WO2018137671A1 - Authentication method, base station, user equipment, core network, system, device and data storage medium - Google Patents

Publication number
WO2018137671A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
token1
information
key
algorithm information
Prior art date
Application number
PCT/CN2018/074053
Other languages
French (fr)
Chinese (zh)
Inventor
谢振华
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2018137671A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041: Key generation or derivation
    • H04W12/06: Authentication
    • H04W12/08: Access security

Abstract

The invention discloses an authentication method, a base station, user equipment, a core network, a system, a device and a data storage medium. The method comprises: a first base station receiving, from a core network element, algorithm information and a key for a user equipment (UE); the first base station receiving, from a second base station, a first token Token1 for the UE, wherein Token1 is first received by the second base station from the UE and is verified on the basis of the algorithm information and the key; or the first base station receiving a request for the UE from the second base station and transmitting to the second base station a second token Token2 and the algorithm information, wherein Token2 is generated on the basis of the algorithm information and the key and is used at the second base station to verify the first token Token1 transmitted from the UE.

Description

Authentication method, base station, user equipment, core network and system, device and storage medium
Cross-reference to related applications
This application is based on, and claims priority to, Chinese patent application No. 201710060338.X, filed on January 24, 2017, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications, and in particular to an authentication method for connection re-establishment, a base station, a user equipment (UE), a core network and system, a communication device, and a storage medium.
Background
The 3rd Generation Partnership Project (3GPP) has proposed an authentication scheme for mobile network connection re-establishment, which includes the following: first, the UE sends an attach request to a core network element (such as a mobile network entity MME); the core network element then authenticates the UE, negotiating a key and a security algorithm during authentication, and generates a Key based on the key; the core network element computes Token 1 using the negotiated Key and security algorithm, and sends a connection establishment indication carrying Token 1 to the UE's source base station; the source base station sends a downlink data message to the UE based on Token 1; when the UE needs to establish a connection with a target base station, it sends re-establishment request information containing Token 1 to the target base station; after the target base station and the source base station verify Token 1, a handover instruction is received from the core network that contains a recalculated Token 2.
It can be seen that, in the prior-art authentication process for reconnection, the core network element has to compute the token repeatedly.
Summary of the invention
The main purpose of the present invention is to provide an authentication method for connection re-establishment, a base station, a user equipment, a core network and system, a communication device, and a storage medium, intended to solve the above problem in the prior art.
To achieve the above purpose, an embodiment of the present invention provides an authentication method for connection re-establishment, applied to a first base station, the method including:
the first base station receives, from a core network element, algorithm information and a key for a terminal UE;
the first base station receives, from a second base station, a first token Token1 for the UE, where the Token1 was received by the second base station from the UE, and the first base station verifies it based on the algorithm information and the key;
or, the first base station receives a request for the UE from the second base station and sends a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station to verify the Token1 sent by the UE.
In the above solution, the method further includes: the first base station generates a second token Token2 based on the algorithm information and the key, and compares the generated Token2 with the Token1.
In the above solution, the method further includes: when the first base station successfully verifies the Token1, sending the algorithm information to the second base station.
In the above solution, the method further includes: the first base station sends the algorithm information to the UE.
In the above solution, the method further includes: the first base station sends security capability information of the first base station to the core network element, where the security capability information is used at the core network element as the basis for selecting the algorithm information.
An embodiment of the present invention further provides an authentication method for connection re-establishment, applied to a second base station, the method including:
the second base station receives a first token Token1 from a terminal UE;
the second base station forwards the Token1 to a first base station; or,
the second base station requests the first base station to send a second token Token2, where the Token2 is used at the second base station to verify the Token1.
An embodiment of the present invention further provides an authentication method for connection re-establishment, applied to a terminal UE, the method including:
the terminal UE receives algorithm information and key generation information from a core network element;
the UE sends a first token Token1 to a second base station, where the Token1 is generated based on the algorithm information and a key generated from the key generation information.
An embodiment of the present invention further provides an authentication method for connection re-establishment, applied to a core network, the method including:
a core network element negotiates key generation information and algorithm information with a terminal UE;
and sends, to a first base station, the algorithm information and a key generated based on the key generation information.
In the above solution, the core network element receives security capability information from the first base station, and the core network element selects the algorithm information based on that security capability information.
An embodiment of the present invention further provides a first base station, the first base station including:
a first receiving unit, configured to receive algorithm information and a key from a core network element;
a second receiving unit, configured to receive a first token Token1 from a second base station, where the Token1 was received by the second base station from the UE, and the first base station verifies it based on the algorithm information and the key;
or,
the second receiving unit, configured to receive a request from the second base station;
correspondingly, a sending unit, configured to send a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is configured for verifying, at the second base station, the Token1 sent by the UE.
In the above solution, the first base station further includes: a processing unit, configured to compare the generated Token2 with the Token1, and to generate the second token Token2 based on the algorithm information and the key.
In the above solution, the sending unit is configured to send the algorithm information to the second base station when the first base station successfully verifies the Token1.
In the above solution, the sending unit is configured to send the algorithm information to the UE.
In the above solution, the sending unit is configured to send security capability information of the first base station to the core network element, where the security capability information is used at the core network element as the basis for selecting the algorithm information.
An embodiment of the present invention further provides a second base station, the second base station including:
a receiving unit, configured to receive a first token Token1 from a UE;
a sending unit, configured to forward the Token1 to a first base station; or,
to request the first base station to send a second token Token2.
An embodiment of the present invention further provides a UE, the UE including:
an information receiving unit, configured to receive algorithm information and key generation information from a core network element;
an information sending unit, configured to send a first token Token1 to a second base station, where the Token1 is generated based on the algorithm information and a key generated from the key generation information.
An embodiment of the present invention further provides a core network, the core network including:
a negotiating unit, configured to negotiate key generation information and algorithm information with a UE;
a communication unit, configured to send, to a first base station, the algorithm information and a key generated based on the key generation information.
In the above solution, the communication unit is configured to receive security capability information from the first base station, where the security capability information is used by the core network element to select the algorithm information.
An embodiment of the present invention further provides an authentication system for connection re-establishment, the system including:
a first base station, configured to receive algorithm information and a key from a core network element; to receive, from a second base station, a first token Token1 for the UE, where the Token1 was received by the second base station from the UE, and to verify it based on the algorithm information and the key; or, to receive a request for the UE from the second base station and send a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station to verify the Token1 sent by the UE;
a second base station, configured to receive the first token Token1 from the UE; to forward the Token1 to the first base station; or, to request the first base station to send the second token Token2;
a UE, configured to receive algorithm information and key generation information from the core network element, and to send the first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and a key generated from the key generation information;
a core network, configured to negotiate key generation information and algorithm information with the terminal UE, and to send, to the first base station, the algorithm information and a key generated based on the key generation information.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the following processing:
receiving, from a core network element, algorithm information and a key for a terminal UE;
receiving, from a second base station, a first token Token1 for the UE, where the Token1 was received by the second base station from the UE, and verifying it based on the algorithm information and the key;
or, receiving a request for the UE from the second base station and sending a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station to verify the Token1 sent by the UE.
A communication device, including: a processor and a memory configured to store a computer program capable of running on the processor,
where the processor is configured to perform the steps of the foregoing method when running the computer program.
In the solution provided by the embodiments of the present invention, the network side sends the slice security parameters of the selected slice network to the terminal, so that the network side and the terminal can each generate a dedicated key for each slice network; every slice network therefore has its own dedicated security protection, which achieves security isolation between slice networks and improves the security of slice network communication.
Brief description of the drawings
FIG. 1 is a schematic flowchart of an authentication method for connection re-establishment according to an embodiment of the present invention;
FIG. 2 is schematic flowchart 1 of the authentication method for connection re-establishment according to Embodiment 1 of the present invention;
FIG. 3 is schematic flowchart 2 of the authentication method for connection re-establishment according to Embodiment 1 of the present invention;
FIG. 4 is a schematic flowchart of an authentication method for connection re-establishment according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of an authentication method for connection re-establishment according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of an authentication method for connection re-establishment according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a first base station according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a second base station according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a UE according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a core network according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an authentication system for connection re-establishment according to an embodiment of the present invention.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
An embodiment of the present invention provides an authentication method for connection re-establishment, applied to a first base station and, as shown in FIG. 1, including:
Step 101: the first base station receives, from a core network element, algorithm information and a key for a terminal UE, where the first base station is the source base station of the user equipment UE that it manages;
Step 102: the first base station receives, from a second base station, a first token Token1 for the UE, where the Token1 was received by the second base station from the UE, and the first base station verifies it based on the algorithm information and the key;
or, the first base station receives a request for the UE from the second base station and sends a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station to verify the Token1 sent by the UE;
where the second base station is the target base station to which the UE is to be handed over.
In the above embodiment, the first base station and the second base station may be the same base station or different base stations.
Before step 101 is performed, the UE also needs to send an attach request to the core network element; specifically, the attach request may be sent to the core network element through the first base station (that is, the source base station).
The first base station then sends security capability information to the core network element, which may include information on the algorithms it supports. The first base station sends its security capability information to the core network element, where the security capability information is used at the core network element as the basis for selecting the algorithm information.
The first base station receives the algorithm information and the key from the core network.
The first base station and the UE can generate an initial token from the algorithm information and the key for authentication, after which the first base station and the UE exchange information.
For example, this may include:
the core network element and the UE perform an authentication procedure, through which the core network element negotiates with the UE the key generation information and the security algorithm (Algorithm) to be used, and generates a Key based on the key generation information; the core network element may select, according to policy, a security algorithm that the source base station system also supports, or may select one according to the received security capability information of the source base station system;
the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
the source base station system stores the Algorithm and the Key and sends a downlink data message to the UE, for example an RRC DL Information Transfer message.
After the above processing is complete, when the UE needs to hand over to the target base station, that is, the second base station, it may generate the Key from the negotiated key generation information, compute the first token Token1 from the Key, the negotiated Algorithm, and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system), and then send a connection re-establishment request to the target base station, for example an RRC Connection Re-establishment Request message, carrying Token1.
Thereafter, verifying the Token1 based on the algorithm information and the key may include:
the first base station generates a second token Token2 based on the algorithm information and the key;
and compares the generated Token2 with the Token1 to obtain a verification result.
The target base station (second base station) requests the UE context from the source base station (first base station), for example by sending a Retrieve UE Context Request message, which may carry the received Token1; the first base station system uses the Key, the Algorithm, and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system) to compute Token1; if the source base station system received Token1, it compares the calculated Token2 with the received Token1; if they are equal, the UE is authenticated successfully, otherwise authentication fails.
Further, after authentication succeeds, or if the source base station system did not receive Token1, the first base station (source base station) returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token2 if the source base station system did not receive Token1;
Specifically, the first base station receives a request from the second base station, generates a second token Token2 based on the algorithm information and the key, and sends the Token2 to the second base station, so that the second base station verifies, based on the Token2, the Token1 contained in the connection re-establishment request sent by the UE; that is, if the target base station system receives a Token from the source base station system, it compares the Token2 received from the source base station system with the Token1 from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails; if authentication succeeds, or if the target base station did not receive a Token from the source base station system, the target base station system sends a connection re-establishment response to the UE, for example an RRC Connection Re-establishment message.
For the above processing flow, see FIG. 2, which is schematic flowchart 1 of the authentication method for connection re-establishment according to Embodiment 1 of the present invention. The flow includes:
Step 201: the UE sends an attach request to the core network element (such as a mobile network entity MME), for example an Attach Request message; the message passes through the source base station system (such as an eNB);
Step 202: the source base station system forwards the attach request to the core network element, and may include the security capability information of the source base station system, such as information on the security algorithms it supports;
Step 203: the core network element and the UE perform an authentication procedure, through which the core network element negotiates with the UE the key generation information and the security algorithm (Algorithm) to be used, and generates a Key based on the key generation information; the core network element may select, according to policy, a security algorithm that the source base station system also supports, or may select one according to the received security capability information of the source base station system;
Step 204: the core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
Step 205: the source base station system stores the Algorithm and the Key and sends a downlink data message to the UE, for example an RRC DL Information Transfer message;
Step 206: at some point the UE wishes to establish a connection with another base station system (the target base station system), so it generates the Key from the negotiated key generation information, computes a Token from the Key, the negotiated Algorithm, and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system), and then sends a connection re-establishment request to the target base station, for example an RRC Connection Re-establishment Request message, carrying the Token;
Step 207: the target base station system requests the UE context from the source base station system, for example by sending a Retrieve UE Context Request message, which may carry the received Token;
Step 208: the source base station system computes a Token using the Key, the Algorithm, and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system); if the source base station system received a Token, it compares the calculated Token with the received Token; if they are equal, the UE is authenticated successfully, otherwise authentication fails; if authentication succeeds, or if the source base station system did not receive a Token, the source base station returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token if the source base station system did not receive a Token;
Step 209: if the target base station system receives a Token from the source base station system, it compares the Token received from the source base station system with the Token from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails; if authentication succeeds, or if the target base station did not receive a Token from the source base station system, the target base station system sends a connection re-establishment response to the UE, for example an RRC Connection Re-establishment message;
Step 210: the target base station system sends a path switch request to the core network element, for example a Path Switch message;
Step 211: the core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
In addition, this embodiment provides a processing manner different from the foregoing; that is, before the first base station receives the first token Token1 from the second base station, the method further includes:
based on first algorithm information sent by the core network element, sending the first algorithm information to the UE, determining an initial token with the UE by means of the first algorithm information, and interacting based on the initial token.
Before the first base station receives the first token Token1 from the second base station, the method further includes: receiving second algorithm information sent by the core network element;
Correspondingly, the method further includes: when the first base station verifies Token1 successfully, sending the second algorithm information to the second base station;
Alternatively, a second token may be calculated based on the second algorithm information, and the second token is compared with the first token to obtain a verification result;
Alternatively, the second algorithm is sent to the second base station, so that the second base station calculates a second token based on the second algorithm information for verification and obtains a verification result.
FIG. 3 is schematic flowchart 2 of the connection re-establishment authentication method according to Embodiment 1 of the present invention. The flow includes:
Step 301: The UE sends an attach request to the core network element (such as the mobile network entity MME), for example an Attach Request message; the message passes through the source base station system (such as an eNB);
Step 302: The source base station system forwards the attach request to the core network element, and may include the security capability information of the source base station system, such as information on the security algorithms it supports;
Step 303: The core network element and the UE perform an authentication procedure, through which the core network element negotiates with the UE the key generation information and the security algorithm Algorithm1 to be used, and generates the Key based on the key generation information. The core network element may select, according to policy, a security algorithm that the source base station system also supports, or may select one according to the received security capability information of the source base station system;
Step 304: The core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and Algorithm2;
Step 305: The source base station system stores the Key and Algorithm2 and sends a downlink data message to the UE, for example an RRC DL Information Transfer message, which carries Algorithm2;
Step 306: At some point the UE wishes to establish a connection with another base station system (the target base station system), so it generates the Key using the negotiated key generation information and calculates a Token from the Key, Algorithm2 and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). It then sends a connection re-establishment request to the target base station system, for example an RRC Connection Re-establishment Request message, carrying the Token;
Step 307: The target base station system requests the UE context from the source base station system, for example by sending a Retrieve UE Context Request message, which may carry the received Token;
Step 308: The source base station system calculates a Token using the Key, Algorithm2 and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). If the source base station system receives Token2, it compares the calculated Token2 with the received Token; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or the source base station system did not receive a Token, the source base station system returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token if the source base station system did not receive a Token;
Step 309: If the target base station system receives a Token from the source base station system, it compares the Token received from the source base station system with the Token from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or the target base station system did not receive a Token from the source base station system, the target base station system sends a connection re-establishment response to the UE, for example an RRC Connection Re-establishment message;
Step 310: The target base station system sends a path switch request to the core network element, for example a Path Switch message;
Step 311: The core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
After the foregoing steps are completed, the second base station system sends a path switch request to the core network element, for example a Path Switch message; the core network element sends a path switch response to the target base station system, for example a Path Switch ACK message.
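The token exchange of steps 306 to 309, in both of its variants, as an added example that is not part of the patent text. The page names no concrete algorithm or parameter encoding, so HMAC-SHA-256 for Algorithm2, the length-prefixed input built from the source, target and user identifiers, and all class, function and identifier names are assumptions.

```python
import hashlib
import hmac

# Assumption: the page never names a concrete algorithm; "Algorithm2" is mapped to HMAC-SHA-256.
ALGORITHMS = {"Algorithm2": hashlib.sha256}


def compute_token(key, algorithm, source_id, target_id, user_id):
    """Token = MAC(Key, source id, target id, user id); fields are length-prefixed
    so that ("ab", "c") and ("a", "bc") cannot produce the same MAC input."""
    fields = [s.encode() for s in (source_id, target_id, user_id)]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, ALGORITHMS[algorithm]).digest()


class SourceBaseStation:
    def __init__(self, station_id):
        self.station_id = station_id
        self.ue = {}  # user_id -> (key, algorithm, context)

    def store(self, user_id, key, algorithm, context):
        # Steps 304-305: Key and Algorithm2 arrive from the core network element.
        self.ue[user_id] = (key, algorithm, context)

    def retrieve_ue_context(self, user_id, target_id, token=None):
        """Step 308. Returns (context, token_for_target), or None if authentication fails."""
        if user_id not in self.ue:
            return None
        key, algorithm, context = self.ue[user_id]
        expected = compute_token(key, algorithm, self.station_id, target_id, user_id)
        if token is None:
            # No Token forwarded: hand the computed Token to the target for comparison.
            return context, expected
        if hmac.compare_digest(expected, token):  # constant-time comparison
            return context, None
        return None


class TargetBaseStation:
    def __init__(self, station_id):
        self.station_id = station_id

    def reestablish(self, source, user_id, ue_token, forward_token):
        """Steps 307-309. Returns the UE context if the UE is accepted, else None."""
        sent = ue_token if forward_token else None
        reply = source.retrieve_ue_context(user_id, self.station_id, sent)
        if reply is None:
            return None
        context, source_token = reply
        if source_token is not None and not hmac.compare_digest(source_token, ue_token):
            return None  # context arrived before the UE was authenticated: discard it
        return context


def demo():
    key = b"constructed-sample-key-32-bytes!"  # constructed sample value
    source = SourceBaseStation("eNB-source")
    source.store("ue-17", key, "Algorithm2", {"bearers": [5]})
    target = TargetBaseStation("eNB-target")
    other = TargetBaseStation("eNB-other")
    # Step 306: the UE derives the same Key and computes the Token for its chosen target.
    good = compute_token(key, "Algorithm2", "eNB-source", "eNB-target", "ue-17")
    forged = bytes(len(good))
    results = {}
    for forward in (True, False):
        results[("good", forward)] = target.reestablish(source, "ue-17", good, forward) is not None
        results[("forged", forward)] = target.reestablish(source, "ue-17", forged, forward) is not None
        # The same Token presented at a different target fails because the target id is MACed.
        results[("replayed", forward)] = other.reestablish(source, "ue-17", good, forward) is not None
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

In the variant where the Token is not forwarded, the source releases the UE context together with its computed Token before any party has authenticated the UE, so the target has to complete the comparison before acting on that context.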
Corresponding to the foregoing embodiment, this embodiment describes the connection re-establishment authentication method from the side of the second base station, the UE, and the core network respectively.
When applied to the second base station, referring to FIG. 4, the method includes:
Step 401: The second base station receives the first token Token1 from the UE;
Step 402: The second base station forwards the Token1 to the first base station; or,
the second base station requests the first base station to send the second token Token2.
After the second base station requests the first base station to send the second token Token2, the method further includes:
after receiving the Token2, the second base station compares the Token1 and the Token2 to obtain a verification result.
This embodiment provides a connection re-establishment authentication method applied to a UE. As shown in FIG. 5, the method includes:
Step 501: The UE receives, via the first base station or directly, algorithm information and key generation information from the core network element;
Step 502: The UE sends a first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and on a key generated from the key generation information;
wherein the first base station is the source base station of the user equipment UE, and the second base station is the target base station of the UE.
This embodiment provides a connection re-establishment authentication method applied to a core network. Referring to FIG. 6, the method includes:
Step 601: The core network element negotiates key generation information and algorithm information with the UE;
Step 602: The core network element sends the algorithm information and the key generated based on the key generation information to the first base station, where the first base station is the source base station of the user equipment UE that it manages.
The core network element receives security capability information from the first base station, and the security capability information is used by the core network element to select the algorithm information.
It can be seen that, with the above solution, token verification can be performed on the base station side during reconnection; this avoids the core network side having to generate tokens repeatedly and reduces the load on the core network element.
An embodiment of the present invention provides a first base station, where the first base station includes:
a first receiving unit, configured to receive algorithm information and a key from a core network element;
a second receiving unit, configured to receive a first token Token1 from the second base station; the Token1 is received by the second base station from the UE and is verified based on the algorithm information and the key;
or,
the second receiving unit is configured to receive a request from the second base station;
correspondingly, a sending unit is configured to send a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used on the second base station side to verify the Token1 sent by the UE.
Specifically, as shown in FIG. 7, the first base station includes: a first receiving unit 71, configured to receive algorithm information and a key from a core network element, wherein the first base station is the source base station of the user equipment UE that it manages;
a second receiving unit 72, configured to receive the first token Token1 from the second base station; correspondingly, a processing unit 73, configured to verify the Token1 based on the algorithm information and the key;
or,
the second receiving unit 72 is configured to receive a request from the second base station;
correspondingly, the processing unit 73 is configured to generate a second token Token2 based on the algorithm information and the key;
a sending unit 74, configured to send the Token2 to the second base station;
wherein the second base station is the target base station to which the UE is to be handed over.
In the foregoing embodiment, the first base station and the second base station may be the same base station or different base stations.
The UE also needs to send an attach request to the core network element; specifically, the attach request may be sent to the core network element through the first base station (that is, the source base station).
The first base station then sends security capability information to the core network element, which may include information on the algorithms it supports.
The first base station receives the algorithm information and the key from the core network.
The first base station and the UE can generate an initial token from the algorithm information and the key for authentication, after which the first base station and the UE exchange information.
For example, this may include:
The core network element and the UE perform an authentication procedure, through which the core network element negotiates with the UE the key generation information and the security algorithm Algorithm to be used, and generates the Key based on the key generation information. The core network element may select, according to policy, a security algorithm that the source base station system also supports, or may select one according to the received security capability information of the source base station system;
The core network element sends a connection establishment indication to the source base station system (such as an eNB), for example a Connection Establishment Indication message, which carries the Key and the negotiated Algorithm;
The source base station system stores the Algorithm and the Key and sends a downlink data message to the UE, for example an RRC DL Information Transfer message.
After the above processing is completed, when the UE needs to be handed over to the target base station, that is, the second base station, it may generate the Key using the negotiated key generation information and calculate the first token Token1 from the Key, the negotiated Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). It then sends a connection re-establishment request to the target base station, for example an RRC Connection Re-establishment Request message, carrying Token1.
Thereafter, the second receiving unit is configured to generate a second token Token2 based on the algorithm information and the key;
the generated Token2 is compared with the Token1 to obtain a verification result.
The target base station (the second base station) requests the UE context from the source base station (the first base station), for example by sending a Retrieve UE Context Request message, which may carry the received Token1. The first base station system calculates Token1 using the Key, the Algorithm and related parameters (such as the source or target base station system identifier, or the user identifier allocated by the source base station system). If the source base station system received Token1, it compares the calculated Token2 with the received Token1; if they are equal, the UE is authenticated successfully, otherwise authentication fails.
Further, after authentication succeeds, or if the source base station system did not receive Token1, the first base station (the source base station) returns the UE context, for example by sending a Retrieve UE Context Response message, which carries the calculated Token2 if the source base station system did not receive Token1;
Specifically, the first base station receives a request from the second base station, generates a second token Token2 based on the algorithm information and the key, and sends the Token2 to the second base station, so that the second base station verifies, based on the Token2, the Token1 included in the connection re-establishment request sent by the UE. That is, if the target base station system receives a Token from the source base station system, it compares the Token2 received from the source base station system with the Token1 from the UE; if they are equal, the UE is authenticated successfully, otherwise authentication fails. If authentication succeeds, or the target base station did not receive a Token from the source base station system, the target base station system sends a connection re-establishment response to the UE, for example an RRC Connection Re-establishment message.
In addition, this embodiment provides a processing manner different from the foregoing; that is, before the first base station receives the first token Token1 from the second base station, the method further includes:
the processing unit is configured to, based on first algorithm information sent by the core network element, send the first algorithm information to the UE, determine an initial token with the UE by means of the first algorithm information, and interact based on the initial token.
Before the first base station receives the first token Token1 from the second base station, the first receiving unit is configured to receive second algorithm information sent by the core network element;
correspondingly, the sending unit is configured to send the second algorithm information to the second base station when the first base station verifies the Token1 successfully.
Alternatively, a second token may be calculated based on the second algorithm information, and the second token is compared with the first token to obtain a verification result;
Alternatively, the second algorithm is sent to the second base station, so that the second base station calculates a second token based on the second algorithm information for verification and obtains a verification result.
Corresponding to the foregoing embodiment, this embodiment describes the connection re-establishment authentication method from the side of the second base station, the UE, and the core network respectively.
When applied to the second base station, referring to FIG. 8, the second base station includes:
a receiving unit 81, configured to receive the first token Token1 from the UE;
a sending unit 82, configured to forward the Token1 to the first base station; or,
to request the first base station to send the second token Token2.
After the second base station requests the first base station to send the second token Token2, the method further includes:
The second base station further includes:
a processing unit, configured to compare the Token1 and the Token2 after receiving the Token2, to obtain a verification result.
As shown in FIG. 9, a UE is provided, where the UE includes:
an information receiving unit 91, configured to receive, via the first base station or directly, algorithm information and key generation information from the core network element;
an information sending unit 92, configured to send a first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and on a key generated from the key generation information;
wherein the first base station is the source base station of the user equipment UE, and the second base station is the target base station of the UE.
This embodiment provides a core network which, referring to FIG. 10, includes:
a negotiating unit 1001, configured to negotiate key generation information and algorithm information with the UE;
a communication unit 1002, configured to send the algorithm information and the key generated based on the key generation information to the first base station, wherein the first base station is the source base station of the user equipment UE that it manages.
The core network element receives security capability information from the first base station, and the security capability information is used by the core network element to select the algorithm information.
Referring to FIG. 11, this embodiment provides a connection re-establishment authentication system, where the system includes:
a first base station 1101, configured to receive algorithm information and a key from the core network element, wherein the first base station is the source base station of the user equipment UE that it manages; and to receive the first token Token1 from the second base station and verify the Token1 based on the algorithm information and the key;
or, to receive a request from the second base station, generate a second token Token2 based on the algorithm information and the key, and send the Token2 to the second base station, so that the second base station verifies, based on the Token2, the Token1 included in the connection re-establishment request sent by the UE; wherein the second base station is the target base station to which the UE is to be handed over;
a second base station 1102, configured to receive the first token Token1 from the UE; and to forward the Token1 to the first base station, or to request the first base station to send the second token Token2;
a UE 1103, configured to receive, via the first base station or directly, algorithm information and key generation information from the core network element; and to send a first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and on a key generated from the key generation information;
a core network 1104, configured to negotiate key generation information and algorithm information with the UE; and to send the algorithm information and the key generated based on the key generation information to the first base station, wherein the first base station is the source base station of the user equipment UE that it manages.
This embodiment further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the following processing:
receiving algorithm information and a key from a core network element;
receiving a first token Token1 from the second base station, and verifying the Token1 based on the algorithm information and the key;
or, receiving a request from the second base station, generating a second token Token2 based on the algorithm information and the key, and sending the Token2 to the second base station, so that the second base station verifies, based on the Token2, the Token1 included in the connection re-establishment request sent by the UE;
wherein the second base station is the target base station to which the UE is to be handed over.
It can be seen that, with the above solution, token verification can be performed on the base station side during reconnection; this avoids the core network side having to generate tokens repeatedly and reduces the load on the core network element.
An embodiment of the present invention further provides a communication apparatus, including: a processor and a memory configured to store a computer program executable on the processor,
wherein the processor is configured to perform the steps of the method in the foregoing embodiments when running the computer program.
A person of ordinary skill in the art will understand that all or some of the steps of the above method may be completed by a program instructing the relevant hardware (for example, a processor), and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in the form of hardware, for example by an integrated circuit implementing its function, or in the form of a software function module, for example by a processor executing a program/instructions stored in a memory to implement its function. This application is not limited to any specific combination of hardware and software.
The basic principles, main features and advantages of the present application have been shown and described above. The present application is not limited by the above embodiments; the above embodiments and the description only illustrate the principles of the present application. Various changes and improvements may be made to the present application without departing from its spirit and scope, and these changes and improvements all fall within the claimed scope of the present application.
Industrial applicability
In the method and apparatus for generating a key for a slice network provided by the present invention, the network side sends the slice security parameters of the selected slice network to the terminal, so that the network side and the terminal can each generate a dedicated key for each different slice network. Each slice network thereby has its own dedicated means of security protection, which achieves security isolation between slice networks and improves the security of slice network communication.

Claims (21)

  1. A connection re-establishment authentication method, applied to a first base station, the method comprising:
    the first base station receives, from a core network element, algorithm information and a key for a terminal UE;
    the first base station receives, from a second base station, a first token Token1 for the UE, the Token1 being received by the second base station from the UE and verified by the first base station based on the algorithm information and the key;
    or, the first base station receives a request for the UE from the second base station and sends a second token Token2 and the algorithm information to the second base station, the Token2 being generated based on the algorithm information and the key and used on the second base station side to verify the Token1 sent by the UE.
  2. The method according to claim 1, wherein the method further comprises:
    the first base station generates a second token Token2 based on the algorithm information and the key;
    the generated Token2 is compared with the Token1.
  3. The method according to claim 1, wherein the method further comprises:
    when the first base station verifies the Token1 successfully, sending the algorithm information to the second base station.
  4. The method according to claim 1, wherein the method further comprises:
    the first base station sends the algorithm information to the UE.
  5. The method according to claim 1, wherein the method further comprises:
    the first base station sends the security capability information of the first base station to the core network element, wherein the security capability information is used, on the core network element side, as the basis for selecting the algorithm information.
  6. An authentication method for connection re-establishment, applied to a second base station, the method comprising:
    the second base station receives a first token Token1 from a terminal UE;
    the second base station forwards the Token1 to a first base station; or,
    the second base station requests the first base station to send a second token Token2, where the Token2 is used at the second base station side to verify the Token1.
  7. An authentication method for connection re-establishment, applied to a terminal UE, the method comprising:
    the terminal UE receives algorithm information and key generation information from a core network element;
    the UE sends a first token Token1 to a second base station, where the Token1 is generated based on the algorithm information and a key generated based on the key generation information.
  8. An authentication method for connection re-establishment, applied to a core network, the method comprising:
    a core network element negotiates key generation information and algorithm information with a terminal UE;
    sending, to a first base station, the algorithm information and a key generated based on the key generation information.
  9. The method according to claim 8, wherein the core network element receives security capability information from the first base station, the security capability information being used by the core network element to select the algorithm information based on it.
  10. A first base station, the first base station comprising:
    a first receiving unit, configured to receive algorithm information and a key from a core network element;
    a second receiving unit, configured to receive a first token Token1 from a second base station, where the Token1 is received by the second base station from the UE and is verified by the first base station based on the algorithm information and the key;
    or,
    the second receiving unit, configured to receive a request from a second base station;
    correspondingly, a sending unit, configured to send a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station side to verify the Token1 sent by the UE.
  11. The first base station according to claim 10, wherein the first base station further comprises:
    a processing unit, configured to compare the generated Token2 with the Token1, and to generate the second token Token2 based on the algorithm information and the key.
  12. The first base station according to claim 10, wherein
    the sending unit is configured to send the algorithm information to the second base station when the first base station successfully verifies the Token1.
  13. The first base station according to claim 10, wherein the sending unit is configured to send the algorithm information to the UE.
  14. The first base station according to claim 10, wherein the sending unit is configured to send security capability information of the first base station to the core network element, where the security capability information is used at the core network element side to select the algorithm information based on it.
  15. A second base station, the second base station comprising:
    a receiving unit, configured to receive a first token Token1 from a UE;
    a sending unit, configured to forward the Token1 to a first base station; or,
    to request the first base station to send a second token Token2.
  16. A UE, the UE comprising:
    an information receiving unit, configured to receive algorithm information and key generation information from a core network element;
    an information sending unit, configured to send a first token Token1 to a second base station, where the Token1 is generated based on the algorithm information and a key generated based on the key generation information.
  17. A core network, the core network comprising:
    a negotiating unit, configured to negotiate key generation information and algorithm information with a UE;
    a communication unit, configured to send, to a first base station, the algorithm information and a key generated based on the key generation information.
  18. The core network according to claim 17, wherein the communication unit is configured to receive security capability information from the first base station, the security capability information being used by the core network element to select the algorithm information.
  19. An authentication system for connection re-establishment, the system comprising:
    a first base station, configured to receive algorithm information and a key from a core network element; to receive, from a second base station, a first token Token1 for the UE, where the Token1 is received by the second base station from the UE, and to verify it based on the algorithm information and the key; or, to receive a request for the UE from the second base station and send a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is configured to be used at the second base station side to verify the Token1 sent by the UE;
    a second base station, configured to receive the first token Token1 from the UE; and to forward the Token1 to the first base station, or to request the first base station to send the second token Token2;
    a UE, configured to receive algorithm information and key generation information from a core network element; and to send the first token Token1 to the second base station, where the Token1 is generated based on the algorithm information and a key generated based on the key generation information;
    a core network, configured to negotiate key generation information and algorithm information with the terminal UE; and to send, to the first base station, the algorithm information and a key generated based on the key generation information.
  20. A computer-readable storage medium storing computer-executable instructions which, when executed, implement the following processing:
    receiving algorithm information and a key for a terminal UE from a core network element;
    receiving, from a second base station, a first token Token1 for the UE, where the Token1 is received by the second base station from the UE, and verifying it based on the algorithm information and the key;
    or, receiving a request for the UE from a second base station and sending a second token Token2 and the algorithm information to the second base station, where the Token2 is generated based on the algorithm information and the key and is used at the second base station side to verify the Token1 sent by the UE.
  21. A communication device, comprising: a processor and a memory configured to store a computer program capable of running on the processor,
    wherein the processor is configured to perform the steps of the method according to any one of claims 1-9 when running the computer program.
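The two verification paths in the claims (Token1 forwarded to the first base station, or Token2 handed to the second base station) can be traced in a short added example; this is not code from the patent. The claims do not fix an algorithm, a key derivation rule or the token input, so the HMAC algorithm names, the `derive_key` rule with a shared root secret, and the UE identifier as token input are all assumptions.

```python
import hashlib
import hmac

# Assumption: "algorithm information" names a keyed-MAC algorithm; the claims
# do not fix one, so these identifiers are hypothetical.
ALGORITHMS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA512": hashlib.sha512}


def derive_key(root_secret: bytes, key_gen_info: bytes) -> bytes:
    """Assumed rule: UE and core network derive the key from the key generation info."""
    return hmac.new(root_secret, b"reestablish" + key_gen_info, hashlib.sha256).digest()


def make_token(alg_info: str, key: bytes, ue_id: bytes) -> bytes:
    """Token1 (at the UE) and Token2 (at the first base station) use the same rule."""
    if alg_info not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm information: {alg_info!r}")
    return hmac.new(key, ue_id, ALGORITHMS[alg_info]).digest()


class FirstBaseStation:
    """Holds the algorithm information and key received from the core network."""

    def __init__(self, alg_info: str, key: bytes):
        self.alg_info, self.key = alg_info, key

    def verify_forwarded(self, ue_id: bytes, token1: bytes) -> bool:
        # Path A: Token1 is forwarded here; Token2 is generated and compared.
        token2 = make_token(self.alg_info, self.key, ue_id)
        return hmac.compare_digest(token1, token2)

    def answer_request(self, ue_id: bytes):
        # Path B: return Token2 plus the algorithm information on request.
        return make_token(self.alg_info, self.key, ue_id), self.alg_info


def second_bs_verify(first_bs: FirstBaseStation, ue_id: bytes, token1: bytes) -> bool:
    """Path B at the second base station: compare the UE's Token1 with Token2."""
    token2, _alg_info = first_bs.answer_request(ue_id)
    return hmac.compare_digest(token1, token2)


# Constructed sample values, not taken from the patent.
ROOT, KGI, UE_ID = b"\x11" * 32, b"nonce-0001", b"ue-42"
KEY = derive_key(ROOT, KGI)  # key the core network sends to the first base station
FIRST_BS = FirstBaseStation("HMAC-SHA256", KEY)
TOKEN1 = make_token("HMAC-SHA256", derive_key(ROOT, KGI), UE_ID)  # computed at the UE
```
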
PCT/CN2018/074053 2017-01-24 2018-01-24 Authentication method, base station, user equipment, core network, system, device and data storage medium WO2018137671A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710060338.XA CN108616881A (en) 2017-01-24 2017-01-24 Authentication method, base station, user equipment, core net and the system of connection reconstruction
CN201710060338.X 2017-01-24

Publications (1)

Publication Number Publication Date
WO2018137671A1 true WO2018137671A1 (en) 2018-08-02

Family

ID=62978094

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/074053 WO2018137671A1 (en) 2017-01-24 2018-01-24 Authentication method, base station, user equipment, core network, system, device and data storage medium

Country Status (2)

Country Link
CN (1) CN108616881A (en)
WO (1) WO2018137671A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080181411A1 (en) * 2007-01-26 2008-07-31 Karl Norrman Method and system for protecting signaling information
CN101378591A (en) * 2007-08-31 2009-03-04 华为技术有限公司 Method, system and device for negotiating safety capability when terminal is moving
US20090258631A1 (en) * 2008-04-14 2009-10-15 Nokia Corporation Mobility related control signalling authentication in mobile communications system
CN102067642A (en) * 2008-06-13 2011-05-18 诺基亚公司 Methods, apparatuses, and computer program products for providing fresh security context during intersystem mobility
CN105027626A (en) * 2013-02-18 2015-11-04 Lg电子株式会社 Method and apparatus for performing data transmission in wireless communication system

Also Published As

Publication number Publication date
CN108616881A (en) 2018-10-02

Similar Documents

Publication Publication Date Title
KR102354626B1 (en) Connection resume request method and device
US11496320B2 (en) Registration method and apparatus based on service-based architecture
JP4965671B2 (en) Distribution of user profiles, policies and PMIP keys in wireless communication networks
CN110192399B (en) Re-establishing radio resource control connections
CN112105021B (en) Authentication method, device and system
WO2020216338A1 (en) Parameter sending method and apparatus
US11689922B2 (en) Re-establishing a radio resource control connection
CN109891921B (en) Method, apparatus and computer-readable storage medium for authentication of next generation system
WO2021179617A1 (en) Authentication and authorization method and corresponding device
US20230232228A1 (en) Method and apparatus for establishing secure communication
US11943830B2 (en) Link re-establishment method, apparatus, and system
WO2019192275A1 (en) Authentication method and network element
WO2018137671A1 (en) Authentication method, base station, user equipment, core network, system, device and data storage medium
US20230370292A1 (en) Session establishment method and apparatus, access network device and storage medium
CN110830996A (en) Key updating method, network equipment and terminal
CN112400335A (en) Method and computing device for performing data integrity protection
CN114071624B (en) Switching method, switching device and communication equipment
TW202245442A (en) Communication method and apparatus
CN115915124A (en) Key updating method, network element, user equipment and storage medium
CN113810903A (en) Communication method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18744638

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18744638

Country of ref document: EP

Kind code of ref document: A1