WO2016019586A1 - Encryption keystream element updating device, method and double connection system - Google Patents


Publication number
WO2016019586A1
Authority
WO
WIPO (PCT)
Prior art keywords
access node
bearer
generation element
key stream
update
Application number
PCT/CN2014/084023
Inventor
张冬梅
张丽佳
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201480031309.5A (patent CN105900471B)
Priority to PCT/CN2014/084023 (WO2016019586A1)
Publication of WO2016019586A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation

Definitions

  • The present invention relates to the field of mobile communications, and in particular to a key stream element updating apparatus, method, and dual connectivity system.
  • Background
  • A dual connectivity system includes a primary base station (Macro eNB, MeNB for short) and a secondary base station (Secondary eNB, SeNB for short).
  • MeNB: primary base station
  • SeNB: secondary base station
  • User equipment (UE for short) can establish a bearer to access the network through the primary base station or the secondary base station.
  • A bearer may also be transferred, for example switched from the MeNB to the SeNB or from the SeNB to the MeNB, to relieve capacity pressure on a base station.
  • User plane data transmitted between the UE and the MeNB and between the UE and the SeNB is encrypted to ensure data transmission security.
  • The elements that affect key stream generation are: the encryption key (Kupenc), the Packet Data Convergence Protocol count (PDCP COUNT for short), the data radio bearer identity (DRB ID for short), the data flow direction (Direction), and the key stream length (Length).
  • Direction is either uplink or downlink. Length is a specific value that depends on the encryption algorithm. Therefore, for a given encryption algorithm and in each transmission direction, if Kupenc, the PDCP COUNT value and the DRB ID are the same, the generated key stream will be the same. For example, if the encryption algorithm EEA1 is selected for all bearers, then in the uplink direction of the SeNB, if a first bearer with DRB ID 1 is released and a second bearer with DRB ID 1 is established, the PDCP COUNT of the second bearer restarts counting.
  • If the SeNB's root key S-KeNB is not updated, Kupenc does not change, so two different bearers have the same Kupenc, PDCP COUNT value and DRB ID, which produces the same key stream for two different bearers.
  • The method adopted in the prior art is: if a previously established bearer has been released, successive bearers are assigned different DRB IDs, and the MeNB and the SeNB share one DRB ID resource pool; when the DRB IDs are used up, a key update is triggered. In this way, different bearers are prevented from having the same DRB ID, which avoids the problem of key stream repetition.
  • The following situation may occur: when the PDCP COUNT of a third bearer is 1000, the bearer is switched from the MeNB to the SeNB, and the bearer ID does not change before and after the handover; while the third bearer is on the SeNB, the SeNB performs a key update.
  • The PDCP COUNT of the third bearer then restarts counting; when the PDCP COUNT of the third bearer is 100, the bearer is switched back from the SeNB to the MeNB, and the PDCP COUNT continues counting from 101.
  • The key stream of the data packets with PDCP COUNT 101 to 1000 after the third bearer is switched back from the SeNB to the MeNB then repeats the key stream of the data packets with PDCP COUNT 101 to 1000 before the handover from the MeNB to the SeNB.
  • An embodiment of the present invention provides a key stream element update apparatus, method, and dual connectivity system to solve the problem in the prior art that key stream repetition occurs when a bearer is handed over between base stations.
  • An embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection for user equipment (UE). The apparatus includes:
  • a receiving unit, configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; and
  • a processing unit, configured to perform a key stream generation element update according to the trigger message.
  • The processing unit, configured to perform the key stream generation element update according to the trigger message, is configured to: when first information used to indicate a key update of the second access node is acquired, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform the key stream generation element update on the first access node when the first information used to indicate the second access node key update is acquired, is configured to: when the first information is acquired, if a transfer bearer exists on the second access node, perform a key stream generation element update on the first access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The processing unit, configured to perform the key stream generation element update on the first access node when the first information used to indicate the second access node key update is acquired, is configured to: when the first information is acquired, if the first information carries a presence indication, perform a key stream generation element update on the first access node, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The processing unit, configured to perform the key stream generation element update on the first access node when the first information used to indicate the second access node key update is acquired, is configured to: acquire a bearer transfer record, where the bearer transfer record is used to record transfer bearers and a transfer bearer is a bearer transferred from the first access node to the second access node; and, if it is determined according to the bearer transfer record and all current bearers on the second access node that a transfer bearer exists on the second access node, perform a key stream generation element update on the first access node.
  • With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the processing unit, configured to acquire the bearer transfer record and to perform the key stream generation element update on the first access node if it is determined according to the bearer transfer record and all current bearers on the second access node that a transfer bearer exists on the second access node, is further configured to: delete the bearer transfer record after performing the key stream generation element update on the first access node.
  • The processing unit, configured to perform a key stream generation element update on the first access node, is configured to: update a key of the first access node.
  • The processing unit, configured to perform a key stream generation element update on the first access node, is configured to: reallocate a DRB ID for the transfer bearer.
  • The processing unit, configured to perform a key stream generation element update according to the trigger message, is configured to: when second information used to indicate that a target bearer is transferred from the second access node to the first access node is acquired, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform the key stream generation element update on the first access node when the second information used to indicate that the target bearer is transferred from the second access node to the first access node is acquired, is configured to: when the second information is acquired, if it is determined according to a switchback indication in the second information that the target bearer is a transfer bearer, perform a key stream generation element update on the first access node, where the switchback indication is used to indicate that the target bearer is a transfer bearer.
  • The processing unit, configured to perform the key stream generation element update on the first access node when the second information used to indicate that the target bearer is transferred from the second access node to the first access node is acquired, is configured to: acquire a bearer transfer record; and if the target bearer is determined to be a transfer bearer according to the bearer transfer record, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform a key stream generation element update on the first access node, is configured to: when it is determined, according to a reset indication in the second information, that the target bearer underwent a PDCP COUNT reset during its time on the second access node, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform a key stream generation element update on the first access node, is configured to: when it is determined, according to a reset identifier in the bearer transfer record, that the target bearer underwent a PDCP COUNT reset during its time on the second access node, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform a key stream generation element update on the first access node, is configured to: acquire the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer when it was transferred from the first access node to the second access node; and if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value when it was transferred from the first access node to the second access node, perform a key stream generation element update on the first access node.
  • The processing unit, configured to perform the key stream generation element update on the first access node, is configured to: update the key of the first access node or reallocate the DRB ID for the target bearer.
  • An embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection for a UE. The apparatus includes:
  • a processing unit, configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; and
  • a sending unit, configured to send the trigger message to the first access node.
  • The processing unit, configured to generate a trigger message when the preset condition is met, is configured to: generate first information when the second access node performs a key update.
  • Sending the trigger message to the first access node includes: sending the first information to the first access node.
  • The processing unit, configured to generate the first information when the second access node performs a key update, is configured to: when the second access node performs a key update, if a transfer bearer exists on the second access node, generate the first information.
  • The processing unit, configured to generate a trigger message when the preset condition is met, is configured to: generate second information when a target bearer is switched from the second access node to the first access node. The sending unit, configured to send the trigger message to the first access node, is configured to: send the second information to the first access node.
  • The processing unit, configured to generate the second information when the target bearer is handed over from the second access node to the first access node, is configured to: when the target bearer is switched from the second access node to the first access node, if the target bearer is a transfer bearer, generate second information carrying a switchback indication.
  • The processing unit, configured to generate the second information when the target bearer is switched from the second access node to the first access node, is configured to: when the target bearer is switched from the second access node to the first access node, if the target bearer is a transfer bearer and the target bearer underwent a PDCP COUNT reset during its time on the second access node, generate second information carrying a switchback indication and a reset indication.
  • An embodiment of the present invention provides a method for updating a key stream generation element of a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection for a UE. The method includes: the first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; and the first access node performs a key stream generation element update according to the trigger message.
  • The first access node performing the key stream generation element update according to the trigger message includes: when first information used to indicate a key update of the second access node is acquired, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: if a transfer bearer exists on the second access node, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: if the first information carries a presence indication, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: acquiring a bearer transfer record; and, if it is determined according to the bearer transfer record and all current bearers on the second access node that a transfer bearer exists on the second access node, performing a key stream generation element update on the first access node.
  • The method further includes: deleting the bearer transfer record.
  • Performing a key stream generation element update on the first access node includes: updating a key of the first access node.
  • Performing a key stream generation element update on the first access node includes: reallocating a DRB ID for the transfer bearer.
  • The first access node performing a key stream generation element update according to the trigger message includes: when second information used to indicate that a target bearer is transferred from the second access node to the first access node is acquired, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: if it is determined according to the switchback indication in the second information that the target bearer is a transfer bearer, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: acquiring a bearer transfer record, where the bearer transfer record is used to record transfer bearers; and if the target bearer is determined to be a transfer bearer according to the bearer transfer record, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: if it is determined according to the reset indication in the second information that the target bearer underwent a PDCP COUNT reset during its time on the second access node, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: if it is determined according to the reset identifier in the bearer transfer record that the target bearer underwent a PDCP COUNT reset during its time on the second access node, performing a key stream generation element update on the first access node.
  • Performing a key stream generation element update on the first access node includes: acquiring the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer when it was transferred from the first access node to the second access node; and if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value when it was transferred from the first access node to the second access node, performing a key stream generation element update on the first access node.
  • Performing the key stream generation element update on the first access node includes: updating a key of the first access node or reallocating a DRB ID for the target bearer.
  • An embodiment of the present invention provides a method for updating a key stream generation element of a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection for a UE. The method includes: the second access node generates a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element; and the second access node sends the trigger message to the first access node.
  • Generating the trigger message includes: generating first information when the second access node performs a key update. Sending the trigger message to the first access node includes: sending the first information to the first access node.
  • Generating the first information includes: generating the first information if a transfer bearer exists on the second access node.
  • Generating the trigger message includes: generating second information when a target bearer is handed over from the second access node to the first access node. Sending the trigger message to the first access node includes: sending the second information to the first access node.
  • Generating the second information includes: if the target bearer is a transfer bearer, generating second information carrying a switchback indication.
  • Generating the second information includes: if the target bearer is a transfer bearer and the target bearer underwent a PDCP COUNT reset during its time on the second access node, generating second information carrying a switchback indication and a reset indication.
  • An embodiment of the present invention provides a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection for a UE, where:
  • the second access node is configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element, and to send the trigger message to the first access node;
  • the first access node is configured to acquire the trigger message from the second access node and to perform a key stream generation element update according to the trigger message.
  • The first access node can perform a key stream generation element update on the first access node when a bearer state change that may cause key stream repetition occurs on the second access node, thereby avoiding key stream repetition.
  • FIG. 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention
  • FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention
  • FIG. 4 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention
  • FIG. 5 is a key stream generation method of the present invention.
  • FIG. 6 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention;
  • FIG. 7 is a schematic diagram of an embodiment of a dual connectivity system according to the present invention;
  • FIG. 8 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention;
  • FIG. 9 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention.
  • FIG. 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention.
  • The apparatus includes a receiving unit 101 and a processing unit 102.
  • The device is disposed on a first access node.
  • The receiving unit 101 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • The receiving unit 101 first obtains a trigger message from the second access node, where the first access node may be an SeNB or an MeNB and, correspondingly, the second access node is an MeNB or an SeNB.
  • The trigger information is used to indicate that a state change occurs on a bearer on the second access node.
  • A PDCP COUNT reset caused by a key update may cause key stream repetition, and the trigger message may be first information used to indicate a key update of the second access node.
  • The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The trigger message may also be second information used to indicate that the target bearer is transferred from the second access node to the first access node. The second information may carry a switchback indication, where the switchback indication is used to indicate that the target bearer is a transfer bearer. Further, the second information may also carry a reset indication, where the reset indication is used to indicate that the target bearer underwent a PDCP COUNT reset during its time on the second access node.
  • The trigger message may also be other information used to indicate that the second access node has a condition that may cause key stream repetition; details are not described herein.
  • The processing unit 102 is configured to perform a key stream generation element update according to the trigger message.
  • The processing unit 102 may initiate a key stream generation element update procedure and perform a key stream generation element update on the first access node, such as updating an encryption key or reconfiguring a DRB ID, thereby preventing key stream repetition.
  • The processing unit 102 may further determine whether the state change of the bearer on the second access node may cause key stream repetition. If not, the first access node does not perform a key stream generation element update; if so, the first access node performs a key stream generation element update. This reduces the number of times the first access node performs a key stream generation element update and saves system resources.
  • The processing unit 102 may determine, according to information such as the bearer transfer record and the presence indication, whether a transfer bearer exists on the second access node. If not, the PDCP COUNT reset caused by the key update of the second access node does not cause key stream repetition, and the first access node is not required to perform a key stream generation element update. If so, the PDCP COUNT reset caused by the key update of the second access node may cause key stream repetition, and the processing unit 102 may perform a key stream generation element update. Here, a transfer bearer is a bearer transferred from the first access node to the second access node; the presence indication is used to indicate that a transfer bearer exists on the second access node; and the bearer transfer record is used to record transfer bearers.
  • The processing unit 102 may perform a key stream generation element update on the first access node when acquiring the first information used to indicate the second access node key update.
  • The processing unit 102 may also perform a key stream generation element update on the first access node when the first information used to indicate the second access node key update is acquired and a transfer bearer exists on the second access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The processing unit 102 may also perform a key stream generation element update on the first access node when the first information used to indicate the second access node key update is acquired and the first information carries the presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The processing unit 102 may also perform a key stream generation element update on the first access node when it determines, according to the acquired bearer transfer record and all current bearers on the second access node, that a transfer bearer exists on the second access node, and may delete the bearer transfer record after performing the key stream generation element update on the first access node.
  • The processing unit 102 may perform the key stream generation element update on the first access node by updating the key of the first access node, or by reallocating the DRB ID for the transfer bearer.
  • The second access node may determine, according to information such as a bearer transfer record and a switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the DRB ID of the target bearer and the first access node key has not occurred before, and key stream repetition does not occur on the target bearer; in this case, the first access node does not need to perform a key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer, and the processing unit 102 may perform the key stream generation element update.
  • The key stream generation element update may be performed directly on the first access node.
  • The processing unit 102 may further determine whether the target bearer underwent a PDCP COUNT reset during its time on the second access node. If not, the PDCP COUNT of the target bearer does not repeat and key stream repetition does not occur on the target bearer; in this case, the first access node does not need to perform a key stream generation element update. If so, the PDCP COUNT of the target bearer may repeat and key stream repetition may occur on the target bearer; in this case, the first access node may perform a key stream generation element update.
  • The processing unit 102 may perform a key stream generation element update on the first access node when the target bearer is a transfer bearer and it is determined, according to the reset indication in the second information, that the target bearer underwent a PDCP COUNT reset during its time on the second access node.
  • The processing unit 102 may perform a key stream generation element update on the first access node when the target bearer is a transfer bearer and it is determined, according to the reset identifier in the bearer transfer record, that the target bearer underwent a PDCP COUNT reset during its time on the second access node.
  • The processing unit 102 may further determine whether the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value when it was transferred from the first access node to the second access node. If so, the PDCP COUNT will not repeat and key stream repetition will not occur on the target bearer. If not, the PDCP COUNT of the target bearer may repeat, that is, key stream repetition may occur, and the first access node may perform a key stream generation element update.
  • The receiving unit is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; the processing unit is configured to perform a key stream generation element update according to the trigger message.
  • The first access node can perform a key stream generation element update on the first access node when a bearer state change that may cause key stream repetition occurs on the second access node, thereby avoiding key stream repetition.
  • FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention.
  • The apparatus includes a processing unit 201 and a sending unit 202.
  • The device is disposed on a second access node.
  • The processing unit 201 is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element.
  • The preset condition may be that the second access node performs a key update, or that a bearer on the second access node is transferred to the first access node, or another bearer state change on the second access node that may cause key stream repetition.
  • The processing unit 201 may generate first information when the second access node performs a key update, or may generate the first information when the second access node performs a key update and a transfer bearer exists on the second access node.
  • The processing unit 201 may generate second information when the target bearer switches from the second access node to the first access node.
  • If the target bearer is a transfer bearer, the second information may also carry a switchback indication. If the target bearer is a transfer bearer and the target bearer underwent a PDCP COUNT reset during its time on the second access node, the second information may further carry a switchback indication and a reset indication.
  • the sending unit 202 is configured to send a trigger message to the first access node.
  • the trigger message can
  • the first message may also be a second message, or may be another trigger message generated by the processing unit.
  • the first access node may perform the key stream generation element update immediately after receiving the trigger information, or may further determine whether the key stream is repeated according to the content of the trigger information and/or the trigger information.
  • the key stream generation element update is performed when a key stream duplication may be sent.
  • the processing unit is configured to generate a trigger message when the preset condition is met, where the trigger message is used to indicate that the first access node triggers update of the key stream generation element; Sending a trigger message to the first access node.
  • the second access node may send the trigger information to the first node when the bearer state change that may cause the key stream to be repeated, indicating that the first access node performs the key stream generation element update, thereby Avoid the occurrence of duplicate key streams.
  • An embodiment of the present invention further provides a method for updating a key stream generation element in a dual connectivity system, where the first access node and the second access node simultaneously provide a wireless connection for the UE.
  • FIG. 3 is a flowchart of an embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 301: The first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • The first access node first obtains a trigger message from the second access node, where the first access node may be the SeNB or the MeNB, and the second access node is the MeNB or the SeNB, respectively.
  • The trigger message is used to indicate that a status change has occurred on a bearer on the second access node.
  • A PDCP COUNT reset caused by a key update may cause key stream repetition, so the trigger message may be the first information, which indicates a key update of the second access node.
  • The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The trigger message may also be the second information, which indicates that the target bearer is transferred from the second access node to the first access node. The second information may carry a switchback indication, which indicates that the target bearer is a transfer bearer. The second information may further carry a reset indication, which indicates that the target bearer underwent a PDCP COUNT reset while on the second access node.
  • The trigger message may also be other information indicating a situation on the second access node that may cause key stream repetition; details are not described herein.
  • Step 302: The first access node performs a key stream generation element update according to the trigger message.
  • The key stream generation element update is performed on the first access node, for example by updating the encryption key or reconfiguring a DRB ID, thereby preventing key stream repetition.
  • The first access node may further determine whether the bearer status change on the second access node may cause key stream repetition. If not, no key stream generation element update is performed on the first access node; if it may, the first access node performs a key stream generation element update. This reduces the number of key stream generation element updates performed by the first access node and saves resources.
  • The first access node may determine, according to information such as a bearer transfer record and a presence indication, whether a transfer bearer exists on the second access node. If not, the PDCP COUNT reset caused by the key update of the second access node does not cause key stream repetition, and the first access node does not need to perform a key stream generation element update. If yes, the PDCP COUNT reset caused by the key update of the second access node may cause key stream repetition, and the first access node may perform a key stream generation element update. Here, a transfer bearer is a bearer transferred from the first access node to the second access node; the presence indication is used to indicate that a transfer bearer exists on the second access node; and the bearer transfer record is used to record transfer bearers.
  • The second access node may determine, according to information such as the bearer transfer record and the switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the target bearer's DRB ID and the first access node's key has not occurred before, and key stream repetition will not occur on the target bearer; in this case, the first access node does not need to perform a key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
  • The first access node may further determine whether the target bearer underwent a PDCP COUNT reset while on the second access node. If not, the PDCP COUNT of the target bearer does not repeat and key stream repetition does not occur on the target bearer; in this case, the first access node does not need to perform a key stream generation element update. If yes, the PDCP COUNT of the target bearer may repeat and key stream repetition may occur on the target bearer; in this case, the first access node may perform a key stream generation element update.
  • The first access node may further determine whether the current PDCP COUNT value of the target bearer is greater than the PDCP COUNT value at the time the bearer was transferred from the first access node to the second access node. If yes, the PDCP COUNT does not repeat and key stream repetition does not occur on the target bearer. If not, the PDCP COUNT of the target bearer may repeat and key stream repetition may occur on the target bearer; in this case, the first access node may perform a key stream generation element update.
  • The first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; the first access node performs the key stream generation element update according to the trigger message.
  • The first access node may perform a key stream generation element update when a bearer status change that may cause key stream repetition occurs on the second access node, thereby preventing key stream repetition.
  • FIG. 4 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 401: Acquire a key stream generation element update trigger message from the second access node.
  • Step 402: When the first information indicating a key update of the second access node is acquired, detect whether a transfer bearer exists on the second access node.
  • The first access node may determine whether a transfer bearer exists on the second access node according to the bearer transfer record and all current bearers on the second access node, or according to the presence indication carried in the first information.
  • The bearer transfer record may be a list or another data structure that describes transfer bearers, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The bearer transfer record records the DRB ID of each transfer bearer. When a bearer is transferred from the first access node to the second access node, a bearer transfer record containing the bearer's DRB ID is generated, or the bearer's DRB ID is added to the bearer transfer record. When the first access node performs a key stream generation element update, the bearer transfer record is deleted or emptied.
  • The presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The presence indication may be added to the generated first information, or a preset field in the first information may be set to a preset value.
  • The first access node determines whether a transfer bearer exists on the second access node according to whether the first information includes a presence indication, or whether the preset field is set to the preset value.
  • Step 403: If a transfer bearer exists on the second access node, perform a key stream generation element update on the first access node.
  • When the key stream generation element update is performed on the first access node, only the key may be updated, or only the DRB ID of the transfer bearer may be reassigned, to reduce system overhead.
  • A key stream generation element update trigger message is acquired from the second access node; when the first information indicating a key update of the second access node is acquired, it is detected whether a transfer bearer exists on the second access node; if a transfer bearer exists on the second access node, a key stream generation element update is performed on the first access node.
  • The key stream generation element update can be performed on the first access node when a key update occurs on the second access node, thereby avoiding key stream repetition caused by the key update.
  • Step 501: Acquire a key stream generation element update trigger message from the second access node.
  • Step 502: When the second information indicating that the target bearer is transferred from the second access node to the first access node is acquired, detect whether the target bearer is a transfer bearer.
  • The first access node may determine whether the target bearer is a transfer bearer according to the bearer transfer record or according to the switchback indication carried in the second information. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer. If the target bearer is not a transfer bearer, key stream repetition does not occur on the target bearer.
  • The bearer transfer record may be used to record the transfer bearer and whether the transfer bearer has undergone a PDCP COUNT reset, and may also be used to record the PDCP COUNT at the time the transfer bearer was transferred from the first access node to the second access node.
  • The bearer transfer record may record the DRB ID of the transfer bearer and a reset flag bit.
  • The value of the reset flag is set to a preset value, and when the first access node performs a key stream generation element update, the bearer transfer record is deleted or emptied.
  • The first access node determines, according to the bearer transfer record and the DRB ID of the target bearer, whether the target bearer is a transfer bearer.
  • The switchback indication is used to indicate that the target bearer is a transfer bearer.
  • The switchback indication may be added to the generated second information, or a preset field in the first information may be set to a preset value.
  • The first access node determines whether the target bearer is a transfer bearer according to whether the second information includes a switchback indication, or whether the preset field is set to the preset value.
  • Step 503: If the target bearer is a transfer bearer, the key stream generation element update may be performed directly on the first access node, or step 303 may be performed for further judgment.
  • Step 503: If the target bearer is a transfer bearer, detect whether the PDCP COUNT of the target bearer has been reset.
  • The first access node may determine whether the PDCP COUNT of the target bearer has been reset by detecting whether the reset flag of the target bearer in the bearer transfer record is a predetermined value, or by detecting whether the second information includes a reset indication.
  • Step 504: If the target bearer has undergone a PDCP COUNT reset, perform a key stream generation element update on the first access node.
  • After a reset, the PDCP COUNT of the target bearer may repeat, which may cause key stream repetition. Therefore, if the target bearer has undergone a PDCP COUNT reset, the key stream generation element update can be performed on the first access node.
  • Even if the PDCP COUNT of the target bearer has been reset, key stream repetition does not necessarily occur. For example, if the current PDCP COUNT value of the target bearer is greater than the PDCP COUNT value at the time the bearer was transferred from the first access node to the second access node, key stream repetition does not occur on the target bearer.
  • If the target bearer is a transfer bearer, instead of detecting whether the PDCP COUNT of the target bearer has been reset, the first access node may acquire the current PDCP COUNT value of the target bearer and the PDCP COUNT value at the time the target bearer was transferred from the first access node to the second access node; if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of the transfer from the first access node to the second access node, a key stream generation element update is performed on the first access node.
  • A key stream generation element update trigger message is acquired from the second access node; when the second information indicating that the target bearer is transferred from the second access node to the first access node is acquired, it is detected whether the target bearer is a transfer bearer; if the target bearer is a transfer bearer, it is detected whether the PDCP COUNT of the target bearer has been reset; if the target bearer has undergone a PDCP COUNT reset, a key stream generation element update is performed on the first access node.
  • The key stream generation element update can be performed on the first access node when the target bearer is a transfer bearer and a PDCP COUNT reset has occurred, which avoids key stream repetition caused by bearer transfer and also reduces the number of key stream generation element updates and the consumption of system resources.
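The decision procedure of steps 401-403 and 501-504 above, written out as an added example (it is not code from the patent). The class and method names, the `key_generation` counter and the tuple return value are assumptions made for illustration; updating the key stands in for the update action, and reassigning DRB IDs is the other option the text names.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

Decision = Tuple[str, str]  # ("UPDATE" | "NO_UPDATE", reason)


@dataclass
class TransferEntry:
    count_at_transfer: int      # PDCP COUNT when the bearer left the first access node
    reset_flag: bool = False    # set when a PDCP COUNT reset is known for this bearer


@dataclass
class FirstAccessNode:
    # Bearer transfer record: DRB ID -> entry, for bearers moved first -> second node.
    transfer_record: Dict[int, TransferEntry] = field(default_factory=dict)
    key_generation: int = 0     # hypothetical counter, bumped on every update

    def bearer_transferred_out(self, drb_id: int, pdcp_count: int) -> None:
        """Add the bearer to the transfer record when it moves to the second node."""
        self.transfer_record[drb_id] = TransferEntry(pdcp_count)

    def _update(self, reason: str) -> Decision:
        # Update a key stream generation element (here: the key), then empty the
        # bearer transfer record, as the text prescribes after an update.
        self.key_generation += 1
        self.transfer_record.clear()
        return ("UPDATE", reason)

    def on_first_info(self, presence_indication: Optional[bool] = None,
                      bearers_on_second: Iterable[int] = ()) -> Decision:
        """Steps 401-403: the second access node reports a key update."""
        if presence_indication is not None:
            has_transfer = presence_indication
        else:
            # No indication carried: compare the record with the second node's bearers.
            has_transfer = any(d in self.transfer_record for d in bearers_on_second)
        if has_transfer:
            return self._update("key update on second node with a transfer bearer present")
        return ("NO_UPDATE", "no transfer bearer on second node")

    def on_second_info(self, drb_id: int, switchback: Optional[bool] = None,
                       reset: Optional[bool] = None,
                       current_count: Optional[int] = None) -> Decision:
        """Steps 501-504: a target bearer moves from the second node to the first."""
        entry = self.transfer_record.get(drb_id)
        is_transfer = switchback if switchback is not None else entry is not None
        if not is_transfer:
            return ("NO_UPDATE", "target bearer is not a transfer bearer")
        # Alternative check from the text: compare COUNT values instead of the reset flag.
        if current_count is not None and entry is not None:
            if current_count > entry.count_at_transfer:
                return ("NO_UPDATE", "current PDCP COUNT is above the value at transfer")
            return self._update("current PDCP COUNT <= value at transfer")
        was_reset = reset if reset is not None else (entry is not None and entry.reset_flag)
        if was_reset:
            return self._update("transfer bearer underwent a PDCP COUNT reset")
        return ("NO_UPDATE", "transfer bearer without PDCP COUNT reset")


def run_scenarios():
    """Constructed scenarios: DRB ID 3 leaves the first node at PDCP COUNT 1000."""
    node = FirstAccessNode()
    node.bearer_transferred_out(3, 1000)
    results = [
        node.on_first_info(bearers_on_second=[5, 7]),        # key update, bearer 3 absent
        node.on_second_info(4),                              # unrelated bearer arrives
        node.on_second_info(3, reset=True, current_count=1500),  # reset, but COUNT moved on
        node.on_second_info(3, reset=True),                  # reset, no COUNT available
    ]
    return results, node.key_generation


if __name__ == "__main__":
    decisions, generation = run_scenarios()
    for d in decisions:
        print(d)
    print("key generation:", generation)
```

Only the last scenario triggers an update, which is the saving in update frequency that the text attributes to the extra checks.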
  • The invention is further described below from the second access node side.
  • FIG. 6 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 601: The second access node generates a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element.
  • The preset condition may be that a key update occurs on the second access node, or that a bearer on the second access node is transferred to the first access node, or another bearer status change on the second access node that may cause key stream repetition.
  • The trigger message may be the first information.
  • The first information may be generated when the second access node performs a key update, or may be generated when the second access node performs a key update and a transfer bearer exists on the second access node.
  • The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The trigger message may be the second information.
  • The first information may be generated when the target bearer is transferred from the second access node to the first access node.
  • The second information may also carry a switchback indication if the target bearer is a transfer bearer.
  • The second information may also carry a reset indication if the target bearer has undergone a PDCP COUNT reset.
  • Step 602: Send the trigger message to the first access node.
  • After receiving the trigger message, the first access node may perform the key stream generation element update immediately, or may further determine, according to the trigger message and/or its content, whether key stream repetition may occur, and perform the key stream generation element update when key stream repetition may occur.
  • For the specific process, refer to the foregoing embodiments; details are not described again here.
  • The second access node generates a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element, and sends the trigger message to the first access node.
  • When a bearer status change that may cause key stream repetition occurs, the second access node may send a trigger message to the first access node, instructing the first access node to perform a key stream generation element update, thereby preventing key stream repetition.
  • An embodiment of the present invention further provides a dual connectivity system, where the dual connectivity system includes a first access node 701 and a second access node 702, and the first access node 701 and the second access node 702 simultaneously provide a wireless connection to the UE.
  • The second access node 702 is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node 701 to trigger an update of the key stream generation element, and to send the trigger message to the first access node 701.
  • The second access node 702 is further configured to generate the first information when a key update is performed, and to send the first information to the first access node 701.
  • The second access node 702 is further configured to generate the first information if a transfer bearer exists on the second access node 702 when the key update is performed.
  • The second access node 702 is further configured to generate the second information when the target bearer switches from the second access node 702 to the first access node 701, and to send the second information to the first access node 701.
  • The second access node 702 is further configured to: when the target bearer is switched from the second access node 702 to the first access node 701, if the target bearer is a transfer bearer, generate the second information carrying the switchback indication.
  • The second access node 702 is further configured to: when the target bearer is switched from the second access node 702 to the first access node 701, if the target bearer is a transfer bearer and underwent a PDCP COUNT reset while on the second access node 702, generate the second information carrying the switchback indication and the reset indication.
  • The first access node 701 is configured to acquire a trigger message from the second access node 702, and to perform a key stream generation element update according to the trigger message.
  • The first access node 701 is further configured to acquire a trigger message from the second access node 702, where the trigger message is used to trigger an update of a key stream generation element, and to perform the key stream generation element update according to the trigger message.
  • The first access node 701 is further configured to perform a key stream generation element update on the first access node 701 when acquiring the first information indicating a key update of the second access node 702.
  • The first access node 701 is further configured to perform a key stream generation element update on the first access node 701 if a transfer bearer exists on the second access node 702, where a transfer bearer is a bearer transferred from the first access node 701 to the second access node 702.
  • The first access node 701 is further configured to perform a key stream generation element update on the first access node 701 if the first information carries a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node 702.
  • The first access node 701 is further configured to acquire a bearer transfer record, and to perform a key stream generation element update on the first access node 701 if it is determined, according to the bearer transfer record and all current bearers on the second access node 702, that a transfer bearer exists on the second access node 702.
  • The first access node 701 is further configured to delete the bearer transfer record after performing the key stream generation element update on the first access node 701.
  • When performing the key stream generation element update on the first access node 701, the first access node 701 may update only the key of the first access node 701.
  • When performing the key stream generation element update on the first access node 701, the first access node 701 may also re-allocate the DRB ID only for the transfer bearer.
  • When a bearer status change that may cause key stream repetition occurs, the second access node may send a trigger message to the first access node; after receiving the trigger message, the first access node performs a key stream generation element update, thereby preventing key stream repetition.
  • FIG. 8 is a schematic structural diagram of a key stream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention. As shown in FIG. 8, the device includes a processor 801, a memory 802, and a communication interface 803, and the modules are connected to each other.
  • The memory 802 is used to store programs.
  • The program can include program code, the program code including computer operating instructions.
  • The memory 802 may include a random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
  • The communication interface 803 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • The processor 801 is configured to execute the program stored in the memory 802, and to perform a key stream generation element update according to the trigger message.
  • The processor 801 is further configured to perform a key stream generation element update on the first access node when acquiring the first information indicating a key update of the second access node.
  • The processor 801 is further configured to perform a key stream generation element update on the first access node if a transfer bearer exists on the second access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The processor 801 is further configured to: if the first information carries a presence indication, perform a key stream generation element update on the first access node, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The processor 801 is further configured to acquire a bearer transfer record, and to perform a key stream generation element update on the first access node if it is determined, according to the bearer transfer record and all current bearers on the second access node, that a transfer bearer exists on the second access node.
  • The processor 801 is further configured to delete the bearer transfer record after performing the key stream generation element update on the first access node.
  • The processor 801 is further configured to update a key of the first access node.
  • The processor 801 is further configured to re-allocate the DRB ID for the transfer bearer.
  • The processor 801 is further configured to perform a key stream generation element update on the first access node when acquiring the second information indicating that the target bearer is transferred from the second access node to the first access node.
  • The processor 801 is further configured to: if the target bearer is determined to be a transfer bearer according to the switchback indication in the second information, perform a key stream generation element update on the first access node, where the switchback indication is used to indicate that the target bearer is a transfer bearer.
  • The processor 801 is further configured to acquire a bearer transfer record, where the bearer transfer record is used to record transfer bearers, and, if the target bearer is determined to be a transfer bearer according to the bearer transfer record, to perform a key stream generation element update on the first access node.
  • The processor 801 is further configured to: if it is determined, according to the reset indication in the second information, that the target bearer underwent a PDCP COUNT reset while on the second access node, perform a key stream generation element update on the first access node.
  • The processor 801 is further configured to: if it is determined, according to the reset identifier in the bearer transfer record, that the target bearer underwent a PDCP COUNT reset while on the second access node, perform a key stream generation element update on the first access node.
  • The processor 801 is further configured to acquire the current PDCP COUNT value of the target bearer and the PDCP COUNT value at the time the target bearer was transferred from the first access node to the second access node, and, if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of the transfer from the first access node to the second access node, to perform a key stream generation element update on the first access node.
  • The processor 801 is further configured to update a key of the first access node or re-allocate a DRB ID for the target bearer.
  • FIG. 9 is a schematic structural diagram of a key stream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention.
  • The device includes a processor 901, a memory 902, and a communication interface 903, and the modules are connected to each other.
  • The memory 902 is used to store programs.
  • The program can include program code, the program code including computer operating instructions.
  • The memory 902 may include a random access memory (RAM), and may also include a non-volatile memory such as at least one disk memory.
  • The processor 901 is configured to execute the program stored in the memory 802 and, when the preset condition is met, to generate a trigger message, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element.
  • The processor 901 is further configured to generate the first information when the second access node performs a key update.
  • The processor 901 is further configured to: when the second access node performs a key update, generate the first information if a transfer bearer exists on the second access node.
  • The processor 901 is further configured to generate the second information when the target bearer switches from the second access node to the first access node.
  • The processor 901 is further configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer, generate the second information carrying the switchback indication.
  • The processor 901 is further configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer and underwent a PDCP COUNT reset while on the second access node, generate the second information carrying the switchback indication and the reset indication.
  • The communication interface 903 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • The trigger message may be the first message or the second message.
  • The present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program, when executed, may include some or all of the steps in each embodiment of the calling method provided by the present invention.
  • The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
  • The techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general hardware platform. Based on this understanding, the technical solution in the embodiments of the present invention may be embodied, in essence, in the form of a software product, which may be stored in a storage medium such as a ROM/RAM, a magnetic disk, or an optical disk, and which includes instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention or in portions of the embodiments.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided are an encryption keystream element updating device, method and double connection system. A first access node and a second access node in the double connection system provide a wireless connection to a user equipment (UE), and the updating device is characterized by comprising: a receiving unit for acquiring a triggering message from the second access node, the triggering message being used to trigger the updating of an encryption keystream generation element; and a processing unit for updating the encryption keystream generation element according to the triggering message. The embodiment of the present invention updates the encryption keystream generation element when a change potentially causing a repetition of the encryption keystream occurs in a bearing state, thus preventing encryption keystream repetition caused by bearing switching.

Description

密钥流元素更新装置、 方法及双连接系统 技术领域  Key stream element updating device, method and dual connection system
[01] 本发明涉及移动通信领域, 尤其涉及密钥流元素更新装置、 方法及双连接系统。 背景技术  [01] The present invention relates to the field of mobile communications, and in particular, to a key stream element updating apparatus, method, and dual connectivity system. Background technique
[02] With the development of mobile communication technology and the continuing growth in the number of mobile terminals, the capacity pressure on mobile operators' base stations keeps increasing. To relieve this pressure, the 3GPP (The 3rd Generation Partnership Project) standards organization has introduced the dual connectivity system. A dual connectivity system includes a master base station (Macro eNB, MeNB for short) and a secondary base station (Secondary eNB, SeNB for short). A user equipment (User Equipment, UE for short) can establish a bearer through the master base station or the secondary base station to access the network. When needed, a bearer can also be transferred between base stations, for example switched from the MeNB to the SeNB or from the SeNB to the MeNB, thereby relieving the capacity pressure on the base stations.
[03] In a dual connectivity system, the user plane data transmitted between the UE and the MeNB and between the UE and the SeNB is encrypted to ensure the security of data transmission. To further ensure that security, LTE security processing must avoid repetition of the key stream used to encrypt user plane data. The key stream elements that affect key stream generation are: the encryption key (Kupenc), the Packet Data Convergence Protocol count value (Packet Data Convergence Protocol Count, PDCP COUNT for short), the data radio bearer identity (Data Radio Bearer Identity, DRB ID for short), the data direction (Direction), and the key stream length (Length).
[04] Direction takes one of two values, uplink or downlink, and Length is a specific value that depends on the encryption algorithm. Therefore, for a given encryption algorithm and in each transmission direction, if Kupenc, the PDCP COUNT value, and the DRB ID are the same, the generated key streams are the same. For example, suppose the encryption algorithm EEA1 is selected for all bearers. In the uplink direction of the SeNB, if a first bearer with DRB ID 1 is released and a second bearer with DRB ID 1 is then established, the PDCP COUNT of the second bearer restarts counting. If the SeNB's root key S-KeNB is not updated during this process, Kupenc does not change, so the two different bearers have the same Kupenc, PDCP COUNT values, and DRB ID, and the same key stream is generated for two different bearers. To prevent key stream repetition, the prior art assigns different DRB IDs to successive bearers even when a previously established bearer has already been released. In addition, the MeNB and the SeNB share one DRB ID resource pool, and a key update is triggered when the DRB IDs are used up. This prevents different bearers from having the same DRB ID and thereby avoids key stream repetition.
[05] However, the inventors found during their research that with the prior art, when a bearer is switched between base stations, the same bearer may end up with the same DRB ID and Kupenc together with a repeated PDCP COUNT, which causes key stream repetition. For example, the following can occur in practice: a third bearer is switched from the MeNB to the SeNB when its PDCP COUNT is 1000, and the bearer ID does not change across the switch; while the third bearer is on the SeNB, the SeNB performs a key update, so the PDCP COUNT of the third bearer restarts counting; when the PDCP COUNT of the third bearer is 100, the bearer is switched back from the SeNB to the MeNB, and the PDCP COUNT continues counting from 101. If the MeNB's encryption key Kupenc does not change between the two switches of the third bearer, the key stream of the packets with PDCP COUNT 101 to 1000 sent after the third bearer is switched back from the SeNB to the MeNB repeats the key stream of the packets with PDCP COUNT 101 to 1000 sent before the third bearer was switched from the MeNB to the SeNB.

Summary of the invention
[06] Embodiments of the present invention provide a key stream element updating apparatus, method, and dual connectivity system, to solve the problem that, with the prior art, key stream repetition occurs when a bearer is switched between base stations.
[07] In a first aspect, an embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system, in which the first access node and the second access node simultaneously provide a wireless connection for a user equipment UE. The apparatus includes:
[08] a receiving unit, configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; and a processing unit, configured to perform a key stream generation element update according to the trigger message.
[09] With reference to the first aspect, in a first possible implementation of the first aspect,
[10] the processing unit being configured to perform a key stream generation element update according to the trigger message includes: being configured to perform a key stream generation element update on the first access node when first information indicating a key update of the second access node is obtained.
[11] With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect,
[12] the processing unit being configured to perform a key stream generation element update on the first access node when the first information indicating a key update of the second access node is obtained includes: being configured to, when the first information indicating a key update of the second access node is obtained, perform a key stream generation element update on the first access node if a transferred bearer exists on the second access node, where a transferred bearer is a bearer transferred from the first access node to the second access node.
[13] With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect,
[14] the processing unit being configured to perform a key stream generation element update on the first access node when the first information indicating a key update of the second access node is obtained includes: being configured to, when the first information indicating a key update of the second access node is obtained, perform a key stream generation element update on the first access node if the first information carries a presence indication, where the presence indication indicates that a transferred bearer exists on the second access node.
[15] With reference to the first possible implementation of the first aspect, in a fourth possible implementation of the first aspect,
[16] the processing unit being configured to perform a key stream generation element update on the first access node when the first information indicating a key update of the second access node is obtained includes: being configured to obtain a bearer transfer record, where the bearer transfer record records transferred bearers, a transferred bearer being a bearer transferred from the first access node to the second access node; and, if it is determined according to the bearer transfer record and all bearers currently on the second access node that a transferred bearer exists on the second access node, perform a key stream generation element update on the first access node.
[17] With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect,
[18] the processing unit being configured to obtain the bearer transfer record and, if it is determined according to the bearer transfer record and all bearers currently on the second access node that a transferred bearer exists on the second access node, perform a key stream generation element update on the first access node further includes: being configured to delete the bearer transfer record after the key stream generation element update is performed on the first access node.
[19] With reference to the first aspect or any one of the first to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect,
[20] the processing unit being configured to perform a key stream generation element update on the first access node includes: being configured to update the key of the first access node.
[21] With reference to the fourth or the fifth possible implementation of the first aspect, in a seventh possible implementation of the first aspect,
[22] the processing unit being configured to perform a key stream generation element update on the first access node includes: being configured to reassign a DRB ID to the transferred bearer.
[23] With reference to the first aspect, in an eighth possible implementation of the first aspect,
[24] the processing unit being configured to perform a key stream generation element update according to the trigger message includes: being configured to perform a key stream generation element update on the first access node when second information indicating that a target bearer is transferred from the second access node to the first access node is obtained.
[25] With reference to the eighth possible implementation of the first aspect, in a ninth possible implementation of the first aspect,
[26] the processing unit being configured to perform a key stream generation element update on the first access node when the second information indicating that the target bearer is transferred from the second access node to the first access node is obtained includes: being configured to, when that second information is obtained, perform a key stream generation element update on the first access node if the target bearer is determined to be a transferred bearer according to a switch-back indication in the second information, where the switch-back indication indicates that the target bearer is a transferred bearer.
[27] With reference to the eighth possible implementation of the first aspect, in a tenth possible implementation of the first aspect,
[28] the processing unit being configured to perform a key stream generation element update on the first access node when the second information indicating that the target bearer is transferred from the second access node to the first access node is obtained includes: obtaining a bearer transfer record; and, if the target bearer is determined to be a transferred bearer according to the bearer transfer record, performing a key stream generation element update on the first access node.
[29] With reference to the ninth or the tenth possible implementation of the first aspect, in an eleventh possible implementation of the first aspect,
[30] the processing unit being configured to perform a key stream generation element update on the first access node includes: being configured to perform a key stream generation element update on the first access node if it is determined according to a reset indication in the second information that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[31] With reference to the ninth or the tenth possible implementation of the first aspect, in a twelfth possible implementation of the first aspect,
[32] the processing unit being configured to perform a key stream generation element update on the first access node includes: being configured to perform a key stream generation element update on the first access node if it is determined according to a reset identifier in the bearer transfer record that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[33] With reference to the ninth or the tenth possible implementation of the first aspect, in a thirteenth possible implementation of the first aspect,
[34] the processing unit being configured to perform a key stream generation element update on the first access node includes: obtaining the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node; and, if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, performing a key stream generation element update on the first access node.
[35] With reference to any one of the eighth to thirteenth possible implementations of the first aspect, in a fourteenth possible implementation of the first aspect,
[36] the processing unit being configured to perform a key stream generation element update on the first access node includes: updating the key of the first access node or reassigning a DRB ID to the target bearer.
[37] In a second aspect, an embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system, in which the first access node and the second access node simultaneously provide a wireless connection for a UE. The apparatus includes:
[38] a processing unit, configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; and a sending unit, configured to send the trigger message to the first access node.
[39] With reference to the second aspect, in a first possible implementation of the second aspect,
[40] the processing unit being configured to generate a trigger message when a preset condition is met includes: being configured to generate first information when the second access node performs a key update; and the sending unit being configured to send the trigger message to the first access node includes: being configured to send the first information to the first access node.
[41] With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect,
[42] the processing unit being configured to generate the first information when the second access node performs a key update includes: being configured to, when the second access node performs a key update, generate the first information if a transferred bearer exists on the second access node.
[43] With reference to the second aspect, in a third possible implementation of the second aspect,
[44] the processing unit being configured to generate a trigger message when a preset condition is met includes: being configured to generate second information when a target bearer is switched from the second access node to the first access node; and the sending unit being configured to send the trigger message to the first access node includes: being configured to send the second information to the first access node.
[45] With reference to the third possible implementation of the second aspect, in a fourth possible implementation of the second aspect,
[46] the processing unit being configured to generate the second information when the target bearer is switched from the second access node to the first access node includes: being configured to, when the target bearer is switched from the second access node to the first access node, generate the second information carrying a switch-back indication if the target bearer is a transferred bearer.
[47] With reference to the third possible implementation of the second aspect, in a fifth possible implementation of the second aspect,
[48] the processing unit being configured to generate the second information when the target bearer is switched from the second access node to the first access node includes: being configured to, when the target bearer is switched from the second access node to the first access node, generate second information carrying a switch-back indication and a reset indication if the target bearer is a transferred bearer and a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[49] In a third aspect, an embodiment of the present invention provides a key stream generation element updating method for a dual connectivity system, in which the first access node and the second access node simultaneously provide a wireless connection for a UE. The method includes: the first access node obtains a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; and the first access node performs a key stream generation element update according to the trigger message.
[50] With reference to the third aspect, in a first possible implementation of the third aspect,
[51] the first access node performing a key stream generation element update on the first access node according to the trigger message includes: performing a key stream generation element update on the first access node when first information indicating a key update of the second access node is obtained.
[52] With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect,
[53] performing a key stream generation element update on the first access node includes: performing a key stream generation element update on the first access node if a transferred bearer exists on the second access node.
[54] With reference to the first possible implementation of the third aspect, in a third possible implementation of the third aspect,
[55] performing a key stream generation element update on the first access node includes: performing a key stream generation element update on the first access node if the first information carries a presence indication.
[56] With reference to the first possible implementation of the third aspect, in a fourth possible implementation of the third aspect,
[57] performing a key stream generation element update on the first access node includes: obtaining a bearer transfer record; and, if it is determined according to the bearer transfer record and all bearers currently on the second access node that a transferred bearer exists on the second access node, performing a key stream generation element update on the first access node.
[58] With reference to the fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect,
[59] after the key stream generation element update is performed on the first access node, the method further includes: deleting the bearer transfer record.
[60] With reference to the third aspect or any one of the first to fifth possible implementations of the third aspect, in a sixth possible implementation of the third aspect,
[61] performing a key stream generation element update on the first access node includes: updating the key of the first access node.
[62] With reference to the fourth or the fifth possible implementation of the third aspect, in a seventh possible implementation of the third aspect,
[63] performing a key stream generation element update on the first access node includes: reassigning a DRB ID to the transferred bearer.
[64] With reference to the third aspect, in an eighth possible implementation of the third aspect,
[65] the first access node performing a key stream generation element update on the first access node according to the trigger message includes: performing a key stream generation element update on the first access node when second information indicating that a target bearer is transferred from the second access node to the first access node is obtained.
[66] With reference to the eighth possible implementation of the third aspect, in a ninth possible implementation of the third aspect,
[67] performing a key stream generation element update on the first access node includes: performing a key stream generation element update on the first access node if the target bearer is determined to be a transferred bearer according to a switch-back indication in the second information.
[68] With reference to the eighth possible implementation of the third aspect, in a tenth possible implementation of the third aspect,
[69] performing a key stream generation element update on the first access node includes: obtaining a bearer transfer record, where the bearer transfer record records transferred bearers; and, if the target bearer is determined to be a transferred bearer according to the bearer transfer record, performing a key stream generation element update on the first access node.
[70] With reference to the ninth or the tenth possible implementation of the third aspect, in an eleventh possible implementation of the third aspect,
[71] performing a key stream generation element update on the first access node includes: performing a key stream generation element update on the first access node if it is determined according to a reset indication in the second information that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[72] With reference to the ninth or the tenth possible implementation of the third aspect, in a twelfth possible implementation of the third aspect,
performing a key stream generation element update on the first access node includes: performing a key stream generation element update on the first access node if it is determined according to a reset identifier in the bearer transfer record that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[73] With reference to the ninth or the tenth possible implementation of the third aspect, in a thirteenth possible implementation of the third aspect,
[74] performing a key stream generation element update on the first access node includes: obtaining the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node; and, if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, performing a key stream generation element update on the first access node.
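The switch-back scenario of paragraph [05] and the PDCP COUNT comparison of paragraph [74], as an added Python model that is not part of the patent text: it records every (Kupenc, DRB ID, Direction, PDCP COUNT) tuple a bearer uses and counts repeats, with and without the check. The class and function names, the string standing in for Kupenc, and the replacement DRB ID 4 are assumptions made for illustration.

```python
from dataclasses import dataclass

UPLINK = 0  # Direction; this model only sends uplink packets


@dataclass
class AccessNode:
    name: str
    key_epoch: int = 0  # stand-in for Kupenc: a new epoch means a new key

    @property
    def kupenc(self) -> str:
        return f"{self.name}/Kupenc#{self.key_epoch}"

    def update_key(self) -> None:
        self.key_epoch += 1


@dataclass
class Bearer:
    drb_id: int
    count: int = 0  # last PDCP COUNT used on this bearer


class KeystreamLedger:
    """Records each (Kupenc, DRB ID, Direction, PDCP COUNT) tuple that is used."""

    def __init__(self) -> None:
        self.seen = set()
        self.reused = 0

    def send(self, node: AccessNode, bearer: Bearer, packets: int) -> None:
        for _ in range(packets):
            bearer.count += 1
            inputs = (node.kupenc, bearer.drb_id, UPLINK, bearer.count)
            if inputs in self.seen:
                self.reused += 1  # identical inputs give an identical key stream
            self.seen.add(inputs)


def needs_update(current_count: int, count_at_transfer: int) -> bool:
    """True when the bearer returns at or below the COUNT at which it left."""
    return current_count <= count_at_transfer


def run_scenario(check: bool, action: str = "rekey", senb_rekeys: bool = True):
    """Replay MeNB -> SeNB -> MeNB; return (reused tuples, update performed)."""
    menb, senb = AccessNode("MeNB"), AccessNode("SeNB")
    bearer = Bearer(drb_id=3)
    ledger = KeystreamLedger()

    ledger.send(menb, bearer, 1000)      # COUNT 1..1000 on the MeNB
    count_at_transfer = bearer.count     # what a bearer transfer record would hold

    if senb_rekeys:
        senb.update_key()                # SeNB key update while the bearer is there
        bearer.count = 0                 # COUNT restarts after the update
    ledger.send(senb, bearer, 100)       # 100 packets on the SeNB

    updated = False
    if check and needs_update(bearer.count, count_at_transfer):
        if action == "rekey":
            menb.update_key()            # update the first access node's key
        elif action == "new_drb_id":
            bearer.drb_id = 4            # constructed: assumed to be an unused DRB ID
        else:
            raise ValueError(f"unknown action: {action}")
        updated = True

    ledger.send(menb, bearer, 900)       # bearer continues on the MeNB
    return ledger.reused, updated


if __name__ == "__main__":
    for kwargs in (
        {"check": False},
        {"check": True, "action": "rekey"},
        {"check": True, "action": "new_drb_id"},
        {"check": True, "senb_rekeys": False},
    ):
        print(kwargs, run_scenario(**kwargs))
```

When the SeNB never updates its key, the COUNT keeps growing past the transfer value, so the comparison correctly triggers no update and nothing repeats.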
[75] With reference to any one of the eighth to thirteenth possible implementations of the third aspect, in a fourteenth possible implementation of the third aspect,
[76] performing a key stream generation element update on the first access node includes: updating the key of the first access node or reassigning a DRB ID to the target bearer.
[77] In a fourth aspect, an embodiment of the present invention provides a key stream generation element updating method for a dual connectivity system, in which the first access node and the second access node simultaneously provide a wireless connection for a UE. The method includes: the second access node generates a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; and sends the trigger message to the first access node.
[78] With reference to the fourth aspect, in a first possible implementation of the fourth aspect,
[79] generating the trigger message includes: generating first information when the second access node performs a key update; and sending the trigger message to the first access node includes: sending the first information to the first access node.
[80] With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect,
[81] generating the first information includes: generating the first information if a transferred bearer exists on the second access node.
[82] With reference to the fourth aspect, in a third possible implementation of the fourth aspect,
[83] generating the trigger message includes: generating second information when a target bearer is switched from the second access node to the first access node; and sending the trigger message to the first access node includes: sending the second information to the first access node.
[84] With reference to the third possible implementation of the fourth aspect, in a fourth possible implementation of the fourth aspect,
[85] generating the second information includes: generating the second information carrying a switch-back indication if the target bearer is a transferred bearer.
[86] With reference to the third possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect,
[87] generating the second information includes: generating second information carrying a switch-back indication and a reset indication if the target bearer is a transferred bearer and a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
[88] 第五方面, 本发明实施例提供了一种双连接系统, 所述双连接系统中所述第一 接入节点和所述第二接入节点同时为 UE提供无线连接, 其特征在于, 包括: In a fifth aspect, an embodiment of the present invention provides a dual connectivity system, where the first access node and the second access node simultaneously provide a wireless connection for a UE, where , including:
[89] 所述第二接入节点, 用于在符合预设条件时, 生成触发消息, 所述触发消息用 于指示所述第一接入节点触发密钥流生成元素的更新;向所述第一接入节点发送触发 消息; 所述第一接入节点, 用于从所述第二接入节点获取触发消息; 根据所述触发消 息进行密钥流生成元素更新。 [89] the second access node is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; The first access node sends a trigger message; the first access node is configured to acquire a trigger message from the second access node; and perform key stream generation element update according to the trigger message.
[90] 采用本发明实施例, 第一接入节点可以在第二接入节点发生了可能会造成密钥 流重复的承载状态变化时,对第一接入节点进行密钥流生成元素更新, 从而避免密钥 流重复情况的发生。 附图说明 According to the embodiment of the present invention, the first access node may perform the key stream generation element update on the first access node when the second access node changes the bearer state that may cause the key stream to be duplicated. Thereby avoiding the occurrence of key stream repetition. DRAWINGS
[91] 为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将对实施例或 现有技术描述中所需要使用的附图作简单地介绍, 显而易见地,对于本领域普通技术 人员而言, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。 [91] In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that it is common in the art. Technology For the personnel, other drawings can be obtained based on these drawings without paying for creative labor.
[92] 图 1为本发明密钥流生成元素更新装置一个实施例的示意图; [93] 图 2为本发明密钥流生成元素更新装置另一个实施例的示意图; [94] 图 3为本发明密钥流生成元素更新方法一个实施例的流程图; [95] 图 4为本发明密钥流生成元素更新方法另一个实施例的流程图; [96] 图 5为本发明密钥流生成元素更新方法另一个实施例的流程图; [97] 图 6为本发明密钥流生成元素更新方法另一个实施例的流程图; [98] 图 7为本发明双连接系统一个实施例的示意图; [99] 图 8为本发明密钥流生成元素更新装置另一个实施例的示意图; [100]图 9为本发明密钥流生成元素更新装置另一个实施例的示意图。 具体实施方式 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention; [93] FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention; [94] FIG. FIG. 4 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention; [96] FIG. 5 is a key stream generation method of the present invention. FIG. 6 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention; [98] FIG. 7 is a schematic diagram of an embodiment of a dual connectivity system according to the present invention; [99] FIG. 8 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention; [100] FIG. 9 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention. detailed description
[101] To help a person skilled in the art better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
[102] FIG. 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention.
[103] As shown in FIG. 1, the apparatus includes a receiving unit 101 and a processing unit 102. The apparatus is disposed on the first access node.
[104] The receiving unit 101 is configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
[105] The receiving unit 101 first obtains the trigger message from the second access node. The first access node may be an SeNB or an MeNB; correspondingly, the second access node is an MeNB or an SeNB. The trigger information is used to indicate that a state change has occurred on a bearer on the second access node.
[106] In one possible implementation manner, because a PDCP COUNT reset caused by a key update may lead to key stream repetition, the trigger message may be first information used to indicate a key update of the second access node. The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
[107] In another possible implementation manner, because a bearer transfer may also lead to key stream repetition, the trigger message may also be second information used to indicate that a target bearer is transferred from the second access node to the first access node. The second message may carry a switchback indication, where the switchback indication is used to indicate that the target bearer is a transfer bearer. Further, the second message may also carry a reset indication, where the reset indication is used to indicate that a PDCP COUNT reset occurred on the target bearer while it was on the second access node.
[108] The trigger message may also be other information used to indicate that some other situation that may cause key stream repetition has occurred on the second access node; details are not described here.
[109] The processing unit 102 is configured to perform a key stream generation element update according to the trigger message.
[110] When the receiving unit 101 obtains the first information, the second message or another message, this indicates that a bearer state change that may cause key stream repetition has occurred on the second access node. In this case, the processing unit 102 may initiate a key stream generation element update procedure and perform a key stream generation element update on the first access node, for example by updating the encryption key or reconfiguring the DRB ID, thereby preventing key stream repetition.
[111] After receiving the trigger information, the processing unit 102 may also further determine whether the state change of the bearer on the second access node can lead to key stream repetition. If it cannot, no key stream generation element update is performed on the first access node; if it can, the first access node performs the key stream generation element update. This reduces the number of key stream generation element updates performed by the first access node and saves system resources.
[112] In a first possible implementation manner, if the trigger message is the first message, the processing unit 102 may determine, according to information such as a bearer transfer record and a presence indication, whether a transfer bearer exists on the second access node. If none exists, the PDCP COUNT reset caused by the key update of the second access node will not cause key stream repetition, and the first access node does not need to perform a key stream generation element update. If one exists, the PDCP COUNT reset caused by the key update of the second access node may cause key stream repetition, and the processing unit 102 may perform a key stream generation element update. Here, a transfer bearer is a bearer transferred from the first access node to the second access node; the presence indication is used to indicate that a transfer bearer exists on the second access node; and the bearer transfer record is used to record transfer bearers.
[113] Specifically, the processing unit 102 may perform a key stream generation element update on the first access node when the first information used to indicate a key update of the second access node is obtained.
[114] The processing unit 102 may also perform a key stream generation element update on the first access node when the first information used to indicate a key update of the second access node is obtained and a transfer bearer exists on the second access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
[115] The processing unit 102 may also perform a key stream generation element update on the first access node when the first information used to indicate a key update of the second access node is obtained and the first information carries a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
[116] The processing unit 102 may also perform a key stream generation element update on the first access node when it determines, according to the obtained bearer transfer record and all bearers currently on the second access node, that a transfer bearer exists on the second access node. The bearer transfer record may be deleted after the key stream generation element update is performed on the first access node.
[117] When performing the key stream generation element update, the processing unit 102 may update the key of the first access node, or may reallocate a DRB ID for the transfer bearer.
[118] In a second possible implementation manner, if the trigger message is the second message, the second access node may determine, according to information such as the bearer transfer record and the switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the target bearer's DRB ID and the first access node's key has not occurred before, so key stream repetition will not occur on the target bearer, and the first access node does not need to perform a key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer, and the processing unit 102 may perform a key stream generation element update. Alternatively, the key stream generation element update may be performed on the first access node directly when the second information is obtained.
[119] In the second possible implementation manner, after determining that the target bearer is a transfer bearer, the processing unit 102 may further determine whether a PDCP COUNT reset occurred on the target bearer while it was on the second access node. If not, the PDCP COUNT of the target bearer will not repeat, so key stream repetition will not occur on the target bearer, and the first access node does not need to perform a key stream generation element update. If so, the PDCP COUNT of the target bearer may repeat, so key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
[120] The processing unit 102 may perform a key stream generation element update on the first access node when the target bearer is a transfer bearer and it is determined, according to the reset indication in the second information, that a PDCP COUNT reset occurred on the target bearer while it was on the second access node.
[121] The processing unit 102 may perform a key stream generation element update on the first access node when the target bearer is a transfer bearer and it is determined, according to the reset identifier in the bearer transfer record, that a PDCP COUNT reset occurred on the target bearer while it was on the second access node.
[122] In the second possible implementation manner, after determining that the target bearer is a transfer bearer, the processing unit 102 may also further determine whether the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node. If so, the PDCP COUNT will not repeat, so key stream repetition will not occur on the target bearer. If not, the PDCP COUNT of the target bearer may repeat, so key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
[123] In this embodiment, the receiving unit is configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element, and the processing unit is configured to perform a key stream generation element update according to the trigger message. With this embodiment, when a bearer state change that may cause key stream repetition occurs on the second access node, the first access node can perform a key stream generation element update on the first access node, thereby avoiding key stream repetition.
[124] FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention.
[125] As shown in FIG. 2, the apparatus includes a processing unit 201 and a sending unit 202. The apparatus is disposed on the second access node.
[126] The processing unit 201 is configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element. The preset condition may be that a key update occurs on the second access node, that a bearer on the second access node is transferred to the first access node, or that some other bearer state change that may cause key stream repetition occurs on the second access node.
[127] The processing unit 201 may generate first information when the second access node performs a key update, or may generate the first information when the second access node performs a key update and a transfer bearer exists on the second access node.
[128] The processing unit 201 may generate second information when a target bearer is switched from the second access node to the first access node. If the target bearer is a transfer bearer, the second information may also carry a switchback indication. If the target bearer is a transfer bearer and a PDCP COUNT reset occurred on the target bearer while it was on the second access node, the second information may also carry a switchback indication and a reset indication.
[129] The sending unit 202 is configured to send the trigger message to the first access node. The trigger message may be the first message, the second message, or another trigger message generated by the processing unit.
[130] The first access node may perform the key stream generation element update immediately after receiving the trigger information, or may further determine, according to the trigger information and/or its content, whether key stream repetition may occur, and perform the key stream generation element update when it may. For the specific process, refer to the foregoing embodiment; details are not described here again.
[131] In this embodiment, the processing unit is configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element, and the sending unit is configured to send the trigger message to the first access node. With this embodiment, when a bearer state change that may cause key stream repetition occurs, the second access node can send trigger information to the first node to instruct the first access node to perform a key stream generation element update, thereby avoiding key stream repetition.
[132] An embodiment of the present invention further provides a key stream generation element updating method for a dual connectivity system, in which the first access node and the second access node simultaneously provide wireless connections for a UE.
[133] FIG. 3 is a flowchart of an embodiment of a key stream generation element updating method according to the present invention.
[134] Step 301: The first access node obtains a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
[135] The first access node first obtains the trigger message from the second access node. The first access node may be an SeNB or an MeNB; correspondingly, the second access node is an MeNB or an SeNB. The trigger information is used to indicate that a state change has occurred on a bearer on the second access node.
[136] In one possible implementation manner, because a PDCP COUNT reset caused by a key update may lead to key stream repetition, the trigger message may be first information used to indicate a key update of the second access node. The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
[137] In another possible implementation manner, because a bearer transfer may also lead to key stream repetition, the trigger message may also be second information used to indicate that a target bearer is transferred from the second access node to the first access node. The second message may carry a switchback indication, where the switchback indication is used to indicate that the target bearer is a transfer bearer. Further, the second message may also carry a reset indication, where the reset indication is used to indicate that a PDCP COUNT reset occurred on the target bearer while it was on the second access node.
[138] The trigger message may also be other information used to indicate that some other situation that may cause key stream repetition has occurred on the second access node; details are not described here.
[139] Step 302: The first access node performs a key stream generation element update according to the trigger message.
[140] When the first access node obtains the first information or the second message, this indicates that a bearer state change that may cause key stream repetition has occurred on the second access node. In this case, the first access node may initiate a key stream generation element update procedure and perform a key stream generation element update on the first access node, for example by updating the encryption key or reconfiguring the DRB ID, thereby preventing key stream repetition.
[141] After receiving the trigger information, the first access node may also further determine whether the state change of the bearer on the second access node can lead to key stream repetition. If it cannot, no key stream generation element update is performed on the first access node; if it can, the first access node performs the key stream generation element update. This reduces the number of key stream generation element updates performed by the first access node and saves resources.
[142] In a first possible implementation manner, if the trigger message is the first message, the first access node may determine, according to information such as a bearer transfer record and a presence indication, whether a transfer bearer exists on the second access node. If none exists, the PDCP COUNT reset caused by the key update of the second access node will not cause key stream repetition, and the first access node does not need to perform a key stream generation element update. If one exists, the PDCP COUNT reset caused by the key update of the second access node may cause key stream repetition, and the first access node may perform a key stream generation element update. Here, a transfer bearer is a bearer transferred from the first access node to the second access node; the presence indication is used to indicate that a transfer bearer exists on the second access node; and the bearer transfer record is used to record transfer bearers.
[143] In a second possible implementation manner, if the trigger message is the second message, the second access node may determine, according to information such as the bearer transfer record and the switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the target bearer's DRB ID and the first access node's key has not occurred before, so key stream repetition will not occur on the target bearer, and the first access node does not need to perform a key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
[144] In the second possible implementation manner, after determining that the target bearer is a transfer bearer, the first access node may further determine whether a PDCP COUNT reset occurred on the target bearer while it was on the second access node. If not, the PDCP COUNT of the target bearer will not repeat, so key stream repetition will not occur on the target bearer, and the first access node does not need to perform a key stream generation element update. If so, the PDCP COUNT of the target bearer may repeat, so key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
[145] In the second possible implementation manner, after determining that the target bearer is a transfer bearer, the first access node may also further determine whether the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node. If so, the PDCP COUNT will not repeat, so key stream repetition will not occur on the target bearer. If not, the PDCP COUNT of the target bearer may repeat, so key stream repetition may occur on the target bearer, and the first access node may perform a key stream generation element update.
[146] In this embodiment, the first access node obtains a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element, and the first access node performs a key stream generation element update according to the trigger message. With this embodiment, when a bearer state change that may cause key stream repetition occurs on the second access node, the first access node can perform a key stream generation element update on the first access node, thereby avoiding key stream repetition.
[147]下面对本发明密钥流生成元素更新方法做进一步说明。 [147] The method for updating the key stream generation element of the present invention will be further described below.
[148]参见图 4, 为本发明密钥流生成元素更新方法另一个实施例的流程图。 [148] Referring to FIG. 4, it is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention.
[149]步骤 401, 从所述第二接入节点获取密钥流生成元素更新触发消息。 [149] Step 401: Acquire a key stream generation element update trigger message from the second access node.
[150]步骤 402, 当获取到用于指示所述第二接入节点密钥更新的第一信息时,检测所 述第二接入节点上是否存在转移承载。 [150] Step 402: When obtaining the first information used to indicate the second access node key update, detecting whether there is a transfer bearer on the second access node.
[151]第一接入节点可以根据承载转移记录及所述第二接入节点上当前所有承载, 或 者,根据所述第一信息携带的存在指示,确定所述第二接入节点上是否存在转移承载。 [151] The first access node may determine whether the second access node exists according to the bearer transfer record and all current bearers on the second access node, or according to the presence indication carried by the first information. Transfer the bearer.
[152]其中, 所述承载转移记录可以为一个列表或其它数据结构, 用于记载转移承载, 所述转移承载是指从所述第一接入节点转移到所述第二接入节点的承载。承载转移记 录可以记载转移承载的 DRB ID。 当有承载从第一接入节点转移到第二时, 生成包含 该承载的 DRB ID的承载转移记录或将该承载的 DRB ID添加进承载转移记录中, 当 第一接入节点发生密钥流元素更新时, 删除或清空承载转移记录。 [152] The bearer transfer record may be a list or other data structure for describing a transfer bearer, where the transfer bearer refers to a bearer transferred from the first access node to the second access node. . The bearer transfer record records the DRB ID of the transfer bearer. Generating a bearer transfer record containing the DRB ID of the bearer or adding the DRB ID of the bearer to the bearer transfer record when a bearer is transferred from the first access node to the second, when the first access node generates a key flow When the element is updated, delete or empty the bearer transfer record.
[153]所述存在指示, 用于指示第二接入节点上存在转移承载。 当第二接入节点上存 在转移承载时,可以在生成的第一信息中加入存在指示, 或者将第一信息中的预设字 段设置为预设值。第一接入节点根据第一信息是否包含存在指示, 或预设字段是否为 预设值, 判定第二接入节点上存在转移承载。  [153] The presence indication is used to indicate that there is a transfer bearer on the second access node. When the transfer bearer exists on the second access node, the presence indication may be added to the generated first information, or the preset field in the first information may be set to a preset value. The first access node determines that there is a transfer bearer on the second access node according to whether the first information includes a presence indication, or whether the preset field is a preset value.
[154] Step 403: If a transferred bearer exists on the second access node, perform a keystream generation element update on the first access node.
[155] When performing the keystream generation element update, the first access node may update the key of the first access node, or may only reassign DRB IDs for the transferred bearers in order to reduce system overhead.
[156] In this embodiment, a keystream generation element update trigger message is obtained from the second access node; when first information indicating a key update of the second access node is obtained, it is detected whether a transferred bearer exists on the second access node; if a transferred bearer exists on the second access node, a keystream generation element update is performed on the first access node. With this embodiment, a keystream generation element update can be performed on the first access node when a key update occurs on the second access node, thereby avoiding the keystream repetition that the key update would otherwise cause.
[157] FIG. 5 is a flowchart of one embodiment of the keystream generation element update method of the present invention.
[158] Step 501: Obtain a keystream generation element update trigger message from the second access node.
[159] Step 502: When second information indicating that a target bearer is transferred from the second access node to the first access node is obtained, detect whether the target bearer is a transferred bearer.
[160] The first access node may determine whether the target bearer is a transferred bearer according to the bearer transfer record, or according to a switchback indication carried in the second information. If the target bearer is a transferred bearer, keystream repetition may occur on the target bearer; if the target bearer is not a transferred bearer, keystream repetition does not occur on the target bearer.
[161] The bearer transfer record may also record, for each transferred bearer, whether it has undergone a PDCP COUNT reset, and may also record the PDCP COUNT of the transferred bearer at the time it was transferred from the first access node to the second access node. For example, the bearer transfer record may record the DRB ID and a reset flag of the transferred bearer. When a bearer is transferred from the first access node to the second access node, a bearer transfer record containing the DRB ID and reset flag of that bearer is generated, or the DRB ID and reset flag of that bearer are added to the bearer transfer record. When the PDCP COUNT of that bearer is reset, the reset flag is set to a preset value. When a keystream element update occurs on the first access node, the bearer transfer record is deleted or emptied. The first access node determines whether the target bearer is a transferred bearer according to the bearer transfer record and the DRB ID of the target bearer.
[162] The switchback indication indicates that the target bearer is a transferred bearer. When the second access node determines that a transferred bearer exists on the second access node, it may add the switchback indication to the generated second information, or set a preset field in the first information to a preset value. The first access node determines whether the target bearer is a transferred bearer according to whether the second information contains the switchback indication, or whether the preset field holds the preset value.
[163] If the target bearer is a transferred bearer, the keystream generation element update may be performed on the first access node directly, or step 303 may be performed to make a further determination.
[164] Step 503: If the target bearer is a transferred bearer, detect whether the PDCP COUNT of the target bearer has been reset.
[165] The first access node may determine whether the PDCP COUNT of the target bearer has been reset by checking whether the reset flag of the target bearer in the bearer transfer record holds a predetermined value, or by checking whether the second information contains a reset indication.
[166] Step 504: When the target bearer has undergone a PDCP COUNT reset, perform a keystream generation element update on the first access node.
[167] A reset of the target bearer's PDCP COUNT may cause PDCP COUNT values of the target bearer to repeat, which in turn may cause keystream repetition. Therefore, if the target bearer has undergone a PDCP COUNT reset, a keystream generation element update may be performed on the first access node.
[168] Even if the PDCP COUNT of the target bearer has been reset, keystream repetition does not necessarily occur on the target bearer. For example, if the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node, no keystream repetition occurs on the target bearer.
[169] Therefore, if the target bearer is a transferred bearer, the first access node may, instead of detecting whether the PDCP COUNT of the target bearer has been reset, obtain the current PDCP COUNT value of the target bearer and its PDCP COUNT value at the time it was transferred from the first access node to the second access node. If the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, a keystream generation element update is performed on the first access node.
[170] In this embodiment, a keystream generation element update trigger message is obtained from the second access node; when second information indicating that a target bearer is transferred from the second access node to the first access node is obtained, it is detected whether the target bearer is a transferred bearer; if the target bearer is a transferred bearer, it is detected whether the PDCP COUNT of the target bearer has been reset; when the target bearer has undergone a PDCP COUNT reset, a keystream generation element update is performed on the first access node. With this embodiment, the keystream generation element update is performed on the first access node only when the target bearer is a transferred bearer and has undergone a PDCP COUNT reset. This not only avoids the keystream repetition caused by bearer transfer, but also reduces the number of keystream generation element updates and the consumption of system resources.
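The following Python sketch is an added example, not code from the patent: it models the first access node's decisions in steps 402-403 and 502-504, including the PDCP COUNT comparison of paragraph [169]. The class and method names, and the counter that stands in for a real key, are assumptions made for illustration.

```python
"""Added example: first-access-node decision logic for keystream generation
element updates. All class, method and parameter names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class TransferEntry:
    """One entry of the bearer transfer record, keyed by DRB ID."""
    count_at_transfer: int      # PDCP COUNT when the bearer left the first node
    reset_flag: bool = False    # set if PDCP COUNT was reset while away


@dataclass
class FirstAccessNode:
    transfer_record: Dict[int, TransferEntry] = field(default_factory=dict)
    key_generation: int = 0     # stand-in for the node key; bumped on each update

    def bearer_transferred_out(self, drb_id: int, pdcp_count: int) -> None:
        """A bearer moves from the first to the second access node."""
        self.transfer_record[drb_id] = TransferEntry(pdcp_count)

    def mark_count_reset(self, drb_id: int) -> None:
        """Record that a transferred bearer's PDCP COUNT was reset."""
        if drb_id in self.transfer_record:
            self.transfer_record[drb_id].reset_flag = True

    def update_keystream_elements(self) -> None:
        """Modelled as a key update; the record is emptied afterwards."""
        self.key_generation += 1
        self.transfer_record.clear()

    def on_first_information(self, second_node_drbs: Iterable[int],
                             presence_indication: Optional[bool] = None) -> bool:
        """Steps 402-403: the second access node has updated its key.

        presence_indication=None means the indication scheme is not used and
        the bearer transfer record is consulted instead.
        Returns True if an update was performed.
        """
        if presence_indication is not None:
            has_transferred = presence_indication
        else:
            has_transferred = any(d in self.transfer_record
                                  for d in second_node_drbs)
        if has_transferred:
            self.update_keystream_elements()
        return has_transferred

    def on_second_information(self, drb_id: int, *,
                              switchback_indication: Optional[bool] = None,
                              reset_indication: Optional[bool] = None,
                              current_count: Optional[int] = None) -> bool:
        """Steps 502-504: a target bearer comes back from the second node.

        Returns True if an update was performed.
        """
        entry = self.transfer_record.get(drb_id)
        # Step 502: is the target bearer a transferred bearer?
        if switchback_indication is not None:
            is_transferred = switchback_indication
        else:
            is_transferred = entry is not None
        if not is_transferred:
            return False            # never used under this node's key
        if current_count is not None and entry is not None:
            # Paragraph [169]: COUNT values up to count_at_transfer were
            # already used here, so resuming at or below it would repeat them.
            must_update = current_count <= entry.count_at_transfer
        else:
            # Steps 503-504: reset indication or reset flag in the record.
            must_update = bool(reset_indication) or (
                entry is not None and entry.reset_flag)
        if must_update:
            self.update_keystream_elements()
        return must_update


if __name__ == "__main__":
    node = FirstAccessNode()
    node.bearer_transferred_out(drb_id=4, pdcp_count=500)   # constructed values
    print(node.on_second_information(4, current_count=800))  # no overlap
    print(node.on_second_information(4, current_count=500))  # overlap, update
```

The COUNT comparison avoids an update whenever the returning bearer resumes above the values already consumed on the first access node, which is the saving paragraph [168] describes.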
[171] The invention is further described below from the side of the second access node.
[172] FIG. 6 is a flowchart of another embodiment of the keystream generation element update method of the present invention.
[173] Step 601: When a preset condition is met, the second access node generates a trigger message, where the trigger message instructs the first access node to trigger an update of the keystream generation element.
[174] The preset condition may be that a key update occurs on the second access node, that a bearer on the second access node is transferred to the first access node, or that some other bearer state change that may cause keystream repetition occurs on the second access node.
[175] In one possible implementation, the trigger message may be the first information.
[176] The first information may be generated when the second access node performs a key update, or when the second access node performs a key update and a transferred bearer exists on the second access node. The first information may carry a presence indication, which indicates that a transferred bearer exists on the second access node.
[177] In another possible implementation, the trigger message may be the second information.
[178] The first information may be generated when the target bearer is transferred from the second access node to the first access node. If the target bearer is a transferred bearer, the second information may also carry a switchback indication. If the target bearer has undergone a PDCP COUNT reset, the second information may also carry a reset indication.
[179] Whether the target bearer is a transferred bearer, and whether the target bearer has undergone a PDCP COUNT reset, can both be determined from the bearer transfer record. For the specific determination process, refer to the foregoing embodiments; details are not repeated here.
[180] Step 602: Send the trigger message to the first access node.
[181] After receiving the trigger message, the first access node may perform the keystream generation element update immediately, or may further determine, according to the trigger message and/or the content it carries, whether keystream repetition would occur, and perform the keystream generation element update when keystream repetition may occur. For the specific process, refer to the foregoing embodiments; details are not repeated here.
[182] In this embodiment, when a preset condition is met, the second access node generates a trigger message that instructs the first access node to trigger an update of the keystream generation element, and sends the trigger message to the first access node. With this embodiment, when a bearer state change that may cause keystream repetition occurs, the second access node can send a trigger message to the first access node instructing it to perform a keystream generation element update, thereby avoiding keystream repetition.
[183] As shown in FIG. 7, an embodiment of the present invention further provides a dual connectivity system comprising a first access node 701 and a second access node 702, which simultaneously provide a wireless connection for a UE.
[184] The second access node 702 is configured to generate a trigger message when a preset condition is met, where the trigger message instructs the first access node 701 to trigger an update of the keystream generation element, and to send the trigger message to the first access node 701.
[185] The second access node 702 is further configured to generate first information when performing a key update, and to send the first information to the first access node 701.
[186] The second access node 702 is further configured to generate the first information when performing a key update if a transferred bearer exists on the second access node 702.
[187] The second access node 702 is further configured to generate second information when a target bearer is switched from the second access node 702 to the first access node 701, and to send the second information to the first access node 701.
[188] The second access node 702 is further configured to, when a target bearer is switched from the second access node 702 to the first access node 701, generate the second information carrying a switchback indication if the target bearer is a transferred bearer.
[189] The second access node 702 is further configured to, when a target bearer is switched from the second access node 702 to the first access node 701, generate second information carrying a switchback indication and a reset indication if the target bearer is a transferred bearer and has undergone a PDCP COUNT reset while on the second access node 702.
[190] The first access node 701 is configured to obtain the trigger message from the second access node 702 and to perform a keystream generation element update according to the trigger message.
[191] The first access node 701 is further configured to obtain a trigger message from the second access node 702, where the trigger message is used to trigger an update of the keystream generation element, and to perform a keystream generation element update according to the trigger message.
[192] The first access node 701 is further configured to perform a keystream generation element update on the first access node 701 when first information indicating a key update of the second access node 702 is obtained.
[193] The first access node 701 is further configured to perform a keystream generation element update on the first access node 701 if a transferred bearer exists on the second access node 702, where a transferred bearer is a bearer transferred from the first access node 701 to the second access node 702.
[194] The first access node 701 is further configured to perform a keystream generation element update on the first access node 701 if the first information carries a presence indication, where the presence indication indicates that a transferred bearer exists on the second access node 702.
[195] The first access node 701 is further configured to obtain the bearer transfer record and, if it determines from the bearer transfer record and all bearers currently on the second access node 702 that a transferred bearer exists on the second access node 702, to perform a keystream generation element update on the first access node 701.
[196] The first access node 701 is further configured to delete the bearer transfer record after performing the keystream generation element update on the first access node 701.
[197] When performing the keystream generation element update on the first access node 701, the first access node 701 may update only the key of the first access node 701.
[198] When performing the keystream generation element update on the first access node 701, the first access node 701 may alternatively only reassign DRB IDs for the transferred bearers.
[199] With this embodiment, when a bearer state change that may cause keystream repetition occurs, the second access node can send a trigger message to the first access node, and the first access node performs a keystream generation element update after receiving the trigger message, thereby avoiding keystream repetition.
[200] FIG. 8 is a schematic structural diagram of a keystream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention.
[201] As shown in FIG. 8, the apparatus includes modules such as a processor 801, a memory 802 and a communication interface 803, and the modules are connected to each other.
[202] The memory 802 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operating instructions. The memory 802 may include random access memory (RAM), and may also include non-volatile memory, for example at least one disk memory.
[203] The communication interface 803 is configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of the keystream generation element.
[204] The processor 801 is configured to execute the program stored in the memory 802 and to perform a keystream generation element update according to the trigger message.
[205] The processor 801 is further configured to perform a keystream generation element update on the first access node when first information indicating a key update of the second access node is obtained.
[206] The processor 801 is further configured to perform a keystream generation element update on the first access node if a transferred bearer exists on the second access node, where a transferred bearer is a bearer transferred from the first access node to the second access node.
[207] The processor 801 is further configured to perform a keystream generation element update on the first access node if the first information carries a presence indication, where the presence indication indicates that a transferred bearer exists on the second access node.
[208] The processor 801 is further configured to obtain the bearer transfer record and, if it determines from the bearer transfer record and all bearers currently on the second access node that a transferred bearer exists on the second access node, to perform a keystream generation element update on the first access node.
[209] The processor 801 is further configured to delete the bearer transfer record after performing the keystream generation element update on the first access node.
[210] The processor 801 is further configured to update the key of the first access node.
[211] The processor 801 is further configured to reassign DRB IDs for the transferred bearers.
[212] The processor 801 is further configured to perform a keystream generation element update on the first access node when second information indicating that a target bearer is transferred from the second access node to the first access node is obtained.
[213] The processor 801 is further configured to perform a keystream generation element update on the first access node if it determines from the switchback indication in the second information that the target bearer is a transferred bearer, where the switchback indication indicates that the target bearer is a transferred bearer.
[214] The processor 801 is further configured to obtain the bearer transfer record, which is used to record transferred bearers, and, if it determines from the bearer transfer record that the target bearer is a transferred bearer, to perform a keystream generation element update on the first access node.
[215] The processor 801 is further configured to perform a keystream generation element update on the first access node if it determines from the reset indication in the second information that the target bearer underwent a PDCP COUNT reset while on the second access node.
[216] The processor 801 is further configured to perform a keystream generation element update on the first access node if it determines from the reset flag in the bearer transfer record that the target bearer underwent a PDCP COUNT reset while on the second access node.
[217] The processor 801 is further configured to obtain the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node, and, if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, to perform a keystream generation element update on the first access node.
[218] The processor 801 is further configured to update the key of the first access node or to reassign a DRB ID for the target bearer.
[219] FIG. 9 is a schematic structural diagram of a keystream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention.
[220] As shown in FIG. 9, the apparatus includes modules such as a processor 901, a memory 902 and a communication interface 903, and the modules are connected to each other.
[221] The memory 902 is configured to store a program. Specifically, the program may include program code, and the program code includes computer operating instructions. The memory 902 may include random access memory (RAM), and may also include non-volatile memory, for example at least one disk memory.
[222] The processor 901 is configured to execute the program stored in the memory 802 and, when a preset condition is met, to generate a trigger message, where the trigger message instructs the first access node to trigger an update of the keystream generation element.
[223] The processor 901 is further configured to generate first information when the second access node performs a key update.
[224] The processor 901 is further configured to generate the first information when the second access node performs a key update if a transferred bearer exists on the second access node.
[225] The processor 901 is further configured to generate second information when a target bearer is switched from the second access node to the first access node.
[226] The processor 901 is further configured to, when a target bearer is switched from the second access node to the first access node, generate the second information carrying a switchback indication if the target bearer is a transferred bearer.
[227] The processor 901 is further configured to, when a target bearer is switched from the second access node to the first access node, generate second information carrying a switchback indication and a reset indication if the target bearer is a transferred bearer and has undergone a PDCP COUNT reset while on the second access node.
[228] The communication interface 903 is configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of the keystream generation element. The trigger message may be the first message or the second message.
[229] In a specific implementation, the present invention further provides a computer storage medium. The computer storage medium may store a program which, when executed, may perform some or all of the steps in the embodiments of the call method provided by the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
[230] Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
[231] The embodiments in this specification are described in a progressive manner. For parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus, server and system embodiments are described relatively briefly because they are basically similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
[232] The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A keystream generation element updating apparatus for a dual connectivity system, in which the first access node and the second access node simultaneously provide a wireless connection for a user equipment (UE), characterized by comprising:
a receiving unit, configured to obtain a trigger message from the second access node, where the trigger message is used to trigger an update of the keystream generation element;
a processing unit, configured to perform a keystream generation element update according to the trigger message.
2. The apparatus according to claim 1, characterized in that:
the processing unit being configured to perform a keystream generation element update according to the trigger message comprises: being configured to perform a keystream generation element update on the first access node when first information indicating a key update of the second access node is obtained.
3. The apparatus according to claim 2, characterized in that:
the processing unit being configured to perform a keystream generation element update on the first access node when first information indicating a key update of the second access node is obtained comprises: being configured to, when the first information indicating a key update of the second access node is obtained, perform a keystream generation element update on the first access node if a transferred bearer exists on the second access node, where a transferred bearer is a bearer transferred from the first access node to the second access node.
4. The apparatus according to claim 2, characterized in that:
所述处理单元,用于当获取到用于指示所述第二接入节点密钥更新的第一信 息时, 对所述第一接入节点进行密钥流生成元素更新, 包括: 用于当获取到用于 指示所述第二接入节点密钥更新的第一信息时, 如果所述第一信息携带存在指 示, 对所述第一接入节点进行密钥流生成元素更新, 其中所述存在指示用于指示 所述第二接入节点上存在转移承载。  The processing unit is configured to perform a key stream generation element update on the first access node when acquiring the first information used to indicate the second access node key update, including: When the first information indicating the second access node key update is obtained, if the first information carries a presence indication, performing key stream generation element update on the first access node, where A presence indication is used to indicate the presence of a transfer bearer on the second access node.
5. 如权利要求 2所述的装置, 其特征在于, 5. Apparatus according to claim 2 wherein:
所述处理单元,用于当获取到用于指示所述第二接入节点密钥更新的第一信 息时, 对所述第一接入节点进行密钥流生成元素更新, 包括: 用于获取承载转移 记录, 所述承载转移记录用于记载转移承载, 所述转移承载是指从所述第一接入 节点转移到所述第二接入节点的承载;如果根据所述承载转移记录及所述第二接 入节点上当前所有承载, 确定所述第二接入节点上存在转移承载, 对所述第一接 入节点进行密钥流生成元素更新。 The processing unit is configured to perform a key stream generation element update on the first access node when acquiring the first information used to indicate the second access node key update, including: Carrying a transfer record, the bearer transfer record is used to record a transfer bearer, and the transfer bearer refers to the first access Transferring the node to the bearer of the second access node; if it is determined that there is a transfer bearer on the second access node according to the bearer transfer record and all current bearers on the second access node, An access node performs key stream generation element update.
6. 如权利要求 5所述的装置, 其特征在于, 6. Apparatus according to claim 5 wherein:
所述处理单元, 用于获取承载转移记录; 如果根据所述承载转移记录及所述 第二接入节点上当前所有承载, 确定所述第二接入节点上存在转移承载, 对所述 第一接入节点进行密钥流生成元素更新, 还包括: 用于在对所述第一接入节点进 行密钥流生成元素更新后, 删除所述承载转移记录。  The processing unit is configured to acquire a bearer transfer record, and determine, if the transfer bearer exists on the second access node, according to the bearer transfer record and all current bearers on the second access node, to the first The access node performs the key stream generation element update, and further includes: deleting the bearer transfer record after performing the key stream generation element update on the first access node.
7.如权利要求 1至 6任一所述的装置, 其特征在于, 7. Apparatus according to any one of claims 1 to 6 wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 用于对所述第一接入节点的密钥进行更新。  The processing unit, configured to perform a key stream generation element update on the first access node, includes: configured to update a key of the first access node.
8.如权利要求 5或 6所述的装置, 其特征在于, 8. Apparatus according to claim 5 or claim 6 wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 用于为所述转移承载重新分配 DRB ID。  The processing unit, configured to perform a key stream generation element update on the first access node, includes: configured to re-allocate a DRB ID for the transfer bearer.
9.如权利要求 1所述的装置, 其特征在于, 9. Apparatus according to claim 1 wherein:
所述处理单元, 用于根据所述触发消息进行密钥流生成元素更新, 包括: 用 于当获取到用于指示目标承载从所述第二接入节点转移至所述第一接入节点的 第二信息时, 对所述第一接入节点进行密钥流生成元素更新。  The processing unit, configured to perform a key stream generation element update according to the trigger message, to: when used to indicate that a target bearer is transferred from the second access node to the first access node In the second information, the key stream generation element update is performed on the first access node.
10.如权利要求 9所述的装置, 其特征在于, 10. Apparatus according to claim 9 wherein:
所述处理单元,用于当获取到用于指示目标承载从所述第二接入节点转移至 所述第一接入节点的第二信息时, 对所述第一接入节点进行密钥流生成元素更 新, 包括: 用于当获取到用于指示目标承载从所述第二接入节点转移至所述第一 接入节点的第二信息时,如果根据所述第二信息中的切回指示判定所述目标承载 为转移承载, 对所述第一接入节点进行密钥流生成元素更新, 所述切回指示用于 指示所述目标承载为转移承载。  The processing unit is configured to perform key flow on the first access node when acquiring second information indicating that the target bearer is transferred from the second access node to the first access node Generating an element update, comprising: when acquiring, according to the second information in the second information, the second information in the second information is used to indicate that the target bearer is transferred from the second access node to the first access node And indicating that the target bearer is a transfer bearer, and performing a key stream generation element update on the first access node, where the switchback indication is used to indicate that the target bearer is a transfer bearer.
11. 如权利要求 9所述的装置, 其特征在于, 所述处理单元,用于当获取到用于指示目标承载从所述第二接入节点转移至 所述第一接入节点的第二信息时, 对所述第一接入节点进行密钥流生成元素更 新, 包括: 获取承载转移记录; 如果根据所述承载转移记录判定所述目标承载为 转移承载, 对所述第一接入节点进行密钥流生成元素更新。 11. Apparatus according to claim 9 wherein: The processing unit is configured to perform key flow on the first access node when acquiring second information indicating that the target bearer is transferred from the second access node to the first access node Generating an element update includes: acquiring a bearer transfer record; and if the target bearer is determined to be a transfer bearer according to the bearer transfer record, performing key stream generation element update on the first access node.
12. 如权利要求 10或 11所述的装置, 其特征在于, 12. Apparatus according to claim 10 or claim 11 wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 用于如果根据所述第二信息中的重置指示判断所述目标承载在所述第二接入节 点期间发生过 PDCP COUNT重置, 对所述第一接入节点进行密钥流生成元素更 新。  The processing unit, configured to perform a key stream generation element update on the first access node, includes: determining, if the target bearer is in the second connection, according to a reset indication in the second information A PDCP COUNT reset occurs during the ingress, and a key stream generation element update is performed on the first access node.
13. 如权利要求 10或 11所述的装置, 其特征在于, 13. Apparatus according to claim 10 or claim 11 wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 用于如果根据所述承载转移记录中的重置标识判断所述目标承载在所述第二接 入节点期间发生过 PDCP COUNT重置, 对所述第一接入节点进行密钥流生成元 素更新。  The processing unit, configured to perform the key stream generation element update on the first access node, includes: determining, if the target bearer is in the second connection, according to the reset identifier in the bearer transfer record A PDCP COUNT reset occurs during the ingress, and a key stream generation element update is performed on the first access node.
14. 如权利要求 10或 11所述的装置, 其特征在于, 14. Apparatus according to claim 10 or claim 11 wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 获取所述目标承载的当前 PDCP COUNT值, 及所述目标承载从所述第一接入节 点转移至所述第二接入节点时的 PDCP COUNT 值; 如果所述目标承载的当前 PDCP COUNT 值小于等于从所述第一接入节点转移至所述第二接入节点时的 PDCP COUNT值, 对所述第一接入节点进行密钥流生成元素更新。  The processing unit, configured to perform a key stream generation element update on the first access node, includes: acquiring a current PDCP COUNT value of the target bearer, and transferring the target bearer from the first access node a PDCP COUNT value to the second access node; if the current PDCP COUNT value of the target bearer is less than or equal to a PDCP COUNT value when the first access node is transferred to the second access node, The first access node performs key stream generation element update.
15.如权利要求 9至 14任一权利要求所述的装置, 其特征在于, 15. Apparatus according to any of claims 9 to 14, wherein:
所述处理单元, 用于对所述第一接入节点进行密钥流生成元素更新, 包括: 对所述第一接入节点的密钥进行更新或为所述目标承载重新分配 DRB ID。  The processing unit, configured to perform a key stream generation element update on the first access node, includes: updating a key of the first access node or re-allocating a DRB ID for the target bearer.
16. An apparatus for updating a key stream generation element in a dual connectivity system, wherein in the dual connectivity system the first access node and the second access node simultaneously provide a wireless connection for a UE, characterized in that the apparatus comprises:
a processing unit, configured to generate a trigger message when a preset condition is met, wherein the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; and
a sending unit, configured to send the trigger message to the first access node.
17. The apparatus according to claim 16, characterized in that
the processing unit being configured to generate the trigger message when the preset condition is met comprises: being configured to generate first information when the second access node performs a key update; and
the sending unit being configured to send the trigger message to the first access node comprises: being configured to send the first information to the first access node.
18. The apparatus according to claim 17, characterized in that
the processing unit being configured to generate the first information when the second access node performs a key update comprises: being configured to, when the second access node performs a key update, generate the first information if a transfer bearer exists on the second access node.
19. The apparatus according to claim 16, characterized in that
the processing unit being configured to generate the trigger message when the preset condition is met comprises: being configured to generate second information when a target bearer is switched from the second access node to the first access node; and
the sending unit being configured to send the trigger message to the first access node comprises: being configured to send the second information to the first access node.
20. The apparatus according to claim 19, characterized in that
the processing unit being configured to generate the second information when the target bearer is switched from the second access node to the first access node comprises: being configured to, when the target bearer is switched from the second access node to the first access node, generate the second information carrying a switchback indication if the target bearer is a transfer bearer.
21. The apparatus according to claim 19, characterized in that
the processing unit being configured to generate the second information when the target bearer is switched from the second access node to the first access node comprises: being configured to, when the target bearer is switched from the second access node to the first access node, generate second information carrying a switchback indication and a reset indication if the target bearer is a transfer bearer and a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
22. A method for updating a key stream generation element in a dual connectivity system, wherein in the dual connectivity system the first access node and the second access node simultaneously provide a wireless connection for a UE, characterized in that the method comprises:
acquiring, by the first access node, a trigger message from the second access node, wherein the trigger message is used to trigger an update of a key stream generation element; and
updating, by the first access node, the key stream generation element according to the trigger message.
23. The method according to claim 22, characterized in that the first access node updating the key stream generation element for the first access node according to the trigger message comprises:
updating the key stream generation element for the first access node when first information indicating a key update of the second access node is acquired.
24. The method according to claim 23, characterized in that updating the key stream generation element for the first access node comprises:
updating the key stream generation element for the first access node if a transfer bearer exists on the second access node.
25. The method according to claim 23, characterized in that updating the key stream generation element for the first access node comprises:
updating the key stream generation element for the first access node if the first information carries a presence indication.
26. The method according to claim 23, characterized in that updating the key stream generation element for the first access node comprises:
acquiring a bearer transfer record; and
if it is determined from the bearer transfer record and all bearers currently on the second access node that a transfer bearer exists on the second access node, updating the key stream generation element for the first access node.
27. The method according to claim 26, characterized in that, after the key stream generation element is updated for the first access node, the method further comprises:
deleting the bearer transfer record.
28. The method according to any one of claims 22 to 27, characterized in that updating the key stream generation element for the first access node comprises:
updating the key of the first access node.
29. The method according to any one of claims 24 to 27, characterized in that updating the key stream generation element for the first access node comprises:
re-allocating a DRB ID for the transfer bearer.
30. The method according to claim 22, characterized in that the first access node updating the key stream generation element for the first access node according to the trigger message comprises:
updating the key stream generation element for the first access node when second information indicating that a target bearer is transferred from the second access node to the first access node is acquired.
31. The method according to claim 30, characterized in that updating the key stream generation element for the first access node comprises:
updating the key stream generation element for the first access node if the target bearer is determined to be a transfer bearer according to a switchback indication in the second information.
32. The method according to claim 30, characterized in that updating the key stream generation element for the first access node comprises:
acquiring a bearer transfer record, wherein the bearer transfer record records transfer bearers; and
if the target bearer is determined to be a transfer bearer according to the bearer transfer record, updating the key stream generation element for the first access node.
33. The method according to claim 31 or 32, characterized in that updating the key stream generation element for the first access node comprises:
updating the key stream generation element for the first access node if it is determined, according to a reset indication in the second information, that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
34. The method according to claim 31 or 32, characterized in that updating the key stream generation element for the first access node comprises:
updating the key stream generation element for the first access node if it is determined, according to a reset identifier in the bearer transfer record, that a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
35. The method according to claim 31 or 32, characterized in that updating the key stream generation element for the first access node comprises:
acquiring the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node; and
if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, updating the key stream generation element for the first access node.
36. The method according to any one of claims 30 to 35, characterized in that updating the key stream generation element for the first access node comprises:
updating the key of the first access node or re-allocating a DRB ID for the target bearer.
37. A method for updating a key stream generation element in a dual connectivity system, wherein in the dual connectivity system the first access node and the second access node simultaneously provide a wireless connection for a UE, characterized in that the method comprises:
generating, by the second access node, a trigger message when a preset condition is met, wherein the trigger message is used to instruct the first access node to trigger an update of a key stream generation element; and
sending the trigger message to the first access node.
38. The method according to claim 37, characterized in that
generating the trigger message comprises:
generating first information when the second access node performs a key update; and
sending the trigger message to the first access node comprises:
sending the first information to the first access node.
39. The method according to claim 38, characterized in that generating the first information comprises:
generating the first information if a transfer bearer exists on the second access node.
40. The method according to claim 37, characterized in that
generating the trigger message comprises:
generating second information when a target bearer is switched from the second access node to the first access node; and
sending the trigger message to the first access node comprises:
sending the second information to the first access node.
41. The method according to claim 40, characterized in that generating the second information comprises:
generating the second information carrying a switchback indication if the target bearer is a transfer bearer.
42. The method according to claim 40, characterized in that generating the second information comprises:
generating second information carrying a switchback indication and a reset indication if the target bearer is a transfer bearer and a PDCP COUNT reset occurred for the target bearer while it was on the second access node.
43. A dual connectivity system, wherein in the dual connectivity system the first access node and the second access node simultaneously provide a wireless connection for a UE, characterized in that the system comprises:
the second access node, configured to generate a trigger message when a preset condition is met, wherein the trigger message is used to instruct the first access node to trigger an update of a key stream generation element, and to send the trigger message to the first access node; and
the first access node, configured to acquire the trigger message from the second access node, and to update the key stream generation element according to the trigger message.
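The decision that claims 30 to 36 place on the first access node can be sketched as follows; it also shows that a bearer returning with an old PDCP COUNT under an unchanged key and DRB ID would repeat a keystream. This Python example is added for illustration and is not part of the patent text. The class and field names, the HMAC-based keystream stand-in, the DRB ID range 1 to 32, the OR-combination of the conditions in claims 33 to 35, and the key-refresh derivation are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def keystream(key: bytes, count: int, drb_id: int, direction: int) -> bytes:
    """Stand-in keystream block (HMAC-SHA256), NOT a 3GPP cipher.

    It models one property only: identical (key, COUNT, bearer, direction)
    inputs always produce the identical keystream.
    """
    msg = count.to_bytes(4, "big") + bytes([drb_id, direction])
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


@dataclass
class TransferRecord:
    """Bearer transfer record held by the first access node (claims 26, 32)."""
    count_at_transfer: int      # PDCP COUNT when the bearer left the first node
    reset_flag: bool = False    # reset identifier (claim 34)


@dataclass
class SecondInfo:
    """Second information: a bearer moves from the second node to the first."""
    drb_id: int
    current_count: int
    switchback: bool = False    # switchback indication (claim 31)
    reset: bool = False         # reset indication (claim 33)


@dataclass
class FirstAccessNode:
    key: bytes
    used_drb_ids: set = field(default_factory=set)  # IDs already used with key
    records: dict = field(default_factory=dict)     # drb_id -> TransferRecord

    def transfer_out(self, drb_id: int, count: int) -> None:
        """Bearer moves to the second node: record where COUNT stood."""
        self.used_drb_ids.add(drb_id)
        self.records[drb_id] = TransferRecord(count_at_transfer=count)

    def needs_update(self, info: SecondInfo) -> bool:
        rec = self.records.get(info.drb_id)
        if not (info.switchback or rec is not None):
            return False        # not a transfer bearer (claims 31, 32)
        if info.reset or (rec is not None and rec.reset_flag):
            return True         # COUNT was reset at the second node (33, 34)
        if rec is None:
            return True         # nothing to compare against: stay conservative
        return info.current_count <= rec.count_at_transfer   # claim 35

    def handle_second_info(self, info: SecondInfo):
        """Return (action, drb_id) for the bearer that is switching back."""
        update = self.needs_update(info)
        self.records.pop(info.drb_id, None)   # example's choice: single-use record
        if not update:
            return "keep", info.drb_id
        # Assumed DRB ID range 1..32
        free = [i for i in range(1, 33) if i not in self.used_drb_ids]
        if free:                              # claim 36: re-allocate the DRB ID
            self.used_drb_ids.add(free[0])
            return "new_drb_id", free[0]
        # Claim 36 alternative: update the key (stand-in derivation, assumption)
        self.key = hashlib.sha256(self.key + b"refresh").digest()[:16]
        self.used_drb_ids = {info.drb_id}
        return "key_update", info.drb_id


def demo():
    """Constructed scenario: DRB 3 leaves at COUNT 500, returns at COUNT 100."""
    node = FirstAccessNode(key=b"\x11" * 16)
    earlier = keystream(node.key, 100, 3, 0)   # already used before the transfer
    node.transfer_out(drb_id=3, count=500)
    info = SecondInfo(drb_id=3, current_count=100, switchback=True, reset=True)
    reused = keystream(node.key, info.current_count, info.drb_id, 0) == earlier
    action, drb = node.handle_second_info(info)
    fresh = keystream(node.key, info.current_count, drb, 0) != earlier
    return action, drb, reused, fresh
```

`demo()` reports that keeping DRB 3 would have reproduced an earlier keystream block, and that the re-allocated DRB ID yields a different one under the same key.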
PCT/CN2014/084023 2014-08-08 2014-08-08 Encryption keystream element updating device, method and double connection system WO2016019586A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201480031309.5A CN105900471B (en) 2014-08-08 2014-08-08 Key stream element updating device, method and doubly-linked welding system
PCT/CN2014/084023 WO2016019586A1 (en) 2014-08-08 2014-08-08 Encryption keystream element updating device, method and double connection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/084023 WO2016019586A1 (en) 2014-08-08 2014-08-08 Encryption keystream element updating device, method and double connection system

Publications (1)

Publication Number Publication Date
WO2016019586A1 true WO2016019586A1 (en) 2016-02-11

Family

ID=55263062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/084023 WO2016019586A1 (en) 2014-08-08 2014-08-08 Encryption keystream element updating device, method and double connection system

Country Status (2)

Country Link
CN (1) CN105900471B (en)
WO (1) WO2016019586A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018126905A1 (en) * 2017-01-06 2018-07-12 中兴通讯股份有限公司 Data transmission method during process of movement, and terminal and base station

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140192740A1 (en) * 2013-01-10 2014-07-10 Texas Instruments Incorporated Methods and apparatus for dual connectivity operation in a wireless communication network
CN103959829A (en) * 2013-11-01 2014-07-30 华为技术有限公司 Key processing method and device in double-connection mode

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7873710B2 (en) * 2007-02-06 2011-01-18 5O9, Inc. Contextual data communication platform
MX351237B (en) * 2013-01-30 2017-10-06 Ericsson Telefon Ab L M Security key generation for dual connectivity.
CN103747442B (en) * 2013-12-27 2017-06-30 华为技术有限公司 A kind of security key context distribution, mobile management entity and base station

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP TSG-SA: "3GPP System Architecture Evolution (SAE); Security Architecture (Release 12", 3GPP TS 33.401 V12.11.0, 30 June 2014 (2014-06-30), pages 119-120 - 122-124 *
ALCATEL -LUCENT ET AL., SECURITY FUNCTIONALITY FOR DUAL CONNECTIVITY, 16 May 2014 (2014-05-16), pages 2,5 - 7 *

Also Published As

Publication number Publication date
CN105900471B (en) 2019-06-21
CN105900471A (en) 2016-08-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14899348

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14899348

Country of ref document: EP

Kind code of ref document: A1