the slave base station key.
  • The master base station 310 is further configured to send an add/modify DRB request message before the slave base station derives a new slave base station key from the current slave base station key and the ISC;
  • the slave base station 330 is further configured to receive the add/modify DRB request message, determine whether it carries a slave base station key, and, when it does not, derive a new slave base station key from the current slave base station key and the ISC.
  • The slave base station 330 is further configured to determine, according to the key derivation decision, whether to trigger the update of the slave base station key before deriving the new slave base station key from the current slave base station key and the ISC, and, when the update is triggered, to perform the step of deriving the new slave base station key from the slave base station key and the ISC.
  • The slave base station 330 is configured to determine whether the current slave base station key is invalid, or whether the slave base station keys held by the slave base station and by the terminal are synchronized; the update of the slave base station key is triggered when the slave base station key has failed or when the keys are not synchronized.
  • The slave base station 330 is further configured to update the ISC after sending the add/modify DRB command message to the master base station.
  • The master base station 310, the terminal 320 and the slave base station 330 are all connected via a wireless network.
  • FIG. 12 is an example of a communication system including a macro base station, a small base station and a terminal; the macro base station, as the master base station, forms a macro cell, shown surrounded by a large ellipse; the small base station, as the slave base station, forms a small cell, shown surrounded by a small ellipse.
  • The terminal is connected to the macro base station and to the small base station; the terminal and the macro base station exchange data such as U-plane data over carrier F1, and the terminal and the small base station exchange data such as U-plane data over carrier F2; U-plane data is user-plane data.
  • The communication system in this embodiment provides hardware support for the slave base station key update method of the third embodiment and can be used to implement the technical solution of any example of the third embodiment; it solves the prior-art problem of slave base station key update and improves the security of information transmission between the slave base station and the terminal.
  • The embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, which are used to execute at least one of the methods described in the first to third embodiments, specifically the method shown in FIG. 1, FIG. 2, FIG. 3 and/or FIG.
  • The computer storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or another medium that can store program code; a non-transitory storage medium is preferred.

Abstract

The present invention relates to the field of communications. It concerns a slave base station key update method, a slave base station, a terminal and a communication system. The slave base station key update method consists in deriving a new slave base station key according to the current slave base station key and an internal slave base station counter (ISC), the ISC being a count value for deriving the slave base station key (S110). The present invention also concerns a computer storage medium.
PCT/CN2014/084808 2014-03-14 2014-08-20 Key update method, slave base station, terminal, communication system and storage medium WO2015135292A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410096468.5A CN104918242B (zh) 2014-03-14 2014-03-14 Slave base station key update method, slave base station, terminal and communication system
CN201410096468.5 2014-03-14

Publications (1)

Publication Number Publication Date
WO2015135292A1 true WO2015135292A1 (fr) 2015-09-17

Family

ID=54070866

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/084808 WO2015135292A1 (fr) 2014-03-14 2014-08-20 Key update method, slave base station, terminal, communication system and storage medium

Country Status (2)

Country Link
CN (1) CN104918242B (fr)
WO (1) WO2015135292A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106817696A (zh) * 2015-12-01 2017-06-09 宏达国际电子股份有限公司 Device and method of handling data transmission/reception for dual connectivity
US11924341B2 (en) 2021-04-27 2024-03-05 Rockwell Collins, Inc. Reliable cryptographic key update

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11212092B2 (en) 2016-04-05 2021-12-28 Nokia Solutions And Networks Oy Optimized security key refresh procedure for 5G MC
CN108810888B (zh) * 2017-05-05 2020-09-18 华为技术有限公司 Key update method and device
CN110637469B (zh) * 2017-05-15 2023-03-31 三星电子株式会社 Apparatus and method for managing security keys in a wireless communication system
WO2018227480A1 (fr) 2017-06-15 2018-12-20 Qualcomm Incorporated Security key refresh in 5G wireless systems
CN109756894B (zh) * 2017-08-22 2020-09-25 大唐移动通信设备有限公司 High-definition voice call method, base station and terminal
CN113038466B (zh) * 2018-09-12 2023-02-21 维沃移动通信有限公司 Processing method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103096308A (zh) * 2011-11-01 2013-05-08 华为技术有限公司 Method for generating a group key and related device
WO2013116976A1 (fr) * 2012-02-06 2013-08-15 Nokia Corporation Method and apparatus for fast access

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267303B (zh) * 2007-03-13 2012-07-04 中兴通讯股份有限公司 Communication method between service nodes
CN101631307B (zh) * 2009-08-25 2015-01-28 中兴通讯股份有限公司 Air interface key update method and system in a wireless communication system
CN103167492B (zh) * 2011-12-15 2016-03-30 华为技术有限公司 Method and device for generating an access stratum key in a communication system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106817696A (zh) * 2015-12-01 2017-06-09 宏达国际电子股份有限公司 Device and method of handling data transmission/reception for dual connectivity
US10368238B2 (en) 2015-12-01 2019-07-30 Htc Corporation Device and method of handling data transmission/reception for dual connectivity
CN106817696B (zh) * 2015-12-01 2019-12-10 宏达国际电子股份有限公司 Device and method of handling data transmission/reception for dual connectivity
US11924341B2 (en) 2021-04-27 2024-03-05 Rockwell Collins, Inc. Reliable cryptographic key update

Also Published As

Publication number Publication date
CN104918242B (zh) 2020-04-03
CN104918242A (zh) 2015-09-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14885513

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14885513

Country of ref document: EP

Kind code of ref document: A1