WO2017070973A1 - Internet protocol security tunnel establishing method, user equipment and base station - Google Patents

Internet protocol security tunnel establishing method, user equipment and base station Download PDF

Info

Publication number
WO2017070973A1
WO2017070973A1 PCT/CN2015/093536 CN2015093536W WO2017070973A1 WO 2017070973 A1 WO2017070973 A1 WO 2017070973A1 CN 2015093536 W CN2015093536 W CN 2015093536W WO 2017070973 A1 WO2017070973 A1 WO 2017070973A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
parameter
base station
security
ipsec tunnel
Prior art date
Application number
PCT/CN2015/093536
Other languages
French (fr)
Chinese (zh)
Inventor
陈璟
李�赫
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201580035366.5A priority Critical patent/CN107005410B/en
Priority to PCT/CN2015/093536 priority patent/WO2017070973A1/en
Publication of WO2017070973A1 publication Critical patent/WO2017070973A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an internet protocol security (IPsec) tunnel establishment method, a user equipment, and a base station.
  • IPsec internet protocol security
  • LWA Long Term Evolution-Wireless Local Area Networks
  • MME Mobility Management Entity
  • S-GW Serving Gateway
  • the core network side is connected through the S1 interface, and the eNB is connected to the WLAN terminal (WT terminal) through the Xw interface.
  • WT terminal WLAN terminal
  • the WT is transparent and invisible, that is, the core network side does not know the existence of the WT.
  • a WT can be connected to multiple WLAN access nodes (APs), and the user equipment (User Equipment, UE for short) is connected to the AP to access the network.
  • APs WLAN access nodes
  • UE User Equipment
  • the eNB forwards the data to the UE through the WT to implement WLAN offloading.
  • Figure 1 shows the LWA technology under the new architecture, which requires compatibility with existing WLAN technologies under the new architecture.
  • the access mode of the existing WLAN is adopted by the architecture of FIG. 2, and is accessed through the S2a and S2b interfaces.
  • the S2a access mode is an interface used when the UE accesses a trusted WLAN.
  • a trusted WLAN means that the WLAN is deployed by the operator.
  • the UE can directly connect to the Packet Data Network-Gateway (P-GW) on the core network side to implement the WLAN access and data splitting.
  • P-GW Packet Data Network-Gateway
  • the S2b interface is the interface between the ePDG and the P-GW.
  • the UE uses this interface when accessing a non-trusted WLAN.
  • An untrusted WLAN refers to a WLAN node that is not deployed by the operator.
  • ePDG Evloved Packet Data Gateway
  • ePDG is a network element deployed by the carrier, so ePDG It is credible for the operator, which ensures that the untrusted WLAN has no way to see and modify the user data transmitted between the UE and the core network side, thereby ensuring that only the WLAN is used to transmit data, instead of providing other services by the WLAN. .
  • the new requirement is compatible with the existing WLAN, which means that it is compatible with the non-trusted WLAN access mode under the S2b access mode.
  • the ePDG is not deployed between the WT and the eNB, so that it is impossible to protect the data security of the user under the untrusted WLAN.
  • the embodiment of the present invention provides an IPsec tunnel establishment method, a user equipment and a base station, to establish an IPsec tunnel between the user equipment and the base station, to ensure that the user equipment securely accesses the core network, and ensures data transmission security.
  • a method for establishing an Internet Protocol security IPsec tunnel including:
  • the base station sends the first anti-replay parameter to the user equipment
  • the base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec;
  • IPsec tunnel establishment parameter includes a second AUTH
  • the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to the second Kipsec generates the second AUTH
  • the base station verifies the first AUTH and the second AUTH, and the identity of the user equipment.
  • the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, and establish an IPsec tunnel, thereby realizing the user equipment to securely access the core network through the wireless local area network, thereby ensuring data transmission. Security.
  • the method further includes:
  • the base station receives an IP address of a wireless local area network to which the user equipment is connected, which is sent by the user equipment.
  • the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by IPsec, the first security
  • the parameters include a security algorithm, and the first Kipsec or the second Kipsec.
  • the determining, by the base station, an IPsec tunnel establishment parameter includes:
  • the IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
  • the base station and the user equipment negotiate an IPsec tunnel establishment parameter by using an IP data packet, specifically an Internet Key Exchange Protocol version 2 message.
  • the determining, by the base station, the identity of the user equipment includes:
  • the base station verifies whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
  • the acquiring, by the base station, the IPsec tunnel establishment parameters that are negotiated with the user equipment including:
  • the at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  • the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message
  • the base station receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated and transmitted in the RRC message, and the RRC message can be guaranteed.
  • Transceiver is authenticated Over.
  • the determining, by the base station, an IPsec tunnel establishment parameter includes:
  • a level of a security algorithm of the first security parameter according to a list of security algorithm levels and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security algorithms and security algorithms Correspondence of levels;
  • the base station sends the IPsec tunnel establishment parameter to the user equipment.
  • the IPsec tunnel establishment necessary parameter is transmitted through the RRC message, and the IKEv2 message is not completely encapsulated.
  • the determining, by the base station, an IPsec tunnel establishment parameter includes:
  • the base station receives the IPsec tunnel establishment parameter sent by the user equipment.
  • the IPsec tunnel establishment necessary parameter is transmitted through the RRC message, and the IKEv2 message is not completely encapsulated.
  • a method for establishing an IPsec tunnel including:
  • the user equipment receives the first anti-replay parameter sent by the base station
  • the user equipment generates a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and generates second authentication information AUTH according to the second Kipsec, and sends the second AUTH to The base station;
  • the establishing parameter includes a first AUTH, wherein the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
  • the user equipment verifies the first AUTH and the second AUTH.
  • the method further includes:
  • the user equipment sends an IP address of a wireless local area network to which the user equipment is connected to the base station.
  • the method further includes:
  • the user equipment sends a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
  • the user equipment encrypts the second IKEv2 message according to the second security parameter, and sends the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, the IPsec
  • the tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying an IPsec protected data stream, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec, the security algorithm is Set a security algorithm with a security algorithm level;
  • the user equipment receives a response message of the second IKEv2 message sent by the base station.
  • the method further includes:
  • the at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  • the method further includes:
  • the security algorithm list supported by the user equipment Sending, by the RRC message, the security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and the user equipment Supporting a list of security algorithms, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the user equipment receives the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure.
  • the method further includes:
  • a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the user equipment sends the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure.
  • a base station having a function of implementing a behavior of a base station in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the base station includes: a transmitter and a processor; wherein
  • the transmitter is configured to send a first anti-replay parameter to the user equipment
  • the processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating each time The same key;
  • the processor is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
  • the processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
  • the processor is further configured to verify the first AUTH and the second AUTH and an identity of the user equipment.
  • the base station includes:
  • a sending unit configured to send a first anti-replay parameter to the user equipment
  • a determining unit configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time The same key;
  • a generating unit configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
  • the determining unit is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
  • a verification unit configured to verify the first AUTH and the second AUTH and the identity of the user equipment.
  • a user equipment having a function of implementing user equipment behavior in the above method.
  • the functions may be implemented by hardware or by corresponding software implemented by hardware.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the user equipment includes: a receiver, a transmitter, and a processor;
  • the receiver is configured to receive a first anti-replay parameter sent by the base station
  • the processor is configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and generate second authentication information AUTH according to the second Kipsec;
  • the transmitter is further configured to send the second AUTH to the base station;
  • the receiver is further configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station is configured according to the KeNB and the first anti- The playback parameter generates a first Kipsec, and the base station generates the first AUTH according to the first Kipsec;
  • the processor is further configured to verify the first AUTH and the second AUTH.
  • the user equipment includes:
  • a receiving unit configured to receive a first anti-playback parameter sent by the base station
  • a generating unit configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
  • a sending unit configured to send the second AUTH to the base station
  • the receiving unit is further configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first according to the KeNB and the first anti-replay parameter. Kipsec, the base station generates the first AUTH according to the first Kipsec;
  • a verification unit for verifying the first AUTH and the second AUTH.
  • an Internet Protocol security IPsec tunnel establishment method a user equipment and a base station, when a user equipment requests access to a core network through a wireless local area network, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment.
  • the IPsec tunnel is established, so that the user equipment can securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
  • LTE Long Term Evolution System-Wireless Local Area Network
  • FIG. 2 is a schematic diagram of an access mode of an existing wireless local area network WLAN
  • FIG. 3 is a schematic flowchart of a method for establishing an IPsec tunnel according to an embodiment of the present disclosure
  • FIG. 4 is a schematic flowchart of another IPsec tunnel establishment method according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of still another method for establishing an IPsec tunnel according to an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of another base station according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a user equipment according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of still another base station according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of another user equipment according to an embodiment of the present invention.
  • the present invention requires that the new LWA architecture shown in FIG. 1 is compatible with the existing WLAN technology, that is, it is required to be compatible with the non-trusted WLAN access mode in the S2b access mode.
  • an IPsec tunnel is established between the user equipment and the base station to achieve the role of the ePDG on the S2b interface.
  • the user equipment Before the IPsec tunnel establishment method of the embodiment of the present invention is implemented, the user equipment has accessed the core network, and the authentication succeeds. At this time, the base station already has the identity of the user equipment, such as a Cell Radio Network Temporary Identifier (C-RNTI), and the base station can find the user equipment by using the identifier.
  • C-RNTI Cell Radio Network Temporary Identifier
  • the base station and the user equipment when the user equipment requests to access the core network through the wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and perform IPsec tunnel transmission parameters included in the tunnel establishment parameters in IPsec.
  • the data is transmitted in the tunnel, so that the user equipment can securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
  • FIG. 3 is a schematic flowchart of a method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
  • the base station negotiates anti-replay parameters with the user equipment.
  • the anti-replay parameter is to prevent the base station or the user equipment from generating the same key each time, or the generated message is the same. If the key or the message is the same, the attacker can intercept the previous message and resend it again.
  • Anti-replay parameters are generally random numbers, time stamps, or counter values.
  • the base station may carry the anti-replay parameter in the RRC message of the user equipment sending the IP address of the base station.
  • the user equipment may carry the anti-replay parameter-2 when carrying the RRC message of the base station, or may not carry the anti-replay parameter-2, which is determined by the specific configuration, for example, if the anti-replay parameter is a random number, The anti-replay parameter-1 and the anti-replay parameter-2 may be the same or different. If the method of transmitting the random number is selected, the anti-replay parameter-2 is carried in the reply message; if a counter is used The base station can set the counter, and the user equipment does not set the counter.
  • the base station needs to transmit the value of the counter as the anti-replay parameter-1 to the user equipment, and the user equipment does not carry the anti-weight in the reply message because there is no timer. If the user equipment is also provided with a counter, the user equipment also needs to transmit the value of its counter as the anti-replay parameter-2 to the base station; if the time stamp is used, both parties need to transmit the anti-replay parameters.
  • the RRC message of the replying base station may include: an RRC reconfiguration complete message, an RRC completion message, and the like.
  • the base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec.
  • the user equipment generates a second Kipsec according to the KeNB and the second anti-playback parameter, and generates a second AUTH according to the second Kipsec.
  • the same air interface key KeNB is generated.
  • the base station and the user equipment respectively generate the first Kipsec and the second Kipsec according to the KeNB and the negotiated anti-replay parameters according to the set key generation function, and then generate the first AUTH according to the first Kipsec and the second Kipsec respectively (
  • the authentication and the second AUTH are the same as the key generation function, the KeNB is the same, and the anti-replay parameters are negotiated.
  • the base station and the user equipment know the anti-replay parameters of the opposite end. Therefore, the base station and the user equipment can respectively Verify the authentication information of the peer according to its own authentication information.
  • the base station negotiates an IPsec tunnel establishment parameter with the user equipment.
  • the IPsec tunnel establishment parameter includes an authentication information (AUTH) and an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier of an ingress/egress port for identifying a data stream protected by IPsec (Traffic Selector, TS for short)
  • the security parameter is also called the Security Association (SA).
  • SA Security Association
  • This parameter contains the security algorithm, and the first Kipsec or the second Kipsec.
  • the security algorithm has a security algorithm level. The security algorithm level is used to indicate which algorithm should be used. Priority is given to the use of the first Kipsec or the second Kipsec to encrypt the data stream transmitted in the IPsec tunnel in the security algorithm.
  • the IPsec tunnel setup parameters may also include the identity IDi of the user equipment, and the identity ID of the base station.
  • C-RNTI is used as IDi.
  • IDi represents the identity of the initiator, ie Identification-Initiator, and IDr represents the identity of the recipient, ie Identification-Responder.
  • the base station and the user equipment respectively verify the first AUTH and the second AUTH.
  • the base station verifies that the first AUTH and the second AUTH are consistent, verify the identity of the user equipment.
  • the base station and the user equipment respectively verify whether the authentication information of the peer end is consistent with the authentication information of the peer end. If the verification succeeds, the base station verifies the identity of the user equipment.
  • the base station verifies the identity of the user equipment, and compares the identity of the user equipment that has been acquired when the air interface is connected with the identity of the user equipment that is included in the IPsec tunnel establishment parameter, and if the RRC message is received, the identity of the user equipment is already received. Verification is performed when the RRC message is received.
  • the base station After the base station negotiates the IPsec tunnel transmission parameters with the user equipment, the work of establishing an IPsec tunnel is completed, so that data can be transmitted in the IPsec tunnel according to the IPsec tunnel transmission parameters.
  • an IPsec tunnel is established.
  • the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish an tunnel according to the tunnel.
  • the IPsec tunnel transmission parameters included in the parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
  • FIG. 4 is a schematic flowchart of another method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
  • the base station sends an IP address of the base station to the user equipment in the RRC reconfiguration message.
  • the anti-replay parameter-1 is carried in the RRC reconfiguration message.
  • the user equipment After receiving the RRC reconfiguration message of the base station, the user equipment returns an RRC reconfiguration complete message.
  • the anti-replay parameter-2 is carried in the RRC reconfiguration complete message.
  • the two parties need to know the IP address of the peer.
  • the base station needs to determine that the peer end that establishes the IPsec tunnel is the user equipment, instead of attacking.
  • the user device of the person or other person, that is, the identity of the user device is correct.
  • the base station transmits the IP address of the base station to the user equipment.
  • the base station may select one of a plurality of Radio Resource Control (RRC) messages for transmitting the IP of the base station.
  • RRC Radio Resource Control
  • the RRC message includes: an RRC reconfiguration message, an RRC setup request message, an RRC re-establishment message, and the like.
  • the choice of RRC messaging is based on a mobile network that has passed security authentication, which ensures the security of the transmitted message.
  • the user equipment sends the IP address of the WLAN connected to the user equipment to the base station.
  • the user equipment Before the user equipment sends the IP, the user equipment first needs to access the WLAN through the AP, and then obtain the IP address distributed by the WLAN.
  • the base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generates first authentication information AUTH according to the first Kipsec.
  • the user equipment uses the set key generation function to generate a second Kipsec according to the KeNB and the negotiated anti-replay parameter, and generate a second AUTH according to the second Kipsec.
  • the user equipment accesses the AP.
  • the user equipment obtains an IP address distributed by the AP.
  • the user equipment sends the IP address distributed by the AP to the base station.
  • the base station and the user equipment negotiate the second security parameter by using the first Internet Key Exchange Protocol version 2 message.
  • the user equipment sends an Internet Key Exchange Security Association parameter negotiation initial message IKE_SA_INIT message to the base station, where the IKE_SA_INIT message includes an Internet Key Exchange Protocol Header (HDR Header, HDR for short), and the second security parameter SAi1, the sender is substantially dense.
  • HDR Header Internet Key Exchange Protocol Header
  • SAi1 Internet Key Exchange Protocol Header
  • the base station replies with the IKE_SA_INIT message, and the reply message includes HDR, SAr1, and the reply party is basically dense.
  • the key KEl, the random number Nr completes the negotiation of the second security parameter between the base station and the user equipment.
  • the second security parameter also includes a security algorithm, a security algorithm level, and a key.
  • the security algorithm level of SAi1 and SAr1 is determined by the IKEv2 message.
  • SAi1 and SAr1 include multiple security algorithms, and the security algorithm is used to specify the security algorithm to be adopted.
  • the key is generated based on the base key (KEi and KEl) and the random number (Ni, Nr).
  • the second security parameter is used to encrypt the second IKEv2 message that transmits the IPsec tunnel establishment parameters.
  • the base station receives a second IKEv2 message that is sent by the user equipment according to the second security parameter.
  • the user equipment sends an IKE_AUTH message to the base station, and the IKE_AUTH message is encrypted and sent by the second security parameter.
  • the IKE_AUTH message includes HDR, SK ⁇ IDi, AUTH, SAi2, TSi, TSR ⁇ , where SK ⁇ indicates that the parameter in ⁇ is encrypted and protected by the security algorithm and the key in the second security parameter;
  • the base station replies to the IKR_AUTH message of the user equipment, and the reply message includes HDR, SK ⁇ IDr, AUTH, SAr2, TSi, TSR ⁇ .
  • the IP data packet is negotiated between the base station and the user equipment, specifically the Internet Key Exchange Protocol version 2 message, and the IPsec tunnel establishment parameter is negotiated. Since the IP data packet is transmitted, the identity of the peer end has not been verified. To ensure the security of the transmission process, the security parameters of the message for transmitting the IPsec tunnel establishment parameters need to be negotiated first, and then the message for sending the IPsec tunnel establishment parameters is encrypted by the negotiated security parameters.
  • the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message, and the base station receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated and transmitted in the RRC message. Since the RRC message can ensure that the transmitting and receiving peers are authenticated, it is not necessary to emphasize the authentication information AUTH and the identity IDi of the initiator.
  • the base station and the user equipment respectively verify the first AUTH and the second AUTH.
  • FIG. 5 is a schematic flowchart of still another method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
  • the user equipment accesses the AP.
  • the user equipment obtains an IP address distributed by the AP.
  • the base station sends an IP address of the base station to the user equipment in the RRC reconfiguration message.
  • This message carries the anti-replay parameter -1.
  • the IP address of the AP connected to the user equipment and the anti-replay parameter-2 is the IP address of the AP connected to the user equipment and the anti-replay parameter-2.
  • the base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generates first authentication information AUTH according to the first Kipsec.
  • the user equipment uses the set key generation function to generate a second Kipsec according to the KeNB and the negotiated anti-replay parameter, and generate a second AUTH according to the second Kipsec.
  • the base station receives a second AUTH sent by the user equipment by using an RRC message, and a list of security algorithms supported by the user equipment.
  • the user equipment sends the necessary parameters of the IPsec tunnel establishment to the base station by using the RRC message, and the base station receives the necessary parameters for establishing the IPsec tunnel sent by the user equipment, and the necessary parameters for establishing the IPsec tunnel include: authentication information, and a list of security algorithms supported by the user equipment.
  • Security algorithms may include encryption algorithms and integrity protection algorithms.
  • the security algorithm list supported by the user equipment may be transmitted to the base station in advance in the process of attaching the user equipment to the core network, that is, before the user equipment, the user equipment carries the user in the Attach Request message.
  • the security algorithm list supported by the device is sent to the MME.
  • the MME transmits the security algorithm list supported by the user equipment to the base station, and then completes the Attach process of the user equipment to establish a default bearer.
  • the base station determines, according to its own security algorithm level list, and a list of security algorithms supported by the user equipment, the level of the security algorithm of the first security parameter.
  • a security algorithm level list is set in the base station, and the security algorithm level list includes a correspondence between multiple security algorithms and security algorithm levels.
  • the base station can determine the level of the security algorithm of the first security parameter from the security algorithm supported by the user equipment according to the security algorithm level list and the obtained security algorithm list supported by the user equipment, and the security algorithm acts as a security algorithm for protecting the IPsec tunnel transmission. For example, the security algorithm with the highest level of algorithm security capability in the list of security algorithms supported by the user equipment can be selected.
  • the base station may use the IP address of the base station and the determined security algorithm of the first security parameter in the RRC reconfiguration message.
  • the level is sent to the user device.
  • the base station sends an IPsec tunnel establishment parameter to the user equipment.
  • the base station After determining the authentication information and the first security algorithm, the base station sends an IPsec tunnel establishment parameter to the user equipment, where the IPsec tunnel establishment parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm, and the A Kipsisec or the second Kipsec.
  • the RRC message is used to transmit the IPsec tunnel establishment necessary parameters, and the IKEv2 message is not completely encapsulated. Since the RRC message itself can ensure the security of the data transmission, there is no need to negotiate the second security parameter.
  • the IPsec tunnel establishment is initiated by the user equipment, as a type of S307-S309.
  • the base station may initiate IPsec tunnel establishment, that is, the base station sends the IPsec tunnel establishment necessary parameters to the user equipment through the RRC message, so that the user equipment according to the list of security algorithms supported by the user equipment, and the security algorithm level list of the base station. Determining a level of the security algorithm of the first security parameter, and then the user equipment sends an IPsec tunnel establishment parameter to the base station, where the base station receives an IPsec tunnel establishment parameter sent by the user equipment.
  • the base station and the user equipment respectively verify the first AUTH and the second AUTH.
  • FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present invention.
  • the base station 1000 includes a sending unit 11, a determining unit 12, a generating unit 13, and a verifying unit 14. among them:
  • the sending unit 11 is configured to send the first anti-replay parameter to the user equipment.
  • the determining unit 12 is configured to determine that the second anti-replay parameter of the user equipment may carry the anti-replay parameter-1 in the RRC message of the user equipment, and the user equipment may carry the anti-weight when replying to the RRC message of the base station.
  • the parameter-2 can also be placed without carrying the anti-replay parameter-2, which is determined by the specific configuration.
  • the RRC message of the replying base station may include: an RRC reconfiguration complete message, an RRC completion message, and the like.
  • the generating unit 13 is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec.
  • the same air interface key KeNB is generated.
  • the base station and the user equipment respectively generate the first Kipsec and the second Kipsec according to the KeNB and the negotiated anti-replay parameters, and then generate the first AUTH according to the first Kipsec and the second Kipsec respectively by using the set key generation function.
  • the second AUTH because the key generation function is the same, the KeNB is the same, and the anti-replay parameters are negotiated, and the base station and the user equipment know the anti-replay parameters of the opposite end. Therefore, the base station and the user equipment can respectively according to their own
  • the authentication information is used to verify the authentication information of the peer.
  • the determining unit 12 is further configured to determine an IPsec tunnel establishment parameter.
  • the IPsec tunnel establishment parameter includes an authentication information and an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier of an ingress/egress port for identifying a data stream protected by IPsec, and the security parameter is also called a security association parameter.
  • Security Association this parameter contains the security algorithm, and the first Kipsec or the second Kipsec, the security algorithm has a security algorithm level, the security algorithm level is used to indicate which algorithm should be prioritized, the first Kipsel or the second Kipsec is used to encrypt the data stream transmitted in an IPsec tunnel in a security algorithm.
  • the IPsec tunnel setup parameters may also include the identity IDi of the user equipment, and the identity ID of the base station.
  • the verification unit 14 is configured to verify the identity of the first AUTH and the second AUTH and the user equipment.
  • the base station and the user equipment respectively verify whether the authentication information of the peer end is consistent with the authentication information of the peer end. If the verification succeeds, the base station verifies the identity of the user equipment.
  • the base station verifies the identity of the user equipment, and compares the identity of the user equipment that has been acquired when the air interface is connected with the identity of the user equipment that is included in the IPsec tunnel establishment parameter, and if the RRC message is received, the identity of the user equipment is already received. Verification is performed when the RRC message is received.
  • the base station and the user equipment when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and include parameters according to the tunnel establishment.
  • the IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
  • the base station further includes a receiving unit, and a specific implementation manner of the receiving unit is provided below:
  • the receiving unit is specifically configured to obtain the first Internet Key Exchange Protocol version with the user equipment.
  • the second security parameter negotiated by this 2 message.
  • the user equipment sends an Internet Key Exchange Security Association parameter negotiation initial message IKE_SA_INIT message to the base station, where the IKE_SA_INIT message includes HDR, a second security parameter SAi1, a sender basic key KEi, and a random number Ni, wherein the HDR includes The SPI is used to identify the IPsec tunnel establishment process.
  • the base station replies to the IKE_SA_INIT message, and the replies include HDR, SAr1, the replies basic key KEr, and the random number Nr, thereby completing the negotiation of the second security parameter between the base station and the user equipment.
  • the second security parameter also includes a security algorithm, a security algorithm level, and a key.
  • the security algorithm level of SAi1 and SAr1 is determined by the IKEv2 message.
  • SAi1 and SAr1 include multiple security algorithms, and the security algorithm is used to specify the security algorithm to be adopted.
  • the key is generated based on the base key (KEi and KEl) and the random number (Ni, Nr).
  • the second security parameter is used to encrypt the second IKEv2 message that transmits the IPsec tunnel establishment parameters.
  • the receiving unit is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter.
  • the user equipment sends an IKE_AUTH message to the base station, and the IKE_AUTH message is encrypted and sent by the second security parameter.
  • the IKE_AUTH message includes HDR, SK ⁇ IDi, AUTH, SAi2, TSi, TSR ⁇ , wherein the parameter in the ⁇ indicates that the parameter in the ⁇ is encrypted and protected by the security algorithm and the key in the second security parameter;
  • the IKR_AUTH message of the user equipment includes HDR, SK ⁇ IDr, AUTH, SAr2, TSi, TSR ⁇ .
  • the IP data packet is negotiated between the base station and the user equipment, specifically the Internet Key Exchange Protocol version 2 message, and the IPsec tunnel establishment parameter is negotiated. Since the IP data packet is transmitted, the identity of the peer end has not been verified. To ensure the security of the transmission process, the security parameters of the message for transmitting the IPsec tunnel establishment parameters need to be negotiated first, and then the message for sending the IPsec tunnel establishment parameters is encrypted by the negotiated security parameters.
  • the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message
  • the receiving unit receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated in the RRC message.
  • the transceiver end can be authenticated, and the authentication information AUTH and the identity IDi of the initiator need not be emphasized.
  • FIG. 7 is a schematic structural diagram of another base station according to an embodiment of the present disclosure, where the base station 2000 includes The sending unit 21, the receiving unit 22, the generating unit 23, the determining unit 24, and the verifying unit 25. among them:
  • the sending unit 21 is configured to send the Internet Protocol IP address and the anti-replay parameter of the base station to the user equipment in the RRC reconfiguration message.
  • the receiving unit 22 is configured to receive an IP address and an anti-replay parameter of the wireless local area network to which the user equipment is connected, which is sent by the user equipment.
  • the generating unit 23 is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generate first authentication information AUTH according to the first Kipsec.
  • the receiving unit 22 is further configured to receive a second AUTH sent by the user equipment by using an RRC message, and a list of security algorithms supported by the user equipment.
  • the user equipment sends the necessary parameters of the IPsec tunnel establishment to the base station by using the RRC message, and the base station receives the necessary parameters for establishing the IPsec tunnel sent by the user equipment, and the necessary parameters for establishing the IPsec tunnel include: authentication information, and a list of security algorithms supported by the user equipment.
  • Security algorithms may include encryption algorithms and integrity protection algorithms.
  • the security algorithm list supported by the user equipment may be transmitted to the base station in advance in the process of attaching the user equipment to the core network, that is, before the user equipment, the user equipment carries the user in the Attach Request message.
  • the security algorithm list supported by the device is sent to the MME.
  • the MME transmits the security algorithm list supported by the user equipment to the base station, and then completes the Attach process of the user equipment to establish a default bearer.
  • the determining unit 24 is configured to determine a level of the security algorithm of the first security parameter according to the security algorithm level list of the user and the security algorithm list supported by the user equipment.
  • a security algorithm level list is set in the base station, and the security algorithm level list includes a correspondence between multiple security algorithms and security algorithm levels.
  • the base station can determine the level of the security algorithm of the first security parameter from the security algorithm supported by the user equipment according to the security algorithm level list and the obtained security algorithm list supported by the user equipment, and the security algorithm acts as a security algorithm for protecting the IPsec tunnel transmission. For example, the security algorithm with the highest level of algorithm security capability in the list of security algorithms supported by the user equipment can be selected.
  • the base station may use the IP address of the base station and the determined security algorithm of the first security parameter in the RRC reconfiguration message.
  • the level is sent to the user device.
  • the sending unit 21 is further configured to send an IPsec tunnel establishment parameter to the user equipment.
  • the base station After determining the authentication information and the first security algorithm, the base station sends an IPsec tunnel establishment parameter to the user equipment, where the IPsec tunnel establishment parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm, and the A Kipsisec or the second Kipsec. .
  • the RRC message is used to transmit the IPsec tunnel establishment necessary parameters, and the IKEv2 message is not completely encapsulated. Since the RRC message itself can ensure the security of the data transmission, there is no need to negotiate the second security parameter.
  • the user equipment initiates the establishment of the IPsec tunnel.
  • the base station may initiate the IPsec tunnel establishment, that is, the base station sends the necessary parameters for establishing the IPsec tunnel to the user equipment through the RRC message, so that the user equipment Determining a level of the security algorithm of the first security parameter according to a list of security algorithms supported by the base station, and a security algorithm level list of the base station, and then the user equipment sends the IPsec tunnel establishment parameter to the base station, where the base station receives the information sent by the user equipment.
  • the IPsec tunnel establishes parameters.
  • the verification unit 25 is configured to verify the first AUTH and the second AUTH.
  • the verification unit 25 is further configured to verify the identity of the user equipment if the first AUTH and the second AUTH are verified to be consistent.
  • FIG. 8 is a schematic structural diagram of a user equipment according to an embodiment of the present invention.
  • the user equipment 3000 includes a determining unit 31, a generating unit 32, a sending unit 33, a receiving unit 34, and a verifying unit 35.
  • a determining unit 31 configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent a key generated by the base station and the user equipment each time the same;
  • the generating unit 32 is configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
  • a sending unit 33 configured to send the second AUTH to the base station
  • the receiving unit 34 is configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first Kipsc according to the KeNB and the first anti-replay parameter.
  • the base station generates the first AUTH according to the first Kipsec;
  • the verification unit 35 is configured to verify the first AUTH and the second AUTH.
  • the receiving unit 34 is further configured to receive an internet protocol IP address of the base station that is sent by the base station;
  • the sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
  • the sending unit 33 is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
  • the receiving unit 34 is further configured to receive a response message of the first IKEv2 message sent by the base station;
  • the sending unit 33 is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter
  • the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec
  • the tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsel or the second Kipsec
  • the security algorithm is a security algorithm set with a security algorithm level;
  • the receiving unit 34 is further configured to receive a response message of the second IKEv2 message sent by the base station.
  • the sending unit 33 is further configured to send at least one RRC message to the base station;
  • the at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  • the sending unit 33 is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and the a security algorithm list supported by the user equipment, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the receiving unit 34 is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet key exchange protocol header.
  • the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure
  • the IPsec tunnel transmission parameter includes a first security parameter and a TS
  • the first security parameter includes a security algorithm determining the level
  • the First Kipsec or the second Kipsec is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet key exchange protocol header.
  • HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure
  • the IPsec tunnel transmission parameter includes a first security parameter and a TS
  • the first security parameter includes a security algorithm determining the level
  • the First Kipsec or the second Kipsec includes a security algorithm determining the level
  • the receiving unit 34 is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level. relationship;
  • the determining unit 31 is further configured to determine a level of the security algorithm of the first security parameter according to a security algorithm list supported by the base and a security algorithm level list of the base station;
  • the sending unit 33 is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes An identification SPI of the IPsec tunnel establishment process, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  • the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes An identification SPI of the IPsec tunnel establishment process, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  • the base station and the user equipment when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish parameters according to the tunnel.
  • the included IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
  • the base station 4000 includes a transmitter 41 and a processor 42 .
  • the transmitter 41 and the processor 42 are connected to each other via a bus 43. among them:
  • the transmitter is configured to send a first anti-replay parameter to the user equipment
  • the processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating each time The same key;
  • the processor is further configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
  • the processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishes a parameter packet
  • the second AUTH is generated, wherein the user equipment generates a second Kipsec according to the KeNB and the second anti-playback parameter, and generates the second AUTH according to the second Kipsec;
  • the processor is further configured to verify the first AUTH and the second AUTH, and an identity of the user equipment.
  • the transmitter is further configured to send an internet protocol IP address of the base station to the user equipment;
  • the base station further includes: a receiver
  • the receiver is further configured to receive an IP address of a wireless local area network to which the user equipment is connected, sent by the user equipment.
  • the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by IPsec, the first security
  • the parameters include a security algorithm, and the first Kipsec or the second Kipsec.
  • the receiver is further configured to receive a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
  • the transmitter is further configured to send a response message of the first IKEv2 message to the user equipment;
  • the receiver is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
  • the transmitter is further configured to send a response message of the second IKEv2 message to the user equipment;
  • the IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
  • processor is further configured to:
  • the receiver is further configured to receive at least one radio resource control RRC message sent by the user equipment;
  • the at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  • the receiver is further configured to receive the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
  • the processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithm levels of the user and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security Correspondence between the algorithm and the level of the security algorithm;
  • the transmitter is further configured to send the IPsec tunnel establishment parameter to the user equipment.
  • the transmitter is further configured to send, by using an RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, And determining, by the security algorithm level list of the base station, a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the receiver is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
  • the base station and the user equipment when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and include parameters according to the tunnel establishment.
  • the IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
  • the user equipment 5000 includes a receiver 51, a transmitter 52, and processing.
  • the device 53 wherein the receiver 51, the transmitter 52 and the processor 53 are connected to each other by a bus 54. among them:
  • the processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time.
  • the processor is further configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
  • a transmitter configured to send the second AUTH to the base station
  • a receiver configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel
  • the establishing parameter includes a first AUTH, wherein the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
  • the processor is further configured to verify the first AUTH and the second AUTH.
  • the receiver is further configured to receive an internet protocol IP address of the base station sent by the base station;
  • the sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
  • the transmitter is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
  • the receiver is further configured to receive a response message of the first IKEv2 message sent by the base station;
  • the transmitter is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter,
  • the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec tunnel
  • the transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec,
  • the security algorithm is a security algorithm set with a security algorithm level;
  • the receiver is further configured to receive a response message of the second IKEv2 message sent by the base station.
  • the transmitter is further configured to send at least one RRC message to the base station;
  • the at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  • the transmitter is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and supported by the user equipment a security algorithm list, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the receiver is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec Identification SPI of the tunnel establishment process, the IPsec tunnel transmission
  • the input parameter includes a first security parameter and a TS, the first security parameter including a security algorithm that determines the level, and the first Kipsel or the second Kipsec.
  • the receiver is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
  • the processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithms supported by the base and a security algorithm level list of the base station;
  • the transmitter is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec.
  • An identifier SPI of the tunnel establishment process where the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  • the base station and the user equipment when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish parameters according to the tunnel.
  • the included IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a computer.
  • the computer readable medium may include a random access memory (RAM), a read-only memory (ROM), and an electrically erasable programmable read-only memory (Electrically Erasable Programmable).
  • EEPROM Electrically erasable programmable read-only memory
  • Compact Disc Compact Disc Read-Only Memory
  • CD-ROM Compact Disc Read-Only Memory
  • Any connection may suitably be a computer readable medium.
  • the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, Then coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, wireless and microwave are included in the fixing of the associated medium.
  • DSL Digital Subscriber Line
  • a disk and a disc include a compact disc (CD), a laser disc, a compact disc, a digital versatile disc (DVD), a floppy disk, and a Blu-ray disc, wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data. Combinations of the above should also be included within the scope of the computer readable media.

Abstract

The embodiment of the present invention discloses an Internet protocol security IPsec tunnel establishing method, a user equipment and a base station. When the user equipment requests for access to a core network through a wireless local area network, the base station negotiates with the user equipment over an anti-replay parameter and an IPsec tunnel establishing parameter to establish an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameter included in the tunnel establishing parameter, thereby enabling the user equipment to securely access the core network through the wireless local area network and ensuring the security of data transmission.

Description

因特网协议安全性隧道建立方法,用户设备及基站Internet protocol security tunnel establishment method, user equipment and base station 技术领域Technical field
本发明涉及通信技术领域,尤其涉及一种因特网协议安全性(Internet Protocol security,简称IPsec)隧道建立方法,用户设备及基站。The present invention relates to the field of communications technologies, and in particular, to an internet protocol security (IPsec) tunnel establishment method, a user equipment, and a base station.
背景技术Background technique
长期演进系统-无线局域网络聚合(Long Term Evolution-Wireless Local Area Networks,简称LWA),是长期演进(Long Term Evolution,简称LTE)系统利用无线局域网(Wireless Local Area network,简称WLAN)的高数据传输效率特性进行下行传输数据,是数据分流的一种新型技术。其架构定义如图1所示。移动管理实体(Mobility Management Entity,简称MME)/服务网关(Serving Gateway,简称S-GW)为核心网侧节点,在架构中代表核心网侧,长期演进系统基站(Evolved Node B,简称eNB)与核心网侧之间通过S1接口连接,同时eNB与无线局域网络总站(WLAN Terminal,简称WT)通过Xw接口连接。这种架构下,WT和eNB是分开部署的。对于核心网侧来说,WT是透明的,不可见的,即核心网侧不知道WT的存在。一个WT可以连接多个无线局域网接入节点(Access Point,简称AP),用户设备(User Equipment,简称UE)通过与AP相连接入网络。当下行数据到来的时候,eNB通过WT,转发数据给UE,实现WLAN分流。Long Term Evolution-Wireless Local Area Networks (LWA) is a high-speed data transmission system of the Long Term Evolution (LTE) system using Wireless Local Area Network (WLAN). Efficiency characteristics for downlink transmission of data is a new technology for data offloading. Its architecture definition is shown in Figure 1. The Mobility Management Entity (MME)/Serving Gateway (S-GW) is the core network side node, which represents the core network side in the architecture, and the Evolved Node B (eNB) and The core network side is connected through the S1 interface, and the eNB is connected to the WLAN terminal (WT terminal) through the Xw interface. Under this architecture, the WT and the eNB are deployed separately. For the core network side, the WT is transparent and invisible, that is, the core network side does not know the existence of the WT. A WT can be connected to multiple WLAN access nodes (APs), and the user equipment (User Equipment, UE for short) is connected to the AP to access the network. When the downlink data arrives, the eNB forwards the data to the UE through the WT to implement WLAN offloading.
图1所示是在新架构下的LWA技术,要求在新架构下兼容现有WLAN技术。现有WLAN的接入方式是采用图2的架构,通过S2a和S2b接口的方式接入。Figure 1 shows the LWA technology under the new architecture, which requires compatibility with existing WLAN technologies under the new architecture. The access mode of the existing WLAN is adopted by the architecture of FIG. 2, and is accessed through the S2a and S2b interfaces.
S2a接入方式是UE接入可信的WLAN时所用的接口。可信的WLAN是指WLAN是运营商部署的。在S2a接入方式下,UE接入WLAN完成鉴权后,可以直接连接核心网侧的分组数据网关(Packet Data Network-Gateway,简称P-GW),进而实现使用WLAN上网,进行数据分流。The S2a access mode is an interface used when the UE accesses a trusted WLAN. A trusted WLAN means that the WLAN is deployed by the operator. In the S2a access mode, after the UE accesses the WLAN to complete the authentication, the UE can directly connect to the Packet Data Network-Gateway (P-GW) on the core network side to implement the WLAN access and data splitting.
S2b接口是ePDG和P-GW之间的接口。UE在接入非可信的WLAN的情况下使用此接口。非可信的WLAN指不是运营商部署的WLAN节点。当用户通过这类非可信的WLAN接入的时候,要通过演进的分组数据域网关(Evloved Packet Data Gateway,简称ePDG)辅助。ePDG是运营商部署的网元,因此ePDG 对于运营商来说是可信的,这样可以保证非可信的WLAN没有办法看到、修改UE和核心网侧之间传输的用户数据,进而保证只是利用WLAN传输数据,而不用WLAN提供其他服务。The S2b interface is the interface between the ePDG and the P-GW. The UE uses this interface when accessing a non-trusted WLAN. An untrusted WLAN refers to a WLAN node that is not deployed by the operator. When the user accesses through such an untrusted WLAN, it is assisted by an Evloved Packet Data Gateway (ePDG). ePDG is a network element deployed by the carrier, so ePDG It is credible for the operator, which ensures that the untrusted WLAN has no way to see and modify the user data transmitted between the UE and the core network side, thereby ensuring that only the WLAN is used to transmit data, instead of providing other services by the WLAN. .
新需求要求兼容现有WLAN,就是指要求兼容S2b接入方式下的非可信的WLAN接入方式。根据图1的架构,可以看到WT和eNB之间没有部署ePDG,因此无法保证在非可信WLAN下保护用户的数据安全。The new requirement is compatible with the existing WLAN, which means that it is compatible with the non-trusted WLAN access mode under the S2b access mode. According to the architecture of FIG. 1, it can be seen that the ePDG is not deployed between the WT and the eNB, so that it is impossible to protect the data security of the user under the untrusted WLAN.
发明内容Summary of the invention
本发明实施例提供了一种IPsec隧道建立方法,用户设备及基站,以建立用户设备与基站之间的IPsec隧道,保证用户设备安全地接入核心网,保证数据传输的安全性。The embodiment of the present invention provides an IPsec tunnel establishment method, a user equipment and a base station, to establish an IPsec tunnel between the user equipment and the base station, to ensure that the user equipment securely accesses the core network, and ensures data transmission security.
第一方面,提供了一种因特网协议安全性IPsec隧道建立方法,包括:In a first aspect, a method for establishing an Internet Protocol security IPsec tunnel is provided, including:
基站发送第一抗重放参数给用户设备;The base station sends the first anti-replay parameter to the user equipment;
所述基站确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;Determining, by the base station, a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating the same key each time ;
所述基站根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;The base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec;
所述基站确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;Determining, by the base station, an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, wherein the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to the second Kipsec generates the second AUTH;
所述基站验证所述第一AUTH和所述第二AUTH、以及所述用户设备的身份。The base station verifies the first AUTH and the second AUTH, and the identity of the user equipment.
在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。When the user equipment requests access to the core network through the wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, and establish an IPsec tunnel, thereby realizing the user equipment to securely access the core network through the wireless local area network, thereby ensuring data transmission. Security.
在第一方面的第一种可能的实现方式中,所述方法还包括:In a first possible implementation manner of the first aspect, the method further includes:
所述基站将所述基站的互联网协议IP地址发送给所述用户设备;Sending, by the base station, an internet protocol IP address of the base station to the user equipment;
所述基站接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址。The base station receives an IP address of a wireless local area network to which the user equipment is connected, which is sent by the user equipment.
结合第一方面或第一方面的第一种可能的实现方式,在第二种可能的实现 方式中,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。In combination with the first aspect or the first possible implementation of the first aspect, in a second possible implementation In the mode, the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by IPsec, the first security The parameters include a security algorithm, and the first Kipsec or the second Kipsec.
结合第一方面的第二种可能的实现方式,在第一方面的第三种可能的实现方式中,所述基站确定IPsec隧道建立参数,包括:With reference to the second possible implementation of the first aspect, in a third possible implementation manner of the first aspect, the determining, by the base station, an IPsec tunnel establishment parameter includes:
所述基站接收所述用户设备发送的第一因特网密钥交换协议版本2IKEv2消息,所述第一IKEv2消息包括第二安全参数;Receiving, by the base station, a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
所述基站发送所述第一IKEv2消息的响应消息给所述用户设备;Sending, by the base station, a response message of the first IKEv2 message to the user equipment;
所述基站接收所述用户设备根据所述第二安全参数加密发送的第二IKEv2消息,所述第二IKEv2消息包括所述IPsec隧道建立参数;Receiving, by the base station, a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
所述基站发送所述第二IKEv2消息的响应消息给所述用户设备;Sending, by the base station, a response message of the second IKEv2 message to the user equipment;
其中,所述IPsec隧道建立参数中还包括所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI;所述安全算法为设置有安全算法级别的安全算法。The IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
本实现方式基站与用户设备之间通过IP数据包,具体的是因特网密钥交换协议版本2消息,协商IPsec隧道建立参数。In this implementation manner, the base station and the user equipment negotiate an IPsec tunnel establishment parameter by using an IP data packet, specifically an Internet Key Exchange Protocol version 2 message.
结合第一方面的第三种可能的实现方式,在第四种可能的实现方式中,所述基站验证所述用户设备的身份,包括:With reference to the third possible implementation of the first aspect, in a fourth possible implementation, the determining, by the base station, the identity of the user equipment includes:
所述基站验证所述用户设备的身份标识是否与核心网侧已获得的所述用户设备的身份一致。The base station verifies whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
结合第一方面的第三种可能的实现方式,在第五种可能的实现方式中,所述基站获取与所述用户设备协商后的IPsec隧道建立参数,包括:With reference to the third possible implementation manner of the first aspect, in a fifth possible implementation, the acquiring, by the base station, the IPsec tunnel establishment parameters that are negotiated with the user equipment, including:
所述基站接收所述用户设备发送的至少一个无线资源控制RRC消息;Receiving, by the base station, at least one radio resource control RRC message sent by the user equipment;
其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
在本实现方式中,用户设备通过RRC消息发送IPsec隧道建立参数给基站,基站接收用户设备发送的IPsec隧道建立参数,即将建立IPsec隧道的整个IKEv2的消息封装在RRC消息中传递,RRC消息可以保证收发对端是认证 过的。In this implementation manner, the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message, and the base station receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated and transmitted in the RRC message, and the RRC message can be guaranteed. Transceiver is authenticated Over.
结合第一方面,在第一方面的第六种可能的实现方式中,所述基站确定IPsec隧道建立参数,包括:With reference to the first aspect, in a sixth possible implementation manner of the first aspect, the determining, by the base station, an IPsec tunnel establishment parameter includes:
所述基站接收所述用户设备通过无线资源控制RRC消息发送的所述第二AUTH和所述用户设备所支持的安全算法列表;Receiving, by the base station, the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Determining, by the base station, a level of a security algorithm of the first security parameter according to a list of security algorithm levels and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security algorithms and security algorithms Correspondence of levels;
所述基站将所述IPsec隧道建立参数发送给所述用户设备。The base station sends the IPsec tunnel establishment parameter to the user equipment.
在本实现方式中,通过RRC消息来传输IPsec隧道建立必要参数,没有完全封装IKEv2消息。In this implementation manner, the IPsec tunnel establishment necessary parameter is transmitted through the RRC message, and the IKEv2 message is not completely encapsulated.
结合第一方面,在第一方面的第七种可能的实现方式中,所述基站确定IPsec隧道建立参数,包括:With reference to the first aspect, in a seventh possible implementation manner of the first aspect, the determining, by the base station, an IPsec tunnel establishment parameter includes:
所述基站通过RRC消息将所述第二AUTH和所述基站的安全算法级别列表发送给所述用户设备,以使所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;And sending, by the RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, and the security algorithm of the base station a level list, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述基站接收所述用户设备发送的所述IPsec隧道建立参数。The base station receives the IPsec tunnel establishment parameter sent by the user equipment.
在本实现方式中,通过RRC消息来传输IPsec隧道建立必要参数,没有完全封装IKEv2消息。In this implementation manner, the IPsec tunnel establishment necessary parameter is transmitted through the RRC message, and the IKEv2 message is not completely encapsulated.
第二方面,提供了一种IPsec隧道建立方法,包括:In a second aspect, a method for establishing an IPsec tunnel is provided, including:
用户设备接收基站发送的第一抗重放参数;The user equipment receives the first anti-replay parameter sent by the base station;
所述用户设备确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;Determining, by the user equipment, a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent a key generated by the base station and the user equipment each time the same;
所述用户设备根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH,并发送所述第二AUTH给所述基站;The user equipment generates a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and generates second authentication information AUTH according to the second Kipsec, and sends the second AUTH to The base station;
所述用户设备接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道 建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;Receiving, by the user equipment, an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel The establishing parameter includes a first AUTH, wherein the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
所述用户设备验证所述第一AUTH和所述第二AUTH。The user equipment verifies the first AUTH and the second AUTH.
结合第一方面,在第一种可能的实现方式中,所述方法还包括:In conjunction with the first aspect, in a first possible implementation, the method further includes:
所述用户设备接收所述基站发送的所述基站的互联网协议IP地址;Receiving, by the user equipment, an internet protocol IP address of the base station sent by the base station;
所述用户设备将所述用户设备连接的无线局域网的IP地址发送给所述基站。The user equipment sends an IP address of a wireless local area network to which the user equipment is connected to the base station.
结合第二方面或第二方面的第一种可能的实现方式,在第二种可能的实现方式中,所述方法还包括:With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the method further includes:
所述用户设备发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;The user equipment sends a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
所述用户设备接收所述基站发送的所述第一IKEv2消息的响应消息;Receiving, by the user equipment, a response message of the first IKEv2 message sent by the base station;
所述用户设备根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The user equipment encrypts the second IKEv2 message according to the second security parameter, and sends the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, the IPsec The tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying an IPsec protected data stream, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec, the security algorithm is Set a security algorithm with a security algorithm level;
所述用户设备接收所述基站发送的所述第二IKEv2消息的响应消息。The user equipment receives a response message of the second IKEv2 message sent by the base station.
结合第二方面的第二种可能的实现方式,在第三种可能的实现方式中,所述方法还包括:In conjunction with the second possible implementation of the second aspect, in a third possible implementation, the method further includes:
所述用户设备发送至少一个RRC消息给所述基站;Transmitting, by the user equipment, at least one RRC message to the base station;
其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
结合第二方面,在第四种可能的实现方式中,所述方法还包括:With reference to the second aspect, in a fourth possible implementation, the method further includes:
所述用户设备通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所 支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Sending, by the RRC message, the security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and the user equipment Supporting a list of security algorithms, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述用户设备接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The user equipment receives the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure. The identification SPI, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
结合第二方面,在第五种可能的实现方式中,所述方法还包括:With reference to the second aspect, in a fifth possible implementation, the method further includes:
所述用户设备接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Receiving, by the user equipment, a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别;Determining, by the user equipment, a level of the security algorithm of the first security parameter according to a security algorithm list supported by the user equipment and a security algorithm level list of the base station;
所述用户设备将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The user equipment sends the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure. The identification SPI, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
第三方面,提供了一种基站,该基站具有实现上述方法中基站行为的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。In a third aspect, a base station is provided, the base station having a function of implementing a behavior of a base station in the above method. The functions may be implemented by hardware or by corresponding software implemented by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
一种可能的实现方式中,所述基站包括:发送器和处理器;其中,In a possible implementation manner, the base station includes: a transmitter and a processor; wherein
所述发送器,用于发送第一抗重放参数给用户设备;The transmitter is configured to send a first anti-replay parameter to the user equipment;
所述处理器,用于确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating each time The same key;
所述处理器,用于根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH; The processor is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
所述处理器还用于确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;The processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
所述处理器还用于验证所述第一AUTH和所述第二AUTH以及所述用户设备的身份。The processor is further configured to verify the first AUTH and the second AUTH and an identity of the user equipment.
另一种可能的实现方式中,所述基站包括:In another possible implementation manner, the base station includes:
发送单元,用于发送第一抗重放参数给用户设备;a sending unit, configured to send a first anti-replay parameter to the user equipment;
确定单元,用于确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;a determining unit, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time The same key;
生成单元,用于根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;a generating unit, configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
所述确定单元还用于确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;The determining unit is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
验证单元,用于验证所述第一AUTH和所述第二AUTH以及所述用户设备的身份。And a verification unit, configured to verify the first AUTH and the second AUTH and the identity of the user equipment.
第四方面,提供了一种用户设备,该用户设备具有实现上述方法中用户设备行为的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。In a fourth aspect, a user equipment is provided, the user equipment having a function of implementing user equipment behavior in the above method. The functions may be implemented by hardware or by corresponding software implemented by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
一种可能的实现方式中,所述用户设备包括:接收器、发送器和处理器;其中,In a possible implementation, the user equipment includes: a receiver, a transmitter, and a processor;
所述接收器,用于接收基站发送的第一抗重放参数;The receiver is configured to receive a first anti-replay parameter sent by the base station;
所述处理器,用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;The processor is configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and generate second authentication information AUTH according to the second Kipsec;
所述发送器还用于发送所述第二AUTH给所述基站;The transmitter is further configured to send the second AUTH to the base station;
所述接收器还用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗 重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;The receiver is further configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station is configured according to the KeNB and the first anti- The playback parameter generates a first Kipsec, and the base station generates the first AUTH according to the first Kipsec;
所述处理器还用于验证所述第一AUTH和所述第二AUTH。The processor is further configured to verify the first AUTH and the second AUTH.
另一种可能的实现方式中,所述用户设备包括:In another possible implementation manner, the user equipment includes:
接收单元,用于接收基站发送的第一抗重放参数;a receiving unit, configured to receive a first anti-playback parameter sent by the base station;
生成单元,用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;a generating unit, configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
发送单元,用于发送所述第二AUTH给所述基站;a sending unit, configured to send the second AUTH to the base station;
所述接收单元还用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;The receiving unit is further configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first according to the KeNB and the first anti-replay parameter. Kipsec, the base station generates the first AUTH according to the first Kipsec;
验证单元,用于验证所述第一AUTH和所述第二AUTH。a verification unit for verifying the first AUTH and the second AUTH.
根据本发明实施例提供的一种因特网协议安全性IPsec隧道建立方法,用户设备及基站,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, an Internet Protocol security IPsec tunnel establishment method, a user equipment and a base station, when a user equipment requests access to a core network through a wireless local area network, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment. The IPsec tunnel is established, so that the user equipment can securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
附图说明DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the embodiments will be briefly described below. Obviously, the drawings in the following description are only some of the present invention. For the embodiments, those skilled in the art can obtain other drawings according to the drawings without any creative work.
图1为长期演进系统-无线局域网络聚合LWA示意图;1 is a schematic diagram of a Long Term Evolution System-Wireless Local Area Network (LTE) aggregation LWA;
图2为现有无线局域网WLAN的接入方式示意图;2 is a schematic diagram of an access mode of an existing wireless local area network WLAN;
图3为本发明实施例提供的一种IPsec隧道建立方法的流程示意图;FIG. 3 is a schematic flowchart of a method for establishing an IPsec tunnel according to an embodiment of the present disclosure;
图4为本发明实施例提供的另一种IPsec隧道建立方法的流程示意图;4 is a schematic flowchart of another IPsec tunnel establishment method according to an embodiment of the present invention;
图5为本发明实施例提供的又一种IPsec隧道建立方法的流程示意图;FIG. 5 is a schematic flowchart of still another method for establishing an IPsec tunnel according to an embodiment of the present disclosure;
图6为本发明实施例提供的一种基站的结构示意图;FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present disclosure;
图7为本发明实施例提供的另一种基站的结构示意图;FIG. 7 is a schematic structural diagram of another base station according to an embodiment of the present disclosure;
图8为本发明实施例提供的一种用户设备的结构示意图; FIG. 8 is a schematic structural diagram of a user equipment according to an embodiment of the present disclosure;
图9为本发明实施例提供又一种基站的结构示意图;FIG. 9 is a schematic structural diagram of still another base station according to an embodiment of the present invention;
图10为本发明实施例提供另一种用户设备的结构示意图。FIG. 10 is a schematic structural diagram of another user equipment according to an embodiment of the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
本发明要求图1所示的LWA新架构兼容现有的WLAN技术,即要求兼容S2b接入方式下的非可信的WLAN接入方式。本发明实施例要在用户设备和基站之间建立IPsec隧道,达到S2b接口下ePDG的作用。The present invention requires that the new LWA architecture shown in FIG. 1 is compatible with the existing WLAN technology, that is, it is required to be compatible with the non-trusted WLAN access mode in the S2b access mode. In the embodiment of the present invention, an IPsec tunnel is established between the user equipment and the base station to achieve the role of the ePDG on the S2b interface.
在实施本发明实施例的IPsec隧道建立方法之前,用户设备已经接入核心网,并且鉴权成功。此时,基站处已经有用户设备的身份标识,如小区无线网络临时标识(Cell Radio Network Temporary Identifier,简称C-RNTI),并且基站可以通过此标识找到用户设备。鉴权成功带来的结果是用户设备和基站之间的空口安全已经建立,即用户设备和基站之间已经持有相同的机密性密钥和完整性密钥,这些密钥用来保证用户设备和基站之间在通过移动网络传输消息的安全性。Before the IPsec tunnel establishment method of the embodiment of the present invention is implemented, the user equipment has accessed the core network, and the authentication succeeds. At this time, the base station already has the identity of the user equipment, such as a Cell Radio Network Temporary Identifier (C-RNTI), and the base station can find the user equipment by using the identifier. The result of successful authentication is that the air interface security between the user equipment and the base station has been established, that is, the user equipment and the base station already hold the same confidentiality key and integrity key, and these keys are used to ensure the user equipment. The security of transmitting messages over the mobile network with the base station.
本发明实施例在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。In the embodiment of the present invention, when the user equipment requests to access the core network through the wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and perform IPsec tunnel transmission parameters included in the tunnel establishment parameters in IPsec. The data is transmitted in the tunnel, so that the user equipment can securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
图3为本发明实施例提供的一种IPsec隧道建立方法的流程示意图,该方法包括以下步骤:FIG. 3 is a schematic flowchart of a method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
S101、基站与用户设备协商抗重放参数。S101. The base station negotiates anti-replay parameters with the user equipment.
抗重放参数是为了防止基站或用户设备每次生成的密钥是相同的,或者生成的消息是相同的,如果密钥或消息相同的话,攻击者可以截获以前的消息,再次重新发送。抗重放参数一般是随机数,时间戳,或者计数器的值。The anti-replay parameter is to prevent the base station or the user equipment from generating the same key each time, or the generated message is the same. If the key or the message is the same, the attacker can intercept the previous message and resend it again. Anti-replay parameters are generally random numbers, time stamps, or counter values.
基站可以在发送基站的IP地址给用户设备的RRC消息中携带抗重放参数 -1,用户设备则可以在回复基站的RRC消息时携带抗重放参数-2,也可以不携带抗重放参数-2,这由具体配置决定,例如,如果抗重放参数是随机数,抗重放参数-1和抗重放参数-2有可能是相同的,也可能是不同的,如果选择传递随机数的方式,则在回复消息中要携带抗重放参数-2;如果采用计数器的方式,基站可以设置计数器,而用户设备不设置计数器,所以需要基站把计数器的值作为抗重放参数-1传给用户设备,而用户设备由于没有计时器,所以回复消息中没有携带抗重放参数;如果用户设备中也设置有计数器,则用户设备也需要将其计数器的值作为抗重放参数-2传给基站;如果采用时间戳的方式,则双方都需要传送抗重放参数。相应地,回复基站的RRC消息可以包括:RRC重配置完成消息,RRC完成消息等。The base station may carry the anti-replay parameter in the RRC message of the user equipment sending the IP address of the base station. -1, the user equipment may carry the anti-replay parameter-2 when carrying the RRC message of the base station, or may not carry the anti-replay parameter-2, which is determined by the specific configuration, for example, if the anti-replay parameter is a random number, The anti-replay parameter-1 and the anti-replay parameter-2 may be the same or different. If the method of transmitting the random number is selected, the anti-replay parameter-2 is carried in the reply message; if a counter is used The base station can set the counter, and the user equipment does not set the counter. Therefore, the base station needs to transmit the value of the counter as the anti-replay parameter-1 to the user equipment, and the user equipment does not carry the anti-weight in the reply message because there is no timer. If the user equipment is also provided with a counter, the user equipment also needs to transmit the value of its counter as the anti-replay parameter-2 to the base station; if the time stamp is used, both parties need to transmit the anti-replay parameters. Correspondingly, the RRC message of the replying base station may include: an RRC reconfiguration complete message, an RRC completion message, and the like.
S102、基站根据空口密钥KeNB和第一抗重放参数生成第一预共享密钥Kipsec,并根据第一Kipsec生成第一鉴权信息AUTH。S102. The base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec.
S103、用户设备根据该KeNB和第二抗重放参数生成第二Kipsec,并根据第二Kipsec生成第二AUTH。S103. The user equipment generates a second Kipsec according to the KeNB and the second anti-playback parameter, and generates a second AUTH according to the second Kipsec.
用户设备和基站在建立空口安全的时候,会生成相同的空口密钥KeNB。然后,基站、用户设备分别利用设定的密钥生成函数,根据KeNB和协商后的抗重放参数生成第一Kipsec和第二Kipsec,再分别根据第一Kipsec和第二Kipsec生成第一AUTH(Authentication)和第二AUTH,由于采用的密钥生成函数相同,KeNB相同,且抗重放参数是经过协商过的,基站和用户设备知道对端的抗重放参数,因此,基站、用户设备能够分别根据自己的鉴权信息,验证对端的鉴权信息。When the user equipment and the base station establish air interface security, the same air interface key KeNB is generated. Then, the base station and the user equipment respectively generate the first Kipsec and the second Kipsec according to the KeNB and the negotiated anti-replay parameters according to the set key generation function, and then generate the first AUTH according to the first Kipsec and the second Kipsec respectively ( The authentication and the second AUTH are the same as the key generation function, the KeNB is the same, and the anti-replay parameters are negotiated. The base station and the user equipment know the anti-replay parameters of the opposite end. Therefore, the base station and the user equipment can respectively Verify the authentication information of the peer according to its own authentication information.
S104、基站与用户设备协商IPsec隧道建立参数。S104. The base station negotiates an IPsec tunnel establishment parameter with the user equipment.
该IPsec隧道建立参数包括鉴权信息(AUTH)和IPsec隧道传输参数,该IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识(Traffic Selector,简称TS),安全参数又称安全联盟参数(Security Association,简称SA),此参数包含安全算法,以及第一Kipsec或第二Kipsec,该安全算法具有安全算法级别,安全算法级别用于表示哪种算法应该被优先考虑,第一Kipsec或第二Kipsec用于在安全算法中加密IPsec隧道中传输的数据流。IPsec隧道建立参数还可能包括用户设备的身份标识IDi,和基站的身份标识IDr。在此实施例中,为了使基站准确无误的判断用户设备的身份,可采用 C-RNTI作为IDi。其中,IDi表示发起方身份,即Identification-Initiator,IDr表示接收方身份,即Identification-Responder。The IPsec tunnel establishment parameter includes an authentication information (AUTH) and an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier of an ingress/egress port for identifying a data stream protected by IPsec (Traffic Selector, TS for short) The security parameter is also called the Security Association (SA). This parameter contains the security algorithm, and the first Kipsec or the second Kipsec. The security algorithm has a security algorithm level. The security algorithm level is used to indicate which algorithm should be used. Priority is given to the use of the first Kipsec or the second Kipsec to encrypt the data stream transmitted in the IPsec tunnel in the security algorithm. The IPsec tunnel setup parameters may also include the identity IDi of the user equipment, and the identity ID of the base station. In this embodiment, in order to enable the base station to accurately determine the identity of the user equipment, C-RNTI is used as IDi. Where IDi represents the identity of the initiator, ie Identification-Initiator, and IDr represents the identity of the recipient, ie Identification-Responder.
S105、基站、用户设备分别验证第一AUTH和第二AUTH。S105. The base station and the user equipment respectively verify the first AUTH and the second AUTH.
S106、若基站验证第一AUTH和第二AUTH一致,对用户设备的身份进行验证。S106. If the base station verifies that the first AUTH and the second AUTH are consistent, verify the identity of the user equipment.
在获得协商后的IPsec隧道建立参数后,基站、用户设备分别验证对端的鉴权信息是否与自身的鉴权信息一致,如果验证通过,基站再对用户设备的身份进行验证。基站验证用户设备的身份,可以将空口连接时已经获取的用户设备的身份以及IPsec隧道建立参数包含的用户设备的身份标识进行比较,而如果接收的是RRC消息,则用户设备的身份已经在接收RRC消息时进行验证。After obtaining the negotiated IPsec tunnel establishment parameters, the base station and the user equipment respectively verify whether the authentication information of the peer end is consistent with the authentication information of the peer end. If the verification succeeds, the base station verifies the identity of the user equipment. The base station verifies the identity of the user equipment, and compares the identity of the user equipment that has been acquired when the air interface is connected with the identity of the user equipment that is included in the IPsec tunnel establishment parameter, and if the RRC message is received, the identity of the user equipment is already received. Verification is performed when the RRC message is received.
基站与用户设备协商了IPsec隧道传输参数,则建立IPsec隧道的工作已经完成,从而可以根据IPsec隧道传输参数在IPsec隧道中传输数据。After the base station negotiates the IPsec tunnel transmission parameters with the user equipment, the work of establishing an IPsec tunnel is completed, so that data can be transmitted in the IPsec tunnel according to the IPsec tunnel transmission parameters.
根据本发明实施例提供的一种IPsec隧道建立方法,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, an IPsec tunnel is established. When a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish an tunnel according to the tunnel. The IPsec tunnel transmission parameters included in the parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
图4为本发明实施例提供的另一种IPsec隧道建立方法的流程示意图,该方法包括以下步骤:FIG. 4 is a schematic flowchart of another method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
S201、基站在RRC重配置消息中发送基站的IP地址给用户设备。S201. The base station sends an IP address of the base station to the user equipment in the RRC reconfiguration message.
RRC重配置消息中携带抗重放参数-1。The anti-replay parameter-1 is carried in the RRC reconfiguration message.
S202、用户设备在收到基站的RRC重配置消息之后,回复RRC重配置完成消息。S202. After receiving the RRC reconfiguration message of the base station, the user equipment returns an RRC reconfiguration complete message.
RRC重配置完成消息中携带抗重放参数-2。The anti-replay parameter-2 is carried in the RRC reconfiguration complete message.
在建立用户设备与基站之间的IPsec隧道时,需要完成两个操作:第一,双方需要知道对端的IP地址,第二,基站需要确定建立IPsec隧道的对端是本用户设备,而不是攻击者或其他人的用户设备,即用户设备的身份是正确的。When establishing an IPsec tunnel between the user equipment and the base station, two operations need to be performed. First, the two parties need to know the IP address of the peer. Second, the base station needs to determine that the peer end that establishes the IPsec tunnel is the user equipment, instead of attacking. The user device of the person or other person, that is, the identity of the user device is correct.
首先,基站将基站的IP地址发送给用户设备。基站可以在多种无线资源控制(Radio Resource Control,简称RRC)消息中选择一个,用于发送基站的IP 地址,该RRC消息包括:RRC重配置消息,RRC建立请求消息,RRC重建立消息等。选择通过RRC消息传送是基于已通过安全认证的移动网络,可以确保发送的消息的安全性。First, the base station transmits the IP address of the base station to the user equipment. The base station may select one of a plurality of Radio Resource Control (RRC) messages for transmitting the IP of the base station. Address, the RRC message includes: an RRC reconfiguration message, an RRC setup request message, an RRC re-establishment message, and the like. The choice of RRC messaging is based on a mobile network that has passed security authentication, which ensures the security of the transmitted message.
同时,用户设备发送用户设备连接的无线局域网的IP地址给基站,在用户设备发送IP之前,用户设备首先要通过AP接入无线局域网,然后获得无线局域网分发的IP地址。At the same time, the user equipment sends the IP address of the WLAN connected to the user equipment to the base station. Before the user equipment sends the IP, the user equipment first needs to access the WLAN through the AP, and then obtain the IP address distributed by the WLAN.
S203、基站利用设定密钥生成函数,根据空口密钥KeNB和协商后的抗重放参数生成第一预共享密钥Kipsec,并根据第一Kipsec生成第一鉴权信息AUTH。S203. The base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generates first authentication information AUTH according to the first Kipsec.
S204、用户设备利用该设定密钥生成函数,根据该KeNB和协商后的抗重放参数生成第二Kipsec,并根据第二Kipsec生成第二AUTH。S204. The user equipment uses the set key generation function to generate a second Kipsec according to the KeNB and the negotiated anti-replay parameter, and generate a second AUTH according to the second Kipsec.
S205、用户设备接入AP。S205. The user equipment accesses the AP.
S206、用户设备获得AP分发的IP地址。S206. The user equipment obtains an IP address distributed by the AP.
S207、用户设备将AP分发的IP地址发送给基站。S207. The user equipment sends the IP address distributed by the AP to the base station.
S208、基站与用户设备通过第一因特网密钥交换协议版本2消息协商第二安全参数。S208. The base station and the user equipment negotiate the second security parameter by using the first Internet Key Exchange Protocol version 2 message.
具体地,用户设备发送因特网密钥交换安全联盟参数协商初始消息IKE_SA_INIT消息给基站,该IKE_SA_INIT消息中包括因特网密钥交换协议头(IKE Header,简称HDR),第二安全参数SAi1,发送方基本密钥KEi,随机数Ni,其中,HDR中包括安全参数索引(Security Parameter Indexes,简称SPI),用于标识IPsec隧道建立过程;基站回复IKE_SA_INIT消息,回复的消息中包括HDR,SAr1,回复方基本密钥KEr,随机数Nr,从而完成基站与用户设备的第二安全参数的协商。第二安全参数也包括安全算法,安全算法级别和密钥。这里的SAi1和SAr1的安全算法级别是通过IKEv2消息确定的,SAi1和SAr1中包括多个安全算法,通过安全算法级别来指定采用的安全算法。密钥是根据基本密钥(KEi和KEr),以及随机数(Ni,Nr)生成的。第二安全参数用于加密传输IPsec隧道建立参数的第二IKEv2消息。Specifically, the user equipment sends an Internet Key Exchange Security Association parameter negotiation initial message IKE_SA_INIT message to the base station, where the IKE_SA_INIT message includes an Internet Key Exchange Protocol Header (HDR Header, HDR for short), and the second security parameter SAi1, the sender is substantially dense. Key KEi, random number Ni, wherein HDR includes Security Parameter Indexes (SPI) for identifying the IPsec tunnel establishment process; the base station replies with the IKE_SA_INIT message, and the reply message includes HDR, SAr1, and the reply party is basically dense. The key KEl, the random number Nr, completes the negotiation of the second security parameter between the base station and the user equipment. The second security parameter also includes a security algorithm, a security algorithm level, and a key. The security algorithm level of SAi1 and SAr1 is determined by the IKEv2 message. SAi1 and SAr1 include multiple security algorithms, and the security algorithm is used to specify the security algorithm to be adopted. The key is generated based on the base key (KEi and KEl) and the random number (Ni, Nr). The second security parameter is used to encrypt the second IKEv2 message that transmits the IPsec tunnel establishment parameters.
S209、基站接收用户设备根据第二安全参数加密发送的第二IKEv2消息。S209. The base station receives a second IKEv2 message that is sent by the user equipment according to the second security parameter.
具体地,用户设备发送IKE_AUTH消息给基站该IKE_AUTH消息由第二安全参数进行加密发送。该IKE_AUTH消息中包括HDR,SK{IDi,AUTH,SAi2, TSi,TSr},其中,SK{}表示{}中的参数用第二安全参数中的安全算法和密钥进行加密保护了;基站回复用户设备的IKR_AUTH消息,回复的消息中包括HDR,SK{IDr,AUTH,SAr2,TSi,TSr}。Specifically, the user equipment sends an IKE_AUTH message to the base station, and the IKE_AUTH message is encrypted and sent by the second security parameter. The IKE_AUTH message includes HDR, SK{IDi, AUTH, SAi2, TSi, TSR}, where SK{} indicates that the parameter in {} is encrypted and protected by the security algorithm and the key in the second security parameter; the base station replies to the IKR_AUTH message of the user equipment, and the reply message includes HDR, SK{ IDr, AUTH, SAr2, TSi, TSR}.
在本实施例中,基站与用户设备之间通过IP数据包,具体的是因特网密钥交换协议版本2消息,协商IPsec隧道建立参数,由于是通过IP数据包传输,尚未验证对端的身份,不能保证传输过程的安全性,因此,需要先协商用于传输IPsec隧道建立参数的消息的安全参数,然后通过协商好的安全参数对发送IPsec隧道建立参数的消息进行加密。In this embodiment, the IP data packet is negotiated between the base station and the user equipment, specifically the Internet Key Exchange Protocol version 2 message, and the IPsec tunnel establishment parameter is negotiated. Since the IP data packet is transmitted, the identity of the peer end has not been verified. To ensure the security of the transmission process, the security parameters of the message for transmitting the IPsec tunnel establishment parameters need to be negotiated first, and then the message for sending the IPsec tunnel establishment parameters is encrypted by the negotiated security parameters.
作为S208-S209的一种替代方式,用户设备通过RRC消息发送IPsec隧道建立参数给基站,基站接收用户设备发送的IPsec隧道建立参数,即将建立IPsec隧道的整个IKEv2的消息封装在RRC消息中传递,由于RRC消息可以保证收发对端是认证过的,不需要强调鉴权信息AUTH和发起方的身份IDi。As an alternative to S208-S209, the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message, and the base station receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated and transmitted in the RRC message. Since the RRC message can ensure that the transmitting and receiving peers are authenticated, it is not necessary to emphasize the authentication information AUTH and the identity IDi of the initiator.
S210、基站、用户设备分别验证第一AUTH和第二AUTH。S210. The base station and the user equipment respectively verify the first AUTH and the second AUTH.
S211、若基站验证第一AUTH和第二AUTH一致,对用户设备的身份进行验证。S211. If the base station verifies that the first AUTH and the second AUTH are consistent, verify the identity of the user equipment.
图5为本发明实施例提供的又一种IPsec隧道建立方法的流程示意图,该方法包括以下步骤:FIG. 5 is a schematic flowchart of still another method for establishing an IPsec tunnel according to an embodiment of the present invention, where the method includes the following steps:
S301、用户设备接入AP。S301. The user equipment accesses the AP.
S302、用户设备获得AP分发的IP地址。S302. The user equipment obtains an IP address distributed by the AP.
S303、基站在RRC重配置消息中发送基站的IP地址给用户设备。S303. The base station sends an IP address of the base station to the user equipment in the RRC reconfiguration message.
此消息中携带抗重放参数-1。This message carries the anti-replay parameter -1.
S304、用户设备在收到基站的RRC重配置消息之后,回复RRC重配置完成消息。S304. After receiving the RRC reconfiguration message of the base station, the user equipment returns an RRC reconfiguration complete message.
携带用户设备连接的AP的IP地址和抗重放参数-2。The IP address of the AP connected to the user equipment and the anti-replay parameter-2.
S305、基站利用设定密钥生成函数,根据空口密钥KeNB和协商后的抗重放参数生成第一预共享密钥Kipsec,并根据第一Kipsec生成第一鉴权信息AUTH。S305. The base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generates first authentication information AUTH according to the first Kipsec.
S306、用户设备利用该设定密钥生成函数,根据该KeNB和协商后的抗重放参数生成第二Kipsec,并根据第二Kipsec生成第二AUTH。 S306. The user equipment uses the set key generation function to generate a second Kipsec according to the KeNB and the negotiated anti-replay parameter, and generate a second AUTH according to the second Kipsec.
S307、基站接收用户设备通过RRC消息发送的第二AUTH和用户设备所支持的安全算法列表。S307. The base station receives a second AUTH sent by the user equipment by using an RRC message, and a list of security algorithms supported by the user equipment.
用户设备通过RRC消息将IPsec隧道建立必要参数发送给基站,基站接收用户设备发送的IPsec隧道建立必要参数,该IPsec隧道建立必要参数包括:鉴权信息,以及用户设备所支持的安全算法列表,该安全算法可包括加密算法和完整性保护算法。The user equipment sends the necessary parameters of the IPsec tunnel establishment to the base station by using the RRC message, and the base station receives the necessary parameters for establishing the IPsec tunnel sent by the user equipment, and the necessary parameters for establishing the IPsec tunnel include: authentication information, and a list of security algorithms supported by the user equipment. Security algorithms may include encryption algorithms and integrity protection algorithms.
可选地,也可以在用户设备附着到核心网的过程中即attach过程中,将用户设备所支持的安全算法列表事先传输给基站,即可以在S301之前,用户设备在Attach Request消息中携带用户设备所支持的安全算法列表给MME,MME在Attach Accept消息中,将用户设备所支持的安全算法列表传输给基站,之后完成用户设备的Attach流程,建立默认承载。Optionally, the security algorithm list supported by the user equipment may be transmitted to the base station in advance in the process of attaching the user equipment to the core network, that is, before the user equipment, the user equipment carries the user in the Attach Request message. The security algorithm list supported by the device is sent to the MME. In the Attach Accept message, the MME transmits the security algorithm list supported by the user equipment to the base station, and then completes the Attach process of the user equipment to establish a default bearer.
S308、基站根据自身的安全算法级别列表,以及用户设备所支持的安全算法列表,确定第一安全参数的安全算法的级别。S308. The base station determines, according to its own security algorithm level list, and a list of security algorithms supported by the user equipment, the level of the security algorithm of the first security parameter.
基站中设置有安全算法级别列表,该安全算法级别列表中包括多个安全算法与安全算法级别的对应关系。基站根据该安全算法级别列表和获取的用户设备所支持的安全算法列表,可以从用户设备所支持的安全算法确定第一安全参数的安全算法的级别,该安全算法作为保护IPsec隧道传输的安全算法,例如,可以选取用户设备所支持的安全算法列表中算法安全能力级别最高的安全算法。A security algorithm level list is set in the base station, and the security algorithm level list includes a correspondence between multiple security algorithms and security algorithm levels. The base station can determine the level of the security algorithm of the first security parameter from the security algorithm supported by the user equipment according to the security algorithm level list and the obtained security algorithm list supported by the user equipment, and the security algorithm acts as a security algorithm for protecting the IPsec tunnel transmission. For example, the security algorithm with the highest level of algorithm security capability in the list of security algorithms supported by the user equipment can be selected.
可选地,如果用户设备在attach过程中事先将用户设备所支持的安全算法列表传输给基站,则基站可以在RRC重配置消息中将基站的IP地址和确定的第一安全参数的安全算法的级别发送给用户设备。Optionally, if the user equipment transmits the security algorithm list supported by the user equipment to the base station in advance in the attach process, the base station may use the IP address of the base station and the determined security algorithm of the first security parameter in the RRC reconfiguration message. The level is sent to the user device.
S309、基站将IPsec隧道建立参数发送给用户设备。S309. The base station sends an IPsec tunnel establishment parameter to the user equipment.
在确定了鉴权信息和第一安全算法后,基站将IPsec隧道建立参数发送给用户设备,该IPsec隧道建立参数包括第一安全参数和TS,该第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。After determining the authentication information and the first security algorithm, the base station sends an IPsec tunnel establishment parameter to the user equipment, where the IPsec tunnel establishment parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm, and the A Kipsisec or the second Kipsec.
在本实施例中,通过RRC消息来传输IPsec隧道建立必要参数,没有完全封装IKEv2消息,由于RRC消息本身可以保证数据传输的安全性,无需协商第二安全参数。In this embodiment, the RRC message is used to transmit the IPsec tunnel establishment necessary parameters, and the IKEv2 message is not completely encapsulated. Since the RRC message itself can ensure the security of the data transmission, there is no need to negotiate the second security parameter.
在本实施例中,是由用户设备发起IPsec隧道建立,作为S307-S309的一种 替代方式,也可以由基站发起IPsec隧道建立,即基站通过RRC消息将IPsec隧道建立必要参数发送给用户设备,以使用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,然后用户设备将IPsec隧道建立参数发送给基站,基站接收用户设备发送的IPsec隧道建立参数。In this embodiment, the IPsec tunnel establishment is initiated by the user equipment, as a type of S307-S309. Alternatively, the base station may initiate IPsec tunnel establishment, that is, the base station sends the IPsec tunnel establishment necessary parameters to the user equipment through the RRC message, so that the user equipment according to the list of security algorithms supported by the user equipment, and the security algorithm level list of the base station. Determining a level of the security algorithm of the first security parameter, and then the user equipment sends an IPsec tunnel establishment parameter to the base station, where the base station receives an IPsec tunnel establishment parameter sent by the user equipment.
S310、基站、用户设备分别验证第一AUTH和第二AUTH。S310. The base station and the user equipment respectively verify the first AUTH and the second AUTH.
S311、若基站验证第一AUTH和第二AUTH一致,对用户设备的身份进行验证。S311. If the base station verifies that the first AUTH and the second AUTH are consistent, verify the identity of the user equipment.
需要说明的是,对于前述的各方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本发明并不受所描述的动作顺序的限制,因为根据本发明,某些步骤可以采用其他顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作和模块并不一定是本发明所必须的。It should be noted that, for the foregoing method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should understand that the present invention is not limited by the described action sequence. Because certain steps may be performed in other sequences or concurrently in accordance with the present invention. In addition, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
在上述实施例中,对各个实施例的描述都各有侧重,某个实施例中没有详述的部分,可以参见其他实施例的相关描述。In the above embodiments, the descriptions of the various embodiments are different, and the details that are not detailed in a certain embodiment can be referred to the related descriptions of other embodiments.
本发明实施例方法中的步骤可以根据实际需要进行顺序调整、合并和删减。The steps in the method of the embodiment of the present invention may be sequentially adjusted, merged, and deleted according to actual needs.
图6为本发明实施例提供的一种基站的结构示意图,该基站1000包括发送单元11、确定单元12、生成单元13和验证单元14。其中:FIG. 6 is a schematic structural diagram of a base station according to an embodiment of the present invention. The base station 1000 includes a sending unit 11, a determining unit 12, a generating unit 13, and a verifying unit 14. among them:
发送单元11,用于发送第一抗重放参数给用户设备。The sending unit 11 is configured to send the first anti-replay parameter to the user equipment.
确定单元12,用于确定所述用户设备的第二抗重放参数基站可以在给用户设备的RRC消息中携带抗重放参数-1,用户设备则可以在回复基站的RRC消息时携带抗重放参数-2,也可以不携带抗重放参数-2,这由具体配置决定。相应地,回复基站的RRC消息可以包括:RRC重配置完成消息,RRC完成消息等。The determining unit 12 is configured to determine that the second anti-replay parameter of the user equipment may carry the anti-replay parameter-1 in the RRC message of the user equipment, and the user equipment may carry the anti-weight when replying to the RRC message of the base station. The parameter-2 can also be placed without carrying the anti-replay parameter-2, which is determined by the specific configuration. Correspondingly, the RRC message of the replying base station may include: an RRC reconfiguration complete message, an RRC completion message, and the like.
生成单元13,用于根据空口密钥KeNB和第一抗重放参数生成第一预共享密钥Kipsec,并根据第一Kipsec生成第一鉴权信息AUTH。The generating unit 13 is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec.
用户设备和基站在建立空口安全的时候,会生成相同的空口密钥KeNB。 然后,基站、用户设备分别利用设定的密钥生成函数,根据KeNB和协商后的抗重放参数生成第一Kipsec和第二Kipsec,再分别根据第一Kipsec和第二Kipsec生成第一AUTH和第二AUTH,由于采用的密钥生成函数相同,KeNB相同,且抗重放参数是经过协商过的,基站和用户设备知道对端的抗重放参数,因此,基站、用户设备能够分别根据自己的鉴权信息,验证对端的鉴权信息。When the user equipment and the base station establish air interface security, the same air interface key KeNB is generated. Then, the base station and the user equipment respectively generate the first Kipsec and the second Kipsec according to the KeNB and the negotiated anti-replay parameters, and then generate the first AUTH according to the first Kipsec and the second Kipsec respectively by using the set key generation function. The second AUTH, because the key generation function is the same, the KeNB is the same, and the anti-replay parameters are negotiated, and the base station and the user equipment know the anti-replay parameters of the opposite end. Therefore, the base station and the user equipment can respectively according to their own The authentication information is used to verify the authentication information of the peer.
所述确定单元12还用于确定IPsec隧道建立参数。The determining unit 12 is further configured to determine an IPsec tunnel establishment parameter.
该IPsec隧道建立参数包括鉴权信息和IPsec隧道传输参数,该IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识,安全参数又称安全联盟参数(Security Association,简称SA),此参数包含安全算法,以及第一Kipsec或第二Kipsec,该安全算法具有安全算法级别,安全算法级别用于表示哪种算法应该被优先考虑,第一Kipsec或第二Kipsec用于在安全算法中加密IPsec隧道中传输的数据流。IPsec隧道建立参数还可能包括用户设备的身份标识IDi,和基站的身份标识IDr。The IPsec tunnel establishment parameter includes an authentication information and an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier of an ingress/egress port for identifying a data stream protected by IPsec, and the security parameter is also called a security association parameter. Security Association (SA), this parameter contains the security algorithm, and the first Kipsec or the second Kipsec, the security algorithm has a security algorithm level, the security algorithm level is used to indicate which algorithm should be prioritized, the first Kipsel or the second Kipsec is used to encrypt the data stream transmitted in an IPsec tunnel in a security algorithm. The IPsec tunnel setup parameters may also include the identity IDi of the user equipment, and the identity ID of the base station.
验证单元14,用于验证第一AUTH和第二AUTH以及用户设备的身份。The verification unit 14 is configured to verify the identity of the first AUTH and the second AUTH and the user equipment.
在获得协商后的IPsec隧道建立参数后,基站、用户设备分别验证对端的鉴权信息是否与自身的鉴权信息一致,如果验证通过,基站再对用户设备的身份进行验证。基站验证用户设备的身份,可以将空口连接时已经获取的用户设备的身份以及IPsec隧道建立参数包含的用户设备的身份标识进行比较,而如果接收的是RRC消息,则用户设备的身份已经在接收RRC消息时进行验证。After obtaining the negotiated IPsec tunnel establishment parameters, the base station and the user equipment respectively verify whether the authentication information of the peer end is consistent with the authentication information of the peer end. If the verification succeeds, the base station verifies the identity of the user equipment. The base station verifies the identity of the user equipment, and compares the identity of the user equipment that has been acquired when the air interface is connected with the identity of the user equipment that is included in the IPsec tunnel establishment parameter, and if the RRC message is received, the identity of the user equipment is already received. Verification is performed when the RRC message is received.
基站与用户设备协商了IPsec隧道传输参数,则建立IPsec隧道的工作已经完成。After the base station negotiates the IPsec tunnel transmission parameters with the user equipment, the work of establishing an IPsec tunnel is completed.
根据本发明实施例提供的一种基站,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and include parameters according to the tunnel establishment. The IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
请继续参阅图6,基站还包括接收单元,下面提供接收单元的一种具体实现方式:Referring to FIG. 6 , the base station further includes a receiving unit, and a specific implementation manner of the receiving unit is provided below:
接收单元具体用于获取与所述用户设备通过第一因特网密钥交换协议版 本2消息协商的第二安全参数。The receiving unit is specifically configured to obtain the first Internet Key Exchange Protocol version with the user equipment. The second security parameter negotiated by this 2 message.
具体地,用户设备发送因特网密钥交换安全联盟参数协商初始消息IKE_SA_INIT消息给基站,该IKE_SA_INIT消息中包括HDR,第二安全参数SAi1,发送方基本密钥KEi,随机数Ni,其中,HDR中包括SPI,用于标识IPsec隧道建立过程;基站回复IKE_SA_INIT消息,回复的消息中包括HDR,SAr1,回复方基本密钥KEr,随机数Nr,从而完成基站与用户设备的第二安全参数的协商。第二安全参数也包括安全算法,安全算法级别和密钥。这里的SAi1和SAr1的安全算法级别是通过IKEv2消息确定的,SAi1和SAr1中包括多个安全算法,通过安全算法级别来指定采用的安全算法。密钥是根据基本密钥(KEi和KEr),以及随机数(Ni,Nr)生成的。第二安全参数用于加密传输IPsec隧道建立参数的第二IKEv2消息。Specifically, the user equipment sends an Internet Key Exchange Security Association parameter negotiation initial message IKE_SA_INIT message to the base station, where the IKE_SA_INIT message includes HDR, a second security parameter SAi1, a sender basic key KEi, and a random number Ni, wherein the HDR includes The SPI is used to identify the IPsec tunnel establishment process. The base station replies to the IKE_SA_INIT message, and the replies include HDR, SAr1, the replies basic key KEr, and the random number Nr, thereby completing the negotiation of the second security parameter between the base station and the user equipment. The second security parameter also includes a security algorithm, a security algorithm level, and a key. The security algorithm level of SAi1 and SAr1 is determined by the IKEv2 message. SAi1 and SAr1 include multiple security algorithms, and the security algorithm is used to specify the security algorithm to be adopted. The key is generated based on the base key (KEi and KEl) and the random number (Ni, Nr). The second security parameter is used to encrypt the second IKEv2 message that transmits the IPsec tunnel establishment parameters.
接收单元还具体用于接收用户设备根据第二安全参数加密发送的第二IKEv2消息。The receiving unit is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter.
具体地,用户设备发送IKE_AUTH消息给基站该IKE_AUTH消息由第二安全参数进行加密发送。该IKE_AUTH消息中包括HDR,SK{IDi,AUTH,SAi2,TSi,TSr},其中,SK{}表示{}中的参数用第二安全参数中的安全算法和密钥进行加密保护了;基站回复用户设备的IKR_AUTH消息,回复的消息中包括HDR,SK{IDr,AUTH,SAr2,TSi,TSr}。Specifically, the user equipment sends an IKE_AUTH message to the base station, and the IKE_AUTH message is encrypted and sent by the second security parameter. The IKE_AUTH message includes HDR, SK{IDi, AUTH, SAi2, TSi, TSR}, wherein the parameter in the {{} indicates that the parameter in the {} is encrypted and protected by the security algorithm and the key in the second security parameter; The IKR_AUTH message of the user equipment includes HDR, SK{IDr, AUTH, SAr2, TSi, TSR}.
在本实施例中,基站与用户设备之间通过IP数据包,具体的是因特网密钥交换协议版本2消息,协商IPsec隧道建立参数,由于是通过IP数据包传输,尚未验证对端的身份,不能保证传输过程的安全性,因此,需要先协商用于传输IPsec隧道建立参数的消息的安全参数,然后通过协商好的安全参数对发送IPsec隧道建立参数的消息进行加密。In this embodiment, the IP data packet is negotiated between the base station and the user equipment, specifically the Internet Key Exchange Protocol version 2 message, and the IPsec tunnel establishment parameter is negotiated. Since the IP data packet is transmitted, the identity of the peer end has not been verified. To ensure the security of the transmission process, the security parameters of the message for transmitting the IPsec tunnel establishment parameters need to be negotiated first, and then the message for sending the IPsec tunnel establishment parameters is encrypted by the negotiated security parameters.
作为接收单元的另一种替代的实现方式,用户设备通过RRC消息发送IPsec隧道建立参数给基站,接收单元接收用户设备发送的IPsec隧道建立参数,即将建立IPsec隧道的整个IKEv2的消息封装在RRC消息中传递,由于RRC消息可以保证收发对端是认证过的,不需要强调鉴权信息AUTH和发起方的身份IDi。As an alternative implementation manner of the receiving unit, the user equipment sends an IPsec tunnel establishment parameter to the base station by using an RRC message, and the receiving unit receives the IPsec tunnel establishment parameter sent by the user equipment, and the message of the entire IKEv2 of the IPsec tunnel is encapsulated in the RRC message. In the RRC message, the transceiver end can be authenticated, and the authentication information AUTH and the identity IDi of the initiator need not be emphasized.
图7为本发明实施例提供的另一种基站的结构示意图,该基站2000包括发 送单元21、接收单元22、生成单元23、确定单元24和验证单元25。其中:FIG. 7 is a schematic structural diagram of another base station according to an embodiment of the present disclosure, where the base station 2000 includes The sending unit 21, the receiving unit 22, the generating unit 23, the determining unit 24, and the verifying unit 25. among them:
发送单元21,用于在RRC重配置消息中将基站的互联网协议IP地址和抗重放参数发送给用户设备。The sending unit 21 is configured to send the Internet Protocol IP address and the anti-replay parameter of the base station to the user equipment in the RRC reconfiguration message.
接收单元22,用于接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址和抗重放参数。The receiving unit 22 is configured to receive an IP address and an anti-replay parameter of the wireless local area network to which the user equipment is connected, which is sent by the user equipment.
生成单元23,用于利用设定密钥生成函数,根据空口密钥KeNB和协商后的抗重放参数生成第一预共享密钥Kipsec,并根据第一Kipsec生成第一鉴权信息AUTH。The generating unit 23 is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the negotiated anti-replay parameter by using a set key generation function, and generate first authentication information AUTH according to the first Kipsec.
接收单元22还用于接收用户设备通过RRC消息发送的第二AUTH和用户设备所支持的安全算法列表。The receiving unit 22 is further configured to receive a second AUTH sent by the user equipment by using an RRC message, and a list of security algorithms supported by the user equipment.
用户设备通过RRC消息将IPsec隧道建立必要参数发送给基站,基站接收用户设备发送的IPsec隧道建立必要参数,该IPsec隧道建立必要参数包括:鉴权信息,以及用户设备所支持的安全算法列表,该安全算法可包括加密算法和完整性保护算法。The user equipment sends the necessary parameters of the IPsec tunnel establishment to the base station by using the RRC message, and the base station receives the necessary parameters for establishing the IPsec tunnel sent by the user equipment, and the necessary parameters for establishing the IPsec tunnel include: authentication information, and a list of security algorithms supported by the user equipment. Security algorithms may include encryption algorithms and integrity protection algorithms.
可选地,也可以在用户设备附着到核心网的过程中即attach过程中,将用户设备所支持的安全算法列表事先传输给基站,即可以在S301之前,用户设备在Attach Request消息中携带用户设备所支持的安全算法列表给MME,MME在Attach Accept消息中,将用户设备所支持的安全算法列表传输给基站,之后完成用户设备的Attach流程,建立默认承载。Optionally, the security algorithm list supported by the user equipment may be transmitted to the base station in advance in the process of attaching the user equipment to the core network, that is, before the user equipment, the user equipment carries the user in the Attach Request message. The security algorithm list supported by the device is sent to the MME. In the Attach Accept message, the MME transmits the security algorithm list supported by the user equipment to the base station, and then completes the Attach process of the user equipment to establish a default bearer.
确定单元24,用于根据自身的安全算法级别列表,以及用户设备所支持的安全算法列表,确定第一安全参数的安全算法的级别。The determining unit 24 is configured to determine a level of the security algorithm of the first security parameter according to the security algorithm level list of the user and the security algorithm list supported by the user equipment.
基站中设置有安全算法级别列表,该安全算法级别列表中包括多个安全算法与安全算法级别的对应关系。基站根据该安全算法级别列表和获取的用户设备所支持的安全算法列表,可以从用户设备所支持的安全算法确定第一安全参数的安全算法的级别,该安全算法作为保护IPsec隧道传输的安全算法,例如,可以选取用户设备所支持的安全算法列表中算法安全能力级别最高的安全算法。A security algorithm level list is set in the base station, and the security algorithm level list includes a correspondence between multiple security algorithms and security algorithm levels. The base station can determine the level of the security algorithm of the first security parameter from the security algorithm supported by the user equipment according to the security algorithm level list and the obtained security algorithm list supported by the user equipment, and the security algorithm acts as a security algorithm for protecting the IPsec tunnel transmission. For example, the security algorithm with the highest level of algorithm security capability in the list of security algorithms supported by the user equipment can be selected.
可选地,如果用户设备在attach过程中事先将用户设备所支持的安全算法列表传输给基站,则基站可以在RRC重配置消息中将基站的IP地址和确定的第一安全参数的安全算法的级别发送给用户设备。 Optionally, if the user equipment transmits the security algorithm list supported by the user equipment to the base station in advance in the attach process, the base station may use the IP address of the base station and the determined security algorithm of the first security parameter in the RRC reconfiguration message. The level is sent to the user device.
发送单元21还用于将IPsec隧道建立参数发送给用户设备。The sending unit 21 is further configured to send an IPsec tunnel establishment parameter to the user equipment.
在确定了鉴权信息和第一安全算法后,基站将IPsec隧道建立参数发送给用户设备,该IPsec隧道建立参数包括第一安全参数和TS,该第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。。After determining the authentication information and the first security algorithm, the base station sends an IPsec tunnel establishment parameter to the user equipment, where the IPsec tunnel establishment parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm, and the A Kipsisec or the second Kipsec. .
在本实施例中,通过RRC消息来传输IPsec隧道建立必要参数,没有完全封装IKEv2消息,由于RRC消息本身可以保证数据传输的安全性,无需协商第二安全参数。In this embodiment, the RRC message is used to transmit the IPsec tunnel establishment necessary parameters, and the IKEv2 message is not completely encapsulated. Since the RRC message itself can ensure the security of the data transmission, there is no need to negotiate the second security parameter.
在本实施例中,是由用户设备发起IPsec隧道建立,作为一种替代方式,也可以由基站发起IPsec隧道建立,即基站通过RRC消息将IPsec隧道建立必要参数发送给用户设备,以使用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,然后用户设备将IPsec隧道建立参数发送给基站,基站接收用户设备发送的IPsec隧道建立参数。In this embodiment, the user equipment initiates the establishment of the IPsec tunnel. As an alternative, the base station may initiate the IPsec tunnel establishment, that is, the base station sends the necessary parameters for establishing the IPsec tunnel to the user equipment through the RRC message, so that the user equipment Determining a level of the security algorithm of the first security parameter according to a list of security algorithms supported by the base station, and a security algorithm level list of the base station, and then the user equipment sends the IPsec tunnel establishment parameter to the base station, where the base station receives the information sent by the user equipment. The IPsec tunnel establishes parameters.
验证单元25,用于验证第一AUTH和第二AUTH。The verification unit 25 is configured to verify the first AUTH and the second AUTH.
所述验证单元25还用于若验证第一AUTH和第二AUTH一致,对用户设备的身份进行验证。The verification unit 25 is further configured to verify the identity of the user equipment if the first AUTH and the second AUTH are verified to be consistent.
图8为本发明实施例提供的一种用户设备的结构示意图,该用户设备3000包括确定单元31、生成单元32、发送单元33、接收单元34和验证单元35;其中:FIG. 8 is a schematic structural diagram of a user equipment according to an embodiment of the present invention. The user equipment 3000 includes a determining unit 31, a generating unit 32, a sending unit 33, a receiving unit 34, and a verifying unit 35.
确定单元31,用于确定用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;a determining unit 31, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent a key generated by the base station and the user equipment each time the same;
生成单元32,用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;The generating unit 32 is configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
发送单元33,用于发送所述第二AUTH给所述基站;a sending unit 33, configured to send the second AUTH to the base station;
接收单元34,用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;The receiving unit 34 is configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first Kipsc according to the KeNB and the first anti-replay parameter. The base station generates the first AUTH according to the first Kipsec;
验证单元35,用于验证所述第一AUTH和所述第二AUTH。 The verification unit 35 is configured to verify the first AUTH and the second AUTH.
进一步地,所述接收单元34还用于接收所述基站发送的所述基站的互联网协议IP地址;Further, the receiving unit 34 is further configured to receive an internet protocol IP address of the base station that is sent by the base station;
所述发送单元还用于将所述用户设备连接的无线局域网的IP地址发送给所述基站。The sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
作为一种实现方式,所述发送单元33还用于发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;As an implementation manner, the sending unit 33 is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
所述接收单元34还用于接收所述基站发送的所述第一IKEv2消息的响应消息;The receiving unit 34 is further configured to receive a response message of the first IKEv2 message sent by the base station;
所述发送单元33还用于根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The sending unit 33 is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter The IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec The tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsel or the second Kipsec The security algorithm is a security algorithm set with a security algorithm level;
所述接收单元34还用于接收所述基站发送的所述第二IKEv2消息的响应消息。The receiving unit 34 is further configured to receive a response message of the second IKEv2 message sent by the base station.
作为另一种实现方式,所述发送单元33还用于发送至少一个RRC消息给所述基站;As another implementation manner, the sending unit 33 is further configured to send at least one RRC message to the base station;
其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
作为又一种实现方式,所述发送单元33还用于通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;As a further implementation manner, the sending unit 33 is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and the a security algorithm list supported by the user equipment, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述接收单元34还用于接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头 HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The receiving unit 34 is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet key exchange protocol header. HDR, the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the First Kipsec or the second Kipsec.
作为又一种实现方式,所述接收单元34还用于接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;As a further implementation manner, the receiving unit 34 is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level. relationship;
所述确定单元31还用于根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别;The determining unit 31 is further configured to determine a level of the security algorithm of the first security parameter according to a security algorithm list supported by the base and a security algorithm level list of the base station;
所述发送单元33还用于将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The sending unit 33 is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes An identification SPI of the IPsec tunnel establishment process, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
根据本发明实施例提供的一种用户设备,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish parameters according to the tunnel. The included IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
如图9所示,为本发明实施例提供又一种基站的结构示意图,用于实现上述IPsec隧道建立的功能,如图9所示,基站4000包括发送器41和处理器42,其中,所述发送器41和处理器42之间通过总线43相互连接。其中:As shown in FIG. 9 , a schematic structural diagram of another base station is provided for implementing the foregoing IPsec tunnel establishment function. As shown in FIG. 9 , the base station 4000 includes a transmitter 41 and a processor 42 . The transmitter 41 and the processor 42 are connected to each other via a bus 43. among them:
所述发送器,用于发送第一抗重放参数给用户设备;The transmitter is configured to send a first anti-replay parameter to the user equipment;
所述处理器,用于确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating each time The same key;
所述处理器还用于用于根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;The processor is further configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
所述处理器还用于确定IPsec隧道建立参数,所述IPsec隧道建立参数包 括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;The processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishes a parameter packet The second AUTH is generated, wherein the user equipment generates a second Kipsec according to the KeNB and the second anti-playback parameter, and generates the second AUTH according to the second Kipsec;
所述处理器还用于验证所述第一AUTH和所述第二AUTH、以及所述用户设备的身份。The processor is further configured to verify the first AUTH and the second AUTH, and an identity of the user equipment.
进一步地,所述发送器还用于将所述基站的互联网协议IP地址发送给所述用户设备;Further, the transmitter is further configured to send an internet protocol IP address of the base station to the user equipment;
所述基站还包括:接收器;The base station further includes: a receiver;
所述接收器还用于接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址。The receiver is further configured to receive an IP address of a wireless local area network to which the user equipment is connected, sent by the user equipment.
进一步地,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。Further, the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, where the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by IPsec, the first security The parameters include a security algorithm, and the first Kipsec or the second Kipsec.
进一步地,所述接收器还用于接收所述用户设备发送的第一因特网密钥交换协议版本2IKEv2消息,所述第一IKEv2消息包括第二安全参数;Further, the receiver is further configured to receive a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
所述发送器还用于发送所述第一IKEv2消息的响应消息给所述用户设备;The transmitter is further configured to send a response message of the first IKEv2 message to the user equipment;
所述接收器还用于接收所述用户设备根据所述第二安全参数加密发送的第二IKEv2消息,所述第二IKEv2消息包括所述IPsec隧道建立参数;The receiver is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
所述发送器还用于发送所述第二IKEv2消息的响应消息给所述用户设备;The transmitter is further configured to send a response message of the second IKEv2 message to the user equipment;
其中,所述IPsec隧道建立参数中还包括所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI;所述安全算法为设置有安全算法级别的安全算法。The IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
进一步地,所述处理器还用于:Further, the processor is further configured to:
验证所述用户设备的身份标识是否与核心网侧已获得的所述用户设备的身份一致。Verifying whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
进一步地,所述接收器还用于接收所述用户设备发送的至少一个无线资源控制RRC消息;Further, the receiver is further configured to receive at least one radio resource control RRC message sent by the user equipment;
其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。 The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
进一步地,所述接收器还用于接收所述用户设备通过无线资源控制RRC消息发送的所述第二AUTH和所述用户设备所支持的安全算法列表;Further, the receiver is further configured to receive the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
所述处理器还用于根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithm levels of the user and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security Correspondence between the algorithm and the level of the security algorithm;
所述发送器还用于将所述IPsec隧道建立参数发送给所述用户设备。The transmitter is further configured to send the IPsec tunnel establishment parameter to the user equipment.
进一步地,所述发送器还用于通过RRC消息将所述第二AUTH和所述基站的安全算法级别列表发送给所述用户设备,以使所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Further, the transmitter is further configured to send, by using an RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, And determining, by the security algorithm level list of the base station, a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述接收器还用于接收所述用户设备发送的所述IPsec隧道建立参数。The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
根据本发明实施例提供的一种基站,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and include parameters according to the tunnel establishment. The IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless LAN, thereby ensuring the security of data transmission.
如图10所示,为本发明实施例提供另一种用户设备的结构示意图,用于实现上述IPsec隧道建立的功能,如图10所示,用户设备5000包括接收器51,发送器52和处理器53,其中,所述接收器51,发送器52和处理器53之间通过总线54相互连接。其中:As shown in FIG. 10, a schematic structural diagram of another user equipment is provided for implementing the foregoing IPsec tunnel establishment function. As shown in FIG. 10, the user equipment 5000 includes a receiver 51, a transmitter 52, and processing. The device 53, wherein the receiver 51, the transmitter 52 and the processor 53 are connected to each other by a bus 54. among them:
所述处理器,用于确定用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time. The same key;
所述处理器还用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;The processor is further configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
发送器,用于发送所述第二AUTH给所述基站;a transmitter, configured to send the second AUTH to the base station;
接收器,用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道 建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;a receiver, configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel The establishing parameter includes a first AUTH, wherein the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
所述处理器还用于验证所述第一AUTH和所述第二AUTH。The processor is further configured to verify the first AUTH and the second AUTH.
进一步地,所述接收器还用于接收所述基站发送的所述基站的互联网协议IP地址;Further, the receiver is further configured to receive an internet protocol IP address of the base station sent by the base station;
所述发送单元还用于将所述用户设备连接的无线局域网的IP地址发送给所述基站。The sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
进一步地,所述发送器还用于发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;Further, the transmitter is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
所述接收器还用于接收所述基站发送的所述第一IKEv2消息的响应消息;The receiver is further configured to receive a response message of the first IKEv2 message sent by the base station;
所述发送器还用于根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The transmitter is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, The IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec tunnel The transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec, The security algorithm is a security algorithm set with a security algorithm level;
所述接收器还用于接收所述基站发送的所述第二IKEv2消息的响应消息。The receiver is further configured to receive a response message of the second IKEv2 message sent by the base station.
进一步地,所述发送器还用于发送至少一个RRC消息给所述基站;Further, the transmitter is further configured to send at least one RRC message to the base station;
其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
进一步地,所述发送器还用于通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Further, the transmitter is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and supported by the user equipment a security algorithm list, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述接收器还用于接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传 输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec Identification SPI of the tunnel establishment process, the IPsec tunnel transmission The input parameter includes a first security parameter and a TS, the first security parameter including a security algorithm that determines the level, and the first Kipsel or the second Kipsec.
进一步地,所述接收器还用于接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Further, the receiver is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
所述处理器还用于根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别;The processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithms supported by the base and a security algorithm level list of the base station;
所述发送器还用于将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The transmitter is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec. An identifier SPI of the tunnel establishment process, where the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
根据本发明实施例提供的一种用户设备,在用户设备通过无线局域网请求接入核心网时,基站与用户设备协商抗重放参数及IPsec隧道建立参数,建立IPsec隧道,以及根据隧道建立参数中包括的IPsec隧道传输参数在IPsec隧道中传输数据,从而实现用户设备通过无线局域网安全地接入核心网,保证了数据传输的安全性。According to an embodiment of the present invention, when a user equipment requests access to a core network through a wireless local area network, the base station and the user equipment negotiate anti-replay parameters and IPsec tunnel establishment parameters, establish an IPsec tunnel, and establish parameters according to the tunnel. The included IPsec tunnel transmission parameters transmit data in the IPsec tunnel, thereby enabling the user equipment to securely access the core network through the wireless local area network, thereby ensuring the security of data transmission.
本发明实施例装置中的单元可以根据实际需要进行合并、划分和删减。本领域的技术人员可以将本说明书中描述的不同实施例以及不同实施例的特征进行结合或组合。The units in the apparatus of the embodiment of the present invention may be combined, divided, and deleted according to actual needs. Those skilled in the art can combine or combine the different embodiments described in the specification and the features of the different embodiments.
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到本发明可以用硬件实现,或固件实现,或它们的组合方式来实现。当使用软件实现时,可以将上述功能存储在计算机可读介质中或作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是计算机能够存取的任何可用介质。以此为例但不限于:计算机可读介质可以包括随机存取存储器(Random Access Memory,RAM)、只读存储器(Read-Only Memory,ROM)、电可擦可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,EEPROM)、只读光盘(Compact Disc  Read-Only Memory,CD-ROM)或其他光盘存储、磁盘存储介质或者其他磁存储设备、或者能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质。此外。任何连接可以适当的成为计算机可读介质。例如,如果软件是使用同轴电缆、光纤光缆、双绞线、数字用户线(Digital Subscriber Line,DSL)或者诸如红外线、无线电和微波之类的无线技术从网站、服务器或者其他远程源传输的,那么同轴电缆、光纤光缆、双绞线、DSL或者诸如红外线、无线和微波之类的无线技术包括在所属介质的定影中。如本发明所使用的,盘(Disk)和碟(disc)包括压缩光碟(CD)、激光碟、光碟、数字通用光碟(DVD)、软盘和蓝光光碟,其中盘通常磁性的复制数据,而碟则用激光来光学的复制数据。上面的组合也应当包括在计算机可读介质的保护范围之内。Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented in hardware, firmware implementation, or a combination thereof. When implemented in software, the functions described above may be stored in or transmitted as one or more instructions or code on a computer readable medium. Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another. A storage medium may be any available media that can be accessed by a computer. For example, but not limited to, the computer readable medium may include a random access memory (RAM), a read-only memory (ROM), and an electrically erasable programmable read-only memory (Electrically Erasable Programmable). Read-Only Memory, EEPROM), Read-Only Disc (Compact Disc) Read-Only Memory (CD-ROM) or other optical disc storage, disk storage media or other magnetic storage device, or any other device that can be used to carry or store desired program code in the form of instructions or data structures and accessible by a computer. medium. Also. Any connection may suitably be a computer readable medium. For example, if the software is transmitted from a website, server, or other remote source using coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, Then coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, wireless and microwave are included in the fixing of the associated medium. As used in the present invention, a disk and a disc include a compact disc (CD), a laser disc, a compact disc, a digital versatile disc (DVD), a floppy disk, and a Blu-ray disc, wherein the disc is usually magnetically copied, and the disc is The laser is used to optically replicate the data. Combinations of the above should also be included within the scope of the computer readable media.
总之,以上所述仅为本发明技术方案的较佳实施例而已,并非用于限定本发明的保护范围。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 In summary, the above description is only a preferred embodiment of the technical solution of the present invention, and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims (42)

  1. 一种因特网协议安全性IPsec隧道建立方法,其特征在于,包括:An Internet Protocol Security IPsec Tunnel Establishment Method, comprising:
    基站发送第一抗重放参数给用户设备;The base station sends the first anti-replay parameter to the user equipment;
    所述基站确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;Determining, by the base station, a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating the same key each time ;
    所述基站根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;The base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec;
    所述基站确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;Determining, by the base station, an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, wherein the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to the second Kipsec generates the second AUTH;
    所述基站验证所述第一AUTH和所述第二AUTH、以及所述用户设备的身份。The base station verifies the first AUTH and the second AUTH, and the identity of the user equipment.
  2. 如权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    所述基站将所述基站的互联网协议IP地址发送给所述用户设备;Sending, by the base station, an internet protocol IP address of the base station to the user equipment;
    所述基站接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址。The base station receives an IP address of a wireless local area network to which the user equipment is connected, which is sent by the user equipment.
  3. 如权利要求1或2所述的方法,其特征在于,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。The method according to claim 1 or 2, wherein the IPsec tunnel establishment parameter further comprises an IPsec tunnel transmission parameter, the IPsec tunnel transmission parameter comprising a first security parameter and a data flow for identifying IPsec protection ID of the in/out port, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec.
  4. 如权利要求3所述的方法,其特征在于,所述基站确定IPsec隧道建立参数,包括:The method of claim 3, wherein the base station determines IPsec tunnel establishment parameters, including:
    所述基站接收所述用户设备发送的第一因特网密钥交换协议版本2IKEv2消息,所述第一IKEv2消息包括第二安全参数;Receiving, by the base station, a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
    所述基站发送所述第一IKEv2消息的响应消息给所述用户设备; Sending, by the base station, a response message of the first IKEv2 message to the user equipment;
    所述基站接收所述用户设备根据所述第二安全参数加密发送的第二IKEv2消息,所述第二IKEv2消息包括所述IPsec隧道建立参数;Receiving, by the base station, a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
    所述基站发送所述第二IKEv2消息的响应消息给所述用户设备;Sending, by the base station, a response message of the second IKEv2 message to the user equipment;
    其中,所述IPsec隧道建立参数中还包括所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI;所述安全算法为设置有安全算法级别的安全算法。The IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
  5. 如权利要求4所述的方法,其特征在于,所述基站验证所述用户设备的身份,包括:The method according to claim 4, wherein the base station verifies the identity of the user equipment, including:
    所述基站验证所述用户设备的身份标识是否与核心网侧已获得的所述用户设备的身份一致。The base station verifies whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
  6. 如权利要求4所述的方法,其特征在于,所述基站确定IPsec隧道建立参数,包括:The method of claim 4, wherein the base station determines IPsec tunnel establishment parameters, including:
    所述基站接收所述用户设备发送的至少一个无线资源控制RRC消息;Receiving, by the base station, at least one radio resource control RRC message sent by the user equipment;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  7. 如权利要求3所述的方法,其特征在于,所述基站确定IPsec隧道建立参数,包括:The method of claim 3, wherein the base station determines IPsec tunnel establishment parameters, including:
    所述基站接收所述用户设备通过无线资源控制RRC消息发送的所述第二AUTH和所述用户设备所支持的安全算法列表;Receiving, by the base station, the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
    所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Determining, by the base station, a level of a security algorithm of the first security parameter according to a list of security algorithm levels and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security algorithms and security algorithms Correspondence of levels;
    所述基站将所述IPsec隧道建立参数发送给所述用户设备。The base station sends the IPsec tunnel establishment parameter to the user equipment.
  8. 如权利要求3所述的方法,其特征在于,所述基站确定IPsec隧道建立参数,包括: The method of claim 3, wherein the base station determines IPsec tunnel establishment parameters, including:
    所述基站通过RRC消息将所述第二AUTH和所述基站的安全算法级别列表发送给所述用户设备,以使所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;And sending, by the RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, and the security algorithm of the base station a level list, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述基站接收所述用户设备发送的所述IPsec隧道建立参数。The base station receives the IPsec tunnel establishment parameter sent by the user equipment.
  9. 一种IPsec隧道建立方法,其特征在于,包括:An IPsec tunnel establishing method, comprising:
    用户设备接收基站发送的第一抗重放参数;The user equipment receives the first anti-replay parameter sent by the base station;
    所述用户设备确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;Determining, by the user equipment, a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent a key generated by the base station and the user equipment each time the same;
    所述用户设备根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH,并发送所述第二AUTH给所述基站;The user equipment generates a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and generates second authentication information AUTH according to the second Kipsec, and sends the second AUTH to The base station;
    所述用户设备接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;Receiving, by the user equipment, an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, where The base station generates the first AUTH according to the first Kipsec;
    所述用户设备验证所述第一AUTH和所述第二AUTH。The user equipment verifies the first AUTH and the second AUTH.
  10. 如权利要求9所述的方法,其特征在于,还包括:The method of claim 9 further comprising:
    所述用户设备接收所述基站发送的所述基站的互联网协议IP地址;Receiving, by the user equipment, an internet protocol IP address of the base station sent by the base station;
    所述用户设备将所述用户设备连接的无线局域网的IP地址发送给所述基站。The user equipment sends an IP address of a wireless local area network to which the user equipment is connected to the base station.
  11. 如权利要求9或10所述的方法,其特征在于,还包括:The method of claim 9 or 10, further comprising:
    所述用户设备发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;The user equipment sends a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
    所述用户设备接收所述基站发送的所述第一IKEv2消息的响应消息;Receiving, by the user equipment, a response message of the first IKEv2 message sent by the base station;
    所述用户设备根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec 隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The user equipment encrypts the second IKEv2 message according to the second security parameter, and sends the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec a tunnel establishment parameter, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure. The IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by IPsec, the first security parameter including a security algorithm, and the first Kipsel or the second Kipsec, the security algorithm is a security algorithm set with a security algorithm level;
    所述用户设备接收所述基站发送的所述第二IKEv2消息的响应消息。The user equipment receives a response message of the second IKEv2 message sent by the base station.
  12. 如权利要求11所述的方法,其特征在于,还包括:The method of claim 11 further comprising:
    所述用户设备发送至少一个RRC消息给所述基站;Transmitting, by the user equipment, at least one RRC message to the base station;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  13. 如权利要求9或10所述的方法,其特征在于,还包括:The method of claim 9 or 10, further comprising:
    所述用户设备通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;And the user equipment sends the security algorithm list supported by the user equipment to the base station by using an RRC message, so that the base station determines, according to its own security algorithm level list, and a list of security algorithms supported by the user equipment. a level of a security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between a plurality of security algorithms and a security algorithm level;
    所述用户设备接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The user equipment receives the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure. The identification SPI, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  14. 如权利要求9或10所述的方法,其特征在于,还包括:The method of claim 9 or 10, further comprising:
    所述用户设备接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;Receiving, by the user equipment, a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法 级别列表,确定所述第一安全参数的安全算法的级别;The user equipment according to a list of security algorithms supported by itself, and a security algorithm of the base station a level list, determining a level of the security algorithm of the first security parameter;
    所述用户设备将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The user equipment sends the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an IPsec tunnel establishment procedure. The identification SPI, the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  15. 一种基站,其特征在于,包括:A base station, comprising:
    发送单元,用于发送第一抗重放参数给用户设备;a sending unit, configured to send a first anti-replay parameter to the user equipment;
    确定单元,用于确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;a determining unit, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time The same key;
    生成单元,用于根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;a generating unit, configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
    所述确定单元还用于确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;The determining unit is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
    验证单元,用于验证所述第一AUTH和所述第二AUTH、以及所述用户设备的身份。And a verification unit, configured to verify the first AUTH and the second AUTH, and an identity of the user equipment.
  16. 如权利要求14所述的基站,其特征在于:The base station of claim 14 wherein:
    所述发送单元还用于将所述基站的互联网协议IP地址发送给所述用户设备;The sending unit is further configured to send an internet protocol IP address of the base station to the user equipment;
    所述基站还包括:接收单元;The base station further includes: a receiving unit;
    所述接收单元还用于接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址。The receiving unit is further configured to receive an IP address of a wireless local area network that is connected by the user equipment and sent by the user equipment.
  17. 如权利要求15所述的基站,其特征在于,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安 全算法,以及所述第一Kipsec或所述第二Kipsec。The base station according to claim 15, wherein said IPsec tunnel establishment parameter further comprises an IPsec tunnel transmission parameter, said IPsec tunnel transmission parameter comprising a first security parameter and an in/out of a data stream for identifying IPsec protection The identifier TS of the port, the first security parameter includes an The full algorithm, and the first Kipsec or the second Kipsec.
  18. 如权利要求16所述的基站,其特征在于:The base station of claim 16 wherein:
    所述接收单元还用于接收所述用户设备发送的第一因特网密钥交换协议版本2IKEv2消息,所述第一IKEv2消息包括第二安全参数;The receiving unit is further configured to receive a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
    所述发送单元还用于发送所述第一IKEv2消息的响应消息给所述用户设备;The sending unit is further configured to send a response message of the first IKEv2 message to the user equipment;
    所述接收单元还用于接收所述用户设备根据所述第二安全参数加密发送的第二IKEv2消息,所述第二IKEv2消息包括所述IPsec隧道建立参数;The receiving unit is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
    所述发送单元还用于发送所述第二IKEv2消息的响应消息给所述用户设备;The sending unit is further configured to send a response message of the second IKEv2 message to the user equipment;
    其中,所述IPsec隧道建立参数中还包括所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI;所述安全算法为设置有安全算法级别的安全算法。The IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
  19. 如权利要求17所述的基站,其特征在于,所述验证单元具体用于:The base station according to claim 17, wherein the verification unit is specifically configured to:
    验证所述用户设备的身份标识是否与核心网侧已获得的所述用户设备的身份一致。Verifying whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
  20. 如权利要求16所述的基站,其特征在于:The base station of claim 16 wherein:
    所述接收单元还用于接收所述用户设备发送的至少一个无线资源控制RRC消息;The receiving unit is further configured to receive at least one radio resource control RRC message sent by the user equipment;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  21. 如权利要求16所述的基站,其特征在于:The base station of claim 16 wherein:
    所述接收单元还用于接收所述用户设备通过无线资源控制RRC消息发送的所述第二AUTH和所述用户设备所支持的安全算法列表;The receiving unit is further configured to receive the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
    所述确定单元还用于根据自身的安全算法级别列表,以及所述用户设备所 支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The determining unit is further configured to: according to its own security algorithm level list, and the user equipment Supporting a list of security algorithms, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述发送单元还用于将所述IPsec隧道建立参数发送给所述用户设备。The sending unit is further configured to send the IPsec tunnel establishment parameter to the user equipment.
  22. 如权利要求16所述的基站,其特征在于:The base station of claim 16 wherein:
    所述发送单元还用于通过RRC消息将所述第二AUTH和所述基站的安全算法级别列表发送给所述用户设备,以使所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The sending unit is further configured to send, by using an RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, and the a security algorithm level list of the base station, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述接收单元还用于接收所述用户设备发送的所述IPsec隧道建立参数。The receiving unit is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
  23. 一种用户设备,其特征在于,包括:A user equipment, comprising:
    确定单元,用于确定用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;a determining unit, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating the same key each time ;
    生成单元,用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;a generating unit, configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
    发送单元,用于发送所述第二AUTH给所述基站;a sending unit, configured to send the second AUTH to the base station;
    接收单元,用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;a receiving unit, configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, The base station generates the first AUTH according to the first Kipsec;
    验证单元,用于验证所述第一AUTH和所述第二AUTH。a verification unit for verifying the first AUTH and the second AUTH.
  24. 如权利要求22所述的用户设备,其特征在于:The user equipment of claim 22, wherein:
    所述接收单元还用于接收所述基站发送的所述基站的互联网协议IP地址;The receiving unit is further configured to receive an internet protocol IP address of the base station sent by the base station;
    所述发送单元还用于将所述用户设备连接的无线局域网的IP地址发送给所述基站。The sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
  25. 如权利要求22或23所述的用户设备,其特征在于: A user equipment according to claim 22 or 23, wherein:
    所述发送单元还用于发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;The sending unit is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
    所述接收单元还用于接收所述基站发送的所述第一IKEv2消息的响应消息;The receiving unit is further configured to receive a response message of the first IKEv2 message sent by the base station;
    所述发送单元还用于根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The sending unit is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, The IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec tunnel The transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec, The security algorithm is a security algorithm set with a security algorithm level;
    所述接收单元还用于接收所述基站发送的所述第二IKEv2消息的响应消息。The receiving unit is further configured to receive a response message of the second IKEv2 message sent by the base station.
  26. 如权利要求24所述的用户设备,其特征在于:The user equipment of claim 24, wherein:
    所述发送单元还用于发送至少一个RRC消息给所述基站;The sending unit is further configured to send at least one RRC message to the base station;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  27. 如权利要求22或23所述的用户设备,其特征在于:A user equipment according to claim 22 or 23, wherein:
    所述发送单元还用于通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The sending unit is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and a list of security algorithms supported by the user equipment Determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述接收单元还用于接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全 算法,以及所述第一Kipsec或所述第二Kipsec。The receiving unit is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec An identifier SPI of the tunnel establishment process, where the IPsec tunnel transmission parameter includes a first security parameter and a TS, and the first security parameter includes determining the level of security An algorithm, and the first Kipsec or the second Kipsec.
  28. 如权利要求22或23所述的用户设备,其特征在于:A user equipment according to claim 22 or 23, wherein:
    所述接收单元还用于接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The receiving unit is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述确定单元还用于根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别;The determining unit is further configured to determine a level of the security algorithm of the first security parameter according to a security algorithm list supported by the base station and a security algorithm level list of the base station;
    所述发送单元还用于将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The sending unit is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes identifier for identifying IPsec An identifier SPI of the tunnel establishment process, where the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
  29. 一种基站,其特征在于,包括:发送器和处理器;A base station, comprising: a transmitter and a processor;
    所述发送器,用于发送第一抗重放参数给用户设备;The transmitter is configured to send a first anti-replay parameter to the user equipment;
    所述处理器,用于确定所述用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating each time The same key;
    所述处理器还用于用于根据空口密钥KeNB和所述第一抗重放参数生成第一预共享密钥Kipsec,并根据所述第一Kipsec生成第一鉴权信息AUTH;The processor is further configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generate first authentication information AUTH according to the first Kipsec;
    所述处理器还用于确定IPsec隧道建立参数,所述IPsec隧道建立参数包括第二AUTH,其中,所述用户设备根据所述KeNB和所述第二抗重放参数生成第二Kipsec,并根据所述第二Kipsec生成所述第二AUTH;The processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, where the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and according to The second Kipsec generates the second AUTH;
    所述处理器还用于验证所述第一AUTH和所述第二AUTH、以及所述用户设备的身份。The processor is further configured to verify the first AUTH and the second AUTH, and an identity of the user equipment.
  30. 如权利要求28所述的基站,其特征在于:A base station according to claim 28, wherein:
    所述发送器还用于将所述基站的互联网协议IP地址发送给所述用户设备; The transmitter is further configured to send an internet protocol IP address of the base station to the user equipment;
    所述基站还包括:接收器;The base station further includes: a receiver;
    所述接收器还用于接收所述用户设备发送的所述用户设备连接的无线局域网的IP地址。The receiver is further configured to receive an IP address of a wireless local area network to which the user equipment is connected, sent by the user equipment.
  31. 如权利要求29所述的基站,其特征在于,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec。The base station according to claim 29, wherein said IPsec tunnel establishment parameter further comprises an IPsec tunnel transmission parameter, said IPsec tunnel transmission parameter comprising a first security parameter and an in/out of a data stream for identifying IPsec protection The identifier TS of the port, the first security parameter includes a security algorithm, and the first Kipsec or the second Kipsec.
  32. 如权利要求30所述的基站,其特征在于:A base station according to claim 30, wherein:
    所述接收器还用于接收所述用户设备发送的第一因特网密钥交换协议版本2IKEv2消息,所述第一IKEv2消息包括第二安全参数;The receiver is further configured to receive a first Internet Key Exchange Protocol version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
    所述发送器还用于发送所述第一IKEv2消息的响应消息给所述用户设备;The transmitter is further configured to send a response message of the first IKEv2 message to the user equipment;
    所述接收器还用于接收所述用户设备根据所述第二安全参数加密发送的第二IKEv2消息,所述第二IKEv2消息包括所述IPsec隧道建立参数;The receiver is further configured to receive a second IKEv2 message that is sent by the user equipment according to the second security parameter, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
    所述发送器还用于发送所述第二IKEv2消息的响应消息给所述用户设备;The transmitter is further configured to send a response message of the second IKEv2 message to the user equipment;
    其中,所述IPsec隧道建立参数中还包括所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI;所述安全算法为设置有安全算法级别的安全算法。The IPsec tunnel establishment parameter further includes an identifier of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure; the security algorithm is set There are security algorithms at the security algorithm level.
  33. 如权利要求31所述的基站,其特征在于,所述处理器还用于:The base station according to claim 31, wherein the processor is further configured to:
    验证所述用户设备的身份标识是否与核心网侧已获得的所述用户设备的身份一致。Verifying whether the identity of the user equipment is consistent with the identity of the user equipment that has been obtained by the core network side.
  34. 如权利要求30所述的基站,其特征在于:A base station according to claim 30, wherein:
    所述接收器还用于接收所述用户设备发送的至少一个无线资源控制RRC消息;The receiver is further configured to receive at least one radio resource control RRC message sent by the user equipment;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。 The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  35. 如权利要求30所述的基站,其特征在于:A base station according to claim 30, wherein:
    所述接收器还用于接收所述用户设备通过无线资源控制RRC消息发送的所述第二AUTH和所述用户设备所支持的安全算法列表;The receiver is further configured to receive the second AUTH sent by the user equipment by using a radio resource control RRC message, and a list of security algorithms supported by the user equipment;
    所述处理器还用于根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithm levels of the user and a list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security Correspondence between the algorithm and the level of the security algorithm;
    所述发送器还用于将所述IPsec隧道建立参数发送给所述用户设备。The transmitter is further configured to send the IPsec tunnel establishment parameter to the user equipment.
  36. 如权利要求30所述的基站,其特征在于:A base station according to claim 30, wherein:
    所述发送器还用于通过RRC消息将所述第二AUTH和所述基站的安全算法级别列表发送给所述用户设备,以使所述用户设备根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The transmitter is further configured to send, by using an RRC message, the second AUTH and the security algorithm level list of the base station to the user equipment, so that the user equipment according to the security algorithm list supported by the user equipment, and the a security algorithm level list of the base station, determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述接收器还用于接收所述用户设备发送的所述IPsec隧道建立参数。The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
  37. 一种用户设备,其特征在于,包括:处理器、发送器和接收器;其中,A user equipment, comprising: a processor, a transmitter, and a receiver; wherein
    所述处理器,用于确定用户设备的第二抗重放参数,所述第一抗重放参数和第二抗重放参数分别用于防止所述基站和所述用户设备每次生成的密钥相同;The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the base station and the user equipment from generating a secret each time. The same key;
    所述处理器还用于根据空口密钥KeNB和所述第二抗重放参数生成第二预共享密钥Kipsec,并根据所述第二Kipsec生成第二鉴权信息AUTH;The processor is further configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-playback parameter, and generate second authentication information AUTH according to the second Kipsec;
    发送器,用于发送所述第二AUTH给所述基站;a transmitter, configured to send the second AUTH to the base station;
    接收器,用于接收所述基站发送的IPsec隧道建立参数,所述IPsec隧道建立参数包括第一AUTH,其中,所述基站根据所述KeNB和所述第一抗重放参数生成第一Kipsec,所述基站根据第一Kipsec生成所述第一AUTH;a receiver, configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, where the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, The base station generates the first AUTH according to the first Kipsec;
    所述处理器还用于验证所述第一AUTH和所述第二AUTH。The processor is further configured to verify the first AUTH and the second AUTH.
  38. 如权利要求36所述的用户设备,其特征在于:The user equipment of claim 36, wherein:
    所述接收器还用于接收所述基站发送的所述基站的互联网协议IP地址; The receiver is further configured to receive an internet protocol IP address of the base station sent by the base station;
    所述发送单元还用于将所述用户设备连接的无线局域网的IP地址发送给所述基站。The sending unit is further configured to send an IP address of a wireless local area network to which the user equipment is connected, to the base station.
  39. 如权利要求36或37所述的用户设备,其特征在于:A user equipment according to claim 36 or 37, wherein:
    所述发送器还用于发送第一IKEv2消息给所述基站,所述第一IKEv2消息包括第二安全参数;The transmitter is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
    所述接收器还用于接收所述基站发送的所述第一IKEv2消息的响应消息;The receiver is further configured to receive a response message of the first IKEv2 message sent by the base station;
    所述发送器还用于根据所述第二安全参数加密第二IKEv2消息,将加密后的所述第二IKEv2消息发送给所述基站,所述第二IKEv2消息包括所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数,所述用户设备的身份标识,和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和用于标识IPsec保护的数据流的出/入端口的标识TS,所述第一安全参数包括安全算法,以及所述第一Kipsec或所述第二Kipsec,所述安全算法为设置有安全算法级别的安全算法;The transmitter is further configured to: encrypt the second IKEv2 message according to the second security parameter, and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, The IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, an identity of the user equipment, and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, the IPsec tunnel The transmission parameter includes a first security parameter and an identifier TS of an ingress/egress port for identifying a data stream protected by the IPsec, the first security parameter including a security algorithm, and the first Kipsec or the second Kipsec, The security algorithm is a security algorithm set with a security algorithm level;
    所述接收器还用于接收所述基站发送的所述第二IKEv2消息的响应消息。The receiver is further configured to receive a response message of the second IKEv2 message sent by the base station.
  40. 如权利要求38所述的用户设备,其特征在于:The user equipment of claim 38, wherein:
    所述发送器还用于发送至少一个RRC消息给所述基站;The transmitter is further configured to send at least one RRC message to the base station;
    其中,所述至少一个RRC消息封装所述第一IKEv2消息,所述第一IKEv2消息的响应消息,所述第二IKEv2消息,以及所述第二IKEv2消息的响应消息。The at least one RRC message encapsulates the first IKEv2 message, the response message of the first IKEv2 message, the second IKEv2 message, and the response message of the second IKEv2 message.
  41. 如权利要求36或37所述的用户设备,其特征在于:A user equipment according to claim 36 or 37, wherein:
    所述发送器还用于通过RRC消息发送所述用户设备所支持的安全算法列表给所述基站,以使所述基站根据自身的安全算法级别列表,以及所述用户设备所支持的安全算法列表,确定所述第一安全参数的安全算法的级别,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The transmitter is further configured to send, by using an RRC message, a security algorithm list supported by the user equipment to the base station, so that the base station according to its own security algorithm level list, and a list of security algorithms supported by the user equipment Determining a level of the security algorithm of the first security parameter, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述接收器还用于接收所述基站发送的所述IPsec隧道建立参数,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR, 所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet key exchange protocol header HDR. The HDR includes an identifier SPI for identifying an IPsec tunnel establishment procedure, where the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm that determines the level, and the first Kipsec or the second Kipsec.
  42. 如权利要求36或37所述的用户设备,其特征在于:A user equipment according to claim 36 or 37, wherein:
    所述接收器还用于接收所述基站通过RRC消息发送的所述基站的安全算法级别列表,所述安全算法级别列表包括多个安全算法与安全算法级别的对应关系;The receiver is further configured to receive a security algorithm level list of the base station that is sent by the base station by using an RRC message, where the security algorithm level list includes a correspondence between multiple security algorithms and a security algorithm level;
    所述处理器还用于根据自身所支持的安全算法列表,以及所述基站的安全算法级别列表,确定所述第一安全参数的安全算法的级别;The processor is further configured to determine a level of the security algorithm of the first security parameter according to a list of security algorithms supported by the base and a security algorithm level list of the base station;
    所述发送器还用于将所述IPsec隧道建立参数发送给所述基站,所述IPsec隧道建立参数还包括IPsec隧道传输参数和因特网密钥交换协议头HDR,所述HDR中包括用于标识IPsec隧道建立流程的标识SPI,所述IPsec隧道传输参数包括第一安全参数和TS,所述第一安全参数包括确定所述级别的安全算法,以及所述第一Kipsec或所述第二Kipsec。 The transmitter is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange Protocol header HDR, where the HDR includes an identifier for identifying IPsec. An identifier SPI of the tunnel establishment process, where the IPsec tunnel transmission parameter includes a first security parameter and a TS, the first security parameter includes a security algorithm determining the level, and the first Kipsec or the second Kipsec.
PCT/CN2015/093536 2015-10-31 2015-10-31 Internet protocol security tunnel establishing method, user equipment and base station WO2017070973A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201580035366.5A CN107005410B (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishment method, user equipment and base station
PCT/CN2015/093536 WO2017070973A1 (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishing method, user equipment and base station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/093536 WO2017070973A1 (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishing method, user equipment and base station

Publications (1)

Publication Number Publication Date
WO2017070973A1 true WO2017070973A1 (en) 2017-05-04

Family

ID=58629757

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/093536 WO2017070973A1 (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishing method, user equipment and base station

Country Status (2)

Country Link
CN (1) CN107005410B (en)
WO (1) WO2017070973A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422205A (en) * 2021-12-30 2022-04-29 广西电网有限责任公司电力科学研究院 Method for establishing data tunnel of network layer of CPU chip special for electric power

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272251A (en) * 2007-03-22 2008-09-24 华为技术有限公司 Authentication and cryptographic key negotiation method, authentication method, system and equipment
CN101945387A (en) * 2010-09-17 2011-01-12 中兴通讯股份有限公司 Method and system of binding access layer secret key and device
CN103312668A (en) * 2012-03-09 2013-09-18 中兴通讯股份有限公司 Message transmission method and device based on link management protocol security alliance
CN104104510A (en) * 2013-04-09 2014-10-15 罗伯特·博世有限公司 Method for recognizing a manipulation of a sensor and/or sensor data of the sensor
CN104184675A (en) * 2014-09-12 2014-12-03 成都卫士通信息产业股份有限公司 Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system
US20150281254A1 (en) * 2014-03-31 2015-10-01 EXILANT Technologies Private Limited Increased communication security
CN104969578A (en) * 2013-04-17 2015-10-07 华为技术有限公司 Data transmission method, device and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7159242B2 (en) * 2002-05-09 2007-01-02 International Business Machines Corporation Secure IPsec tunnels with a background system accessible via a gateway implementing NAT
JP5319575B2 (en) * 2010-02-23 2013-10-16 日本電信電話株式会社 Communication method and communication system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272251A (en) * 2007-03-22 2008-09-24 华为技术有限公司 Authentication and cryptographic key negotiation method, authentication method, system and equipment
CN101945387A (en) * 2010-09-17 2011-01-12 中兴通讯股份有限公司 Method and system of binding access layer secret key and device
CN103312668A (en) * 2012-03-09 2013-09-18 中兴通讯股份有限公司 Message transmission method and device based on link management protocol security alliance
CN104104510A (en) * 2013-04-09 2014-10-15 罗伯特·博世有限公司 Method for recognizing a manipulation of a sensor and/or sensor data of the sensor
CN104969578A (en) * 2013-04-17 2015-10-07 华为技术有限公司 Data transmission method, device and system
US20150281254A1 (en) * 2014-03-31 2015-10-01 EXILANT Technologies Private Limited Increased communication security
CN104184675A (en) * 2014-09-12 2014-12-03 成都卫士通信息产业股份有限公司 Load-balanced IPSec VPN device trunking system and working method of load-balanced IPSec VPN device trunking system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422205A (en) * 2021-12-30 2022-04-29 广西电网有限责任公司电力科学研究院 Method for establishing data tunnel of network layer of CPU chip special for electric power
CN114422205B (en) * 2021-12-30 2024-03-01 广西电网有限责任公司电力科学研究院 Method for establishing network layer data tunnel of special CPU chip for electric power

Also Published As

Publication number Publication date
CN107005410B (en) 2020-06-26
CN107005410A (en) 2017-08-01

Similar Documents

Publication Publication Date Title
JP6903006B2 (en) User plane security for next-generation cellular networks
US9554270B2 (en) Enhanced security for direct link communications
JP5597676B2 (en) Key material exchange
US10027636B2 (en) Data transmission method, apparatus, and system
US20150256335A1 (en) Encryption Realization Method and System
EP3231151B1 (en) Commissioning of devices in a network
EP2770778B1 (en) Method, system, and enb for establishing secure x2 channel
CN107005410B (en) Internet protocol security tunnel establishment method, user equipment and base station
CN114245372B (en) Authentication method, device and system
WO2016176902A1 (en) Terminal authentication method, management terminal and application terminal
WO2016091574A1 (en) Secure message exchange in a network
WO2018176273A1 (en) Communication method, apparatus and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15907034

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15907034

Country of ref document: EP

Kind code of ref document: A1