WO2016134536A1 - Key generation method, device and system - Google Patents
Key generation method, device and system
- Publication number: WO2016134536A1 (PCT/CN2015/073400)
- Authority: WO (WIPO, PCT)
- Prior art keywords: network, standard network, key, standard, access
Classifications (all within H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE)
- H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
    - H04W12/06—Authentication
      - H04W12/062—Pre-authentication
    - H04W12/08—Access security
  - H04W36/00—Hand-off or reselection arrangements
    - H04W36/0005—Control or signalling for completing the hand-off
      - H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
        - H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
          - H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
      - H04W36/0055—Transmission or use of information for re-establishing the radio link
        - H04W36/0066—Transmission or use of information for re-establishing the radio link of control information between different types of networks in order to establish a new radio link in the target network
  - H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    - H04W88/02—Terminal devices
      - H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
      - H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
        - H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
          - H04L9/0847—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
      - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
  - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    - H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
Definitions
- the present invention relates to the field of communications, and in particular, to a key generation method, device, and system.
- Mobile communication networks are constantly evolving to meet the needs of users.
- mobile communication networks have evolved from the second generation mobile communication technology (English: 2nd-Generation; 2G) and the third generation mobile communication technology (English: 3rd-Generation; 3G) to the fourth generation mobile communication technology (4G).
- 2G: second generation mobile communication technology
- 3G: 3rd-Generation mobile communication technology
- 4G: fourth generation mobile communication network
- WiFi: wireless fidelity (English: WIreless-Fidelity)
- the future network will be a heterogeneous network where multiple mobile communication networks coexist.
- the hybrid network may include a WiFi network, a Global System for Mobile Communication (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network, and a Long Term Evolution (LTE) network.
- GSM: Global System for Mobile Communication
- UMTS: Universal Mobile Telecommunications System
- GPRS: General Packet Radio Service
- LTE: Long Term Evolution
- the user equipment (English: User Equipment; UE) moves between different mobile communication networks in the hybrid network.
- UE: User Equipment
- when accessing or switching to any network in the hybrid network, the UE needs to perform a complete security authentication process with that network to generate the key required for that network.
- for example, in a hybrid network composed of a WiFi network and an LTE network, when the UE accesses the LTE network it performs the security authentication process with the LTE network to generate the key of the LTE network, and when the UE switches from the LTE network to the WiFi network it needs to perform a security authentication process with the WiFi network to generate the key of the WiFi network.
- the present invention provides a key generation method, device and system.
- the technical solution is as follows:
- a method for generating a key comprising:
- after receiving a first command, the user equipment UE located in the first-standard network acquires a type identifier of a second-standard network that needs to provide services for the UE, where the first command is a service request response message, or a handover command, or any message during the air interface security activation process;
- the UE determines an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the UE generates an access stratum AS key of the second standard network according to the access key.
- the UE shares the NAS serial number and a key of the first standard network with a first network device of the first standard network.
- the first command includes a cryptographic algorithm
- the generating, by the UE, the access layer AS key of the second standard network according to the access key includes:
- the UE generates an AS key of the second standard network according to the cryptographic algorithm and the access key.
- when the first command is a service request response message or any message in the air interface security activation process, before receiving the first command the method further includes:
- the first network device of the first-standard network sends second-standard network indication information, where the second-standard network indication information includes the type identifier of the second-standard network that needs to provide services for the UE or the identity identifier of the second-standard network that needs to provide services for the UE; or
- a service request message is sent to the first network device of the first-standard network, where the second service request message includes the type identifier of the second-standard network that needs to provide service for the UE or the identity identifier of the second-standard network that needs to provide service for the UE.
- the first standard network is a long term evolution LTE network
- the second standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a method for generating a key comprising:
- after receiving a request message sent by the second network device of the first-standard network, the first network device of the first-standard network acquires the type identifier of a second-standard network that needs to provide services for the user equipment UE located in the first-standard network, where the request message is a service request message or a handover request message;
- the first network device of the first-standard network determines an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the first network device of the first-standard network sends the access key to a network device of the second-standard network, so that the network device of the second-standard network generates an access stratum AS key of the second-standard network according to the access key; the AS key of the second-standard network is a key of the second-standard network.
- the first network device of the first-standard network shares the NAS serial number and the key of the first-standard network with the UE.
- after acquiring the type identifier of the second-standard network that needs to provide a service for the user equipment UE located in the first-standard network, the method further includes:
- the first network device of the first-standard network acquires capability information of the UE, where the capability information of the UE includes the capability of the UE in the second-standard network;
- the sending, by the first network device of the first-standard network, of the access key to a network device of the second-standard network so that the network device of the second-standard network generates the access stratum AS key of the second-standard network according to the access key includes:
- the first network device of the first-standard network sends the capability information of the UE and the access key to the network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm according to the capability information of the UE and generates the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the request message includes the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network or the identity identifier of the second-standard network that needs to provide services for the UE located in the first-standard network;
- the acquiring of the type identifier of the second-standard network that needs to provide a service for the user equipment UE located in the first-standard network includes:
- the first network device of the first-standard network obtains the type identifier of the second-standard network from the request message; or
- the first network device of the first-standard network determines the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the acquiring of the type identifier of the second-standard network that needs to provide a service for the user equipment UE located in the first-standard network includes:
- the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, where the second-standard network indication information includes the type identifier of the second-standard network; or
- the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, where the second-standard network indication information includes the identity identifier of the second-standard network, and the first network device of the first-standard network determines the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the sending, by the first network device of the first-standard network, of the access key to the network device of the second-standard network includes:
- the first network device of the first-standard network sends the access key to the network device of the second-standard network through a second network device of the first-standard network.
- the first standard network is a long term evolution LTE network
- the second standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a method for generating a key comprising:
- the network device of the second-standard network receives an access key sent by the first network device of the first-standard network, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the network device of the second-standard network generates an access stratum AS key of the second-standard network according to the access key; where the UE and the first network device of the first-standard network share the same NAS serial number and key of the first-standard network.
- the generating, by the network device of the second-standard network, of the access stratum AS key of the second-standard network according to the access key includes:
- the network device of the second-standard network receives the capability information of the UE that is sent by the first network device of the first-standard network, where the capability information of the UE includes the capability of the UE in the second-standard network;
- the network device of the second standard network determines a cryptographic algorithm according to the capability information of the UE;
- the network device of the second standard network generates an AS key of the second standard network according to the cryptographic algorithm and the access key.
- the receiving, by the network device of the second-standard network, of the access key sent by the first network device of the first-standard network includes:
- the network device of the second-standard network receives an access key sent by the first network device of the first-standard network through the second network device of the first-standard network.
- the first-standard network is a long term evolution LTE network, and the second-standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a key generation device where the key generation device is located in a first-standard network, and the key generation device includes:
- an acquiring unit configured to acquire, after receiving a first command, a type identifier of a second-standard network that needs to provide a service for the key generation device, where the first command is a service request response message, or a handover command, or any message during the air interface security activation process;
- a determining unit configured to determine an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- a generating unit configured to generate an access stratum AS key of the second standard network according to the access key.
- the key generation device shares the NAS serial number and the key of the first-standard network with a first network device of the first-standard network.
- the first command includes a cryptographic algorithm, and the generating unit is specifically configured to generate the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- when the first command is a service request response message or any message in the air interface security activation process, the key generation device further includes:
- a service request message is sent to the first network device of the first-standard network, where the second service request message includes the type identifier of the second-standard network that needs to provide service for the UE or the identity identifier of the second-standard network that needs to provide service for the UE.
- the first standard network is a long term evolution LTE network
- the second standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a key generation device where the key generation device is located in a first-standard network, the key generation device includes:
- An acquiring unit configured to acquire, after receiving the request message sent by the second network device of the first-standard network, a type identifier of a second-standard network that needs to provide a service for the user equipment UE located in the first-standard network;
- the request message is a service request message or a handover request message;
- a determining unit configured to determine an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- a sending unit configured to send the access key to a network device of the second-standard network, so that the network device of the second-standard network generates an access stratum AS key of the second-standard network according to the access key.
- the key generating device shares the NAS serial number and a key of the first standard network with the UE.
- the acquiring unit is further configured to acquire capability information of the UE, where the capability information of the UE includes the capability of the UE in the second-standard network;
- the sending unit is specifically configured to send the capability information of the UE and the access key to a network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm according to the capability information of the UE and generates an AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the request message includes the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network or the identity identifier of the second-standard network that needs to provide services for the UE located in the first-standard network;
- the acquiring unit is specifically configured to obtain the type identifier of the second-standard network from the request message, or to determine the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the acquiring unit is specifically configured to receive second-standard network indication information sent by the second network device of the first-standard network, where the second-standard network indication information includes the type identifier of the second-standard network; or to receive second-standard network indication information sent by the second network device of the first-standard network, where the second-standard network indication information includes the identity identifier of the second-standard network, and to determine the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the sending unit is specifically configured to send the access key to the network device of the second-standard network through a second network device of the first-standard network.
- the first standard network is a long term evolution LTE network
- the second standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a key generation device where the key generation device is located in a second-standard network, and the key generation device includes:
- a receiving unit configured to receive an access key sent by a first network device of the first-standard network, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- a generating unit configured to generate an access stratum AS key of the second standard network according to the access key
- the UE located in the first-standard network shares the NAS serial number and the key of the first-standard network with the first network device of the first-standard network.
- the generating unit is specifically configured to determine a cryptographic algorithm according to the capability information of the UE received from the first network device of the first-standard network, where the capability information of the UE includes the capability of the UE in the second-standard network, and to generate an AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the receiving unit is specifically configured to receive the access key sent by the first network device of the first-standard network through the second network device of the first-standard network.
- the first-standard network is a long term evolution LTE network, and the second-standard network is at least one of a global mobile communication system GSM network, a universal mobile communication system UMTS network, a general packet radio service technology GPRS network, and a wireless fidelity WiFi network.
- a key generation system comprising:
- a key generation device according to any of the fifth aspects.
- the key generation system further includes: the key generation device of any of the sixth aspects.
- a key generation system comprising:
- a key generation device according to any of the sixth aspects.
- a key generation system comprising:
- a key generation device according to any of the third aspects; and
- a key generation device according to any of the sixth aspects.
- the key generation method, device and system provided by the present invention generate the AS key of the second-standard network according to the access key after determining the access key, so that the key of the first-standard network and the NAS information can be used to generate the AS key of the second-standard network; this avoids the security authentication process performed before generation of the AS key of the second-standard network in the prior art while still ensuring security, which correspondingly reduces the overall communication delay of the hybrid network and reduces its communication load.
- FIG. 1 is a network environment of a hybrid network involved in a key generation method according to an embodiment of the present invention
- FIG. 2 is a flowchart of a key generation method according to an embodiment of the present invention.
- FIG. 3 is a flowchart of still another method for generating a key according to an embodiment of the present invention.
- FIG. 4 is a flowchart of still another method for generating a key according to an embodiment of the present invention.
- FIG. 5 is a flowchart of still another method for generating a key according to an embodiment of the present invention.
- FIG. 6 is a flowchart of a method for an MME to generate an access key according to an embodiment of the present invention
- FIG. 7 is a flowchart of a method for a UE to generate an AS key of a second standard network according to an embodiment of the present invention
- FIG. 8 is a flowchart of a method for generating a key according to an embodiment of the present invention.
- FIG. 9 is a flowchart of a method for generating an access key by an MME according to an embodiment of the present invention.
- FIG. 10 is a flowchart of a method for a UE to generate an AS key of a second standard network according to an embodiment of the present invention
- FIG. 11 is a schematic structural diagram of a key generation device according to an embodiment of the present disclosure.
- FIG. 12 is a schematic structural diagram of still another key generation device according to an embodiment of the present disclosure.
- FIG. 13 is a schematic structural diagram of still another key generation device according to an embodiment of the present disclosure.
- FIG. 14 is a schematic structural diagram of still another key generation device according to an embodiment of the present disclosure.
- FIG. 15 is a schematic structural diagram of a key generation device according to an embodiment of the present invention.
- FIG. 16 is a schematic structural diagram of still another key generation device according to an embodiment of the present disclosure.
- FIG. 17 is a schematic structural diagram of still another key generation device according to an embodiment of the present disclosure.
- FIG. 18 is a schematic structural diagram of still another key generation device according to an embodiment of the present invention.
- FIG. 1 provides a network environment of a hybrid network involved in a key generation method according to an embodiment of the present invention.
- the hybrid network 0 includes a first standard network 01 and at least one second standard network 02.
- the first-standard network 01 may include the first network device 011 of the first-standard network and the second network device 012 of the first-standard network; usually, the UE 03 located in the first-standard network 01 and the first network device 011 of the first-standard network exchange information through the second network device 012 of the first-standard network; optionally, the first network device 011 of the first-standard network can share a non-access stratum (English: Non-Access Stratum; abbreviated as: NAS) signaling serial number with the UE 03, where the NAS serial number is a serial number of NAS signaling;
- the second-standard network 02 may include at least one network device, for example a network device 021 of the second-standard network, and the network device 021 of the second-standard network can communicate with the first network device 011 of the first-standard network.
- for example, the network device 021 of the second-standard network can communicate with the first network device 011 of the first-standard network through the second network device 012 of the first-standard network; or the network device 021 of the second-standard network can communicate directly with the first network device 011 of the first-standard network; or the network device 021 of the second-standard network can communicate with the first network device 011 of the first-standard network via another network device of the first-standard network or of the second-standard network (not shown).
- the first standard network 01 may be an LTE network, and may also be a next-generation (eg, 4.5G or 5G) network or a network of other network standards in the future.
- the at least one second-standard network 02 may be at least one of a WiFi network, a GSM network, a UMTS network, and a GPRS network.
- the first-standard network may be more advanced than the second-standard network, that is, the first-standard network has a later date than the second-standard network, and the first-standard network is generally backward compatible with the second-standard network.
- when the first-standard network 01 is an LTE network, the first network device 011 of the first-standard network may be a mobility management entity (English: Mobility Management Entity; MME for short), and the second network device 012 of the first-standard network may be an evolved base station (English: Evolved Node B; abbreviated as: eNodeB).
- when the second-standard network 02 is a WiFi network, the network device 021 of the second-standard network may be a wireless access point (English: Wireless Access Point; abbreviation: AP) or an AP controller (English: AP Controller; AC for short); when the second-standard network 02 is a GSM, UMTS or GPRS network, the network device 021 of the second-standard network may be a base station or a base station controller, etc., which is not limited herein.
- the embodiment of the present invention provides a key generation method, as shown in FIG. 2, which can be applied to a UE of a first standard network in the hybrid network shown in FIG. 1.
- the method includes:
- Step 201 After receiving the first command, the UE located in the first-standard network acquires the type identifier of the second-standard network that needs to provide services for the UE.
- the first command is a service request response message, or a handover command, or any message in the air interface security activation process.
- the service request response message may be sent by the first network device of the first-standard network to notify the UE that the service request message has been received; the handover command may be sent by the second network device of the first-standard network to instruct the UE to switch from the first-standard network to the second-standard network; any message in the air interface security activation process may be sent by the network device of the second-standard network, and the air interface security activation process is used to implement AS security context negotiation and activation.
- the first standard network may be an LTE network
- the second standard network may be at least one of a GSM network, a universal mobile communication system UMTS network, a GPRS network, and a WiFi network.
- Step 202 The UE determines the access key by using a preset key deduction algorithm according to the type identifier of the second standard network, the key of the first standard network, and the NAS serial number of the first standard network.
- the NAS serial number may be the uplink NAS count; if the first command is a handover command, the NAS serial number may be the downlink NAS count. optionally, the UE and the first network device of the first-standard network share the NAS serial number and the key of the first-standard network.
- Step 203 The UE generates an access layer (English: Access Stratum; AS for short) key of the second standard network according to the access key.
- the AS key can be used to protect signaling and/or user data.
- the access key is different from the AS key; it is the key required for generating the AS key of the second-standard network, and is determined by a preset key deduction algorithm from the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number of the first-standard network.
- in this key generation method, the UE determines the access key from the NAS information and then generates the AS key of the second-standard network from the access key. That is, the key of the first-standard network and the NAS information are used to generate the AS key of the second-standard network, which avoids the security authentication process that precedes generation of the AS key of the second-standard network in the prior art while still ensuring security, and correspondingly reduces the delay of the overall communication of the hybrid network and the communication load of the hybrid network.
- the first command in step 201 may include a cryptographic algorithm
- step 203 may include: the UE generates an AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the method may further include:
- the UE sends second-standard network indication information to a network device, where the second-standard network indication information includes the type identifier of the second-standard network that needs to provide services for the UE, or the identity of the second-standard network that needs to provide services for the UE; or
- the UE sends a first service request message, for requesting a service, to the second network device of the first-standard network, so that the second network device of the first-standard network sends a second service request message to the first network device of the first-standard network according to the first service request message, where the second service request message includes the type identifier of the second-standard network that needs to provide services for the UE, or the identity of the second-standard network that needs to provide services for the UE.
- the present invention provides a key generation method, as shown in FIG. 3, applied to a first network device of a first-standard network in the hybrid network shown in FIG. 1.
- the method includes:
- Step 301 After receiving the request message sent by the second network device of the first-standard network, the first network device of the first-standard network acquires the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network.
- the request message may be a service request message or a handover request message.
- Step 302 The first network device of the first-standard network determines the access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number of the first-standard network.
- if the request message is a service request message, the NAS serial number is an uplink NAS serial number; if the request message is a handover request message, the NAS serial number is a downlink NAS serial number.
- Step 303 The first network device of the first-standard network sends the access key to the network device of the second-standard network, so that the network device of the second-standard network generates the AS key of the second-standard network according to the access key.
- the first network device of the first-standard network shares the NAS serial number and the key of the first-standard network with the UE located in the first-standard network.
- in this key generation method, the first network device of the first-standard network determines the access key from the NAS information and sends the access key to the network device of the second-standard network, so that the network device of the second-standard network generates the AS key of the second-standard network from the access key. That is, the network device of the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information, which not only avoids the security authentication process that precedes generation of the AS key of the second-standard network in the prior art but also ensures security, and correspondingly reduces the delay of the overall communication of the hybrid network and the communication load of the hybrid network.
- the method further includes: acquiring, by the first network device of the first-standard network, the capability information of the UE
- the capability information of the UE includes the capability of the UE in the second-standard network; correspondingly, step 303 includes:
- the first network device of the first-standard network sends the capability information of the UE and the access key to the network device of the second-standard network, so that the network device of the second-standard network determines the cryptographic algorithm according to the capability information of the UE and generates the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- there may be multiple methods for obtaining the type identifier of the second-standard network in step 301; the present invention schematically provides the following:
- in one method, the request message includes the type identifier of the second-standard network that needs to provide services for the UE, or the identity of that second-standard network; acquiring the type identifier then includes: the first network device of the first-standard network obtains the type identifier of the second-standard network from the request message; or the first network device of the first-standard network determines the type identifier according to the identity of the second-standard network that needs to provide services for the UE located in the first-standard network.
- in another method, acquiring the type identifier includes: the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, where the indication information includes the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network; or the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, where the indication information includes the identity of the second-standard network that needs to provide services for the UE located in the first-standard network, and the first network device of the first-standard network determines the type identifier of that second-standard network according to its identity.
- the first network device of the first-standard network sends the access key to the network device of the second-standard network, including:
- the first network device of the first-standard network transmits the access key to the network device of the second-standard network through the second network device of the first-standard network.
- the first standard network is a long term evolution LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the method further includes: acquiring, by the first network device of the first-standard network, a NAS security context, where the NAS security context includes at least a preset network key and the NAS serial number, and the NAS security context acquired by the first network device of the first-standard network is the same as the NAS security context stored by the UE.
- the embodiment of the present invention provides a key generation method, as shown in FIG. 4, which can be applied to a network device of a second standard network in the hybrid network shown in FIG. 1, the method includes:
- Step 401 The network device of the second standard network receives the access key sent by the first network device of the first standard network.
- the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number.
- the network device of the second-standard network may receive the access key sent by the first network device of the first-standard network through the second network device of the first-standard network.
- Step 402 The network device of the second standard network generates an AS key of the second standard network according to the access key.
- the UE shares the NAS serial number and the key of the first standard network with the first network device of the first standard network.
- in this key generation method, after receiving the access key sent by the first network device of the first-standard network, the network device of the second-standard network generates the access stratum AS key of the second-standard network according to the access key, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number. That is, the network device of the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information, which avoids the security authentication process that precedes generation of the AS key of the second-standard network in the prior art while still ensuring security, and correspondingly reduces the delay of the overall communication of the hybrid network and the communication load of the hybrid network.
- optionally, in step 402, generating the AS key of the second-standard network according to the access key includes:
- the network device of the second-standard network receives the capability information of the UE sent by the first network device of the first-standard network, where the capability information of the UE includes the capability of the UE in the second-standard network; the network device of the second-standard network determines a cryptographic algorithm according to the capability information of the UE; and the network device of the second-standard network generates the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the first standard network may be an LTE network
- the second standard network may be at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- in a hybrid network, an AS key needs to be generated when a UE located in the first-standard network requests a service from the second network device of the first-standard network, or when the second network device of the first-standard network determines that the UE performs a network handover. The following embodiment takes the case in which the UE requests a service of the second-standard network as an example.
- in this embodiment, the request message is a service request message, the first command is a service request response message or any message in the air interface security activation process, and the first-standard network is assumed to be an LTE network.
- the first network device of the first-standard network is a mobility management entity (English: Mobility Management Entity; MME for short), and the second network device of the first-standard network is an evolved base station in the LTE network. As shown in FIG. 5, the embodiment of the present invention assumes that the network device that needs to provide services for the UE in the second-standard network is the network device A.
- the embodiment of the present invention provides a key generation method, including:
- Step 501 The UE and the evolved base station establish a radio resource control (English: Radio Resource Control; RRC for short) connection.
- specifically, the UE may send a connection setup request message to the evolved base station; the evolved base station generates a corresponding connection setup response message according to the connection setup request message and sends it to the UE; after receiving the connection setup response message, the UE sends a connection setup acknowledgment message to the evolved base station, and the RRC connection between the UE and the evolved base station is established.
- Step 502 The UE sends capability information of the UE to the MME.
- the capability information of the UE includes the capabilities of the UE in the second mode network.
- the UE may send the capability information of the UE to the MME in a NAS message of the attach procedure.
- the capability information of the UE includes the capability of the UE in the second-standard network, which refers to an algorithm supported by the UE in the second-standard network.
- the algorithm has at least one type.
- the capabilities of the UE may be as shown in Table 1.
- Table 1 (capability of the UE in each second-standard network, i.e. the algorithms the UE supports there):
- WiFi network: the UE supports algorithm L3, so the capability of the UE in the WiFi network is L3
- GSM network: the UE supports algorithms L1 and L5, so the capability of the UE in GSM is L1 and L5
- UMTS network: the UE supports algorithms L2 and L4, so the capability of the UE in UMTS is L2 and L4
- GPRS network: the UE supports algorithm L4, so the capability of the UE in the GPRS network is L4
- the NAS security context may further include Knas.int (an integrity protection key) and Knas.enc (an encryption key); Knas.int is used to protect the integrity of NAS signaling messages between the UE and the MME, and Knas.enc is used to protect the confidentiality of NAS signaling messages between the UE and the MME.
- Step 503 The UE and the MME perform an evolved packet system (English: Evolved Packet System; EPS for short) AKA authentication process and a NAS security mode command (English: Security Mode Command; SMC for short) process.
- the process of EPS AKA is described in the 3GPP TS 33.401 protocol.
- the protocol uses the challenge response mechanism to complete identity authentication and key agreement between the user and the network, and negotiates the communication encryption key based on the identity authentication.
- the AKA authentication process in the embodiment of the present invention is based on the protocol.
- the MME obtains an authentication vector {RAND, AUTN, XRES, Kasme} from the HSS (Home Subscriber Server), where RAND is a random number, AUTN is an authentication token, XRES is the expected response, and Kasme is the preset network key.
- the MME sends RAND and AUTN to the UE; the UE checks whether AUTN is correct to complete authentication of the network; if AUTN is correct, the UE calculates a response (English: response; RES for short) according to RAND and sends the RES to the MME; the MME checks whether the RES received from the UE is the same as the expected response (English: expected response; XRES for short) in the authentication vector, and if they are the same, authentication of the UE succeeds. After the EPS AKA authentication process is completed, the preset network key Kasme is shared between the UE and the MME.
- the NAS SMC security mode command flow is executed between the UE and the MME to negotiate and activate the NAS security context.
- the UE and the MME share a NAS security context, where the security context refers to a set of security related parameters.
- the NAS security context includes at least: a preset network key and a NAS serial number.
- the NAS security context acquired by the MME is the same as the NAS security context stored by the UE.
- the preset network key is Kasme;
- the NAS serial number can be an uplink NAS serial number or a downlink NAS serial number.
- Step 504 The UE sends a service request message to the evolved base station.
- the service request message is used to request a service from an evolved base station, and is secured by using a NAS security context, that is, integrity protection is performed using Knas.int.
- the service request information may be sent to the evolved base station to request the service.
- Step 505 The evolved base station sends a service request response message to the UE.
- the evolved base station may specify, for the UE, the second-standard network that provides services for the UE and the serving network device in that network, generate a corresponding service request response message, and send it to the UE.
- the service request response message is used to inform the UE that the service request message has been received and to inform the UE of the type of network that provides the service for the UE.
- the evolved base station may also not send a service request response message to the UE.
- Step 506 The evolved base station sends a service request message of the UE to the MME.
- the evolved base station may forward the service request message sent by the UE directly to the MME without processing it, or it may process the service request message, for example by adding the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network, or the identity of that second-standard network. If the evolved base station processes the service request message, then in the embodiment of the present invention the service request message sent by the UE is regarded as the first service request message, and the first service request message as processed by the evolved base station is regarded as the second service request message.
- Step 507 The MME generates an access key of the second standard network.
- the method for the MME to generate an access key may include:
- Step 5071 The MME acquires the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network.
- the service request message may carry the type identifier of the second-standard network that needs to provide services for the UE, or the identity of that second-standard network. The type identifier indicates the type of the second-standard network that needs to provide services for the UE, such as WiFi, GSM, UMTS, or GPRS; the identity uniquely identifies the second-standard network that needs to serve the UE.
- the MME may obtain, from the service request message, the type identifier of the second-standard network that needs to provide services for the UE, the identity of that second-standard network, or the identity of the network device A. If the identity of the network device A is obtained, the type of the network in which the network device A is located is determined as the type identifier of the second-standard network; if the identity of the second-standard network is obtained, the type identifier of the second-standard network is determined according to that identity.
- carrying the type identifier or the identity of the second-standard network in the service request message, without generating a new message, reduces the number of messages and the network load.
- alternatively, the evolved base station may generate second-standard network indication information after receiving the service request message and send it to the MME. The second-standard network indication information may include the type identifier of the second-standard network that needs to provide services for the UE, the identity of that second-standard network, or the identity of the network device A. After receiving the second-standard network indication information, the MME uses the type identifier directly when the indication information contains it; when the indication information contains the identity of the second-standard network or the identity of the network device A, the MME determines the type identifier of the second-standard network that needs to provide services for the UE from that identity.
- Step 5072 The MME determines the access key by using a preset key deduction algorithm according to the type identifier of the second standard network, the preset network key, and the uplink NAS sequence number.
- the MME may obtain the access key from the relevant parameters of the NAS security context obtained in step 503 by using the key calculation formula:
- K = KDF(uplink NAS count, Kasme, X);
- where K is the access key, uplink NAS count is the uplink NAS serial number, Kasme is the preset network key, X is the type identifier of the second-standard network, indicating whether the second-standard network is a WiFi network, GSM, UMTS, or GPRS, and KDF indicates a preset key derivation algorithm, such as HMAC-SHA256. It should be noted that the derivation of the key K may include other parameters in addition to uplink NAS count, Kasme, and X.
- Step 508 The MME sends the capability information and the access key of the UE to the network device A in the second standard network.
- specifically, the MME sends the capability information of the UE and the access key to the evolved base station. Since the network device in the second-standard network that serves the UE was specified by the evolved base station in step 505, the evolved base station can obtain the address or the identity of the network device A in the second-standard network and forward the capability information of the UE and the access key to the network device A according to that address or identity.
- the MME may directly send the capability information and the access key of the UE to the network device A according to the identity of the network device A.
- Step 509 The network device A determines a cryptographic algorithm according to the capability information of the UE.
- the network device A locally stores a list of algorithms, and the algorithm list records various cryptographic algorithms supported by the second-standard network.
- the cryptographic algorithms are arranged in order of priority from low to high or high to low.
- the network device A can match the capability of the UE in the second-standard network against the algorithm list to obtain the cryptographic algorithms that appear both in the capability of the UE in the second-standard network and in the algorithm list, and then take the algorithm with the highest priority among them as the cryptographic algorithm selected for the second-standard network.
- for example, the cryptographic algorithms supported by the network devices of the GSM network are A5/1, A5/3, and A5/4 (three algorithms of the A5 family; A5 is a stream cipher specified in the European GSM standard for encrypting digital cellular mobile phone traffic, and it encrypts the link from the user equipment to the base station).
- the cryptographic algorithms supported by the network devices of the UMTS network are SNOW 3G and KASUMI.
- the cryptographic algorithms supported by the network devices of the GPRS network are GEA3 and GEA4.
- the cryptographic algorithm supported by the network devices of the WiFi network is AES (the encryption standard selected by the National Institute of Standards and Technology to replace DES).
- assuming that the second-standard network is GSM, the capability of the UE in GSM obtained by the network device A is L1 and L5, and the GSM algorithm list is assumed to be as shown in Table 2.
- Table 2 lists the cryptographic algorithms in descending order of priority: L1, L4, L5, and L2. The network device A matches the capability of the UE in GSM against the GSM algorithm list; the cryptographic algorithms common to the capability of the UE in GSM and the GSM algorithm list are L1 and L5. According to Table 2, the algorithm with the highest priority among these is L1, so L1 is determined as the final cryptographic algorithm.
- Step 510 The network device A generates an AS key of the second standard network according to the cryptographic algorithm and the access key.
- for different second-standard networks, the method for calculating the AS key and the corresponding cryptographic algorithm are different.
- the embodiment of the present invention assumes that the cryptographic algorithm selected by the network device of the GSM network is L1, the cryptographic algorithm selected by the network device of the UMTS network is L2, and the cryptographic algorithm selected by the network device of the WiFi network is L3.
- when the second-standard network is GSM, the calculation formula of the AS key is:
- Kc = KDF(K, L1, "GSM");
- where Kc is the AS key in GSM, K is the access key, L1 is the algorithm identifier corresponding to the cryptographic algorithm selected according to the capability of the UE, "GSM" indicates that the second-standard network is GSM, and KDF indicates that the algorithm corresponding to L1 is used.
- when the second-standard network is UMTS, the calculation formula of the AS key is:
- CK/IK = KDF(K, L2, "UMTS");
- where CK/IK is the AS key in UMTS, K is the access key, L2 is the algorithm identifier corresponding to the cryptographic algorithm (encryption algorithm or integrity protection algorithm) selected according to the capability of the UE, the type identifier "UMTS" indicates that the second-standard network is UMTS, and KDF indicates that the algorithm corresponding to L2 is used.
- when the second-standard network is a WiFi network, the calculation formula of the AS key is:
- PMK = KDF(K, L3, "WiFi");
- where PMK is the AS key in the WiFi network, K is the access key, L3 is the algorithm identifier corresponding to the cryptographic algorithm selected according to the capability of the UE, "WiFi" indicates that the second-standard network is a WiFi network, and KDF indicates that the algorithm corresponding to L3 is used.
- the UE and the network device A can then perform the air interface security activation process using the generated key to complete negotiation and activation of the AS security context, for example the Cipher Mode Command procedure under GSM, the Security Mode Command procedure under UMTS, or the 4-way handshake procedure under the WiFi network.
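- the two-stage derivation of steps 507 to 511 (and, equivalently, steps 202 and 203, 302 and 303, and 402 of the general methods above), carried through in Python as an added example that is not part of the patent: the MME and the UE both derive the access key K from the shared Kasme and the uplink NAS count, the network device A selects the cryptographic algorithm from the capability of the UE (Table 1) and its own priority list (Table 2), and both sides then derive the AS key from K. HMAC-SHA256 is the KDF the patent names; the length-prefixed parameter encoding, the numeric encoding of the type identifier X, the use of Kasme as the HMAC key, and all sample values are assumptions of this example.

```python
"""Two-stage key derivation of the patent (steps 507-511), as an added example."""
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the patent or from 3GPP test vectors.
KASME = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)   # 32-byte "preset network key"
UPLINK_NAS_COUNT = 0x00000007                                    # 32-bit uplink NAS count

# Type identifier X of the second-standard network. The patent only says X identifies
# WiFi/GSM/UMTS/GPRS; the numeric encoding is an assumption of this example.
TYPE_ID = {"GSM": 0x01, "UMTS": 0x02, "GPRS": 0x03, "WiFi": 0x04}


def kdf(key: bytes, *params) -> bytes:
    """HMAC-SHA256 KDF (the algorithm the patent names as one possible KDF).

    Every parameter is length-prefixed before concatenation, so ("L1", "GSM") and
    ("L1G", "SM") cannot collide. The encoding is an assumption of this example;
    the patent does not specify one.
    """
    s = b""
    for p in params:
        if isinstance(p, str):
            p = p.encode("ascii")
        elif isinstance(p, int):
            p = struct.pack(">I", p)
        s += struct.pack(">H", len(p)) + p
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_access_key(kasme: bytes, uplink_nas_count: int, network_type: str) -> bytes:
    """K = KDF(uplink NAS count, Kasme, X), run identically by the MME (step 5072)
    and by the UE (step 5112). Kasme is used as the HMAC key and the NAS count and X
    as the message (an assumption: the patent lists the inputs without roles)."""
    return kdf(kasme, uplink_nas_count, TYPE_ID[network_type])


def select_algorithm(ue_capabilities, network_algorithm_list):
    """Step 509: intersect the UE's capability in the second-standard network with
    the network device's algorithm list (ordered high to low priority) and take the
    highest-priority common algorithm."""
    for alg in network_algorithm_list:
        if alg in ue_capabilities:
            return alg
    raise ValueError("UE and network device share no cryptographic algorithm")


def derive_as_key(access_key: bytes, algorithm_id: str, network_type: str) -> bytes:
    """Step 510 / 5113: Kc = KDF(K, L1, "GSM"), CK/IK = KDF(K, L2, "UMTS"),
    PMK = KDF(K, L3, "WiFi"). The same call serves every network type."""
    return kdf(access_key, algorithm_id, network_type)


def run_example():
    """Both sides of the exchange for the GSM case of Table 1 / Table 2."""
    ue_caps_gsm = ["L1", "L5"]                  # Table 1: capability of the UE in GSM
    gsm_alg_list = ["L1", "L4", "L5", "L2"]     # Table 2: descending priority

    # MME side (step 507): type identifier obtained from the service request message.
    k_mme = derive_access_key(KASME, UPLINK_NAS_COUNT, "GSM")
    # Network device A (steps 509, 510): picks the algorithm, derives Kc from K alone.
    alg = select_algorithm(ue_caps_gsm, gsm_alg_list)
    kc_a = derive_as_key(k_mme, alg, "GSM")
    # UE side (step 511): same shared Kasme and NAS count; the algorithm is learnt from
    # the service request response or an air interface security activation message.
    k_ue = derive_access_key(KASME, UPLINK_NAS_COUNT, "GSM")
    kc_ue = derive_as_key(k_ue, alg, "GSM")

    # A replayed (older) NAS count or a different target network yields a different K,
    # which is what binds the access key to this service request and this network type.
    k_old = derive_access_key(KASME, UPLINK_NAS_COUNT - 1, "GSM")
    k_umts = derive_access_key(KASME, UPLINK_NAS_COUNT, "UMTS")
    return {
        "algorithm": alg,
        "access_key_matches": k_mme == k_ue,
        "as_key_matches": kc_a == kc_ue,
        "fresh_count_changes_key": k_old != k_mme,
        "network_type_changes_key": k_umts != k_mme,
        "Kc": kc_a.hex(),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

- the length-prefixed encoding keeps the tuple ("L1", "GSM") distinct from any other split of the same bytes; plain concatenation would let differently typed inputs collide. Note also what the construction does not do: a network device of the second-standard network that holds K can derive the AS key for any algorithm identifier, so the scheme relies on the confidentiality of the path over which the MME sends K to the network device A in step 508.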
- Step 511 The UE generates an AS key of the second standard network.
- the process of the UE generating the AS key of the second standard network may include:
- Step 5111 The UE acquires a type identifier of a second-standard network that needs to provide services for the UE.
- the evolved base station may determine, according to the current network status, communication quality, and the like of the hybrid network, a network that can provide services for the UE, and the type identifier of the network passes the service response message.
- the UE may extract the type identifier of the network from the service response message, and determine the second system network according to the type identifier, where the second system network may be any one of a WiFi network, a GSM, a UMTS, and a GPRS network.
- the internet the internet.
- step 505 the UE may obtain the type identifier of the second-standard network from the signaling of the air interface security activation process sent by the MME.
- Step 5122 The UE determines the access key by using a preset key deduction algorithm according to the type identifier of the second standard network, the preset network key, and the uplink NAS sequence number.
- the UE may obtain the access key according to the relevant parameters in the NAS security context acquired in step 502 by using a key calculation formula, where the key is calculated as:
- K = KDF(uplink NAS count, Kasme, X)
- K is the access key
- uplink NAS count is the uplink NAS serial number
- Kasme is the preset network key
- X is the type identifier of the second-standard network, which can be any one of the WiFi, GSM, UMTS, and GPRS networks
- KDF indicates a preset key derivation algorithm, which is the same as the key deduction algorithm adopted by the MME in step 507, such as the HMAC-SHA256 algorithm.
- Step 5113 The UE generates an AS key of the second standard network according to the cryptographic algorithm and the access key.
- the cryptographic algorithm is determined by network device A according to the capability information of the UE in step 509. After network device A selects the cryptographic algorithm, it sends the cryptographic algorithm to the UE. Generally, network device A can carry the cryptographic algorithm in the service request response message or in any message of the air interface security activation process, and the UE obtains the cryptographic algorithm by parsing the corresponding message.
- the method for calculating the AS key differs between the different second-standard networks.
- the embodiment of the present invention assumes that the cryptographic algorithm selected by the GSM network device is L1, the cryptographic algorithm selected by the UMTS network device is L2, and the cryptographic algorithm selected by the network device of the WiFi network
- is L3.
- the AS key is calculated as:
- Kc = KDF(K, L1, "GSM");
- Kc is the AS key in GSM
- K is the access key
- L1 is the algorithm identifier corresponding to the cryptographic algorithm selected by network device A according to the capabilities of the UE
- GSM indicates that the second standard network is GSM
- KDF indicates the algorithm corresponding to L1.
- CK/IK = KDF(K, L2, "UMTS");
- CK/IK is the AS key in the UMTS
- K is the access key
- L2 is the algorithm identifier corresponding to the cryptographic algorithm (encryption algorithm or integrity protection algorithm) selected by the network device A according to the capability of the UE.
- the identifier "UMTS" indicates that the second-standard network is UMTS
- the KDF indicates that the algorithm corresponding to L2 is adopted.
- the AS key is calculated as:
- the PMK is the AS key in the WiFi network
- K is the access key
- L3 is the algorithm identifier corresponding to the cryptographic algorithm selected by the network device A according to the capability of the UE
- the "WiFi network" identifier indicates that the second-standard network is a WiFi network.
- KDF indicates the algorithm corresponding to L3.
- step 505 is optional.
- step 505 and step 506 may also be performed after step 507 or step 508, steps 5111 to 5113 may be performed before step 506, and so on.
- in step 510, network device A and the UE perform the activation process of the AS security context. Through this activation procedure, the UE may also obtain the type identifier of the second-standard network. The process of deriving the AS key on the UE side in step 501 can be performed simultaneously with the AS security context activation process after step 510. Any variation that can be readily conceived within the technical scope of the present invention is within the scope of the present invention and will therefore not be described again.
- the AS and the NAS are coupled together, that is, the NAS signaling of one network can only be used with the AS signaling of that network,
- and the NAS signaling of one network cannot be used to generate AS signaling of other networks.
- so that the AS signaling can evolve independently, the NAS signaling and the AS signaling need to be decoupled, that is, the NAS signaling of one network can be used together with the AS signaling of other networks.
- keys used to protect AS signaling in each network are generated through their corresponding NAS signaling procedures.
- the GSM network and the GPRS network need to generate an encryption key (Kc) according to the GSM Authentication and Key Agreement (AKA) protocol, and determine and activate the encryption algorithm through the Cipher Mode Command (CMC) procedure or the GSM AKA procedure.
- the UMTS network needs to generate a cipher key (CK) and an integrity key (IK) according to the UMTS AKA protocol, and determine and activate the encryption algorithm and the integrity protection algorithm through the Security Mode Command (SMC) procedure.
- the first network device of the first-standard network may generate an access key according to the type identifier of the second-standard network, the preset network key, and the NAS serial number;
- the network device of the second-standard network may determine a cryptographic algorithm according to the capability information of the UE sent by the first network device of the first-standard network, and generate the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- this means that the NAS signaling in the first-standard network can be used for generating the AS key in the second-standard network; since the AS key is the security key of the AS signaling, this implements the decoupling of NAS signaling and AS signaling in terms of security authentication.
- in the key generation method, after the first network device of the first-standard network determines the access key according to the NAS information, it sends the access key to the network device of the second-standard network,
- so that this network device can generate the AS key of the second-standard network according to the access key; that is, the network device in the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information.
- this avoids the security authentication process that precedes the generation of the AS key in the second-standard network in the prior art while still ensuring security, thereby reducing the delay of the overall communication of the hybrid network,
- reducing the communication load of the hybrid network, and realizing the decoupling of NAS signaling and AS signaling in terms of security authentication.
- the embodiment of the present invention uses a UE in the first-standard network performing a network handover as an example. It is assumed that the UE is switched from the first-standard network to the second-standard network. In this case, the request message is a handover request message
- and the command is a handover command
- the first-standard network is an LTE network
- the access device of the first-standard network is the MME.
- the second network device in the first-standard network in this embodiment is an evolved base station in the LTE network.
- the embodiment of the present invention assumes that the network device that needs to provide services for the UE in the second-standard network is the network device B.
- the embodiment of the present invention provides a key generation method, including:
- Step 801 The evolved base station sends a handover request message to the MME.
- the evolved base station can monitor the state of the UE and its own state in real time. When the UE moves out of the preset cell range, or the load of the evolved base station is too high, the UE, or part of the data flows of the UE, needs to be switched to a network of another standard to relieve the burden on the evolved base station, and the evolved base station sends a handover request message to the MME.
- Step 802 The MME generates an access key of the second standard network.
- the method for the MME to generate an access key includes:
- Step 8021 The MME obtains a type identifier of a second-standard network that needs to provide services for the UE.
- the type identifier of the second standard network that needs to provide services for the UE or the identity of the network device B may be added to the handover request message;
- the MME may obtain, from the handover request message, the type identifier of the second-standard network that needs to provide services for the UE, the identity of network device B, or the identity of the second-standard network that needs to provide services for the UE. If the identity of network device B is obtained,
- the MME determines the type identifier of the network where network device B is located as the type identifier of the second-standard network that needs to provide services for the UE;
- if the identity of the second-standard network that needs to provide services for the UE is obtained, the type identifier of the second-standard network that needs to provide services for the UE may be determined according to that identity.
- or, the evolved base station may generate second-standard network indication information and send it to the MME, where the second-standard network indication information may include the type identifier of the second-standard network that needs to provide services for the UE,
- the identity of the second-standard network serving the UE, or the identity of network device B. After the MME receives the second-standard network indication information: when it includes the type identifier of the second-standard network that needs to provide services for the UE,
- the MME may directly obtain the type identifier of the second-standard network from the second-standard network indication information; when it includes the identity of the second-standard network that needs to provide services for the UE,
- the MME may directly obtain the identity of the second-standard network from the second-standard network indication information, and determine the type identifier of the second-standard network that needs to provide services for the UE according to that identity;
- and when the second-standard network indication information includes the identity of network device B,
- the MME determines the type identifier of the network in which network device B is located as the type identifier of the second-standard network that needs to provide services for the UE.
- Step 8022 The MME determines the access key by using a preset key deduction algorithm according to the type identifier of the second standard network, the preset network key, and the downlink NAS sequence number.
- the MME has obtained the NAS security context.
- the NAS security context includes at least: a preset network key and a NAS serial number.
- the NAS security context acquired by the MME is the same as the NAS security context stored by the UE.
- the MME may obtain the access key according to the relevant parameters in the security context by using a key calculation formula, where the key is calculated as:
- K = KDF(downlink NAS count, Kasme, X);
- K is the access key
- “downlink NAS count” is the downlink NAS serial number
- Kasme is the preset network key
- X is the type identifier of the second-standard network, which can be any one of the WiFi network, the GSM network, the UMTS network, and the GPRS network.
- KDF indicates a preset key derivation algorithm, such as the HMAC-SHA256 algorithm. It should be noted that the derivation process of the above key K may include not only parameters such as “downlink NAS count”, “Kasme” and “X”, but also other parameters.
- Step 803 The MME sends the capability information and the access key of the UE to the network device B in the second standard network.
- the MME sends the capability information and the access key of the UE to the evolved base station. Since the evolved base station sent the handover request message to the MME in step 801, it has specified the new network device that will provide services for the UE, that is, the destination device of the handover, so the evolved base station can obtain the address or identity of network device B in the second-standard network and forward the capability information and access key of the UE to network device B according to that network device address or identity.
- or, the MME sends the capability information and the access key of the UE directly to network device B according to the identity of network device B.
- Step 804 The network device B determines a cryptographic algorithm according to the capability information of the UE.
- the network device B locally stores a list of algorithms of the second standard network, and the algorithm list records various cryptographic algorithms supported by the second standard network, and the cryptographic algorithms are arranged according to the order of priority from low to high or high to low.
- network device B may match the capability of the UE in the second-standard network against the algorithm list to obtain the cryptographic algorithms in the list that the UE supports in the second-standard network,
- and then takes the algorithm with the highest priority among these algorithms as the cryptographic algorithm selected by the second-standard network.
- the cryptographic algorithms supported by the network devices of the GSM network are A5/1, A5/3, and A5/4;
- the cryptographic algorithms supported by the network devices of the UMTS network are SNOW3G and Kasumi; the cryptographic algorithms supported by the network devices of the GPRS network are GEA3
- and GEA4; and the cryptographic algorithm supported by the network devices of the WiFi network is AES.
- for the specific process, reference may be made to step 509 in the foregoing embodiment.
- Step 805 The network device B generates an AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the corresponding cryptographic algorithm differs between the different second-standard networks.
- the embodiment of the present invention assumes that the cryptographic algorithm selected by the GSM network device is L1, the cryptographic algorithm selected by the UMTS network device is L2, and the cryptographic algorithm selected by the network device of the WiFi network
- is L3.
- the AS key is calculated as:
- Kc = KDF(K, L1, "GSM");
- Kc is the AS key in GSM
- K is the access key
- L1 is the algorithm identifier corresponding to the cryptographic algorithm selected according to the capabilities of the UE
- GSM indicates that the second standard network is GSM
- KDF indicates the algorithm corresponding to L1.
- CK/IK = KDF(K, L2, "UMTS");
- CK/IK is the AS key in UMTS
- K is the access key
- L2 is the algorithm identifier corresponding to the cryptographic algorithm (encryption algorithm or integrity protection algorithm) selected according to the capability of the UE
- the type identifier "UMTS" indicates that the second-standard network is UMTS, and KDF indicates the algorithm corresponding to L2.
- the AS key is calculated as:
- the PMK is an AS key in the WiFi network
- K is an access key
- L3 is the algorithm identifier corresponding to the cryptographic algorithm selected according to the capability of the UE,
- and the "WiFi network" identifier indicates that the second-standard network is a WiFi network
- the KDF indicates that the algorithm corresponding to L3 is adopted.
- Step 806 The network device B sends a handover command to the MME.
- network device B is the new network device designated for the UE by the evolved base station, and the handover command is used to instruct the UE to switch from the first-standard network to the second-standard network; it may include the cryptographic algorithm selected by network device B.
- the cryptographic algorithm can also be sent to the evolved base station by other commands or messages, and forwarded to the UE by the evolved base station.
- Step 807 The MME sends a handover command to the evolved base station.
- Step 808 The evolved base station sends a handover command to the UE.
- Step 809 The UE generates an AS key of the second standard network.
- the process of the UE generating the AS key of the second standard network may include:
- Step 8091 The UE acquires a type identifier of a second-standard network that needs to provide services for the UE.
- the evolved base station can monitor the status of the UE and its own status in real time,
- takes the network that can provide the service for the UE as the network to which the UE is to be switched (i.e., the second-standard network), and sends the type identifier of that network to the UE in the handover command, so the UE can extract the type identifier of the network from the handover command
- and determine the second-standard network according to the type identifier, where the second-standard network may be any one of a WiFi network, a GSM network, a UMTS network, and a GPRS network.
- Step 8092 The UE determines the access key by using a preset key deduction algorithm according to the type identifier of the second standard network, the preset network key, and the downlink NAS sequence number.
- the UE may obtain an access key according to a related parameter in the NAS security context acquired in step 503 by using a key calculation formula, and the key is calculated as:
- K = KDF(downlink NAS count, Kasme, X)
- K is the access key
- downlink NAS count is the downlink NAS serial number
- Kasme is the preset network key
- X is the type identifier of the second-standard network, which can be any one of the WiFi, GSM, UMTS, and GPRS networks.
- KDF indicates a preset key derivation algorithm which is the same as the key derivation algorithm used by the MME in step 8022, such as the HMAC-SHA256 algorithm.
- Step 8093 The UE generates an AS key of the second standard network according to the cryptographic algorithm and the access key.
- the cryptographic algorithm is determined by network device B according to the capability information of the UE in step 804. After network device B selects the cryptographic algorithm, it sends the cryptographic algorithm to the UE. Generally, network device B may carry the cryptographic algorithm in the handover command generated in step 806, and the UE obtains the cryptographic algorithm by parsing the handover command.
- the method for calculating the AS key differs between the different second-standard networks.
- the embodiment of the present invention assumes that the cryptographic algorithm selected by the GSM network device is L1, the cryptographic algorithm selected by the UMTS network device is L2, and the cryptographic algorithm selected by the network device of the WiFi network
- is L3.
- the AS key is calculated as:
- Kc = KDF(K, L1, "GSM");
- Kc is the AS key in GSM
- K is the access key
- L1 is the algorithm identifier corresponding to the cryptographic algorithm selected by network device B according to the capabilities of the UE
- GSM indicates that the second standard network is GSM
- KDF indicates the algorithm corresponding to L1.
- CK/IK = KDF(K, L2, "UMTS");
- CK/IK is the AS key in the UMTS
- K is the access key
- L2 is the algorithm identifier corresponding to the cryptographic algorithm selected by the network device B according to the capability of the UE
- the type identifier "UMTS" indicates that the second-standard network is UMTS, and KDF indicates the algorithm corresponding to L2.
- the AS key is calculated as:
- the PMK is the AS key in the WiFi network
- K is the access key
- L3 is the algorithm identifier corresponding to the cryptographic algorithm selected by the network device B according to the capability of the UE
- the "WiFi network" identifier indicates that the second-standard network is a WiFi network.
- KDF indicates the algorithm corresponding to L3.
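The following is an added example, not code from the patent, implementing the derivation chain shared by the service-request embodiment (steps 507 to 511) and the handover embodiment (steps 802 to 809) above: K = KDF(NAS count, Kasme, X), selection of the cryptographic algorithm from a priority list, then the AS key KDF(K, L, X), with HMAC-SHA256 as the KDF the text suggests. The byte encoding of the KDF inputs, the NAS count width, the literal "WiFi" type identifier and the CK/IK split are assumptions of this example that the text does not fix.

```python
"""Two-stage key derivation modelled on the scheme described above: the access
key K from the shared NAS security context, then the AS key from K and the
selected algorithm, with HMAC-SHA256 as the KDF the text suggests.
Assumptions not fixed by the text: the byte encoding of the KDF inputs
(length-prefixed concatenation), a 32-bit NAS count, the literal "WiFi" as
the WiFi type identifier, and splitting the 32-byte UMTS output into CK || IK."""
import hashlib
import hmac

# Algorithms per second-standard network (names from the text), listed from
# highest to lowest priority; the priority order itself is constructed here.
NETWORK_ALGORITHMS = {
    "GSM": ["A5/4", "A5/3", "A5/1"],
    "UMTS": ["SNOW3G", "Kasumi"],
    "GPRS": ["GEA4", "GEA3"],
    "WiFi": ["AES"],
}


def _encode(*parts):
    """Length-prefix and concatenate the KDF inputs so field boundaries are
    unambiguous (assumed encoding; the text does not specify one)."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_access_key(nas_count, kasme, type_id):
    """Stage 1: K = KDF(NAS count, Kasme, X).

    Computed independently by the MME (downlink count for a handover, uplink
    count for a service request) and by the UE from the NAS security context
    they share. X binds K to exactly one second-standard network."""
    data = _encode(nas_count.to_bytes(4, "big"), type_id.encode())
    return hmac.new(kasme, data, hashlib.sha256).digest()


def select_algorithm(type_id, ue_capabilities):
    """Step 804 (and 509): the highest-priority algorithm in the network's list
    that the UE also supports; fail closed when there is no common algorithm."""
    for alg in NETWORK_ALGORITHMS[type_id]:
        if alg in ue_capabilities:
            return alg
    raise ValueError("no common cryptographic algorithm for " + type_id)


def derive_as_key(access_key, algorithm_id, type_id):
    """Stage 2: AS key = KDF(K, L, X), i.e. Kc = KDF(K, L1, "GSM") or
    CK/IK = KDF(K, L2, "UMTS"). Computed by the second-standard network
    device, and by the UE once it has parsed L from the handover command."""
    data = _encode(algorithm_id.encode(), type_id.encode())
    return hmac.new(access_key, data, hashlib.sha256).digest()


def split_ck_ik(as_key):
    """Assumed split of the 32-byte UMTS output into 128-bit CK and IK."""
    return as_key[:16], as_key[16:]


def handover(type_id, kasme, nas_count_mme, nas_count_ue, ue_capabilities):
    """Run both sides of steps 802-809 and report whether they agree.

    Network side: the MME derives K and forwards it with the UE capabilities
    to network device B, which selects L and derives the AS key. UE side: the
    UE derives K from its own NAS context and, after reading L and X from the
    handover command, derives the AS key itself. The two NAS counts are kept
    separate so that a desynchronised count can be demonstrated."""
    k_mme = derive_access_key(nas_count_mme, kasme, type_id)  # step 8022
    algorithm = select_algorithm(type_id, ue_capabilities)     # step 804
    as_key_net = derive_as_key(k_mme, algorithm, type_id)      # step 805
    k_ue = derive_access_key(nas_count_ue, kasme, type_id)     # step 8092
    as_key_ue = derive_as_key(k_ue, algorithm, type_id)        # step 8093
    return {
        "algorithm": algorithm,
        "as_key_network": as_key_net,
        "as_key_ue": as_key_ue,
        "in_sync": hmac.compare_digest(as_key_net, as_key_ue),
    }


if __name__ == "__main__":
    KASME = bytes(range(32))  # constructed 256-bit Kasme, not a real key
    result = handover("GSM", KASME, 7, 7, ["A5/1", "A5/3"])
    print(result["algorithm"], result["in_sync"])
    # A UE whose NAS count has drifted derives a different K, so the AS keys
    # no longer match: the count must stay synchronised for the scheme to work.
    print(handover("GSM", KASME, 7, 8, ["A5/1", "A5/3"])["in_sync"])
    # Same Kasme and count but a different X yield unrelated access keys.
    print(derive_access_key(7, KASME, "GSM") != derive_access_key(7, KASME, "UMTS"))
```

The in_sync flag makes the scheme's precondition visible: both sides must hold the same Kasme and the same NAS count, which is why the text insists that the MME's NAS security context be identical to the one stored by the UE.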
- the sequence of steps of the key generation method provided by the embodiment of the present invention may be adjusted as appropriate, and steps may be added or removed according to the situation.
- Any method that can be easily conceived within the scope of the present invention within the technical scope of the present invention is well within the scope of the present invention, and therefore will not be described again.
- the first network device of the first-standard network may generate an access key according to the type identifier of the second-standard network, the preset network key, and the NAS serial number.
- the network device of the second-standard network may determine a cryptographic algorithm according to the capability information of the UE sent by the first network device of the first-standard network, and generate the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- this means that the NAS signaling in the first-standard network can be used for generating the AS key in the second-standard network; since the AS key is the security key of the AS signaling, this implements the decoupling of NAS signaling and AS signaling in terms of security authentication.
- when the WiFi network is connected to the hybrid network formed by the core network of the LTE network and the UE accesses the WiFi network, the UE needs to perform a security authentication process with the WiFi network to generate a key, and when the UE
- switches from the WiFi network to the LTE network, it needs to re-execute the complete security authentication process with the LTE network.
- in the embodiment of the present invention, the AS key of the WiFi network is generated according to the access key determined by the LTE network, so when the UE switches from the WiFi network to the LTE
- network, the first network device (i.e., the MME) of the LTE network may select a cryptographic algorithm according to the capability of the UE in the LTE network and generate an AS key of the LTE network according to the cryptographic algorithm and the pre-generated access key, without re-executing the complete security authentication process. Therefore, the delay of the overall communication of the hybrid network is reduced, and the communication load of the hybrid network is reduced.
- in the key generation method, after the first network device of the first-standard network determines the access key according to the NAS information, it sends the access key to the network device of the second-standard network,
- so that this network device can generate the AS key of the second-standard network according to the access key; that is, the network device in the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information.
- this not only avoids the security authentication process before the generation of the AS key of the second-standard network in the prior art, but also ensures security, correspondingly reduces the delay of the overall communication of the hybrid network, reduces the communication load of the hybrid network,
- and implements the decoupling of NAS signaling and AS signaling in terms of security authentication.
- the embodiment of the present invention provides a key generation device 1 which is located in a first-standard network, and the key generation device 1 may be part or all of the UE located in the first-standard network, as shown in FIG.
- the key generation device 1 may include:
- the obtaining unit 11 is configured to: after receiving the first command, acquire a type identifier of a second-standard network that needs to provide a service for the key generation device 1; wherein the first command is a service request response message, a handover command, or any message in the air interface security activation process;
- the determining unit 12 is configured to determine an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum (NAS) serial number of the first-standard network;
- the generating unit 13 is configured to generate an access stratum (AS) key of the second-standard network according to the access key.
- the key generation device 1 shares the NAS serial number and the key of the first standard network with the first network device of the first standard network.
- the generating unit can generate the AS key of the second-standard network according to the access key, and thus the AS key of the second-standard network is generated by using the key of the first-standard network and the NAS information, which avoids the security authentication process before the generation of the AS key of the second-standard network in the prior art while also ensuring security;
- the delay of the overall communication of the hybrid network is reduced, and the communication load of the hybrid network is reduced.
- the first command includes a cryptographic algorithm
- the generating unit 13 is specifically configured to: generate an AS key of the second standard network according to the cryptographic algorithm and the access key.
- the first command is a service request response message or any message in the air interface security activation process.
- the key generation device 1 may further include:
- the sending unit 14 is configured to:
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the embodiment of the present invention provides a key generation device 2, where the key generation device 2 is located in a first-standard network, and the key generation device 2 may be part or all of the first network device of the first-standard network, as shown in FIG. 13. The key generation device 2 may include:
- an obtaining unit 21, a determining unit 22 and a sending unit 23.
- the obtaining unit 21 is configured to acquire, after receiving the request message sent by the second network device of the first standard network, a type identifier of a second-standard network that needs to provide a service for the UE located in the first-standard network;
- the request message is a service request message or a handover request message;
- the determining unit 22 is configured to determine an access key by using a preset key deduction algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum (NAS) serial number of the first-standard network;
- the sending unit 23 is configured to send the access key to a network device of the second-standard network, so that the network device of the second-standard network generates the access stratum (AS) key of the second-standard network according to the access key.
- the key generation device 2 shares the NAS serial number and the key of the first-standard network with the UE.
- the sending unit sends the access key to the network device in the second-standard network, so that the network device can generate the AS key of the second-standard network according to the access key; that is, the network device in the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information.
- the security authentication process before the generation of the AS key of the second-standard network in the prior art is thus avoided, security is also ensured, the delay of the overall communication of the hybrid network is reduced, and the communication load of the hybrid network is reduced.
- the acquiring unit 21 is further configured to: acquire capability information of the UE, where the capability information of the UE includes the capability of the UE in the second-standard network; and the sending unit 23 is specifically configured to: transmit the capability information of the UE and the access key to the network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm according to the capability information of the UE, and generates an AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the request message includes the type identifier of the second-standard network that needs to provide services for the UE located in the first-standard network, or the identity of the second-standard network that needs to provide services for the UE located in the first-standard network;
- the obtaining unit 21 is specifically configured to: obtain the type identifier of the second-standard network from the request message; or determine the type identifier of the second-standard network according to the identity of the second-standard network.
- the obtaining unit 21 is specifically configured to:
- when the second-standard network indication information includes the type identifier of the second-standard network, obtain the type identifier of the second-standard network from the second-standard network indication information;
- when the second-standard network indication information includes an identity of the second-standard network,
- determine the type identifier of the second-standard network according to the identity of the second-standard network.
- the sending unit 23 is specifically configured to: send, by using a second network device of the first standard network, the access key to a network device of the second standard network.
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a wireless fidelity WiFi network.
- the embodiment of the present invention provides a key generation device 3, which is located in a second standard network, and the key generation device 3 can be a network device of a second standard network, as shown in FIG.
- the key generation device 3 may include a receiving unit 31 and a generating unit 32.
- the receiving unit 31 is configured to receive an access key sent by the first network device of the first-standard network, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the generating unit 32 is configured to generate an access stratum AS key of the second standard network according to the access key.
- the UE located in the first-standard network shares the NAS serial number and the key of the first-standard network with the first network device of the first-standard network.
- after the receiving unit receives the access key sent by the first network device of the first-standard network, the generating unit generates the access stratum AS key of the second-standard network according to the access key, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number; that is, the network device in the second-standard network can use the key of the first-standard network and the NAS information to generate the AS key of the second-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
- the generating unit 32 is specifically configured to: receive capability information of the UE sent by the first network device of the first-standard network, where the capability information of the UE includes the capability of the UE in the second-standard network; determine a cryptographic algorithm according to the capability information of the UE; and generate the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the receiving unit 31 is specifically configured to: receive an access key sent by the first network device of the first standard network by using the second network device of the first standard network.
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the embodiment of the present invention provides a key generation device 4, which is located in a first-standard network; the key generation device 4 may be all or part of a UE of the first-standard network, as shown in FIG. 15.
- the key generation device may include a receiver 41, a processor 42 (for example, a CPU), a memory 44, and a bus 43 connecting the receiver 41, the processor 42, and the memory 44.
- the processor 42 is configured to execute the program 441 stored in the memory 44.
- the memory 44 may include a high-speed random access memory (RAM), and may also include a non-volatile memory, such as at least one disk storage.
- the processor 42 is configured to acquire, after the receiver 41 receives a first command, the type identifier of the second-standard network that needs to provide a service for the key generation device 4, where the first command is a service request response message, a handover command, or any message in the air interface security activation procedure;
- the processor 42 is further configured to determine an access key by using a preset key derivation algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the processor 42 is further configured to generate the access stratum AS key of the second-standard network according to the access key.
- with the key generation device provided by this embodiment, after the processor determines the access key by using the NAS information it can generate the AS key of the second-standard network according to the access key, so the AS key of the second-standard network is generated from the key of the first-standard network and the NAS information, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
- the key generation device shares the NAS serial number and the key of the first standard network with the first network device of the first standard network.
- the first command includes a cryptographic algorithm
- the processor 42 is specifically configured to: generate an AS key of the second standard network according to the cryptographic algorithm and the access key.
- the first command is a service request response message or any message in the air interface security activation procedure, in which case the key generation device 4 may further include:
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the embodiment of the present invention provides a key generation device 5, as shown in FIG. 17, the key generation device 5 is located in a first-standard network, and the key generation device 5 may be part of a first network device of a first-standard network.
- the key generation device 5 includes a receiver 51, a transmitter 52, a processor 53, a bus 54, and a memory 55; the bus 54 connects the receiver 51, the transmitter 52, the processor 53, and the memory 55, and the processor 53 executes the program 551 stored in the memory 55;
- the processor 53 is configured to acquire, after the receiver 51 receives a request message sent by the second network device of the first-standard network, the type identifier of the second-standard network that needs to provide a service for a UE located in the first-standard network, where the request message is a service request message or a handover request message;
- the processor 53 is further configured to determine an access key by using a preset key derivation algorithm according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the transmitter 52 is configured to send the access key to a network device of the second-standard network, so that the network device of the second-standard network generates the access stratum AS key of the second-standard network according to the access key.
- because the transmitter sends the access key to the network device in the second-standard network, that network device can generate the AS key of the second-standard network according to the access key; the AS key of the second-standard network is thus generated from the key of the first-standard network and the NAS information, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
- the key generation device 5 shares the NAS serial number and the key of the first standard network with the UE.
- the processor 53 is further configured to acquire capability information of the UE, where the capability information of the UE includes the capability of the UE in the second standard network;
- the transmitter 52 is specifically configured to send the capability information of the UE and the access key to a network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm according to the capability information of the UE and generates the AS key of the second-standard network based on the cryptographic algorithm and the access key.
- the request message includes the type identifier of the second-standard network that needs to provide a service for a UE located in the first-standard network, or the identity identifier of that second-standard network; the processor 53 is specifically configured to obtain the type identifier of the second-standard network from the request message, or to determine the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the receiver 51 is specifically configured to: receive second-standard network indication information sent by the second network device of the first-standard network, where the indication information includes the type identifier of the second-standard network; or receive second-standard network indication information sent by the second network device of the first-standard network, where the indication information includes the identity identifier of the second-standard network, in which case the processor 53 determines the type identifier of the second-standard network according to the identity identifier of the second-standard network.
- the transmitter 52 is specifically configured to send the access key to the network device of the second-standard network by way of the second network device of the first-standard network.
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the embodiment of the present invention provides a key generation device 6.
- the key generation device 6 is located in a second-standard network, and may be part or all of the network device of the second-standard network.
- the key generation device 6 may include a receiver 61, a processor 62, a bus 63, and a memory 64; the bus 63 connects the receiver 61, the processor 62, and the memory 64, and the processor 62 executes the program 641 stored in the memory 64;
- the receiver 61 is configured to receive an access key sent by the first network device of the first-standard network, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the non-access stratum NAS serial number of the first-standard network;
- the processor 62 is configured to generate an access stratum AS key of the second standard network according to the access key;
- the UE located in the first-standard network shares the NAS serial number and the key of the first-standard network with the first network device of the first-standard network.
- after the receiver receives the access key sent by the first network device of the first-standard network, the processor generates the access stratum AS key of the second-standard network according to the access key, where the access key is determined by the first network device of the first-standard network according to the type identifier of the second-standard network, the key of the first-standard network, and the NAS serial number; that is, the network device in the second-standard network can generate the AS key of the second-standard network by using the key of the first-standard network and the NAS information, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
- the receiver 61 is further configured to receive capability information of the UE sent by the first network device of the first-standard network, where the capability information of the UE includes the capability of the UE in the second-standard network;
- the processor 62 is specifically configured to: determine a cryptographic algorithm according to the capability information of the UE; and generate the AS key of the second-standard network according to the cryptographic algorithm and the access key.
- the receiver 61 is specifically configured to receive the access key sent by the first network device of the first-standard network by way of the second network device of the first-standard network.
- the first standard network is an LTE network
- the second standard network is at least one of a GSM network, a UMTS network, a GPRS network, and a WiFi network.
- the embodiment of the invention provides a key generation system, which may include: the key generation device 1 shown in FIG. 11 or FIG. 12; and the key generation device 2 shown in FIG. 13.
- the key generation system may further include: the key generation device 3 shown in FIG. 14.
- alternatively, the key generation system may include at least one of the key generation device 1 shown in FIG. 11 or FIG. 12, the key generation device 2 shown in FIG. 13, and the key generation device 3 shown in FIG. 14; for example, the key generation system may include the key generation device 1 shown in FIG. 11 or FIG. 12 and the key generation device 3 shown in FIG. 14, or, as a further example, the key generation device 2 shown in FIG. 13 and the key generation device 3 shown in FIG. 14.
- the embodiment of the invention provides a key generation system, which may include: the key generation device 4 shown in FIG. 15 or FIG. 16; and the key generation device 5 shown in FIG. 17.
- the key generation system may further include: the key generation device 6 shown in FIG. 18.
- alternatively, the key generation system may include at least one of the key generation device 4 shown in FIG. 15 or FIG. 16, the key generation device 5 shown in FIG. 17, and the key generation device 6 shown in FIG. 18; for example, the key generation system may include the key generation device 4 shown in FIG. 15 or FIG. 16 and the key generation device 6 shown in FIG. 18, or, as a further example, the key generation device 5 shown in FIG. 17 and the key generation device 6 shown in FIG. 18.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
- the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit.
- the above integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
- a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
- the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present invention provide a key generation method, device and system, relating to the field of communications. The method includes: after receiving a first command, a UE located in a first-standard network obtains the type identifier of a second-standard network that needs to provide service to the UE, where the first command is a service request response message, a handover command, or any message in the air interface security activation procedure; the UE determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the UE generates the access stratum (AS) key of the second-standard network from the access key. The invention addresses the problems of long overall communication delay and high communication load in a hybrid network, reducing both. The invention is used for communication in hybrid networks.
Description
The present invention relates to the field of communications, and in particular to a key generation method, device and system.
With social development and technological progress, users place higher demands on mobile terminal access technology, and mobile communication networks keep evolving to meet them. Mobile communication networks have developed from second-generation (2G) and third-generation (3G) to fourth-generation (4G) networks, while another widely deployed mobile communication network, the Wireless Fidelity (WiFi) network, exists alongside them. Future networks will be hybrid (heterogeneous) networks in which several mobile communication networks coexist. Such a hybrid network may include at least two of the following mobile communication networks: a WiFi network, a Global System for Mobile Communication (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Long Term Evolution (LTE) network.
To lower operators' deployment costs and improve the quality of service users receive, an interworking mechanism is needed for a user equipment (UE) moving between the different mobile communication networks of a hybrid network. In the prior art, whenever a UE accesses or hands over to any network in the hybrid network, it has to run the complete security authentication procedure with that network to generate the keys that network needs. For example, in a hybrid network made up of a WiFi network and an LTE network, the UE must run the security authentication procedure with the LTE network to generate the LTE network key when it accesses the LTE network, and must run the security authentication procedure with the WiFi network to generate the WiFi network key when it hands over from the LTE network to the WiFi network.
In the prior art, every time a UE performs network access or network handover it must run the complete security authentication procedure with the network that is to serve it in order to generate that network's key. The complete security authentication procedure has many steps, so the overall communication delay of the hybrid network is long and its communication load is high.
Summary of the Invention
To solve the problems of long overall communication delay and high communication load in a hybrid network, the present invention provides a key generation method, device and system. The technical solutions are as follows:
The beneficial effects of the technical solutions provided by the present invention are:
In a first aspect, a key generation method is provided, the method including:
after receiving a first command, a user equipment (UE) located in a first-standard network obtains the type identifier of a second-standard network that needs to provide service to the UE, where the first command is a service request response message, a handover command, or any message in the air interface security activation procedure;
the UE determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the UE generates the access stratum (AS) key of the second-standard network from the access key.
With reference to the first aspect, in a first implementation of the first aspect, the UE shares the NAS sequence number and the key of the first-standard network with the first network device of the first-standard network.
With reference to the first aspect or its first implementation, in a second implementation of the first aspect, the first command includes a cryptographic algorithm, and the UE generating the AS key of the second-standard network from the access key includes: the UE generating the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the first aspect or its first or second implementation, in a third implementation of the first aspect, the first command is a service request response message or any message in the air interface security activation procedure, and before the first command is received the method further includes:
the UE sending a service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the service request message, second-standard network indication information to the first network device of the first-standard network, the indication information including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE;
or the UE sending a first service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the first service request message, a second service request message to the first network device of the first-standard network, the second service request message including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE.
With reference to the first aspect or any of its first to third implementations, in a fourth implementation of the first aspect, the first-standard network is a Long Term Evolution (LTE) network, and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a second aspect, a key generation method is provided, the method including:
after receiving a request message sent by the second network device of a first-standard network, the first network device of the first-standard network obtains the type identifier of a second-standard network that needs to provide service to a UE located in the first-standard network, where the request message is a service request message or a handover request message;
the first network device of the first-standard network determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network;
the first network device of the first-standard network sends the access key to the network device of the second-standard network, so that the network device of the second-standard network generates the AS key of the second-standard network from the access key.
With reference to the second aspect, in a first implementation of the second aspect, the first network device of the first-standard network shares the NAS sequence number and the key of the first-standard network with the UE.
With reference to the second aspect or its first implementation, in a second implementation of the second aspect, before the type identifier of the second-standard network that needs to provide service to the UE located in the first-standard network is obtained, the method further includes: the first network device of the first-standard network obtaining capability information of the UE, the capability information including the capability of the UE in the second-standard network; and the first network device of the first-standard network sending the access key to the network device of the second-standard network includes: the first network device of the first-standard network sending the capability information of the UE and the access key to the network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm from the capability information of the UE and generates the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the second aspect or its first or second implementation, in a third implementation of the second aspect, the request message includes the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE located in the first-standard network, and obtaining the type identifier includes: the first network device of the first-standard network obtaining the type identifier of the second-standard network from the request message; or the first network device of the first-standard network determining the type identifier of the second-standard network from the identity identifier of the second-standard network.
With reference to the second aspect or its first or second implementation, in a fourth implementation of the second aspect, obtaining the type identifier of the second-standard network includes: the first network device of the first-standard network receiving second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or the first network device of the first-standard network receiving second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, and the first network device of the first-standard network determining the type identifier of the second-standard network from that identity identifier.
With reference to the second aspect or any of its first to fourth implementations, in a fifth implementation of the second aspect, the first network device of the first-standard network sending the access key to the network device of the second-standard network includes: the first network device of the first-standard network sending the access key to the network device of the second-standard network by way of the second network device of the first-standard network.
With reference to the second aspect or any of its first to fifth implementations, in a sixth implementation of the second aspect, the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a third aspect, a key generation method is provided, the method including:
the network device of a second-standard network receiving an access key sent by the first network device of a first-standard network, where the access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network;
the network device of the second-standard network generating the AS key of the second-standard network from the access key; where the UE shares the NAS sequence number and the key of the first-standard network with the first network device of the first-standard network.
With reference to the third aspect, in a first implementation of the third aspect, the network device of the second-standard network generating the AS key of the second-standard network from the access key includes: the network device of the second-standard network receiving capability information of the UE sent by the first network device of the first-standard network, the capability information including the capability of the UE in the second-standard network; the network device of the second-standard network determining a cryptographic algorithm from the capability information of the UE; and the network device of the second-standard network generating the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the third aspect or its first implementation, in a second implementation of the third aspect, the network device of the second-standard network receiving the access key sent by the first network device of the first-standard network includes: receiving the access key that the first network device of the first-standard network sends by way of the second network device of the first-standard network.
With reference to the third aspect or its first or second implementation, in a third implementation of the third aspect, the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a fourth aspect, a key generation device is provided, the key generation device being located in a first-standard network and including:
an obtaining unit, configured to obtain, after a first command is received, the type identifier of a second-standard network that needs to provide service to the key generation device, where the first command is a service request response message, a handover command, or any message in the air interface security activation procedure;
a determining unit, configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network;
a generating unit, configured to generate the AS key of the second-standard network from the access key.
With reference to the fourth aspect, in a first implementation of the fourth aspect, the key generation device shares the NAS sequence number and the key of the first-standard network with the first network device of the first-standard network.
With reference to the fourth aspect or its first implementation, in a second implementation of the fourth aspect, the first command includes a cryptographic algorithm, and the generating unit is specifically configured to generate the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the fourth aspect or its first or second implementation, in a third implementation of the fourth aspect, the first command is a service request response message or any message in the air interface security activation procedure, and the key generation device further includes a sending unit configured to:
send a service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the service request message, second-standard network indication information to the first network device of the first-standard network, the indication information including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE;
or send a first service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the first service request message, a second service request message to the first network device of the first-standard network, the second service request message including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE.
With reference to the fourth aspect or any of its first to third implementations, in a fourth implementation of the fourth aspect, the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a fifth aspect, a key generation device is provided, the key generation device being located in a first-standard network and including:
an obtaining unit, configured to obtain, after a request message sent by the second network device of the first-standard network is received, the type identifier of a second-standard network that needs to provide service to a UE located in the first-standard network, where the request message is a service request message or a handover request message;
a determining unit, configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network;
a sending unit, configured to send the access key to the network device of the second-standard network, so that the network device of the second-standard network generates the AS key of the second-standard network from the access key.
With reference to the fifth aspect, in a first implementation of the fifth aspect, the key generation device shares the NAS sequence number and the key of the first-standard network with the UE.
With reference to the fifth aspect or its first implementation, in a second implementation of the fifth aspect, the obtaining unit is further configured to obtain capability information of the UE, the capability information including the capability of the UE in the second-standard network; and the sending unit is specifically configured to send the capability information of the UE and the access key to the network device of the second-standard network, so that the network device of the second-standard network determines a cryptographic algorithm from the capability information of the UE and generates the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the fifth aspect or its first or second implementation, in a third implementation of the fifth aspect, the request message includes the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE located in the first-standard network, and the obtaining unit is specifically configured to: obtain the type identifier of the second-standard network from the request message; or determine the type identifier of the second-standard network from the identity identifier of the second-standard network.
With reference to the fifth aspect or its first or second implementation, in a fourth implementation of the fifth aspect, the obtaining unit is specifically configured to: receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, and determine the type identifier of the second-standard network from that identity identifier.
With reference to the fifth aspect or any of its first to fourth implementations, in a fifth implementation of the fifth aspect, the sending unit is specifically configured to send the access key to the network device of the second-standard network by way of the second network device of the first-standard network.
With reference to the fifth aspect or any of its first to fifth implementations, in a sixth implementation of the fifth aspect, the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a sixth aspect, a key generation device is provided, the key generation device being located in a second-standard network and including:
a receiving unit, configured to receive an access key sent by the first network device of a first-standard network, where the access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network;
a generating unit, configured to generate the AS key of the second-standard network from the access key;
where a UE located in the first-standard network shares the NAS sequence number and the key of the first-standard network with the first network device of the first-standard network.
With reference to the sixth aspect, in a first implementation of the sixth aspect, the generating unit is specifically configured to: receive capability information of the UE sent by the first network device of the first-standard network, the capability information including the capability of the UE in the second-standard network; determine a cryptographic algorithm from the capability information of the UE; and generate the AS key of the second-standard network from the cryptographic algorithm and the access key.
With reference to the sixth aspect or its first implementation, in a second implementation of the sixth aspect, the receiving unit is specifically configured to receive the access key that the first network device of the first-standard network sends by way of the second network device of the first-standard network.
With reference to the sixth aspect or its first or second implementation, in a third implementation of the sixth aspect, the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a seventh aspect, a key generation system is provided, the system including: the key generation device of any implementation of the fourth aspect; and the key generation device of any implementation of the fifth aspect.
With reference to the seventh aspect, in a first implementation of the seventh aspect, the key generation system further includes the key generation device of any implementation of the sixth aspect.
In an eighth aspect, a key generation system is provided, the system including: the key generation device of any implementation of the fourth aspect; and the key generation device of any implementation of the sixth aspect.
In a ninth aspect, a key generation system is provided, the system including: the key generation device of any implementation of the third aspect; and the key generation device of any implementation of the sixth aspect.
With the key generation method, device and system provided by the present invention, once the UE has determined the access key it can generate the AS key of the second-standard network from the access key; the AS key of the second-standard network is therefore generated using the key of the first-standard network and the NAS information, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present invention.
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Evidently the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is the network environment of a hybrid network to which a key generation method provided by an embodiment of the present invention applies;
FIG. 2 is a flowchart of a key generation method provided by an embodiment of the present invention;
FIG. 3 is a flowchart of another key generation method provided by an embodiment of the present invention;
FIG. 4 is a flowchart of another key generation method provided by an embodiment of the present invention;
FIG. 5 is a flowchart of another key generation method provided by an embodiment of the present invention;
FIG. 6 is a flowchart of a method by which an MME generates an access key, provided by an embodiment of the present invention;
FIG. 7 is a flowchart of a method by which a UE generates the AS key of a second-standard network, provided by an embodiment of the present invention;
FIG. 8 is a flowchart of a key generation method provided by an embodiment of the present invention;
FIG. 9 is a flowchart of a method by which an MME generates an access key, provided by an embodiment of the present invention;
FIG. 10 is a flowchart of a method by which a UE generates the AS key of a second-standard network, provided by an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a key generation device provided by an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a key generation device provided by an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention;
FIG. 18 is a schematic structural diagram of another key generation device provided by an embodiment of the present invention.
The above drawings show specific embodiments of the present invention, which are described in more detail below. These drawings and the written description are not intended to limit the scope of the inventive concept in any way, but to explain the concept to those skilled in the art by reference to specific embodiments.
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
FIG. 1 shows the network environment of a hybrid network to which a key generation method provided by an embodiment of the present invention applies. The hybrid network 0 includes a first-standard network 01 and at least one second-standard network 02. The first-standard network 01 may include a first network device 011 and a second network device 012 of the first-standard network; normally a UE 03 located in the first-standard network 01 and the first network device 011 exchange information through the second network device 012. Optionally, the first network device 011 may share a non-access stratum (NAS) signalling sequence number with the UE 03; the NAS sequence number is a sequence number of NAS signalling. The second-standard network 02 may include at least one network device, for example a network device 021 of the second-standard network, which can communicate with the first network device 011 of the first-standard network: for example through the second network device 012 of the first-standard network, or directly, or through other network devices (not shown) of the first-standard network or the second-standard network.
In the embodiments of the present invention, the first-standard network 01 may be an LTE network, a next-generation (for example 4.5G or 5G) network, or a network of some other future standard, and the at least one second-standard network 02 may be at least one of a WiFi network, a GSM network, a UMTS network and a GPRS network. Optionally, the first-standard network may be newer than the second-standard network, that is, it appeared later, and the first-standard network is usually backward compatible with the second-standard network. Specifically, in the embodiments of the present invention, when the first-standard network 01 is an LTE network, the first network device 011 of the first-standard network may be a Mobility Management Entity (MME) and the second network device 012 of the first-standard network may be an evolved Node B (eNodeB); when the second-standard network 02 is a WiFi network, the network device 021 of the second-standard network may be a wireless access point (AP) or an AP controller (AC); when the second-standard network 02 is a GSM, UMTS or GPRS network, the network device 021 of the second-standard network may be a base station or a base station controller, which the embodiments of the present invention do not limit.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments.
An embodiment of the present invention provides a key generation method, shown in FIG. 2, which may be applied to a UE of the first-standard network in the hybrid network shown in FIG. 1. The method includes:
Step 201: after receiving a first command, the UE located in the first-standard network obtains the type identifier of the second-standard network that needs to provide service to the UE.
The first command is a service request response message, a handover command, or any message in the air interface security activation procedure. The service request response message may be sent by the first network device of the first-standard network to tell the UE that the service request message was received; the handover command (Handover command) may be sent by the second network device of the first-standard network to instruct the UE to hand over from the first-standard network to the second-standard network; any message in the air interface security activation procedure may be sent by the network device of the second-standard network, the air interface security activation procedure serving to negotiate and activate the AS security context.
The first-standard network may be an LTE network, and the second-standard network may be at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
Step 202: the UE determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network.
If the first command is a service request response message or any message in the air interface security activation procedure, the NAS sequence number may be the uplink NAS COUNT; if the first command is a handover command, the NAS sequence number may be the downlink NAS COUNT. Optionally, the UE and the first network device of the first-standard network may share the NAS sequence number and the key of the first-standard network.
Step 203: the UE generates the access stratum (AS) key of the second-standard network from the access key.
The AS key may be used to protect signalling and/or user data; for details, refer to the security mechanisms of the LTE access procedure as explained in 3GPP TS 33.401. Note that in the embodiments of the present invention the access key is distinct from the AS key: it is the key needed to generate the AS key of the second-standard network, and is determined with the preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number of the first-standard network.
In summary, with the key generation method provided by this embodiment, once the UE has determined the access key from the NAS information it can generate the AS key of the second-standard network from the access key; the AS key of the second-standard network is thus generated using the key of the first-standard network and the NAS information, which avoids the security authentication procedure that the prior art requires before generating the AS key of the second-standard network while still ensuring security, and accordingly reduces the overall communication delay and the communication load of the hybrid network.
For example, the first command in step 201 may include a cryptographic algorithm, in which case step 203 may include: the UE generating the AS key of the second-standard network from the cryptographic algorithm and the access key.
Further, if the first command is a service request response message or any message in the air interface security activation procedure, then before step 201 the method may further include:
the UE sending a service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the service request message, second-standard network indication information to the first network device of the first-standard network, the indication information including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE; or the UE sending a first service request message to the second network device of the first-standard network, so that the second network device of the first-standard network sends, according to the first service request message, a second service request message to the first network device of the first-standard network, the second service request message including the type identifier or the identity identifier of the second-standard network that needs to provide service to the UE.
本发明提供一种密钥生成方法,如图3所示,应用于图1所示的混合网络中的第一制式网络的第一网络设备。该方法包括:
步骤301、第一制式网络的第一网络设备在接收到第一制式网络的第二网络设备发送的请求消息之后,获取需要为位于第一制式网络的UE提供服务的第二制式网络的类型标识。
其中,请求消息可以为服务请求(Service Request)消息或者切换请求消息。
步骤302、第一制式网络的第一网络设备根据第二制式网络的类型标识、第一制式网络的密钥和第一制式网络的NAS序列号,采用预设密钥推演算法确定接入密钥。
其中,若请求消息为服务请求消息,则NAS序列号为上行NAS序列号,
若请求消息为切换请求消息,则NAS序列号为下行NAS序列号。
步骤303、第一制式网络的第一网络设备将接入密钥发送至第二制式网络的网络设备,以便于第二制式网络的网络设备根据接入密钥生成第二制式网络的AS密钥。
可选的,第一制式网络的第一网络设备与位于该第一制式网络的UE共享NAS序列号和第一制式网络的密钥。
综上所述,本发明实施例提供的密钥生成方法,由于第一制式网络的第一网络设备在通过NAS信息确定接入密钥后,将接入密钥发送至第二制式网络中的网络设备,使得该网络设备可以根据接入密钥生成第二制式网络的AS密钥,则第二制式网络中的网络设备能够利用第一制式网络的密钥和NAS信息,生成第二制式网络的AS密钥,既避免了现有技术中生成第二制式网络的AS密钥生成前的安全认证流程,也保障了安全,相应地降低了混合网络整体通信的时延,减少了混合网络的通信负荷。
特别的,在步骤301中获取需要为位于第一制式网络的UE提供服务的第二制式网络的类型标识的步骤之前,该方法还包括:第一制式网络的第一网络设备获取UE的能力信息,UE的能力信息包括UE在第二制式网络中的能力;相应的,步骤303包括:
第一制式网络的第一网络设备将UE的能力信息和接入密钥发送至第二制式网络的网络设备,以便于第二制式网络的网络设备根据UE的能力信息确定密码算法,并根据密码算法和接入密钥生成第二制式网络的AS密钥。
需要说明的是,步骤301中获取第二制式网络的类型标识的方法可以有多种,本发明示意性地提供如下几种:
一方面,请求消息包括需要为UE提供服务的第二制式网络的类型标识或
者需要为UE提供服务的第二制式网络的身份标识;则获取需要为位于第一制式网络的UE提供服务的第二制式网络的类型标识包括:
第一制式网络的第一网络设备从请求消息中获取需要为位于第一制式网络的UE提供服务的第二制式网络的类型标识;或者,第一制式网络的第一网络设备根据需要为UE提供服务的第二制式网络的身份标识,确定需要为位于第一制式网络的UE提供服务的第二制式网络的类型标识。
In another aspect, obtaining the type identifier of the second-standard network that is to serve the UE located in the first-standard network includes: the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, which includes the type identifier of that second-standard network; or the first network device receives second-standard network indication information that includes the identity identifier of that second-standard network, and determines the type identifier from that identity identifier.
Further, in step 303, the first network device of the first-standard network sending the access key to the network device of the second-standard network includes:
The first network device of the first-standard network sends the access key to the network device of the second-standard network via the second network device of the first-standard network.
In the embodiments of the present invention the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
Optionally, before step 301, the method further includes: the first network device of the first-standard network obtains a NAS security context, which includes at least the preset network key and the NAS sequence number; the NAS security context obtained by the first network device is identical to the NAS security context stored by the UE.
An embodiment of the present invention provides a key generation method, shown in Figure 4, that may be applied to the network device of the second-standard network in the hybrid network of Figure 1. The method includes:
Step 401: the network device of the second-standard network receives the access key sent by the first network device of the first-standard network.
The access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number.
For example, the network device of the second-standard network may receive the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
Step 402: the network device of the second-standard network generates the AS key of the second-standard network from the access key.
The UE and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
In summary, in the key generation method provided by the embodiments of the present invention, once the network device of the second-standard network has received the access key from the first network device of the first-standard network it generates the access stratum (AS) key of the second-standard network from it, the access key having been determined by the first network device from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number. The network device of the second-standard network thus generates that AS key from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
In step 402, the network device of the second-standard network generating the AS key of the second-standard network from the access key includes:
The network device of the second-standard network receives the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network; it determines a cipher algorithm from the UE capability information; and it generates the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the first-standard network may be an LTE network and the second-standard network may be at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
In a hybrid network, an AS key has to be generated when a UE located in the first-standard network requests service from the second network device of the first-standard network, or when that second network device decides that the UE is to perform a network handover. In one aspect, the embodiments of the present invention take as their example the UE requesting service from the second-standard network (that is, the UE accessing the second-standard network). In this case the request message is a service request message and the first command is a service request response message or any message of the air interface security activation procedure. Assuming the first-standard network is an LTE network, the access device of the first-standard network is a Mobility Management Entity (MME), and the second network device of the first-standard network in this embodiment is an evolved NodeB (eNB) of the LTE network. As shown in Figure 5, and assuming that the network device in the second-standard network that is to serve the UE is network device A, the embodiment provides a key generation method that includes:
Step 501: the UE and the eNB establish a Radio Resource Control (RRC) connection.
For example, the UE may send a connection setup request message to the eNB; the eNB generates the corresponding connection setup response message and sends it to the UE; after receiving the response, the UE sends a connection setup complete message to the eNB, and the RRC connection between the UE and the eNB is established.
Step 502: the UE sends its capability information to the MME.
The UE capability information includes the capability of the UE in the second-standard network. For example, the UE may send its capability information to the MME in a NAS message of the attach procedure.
The capability of the UE in the second-standard network refers to the algorithms (at least one) that the UE supports in that network. For example, the UE capability may be as in Table 1: when the second-standard network is a WiFi network the UE supports algorithm L3, so its capability in WiFi is L3; when it is GSM the UE supports L1 and L5, so its capability in GSM is L1 and L5; when it is UMTS the UE supports L2 and L4, so its capability in UMTS is L2 and L4; when it is a GPRS network the UE supports L4, so its capability in GPRS is L4.
Table 1 (reconstructed from the description above)
Second-standard network | UE capability (supported algorithms) |
---|---|
WiFi | L3 |
GSM | L1, L5 |
UMTS | L2, L4 |
GPRS | L4 |
It should be noted that the NAS security context may also include Knas.int (integrity protection key) or Knas.enc (decryption key): Knas.int protects the integrity of NAS signalling messages between the UE and the MME, and Knas.enc protects the confidentiality of NAS signalling messages between the UE and the MME.
Step 503: the UE and the MME perform the Evolved Packet System (EPS) AKA authentication procedure and the NAS Security Mode Command (SMC) procedure.
The EPS AKA procedure is specified in 3GPP TS 33.401. It uses a challenge-response mechanism to complete identity authentication and key agreement between the user and the network, and negotiates the communication encryption keys on the basis of that authentication; the AKA procedure in the embodiments of the present invention is based on it. For example, the MME obtains an authentication vector {RAND, AUTN, XRES, Kasme} from the HSS (Home Subscription Server), where RAND is a random number, AUTN an authentication token, XRES the expected response and Kasme the preset network key; the MME sends RAND and AUTN to the UE; the UE checks whether AUTN is correct, thereby authenticating the network; if AUTN is correct, the UE computes a response (RES) from RAND and sends it to the MME; the MME checks whether the RES received from the UE equals the expected response (XRES) in the authentication vector, and if so the UE is successfully authenticated. After the EPS AKA procedure the UE and the MME share the preset network key Kasme.
After EPS AKA succeeds, the UE and the MME run the NAS SMC procedure to negotiate and activate the NAS security context. Once NAS SMC completes, the UE and the MME share the NAS security context, a security context being a set of security-related parameters.
In the embodiments of the present invention the NAS security context includes at least the preset network key and the NAS sequence number, and the NAS security context obtained by the MME is identical to the one stored by the UE. According to 3GPP TS 33.401 the preset network key is Kasme, and the NAS sequence number may be the uplink NAS sequence number or the downlink NAS sequence number.
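The challenge-response exchange of step 503, modelled as an added example (this is not code from the patent or from 3GPP): the HSS issues an authentication vector {RAND, AUTN, XRES, Kasme}, the MME sends RAND and AUTN, the UE verifies AUTN and answers with RES, and the MME compares RES with XRES. Everything below the message flow is an assumption made so the example runs offline: the MILENAGE functions are replaced by HMAC-SHA256 stand-ins, the Kasme derivation omits the serving-network identity, and the long-term key K_i and the sequence-number handling are constructed.

```python
import hmac
import hashlib
import secrets


def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for the MILENAGE f1..f5 functions
    (assumption: HMAC-SHA256 keyed with K_i, one label per function)."""
    m = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        m.update(p)
    return m.digest()


class HSS:
    """Home subscriber server: holds the long-term key K_i and issues vectors."""

    def __init__(self, k_i: bytes):
        self.k_i = k_i
        self.sqn = 1  # sequence number, incremented per issued vector

    def authentication_vector(self) -> dict:
        rand = secrets.token_bytes(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac = _f(self.k_i, b"f1", sqn, rand)[:8]   # tag the UE uses to authenticate the network
        xres = _f(self.k_i, b"f2", rand)[:8]       # expected response
        ck = _f(self.k_i, b"f3", rand)[:16]
        ik = _f(self.k_i, b"f4", rand)[:16]
        kasme = _f(ck + ik, b"kasme", sqn)         # preset network key (assumption: no SN id)
        return {"RAND": rand, "AUTN": sqn + mac, "XRES": xres, "Kasme": kasme}


class UE:
    def __init__(self, k_i: bytes):
        self.k_i = k_i
        self.highest_sqn = 0
        self.kasme = None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        """Check AUTN (authenticate the network), then return RES."""
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _f(self.k_i, b"f1", sqn, rand)[:8]):
            raise ValueError("AUTN MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.highest_sqn:
            raise ValueError("synchronisation failure: replayed sequence number")
        self.highest_sqn = int.from_bytes(sqn, "big")
        ck = _f(self.k_i, b"f3", rand)[:16]
        ik = _f(self.k_i, b"f4", rand)[:16]
        self.kasme = _f(ck + ik, b"kasme", sqn)
        return _f(self.k_i, b"f2", rand)[:8]


class MME:
    def __init__(self, hss: HSS):
        self.hss = hss
        self.kasme = None

    def authenticate(self, ue: UE) -> bool:
        av = self.hss.authentication_vector()
        try:
            res = ue.respond(av["RAND"], av["AUTN"])   # challenge: RAND, AUTN
        except ValueError:
            return False                               # UE rejected the network
        if not hmac.compare_digest(res, av["XRES"]):   # RES == XRES ?
            return False
        self.kasme = av["Kasme"]                       # shared only after success
        return True


def run_aka() -> tuple:
    """One honest run: (UE authenticated, both sides hold the same Kasme)."""
    k_i = bytes.fromhex("0f" * 16)  # constructed long-term key
    hss, ue = HSS(k_i), UE(k_i)
    mme = MME(hss)
    ok = mme.authenticate(ue)
    return ok, ok and mme.kasme == ue.kasme


def wrong_key_rejected() -> bool:
    """A UE holding a different K_i fails mutual authentication."""
    hss = HSS(bytes.fromhex("0f" * 16))
    return MME(hss).authenticate(UE(bytes.fromhex("ff" * 16))) is False


def replayed_challenge_rejected() -> bool:
    """Re-sending an old (RAND, AUTN) is caught by the sequence-number check."""
    k_i = bytes.fromhex("0f" * 16)
    hss, ue = HSS(k_i), UE(k_i)
    av = hss.authentication_vector()
    ue.respond(av["RAND"], av["AUTN"])
    try:
        ue.respond(av["RAND"], av["AUTN"])
    except ValueError:
        return True
    return False
```

The two failure paths are the ones a verifier of such a flow cares about: the UE only derives Kasme after AUTN verifies, and the MME only stores Kasme after RES matches XRES, so a failed run leaves neither side with a usable key.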
Step 504: the UE sends a service request message to the eNB.
The service request message requests service from the eNB and is protected with the NAS security context, that is, integrity-protected with Knas.int. When the UE needs service from a given network it can send a service request message to the eNB to request it.
Step 505: the eNB sends a service request response message to the UE.
Optionally, after receiving the service request message the eNB may designate the second-standard network that is to serve the UE and the serving device in that network, generate a corresponding service response message and send it to the UE; that message tells the UE that the service request message was received and which network type will serve the UE. In practice the eNB may also not send a service request response message to the UE.
Step 506: the eNB sends the UE's service request message to the MME.
It should be noted that the eNB may forward the UE's service request message to the MME without processing it, or it may process it, for example by adding the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network. When the eNB processes the message, this embodiment calls the message sent by the UE the first service request message and the message processed by the eNB the second service request message.
Step 507: the MME generates the access key of the second-standard network.
Specifically, as shown in Figure 6, the MME's method of generating the access key may include:
Step 5071: the MME obtains the type identifier of the second-standard network that is to serve the UE located in the first-standard network.
In a first aspect, when the eNB forwards the UE's service request message to the MME in step 506, it may add to that message the type identifier or the identity identifier of the second-standard network that is to serve the UE. The type identifier indicates the type of that network, such as WiFi, GSM, UMTS or GPRS; the identity identifier uniquely identifies the network itself. The MME may take from the service request message the type identifier of the second-standard network, the identity identifier of the second-standard network, or the identity identifier of network device A. If it obtains the identity identifier of network device A, it takes the type identifier of the network in which network device A is located as the type identifier of the second-standard network that is to serve the UE; if it obtains the identity identifier of the second-standard network, it can determine the type identifier from that identity identifier. Carrying these identifiers in the service request message requires no new message, which reduces the number of messages and the network load.
In a second aspect, after receiving the service request message the eNB may generate second-standard network indication information and send it to the MME. That indication information may include the type identifier or the identity identifier of the second-standard network that is to serve the UE, or the identity identifier of network device A. After the MME receives it: when it includes the type identifier, the MME takes the type identifier directly from it; when it includes the identity identifier of the second-standard network, the MME takes that identity identifier directly from it and determines the type identifier from it; when it includes the identity identifier of network device A, the MME takes the type identifier of the network in which network device A is located as the type identifier of the second-standard network that is to serve the UE.
Step 5072: the MME determines the access key with the preset key derivation algorithm from the type identifier of the second-standard network, the preset network key and the uplink NAS sequence number.
For example, the MME may compute the access key from the relevant parameters of the NAS security context obtained in step 502 using the key calculation formula:
K=KDF(uplink NAS count,Kasme,X);
where K is the access key, "uplink NAS count" is the uplink NAS sequence number, Kasme is the preset network key, X is the type identifier of the second-standard network, which indicates that the second-standard network may be any of a WiFi network, GSM, UMTS and a GPRS network, and KDF denotes the preset key derivation algorithm, for example HMAC-SHA256. It should be noted that the derivation of the key K may include parameters other than "uplink NAS count", "Kasme" and "X".
Step 508: the MME sends the UE capability information and the access key to network device A in the second-standard network.
In a first aspect, the MME sends the UE capability information and the access key to the eNB. Because in step 505 the eNB designated the network device in the second-standard network that is to serve the UE, the eNB can obtain the address or the identity identifier of network device A and can forward the UE capability information and the access key to network device A in the second-standard network accordingly.
In a second aspect, if the MME has obtained the identity identifier of network device A, the MME can send the UE capability information and the access key directly to network device A using that identity identifier.
Step 509: network device A determines a cipher algorithm from the UE capability information.
Network device A stores locally an algorithm list that records the cipher algorithms supported by the second-standard network, ordered by priority from low to high or from high to low. To obtain the cipher algorithm for the second-standard network, network device A matches the UE's capability in that network against the algorithm list to obtain the cipher algorithms that appear in both, and takes the highest-priority one of those as the cipher algorithm selected for the second-standard network. For example, the network devices of a GSM network support the cipher algorithms A5/1, A5/3 and A5/4 (three variants of the A5 algorithm, a stream cipher specified in the European GSM standard for encrypting the link between the user equipment and the base station in digital cellular telephony); the network devices of a UMTS network support SNOW 3G and Kasumi; the network devices of a GPRS network support GEA3 and GEA4; and the network devices of a WiFi network support AES (the encryption standard chosen by the U.S. National Institute of Standards and Technology, NIST, to replace DES). Assume the second-standard network is GSM, so the UE capability in GSM obtained by network device A is L1 and L5, and assume the GSM algorithm list is as in Table 2, ordered by priority from high to low as L1, L4, L5 and L2. Network device A matches the UE capability in GSM against the GSM algorithm list and obtains L1 and L5 as the common cipher algorithms; by Table 2 the highest-priority one of these is L1, so L1 is determined as the final cipher algorithm.
Table 2 (reconstructed from the description above)
Priority (high to low) | GSM algorithm list |
---|---|
1 | L1 |
2 | L4 |
3 | L5 |
4 | L2 |
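The matching of step 509 as an added example that is not the patent's own code, using the constructed algorithm identifiers of Tables 1 and 2; the function names `select_algorithm`, `common_algorithms` and `ue_accepts` are assumptions. Beyond the match itself it covers the two cases the step leaves implicit: a list stored in ascending priority order, and a UE that has no algorithm in common with the network, where the selection must fail rather than fall back to something the UE never advertised.

```python
# Algorithm list of the GSM network device, highest priority first (Table 2, constructed).
GSM_ALGORITHM_LIST = ["L1", "L4", "L5", "L2"]

# UE capability per second-standard network (Table 1, constructed).
UE_CAPABILITY = {
    "WiFi": ["L3"],
    "GSM": ["L1", "L5"],
    "UMTS": ["L2", "L4"],
    "GPRS": ["L4"],
}


def common_algorithms(ue_capability, algorithm_list):
    """Intermediate result of step 509: the algorithms present in both the UE
    capability and the network's list, kept in the network's list order."""
    supported = set(ue_capability)
    return [alg for alg in algorithm_list if alg in supported]


def select_algorithm(ue_capability, algorithm_list, highest_first=True):
    """Return the highest-priority algorithm common to the UE and the network,
    or None when there is none. `highest_first` says how the stored list is
    ordered, since the step allows either direction."""
    ordered = list(algorithm_list) if highest_first else list(reversed(algorithm_list))
    common = common_algorithms(ue_capability, ordered)
    return common[0] if common else None   # first hit in priority order wins


def ue_accepts(ue_capability, chosen):
    """UE-side check on the algorithm carried back in the service request response
    or security activation message (step 5113): the UE should only accept an
    algorithm it advertised itself (assumption: the UE keeps the list it sent)."""
    return chosen is not None and chosen in ue_capability
```

Returning `None` instead of a default forces the caller to treat "no common algorithm" as a rejection path; the `ue_accepts` check gives the UE an independent guard against a response that names an algorithm outside its own capability.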
Step 510: network device A generates the AS key of the second-standard network from the cipher algorithm and the access key.
The cipher algorithm differs according to the second-standard network in which network device A is located. This embodiment assumes that the GSM network device selects cipher algorithm L1, the UMTS network device selects L2 and the WiFi network device selects L3. For example, when the second-standard network is GSM the AS key is calculated as:
Kc=KDF(K,L1,“GSM”);
where Kc is the AS key in GSM, K is the access key, L1 is the algorithm identifier of the cipher algorithm selected according to the UE capability, “GSM” indicates that the second-standard network is GSM, and KDF denotes the algorithm corresponding to L1.
When the second-standard network is UMTS the AS key is calculated as:
CK/IK=KDF(K,L2,“UMTS”);
where CK/IK are the AS keys in UMTS, K is the access key, L2 is the algorithm identifier of the cipher algorithm (encryption algorithm or integrity protection algorithm) selected according to the UE capability, the type identifier “UMTS” indicates that the second-standard network is UMTS, and KDF denotes the algorithm corresponding to L2.
When the second-standard network is a WiFi network the AS key is calculated as:
PMK=KDF(K,L3,“WiFi”)
where PMK is the AS key in the WiFi network, K is the access key, L3 is the algorithm identifier of the cipher algorithm selected according to the UE capability, “WiFi” indicates that the second-standard network is a WiFi network, and KDF denotes the algorithm corresponding to L3.
It should be noted that after both the UE and network device A have generated the AS key of the second-standard network, they can use the generated key to run the air interface security activation procedure and complete the negotiation and activation of the AS security context, for example the Cipher Mode Command in GSM, the Security Mode Command in UMTS or the 4-way handshake in a WiFi network.
Step 511: the UE generates the AS key of the second-standard network.
For example, as shown in Figure 7, the UE's process of generating the AS key of the second-standard network may include:
Step 5111: the UE obtains the type identifier of the second-standard network that is to serve the UE.
If step 505 was performed, then in that step the eNB may determine, according to the current network conditions, communication quality and other circumstances of the hybrid network, which network can serve the UE, and send that network's type identifier to the UE in the service response message; the UE can therefore extract the type identifier from the service response message and determine the second-standard network from it, which may be any one of a WiFi network, GSM, UMTS and a GPRS network.
If step 505 was not performed, the UE can obtain the type identifier of the second-standard network from the signalling of the air interface security activation procedure sent by the MME.
Step 5112: the UE determines the access key with the preset key derivation algorithm from the type identifier of the second-standard network, the preset network key and the uplink NAS sequence number.
For example, the UE may compute the access key from the relevant parameters of the NAS security context obtained in step 502 using the key calculation formula:
K=KDF(uplink NAS count,Kasme,X)
where K is the access key, "uplink NAS count" is the uplink NAS sequence number, Kasme is the preset network key, X is the type identifier of the second-standard network, which may be any of a WiFi network, GSM, UMTS and a GPRS network, and KDF denotes the preset key derivation algorithm, which is the same key derivation algorithm the MME used in step 507, for example HMAC-SHA256.
Step 5113: the UE generates the AS key of the second-standard network from the cipher algorithm and the access key.
The cipher algorithm is the one that network device A determined in step 509 from the UE capability information. Having selected the cipher algorithm, network device A sends it to the UE; usually network device A carries it in the service request response message or in any message of the air interface security activation procedure, and the UE obtains the cipher algorithm by parsing the corresponding message.
Different second-standard networks have different AS key calculation methods. This embodiment assumes that the GSM network device selects cipher algorithm L1, the UMTS network device selects L2 and the WiFi network device selects L3. For example, when the second-standard network is GSM the AS key is calculated as:
Kc=KDF(K,L1,“GSM”);
where Kc is the AS key in GSM, K is the access key, L1 is the algorithm identifier of the cipher algorithm that network device A selected according to the UE capability, “GSM” indicates that the second-standard network is GSM, and KDF denotes the algorithm corresponding to L1.
When the second-standard network is UMTS the AS key is calculated as:
CK/IK=KDF(K,L2,“UMTS”);
where CK/IK are the AS keys in UMTS, K is the access key, L2 is the algorithm identifier of the cipher algorithm (encryption algorithm or integrity protection algorithm) that network device A selected according to the UE capability, the type identifier “UMTS” indicates that the second-standard network is UMTS, and KDF denotes the algorithm corresponding to L2.
When the second-standard network is a WiFi network the AS key is calculated as:
PMK=KDF(K,L3,“WiFi”)
where PMK is the AS key in the WiFi network, K is the access key, L3 is the algorithm identifier of the cipher algorithm that network device A selected according to the UE capability, “WiFi” indicates that the second-standard network is a WiFi network, and KDF denotes the algorithm corresponding to L3.
In particular, the order of the steps of the key generation method provided by the embodiments of the present invention may be adjusted as appropriate, and steps may be added or removed according to circumstances; for example, step 505 may be optional. Steps 505 and 506 may also be performed after step 507 or step 508, steps 5111 to 5113 may be performed before step 506, and so on. Moreover, after step 510 network device A performs the AS security context activation procedure with the UE, and through that activation procedure the UE can also obtain the type identifier of the second-standard network. The UE-side AS key derivation of step 501 may be performed concurrently with the AS security context activation procedure that follows step 510. Any variation that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention falls within its protection scope and is not described further.
In the prior art, in a hybrid network composed of at least two of a 2G GSM network, a GPRS network, a 3G UMTS network, a 4G LTE network and the like, AS and NAS are coupled: the NAS signalling of one network can only be used together with that network's own AS signalling and cannot be used to generate the AS signalling of another network. To improve network performance and let NAS signalling and AS signalling evolve independently, the two need to be decoupled, that is, the NAS signalling of one network must be usable together with the AS signalling of another network. In existing schemes, however, as far as security authentication is concerned, the key used to protect AS signalling in each network is generated through that network's own NAS signalling procedure. For example, the GSM network and the GPRS network generate the encryption key (Kc) according to the GSM Authentication and Key Agreement (AKA) protocol, and determine and activate the encryption algorithm through the Cipher Mode Command (CMC) procedure or the GSM AKA procedure. The UMTS network generates the Cipher Key (CK) and the Integrity Key (IK) according to the UMTS AKA protocol, and determines and activates the encryption algorithm and the integrity protection algorithm through the SMC procedure.
In the embodiments of the present invention, the NAS sequence number is a sequence number of NAS signalling; the first network device of the first-standard network can generate the access key from the type identifier of the second-standard network, the preset network key and the NAS sequence number, and the network device of the second-standard network can determine the cipher algorithm from the UE capability information sent by that first network device and generate the AS key of the second-standard network from the cipher algorithm and the access key. This shows that the NAS signalling of the first-standard network can be used to generate the AS key of the second-standard network, and since the AS key is a security key of AS signalling, NAS signalling and AS signalling are thereby decoupled in respect of security authentication.
In summary, in the key generation method provided by the embodiments of the present invention, once the first network device of the first-standard network has determined the access key from NAS information it sends the access key to the network device in the second-standard network, which can then generate the AS key of the second-standard network from it. The network device of the second-standard network thus generates that AS key from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, accordingly reduces the overall communication latency and the communication load of the hybrid network, and decouples NAS signalling from AS signalling in respect of security authentication.
In another aspect, the embodiments of the present invention take as their example a UE located in the first-standard network performing a network handover, assuming the UE is handed over from the first-standard network to the second-standard network. In this case the request message is a handover request message and the first command is a handover command. Assuming the first-standard network is an LTE network, the access device of the first-standard network is the MME, and the second network device of the first-standard network in this embodiment is the eNB of the LTE network. As shown in Figure 8, and assuming that the network device in the second-standard network that is to serve the UE is network device B, the embodiment provides a key generation method that includes:
Step 801: the eNB sends a handover request message to the MME.
The eNB can monitor the state of the UE and its own local state in real time. When the UE moves out of the preset cell range, or the eNB is overloaded and needs to hand the UE or part of the UE's data traffic over to a network of another standard to relieve its load, the eNB sends a handover request message to the MME.
Step 802: the MME generates the access key of the second-standard network.
Specifically, as shown in Figure 9, the MME's method of generating the access key includes:
Step 8021: the MME obtains the type identifier of the second-standard network that is to serve the UE.
In a first aspect, when the eNB sends the handover request message to the MME in step 801, it may add to that message the type identifier of the second-standard network that is to serve the UE or the identity identifier of network device B. The MME may take from the handover request message the type identifier of the second-standard network, the identity identifier of network device B, or the identity identifier of the second-standard network. If it obtains the identity identifier of network device B, it takes the type identifier of the network in which network device B is located as the type identifier of the second-standard network that is to serve the UE; if it obtains the identity identifier of the second-standard network, it can determine the type identifier from that identity identifier.
In a second aspect, the eNB may generate second-standard network indication information and send it to the MME. That indication information may include the type identifier or the identity identifier of the second-standard network that is to serve the UE, or the identity identifier of network device B. After the MME receives it: when it includes the type identifier, the MME takes the type identifier directly from it; when it includes the identity identifier of the second-standard network, the MME takes that identity identifier directly from it and determines the type identifier from it; when it includes the identity identifier of network device B, the MME takes the type identifier of the network in which network device B is located as the type identifier of the second-standard network that is to serve the UE.
Step 8022: the MME determines the access key with the preset key derivation algorithm from the type identifier of the second-standard network, the preset network key and the downlink NAS sequence number.
Because the UE and the MME performed the AKA authentication procedure and the NAS SMC procedure when the UE requested service, so as to share the NAS security context between them (see step 503 of the embodiment above for the specific steps), the MME already holds the NAS security context at this point. In this embodiment the NAS security context includes at least the preset network key and the NAS sequence number, and the NAS security context obtained by the MME is identical to the one stored by the UE.
For example, the MME may compute the access key from the relevant parameters of the security context using the key calculation formula:
K=KDF(downlink NAS count,Kasme,X);
where K is the access key, "downlink NAS count" is the downlink NAS sequence number, Kasme is the preset network key, X is the type identifier of the second-standard network, which may be any of a WiFi network, a GSM network, a UMTS network and a GPRS network, and KDF denotes the preset key derivation algorithm, for example HMAC-SHA256. It should be noted that the derivation of the key K may include parameters other than "downlink NAS count", "Kasme" and "X".
Step 803: the MME sends the UE capability information and the access key to network device B in the second-standard network.
In a first aspect, the MME sends the UE capability information and the access key to the eNB. Because the eNB sent the handover request message to the MME in step 801, the eNB designates the new network device that is to serve the UE, that is, the handover target; the eNB can therefore obtain the address or the identity identifier of network device B in the second-standard network and forward the UE capability information and the access key to network device B accordingly.
In a second aspect, if the MME has obtained the identity identifier of network device B, the MME sends the UE capability information and the access key to network device B using that identity identifier.
Step 804: network device B determines a cipher algorithm from the UE capability information.
Network device B stores locally the algorithm list of the second-standard network, which records the cipher algorithms supported by that network, ordered by priority from low to high or from high to low. To obtain the cipher algorithm for the second-standard network, network device B matches the UE's capability in that network against the algorithm list to obtain the cipher algorithms that appear in both, and takes the highest-priority one of those as the cipher algorithm selected for the second-standard network. For example, the network devices of a GSM network support the cipher algorithms A5/1, A5/3 and A5/4, those of a UMTS network support SNOW 3G and Kasumi, those of a GPRS network support GEA3 and GEA4, and those of a WiFi network support AES. See step 509 of the embodiment above for the specific process.
Step 805: network device B generates the AS key of the second-standard network from the cipher algorithm and the access key.
The cipher algorithm differs according to the second-standard network in which network device B is located. This embodiment assumes that the GSM network device selects cipher algorithm L1, the UMTS network device selects L2 and the WiFi network device selects L3. For example, when the second-standard network is GSM the AS key is calculated as:
Kc=KDF(K,L1,“GSM”);
where Kc is the AS key in GSM, K is the access key, L1 is the algorithm identifier of the cipher algorithm selected according to the UE capability, “GSM” indicates that the second-standard network is GSM, and KDF denotes the algorithm corresponding to L1.
When the second-standard network is UMTS the AS key is calculated as:
CK/IK=KDF(K,L2,“UMTS”);
where CK/IK are the AS keys in UMTS, K is the access key, L2 is the algorithm identifier of the cipher algorithm (encryption algorithm or integrity protection algorithm) selected according to the UE capability, the type identifier “UMTS” indicates that the second-standard network is UMTS, and KDF denotes the algorithm corresponding to L2.
When the second-standard network is a WiFi network the AS key is calculated as:
PMK=KDF(K,L3,“WiFi”)
where PMK is the AS key in the WiFi network, K is the access key, L3 is the algorithm identifier of the cipher algorithm selected according to the UE capability, “WiFi” indicates that the second-standard network is a WiFi network, and KDF denotes the algorithm corresponding to L3.
Step 806: network device B sends a handover command to the MME.
Network device B is the new serving network device designated by the eNB for the UE. The handover command instructs the UE to hand over from the first-standard network to the second-standard network and may include the cipher algorithm selected by network device B. In particular, the cipher algorithm may also be sent to the eNB in another command or message and forwarded by the eNB to the UE.
Step 807: the MME sends the handover command to the eNB.
Step 808: the eNB sends the handover command to the UE.
Step 809: the UE generates the AS key of the second-standard network.
For example, as shown in Figure 10, the UE's process of generating the AS key of the second-standard network may include:
Step 8091: the UE obtains the type identifier of the second-standard network that is to serve the UE.
In step 801 the eNB may monitor the state of the UE and its own local state in real time; when the UE moves out of the preset cell range or the eNB is overloaded, the eNB determines, according to the current network conditions, communication quality and other circumstances of the hybrid network, which network can serve the UE and makes it the network the UE is to hand over to (that is, the second-standard network), and sends that network's type identifier to the UE in the handover command. The UE can therefore extract the type identifier from the handover command and determine the second-standard network from it, which may be any one of a WiFi network, a GSM network, a UMTS network and a GPRS network.
Step 8092: the UE determines the access key with the preset key derivation algorithm from the type identifier of the second-standard network, the preset network key and the downlink NAS sequence number.
For example, the UE may compute the access key from the relevant parameters of the NAS security context obtained in step 503 using the key calculation formula:
K=KDF(downlink NAS count,Kasme,X)
where K is the access key, "downlink NAS count" is the downlink NAS sequence number, Kasme is the preset network key, X is the type identifier of the second-standard network, which may be any of a WiFi network, GSM, UMTS and a GPRS network, and KDF denotes the preset key derivation algorithm, which is the same key derivation algorithm the MME used in step 8022, for example HMAC-SHA256.
Step 8093: the UE generates the AS key of the second-standard network from the cipher algorithm and the access key.
The cipher algorithm is the one that network device B determined in step 804 from the UE capability information. Having selected the cipher algorithm, network device B sends it to the UE; usually network device B carries it in the handover command generated in step 806, and the UE obtains the cipher algorithm by parsing that handover command.
Different second-standard networks have different AS key calculation methods. This embodiment assumes that the GSM network device selects cipher algorithm L1, the UMTS network device selects L2 and the WiFi network device selects L3. For example, when the second-standard network is GSM the AS key is calculated as:
Kc=KDF(K,L1,“GSM”);
where Kc is the AS key in GSM, K is the access key, L1 is the algorithm identifier of the cipher algorithm that network device B selected according to the UE capability, “GSM” indicates that the second-standard network is GSM, and KDF denotes the algorithm corresponding to L1.
When the second-standard network is UMTS the AS key is calculated as:
CK/IK=KDF(K,L2,“UMTS”);
where CK/IK are the AS keys in UMTS, K is the access key, L2 is the algorithm identifier of the cipher algorithm that network device B selected according to the UE capability, the type identifier “UMTS” indicates that the second-standard network is UMTS, and KDF denotes the algorithm corresponding to L2.
When the second-standard network is a WiFi network the AS key is calculated as:
PMK=KDF(K,L3,“WiFi”)
where PMK is the AS key in the WiFi network, K is the access key, L3 is the algorithm identifier of the cipher algorithm that network device B selected according to the UE capability, “WiFi” indicates that the second-standard network is a WiFi network, and KDF denotes the algorithm corresponding to L3.
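The two-stage derivation of steps 507/511 (service request, uplink NAS count) and steps 802/809 (handover, downlink NAS count), as an added example that is not the patent's own code. It assumes, following the text's example, that KDF is HMAC-SHA256 keyed with Kasme for the access key and with K for the AS key, that the remaining inputs are length-prefixed before hashing, and that the type identifier X is the network name as ASCII; the function names and the split of the UMTS output into CK and IK are assumptions as well. The same functions are run on the network side and on the UE side so that the match, and the mismatch when the two sides hold different NAS counts, can be checked.

```python
import hmac
import hashlib

# Type identifier X of the second-standard network (assumption: ASCII network name).
TYPE_ID = {"GSM": b"GSM", "UMTS": b"UMTS", "GPRS": b"GPRS", "WiFi": b"WiFi"}


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Preset key derivation algorithm: HMAC-SHA256 keyed with `key` over the
    length-prefixed inputs (assumption: the text names HMAC-SHA256 but not the
    input encoding; the prefixes keep distinct input tuples distinct)."""
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def access_key(kasme: bytes, nas_count: int, direction: str, network: str) -> bytes:
    """K = KDF(uplink/downlink NAS count, Kasme, X): steps 5072/5112 and 8022/8092.
    The direction is bound into the input so an uplink-derived K never equals a
    downlink-derived one for the same count value."""
    if direction not in ("uplink", "downlink"):
        raise ValueError("NAS count direction must be 'uplink' or 'downlink'")
    count = nas_count.to_bytes(4, "big")   # 24-bit NAS COUNT fits in 4 bytes
    return kdf(kasme, direction.encode(), count, TYPE_ID[network])


def as_key(k: bytes, algorithm_id: str, network: str) -> dict:
    """Kc / CK,IK / PMK = KDF(K, L_i, X): steps 510/5113 and 805/8093.
    Only the three formulas given in the text are implemented."""
    out = kdf(k, algorithm_id.encode(), TYPE_ID[network])
    if network == "GSM":
        return {"Kc": out}
    if network == "UMTS":
        return {"CK": out[:16], "IK": out[16:]}   # assumption: 32 bytes split in half
    if network == "WiFi":
        return {"PMK": out}
    raise ValueError(f"no AS key formula given for {network}")


def derive_both_sides(kasme, network, algorithm_id, direction, net_count, ue_count):
    """Run the derivation on the network side (MME, then device A/B) and on the
    UE side; `net_count` and `ue_count` are the NAS counts each side holds."""
    net = as_key(access_key(kasme, net_count, direction, network), algorithm_id, network)
    ue = as_key(access_key(kasme, ue_count, direction, network), algorithm_id, network)
    return net, ue


def keys_match(network, algorithm_id, direction, net_count, ue_count) -> bool:
    """True only if every AS key component agrees on both sides."""
    kasme = bytes.fromhex("11" * 32)   # constructed Kasme shared after EPS AKA
    net, ue = derive_both_sides(kasme, network, algorithm_id, direction, net_count, ue_count)
    return all(hmac.compare_digest(net[name], ue[name]) for name in net)
```

Because the NAS count is an input, a UE whose count has drifted from the MME's (for example after a lost NAS message) derives a different AS key and the air interface security activation that follows will fail; that is the expected outcome rather than a fallback, and it is why the text insists that both sides hold the same NAS security context.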
In particular, the order of the steps of the key generation method provided by the embodiments of the present invention may be adjusted as appropriate, and steps may be added or removed according to circumstances. Any variation that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention falls within its protection scope and is not described further.
In the prior art, the NAS signalling of one network cannot be used to generate the AS signalling of another network. In the embodiments of the present invention, by contrast, the NAS sequence number is a sequence number of NAS signalling; the first network device of the first-standard network can generate the access key from the type identifier of the second-standard network, the preset network key and the NAS sequence number, and the network device of the second-standard network can determine the cipher algorithm from the UE capability information sent by that first network device and generate the AS key of the second-standard network from the cipher algorithm and the access key. This shows that the NAS signalling of the first-standard network can be used to generate the AS key of the second-standard network, and since the AS key is a security key of AS signalling, NAS signalling and AS signalling are thereby decoupled in respect of security authentication.
Further, in the prior art, in a hybrid network formed by connecting a WiFi network to the core network of an LTE network, a UE accessing the WiFi network must run a security authentication procedure with the WiFi network to generate keys, and when the UE is handed over from the WiFi network to the LTE network it must run the complete security authentication procedure again with the LTE network. In the embodiments of the present invention, when the UE accesses the WiFi network the AS key of the WiFi network is generated from the access key determined by LTE, and when the UE is handed over from the WiFi network to the LTE network the first network device of the LTE network (the MME) can select a cipher algorithm from the UE's capability in the LTE network and generate the AS key of the LTE network from that cipher algorithm and the previously generated access key, without rerunning the complete security authentication procedure. This reduces the overall communication latency and the communication load of the hybrid network.
An embodiment of the present invention provides a key generation device 1 located in the first-standard network; key generation device 1 may be part or all of a UE located in the first-standard network. As shown in Figure 11, key generation device 1 may include:
an acquisition unit 11, a determining unit 12 and a generating unit 13.
The acquisition unit 11 is configured to obtain, after a first command is received, the type identifier of the second-standard network that is to serve key generation device 1, where the first command is a service request response message, a handover command, or any message of the air interface security activation procedure;
the determining unit 12 is configured to determine an access key with the preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the generating unit 13 is configured to generate the access stratum (AS) key of the second-standard network from the access key.
Optionally, key generation device 1 and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
In summary, in the key generation device provided by the embodiments of the present invention, once the determining unit has determined the access key from NAS information the generating unit can generate the AS key of the second-standard network from that access key. The AS key of the second-standard network is therefore generated from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Optionally, the first command includes a cipher algorithm, and the generating unit 13 is specifically configured to generate the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the first command is a service request response message or any message of the air interface security activation procedure, and, as shown in Figure 12, key generation device 1 may further include:
a sending unit 14, configured to:
send a service request message to the second network device of the first-standard network, so that the second network device, based on that service request message, sends second-standard network indication information to the first network device of the first-standard network, the indication information including the type identifier or the identity identifier of the second-standard network that is to serve the UE; or send a first service request message to the second network device of the first-standard network, so that the second network device, based on the first service request message, sends a second service request message to the first network device of the first-standard network, where the second service request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE.
It should be noted that the first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
An embodiment of the present invention provides a key generation device 2 located in the first-standard network; key generation device 2 may be part or all of the first network device of the first-standard network. As shown in Figure 13, key generation device 2 may include:
an acquisition unit 21, a determining unit 22 and a sending unit 23.
The acquisition unit 21 is configured to obtain, after a request message sent by the second network device of the first-standard network is received, the type identifier of the second-standard network that is to serve a UE located in the first-standard network, where the request message is a service request message or a handover request message;
the determining unit 22 is configured to determine an access key with the preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the sending unit 23 is configured to send the access key to the network device of the second-standard network, so that that network device generates the access stratum (AS) key of the second-standard network from the access key.
Optionally, the key generation device and the UE share the NAS sequence number and the key of the first-standard network.
In summary, in the key generation device provided by the embodiments of the present invention, once the determining unit has determined the access key from NAS information the sending unit sends the access key to the network device in the second-standard network, which can then generate the AS key of the second-standard network from it. The network device of the second-standard network thus generates that AS key from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Optionally, the acquisition unit 21 is further configured to obtain the UE capability information, which includes the capability of the UE in the second-standard network; the sending unit 23 is then specifically configured to send the UE capability information and the access key to the network device of the second-standard network, so that that network device determines a cipher algorithm from the UE capability information and generates the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network, and the acquisition unit 21 is specifically configured to take the type identifier of the second-standard network from the request message, or to determine the type identifier from the identity identifier of the second-standard network.
Further, the acquisition unit 21 is specifically configured to:
receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, and determine the type identifier of the second-standard network from that identity identifier.
The sending unit 23 is specifically configured to send the access key to the network device of the second-standard network via the second network device of the first-standard network.
The first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a Wireless Fidelity (WiFi) network.
An embodiment of the present invention provides a key generation device 3 located in the second-standard network; key generation device 3 may be the network device of the second-standard network. As shown in Figure 14, key generation device 3 may include a receiving unit 31 and a generating unit 32.
The receiving unit 31 is configured to receive the access key sent by the first network device of the first-standard network, the access key having been determined by that first network device from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the generating unit 32 is configured to generate the access stratum (AS) key of the second-standard network from the access key.
The UE located in the first-standard network and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
In summary, in the key generation device provided by the embodiments of the present invention, once the receiving unit has received the access key sent by the first network device of the first-standard network the generating unit generates the access stratum (AS) key of the second-standard network from it, the access key having been determined by the first network device from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number. The network device of the second-standard network thus generates that AS key from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Further, the generating unit 32 is specifically configured to: receive the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network; determine a cipher algorithm from the UE capability information; and generate the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the receiving unit 31 is specifically configured to receive the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
The first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
An embodiment of the present invention provides a key generation device 4 located in the first-standard network; key generation device 4 may be all or part of a UE of the first-standard network. As shown in Figure 15, the key generation device may include a receiver 41, a processor 42 (for example a CPU), a bus 43 and a memory 44; the bus 43 connects the receiver 41, the processor 42 and the memory 44, and the processor 42 executes a program 441 stored in the memory 44. The memory 44 may include high-speed Random Access Memory (RAM) and may also include non-volatile memory, for example at least one disk storage.
The processor 42 is configured to obtain, after the receiver 41 receives a first command, the type identifier of the second-standard network that is to serve key generation device 4, where the first command is a service request response message, a handover command, or any message of the air interface security activation procedure;
the processor 42 is further configured to determine an access key with the preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the processor 42 is further configured to generate the access stratum (AS) key of the second-standard network from the access key.
In summary, in the key generation device provided by the embodiments of the present invention, once the processor has determined the access key from NAS information it can generate the AS key of the second-standard network from that access key. The AS key of the second-standard network is therefore generated from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Optionally, the key generation device and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
Optionally, the first command includes a cipher algorithm, and the processor 42 is specifically configured to generate the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, as shown in Figure 16, the first command is a service request response message or any message of the air interface security activation procedure, and key generation device 4 may further include:
a transmitter 45, configured to:
send a service request message to the second network device of the first-standard network, so that the second network device, based on that service request message, sends second-standard network indication information to the first network device of the first-standard network, the indication information including the type identifier or the identity identifier of the second-standard network that is to serve the UE;
or send a first service request message to the second network device of the first-standard network, so that the second network device, based on the first service request message, sends a second service request message to the first network device of the first-standard network, where the second service request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE.
The first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
An embodiment of the present invention provides a key generation device 5, shown in Figure 17, located in the first-standard network; key generation device 5 may be part or all of the first network device of the first-standard network. Key generation device 5 includes a receiver 51, a transmitter 52, a processor 53, a bus 54 and a memory 55; the bus 54 connects the receiver 51, the transmitter 52, the processor 53 and the memory 55, and the processor 53 executes a program 551 stored in the memory 55;
the processor 53 is configured to obtain, after the receiver receives a request message sent by the second network device of the first-standard network, the type identifier of the second-standard network that is to serve a UE located in the first-standard network, where the request message is a service request message or a handover request message;
the processor 53 is further configured to determine an access key with the preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the transmitter 52 is configured to send the access key to the network device of the second-standard network, so that that network device generates the access stratum (AS) key of the second-standard network from the access key.
In summary, in the key generation device provided by the embodiments of the present invention, once the processor has determined the access key from NAS information the transmitter sends the access key to the network device in the second-standard network, which can then generate the AS key of the second-standard network from it. The processor thus enables the AS key of the second-standard network to be generated from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Optionally, key generation device 5 and the UE share the NAS sequence number and the key of the first-standard network.
Optionally, the processor 53 is further configured to obtain the UE capability information, which includes the capability of the UE in the second-standard network;
the transmitter 52 is then specifically configured to send the UE capability information and the access key to the network device of the second-standard network, so that that network device determines a cipher algorithm from the UE capability information and generates the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network, and the processor 53 is specifically configured to:
take the type identifier of the second-standard network from the request message;
or determine the type identifier of the second-standard network from the identity identifier of the second-standard network.
Optionally, the receiver 51 is specifically configured to:
receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or
receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, in which case the first network device of the first-standard network determines the type identifier of the second-standard network from that identity identifier.
Optionally, the transmitter 52 is specifically configured to:
send the access key to the network device of the second-standard network via the second network device of the first-standard network.
The first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
An embodiment of the present invention provides a key generation device 6, shown in Figure 18, located in the second-standard network; key generation device 6 may be part or all of the network device of the second-standard network. Key generation device 6 may include a receiver 61, a processor 62, a bus 63 and a memory 64; the bus 63 connects the receiver 61, the processor 62 and the memory 64, and the processor 62 executes a program 641 stored in the memory 64;
the receiver 61 is configured to receive the access key sent by the first network device of the first-standard network, the access key having been determined by that first network device from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network;
the processor 62 is configured to generate the access stratum (AS) key of the second-standard network from the access key;
where the UE located in the first-standard network and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
In summary, in the key generation device provided by the embodiments of the present invention, once the receiver has received the access key sent by the first network device of the first-standard network the processor generates the access stratum (AS) key of the second-standard network from it, the access key having been determined by the first network device from the type identifier of the second-standard network, the key of the first-standard network and the NAS sequence number. The network device of the second-standard network thus generates that AS key from the key and the NAS information of the first-standard network, which avoids the security authentication procedure that the prior art requires before the AS key of the second-standard network is generated while still ensuring security, and accordingly reduces the overall communication latency and the communication load of the hybrid network.
Optionally, the receiver 61 is further configured to:
receive the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network;
and the processor 62 is specifically configured to determine a cipher algorithm from the UE capability information and to generate the AS key of the second-standard network from the cipher algorithm and the access key.
Optionally, the receiver 61 is specifically configured to:
receive the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
The first-standard network is an LTE network and the second-standard network is at least one of a GSM network, a UMTS network, a GPRS network and a WiFi network.
An embodiment of the present invention provides a key generation system, which may include:
key generation device 1 of Figure 11 or Figure 12, and key generation device 2 of Figure 13.
Further, the key generation system may also include key generation device 3 of Figure 14.
In practice the key generation system may include at least one of key generation device 1 of Figure 11 or Figure 12, key generation device 2 of Figure 13 and key generation device 3 of Figure 14; for example, it may include key generation device 1 of Figure 11 or Figure 12 together with key generation device 3 of Figure 14, or key generation device 2 of Figure 13 together with key generation device 3 of Figure 14.
An embodiment of the present invention provides a key generation system, which may include:
key generation device 4 of Figure 15 or Figure 16, and key generation device 5 of Figure 17.
Further, the key generation system may also include key generation device 6 of Figure 18.
In practice the key generation system may include at least one of key generation device 4 of Figure 15 or Figure 16, key generation device 5 of Figure 17 and key generation device 6 of Figure 18; for example, it may include key generation device 4 of Figure 15 or Figure 16 together with key generation device 6 of Figure 18, or key generation device 5 of Figure 17 together with key generation device 6 of Figure 18.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided in this application it should be understood that the disclosed systems, apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatus or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit. The integrated unit may be implemented in hardware or in the form of hardware plus software functional units.
A person of ordinary skill in the art will understand that all or part of the steps of the embodiments above may be performed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within its protection scope.
Claims (47)
- A key generation method, characterized in that the method includes: after receiving a first command, a user equipment (UE) located in a first-standard network obtains the type identifier of a second-standard network that is to serve the UE, where the first command is a service request response message, a handover command, or any message of the air interface security activation procedure; the UE determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the UE generates the access stratum (AS) key of the second-standard network from the access key.
- The method according to claim 1, characterized in that the UE and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
- The method according to claim 1 or 2, characterized in that the first command includes a cipher algorithm, and the UE generating the AS key of the second-standard network from the access key includes: the UE generating the AS key of the second-standard network from the cipher algorithm and the access key.
- The method according to any one of claims 1 to 3, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation method, characterized in that the method includes: after receiving a request message sent by a second network device of a first-standard network, a first network device of the first-standard network obtains the type identifier of a second-standard network that is to serve a user equipment (UE) located in the first-standard network, where the request message is a service request message or a handover request message; the first network device of the first-standard network determines an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the first network device of the first-standard network sends the access key to the network device of the second-standard network, so that that network device generates the access stratum (AS) key of the second-standard network from the access key.
- The method according to claim 5, characterized in that the first network device of the first-standard network and the UE share the NAS sequence number and the key of the first-standard network.
- The method according to claim 5 or 6, characterized in that, before obtaining the type identifier of the second-standard network that is to serve the UE located in the first-standard network, the method further includes: the first network device of the first-standard network obtains the capability information of the UE, which includes the capability of the UE in the second-standard network; and the first network device of the first-standard network sending the access key to the network device of the second-standard network so that it generates the AS key of the second-standard network from the access key includes: the first network device of the first-standard network sends the UE capability information and the access key to the network device of the second-standard network, so that that network device determines a cipher algorithm from the UE capability information and generates the AS key of the second-standard network from the cipher algorithm and the access key.
- The method according to any one of claims 5 to 7, characterized in that the request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network, and obtaining the type identifier of the second-standard network that is to serve the UE located in the first-standard network includes: the first network device of the first-standard network takes the type identifier of the second-standard network from the request message; or the first network device of the first-standard network determines the type identifier of the second-standard network from the identity identifier of the second-standard network.
- The method according to any one of claims 5 to 7, characterized in that obtaining the type identifier of the second-standard network that is to serve the UE located in the first-standard network includes: the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or the first network device of the first-standard network receives second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, and the first network device of the first-standard network determines the type identifier of the second-standard network from that identity identifier.
- The method according to any one of claims 5 to 9, characterized in that the first network device of the first-standard network sending the access key to the network device of the second-standard network includes: the first network device of the first-standard network sends the access key to the network device of the second-standard network via the second network device of the first-standard network.
- The method according to any one of claims 5 to 10, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation method, characterized in that the method includes: a network device of a second-standard network receives an access key sent by a first network device of a first-standard network, where the access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the network device of the second-standard network generates the access stratum (AS) key of the second-standard network from the access key.
- The method according to claim 12, characterized in that the network device of the second-standard network generating the AS key of the second-standard network from the access key includes: the network device of the second-standard network receives the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network; the network device of the second-standard network determines a cipher algorithm from the UE capability information; and the network device of the second-standard network generates the AS key of the second-standard network from the cipher algorithm and the access key.
- The method according to claim 12 or 13, characterized in that the network device of the second-standard network receiving the access key sent by the first network device of the first-standard network includes: the network device of the second-standard network receives the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
- The method according to any one of claims 12 to 14, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a first-standard network and includes: an acquisition unit configured to obtain, after a first command is received, the type identifier of a second-standard network that is to serve the key generation device, where the first command is a service request response message, a handover command, or any message of the air interface security activation procedure; a determining unit configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and a generating unit configured to generate the access stratum (AS) key of the second-standard network from the access key.
- The key generation device according to claim 16, characterized in that the key generation device and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
- The key generation device according to claim 16 or 17, characterized in that the first command includes a cipher algorithm, and the generating unit is specifically configured to generate the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to any one of claims 16 to 18, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a first-standard network and includes: an acquisition unit configured to obtain, after a request message sent by a second network device of the first-standard network is received, the type identifier of a second-standard network that is to serve a user equipment (UE) located in the first-standard network, where the request message is a service request message or a handover request message; a determining unit configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and a sending unit configured to send the access key to the network device of the second-standard network, so that that network device generates the access stratum (AS) key of the second-standard network from the access key.
- The device according to claim 20, characterized in that the key generation device and the UE share the NAS sequence number and the key of the first-standard network.
- The device according to claim 20 or 21, characterized in that the acquisition unit is further configured to obtain the UE capability information, which includes the capability of the UE in the second-standard network; and the sending unit is specifically configured to send the UE capability information and the access key to the network device of the second-standard network, so that that network device determines a cipher algorithm from the UE capability information and generates the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to any one of claims 20 to 22, characterized in that the request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network, and the acquisition unit is specifically configured to: take the type identifier of the second-standard network from the request message; or determine the type identifier of the second-standard network from the identity identifier of the second-standard network.
- The device according to any one of claims 20 to 22, characterized in that the acquisition unit is specifically configured to: receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, and determine the type identifier of the second-standard network from that identity identifier.
- The device according to any one of claims 20 to 24, characterized in that the sending unit is specifically configured to send the access key to the network device of the second-standard network via the second network device of the first-standard network.
- The device according to any one of claims 20 to 25, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a second-standard network and includes: a receiving unit configured to receive an access key sent by a first network device of a first-standard network, where the access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and a generating unit configured to generate the access stratum (AS) key of the second-standard network from the access key.
- The device according to claim 27, characterized in that the generating unit is specifically configured to: receive the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network; determine a cipher algorithm from the UE capability information; and generate the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to claim 27 or 28, characterized in that the receiving unit is specifically configured to receive the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
- The device according to any one of claims 27 to 29, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a first-standard network and includes a receiver, a processor, a bus and a memory; the bus connects the receiver, the processor and the memory, and the processor executes a program stored in the memory; the processor is configured to obtain, after the receiver receives a first command, the type identifier of a second-standard network that is to serve the key generation device, where the first command is a service request response message, a handover command, or any message of the air interface security activation procedure; the processor is further configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the processor is further configured to generate the access stratum (AS) key of the second-standard network from the access key.
- The device according to claim 31, characterized in that the key generation device and the first network device of the first-standard network share the NAS sequence number and the key of the first-standard network.
- The device according to claim 31 or 32, characterized in that the first command includes a cipher algorithm, and the processor is specifically configured to generate the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to any one of claims 31 to 33, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a first-standard network and includes a receiver, a transmitter, a processor, a bus and a memory; the bus connects the receiver, the transmitter, the processor and the memory, and the processor executes a program stored in the memory; the processor is configured to obtain, after the receiver receives a request message sent by a second network device of the first-standard network, the type identifier of a second-standard network that is to serve a user equipment (UE) located in the first-standard network, where the request message is a service request message or a handover request message; the processor is further configured to determine an access key with a preset key derivation algorithm from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the transmitter is configured to send the access key to the network device of the second-standard network, so that that network device generates the access stratum (AS) key of the second-standard network from the access key.
- The device according to claim 35, characterized in that the key generation device and the UE share the NAS sequence number and the key of the first-standard network.
- The device according to claim 35 or 36, characterized in that the processor is further configured to obtain the UE capability information, which includes the capability of the UE in the second-standard network; and the transmitter is specifically configured to send the UE capability information and the access key to the network device of the second-standard network, so that that network device determines a cipher algorithm from the UE capability information and generates the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to any one of claims 35 to 37, characterized in that the request message includes the type identifier or the identity identifier of the second-standard network that is to serve the UE located in the first-standard network, and the processor is specifically configured to: take the type identifier of the second-standard network from the request message; or determine the type identifier of the second-standard network from the identity identifier of the second-standard network.
- The device according to any one of claims 35 to 37, characterized in that the receiver is specifically configured to: receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the type identifier of the second-standard network; or receive second-standard network indication information sent by the second network device of the first-standard network, the indication information including the identity identifier of the second-standard network, the type identifier of the second-standard network then being determined from that identity identifier.
- The device according to any one of claims 35 to 39, characterized in that the transmitter is specifically configured to send the access key to the network device of the second-standard network via the second network device of the first-standard network.
- The device according to any one of claims 35 to 40, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation device, characterized in that the key generation device is located in a second-standard network and includes a receiver, a processor, a bus and a memory; the bus connects the receiver, the processor and the memory, and the processor executes a program stored in the memory; the receiver is configured to receive an access key sent by a first network device of a first-standard network, where the access key is determined by the first network device of the first-standard network from the type identifier of the second-standard network, the key of the first-standard network and the non-access stratum (NAS) sequence number of the first-standard network; and the processor is configured to generate the access stratum (AS) key of the second-standard network from the access key.
- The device according to claim 42, characterized in that the receiver is further configured to receive the UE capability information sent by the first network device of the first-standard network, which includes the capability of the UE in the second-standard network; and the processor is specifically configured to determine a cipher algorithm from the UE capability information and to generate the AS key of the second-standard network from the cipher algorithm and the access key.
- The device according to claim 42 or 43, characterized in that the receiver is specifically configured to receive the access key that the first network device of the first-standard network sends via the second network device of the first-standard network.
- The device according to any one of claims 42 to 44, characterized in that the first-standard network is a Long Term Evolution (LTE) network and the second-standard network is at least one of a Global System for Mobile Communications (GSM) network, a Universal Mobile Telecommunications System (UMTS) network, a General Packet Radio Service (GPRS) network and a Wireless Fidelity (WiFi) network.
- A key generation system, characterized in that the system includes: the key generation device according to any one of claims 16 to 19; and the key generation device according to any one of claims 20 to 26.
- The system according to claim 46, characterized in that the key generation system further includes the key generation device according to any one of claims 27 to 29.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201580006942.3A CN106134231B (zh) | 2015-02-28 | 2015-02-28 | Key generation method, device and system |
PCT/CN2015/073400 WO2016134536A1 (zh) | 2015-02-28 | 2015-02-28 | Key generation method, device and system |
EP15882974.7A EP3255914A4 (en) | 2015-02-28 | 2015-02-28 | Key generation method, device and system |
US15/688,343 US20170359719A1 (en) | 2015-02-28 | 2017-08-28 | Key generation method, device, and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2015/073400 WO2016134536A1 (zh) | 2015-02-28 | 2015-02-28 | Key generation method, device and system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/688,343 Continuation US20170359719A1 (en) | 2015-02-28 | 2017-08-28 | Key generation method, device, and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016134536A1 (zh) | 2016-09-01 |
Family
ID=56787779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/073400 WO2016134536A1 (zh) | 2015-02-28 | 2015-02-28 | Key generation method, device and system |
Country Status (4)
Country | Link |
---|---|
US (1) | US20170359719A1 (zh) |
EP (1) | EP3255914A4 (zh) |
CN (1) | CN106134231B (zh) |
WO (1) | WO2016134536A1 (zh) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117354802A (zh) * | 2015-11-02 | 2024-01-05 | Telefonaktiebolaget LM Ericsson (Publ) | Wireless communication |
US10182387B2 (en) | 2016-06-01 | 2019-01-15 | At&T Intellectual Property I, L.P. | Method and apparatus for distributing content via diverse networks |
CN109462847B (zh) * | 2017-07-28 | 2019-08-02 | Huawei Technologies Co., Ltd. | Security implementation method, related apparatus, and system |
US12052358B2 (en) | 2018-01-12 | 2024-07-30 | Qualcomm Incorporated | Method and apparatus for multiple registrations |
US11553381B2 (en) | 2018-01-12 | 2023-01-10 | Qualcomm Incorporated | Method and apparatus for multiple registrations |
JP2021524167A (ja) * | 2018-01-12 | 2021-09-09 | Qualcomm Incorporated | Method and apparatus for multiple registrations |
CN110830997B (zh) * | 2018-08-10 | 2022-08-19 | ZTE Corporation | Key determination method and apparatus, storage medium, and electronic apparatus |
WO2021031015A1 (zh) * | 2019-08-16 | 2021-02-25 | Huawei Technologies Co., Ltd. | Communication method, device, and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010077007A2 (en) * | 2008-12-29 | 2010-07-08 | Samsung Electronics Co., Ltd. | Handover method of mobile terminal between heterogeneous networks |
CN102413467A (zh) * | 2011-11-29 | 2012-04-11 | ZTE Corporation | SRVCC handover processing method, apparatus, and terminal |
CN103428690A (zh) * | 2012-05-23 | 2013-12-04 | Huawei Technologies Co., Ltd. | Secure establishment method, system and device for a wireless local area network |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2007160A1 (en) * | 2007-06-19 | 2008-12-24 | Nokia Siemens Networks Oy | Method and device for performing a handover and communication system comprising such device |
CN101635909A (zh) * | 2008-07-21 | 2010-01-27 | China Mobile Communications Group Co., Ltd. | Authentication method, system and terminal for roaming between networks of different standards |
CN101931951B (zh) * | 2009-06-26 | 2012-11-07 | Huawei Technologies Co., Ltd. | Key derivation method, device and system |
US9655012B2 (en) * | 2012-12-21 | 2017-05-16 | Qualcomm Incorporated | Deriving a WLAN security context from a WWAN security context |
2015
- 2015-02-28 CN CN201580006942.3A patent/CN106134231B/zh active Active
- 2015-02-28 EP EP15882974.7A patent/EP3255914A4/en not_active Withdrawn
- 2015-02-28 WO PCT/CN2015/073400 patent/WO2016134536A1/zh active Application Filing
2017
- 2017-08-28 US US15/688,343 patent/US20170359719A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See also references of EP3255914A4 * |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114630381B (zh) * | 2017-09-15 | 2024-06-04 | Telefonaktiebolaget LM Ericsson (Publ) | Security context in a wireless communication system |
CN114630381A (zh) * | 2017-09-15 | 2022-06-14 | Telefonaktiebolaget LM Ericsson (Publ) | Security context in a wireless communication system |
US11122427B2 (en) | 2017-09-26 | 2021-09-14 | Telefonaktiebolaget Lm Ericsson (Publ) | Managing security contexts and performing key derivation at handover in a wireless communication system |
JP7232250B2 (ja) | 2017-09-26 | 2023-03-02 | Telefonaktiebolaget LM Ericsson (Publ) | Managing security contexts and performing key derivation at handover in a wireless communication system |
WO2019066692A1 (en) * | 2017-09-26 | 2019-04-04 | Telefonaktiebolaget Lm Ericsson (Publ) | MANAGING SECURITY CONTEXTS AND PROVIDING KEY DERIVATION DURING INTERCELLULAR TRANSFER IN A WIRELESS COMMUNICATION SYSTEM |
EP4047865A1 (en) * | 2017-09-26 | 2022-08-24 | Telefonaktiebolaget LM Ericsson (publ) | Managing security contexts and performing key derivation at handover in a wireless communication system |
JP2020535732A (ja) * | 2017-09-26 | 2020-12-03 | Telefonaktiebolaget LM Ericsson (Publ) | Managing security contexts and performing key derivation at handover in a wireless communication system |
US11576038B2 (en) | 2017-10-23 | 2023-02-07 | Huawei Technologies Co., Ltd. | Key generation method, apparatus, and system |
CN109699028B (zh) * | 2017-10-23 | 2020-08-25 | Huawei Technologies Co., Ltd. | Key generation method, apparatus, and system |
US11882436B2 (en) | 2017-10-23 | 2024-01-23 | Huawei Technologies Co., Ltd. | Key generation method, apparatus, and system |
CN109699028A (zh) * | 2017-10-23 | 2019-04-30 | Huawei Technologies Co., Ltd. | Key generation method, apparatus, and system |
WO2019101898A1 (en) * | 2017-11-24 | 2019-05-31 | Sony Mobile Communications Inc. | Transfer/cloning of security context |
US11523308B2 (en) | 2018-04-04 | 2022-12-06 | Huawei Technologies Co., Ltd. | Methods, apparatuses, and systems for voice service handover |
WO2019192460A1 (zh) * | 2018-04-04 | 2019-10-10 | Huawei Technologies Co., Ltd. | Communication method and apparatus |
WO2020052613A1 (zh) * | 2018-09-15 | 2020-03-19 | Huawei Technologies Co., Ltd. | Handover method and terminal device |
CN112771815A (zh) * | 2020-03-31 | 2021-05-07 | Huawei Technologies Co., Ltd. | Key processing method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN106134231B (zh) | 2019-10-01 |
CN106134231A (zh) | 2016-11-16 |
EP3255914A1 (en) | 2017-12-13 |
EP3255914A4 (en) | 2018-02-14 |
US20170359719A1 (en) | 2017-12-14 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
WO2016134536A1 (zh) | Key generation method, device and system | |
CN109511113B (zh) | Security implementation method, related apparatus, and system | |
CN110830991B (zh) | Secure session method and apparatus | |
US11178584B2 (en) | Access method, device and system for user equipment (UE) | |
CN103391541B (zh) | Configuration method, apparatus and system for a wireless device | |
US10687213B2 (en) | Secure establishment method, system and device of wireless local area network | |
US10798082B2 (en) | Network authentication triggering method and related device | |
WO2018137351A1 (zh) | Network key processing method, related device and system | |
US20200228977A1 (en) | Parameter Protection Method And Device, And System | |
WO2020248624A1 (zh) | Communication method, network device, user equipment and access network device | |
JP2019527504A (ja) | Unified authentication for heterogeneous networks | |
WO2014169451A1 (zh) | Data transmission method and apparatus | |
CN106797559B (zh) | Access authentication method and apparatus | |
WO2013166908A1 (zh) | Key information generation method and system, terminal device, and access network device | |
EP2648437B1 (en) | Method, apparatus and system for key generation | |
CN102378174A (zh) | Access method, apparatus and system for a user terminal with a SIM card | |
US20240089728A1 (en) | Communication method and apparatus | |
WO2022027476A1 (zh) | Key management method and communication apparatus | |
CN107925874B (zh) | Ultra-dense network security architecture and method | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15882974 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| REEP | Request for entry into the european phase | Ref document number: 2015882974 Country of ref document: EP |