WO2015139434A1 - Method and apparatus for determining a security algorithm - Google Patents


Info

Publication number
WO2015139434A1
Authority
WO
WIPO (PCT)
Prior art keywords
security algorithm
base station
security
algorithm
supported
Application number
PCT/CN2014/086764
Other languages
French (fr)
Chinese (zh)
Inventor
李阳
林兆骥
游世林
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic

Definitions

  • the present invention relates to the field of communications, and in particular to a method and apparatus for determining a security algorithm.
  • the Long Term Evolution (LTE) network consists of an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and an Evolved Packet Core (EPC). Its network is flat.
  • the E-UTRAN is connected to the EPC through an S1 interface. The E-UTRAN is composed of a plurality of interconnected Evolved NodeBs (eNBs), and the eNBs are connected to each other through an X2 interface.
  • the EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW).
  • MME Mobility Management Entity
  • S-GW Serving Gateway
  • HE Home Environment
  • HSS Home Subscriber Server
  • HLR Home Location Register
  • LTE-Advanced Long-Term Evolution Advanced
  • SC Small Cell
  • FIG. 1 is a schematic diagram of a network including a secondary base station according to the related art.
  • one user equipment (UE) is connected to two cells simultaneously, one of which is a primary cell (Macro Cell) and the other a secondary cell (Small Cell).
  • the base station where the primary cell is located is referred to as the primary base station (Macro eNodeB, abbreviated as MeNB), and the base station where the secondary cell is located is referred to as the secondary base station (Secondary eNodeB, abbreviated as SeNB).
  • MeNB primary base station
  • SeNB secondary eNodeB
  • the signalling-plane (control-plane) function between the UE and the network is handled by the primary base station alone, while the user plane is handled by the UE together with the primary base station and the secondary base station; that is, the UE has a user-plane connection with the primary base station and a user-plane connection with the secondary base station at the same time. This is referred to as dual connectivity.
  • the main technology of dual connectivity is the allocation of user plane protocol stack functions between the primary base station and the secondary base station.
  • the control plane remains unchanged, and the user plane protocol stack of the base station can include all layers from the Packet Data Convergence Protocol (PDCP) layer to the Physical Layer (PHY) layer.
  • PDCP Packet Data Convergence Protocol
  • PHY Physical Layer
  • the secondary base station is directly connected to the S-GW, and the S1-U interface between them is exactly the same as the one used previously.
  • the UE connects directly to the secondary base station for the data radio bearers (DRBs) that have been transferred to the secondary base station.
  • DRB data radio bearer
  • the algorithm used by the air interface security between the UE and the MeNB is completed by an algorithm negotiation process of the LTE system. After the MeNB transfers the partial DRB of the UE to the SeNB, an algorithm negotiation process needs to exist between the SeNB and the UE in order to implement encryption protection.
  • the method currently under discussion is that the MeNB learns the algorithms supported by the SeNB (or the algorithms supported by the SeNB are configured on the MeNB), the MeNB then selects an algorithm on behalf of the SeNB, and the MeNB notifies the UE and the SeNB of the selected algorithm.
  • although this method is feasible, it has two main defects:
  • the algorithm between the SeNB and the UE is not determined by the SeNB itself but by the MeNB, which is inconsistent with existing LTE, where each device selects the algorithm it uses;
  • the encryption protection between the UE and the SeNB in the related art is therefore not determined by the SeNB itself, and the implementation process is complicated.
  • the embodiments of the present invention provide a method and a device for determining a security algorithm, so as to at least solve the problem that the encryption security protection between the UE and the SeNB in the related art is not determined by the SeNB itself and the implementation process is complicated.
  • a method of determining a security algorithm is provided.
  • the method for determining a security algorithm includes: the secondary base station receives a request message from the primary base station; and the secondary base station determines the security algorithm to be used by itself according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
  • determining, by the secondary base station, the security algorithm to be used includes: the secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE; if the request message does not carry a recommended security algorithm, the secondary base station selects, according to a preset priority order of the security algorithms in that set, the one with the highest priority as the security algorithm to be used.
  • the method further includes: sending, by the base station, the security algorithm to be used to the UE by using the primary base station.
  • selecting, by the secondary base station, the security algorithm to be used includes: the secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE; if the request message carries a recommended security algorithm, the secondary base station determines whether the recommended security algorithm is included in that set; if so, the secondary base station selects the recommended security algorithm as the security algorithm to be used.
  • the method further includes: the secondary base station does not carry the security algorithm to be used in the response message returned to the primary base station; and the UE continues to use the security algorithm currently used for communication with the primary base station.
  • selecting, by the secondary base station, the security algorithm to be used includes: the secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE; if the request message carries a recommended security algorithm, the secondary base station determines whether the recommended security algorithm is included in that set; if not, the secondary base station selects, according to the preset priority order of the security algorithms in that set, the one with the highest priority as the security algorithm to be used.
  • the method further includes: the secondary base station sends the security algorithm to be used to the UE via the primary base station; and the security algorithm to be used is then used between the UE and the secondary base station.
  • the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
  • the manner in which the primary base station sends the recommended security algorithm to the secondary base station is one of the following: the primary base station sets a parameter in a preset field of the request message, where the parameter indicates the security algorithm recommended by the primary base station to the secondary base station; or the primary base station adjusts the priority order of the security algorithms listed in the security capability information of the UE in the request message it sends to the secondary base station.
  • a determining apparatus of a security algorithm is provided.
  • the apparatus for determining a security algorithm includes: a receiving module, configured to receive a request message from the primary base station; and a determining module, configured to determine the security algorithm to be used by the secondary base station according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
  • the determining module includes: a first determining unit, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; and a first selecting unit, configured to select, when the request message does not carry a recommended security algorithm, the security algorithm with the highest priority according to the preset priority order of that set as the security algorithm to be used.
  • the determining module includes: a second determining unit, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; a first judging unit, configured to determine, when the request message carries a recommended security algorithm, whether the recommended security algorithm is included in that set; and a second selecting unit, configured to select the recommended security algorithm as the security algorithm to be used when the output of the first judging unit is yes.
  • the determining module includes: a third determining unit, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; a second judging unit, configured to determine, when the request message carries a recommended security algorithm, whether the recommended security algorithm is included in that set; and a third selecting unit, configured to select, when the output of the second judging unit is no, the security algorithm with the highest priority according to the preset priority order of that set as the security algorithm to be used.
  • the apparatus further includes: a sending module, configured to send the security algorithm to be used to the UE via the primary base station.
  • the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
  • the manner in which the primary base station sends the recommended security algorithm to the secondary base station is one of the following: the primary base station sets a parameter in a preset field of the request message, where the parameter indicates the security algorithm recommended by the primary base station to the secondary base station; or the primary base station adjusts the priority order of the security algorithms listed in the security capability information of the UE in the request message it sends to the secondary base station.
  • in the embodiments of the present invention, the secondary base station receives a request message from the primary base station and determines the security algorithm to be used by itself according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself. That is, the primary base station, the secondary base station and the UE all participate in the negotiation of the security algorithm, and the secondary base station selects the security algorithm according to the security capability information of the UE and according to whether the primary base station has recommended a security algorithm to it. This solves the problem in the related art that the encryption protection between the UE and the SeNB is not determined by the SeNB itself and the implementation process is complicated: the SeNB determines the security algorithm it uses, and the complexity of the encryption protection between the UE and the SeNB is effectively reduced.
  • FIG. 1 is a schematic diagram of a network including a secondary base station according to the related art
  • FIG. 2 is a flowchart of a method for determining a security algorithm according to an embodiment of the present invention
  • FIG. 3 is a flowchart of algorithm negotiation with an MeNB recommendation according to a preferred embodiment of the present invention
  • FIG. 4 is a flowchart of algorithm negotiation without an MeNB recommendation according to a preferred embodiment of the present invention
  • FIG. 5 is a structural block diagram of an apparatus for determining a security algorithm according to an embodiment of the present invention
  • FIG. 6 is a structural block diagram of an apparatus for determining a security algorithm according to a preferred embodiment of the present invention
  • FIG. 2 is a flow chart of a method of determining a security algorithm in accordance with an embodiment of the present invention. As shown in FIG. 2, the method may include the following processing steps:
  • Step S202 The secondary base station receives a request message from the primary base station;
  • Step S204 The secondary base station determines the security algorithm to be used according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
  • in the related art, the encryption protection between the UE and the SeNB is not determined by the SeNB itself and the implementation process is complicated.
  • with the method shown in FIG. 2, the primary base station, the secondary base station and the UE all participate in the negotiation of the security algorithm, and the secondary base station decides how to select the security algorithm according to the security capability information of the UE and according to whether the primary base station has recommended a security algorithm to it. The problem in the related art is therefore solved: the SeNB determines the security algorithm it uses, and the complexity of the encryption protection between the UE and the SeNB is effectively reduced.
  • the above-mentioned recommended security algorithm may be a security algorithm currently used for communication between the primary base station and the UE.
  • the manner in which the primary base station sends the recommended security algorithm to the secondary base station may be one of the following:
  • Manner 1 The primary base station sets a parameter in a preset field of the request message, where the parameter indicates the security algorithm recommended by the primary base station to the secondary base station; for example, writing 0 in the preset field indicates that security algorithm 1 is recommended, and writing 1 indicates that security algorithm 2 is recommended.
  • Manner 2 The primary base station adjusts the priority order of the security algorithms listed in the security capability information of the UE in the request message it sends to the secondary base station.
  • for example, the UE supports security algorithm 1, security algorithm 2 and security algorithm 3, ranked from high to low priority as security algorithm 1, security algorithm 2, security algorithm 3.
  • the primary base station can adjust this ranking in the request message it sends to the secondary base station, for example by moving security algorithm 2 to the highest priority.
  • in step S204, determining, by the secondary base station, the security algorithm to be used may include the following operations:
  • Step S1 The secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE.
  • Step S2 If the request message does not carry a recommended security algorithm, the secondary base station selects, according to the preset priority order of the security algorithms in that set, the one with the highest priority as the security algorithm to be used.
  • for example, the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, and the UE supports security algorithm 1, security algorithm 3 and security algorithm 4. The intersection, i.e. the commonly supported security algorithms, is security algorithm 1, security algorithm 3 and security algorithm 4. The priorities preset on the secondary base station, from high to low, are: security algorithm 3, security algorithm 1, security algorithm 4. Therefore the secondary base station selects security algorithm 3, which has the highest priority.
  • the following steps may also be included:
  • Step S3 The secondary base station sends the security algorithm to be used to the UE via the primary base station. That is, the secondary base station sends a response message to the primary base station, where the response message carries the security algorithm to be used that the secondary base station selected; the primary base station then returns a response message to the UE, where that response message carries the security algorithm selected by the secondary base station.
  • selecting, by the secondary base station, the security algorithm to be used may include the following steps:
  • Step S4 The secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE.
  • Step S5 If the request message carries a recommended security algorithm, the secondary base station determines whether the recommended security algorithm is included in that set.
  • Step S6 If yes, the secondary base station selects the recommended security algorithm as the security algorithm to be used.
  • for example, the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, and the UE supports security algorithm 1, security algorithm 3 and security algorithm 4. The intersection, i.e. the commonly supported security algorithms, is security algorithm 1, security algorithm 3 and security algorithm 4. The security algorithm recommended by the primary base station to the secondary base station is security algorithm 1, and the secondary base station determines that security algorithm 1 is supported by both itself and the UE. Therefore security algorithm 1 is selected as the security algorithm to be used.
  • the following operations may also be included:
  • Step S7 The slave base station does not carry the security algorithm to be used in the response message returned to the primary base station;
  • Step S8 The UE continues to use the security algorithm currently used for communication with the primary base station.
  • since the secondary base station selects the security algorithm recommended by the primary base station, and the recommended security algorithm is usually the security algorithm the UE currently uses to communicate with the primary base station, the recommended security algorithm need not be carried in the response message returned by the secondary base station to the primary base station, nor in the response message returned by the primary base station to the UE; the UE can simply continue to use the security algorithm it currently uses to communicate with the primary base station.
  • selecting, by the secondary base station, the security algorithm to be used may include the following steps:
  • Step S9 The secondary base station determines the set of security algorithms supported by both itself and the UE according to its locally supported security algorithms and the security algorithms supported by the UE.
  • Step S10 If the request message carries a recommended security algorithm, the secondary base station determines whether the recommended security algorithm is included in that set.
  • Step S11 If no, the secondary base station selects, according to the preset priority order of the security algorithms in that set, the one with the highest priority as the security algorithm to be used.
  • for example, the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, and the UE supports security algorithm 1, security algorithm 3 and security algorithm 4. The intersection, i.e. the commonly supported security algorithms, is security algorithm 1, security algorithm 3 and security algorithm 4. The security algorithm recommended by the primary base station to the secondary base station is security algorithm 6.
  • the secondary base station determines that security algorithm 6 is not supported by both itself and the UE. The priorities preset on the secondary base station, from high to low, are: security algorithm 3, security algorithm 1, security algorithm 4. Therefore the secondary base station selects security algorithm 3, which has the highest priority.
  • in other words, a security algorithm that is supported by both the secondary base station and the UE and is recommended by the primary base station to the secondary base station is selected first; if the secondary base station cannot support the primary base station's recommendation, the highest-priority security algorithm supported by both the secondary base station and the UE is selected.
  • the following operations may also be included:
  • Step S12 The security algorithm to be used is sent from the base station to the UE via the primary base station;
  • Step S13 The UE uses a security algorithm to be used between the UE and the secondary base station.
  • FIG. 3 is a flowchart of algorithm negotiation with MeNB recommendation in accordance with a preferred embodiment of the present invention.
  • as shown in FIG. 3, a scenario in which the MeNB recommends a security algorithm to the SeNB and the SeNB negotiates a security algorithm with the UE is described in this preferred embodiment.
  • the process can include the following processing steps:
  • Step S302 A radio resource control (RRC) connection and DRBs are established between the UE and the MeNB, and the UE reports its security capability information to the MeNB, where the security capability information may include security algorithm information, and the security algorithm information may include an encryption algorithm and an integrity protection algorithm.
  • RRC radio resource control
  • Step S304 The MeNB sends an add/modify DRB request message to the SeNB, where the request message carries the security capability information of the UE and an encryption algorithm recommended by the MeNB to the SeNB.
  • the algorithm recommended by the MeNB can also be implemented by adjusting the priority of the UE supporting algorithm, so that the SeNB only needs to negotiate according to the algorithm supported by the UE and the algorithm supported by the SeNB.
  • Step S306 The SeNB preferentially selects an algorithm that is supported by the UE security capability, supported by the SeNB, and recommended by the MeNB. Failing that, it selects the algorithm with the highest priority among those supported by the UE security capability and by the SeNB.
  • if the algorithm selected by the SeNB is the one recommended by the MeNB, it need not be carried in the subsequent steps, and the UE can use the algorithm it already uses to communicate with the MeNB.
  • Step S308 The SeNB sends an add/modify DRB command message to the MeNB, where the command message carries a security algorithm, and the security algorithm may be identified by using an algorithm identifier.
  • Step S310 The MeNB instructs the UE to connect to the SeNB by using an RRC connection reconfiguration request message, where the request message carries the identification information of the security algorithm.
  • Step S312 The UE returns an RRC connection reconfiguration response message to the MeNB.
  • FIG. 4 is a flow chart of algorithm negotiation without MeNB recommendation in accordance with a preferred embodiment of the present invention. As shown in FIG. 4, a scenario in which the MeNB does not recommend a security algorithm to the SeNB and the SeNB negotiates a security algorithm with the UE is described in the preferred embodiment.
  • the process can include the following processing steps:
  • Step S402 A radio resource control (RRC) connection and DRBs are established between the UE and the MeNB, and the UE reports its security capability information to the MeNB, where the security capability information may include security algorithm information, and the security algorithm information may include an encryption algorithm and an integrity protection algorithm.
  • RRC radio resource control
  • Step S404 The MeNB sends an add/modify DRB request message to the SeNB, where the request message carries only the security capability information of the UE.
  • the algorithm recommended by the MeNB can also be implemented by adjusting the priority of the UE supporting algorithm, so that the SeNB only needs to negotiate according to the algorithm supported by the UE and the algorithm supported by the SeNB.
  • Step S406 The SeNB selects the algorithm with the highest priority among those supported by the UE security capability and by the SeNB.
  • Step S408 The SeNB sends an add/modify DRB command message to the MeNB, where the command message carries a security algorithm, and the security algorithm may be identified by using an algorithm identifier.
  • Step S410 The MeNB indicates that the UE is connected to the SeNB by using an RRC connection reconfiguration request message, where the request message carries the identification information of the security algorithm.
  • Step S412 The UE returns an RRC connection reconfiguration response message to the MeNB.
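  • The selection logic of steps S1 to S13 (intersection of SeNB and UE capabilities, acceptance or rejection of the MeNB recommendation, fallback to the SeNB's preset priority) and the three-party exchange of FIG. 3 and FIG. 4 can be checked end to end with the following added example. It is illustrative code written for this page, not the patent's or ZTE's implementation. The message field names, the integer algorithm identifiers, the preset priority table, the modelling of Manner 2 as an SeNB policy that ranks by the received order of the UE capability list, and the refusal on an empty intersection (a case the patent text does not address) are all assumptions. The inputs are the constructed values from the worked examples above.

```python
"""Added example, not code from the patent or from ZTE: the SeNB-side selection
of steps S1 to S13 and the MeNB/SeNB/UE exchange of FIG. 3 and FIG. 4.
Message field names, the integer algorithm identifiers, the priority table and
the handling of an empty intersection are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddModifyDrbRequest:
    """MeNB -> SeNB add/modify DRB request (field names assumed)."""
    ue_capability: list                 # UE-supported algorithm ids, in priority order
    recommended: Optional[int] = None   # Manner 1: explicit recommendation, else None


@dataclass
class AddModifyDrbCommand:
    """SeNB -> MeNB add/modify DRB command; algorithm is None when the
    MeNB recommendation was accepted (steps S7/S8)."""
    algorithm: Optional[int]


@dataclass
class RrcReconfiguration:
    """MeNB -> UE RRC connection reconfiguration; None means 'keep the MeNB algorithm'."""
    algorithm: Optional[int]


class SeNB:
    def __init__(self, supported, preset_priority, rank_by_ue_order=False):
        self.supported = set(supported)
        self.preset_priority = list(preset_priority)  # highest priority first
        # Manner 2 policy (assumed): rank by the order of the UE capability list,
        # which the MeNB may have re-sorted to put its preferred algorithm first.
        self.rank_by_ue_order = rank_by_ue_order

    def common(self, ue_capability):
        """Steps S1/S4/S9: algorithms supported by both the SeNB and the UE."""
        return [a for a in ue_capability if a in self.supported]

    def select(self, req):
        """Return (algorithm, accepted_recommendation)."""
        common = self.common(req.ue_capability)
        if not common:
            # Not covered by the patent text; refusing is the safe default.
            raise ValueError("no security algorithm common to SeNB and UE")
        if req.recommended is not None and req.recommended in common:
            return req.recommended, True          # steps S5/S6
        order = req.ue_capability if self.rank_by_ue_order else self.preset_priority
        for alg in order:                         # steps S2/S11: highest priority
            if alg in common:
                return alg, False
        raise ValueError("preset priority list covers none of the common algorithms")

    def handle(self, req):
        """Steps S7 vs S12: omit the algorithm when the recommendation was accepted."""
        alg, accepted = self.select(req)
        return AddModifyDrbCommand(algorithm=None if accepted else alg)


class MeNB:
    def __init__(self, ue_capability, current_algorithm):
        self.ue_capability = list(ue_capability)    # step S302: reported by the UE
        self.current_algorithm = current_algorithm  # algorithm in use on the MeNB link

    def request(self, recommend=True, manner=1):
        """Steps S304/S404: build the add/modify DRB request for the SeNB."""
        if not recommend:
            return AddModifyDrbRequest(self.ue_capability)
        if manner == 1:
            return AddModifyDrbRequest(self.ue_capability, recommended=self.current_algorithm)
        # Manner 2: move the recommended algorithm to the front of the UE list.
        rest = [a for a in self.ue_capability if a != self.current_algorithm]
        return AddModifyDrbRequest([self.current_algorithm] + rest)

    def reconfigure(self, cmd):
        """Steps S310/S410: forward the SeNB's choice (or its absence) to the UE."""
        return RrcReconfiguration(cmd.algorithm)


def ue_apply(rrc, menb_algorithm, ue_capability):
    """Steps S312/S412: the UE adopts the signalled algorithm or keeps the MeNB one."""
    alg = menb_algorithm if rrc.algorithm is None else rrc.algorithm
    if alg not in ue_capability:                  # the UE never accepts an unsupported id
        raise ValueError(f"UE does not support security algorithm {alg}")
    return alg


def negotiate(menb, senb, recommend=True, manner=1):
    """Run the full exchange; returns the algorithm the UE will use towards the SeNB."""
    cmd = senb.handle(menb.request(recommend, manner))
    return ue_apply(menb.reconfigure(cmd), menb.current_algorithm, menb.ue_capability)


if __name__ == "__main__":
    # Constructed inputs taken from the worked examples on this page.
    senb = SeNB(supported=[1, 2, 3, 4, 5], preset_priority=[3, 1, 4])
    menb = MeNB(ue_capability=[1, 3, 4], current_algorithm=1)
    print("no recommendation ->", negotiate(menb, senb, recommend=False))    # 3
    print("recommend 1 (Manner 1) ->", negotiate(menb, senb))                # 1
    print("recommend 6 ->", senb.select(AddModifyDrbRequest([1, 3, 4], 6)))  # (3, False)
```

  • The check a practitioner would want is the one `ue_apply` performs: whatever the SeNB returns, the UE only adopts an identifier that is in its own reported capability, so neither a mistaken recommendation nor a misconfigured SeNB priority table can push the UE onto an algorithm it never offered. The `rank_by_ue_order` flag makes the difference between the two manners explicit: under Manner 1 the SeNB keeps its own ordering and only honours an explicit recommendation inside the intersection; under Manner 2 the ordering itself is what the MeNB manipulates.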
  • FIG. 5 is a structural block diagram of a determining apparatus of a security algorithm according to an embodiment of the present invention.
  • the apparatus may be deployed on the secondary base station side.
  • the apparatus for determining a security algorithm may include: a receiving module 10, configured to receive a request message from the primary base station; and a determining module 20, configured to determine the security algorithm to be used by the secondary base station according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
  • the apparatus shown in FIG. 5 solves the problem in the related art that the encryption protection between the UE and the SeNB is not determined by the SeNB itself and the implementation process is complicated: the SeNB determines the security algorithm it uses, and the complexity of the encryption protection between the UE and the SeNB is effectively reduced.
  • the above-mentioned recommended security algorithm may be a security algorithm currently used for communication between the primary base station and the UE.
  • the manner in which the primary base station sends the recommended security algorithm to the secondary base station may be one of the following:
  • Manner 1 The primary base station configures parameters in a preset field of the request message, where the parameter is used to indicate a security algorithm provided by the primary base station to the secondary base station;
  • Manner 2 The primary base station adjusts the priority order of multiple security algorithms supported by the security capability information of the UE by sending a request message to the secondary base station.
  • the determining module 20 may include: a first determining unit 200, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; and a first selecting unit 202, configured to select, when the request message does not carry a recommended security algorithm, the security algorithm with the highest priority according to the preset priority order of that set as the security algorithm to be used.
  • the determining module 20 may include: a second determining unit 204, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; a first judging unit 206, configured to determine, when the request message carries a recommended security algorithm, whether the recommended security algorithm is included in that set; and a second selecting unit 208, configured to select the recommended security algorithm as the security algorithm to be used when the output of the first judging unit 206 is yes.
  • the determining module 20 may include: a third determining unit 210, configured to determine, according to the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both the secondary base station and the UE; a second judging unit 212, configured to determine, when the request message carries a recommended security algorithm, whether the recommended security algorithm is included in that set; and a third selecting unit 214, configured to select, when the output of the second judging unit 212 is no, the security algorithm with the highest priority according to the preset priority order of that set as the security algorithm to be used.
  • the apparatus may further include: a sending module 30, configured to send the security algorithm to be used to the UE via the primary base station.
  • the base station and the terminal negotiate an optimal encryption algorithm. Because the primary base station, the secondary base station and the terminal all take part in the negotiation, the primary base station can recommend an algorithm to the secondary base station, and the secondary base station can weigh together the algorithms in the UE's security capability, the algorithms it supports itself and the algorithm recommended by the primary base station, and finally decide the security algorithm it will use, so that encryption protection between the UE and the SeNB is easier to realize.
  • the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they may be implemented as program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of these modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
  • the base station and the terminal negotiate an optimal encryption algorithm;
  • the negotiation process involves the primary base station, the secondary base station and the terminal;
  • the primary base station can recommend an algorithm to the secondary base station, and the secondary base station can weigh together the algorithms in the UE's security capability, the algorithms it supports itself and the algorithm recommended by the primary base station, and finally decide the security algorithm it will use, so that encryption protection between the UE and the SeNB is easier to realize.

Abstract

Disclosed in the present invention are a method and apparatus for determining a security algorithm. In the method, a secondary eNodeB (SeNB) receives a request message from a macro eNodeB and determines the security algorithm it will use on the basis of the UE security capability information carried in the request message, whether the request message carries a security algorithm recommended by the macro eNodeB for the secondary eNodeB, and the security algorithms supported by the secondary eNodeB itself. The technical solution provided by the present invention enables an SeNB to decide its own security algorithm, and can effectively reduce the complexity of encryption protection between an SeNB and a UE.

Description

Method and apparatus for determining a security algorithm
Technical field
The present invention relates to the field of communications, and in particular to a method and apparatus for determining a security algorithm.
Background
The Long Term Evolution (LTE) network consists of the Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and the Evolved Packet Core (EPC), and has a flat architecture. The E-UTRAN is connected to the EPC through the S1 interface; the E-UTRAN is composed of multiple interconnected evolved base stations (Evolved NodeB, eNB), and the eNBs are connected to each other through the X2 interface. The EPC is composed of a Mobility Management Entity (MME) and a Serving Gateway (S-GW). In addition, the system architecture includes a Home Environment (HE), namely a Home Subscriber Server (HSS) or a Home Location Register (HLR), which serves as the user database. It may hold user profiles, perform user authentication and authorization, and provide information such as the user's physical location.
To meet the growing demand for high-bandwidth, high-speed mobile access, the Third Generation Partnership Project (3GPP) introduced the LTE-Advanced standard. LTE-Advanced retains the core of LTE and, on that basis, adopts a series of techniques to extend the frequency and spatial domains in order to improve spectrum utilization and increase system capacity. In some application scenarios, Small Cell (SC) enhancement technology is used to improve user throughput.
The main implementation of SC enhancement is dual connectivity. FIG. 1 is a schematic diagram of a network containing a secondary base station according to the related art. As shown in FIG. 1, a user equipment (UE) is connected to two cells at the same time, one of which is the primary cell (Macro Cell) and the other the secondary cell (Small Cell). The base station serving the primary cell is called the primary base station (Macro eNodeB, MeNB), and the base station serving the secondary cell is called the secondary base station (small eNodeB or secondary eNodeB, SeNB). The signaling-plane functions between the UE and the base stations can be handled by the primary base station, while the user plane is handled by the UE together with both the primary and the secondary base station; that is, the UE has a user-plane connection with the primary base station and another with the secondary base station, hence the name dual connectivity.
The key technical question in dual connectivity is how the user-plane protocol stack functions are divided between the primary base station and the secondary base station. Several candidate solutions exist in the related art. In the main one, the user plane and the control plane of the primary base station remain unchanged, and the user-plane protocol stack of the secondary base station may include all layers from the Packet Data Convergence Protocol (PDCP) layer down to the physical (PHY) layer. The secondary base station connects directly to the S-GW, and the S1-U interface between them is identical to the one used previously. Over the air interface, the UE connects directly to the secondary base station to carry the data radio bearers (DRBs) that have been transferred to it.
The algorithm used for air-interface security between the UE and the MeNB is determined by the algorithm negotiation procedure of the LTE system. After the MeNB transfers some of the UE's DRBs to the SeNB, an algorithm negotiation procedure is likewise needed between the SeNB and the UE in order to provide encryption protection. The approach currently under discussion is for the MeNB to learn the algorithms supported by the SeNB, or to have the algorithms supported by the SeNB configured on the MeNB, and then for the MeNB to select an algorithm on behalf of the SeNB and notify both the UE and the SeNB of the selected algorithm. Although feasible, this approach has two main drawbacks:
First, the algorithm used between the SeNB and the UE is not decided by the SeNB itself but by the MeNB on its behalf, which is inconsistent with existing LTE, where each device selects the algorithm it uses;
Second, the number of SeNBs is large, and learning or configuring their algorithms adds complexity to the system.
In summary, in the encryption protection method used between the UE and the SeNB in the related art, the algorithm is not decided by the SeNB itself and the implementation is relatively complex.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for determining a security algorithm, so as to at least solve the problem in the related art that the encryption protection between the UE and the SeNB is not decided by the SeNB itself and is relatively complex to implement.
According to one aspect of the present invention, a method for determining a security algorithm is provided.
The method for determining a security algorithm according to an embodiment of the present invention includes: a secondary base station receives a request message from a primary base station; the secondary base station determines the security algorithm it will use according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
Preferably, the secondary base station determining the security algorithm to be used includes: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; if the request message does not carry a recommended security algorithm, the secondary base station selects, according to a preset priority ranking of those security algorithms, the one with the highest priority as the security algorithm to be used.
Preferably, after the secondary base station determines the security algorithm to be used, the method further includes: the secondary base station sends the security algorithm to be used to the UE via the primary base station.
Preferably, the secondary base station selecting the security algorithm to be used includes: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; if the request message carries a recommended security algorithm, the secondary base station judges whether the recommended security algorithm is among those security algorithms; if so, the secondary base station selects the recommended security algorithm as the security algorithm to be used.
Preferably, after the secondary base station selects the security algorithm to be used, the method further includes: the secondary base station does not carry the security algorithm to be used in the response message returned to the primary base station; and the UE continues to use the security algorithm currently used for communication with the primary base station.
Preferably, the secondary base station selecting the security algorithm to be used includes: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; if the request message carries a recommended security algorithm, the secondary base station judges whether the recommended security algorithm is among those security algorithms; if not, the secondary base station selects, according to the preset priority ranking of those security algorithms, the one with the highest priority as the security algorithm to be used.
Preferably, after the secondary base station selects the security algorithm to be used, the method further includes: the secondary base station sends the security algorithm to be used to the UE via the primary base station; and the UE uses the security algorithm to be used between itself and the secondary base station.
Preferably, the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
Preferably, the primary base station sends the recommended security algorithm to the secondary base station in one of the following ways: the primary base station configures a parameter in a preset field of the request message, where the parameter indicates the security algorithm that the primary base station offers to the secondary base station; or the primary base station, by means of the request message it sends to the secondary base station, adjusts the priority ordering of the security algorithms listed in the security capability information of the UE.
According to another aspect of the present invention, an apparatus for determining a security algorithm is provided.
The apparatus for determining a security algorithm according to an embodiment of the present invention includes: a receiving module, configured to receive a request message from the primary base station; and a determining module, configured to determine the security algorithm to be used by the secondary base station according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
Preferably, the determining module includes: a first determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; and a first selecting unit, configured to select, when the request message does not carry a recommended security algorithm, the algorithm with the highest priority according to the preset priority ranking of those security algorithms as the security algorithm to be used.
Preferably, the determining module includes: a second determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; a first judging unit, configured to judge, when the request message carries a recommended security algorithm, whether the recommended security algorithm is among those security algorithms; and a second selecting unit, configured to select the recommended security algorithm as the security algorithm to be used when the output of the first judging unit is yes.
Preferably, the determining module includes: a third determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both; a second judging unit, configured to judge, when the request message carries a recommended security algorithm, whether the recommended security algorithm is among those security algorithms; and a third selecting unit, configured to select, when the output of the second judging unit is no, the algorithm with the highest priority according to the preset priority ranking of those security algorithms as the security algorithm to be used.
Preferably, the apparatus further includes: a sending module, configured to send the security algorithm to be used to the UE via the primary base station.
Preferably, the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
Preferably, the primary base station sends the recommended security algorithm to the secondary base station in one of the following ways: the primary base station configures a parameter in a preset field of the request message, where the parameter indicates the security algorithm that the primary base station offers to the secondary base station; or the primary base station, by means of the request message it sends to the secondary base station, adjusts the priority ordering of the security algorithms listed in the security capability information of the UE.
In the embodiments of the present invention, the secondary base station receives a request message from the primary base station and determines the security algorithm it will use according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself. That is, the primary base station, the secondary base station and the UE all take part in the negotiation of the security algorithm, and the secondary base station decides for itself how to select the security algorithm, based on the security capability information of the UE and on whether the primary base station has recommended an algorithm to it. This solves the problem in the related art that the encryption protection between the UE and the SeNB is not decided by the SeNB itself and is relatively complex to implement; the SeNB can decide which security algorithm it uses, and the complexity of encryption protection between the UE and the SeNB is effectively reduced.
Brief description of the drawings
The drawings described herein are provided for a further understanding of the present invention and form a part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic diagram of a network containing a secondary base station according to the related art;
FIG. 2 is a flowchart of a method for determining a security algorithm according to an embodiment of the present invention;
FIG. 3 is a flowchart of algorithm negotiation with an MeNB recommendation according to a preferred embodiment of the present invention;
FIG. 4 is a flowchart of algorithm negotiation without an MeNB recommendation according to a preferred embodiment of the present invention;
FIG. 5 is a structural block diagram of an apparatus for determining a security algorithm according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of an apparatus for determining a security algorithm according to a preferred embodiment of the present invention.
Detailed description
The present invention will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
FIG. 2 is a flowchart of a method for determining a security algorithm according to an embodiment of the present invention. As shown in FIG. 2, the method may include the following processing steps:
Step S202: the secondary base station receives a request message from the primary base station;
Step S204: the secondary base station determines the security algorithm it will use according to the security capability information of the UE carried in the request message, whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and the security algorithms supported by the secondary base station itself.
In the related art, the encryption protection between the UE and the SeNB is not decided by the SeNB itself, and the implementation is relatively complex. With the method shown in FIG. 2, the primary base station, the secondary base station and the UE all take part in the negotiation of the security algorithm, and the secondary base station decides for itself how to select the security algorithm, based on the security capability information of the UE and on whether the primary base station has recommended an algorithm to it. This solves the problem in the related art that the encryption protection between the UE and the SeNB is not decided by the SeNB itself and is relatively complex to implement; the SeNB can decide which security algorithm it uses, and the complexity of encryption protection between the UE and the SeNB is effectively reduced.
In a preferred implementation, the recommended security algorithm may be the security algorithm currently used for communication between the primary base station and the UE.
In a preferred implementation, the primary base station may send the recommended security algorithm to the secondary base station in one of the following ways:
Manner 1: the primary base station configures a parameter in a preset field of the request message, where the parameter indicates the security algorithm that the primary base station offers to the secondary base station. For example, writing 0 in the preset field indicates that security algorithm 1 is recommended, and writing 1 indicates that security algorithm 2 is recommended.
Manner 2: the primary base station, by means of the request message it sends to the secondary base station, adjusts the priority ordering of the security algorithms listed in the security capability information of the UE. For example, the UE supports security algorithm 1, security algorithm 2 and security algorithm 3, with priority from high to low being security algorithm 1, security algorithm 2, security algorithm 3. By means of the request message it sends to the secondary base station, the primary base station can adjust this ordering so that security algorithm 2 becomes the security algorithm with the highest priority.
Preferably, in step S204, the secondary base station determining the security algorithm to be used may include the following operations:
Step S1: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both;
Step S2: if the request message does not carry a recommended security algorithm, the secondary base station selects, according to the preset priority ranking of those security algorithms, the one with the highest priority as the security algorithm to be used.
In a preferred embodiment, suppose the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, while the UE supports security algorithm 1, security algorithm 3 and security algorithm 4; the intersection (the commonly supported security algorithms) is then security algorithm 1, security algorithm 3 and security algorithm 4. The priority ranking preset locally at the secondary base station, from high to low, is security algorithm 3, security algorithm 1, security algorithm 4. The secondary base station therefore selects security algorithm 3, which has the highest priority.
Preferably, after the secondary base station determines the security algorithm to be used, the following step may also be included:
Step S3: the secondary base station sends the security algorithm to be used to the UE via the primary base station. That is, the secondary base station may send a response message to the primary base station carrying the security algorithm it has selected; the primary base station then returns a response message to the UE carrying the security algorithm selected by the secondary base station.
Preferably, in step S204, the secondary base station selecting the security algorithm to be used may include the following steps:
Step S4: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both;
Step S5: if the request message carries a recommended security algorithm, the secondary base station judges whether the recommended security algorithm is among those security algorithms;
Step S6: if so, the secondary base station selects the recommended security algorithm as the security algorithm to be used.
In a preferred embodiment, suppose the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, while the UE supports security algorithm 1, security algorithm 3 and security algorithm 4; the intersection (the commonly supported security algorithms) is then security algorithm 1, security algorithm 3 and security algorithm 4. The security algorithm recommended by the primary base station to the secondary base station is security algorithm 1; the secondary base station finds on checking that security algorithm 1 is supported by both itself and the UE, and therefore selects security algorithm 1 as the security algorithm to be used.
Preferably, after the secondary base station selects the security algorithm to be used in step S204, the following operations may also be included:
Step S7: the secondary base station does not carry the security algorithm to be used in the response message returned to the primary base station;
Step S8: the UE continues to use the security algorithm currently used for communication with the primary base station.
In a preferred embodiment, if the secondary base station adopts the security algorithm recommended by the primary base station, and that recommended security algorithm is normally the one the UE currently uses to communicate with the primary base station, then neither the response message returned by the secondary base station to the primary base station nor the response message returned by the primary base station to the UE needs to carry the recommended security algorithm; the UE simply continues to use the security algorithm it currently uses to communicate with the primary base station.
Preferably, in step S204, the secondary base station selecting the security algorithm to be used may include the following steps:
Step S9: the secondary base station determines, from the locally supported security algorithms and the security algorithms supported by the UE, the security algorithms supported by both;
Step S10: if the request message carries a recommended security algorithm, the secondary base station judges whether the recommended security algorithm is among those security algorithms;
Step S11: if not, the secondary base station selects, according to the preset priority ranking of those security algorithms, the one with the highest priority as the security algorithm to be used.
In a preferred embodiment, suppose the secondary base station locally supports security algorithm 1, security algorithm 2, security algorithm 3, security algorithm 4 and security algorithm 5, while the UE supports security algorithm 1, security algorithm 3 and security algorithm 4; the intersection (the commonly supported security algorithms) is then security algorithm 1, security algorithm 3 and security algorithm 4. The security algorithm recommended by the primary base station to the secondary base station is security algorithm 6; the secondary base station finds on checking that security algorithm 6 is not supported by both itself and the UE, and the priority ranking preset locally at the secondary base station, from high to low, is security algorithm 3, security algorithm 1, security algorithm 4. The secondary base station therefore selects security algorithm 3, which has the highest priority.
It should be noted that, when selecting the security algorithm it will use, the secondary base station should normally first choose a security algorithm that is supported by both itself and the UE and that the primary base station has recommended to it; then, where the secondary base station cannot support the algorithm recommended by the primary base station, it selects the security algorithm with the highest priority among those supported by both itself and the UE.
优选地,在步骤S204,从基站选取待使用的安全算法之后,还可以包括以下操作:Preferably, after the security algorithm to be used is selected from the base station in step S204, the following operations may also be included:
步骤S12:从基站经由主基站将待使用的安全算法发送至UE;Step S12: The security algorithm to be used is sent from the base station to the UE via the primary base station;
步骤S13:UE在该UE与从基站之间使用待使用的安全算法。Step S13: The UE uses a security algorithm to be used between the UE and the secondary base station.
As a preferred embodiment of the present invention, FIG. 3 is a flowchart of algorithm negotiation with an MeNB recommendation. As shown in FIG. 3, this embodiment describes the scenario in which the MeNB recommends a security algorithm to the SeNB and the SeNB negotiates the security algorithm with the UE. The flow may include the following steps:
Step S302: a radio resource control (RRC) connection and DRBs are established between the UE and the MeNB, and the UE reports its security capability information to the MeNB. The security capability information may include security algorithm information, which may comprise the ciphering algorithms and integrity protection algorithms the UE supports.
Step S304: the MeNB sends an Add/Modify DRB request message to the SeNB, carrying the UE's security capability information and the ciphering algorithm the MeNB recommends to the SeNB.
In this embodiment, the MeNB's recommendation may also be conveyed by adjusting the priority order of the algorithms in the UE's capability list, in which case the SeNB only needs to negotiate on the basis of the algorithms supported by the UE and the algorithms it supports locally.
Step S306: the SeNB preferentially selects an algorithm that is supported by the UE security capability, supported by the SeNB and recommended by the MeNB; failing that, it selects the highest-priority algorithm that is supported by both the UE security capability and the SeNB.
If the algorithm selected by the SeNB is the one recommended by the MeNB, the subsequent messages need not carry a security algorithm, and the UE uses the algorithm it already uses for communication with the MeNB.
Step S308: the SeNB sends an Add/Modify DRB command message to the MeNB, carrying the security algorithm, which may be identified by an algorithm identifier.
Step S310: the MeNB instructs the UE to connect to the SeNB via an RRC connection reconfiguration request message, carrying the identifier of the security algorithm.
Step S312: the UE returns an RRC connection reconfiguration response message to the MeNB.
As another preferred embodiment of the present invention, FIG. 4 is a flowchart of algorithm negotiation without an MeNB recommendation. As shown in FIG. 4, this embodiment describes the scenario in which the MeNB does not recommend a security algorithm to the SeNB and the SeNB negotiates the security algorithm with the UE. The flow may include the following steps:
Step S402: a radio resource control (RRC) connection and DRBs are established between the UE and the MeNB, and the UE reports its security capability information to the MeNB. The security capability information may include security algorithm information, which may comprise the ciphering algorithms and integrity protection algorithms the UE supports.
Step S404: the MeNB sends an Add/Modify DRB request message to the SeNB, carrying only the UE's security capability information.
In this embodiment too, an MeNB recommendation may be conveyed by adjusting the priority order of the algorithms in the UE's capability list, so that the SeNB only needs to negotiate on the basis of the algorithms supported by the UE and the algorithms it supports locally.
Step S406: the SeNB selects the highest-priority algorithm among those supported by both the UE security capability and the SeNB.
Step S408: the SeNB sends an Add/Modify DRB command message to the MeNB, carrying the security algorithm, which may be identified by an algorithm identifier.
Step S410: the MeNB instructs the UE to connect to the SeNB via an RRC connection reconfiguration request message, carrying the identifier of the security algorithm.
Step S412: the UE returns an RRC connection reconfiguration response message to the MeNB.
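The selection rule of steps S9 to S11, the two ways of conveying the MeNB recommendation (an explicit field, or reordering the UE capability list), and the message flows of FIG. 3 and FIG. 4 are shown together below as an added example; it is not code from the patent or from ZTE. The patent names only "security algorithm 1 to 6" and describes the messages in prose, so the algorithm numbers, the SeNB priority list [3, 1, 4, 2, 5], the message field names and the `capability_order_is_priority` flag used for the reordering mode are assumptions made here for illustration. The UE-side check that refuses an algorithm the UE never advertised is also an addition: the patent relies on the SeNB choosing from the UE's capability list, and a practitioner would want the UE to enforce the same bound, since an absent identifier is interpreted as "keep the MeNB algorithm" and a present one is otherwise accepted as-is.

```python
"""Added example (not part of the patent text): SeNB security-algorithm
selection (steps S9-S11 / S306 / S406) and the MeNB-SeNB-UE exchange of
FIG. 3 and FIG. 4. Algorithm numbers, field names and the priority list
are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the worked example in the description.
SENB_SUPPORTED = {1, 2, 3, 4, 5}
SENB_PRIORITY = [3, 1, 4, 2, 5]   # assumed preset SeNB order, highest first
UE_SUPPORTED = [1, 3, 4]          # UE security capability as reported to the MeNB


def select_algorithm(ue_supported, senb_supported, senb_priority, recommended=None):
    """Return (algorithm, chosen_via_recommendation).

    The recommended algorithm wins if both SeNB and UE support it (S10);
    otherwise the highest-priority algorithm in the intersection is chosen
    (S11). A UE and SeNB with no common algorithm cannot be configured."""
    common = set(ue_supported) & set(senb_supported)
    if not common:
        raise ValueError("no security algorithm supported by both UE and SeNB")
    if recommended is not None and recommended in common:
        return recommended, True
    for alg in senb_priority:          # preset priority order, highest first
        if alg in common:
            return alg, False
    raise ValueError("priority list does not cover the common algorithms")


def recommend_by_reordering(ue_supported, recommended):
    """Mode 2: the MeNB conveys its recommendation by moving the recommended
    algorithm to the front of the UE capability list instead of adding a
    field; the SeNB then treats the list order as the priority order."""
    if recommended not in ue_supported:
        return list(ue_supported)
    return [recommended] + [a for a in ue_supported if a != recommended]


@dataclass
class Ue:
    supported: list
    menb_algorithm: int               # algorithm currently used with the MeNB
    senb_algorithm: Optional[int] = None

    def rrc_reconfiguration(self, msg):
        """Step S310/S410. No identifier means "keep the MeNB algorithm"
        (S7/S8). Refusing an algorithm outside the UE's own capability
        list is an added check, not part of the patent."""
        alg = msg.get("security_algorithm", self.menb_algorithm)
        if alg not in self.supported:
            raise ValueError(f"algorithm {alg} not in UE security capability")
        self.senb_algorithm = alg
        return {"type": "RRCConnectionReconfigurationComplete"}


def senb_handle_request(req, senb_supported, senb_priority):
    """Steps S304-S308 / S404-S408 on the SeNB side."""
    ue_caps = req["ue_security_capability"]
    recommended = req.get("recommended_algorithm")
    if recommended is None and req.get("capability_order_is_priority"):
        senb_priority = ue_caps       # mode 2: UE list order carries the recommendation
    alg, via_rec = select_algorithm(ue_caps, senb_supported, senb_priority, recommended)
    cmd = {"type": "AddModifyDRBCommand"}
    if not via_rec:                   # S7: a recommended algorithm is not echoed back
        cmd["security_algorithm"] = alg
    return cmd


def run_flow(ue, recommended=None, mode=1):
    """FIG. 3 (mode 1: explicit field; mode 2: reordered capability list) or
    FIG. 4 (recommended=None). Returns the algorithm the UE uses toward the SeNB."""
    req = {"type": "AddModifyDRBRequest", "ue_security_capability": list(ue.supported)}
    if recommended is not None:
        if mode == 1:
            req["recommended_algorithm"] = recommended
        else:
            req["ue_security_capability"] = recommend_by_reordering(ue.supported, recommended)
            req["capability_order_is_priority"] = True
    cmd = senb_handle_request(req, SENB_SUPPORTED, SENB_PRIORITY)
    rrc = {"type": "RRCConnectionReconfiguration"}
    if "security_algorithm" in cmd:   # MeNB forwards the identifier to the UE (S310)
        rrc["security_algorithm"] = cmd["security_algorithm"]
    ue.rrc_reconfiguration(rrc)
    return ue.senb_algorithm


if __name__ == "__main__":
    print(run_flow(Ue(UE_SUPPORTED, menb_algorithm=1), recommended=1))          # 1
    print(run_flow(Ue(UE_SUPPORTED, menb_algorithm=1), recommended=6))          # 3
    print(run_flow(Ue(UE_SUPPORTED, menb_algorithm=1)))                         # 3
    print(run_flow(Ue(UE_SUPPORTED, menb_algorithm=1), recommended=4, mode=2))  # 4
```

The first two calls reproduce the two worked examples of the description: recommendation 1 is in the intersection {1, 3, 4} and is kept without being carried in the Add/Modify DRB command, while recommendation 6 is not, so the SeNB falls back to algorithm 3, the first entry of its priority list that the UE also supports. The third call is the FIG. 4 flow without any recommendation, and the fourth shows the reordering mode, where the SeNB's own priority list is replaced by the order the MeNB put on the UE capability list.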
FIG. 5 is a structural block diagram of an apparatus for determining a security algorithm according to an embodiment of the present invention. The apparatus may be located at the secondary base station. As shown in FIG. 5, it may include: a receiving module 10, configured to receive a request message from the primary base station; and a determining module 20, configured to determine the security algorithm the secondary base station will use, based on the UE security capability information carried in the request message, on whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and on the security algorithms the secondary base station itself supports.
The apparatus of FIG. 5 addresses the problem in the related art that the ciphering protection between the UE and the SeNB is not decided by the SeNB itself and is complex to implement: the SeNB decides the security algorithm it uses, which effectively reduces the complexity of ciphering protection between the UE and the SeNB.
In a preferred implementation, the recommended security algorithm may be the security algorithm currently used for communication between the primary base station and the UE.
In a preferred implementation, the primary base station may send the recommended security algorithm to the secondary base station in one of the following ways:
Mode 1: the primary base station configures a parameter in a preset field of the request message, the parameter indicating the security algorithm the primary base station provides to the secondary base station;
Mode 2: the primary base station, by sending the request message to the secondary base station, adjusts the priority order of the security algorithms listed in the UE's security capability information.
Preferably, as shown in FIG. 6, the determining module 20 may include: a first determining unit 200, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both; and a first selecting unit 202, configured to select, when the request message does not carry a recommended security algorithm, the highest-priority algorithm in that set according to a preset priority order as the security algorithm to be used.
Preferably, as shown in FIG. 6, the determining module 20 may include: a second determining unit 204, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both; a first judging unit 206, configured to judge, when the request message carries a recommended security algorithm, whether the recommended algorithm is in that set; and a second selecting unit 208, configured to select the recommended security algorithm as the security algorithm to be used when the first judging unit outputs yes.
Preferably, as shown in FIG. 6, the determining module 20 may include: a third determining unit 210, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the set of security algorithms supported by both; a second judging unit 212, configured to judge, when the request message carries a recommended security algorithm, whether the recommended algorithm is in that set; and a third selecting unit 214, configured to select, when the second judging unit outputs no, the highest-priority algorithm in that set according to a preset priority order as the security algorithm to be used.
Preferably, as shown in FIG. 6, the apparatus may further include a sending module 30, configured to send the security algorithm to be used to the UE via the primary base station.
From the above description it can be seen that the embodiments achieve the following technical effects (these are effects that certain preferred embodiments can achieve): with the technical solution provided by the embodiments of the present invention, the base station and the terminal can negotiate an optimal ciphering algorithm. Since the primary base station, the secondary base station and the terminal all take part in the negotiation, the primary base station can recommend an algorithm to the secondary base station, and the secondary base station can weigh the algorithms supported by the UE security capability, the algorithms it supports itself and the algorithm recommended by the primary base station before deciding the security algorithm it adopts. Ciphering protection between the UE and the SeNB is therefore easier to implement.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices. Optionally, they may be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and changes to the present invention. Any modification, equivalent substitution, improvement or the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.
Industrial applicability
As described above, the method and apparatus for determining a security algorithm provided by the embodiments of the present invention have the following beneficial effects: the base station and the terminal negotiate an optimal ciphering algorithm. Since the primary base station, the secondary base station and the terminal all take part in the negotiation, the primary base station can recommend an algorithm to the secondary base station, and the secondary base station can weigh the algorithms supported by the UE security capability, the algorithms it supports itself and the algorithm recommended by the primary base station before deciding the security algorithm it adopts. Ciphering protection between the UE and the SeNB is therefore easier to implement.

Claims (16)

  1. A method for determining a security algorithm, comprising:
    a secondary base station receiving a request message from a primary base station;
    the secondary base station determining the security algorithm it will use, based on the security capability information of a user equipment (UE) carried in the request message, on whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and on the security algorithms supported by the secondary base station itself.
  2. The method according to claim 1, wherein the secondary base station determining the security algorithm to be used comprises:
    the secondary base station determining, from its locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    if the request message does not carry the recommended security algorithm, the secondary base station selecting, according to a preset priority order of the plurality of security algorithms, the highest-priority security algorithm as the security algorithm to be used.
  3. The method according to claim 2, further comprising, after the secondary base station determines the security algorithm to be used:
    the secondary base station sending the security algorithm to be used to the UE via the primary base station.
  4. The method according to claim 1, wherein the secondary base station selecting the security algorithm to be used comprises:
    the secondary base station determining, from its locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    if the request message carries the recommended security algorithm, the secondary base station judging whether the recommended security algorithm is among the plurality of security algorithms;
    if so, the secondary base station selecting the recommended security algorithm as the security algorithm to be used.
  5. The method according to claim 4, further comprising, after the secondary base station selects the security algorithm to be used:
    the secondary base station not carrying the security algorithm to be used in the response message returned to the primary base station;
    the UE continuing to use the security algorithm currently used for communication with the primary base station.
  6. The method according to claim 1, wherein the secondary base station selecting the security algorithm to be used comprises:
    the secondary base station determining, from its locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    if the request message carries the recommended security algorithm, the secondary base station judging whether the recommended security algorithm is among the plurality of security algorithms;
    if not, the secondary base station selecting, according to a preset priority order of the plurality of security algorithms, the highest-priority security algorithm as the security algorithm to be used.
  7. The method according to claim 6, further comprising, after the secondary base station selects the security algorithm to be used:
    the secondary base station sending the security algorithm to be used to the UE via the primary base station;
    the UE using the security algorithm to be used between the UE and the secondary base station.
  8. The method according to any one of claims 1 to 7, wherein the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
  9. The method according to any one of claims 1 to 7, wherein the primary base station sends the recommended security algorithm to the secondary base station in one of the following ways:
    the primary base station configures a parameter in a preset field of the request message, the parameter indicating the security algorithm provided by the primary base station to the secondary base station;
    the primary base station, by sending the request message to the secondary base station, adjusts the priority order of the plurality of security algorithms listed in the security capability information of the UE.
  10. An apparatus for determining a security algorithm, comprising:
    a receiving module, configured to receive a request message from a primary base station;
    a determining module, configured to determine the security algorithm the secondary base station will use, based on the security capability information of a user equipment (UE) carried in the request message, on whether the request message carries a security algorithm recommended by the primary base station to the secondary base station, and on the security algorithms supported by the secondary base station itself.
  11. The apparatus according to claim 10, wherein the determining module comprises:
    a first determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    a first selecting unit, configured to select, when the request message does not carry the recommended security algorithm, the highest-priority security algorithm according to a preset priority order of the plurality of security algorithms as the security algorithm to be used.
  12. The apparatus according to claim 10, wherein the determining module comprises:
    a second determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    a first judging unit, configured to judge, when the request message carries the recommended security algorithm, whether the recommended security algorithm is among the plurality of security algorithms;
    a second selecting unit, configured to select the recommended security algorithm as the security algorithm to be used when the first judging unit outputs yes.
  13. The apparatus according to claim 10, wherein the determining module comprises:
    a third determining unit, configured to determine, from the locally supported security algorithms and the security algorithms supported by the UE, the plurality of security algorithms supported by both;
    a second judging unit, configured to judge, when the request message carries the recommended security algorithm, whether the recommended security algorithm is among the plurality of security algorithms;
    a third selecting unit, configured to select, when the second judging unit outputs no, the highest-priority security algorithm according to a preset priority order of the plurality of security algorithms as the security algorithm to be used.
  14. The apparatus according to claim 10, further comprising:
    a sending module, configured to send the security algorithm to be used to the UE via the primary base station.
  15. The apparatus according to any one of claims 10 to 14, wherein the recommended security algorithm is the security algorithm currently used for communication between the primary base station and the UE.
  16. The apparatus according to any one of claims 10 to 14, wherein the primary base station sends the recommended security algorithm to the secondary base station in one of the following ways:
    the primary base station configures a parameter in a preset field of the request message, the parameter indicating the security algorithm provided by the primary base station to the secondary base station;
    the primary base station, by sending the request message to the secondary base station, adjusts the priority order of the plurality of security algorithms listed in the security capability information of the UE.
PCT/CN2014/086764 2014-03-21 2014-09-17 Method and apparatus for determining a security algorithm WO2015139434A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410107966.5A CN104936171B (en) 2014-03-21 2014-03-21 The determination method and device of security algorithm
CN201410107966.5 2014-03-21

Publications (1)

Publication Number Publication Date
WO2015139434A1 true WO2015139434A1 (en) 2015-09-24

Family

ID=54123076

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/086764 WO2015139434A1 (en) 2014-03-21 2014-09-17 Method and apparatus for determining a security algorithm

Country Status (2)

Country Link
CN (1) CN104936171B (en)
WO (1) WO2015139434A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3749017A4 (en) * 2018-02-11 2021-04-07 Huawei Technologies Co., Ltd. Security protection method, apparatus, and access network device
RU2782345C2 (en) * 2018-02-11 2022-10-26 Хуавей Текнолоджиз Ко., Лтд. Safety protection method, device, and network access device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018201506A1 (en) * 2017-05-05 2018-11-08 华为技术有限公司 Communication method and related device
CN109246692A (en) * 2017-06-16 2019-01-18 华为技术有限公司 Connection management method, terminal and wireless access network equipment
CN110958650B (en) * 2018-09-26 2021-06-08 维沃移动通信有限公司 User equipment capacity determination method and node

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009057730A2 (en) * 2007-10-31 2009-05-07 Nec Corporation System and method for selection of security algorithms
CN101534506A (en) * 2008-03-14 2009-09-16 中兴通讯股份有限公司 Method for indicating base station security information
CN103188663A (en) * 2011-12-27 2013-07-03 华为技术有限公司 Secure communication method for carrier aggregation between base stations and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102340772B (en) * 2010-07-15 2014-04-16 华为技术有限公司 Security processing method, device and system in conversion process

Also Published As

Publication number Publication date
CN104936171B (en) 2019-07-16
CN104936171A (en) 2015-09-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14886636

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14886636

Country of ref document: EP

Kind code of ref document: A1