WO2016019586A1 - Encryption key stream element updating apparatus, method and dual connectivity system - Google Patents


Info

Publication number
WO2016019586A1
Authority
WO
WIPO (PCT)
Prior art keywords
access node
bearer
generation element
key stream
update
Application number
PCT/CN2014/084023
Other languages
English (en)
Chinese (zh)
Inventor
张冬梅
张丽佳
陈璟
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2014/084023 (WO2016019586A1)
Priority to CN201480031309.5A (CN105900471B)
Publication of WO2016019586A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation

Definitions

  • The present invention relates to the field of mobile communications, and in particular to a key stream element updating apparatus, method, and dual connectivity system.
  • Background technique
  • The dual connectivity system includes a primary base station (Macro eNB, MeNB) and a secondary base station (Secondary eNB, SeNB).
  • MeNB: primary base station
  • SeNB: secondary base station
  • The user equipment (UE) can establish a bearer to access the network through either the primary base station or the secondary base station.
  • A bearer may also be transferred between base stations, for example switched from the MeNB to the SeNB or from the SeNB to the MeNB, in order to relieve capacity pressure on a base station.
  • User plane data transmitted between the UE and the MeNB and between the UE and the SeNB is encrypted to ensure data transmission security.
  • The key stream elements that affect key stream generation are: the encryption key (Kupenc), the Packet Data Convergence Protocol count (PDCP COUNT), the Data Radio Bearer identity (DRB ID), the data direction (Direction) and the key stream length (Length).
  • Direction is either uplink or downlink. Length is a specific value that depends on the encryption algorithm. Therefore, for a given encryption algorithm and transmission direction, if Kupenc, the PDCP COUNT value and the DRB ID are the same, the generated key stream will be the same. For example, if the encryption algorithm EEA1 is selected for all bearers, then in the uplink direction of the SeNB, if a first bearer with DRB ID 1 is released and a second bearer with DRB ID 1 is established, the PDCP COUNT of the second bearer restarts counting from the beginning.
  • If the SeNB root key S-KeNB is not updated, Kupenc does not change, so the two different bearers have the same Kupenc, PDCP COUNT values and DRB ID, which produces the same key stream for two different bearers.
  • The method adopted in the prior art is: if a previously established bearer has been released, different DRB IDs are assigned to successive bearers, with the MeNB and the SeNB sharing one DRB ID resource pool; when the DRB IDs are used up, a key update is triggered. In this way, different bearers are prevented from having the same DRB ID, which avoids the key stream duplication problem.
  • However, the following situation may still occur: when the PDCP COUNT of a third bearer is 1000, the bearer is handed over from the MeNB to the SeNB, and the bearer ID does not change before and after the handover; while the third bearer is on the SeNB, the SeNB performs a key update.
  • The PDCP COUNT of the third bearer then restarts counting; when the PDCP COUNT of the third bearer reaches 100, the bearer is handed over from the SeNB back to the MeNB, and the PDCP COUNT continues counting from 101.
  • As a result, the key stream of the data packets with PDCP COUNT 101 to 1000 after the third bearer is switched back from the SeNB to the MeNB repeats the key stream of the data packets with PDCP COUNT 101 to 1000 sent before the handover from the MeNB to the SeNB.
  • An embodiment of the present invention provides a key stream element updating apparatus, method, and dual connectivity system, to solve the problem in the prior art that key stream repetition occurs when a bearer is handed over between base stations.
  • An embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system in which a first access node and a second access node simultaneously provide a wireless connection to a user equipment (UE). The apparatus includes:
  • a receiving unit configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element;
  • a processing unit configured to perform the key stream generation element update according to the trigger message.
  • The processing unit configured to perform the key stream generation element update according to the trigger message is configured to: when first information indicating a key update of the second access node is acquired, perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node when acquiring the first information indicating the second access node key update is configured to: when the first information indicating the second access node key update is acquired and a transfer bearer exists on the second access node, perform the key stream generation element update on the first access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The processing unit configured to perform the key stream generation element update on the first access node when acquiring the first information indicating the second access node key update is configured to: when the first information indicating the second access node key update is acquired and the first information carries a presence indication, perform the key stream generation element update on the first access node, where the presence indication indicates that a transfer bearer exists on the second access node.
  • The processing unit configured to perform the key stream generation element update on the first access node when acquiring the first information indicating the second access node key update is configured to: acquire a bearer transfer record, where the bearer transfer record records transfer bearers and a transfer bearer is a bearer transferred from the first access node to the second access node; and determine, according to the bearer transfer record and all current bearers on the second access node, that a transfer bearer exists on the second access node, and perform the key stream generation element update on the first access node.
  • In combination with the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the processing unit configured to acquire the bearer transfer record and, when it is determined according to the bearer transfer record and all current bearers on the second access node that a transfer bearer exists on the second access node, perform the key stream generation element update on the first access node, is further configured to delete the bearer transfer record after performing the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to update a key of the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to reallocate a DRB ID for the transfer bearer.
  • The processing unit configured to perform the key stream generation element update according to the trigger message is configured to: when second information indicating that a target bearer is transferred from the second access node to the first access node is acquired, perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node when acquiring the second information indicating that the target bearer is transferred from the second access node to the first access node is configured to: when the second information is acquired, if it is determined according to a switchback indication in the second information that the target bearer is a transfer bearer, perform the key stream generation element update on the first access node, where the switchback indication indicates that the target bearer is a transfer bearer.
  • The processing unit configured to perform the key stream generation element update on the first access node when acquiring the second information indicating that the target bearer is transferred from the second access node to the first access node is configured to: acquire a bearer transfer record; and if the target bearer is determined to be a transfer bearer according to the bearer transfer record, perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to: determine, according to a reset indication in the second information, that a PDCP COUNT reset of the target bearer occurred while the target bearer was on the second access node, and perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to: determine, according to a reset identifier in the bearer transfer record, that a PDCP COUNT reset of the target bearer occurred while the target bearer was on the second access node, and perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to: acquire the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node; and if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of the transfer from the first access node to the second access node, perform the key stream generation element update on the first access node.
  • The processing unit configured to perform the key stream generation element update on the first access node is configured to update a key of the first access node or to reallocate a DRB ID for the target bearer.
  • An embodiment of the present invention provides a key stream generation element updating apparatus for a dual connectivity system in which the first access node and the second access node simultaneously provide a wireless connection to the UE. The apparatus includes:
  • a processing unit configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element;
  • a sending unit configured to send the trigger message to the first access node.
  • The processing unit configured to generate the trigger message when the preset condition is met is configured to generate first information when the second access node performs a key update;
  • sending the trigger message to the first access node includes sending the first information to the first access node.
  • The processing unit configured to generate the first information when the second access node performs a key update is configured to: when the second access node performs a key update, generate the first information if a transfer bearer exists on the second access node.
  • The processing unit configured to generate the trigger message when the preset condition is met is configured to generate second information when a target bearer is handed over from the second access node to the first access node; the sending unit configured to send the trigger message to the first access node is configured to send the second information to the first access node.
  • The processing unit configured to generate the second information when the target bearer is handed over from the second access node to the first access node is configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer, generate second information carrying a switchback indication.
  • The processing unit configured to generate the second information when the target bearer is handed over from the second access node to the first access node is configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer and a PDCP COUNT reset of the target bearer occurred while it was on the second access node, generate second information carrying a switchback indication and a reset indication.
  • An embodiment of the present invention provides a method for updating a key stream generation element of a dual connectivity system in which the first access node and the second access node simultaneously provide a wireless connection to the UE. The method includes: the first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element; and the first access node performs the key stream generation element update according to the trigger message.
  • The first access node performing the key stream generation element update on the first access node according to the trigger message includes: when first information indicating a key update of the second access node is acquired, performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: if a transfer bearer exists on the second access node, performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: if the first information carries a presence indication, performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: acquiring a bearer transfer record; and determining, according to the bearer transfer record and all current bearers on the second access node, that a transfer bearer exists on the second access node, and performing the key stream generation element update on the first access node.
  • the method further includes: deleting the bearer transfer record.
  • the performing a key stream generation element update on the first access node includes: updating a key of the first access node.
  • the performing a key stream generation element update on the first access node includes: reassigning a DRB ID to the transfer bearer.
  • The first access node performing the key stream generation element update on the first access node according to the trigger message includes: when second information indicating that a target bearer is transferred from the second access node to the first access node is acquired, performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: determining, according to a switchback indication in the second information, that the target bearer is a transfer bearer, and performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: acquiring a bearer transfer record, where the bearer transfer record records transfer bearers; and determining, according to the bearer transfer record, that the target bearer is a transfer bearer, and performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: determining, according to a reset indication in the second information, that a PDCP COUNT reset of the target bearer occurred while the target bearer was on the second access node, and performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: determining, according to a reset identifier in the bearer transfer record, that a PDCP COUNT reset of the target bearer occurred while the target bearer was on the second access node, and performing the key stream generation element update on the first access node.
  • The performing the key stream generation element update on the first access node includes: acquiring the current PDCP COUNT value of the target bearer and the PDCP COUNT value of the target bearer at the time it was transferred from the first access node to the second access node; and if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of the transfer from the first access node to the second access node, performing the key stream generation element update on the first access node.
  • The first access node performing the key stream generation element update includes: updating a key of the first access node or reallocating a DRB ID for the target bearer.
  • An embodiment of the present invention provides a method for updating a key stream generation element of a dual connectivity system in which the first access node and the second access node simultaneously provide a wireless connection to the UE. The method includes: the second access node generates a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element; and the second access node sends the trigger message to the first access node.
  • The generating the trigger message includes: when the second access node performs a key update, generating first information; the sending the trigger message to the first access node includes: sending the first information to the first access node.
  • The generating the first information includes: generating the first information if a transfer bearer exists on the second access node.
  • The generating the trigger message includes: when a target bearer is handed over from the second access node to the first access node, generating second information; the sending the trigger message to the first access node includes: sending the second information to the first access node.
  • The generating the second information includes: if the target bearer is a transfer bearer, generating second information carrying a switchback indication.
  • The generating the second information includes: if the target bearer is a transfer bearer and a PDCP COUNT reset of the target bearer occurred while it was on the second access node, generating second information carrying a switchback indication and a reset indication.
  • An embodiment of the present invention provides a dual connectivity system in which the first access node and the second access node simultaneously provide a wireless connection for a UE, the system including:
  • the second access node, configured to generate a trigger message when a preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element, and to send the trigger message to the first access node;
  • the first access node, configured to acquire the trigger message from the second access node and to perform the key stream generation element update according to the trigger message.
  • In this way, the first access node can perform the key stream generation element update on the first access node when a bearer state change that may cause key stream duplication occurs on the second access node, thereby avoiding key stream repetition.
  • FIG. 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention
  • FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention
  • FIG. 4 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention
  • FIG. 5 illustrates a key stream generation method of the present invention;
  • FIG. 6 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention;
  • FIG. 7 is a schematic diagram of an embodiment of a dual connectivity system according to the present invention;
  • FIG. 8 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention;
  • FIG. 9 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention.
  • FIG. 1 is a schematic diagram of an embodiment of a key stream generation element updating apparatus according to the present invention.
  • the apparatus includes a receiving unit 101 and a processing unit 102.
  • the device is disposed on a first access node.
  • the receiving unit 101 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • The receiving unit 101 first obtains a trigger message from the second access node, where the first access node may be the SeNB or the MeNB, and correspondingly the second access node is the MeNB or the SeNB.
  • the trigger information is used to indicate that a state change occurs on a bearer on the second access node.
  • Since a PDCP COUNT reset caused by a key update may cause the key stream to be duplicated, the trigger message may be first information used to indicate a key update of the second access node.
  • The first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The trigger message may also be second information used to indicate that a target bearer is transferred from the second access node to the first access node, where the second information may carry a switchback indication used to indicate that the target bearer is a transfer bearer, and the second information may further carry a reset indication used to indicate that the target bearer underwent a PDCP COUNT reset while it was on the second access node.
  • The trigger message may also be used to indicate other information about the second access node that may cause the key stream to be repeated; details are not described herein.
  • the processing unit 102 is configured to perform a key stream generation element update according to the trigger message.
  • the processing unit 102 may initiate a key stream generation element update procedure, perform key stream generation element update on the first access node, such as updating an encryption key or reconfiguring a DRB ID, thereby preventing key stream repetition.
  • The processing unit 102 may further determine whether the bearer state change on the second access node may cause key stream repetition. If not, the key stream generation element update is not performed on the first access node; if so, the key stream generation element update is performed on the first access node. This reduces the number of times the first access node performs the key stream generation element update and saves system resources.
  • The processing unit 102 may determine, according to information such as a bearer transfer record or a presence indication, whether a transfer bearer exists on the second access node. If not, the PDCP COUNT reset caused by the key update of the second access node does not cause key stream duplication, and the first access node is not required to perform the key stream generation element update; if so, the PDCP COUNT reset caused by the key update of the second access node may cause key stream duplication.
  • In that case the processing unit 102 may perform the key stream generation element update, where a transfer bearer is a bearer transferred from the first access node to the second access node, the presence indication is used to indicate that a transfer bearer exists on the second access node, and the bearer transfer record is used to record transfer bearers.
  • The processing unit 102 may perform the key stream generation element update on the first access node when acquiring first information used to indicate a key update of the second access node.
  • The processing unit 102 may also be configured to: when the first information indicating the second access node key update is acquired and a transfer bearer exists on the second access node, perform the key stream generation element update on the first access node, where a transfer bearer is a bearer transferred from the first access node to the second access node.
  • The processing unit 102 may also, when the first information indicating the second access node key update is acquired and the first information carries a presence indication, perform the key stream generation element update on the first access node, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • The processing unit 102 may also determine, according to the obtained bearer transfer record and all current bearers on the second access node, that a transfer bearer exists on the second access node, then perform the key stream generation element update on the first access node, and delete the bearer transfer record after performing the key stream generation element update on the first access node.
  • The processing unit 102 may perform the key stream generation element update on the first access node by updating the key of the first access node, or by reallocating the DRB ID of the transfer bearer.
  • For a target bearer transferred from the second access node to the first access node, the processing unit 102 may determine, according to information such as a bearer transfer record or a switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the target bearer's DRB ID and the first access node key has not occurred before, and no key stream repetition occurs on the target bearer; in this case the first access node does not need to perform the key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur on the target bearer, and the processing unit 102 may perform the key stream generation element update.
  • The key stream generation element update may be performed directly on the first access node.
  • Alternatively, the processing unit 102 may further determine whether a PDCP COUNT reset of the target bearer occurred while it was on the second access node. If not, the PDCP COUNT values of the target bearer do not overlap and no key stream repetition occurs on the target bearer; in this case the first access node does not need to perform the key stream generation element update. If so, the PDCP COUNT of the target bearer may be duplicated and key stream repetition may occur on the target bearer; in this case the first access node may perform the key stream generation element update.
  • The processing unit 102 may be configured to, when the target bearer is a transfer bearer, determine according to the reset indication in the second information that a PDCP COUNT reset of the target bearer occurred while it was on the second access node, and perform the key stream generation element update on the first access node.
  • The processing unit 102 may be configured to, when the target bearer is a transfer bearer, determine according to the reset identifier in the bearer transfer record that a PDCP COUNT reset of the target bearer occurred while it was on the second access node, and perform the key stream generation element update on the first access node.
  • The processing unit 102 may further determine whether the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node. If so, the PDCP COUNT will not be duplicated and no key stream repetition occurs on the target bearer. If not, the PDCP COUNT of the target bearer may be duplicated, that is, key stream repetition may occur, and the first access node may perform the key stream generation element update.
  • The receiving unit is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element, and the processing unit performs the key stream generation element update according to the trigger message.
  • The first access node can therefore perform the key stream generation element update on the first access node when a bearer state change that may cause key stream duplication occurs on the second access node, thereby avoiding key stream repetition.
  • FIG. 2 is a schematic diagram of another embodiment of a key stream generation element updating apparatus according to the present invention.
  • the apparatus includes a processing unit 201 and a transmitting unit 202.
  • the device is disposed on a second access node.
  • the processing unit 201 is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element.
  • the preset condition may be that the second access node generates a key update, or may be the first access node that carries the transfer on the second access node, or may be caused by another second access node.
  • the bearer status of the key stream is changed.
  • the processing unit 201 may generate first information when the second access node performs key update, or perform key update on the second access node, and the second access node The first information is generated when there is a transfer bearer.
  • the processing unit 201 may generate second information when the target bearer switches from the second access node to the first access node.
  • the second information may also carry a switchback indication if the target bearer is a transfer bearer; and if the target bearer is a transfer bearer and has undergone a PDCP COUNT reset while on the second access node, the second information may further carry both a switchback indication and a reset indication.
  • the sending unit 202 is configured to send a trigger message to the first access node.
  • the trigger message may be the first information, the second information, or another trigger message generated by the processing unit.
  • the first access node may perform the key stream generation element update immediately after receiving the trigger message, or may further determine, according to the trigger message and/or its content, whether key stream repetition may occur, and perform the key stream generation element update only when it may.
  • the processing unit is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element; and the sending unit is configured to send the trigger message to the first access node.
  • the second access node may thus send the trigger message to the first access node when a bearer state change that may cause key stream repetition occurs, instructing the first access node to perform key stream generation element update and thereby avoiding duplicate key streams.
  • the embodiment of the present invention further provides a method for updating a key stream generation element of a dual connectivity system, where the first access node and the second access node simultaneously provide a wireless connection for the UE.
  • FIG. 3 is a flowchart of an embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 301 The first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • the first access node first obtains a trigger message from the second access node, where the first access node may be the SeNB or the MeNB, and the second access node is correspondingly the MeNB or the SeNB.
  • the trigger information is used to indicate that a status change occurs on a bearer on the second access node.
  • a PDCP COUNT reset caused by a key update may cause the key stream to be duplicated, so the trigger message may be first information used to indicate a key update of the second access node.
  • the first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • the trigger message may also be second information used to indicate that the target bearer is transferred from the second access node to the first access node, where the second information may carry a switchback indication used to indicate that the target bearer is a transfer bearer, and may further carry a reset indication used to indicate that the target bearer has undergone a PDCP COUNT reset while on the second access node.
  • the trigger message may also be used to indicate that the second access node has other information that may cause the key stream to be repeated, and details are not described herein.
  • Step 302 The first access node performs key stream generation element update according to the trigger message.
  • in the key stream generation element update process, the first access node updates a key stream generation element on the first access node, such as updating an encryption key or reconfiguring a DRB ID, thereby preventing the key stream from being duplicated.
  • the first access node may further determine whether the change of the bearer status on the second access node may cause the key stream to be duplicated. If not, the first access node does not perform key stream generation element update; if it may, the first access node performs key stream generation element update. This reduces the number of times the first access node performs key stream generation element update and saves resources.
  • the first access node may determine, according to information such as a bearer transfer record and a presence indication, whether a transfer bearer exists on the second access node. If not, the PDCP COUNT reset caused by the key update of the second access node does not cause the key stream to be duplicated, and the first access node does not need to perform key stream generation element update; if yes, the PDCP COUNT reset caused by the key update of the second access node may cause the key stream to be duplicated, and the first access node may perform key stream generation element update. Here, a transfer bearer refers to a bearer transferred from the first access node to the second access node; the presence indication is used to indicate that there is a transfer bearer on the second access node; and the bearer transfer record is used to record the transfer bearer.
  • the first access node may determine, according to information such as the bearer transfer record and the switchback indication, whether the target bearer is a transfer bearer. If the target bearer is not a transfer bearer, the combination of the DRB ID of the target bearer and the key of the first access node has not been used before, so key stream repetition does not occur on the target bearer and the first access node does not need to perform key stream generation element update. If the target bearer is a transfer bearer, key stream repetition may occur, and the first access node may perform key stream generation element update.
  • the first access node may further determine whether the target bearer has undergone a PDCP COUNT reset while on the second access node. If not, the PDCP COUNT of the target bearer does not overlap and no key stream repetition occurs on the target bearer, so the first access node does not need to perform key stream generation element update; if yes, the PDCP COUNT of the target bearer may be duplicated and the key stream may repeat on the target bearer, so the first access node may perform key stream generation element update.
  • the first access node may further determine whether the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node. If yes, the PDCP COUNT does not repeat and the key stream is not duplicated on the target bearer. If not, the PDCP COUNT of the target bearer may be duplicated, the key stream may repeat, and the first access node may perform key stream generation element update.
  • the first access node acquires a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element, and the first access node performs key stream generation element update according to the trigger message.
  • the first access node may thus perform key stream generation element update on the first access node when a bearer state change that may cause key stream repetition occurs on the second access node, thereby avoiding key stream repetition.
  • FIG. 4 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 401 Acquire a key stream generation element update trigger message from the second access node.
  • Step 402 When obtaining the first information used to indicate the second access node key update, detecting whether there is a transfer bearer on the second access node.
  • the first access node may determine whether a transfer bearer exists on the second access node according to the bearer transfer record and all current bearers on the second access node, or according to the presence indication carried by the first information.
  • the bearer transfer record may be a list or other data structure describing the transfer bearers, where a transfer bearer refers to a bearer transferred from the first access node to the second access node.
  • the bearer transfer record records the DRB ID of each transfer bearer. When a bearer is transferred from the first access node to the second access node, a bearer transfer record containing the DRB ID of that bearer is generated, or the DRB ID of that bearer is added to the existing bearer transfer record; when the first access node performs key stream generation element update, the bearer transfer record is deleted or emptied.
  • the presence indication is used to indicate that there is a transfer bearer on the second access node.
  • the presence indication may be added to the generated first information, or the preset field in the first information may be set to a preset value.
  • the first access node determines whether there is a transfer bearer on the second access node according to whether the first information includes a presence indication, or whether the preset field is set to the preset value.
  • Step 403 If there is a transfer bearer on the second access node, perform keystream generation element update on the first access node.
  • when performing the key stream generation element update on the first access node, the first access node may update only its key, or may only reassign the DRB ID of the transfer bearer, to reduce system overhead.
  • a key stream generation element update trigger message is obtained from the second access node; when the first information used to indicate a key update of the second access node is acquired, whether there is a transfer bearer on the second access node is detected; and if there is a transfer bearer on the second access node, key stream generation element update is performed on the first access node.
  • the key stream generation element update may thus be performed on the first access node when the second access node performs a key update, thereby avoiding key stream repetition caused by the key update.
  • Step 501 Acquire a key stream generation element update trigger message from the second access node.
  • Step 502 When acquiring the second information used to indicate that the target bearer is transferred from the second access node to the first access node, detecting whether the target bearer is a transfer bearer.
  • the first access node may determine whether the target bearer is a transfer bearer according to the bearer transfer record or according to the switchback indication carried by the second information. If the target bearer is a transfer bearer, the target bearer may have a key stream repetition. If the target bearer is not a transfer bearer, the target bearer does not have a key stream repetition.
  • the bearer transfer record may also be used to record whether each transfer bearer has undergone a PDCP COUNT reset, and may also be used to record the PDCP COUNT at the time the transfer bearer was transferred from the first access node to the second access node.
  • the bearer transfer record may record the DRB ID of the transfer bearer and the reset flag bit.
  • the value of the reset flag is set to a preset value, and when the first access node performs key stream generation element update, the bearer transfer record is deleted or emptied.
  • the first access node determines, according to the bearer transfer record and the DRB ID of the target bearer, whether the target bearer is a transfer bearer.
  • the switchback indication is used to indicate that the target bearer is a transfer bearer.
  • the switchback indication may be added to the generated second information, or a preset field in the second information may be set to a preset value.
  • the first access node determines whether the target bearer is a transfer bearer according to whether the second information includes a switchback indication, or whether the preset field is a preset value.
  • Step 503 If the target bearer is a transfer bearer, the key stream generation element update may be directly performed on the first access node, or step 303 may be performed for further judgment.
  • Step 503 If the target bearer is a transfer bearer, detecting whether the PDCP COUNT of the target bearer has been reset.
  • the first access node may determine whether the PDCP COUNT of the target bearer has been reset by detecting whether the reset flag of the target bearer in the bearer transfer record is set to the predetermined value, or by detecting whether the second information includes a reset indication.
  • Step 504 If the target bearer has undergone a PDCP COUNT reset, the first access node performs key stream generation element update.
  • the PDCP COUNT of the target bearer may be duplicated, which may cause the key stream to be duplicated. Therefore, if the PDCP COUNT reset occurs in the target bearer, the key stream generation element update can be performed on the first access node.
  • even if a reset has occurred, the PDCP COUNT of the target bearer does not necessarily lead to key stream repetition: for example, if the current PDCP COUNT value of the target bearer is greater than its PDCP COUNT value at the time it was transferred from the first access node to the second access node, the key stream is not duplicated on the target bearer.
  • when the target bearer is a transfer bearer, instead of detecting whether the PDCP COUNT of the target bearer has been reset, the first access node may acquire the current PDCP COUNT value of the target bearer and its PDCP COUNT value at the time it was transferred from the first access node to the second access node; if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, key stream generation element update is performed on the first access node.
  • a key stream generation element update trigger message is acquired from the second access node; when the second information used to indicate that the target bearer is transferred from the second access node to the first access node is acquired, whether the target bearer is a transfer bearer is detected; if the target bearer is a transfer bearer, whether the PDCP COUNT of the target bearer has been reset is detected; and if the target bearer has undergone a PDCP COUNT reset, key stream generation element update is performed on the first access node.
  • the key stream generation element update may thus be performed on the first access node when the target bearer is a transfer bearer and a PDCP COUNT reset has occurred, so that key stream repetition caused by the bearer transfer is avoided, while the number of key stream generation element updates and the system resources consumed are reduced.
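The first access node's decision logic of FIG. 4 (first information) and FIG. 5 (second information, including the PDCP COUNT comparison), as an added Python illustration that is not part of the patent. Class, message field and record names are assumptions, and the key stream is modelled only as the (key, DRB ID, COUNT) tuple the cipher would be driven with, so a repeated tuple stands for a repeated key stream.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class TransferRecord:
    """One entry of the bearer transfer record kept at the first access node."""
    drb_id: int
    count_at_transfer: int   # PDCP COUNT when the bearer moved to node 2
    reset_flag: bool = False  # set once node 2 is known to have reset COUNT


@dataclass
class FirstInfo:
    """'First information': the second access node performed a key update."""
    presence_indication: Optional[bool] = None  # None: indication not carried


@dataclass
class SecondInfo:
    """'Second information': the target bearer is handed back to node 1."""
    drb_id: int
    current_count: int
    switchback_indication: Optional[bool] = None
    reset_indication: Optional[bool] = None


class FirstAccessNode:
    def __init__(self) -> None:
        self.key_version = 0  # stands in for the node's encryption key
        self.records: Dict[int, TransferRecord] = {}
        # (key version, DRB ID, COUNT) tuples already fed to the stream cipher
        # under this node's key; a repeat means a repeated key stream
        self.used: Set[Tuple[int, int, int]] = set()

    def send_pdu(self, drb_id: int, count: int) -> bool:
        """Record a cipher input; return False if it was used before."""
        tup = (self.key_version, drb_id, count)
        if tup in self.used:
            return False
        self.used.add(tup)
        return True

    def transfer_bearer_out(self, drb_id: int, count: int) -> None:
        """Bearer moves to node 2: add it to the bearer transfer record."""
        self.records[drb_id] = TransferRecord(drb_id, count)

    def update_keystream_generation_element(self) -> None:
        """Refresh the key (a new DRB ID would do as well); then clear the record."""
        self.key_version += 1
        self.records.clear()

    def handle_first_info(self, info: FirstInfo) -> bool:
        """Steps 401-403: update only if a transfer bearer exists on node 2."""
        if info.presence_indication is not None:
            exists = info.presence_indication
        else:  # no indication carried: consult the local record instead
            exists = bool(self.records)
        if not exists:
            return False
        self.update_keystream_generation_element()
        return True

    def handle_second_info(self, info: SecondInfo) -> bool:
        """Steps 501-504, plus the PDCP COUNT comparison refinement."""
        rec = self.records.get(info.drb_id)
        if info.switchback_indication is not None:
            is_transfer = info.switchback_indication
        else:
            is_transfer = rec is not None
        if not is_transfer:
            return False  # DRB ID never used with node 1's key: no repetition
        if info.reset_indication is not None:
            was_reset = info.reset_indication
        elif rec is not None:
            was_reset = rec.reset_flag
        else:
            was_reset = True  # nothing known: assume a reset happened
        if not was_reset:
            return False  # COUNT kept growing on node 2
        if rec is not None and info.current_count > rec.count_at_transfer:
            return False  # reset happened, but COUNT already passed the old values
        self.update_keystream_generation_element()
        return True


def scenario(apply_update: bool) -> bool:
    """Bearer 5 sends COUNT 0..99 on node 1, moves to node 2, which resets COUNT
    and hands it back at COUNT 10.  True if no cipher input tuple repeats."""
    node = FirstAccessNode()
    for c in range(100):
        node.send_pdu(5, c)
    node.transfer_bearer_out(5, 100)
    back = SecondInfo(drb_id=5, current_count=10, reset_indication=True)
    if apply_update:
        node.handle_second_info(back)
    # node 1 continues the bearer from the COUNT value node 2 handed over
    return all(node.send_pdu(5, c) for c in range(10, 20))
```

`scenario(False)` reproduces the repetition the patent is concerned with (COUNT 10 is reused under the unchanged key), while `scenario(True)` shows the update removing it.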
  • the invention is further described below from the second access node side.
  • FIG. 6 is a flowchart of another embodiment of a method for updating a key stream generation element according to the present invention.
  • Step 601 The second access node generates a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of a key stream generation element.
  • the preset condition may be that the second access node performs a key update, or that a bearer on the second access node is transferred to the first access node, or another bearer state change on the second access node that may cause duplicate key streams.
  • the trigger message may be the first information.
  • the first information may be generated when the second access node performs a key update, or may be generated when the second access node performs a key update and a transfer bearer exists on the second access node.
  • the first information may carry a presence indication, where the presence indication is used to indicate that a transfer bearer exists on the second access node.
  • the trigger message may be the second information.
  • the second information may be generated when the target bearer is transferred from the second access node to the first access node.
  • the second information may also carry a switchback indication if the target bearer is a transfer bearer.
  • the second information may also carry a reset indication if the target bearer has undergone a PDCP COUNT reset.
  • Step 602 Send a trigger message to the first access node.
  • the first access node may perform the key stream generation element update immediately after receiving the trigger message, or may further determine, according to the trigger message and/or its content, whether key stream repetition may occur, and perform the key stream generation element update only when it may.
  • for the specific process, refer to the foregoing embodiments; it is not described again here.
  • the second access node generates a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element, and sends the trigger message to the first access node.
  • the second access node may thus send a trigger message to the first access node when a bearer state change that may cause key stream repetition occurs, instructing the first access node to perform key stream generation element update and avoiding key stream repetition.
  • the embodiment of the present invention further provides a dual connectivity system, where the dual connectivity system includes a first access node 701 and a second access node 702, and the first access node 701 and the second access node 702 simultaneously provide a wireless connection to the UE.
  • the second access node 702 is configured to generate a trigger message when the preset condition is met, where the trigger message is used to instruct the first access node 701 to trigger an update of the key stream generation element, and to send the trigger message to the first access node 701.
  • the second access node 702 is further configured to: when the key is updated, generate first information; and send the first information to the first access node 701.
  • the second access node 702 is further configured to generate the first information if the transfer bearer exists on the second access node 702 when the key update is performed.
  • the second access node 702 is further configured to: when the target bearer switches from the second access node 702 to the first access node 701, generate second information, and send the second information to the first access node 701.
  • the second access node 702 is further configured to: when the target bearer is switched from the second access node 702 to the first access node 701, if the target bearer is a transfer bearer, generate second information carrying a switchback indication.
  • the second access node 702 is further configured to: when the target bearer is switched from the second access node 702 to the first access node 701, if the target bearer is a transfer bearer and has undergone a PDCP COUNT reset while on the second access node 702, generate second information carrying the switchback indication and the reset indication.
  • the first access node 701 is configured to acquire a trigger message from the second access node 702, and perform key stream generation element update according to the trigger message.
  • the first access node 701 is further configured to acquire a trigger message from the second access node 702, where the trigger message is used to trigger an update of a key stream generation element, and to perform key stream generation element update according to the trigger message.
  • the first access node 701 is further configured to perform key stream generation element update on the first access node 701 when acquiring the first information used to indicate a key update of the second access node 702.
  • the first access node 701 is further configured to perform a key stream generation element update on the first access node 701 if there is a transfer bearer on the second access node 702, where a transfer bearer refers to a bearer that is transferred from the first access node 701 to the second access node 702.
  • the first access node 701 is further configured to perform a key stream generation element update on the first access node 701 if the first information carries a presence indication, where the presence indication is used to indicate that there is a transfer bearer on the second access node 702.
  • the first access node 701 is further configured to acquire a bearer transfer record, and if it is determined according to the bearer transfer record and all current bearers on the second access node 702 that a transfer bearer exists on the second access node 702, to perform key stream generation element update.
  • the first access node 701 is further configured to delete the bearer transfer record after performing key stream generation element update on the first access node 701.
  • when performing key stream generation element update on the first access node 701, the first access node 701 may update only the key of the first access node 701, or may re-allocate the DRB ID only for the transfer bearer.
  • the second access node may thus send a trigger message to the first access node when a bearer state change that may cause key stream repetition occurs, and after receiving the trigger message the first access node updates the key stream generation element, avoiding key stream repetition.
  • FIG. 8 is a schematic structural diagram of a key stream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention. As shown in FIG. 8, the device includes a processor 801, a memory 802, and a communication interface 803, and the modules are connected to each other.
  • the memory 802 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 802 may include a random access memory (RAM) memory, and may also include a non-volatile memory such as at least one disk memory.
  • the communication interface 803 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • the processor 801 is configured to execute the program stored in the memory 802, and perform key stream generation element update according to the trigger message.
  • the processor 801 is further configured to perform a key stream generation element update on the first access node when acquiring the first information used to indicate the second access node key update.
  • the processor 801 is further configured to perform a key stream generation element update on the first access node if a transfer bearer exists on the second access node, where a transfer bearer refers to a bearer transferred from the first access node to the second access node.
  • the processor 801 is further configured to: if the first information carries a presence indication, perform a key stream generation element update on the first access node, where the presence indication is used to indicate that there is a transfer bearer on the second access node.
  • the processor 801 is further configured to acquire a bearer transfer record, and if it is determined according to the bearer transfer record and all current bearers on the second access node that a transfer bearer exists on the second access node, perform key stream generation element update on the first access node.
  • the processor 801 is further configured to delete the bearer transfer record after performing key stream generation element update on the first access node.
  • the processor 801 is further configured to update a key of the first access node.
  • the processor 801 is further configured to re-allocate the DRB ID for the transfer bearer.
  • the processor 801 is further configured to perform key stream generation element update on the first access node when acquiring the second information used to indicate that the target bearer is transferred from the second access node to the first access node.
  • the processor 801 is further configured to: if the target bearer is determined to be a transfer bearer according to the switchback indication in the second information, perform keystream generation element update on the first access node, where The switchback indication is used to indicate that the target bearer is a transfer bearer.
  • the processor 801 is further configured to acquire a bearer transfer record, where the bearer transfer record is used to record the transfer bearer, and if the target bearer is determined to be a transfer bearer according to the bearer transfer record, perform key stream generation element update on the first access node.
  • the processor 801 is further configured to: if it is determined according to the reset indication in the second information that the target bearer has undergone a PDCP COUNT reset while on the second access node, perform key stream generation element update on the first access node.
  • the processor 801 is further configured to: if it is determined according to the reset identifier in the bearer transfer record that the target bearer has undergone a PDCP COUNT reset while on the second access node, perform key stream generation element update on the first access node.
  • the processor 801 is further configured to acquire the current PDCP COUNT value of the target bearer and the PDCP COUNT value at the time the target bearer was transferred from the first access node to the second access node, and if the current PDCP COUNT value of the target bearer is less than or equal to the PDCP COUNT value at the time of transfer from the first access node to the second access node, perform key stream generation element update on the first access node.
  • the processor 801 is further configured to update a key of the first access node or re-allocate a DRB ID for the target bearer.
  • FIG. 9 is a schematic structural diagram of a key stream generation element updating apparatus of a dual connectivity system according to an embodiment of the present invention.
  • the device includes: a processor 901, a memory 902, and a communication interface 903, and the modules are connected to each other.
  • the memory 902 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 902 may include a random access memory (RAM) memory, and may also include a non-volatile memory such as at least one disk memory.
  • the processor 901 is configured to execute the program stored in the memory 902, and when the preset condition is met, generate a trigger message, where the trigger message is used to instruct the first access node to trigger an update of the key stream generation element.
  • the processor 901 is further configured to generate first information when the second access node performs a key update.
  • the processor 901 is further configured to: when the second access node performs a key update, if the transfer bearer exists on the second access node, generating the first information.
  • the processor 901 is further configured to generate second information when the target bearer switches from the second access node to the first access node.
  • the processor 901 is further configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer, generate second information carrying a switchback indication.
  • the processor 901 is further configured to: when the target bearer is handed over from the second access node to the first access node, if the target bearer is a transfer bearer and has undergone a PDCP COUNT reset while on the second access node, generate second information carrying the switchback indication and the reset indication.
  • the communication interface 903 is configured to acquire a trigger message from the second access node, where the trigger message is used to trigger an update of a key stream generation element.
  • the trigger message may be the first information or the second information.
  • the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in each embodiment of the method provided by the present invention.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
  • the techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general hardware platform. Based on such understanding, the technical solution in the embodiments of the present invention may in essence be embodied in the form of a software product, which may be stored in a storage medium such as a ROM/RAM, a magnetic disk, or an optical disk, and which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in the various embodiments of the present invention, or portions of them.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a key stream generation element updating apparatus, method and dual connectivity system. A first access node and a second access node in the dual connectivity system provide a wireless connection to a user equipment (UE), and the updating apparatus is characterized in that it comprises: a receiving unit for acquiring a trigger message from the second access node, the trigger message being used to trigger an update of a key stream generation element; and a processing unit for updating the key stream generation element according to the trigger message. The embodiment of the present invention makes it possible to update the key stream generation element when a change that may cause key stream repetition occurs in a bearer state, thereby preventing key stream repetition due to bearer switching.
PCT/CN2014/084023 2014-08-08 2014-08-08 Dispositif de mise à jour d'élément de flux de clés de cryptage, procédé et système de connexion double WO2016019586A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/084023 WO2016019586A1 (fr) 2014-08-08 2014-08-08 Dispositif de mise à jour d'élément de flux de clés de cryptage, procédé et système de connexion double
CN201480031309.5A CN105900471B (zh) 2014-08-08 2014-08-08 密钥流元素更新装置、方法及双连接系统

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/084023 WO2016019586A1 (fr) 2014-08-08 2014-08-08 Dispositif de mise à jour d'élément de flux de clés de cryptage, procédé et système de connexion double

Publications (1)

Publication Number Publication Date
WO2016019586A1 true WO2016019586A1 (fr) 2016-02-11

Family

ID=55263062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/084023 WO2016019586A1 (fr) 2014-08-08 2014-08-08 Key stream element update apparatus, method and dual connectivity system

Country Status (2)

Country Link
CN (1) CN105900471B (fr)
WO (1) WO2016019586A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018126905A1 (fr) * 2017-01-06 2018-07-12 中兴通讯股份有限公司 Data transmission method during a mobility process, and terminal and base station

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140192740A1 (en) * 2013-01-10 2014-07-10 Texas Instruments Incorporated Methods and apparatus for dual connectivity operation in a wireless communication network
CN103959829A (zh) * 2013-11-01 2014-07-30 华为技术有限公司 Key processing method and device in dual connectivity mode

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7873710B2 (en) * 2007-02-06 2011-01-18 5O9, Inc. Contextual data communication platform
CN104956644B (zh) * 2013-01-30 2018-01-16 瑞典爱立信有限公司 Method and anchor base station for security key generation
CN103747442B (zh) * 2013-12-27 2017-06-30 华为技术有限公司 Security key context distribution method, mobility management entity and base station

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140192740A1 (en) * 2013-01-10 2014-07-10 Texas Instruments Incorporated Methods and apparatus for dual connectivity operation in a wireless communication network
CN103959829A (zh) * 2013-11-01 2014-07-30 华为技术有限公司 Key processing method and device in dual connectivity mode

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP TSG-SA: "3GPP System Architecture Evolution (SAE); Security Architecture (Release 12)", 3GPP TS 33.401 V12.11.0, 30 June 2014 (2014-06-30), pages 119-120, 122-124 *
ALCATEL-LUCENT ET AL., SECURITY FUNCTIONALITY FOR DUAL CONNECTIVITY, 16 May 2014 (2014-05-16), pages 2, 5-7 *

Also Published As

Publication number Publication date
CN105900471A (zh) 2016-08-24
CN105900471B (zh) 2019-06-21

Similar Documents

Publication Publication Date Title
US9578556B2 (en) Long term evolution (LTE) communications over trusted hardware
US20190141585A1 (en) Method of Distributing Security Key Context, Mobility Management Entity, and Base Station
CN105557006B (zh) User equipment in a communication system and method for communicating by the same
KR101147067B1 (ko) Key derivation method, apparatus and system
CN110365470B (zh) Key generation method and related apparatus
CN104219722B (zh) Migration processing and migration method and apparatus for dual-connectivity radio bearers
EP2884803B1 (fr) Handover control method and apparatus
EP2897398B1 (fr) Key isolation method and device
CN103428787B (zh) Base station handover method and apparatus
EP3965446B1 (fr) Communication method and associated device
CN107079516B (zh) Bearer release
WO2011137805A1 (fr) Method, apparatus and system for security processing in a handover process
WO2011088787A1 (fr) Method and device for performing handover in an access point network
CN109246696B (zh) Key processing method and related apparatus
JP2009049815A (ja) Wireless communication system, wireless communication method and wireless terminal
KR20210017761A (ko) Apparatus and method for supporting conditional handover in a wireless communication system
WO2012171281A1 (fr) Security parameter modification method and base station
RU2748314C1 (ru) Radio resource configuration
WO2013064069A1 (fr) Bearer switching method, home NodeB gateway and home NodeB
KR20150103063A (ko) Method for synchronizing ciphering information between SCell and UE
CN105103577B (zh) Apparatus and method for encrypting data
TW201824936A (zh) Context release method, device and system
WO2008022498A1 (fr) Method for modifying the encryption algorithm during relocation
WO2016019586A1 (fr) Key stream element update apparatus, method and dual connectivity system
CN113557699B (zh) Communication apparatus, infrastructure equipment, core network equipment and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 14899348; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase Ref country code: DE
122 Ep: pct application non-entry in european phase Ref document number: 14899348; Country of ref document: EP; Kind code of ref document: A1