WO2018202117A1 - Key updating method and device - Google Patents

Key updating method and device

Info

Publication number
WO2018202117A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
base station
information
indication information
indication
Application number
PCT/CN2018/085568
Inventor
戴明增
彭文杰
刘菁
郭轶
曾清海
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2018202117A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/0005 Control or signalling for completing the hand-off
    • H04W36/0055 Transmission or use of information for re-establishing the radio link

Definitions

  • the present application relates to communication technologies, and in particular, to a secret key update method and device.
  • LTE Long Term Evolution
  • NR New Radio
  • a dual connectivity (DC) transmission system is generally formed between LTE and NR, which may be referred to as an LTE NR DC transmission system.
  • the access network root key is needed.
  • the access network root key based on the primary base station is called a KeNB.
  • the access network root key based on the secondary base station is called an S-KeNB, where the S-KeNB is based on the KeNB and the secondary cell group.
  • SCG Secondary Cell Group
  • the primary base station generates a 32-bit random number as the value of the SCG Counter, and sends the value of the SCG Counter to the UE, and the UE derives the S-KeNB by using the values of the KeNB and the SCG Counter.
  • the S-KeNB needs to be updated, and every time the S-KeNB is updated, the Packet Data Convergence Protocol (PDCP) layer needs to be re-established, which causes service interruption and delay, so the quality of service cannot be guaranteed.
  • PDCP Packet Data Convergence Protocol
  • the present invention provides a key update method and device for solving the prior-art problem that updating the key causes service interruption, so that the quality of service cannot be guaranteed.
  • a first aspect of the present application provides a method for updating a secret key, the method comprising:
  • the user equipment UE acquires first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the UE acquires first indication information including information about the key update, and completes the key update or keeps the key unchanged according to the first indication information, so the first indication information can be used to flexibly control whether the UE completes the key update or keeps the key unchanged.
  • when the key is kept unchanged, the UE does not need to establish a PDCP layer. Therefore, the service is not interrupted and the quality of service is guaranteed.
  • the acquiring, by the UE, the first indication information includes:
  • the UE receives the first indication information sent by the primary base station or the secondary base station; the first indication information includes an indication that the key does not need to be updated;
  • the UE completes the key update or keeps the key unchanged according to the first indication information, including:
  • the UE keeps the key unchanged according to the first indication information.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • when the first indication information indicates that the key does not need to be updated, the UE continues to use the original key to communicate with the secondary base station and does not need to establish the PDCP layer, so the service is not interrupted and the quality of service is guaranteed.
  • the acquiring, by the UE, the first indication information includes:
  • the UE receives the first indication information sent by the primary base station; the first indication information includes an indication that the key needs to be updated;
  • the UE completes the key update or keeps the key unchanged according to the first indication information, including:
  • the UE completes the key update according to the first indication information.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the secondary base station can quickly obtain the new key and counter information directly from the key update list, which improves the speed of the key update.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the primary base station sends the counter information to the UE, so that the UE generates a new key according to the counter information. This avoids the risk of key leakage that would arise if the primary base station transmitted the new key directly, and improves the reliability and security of the key.
  • the UE includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that is a module that performs a communication function with the secondary base station;
  • the UE completes the key update according to the first indication information, including:
  • the first communication module generates a second key according to at least the counter information and the first key, and sends the second key to the second communication module;
  • the first key is the access network root key of the primary base station;
  • the second communication module establishes a PDCP layer according to PDCP layer configuration information
  • the second communication module generates a third key according to at least the second key and the algorithm information, and the third key is applied to data transmission between the UE and the secondary base station.
  • the UE includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that is a module that performs a communication function with the secondary base station;
  • the UE completes the key update according to the first indication information, including:
  • the first communication module sends the configuration information, the counter information, and the first key to the second communication module; the first key is the access network root key of the primary base station;
  • the second communication module generates a second key according to at least the counter information and the first key
  • the second communication module establishes a PDCP layer according to PDCP layer configuration information
  • the second communication module generates a third key according to at least the second key and the algorithm information, and the third key is applied to data transmission between the UE and the secondary base station.
  • when the key needs to be updated, the UE updates the key in a timely manner according to the first indication information, to ensure the security and reliability of the data transmitted between the UE and the secondary base station.
  • a second aspect of the present application provides a method for updating a secret key, the method comprising:
  • the primary base station acquires first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • the primary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the primary base station obtains the first indication information, including:
  • the primary base station receives the second indication information sent by the secondary base station;
  • the second indication information includes an indication that the key needs to be updated, configuration information, and handover indication information;
  • the primary base station generates counter information according to an indication that the key needs to be updated
  • the primary base station generates first indication information according to the counter information, the configuration information, and the handover indication information.
  • the primary base station generates the first indication information according to the counter information, the configuration information, and the handover indication information, including:
  • the primary base station sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information.
  • the primary base station generates first indication information according to the encapsulated counter information, configuration information, and handover indication information.
  • a third aspect of the present application provides a method for updating a secret key, the method comprising:
  • the secondary base station acquires first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • the secondary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information further includes counter information, where the counter information is information determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the secondary base station sends the first indication information to the user equipment UE, including:
  • the secondary base station sends the first indication information to the UE by using the primary base station.
  • a fourth aspect of the present application provides a key update apparatus, where the apparatus includes:
  • An acquiring module configured to obtain first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • a processing module configured to complete the key update or keep the key unchanged according to the first indication information.
  • the acquiring module is specifically configured to receive first indication information sent by the primary base station or the secondary base station; the first indication information includes an indication that the key does not need to be updated;
  • the processing module is specifically configured to keep the key unchanged according to the first indication information.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the acquiring module is specifically configured to receive first indication information that is sent by the primary base station, where the first indication information includes an indication that the key needs to be updated;
  • the processing module is specifically configured to complete the key update according to the first indication information.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the processing module includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that performs a communication function with the secondary base station.
  • the first communication module is configured to generate a second key according to at least the counter information and the first key, and send the second key to the second communication module;
  • the first key is an access network root key of the primary base station;
  • the second communication module is configured to establish a PDCP layer according to PDCP layer configuration information
  • the second communication module is configured to generate a third key according to at least a second key and algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
  • the processing module includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that performs a communication function with the secondary base station.
  • the first communication module is configured to send the configuration information, the counter information, and the first key to the second communication module; the first key is an access network root key of the primary base station;
  • the second communication module is configured to generate a second key according to at least the counter information and the first key
  • the second communication module is configured to establish a PDCP layer according to PDCP layer configuration information
  • the second communication module is configured to generate a third key according to at least a second key and algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
  • a fifth aspect of the present application provides a key update apparatus, including:
  • An acquiring module configured to obtain first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • a sending module configured to send the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the acquiring module is specifically configured to receive the second indication information sent by the secondary base station, generate the counter information according to the indication that the key needs to be updated, and generate the first indication information according to the counter information, the configuration information, and the handover indication information.
  • the second indication information includes an indication that the key needs to be updated, configuration information, and handover indication information.
  • the acquiring module generates the first indication information according to the counter information, the configuration information, and the handover indication information, including:
  • the acquiring module sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information, and generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
  • a sixth aspect of the present application provides a key update apparatus, including:
  • An acquiring module configured to obtain first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
  • a sending module configured to send the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information further includes counter information, where the counter information is information determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, where the secret key update list includes the mapping relationship between the access network root key of the secondary base station and the counter information.
  • the sending module is specifically configured to send the first indication information to the UE by using the primary base station.
  • the sixth aspect of the application further provides an apparatus, including a processor and a memory;
  • the memory is for storing instructions
  • the processor is for executing instructions stored in the memory
  • the device is configured to perform the method as provided in any one of the first to third aspects.
  • a seventh aspect of the present application provides a secret key updating apparatus including at least one processing element (or chip) for performing the methods of the above first to third aspects.
  • An eighth aspect of the present application provides a program for performing the methods of the above first to third aspects when executed by a processor.
  • a ninth aspect of the present application provides a program product, such as a computer readable storage medium, comprising the program of the eighth aspect.
  • a tenth aspect of the present application provides a computer readable storage medium having stored therein instructions that, when executed on a computer, cause the computer to perform the methods of the first to third aspects described above.
  • the eleventh aspect of the present application further provides a communication system, where the communication system includes: a primary base station and a secondary base station;
  • the primary base station is configured to perform the secret key update method provided by the second aspect
  • the secondary base station is configured to perform the secret key update method provided by the third aspect.
  • FIG. 1 is a schematic diagram of an application scenario of a method for updating a secret key according to an embodiment of the present application
  • FIG. 2 is a flowchart of a method for updating a secret key according to an embodiment of the present application
  • FIG. 3 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 4 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 5 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 6 is a flowchart of a method for updating a secret key according to still another embodiment of the present application.
  • FIG. 7 is a flowchart of a method for updating a secret key according to still another embodiment of the present application.
  • FIG. 8 is a flowchart of a method for updating a secret key according to still another embodiment of the present application.
  • FIG. 9 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 10 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 11 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • FIG. 12 is a schematic diagram of a key update apparatus according to an embodiment of the present application.
  • FIG. 13 is a remote key updating apparatus according to another embodiment of the present application.
  • FIG. 14 is a key update apparatus according to still another embodiment of the present application.
  • FIG. 15 is a device according to an embodiment of the present application.
  • FIG. 1 is a schematic diagram of an application scenario of a method for updating a secret key according to an embodiment of the present disclosure.
  • an application scenario of the method for updating a key includes a UE 1, a primary base station 2, a secondary base station 3, and a core network 4, where a control plane connection and a user plane connection may be established between the primary base station 2 and the core network 4, and a user plane connection may be established between the secondary base station 3 and the core network 4.
  • FIG. 2 is a flowchart of a method for updating a secret key according to an embodiment of the present application. This embodiment relates to a specific implementation process in which the UE completes the key update or keeps the key unchanged according to the first indication information. As shown in FIG. 2, the key update method includes the following steps:
  • Step 101 The UE acquires first indication information.
  • the first indication information includes information about a key update.
  • the secret key is used for communication between the UE and the secondary base station.
  • the UE and the secondary base station use the secret key, or a key derived from it, to perform encryption, decryption, integrity protection, integrity checking, etc. on the transmitted data. The UE may obtain the first indication information, which includes the information about the key update, from the primary base station or the secondary base station.
  • the information about the key update is used to indicate whether the UE key needs to be updated, and the secondary base station can determine whether the key needs to be updated based on whether there is a security risk. For example, if the existing key has been used for a long time and exceeds its validity period, the key needs to be updated to ensure the security of the transmitted data; or, when the UE switches the primary cell/primary secondary cell, the original key is still valid and the key does not need to be updated.
  • the information about the key update may be implicit or explicit.
  • when the information about the key update is implicit, the first indication information carrying the information about the key update indicates that the key needs to be updated, and the first indication information not carrying it indicates that the key does not need to be updated.
  • when the information about the key update is explicit, whether the key needs to be updated may be indicated in a certain field of the first indication information; for example, a key update field of 1 indicates that the key needs to be updated, and a key update field of 0 indicates that the key does not need to be updated. Other methods may also be used to indicate whether the key needs to be updated, which is not limited in this application.
  • Step 102 The UE completes the key update or keeps the key unchanged according to the first indication information.
  • the UE acquires information about the key update from the first indication information, and determines whether the key needs to be updated according to the information about the key update, thereby completing the key update or keeping the key unchanged.
  • the UE acquires the first indication information including the information about the key update, and completes the key update or keeps the key unchanged according to the first indication information. With the first indication information, the UE can be flexibly controlled to complete the key update or keep the key unchanged. When the key is kept unchanged, the UE does not need to establish a Packet Data Convergence Protocol (PDCP) layer, so the service is not interrupted and the quality of service is guaranteed.
  • PDCP Packet Data Convergence Protocol
  • when the key does not need to be updated, a method for updating a key is as follows:
  • Step 101 The UE acquires the first indication information, where the UE receives the first indication information sent by the primary base station or the secondary base station, where the first indication information includes an indication that the key does not need to be updated.
  • the first indication information may be sent by the primary base station to the UE; or the secondary base station may send the first indication information to the primary base station, which then sends it to the UE; or the secondary base station sends information including an indication that the key does not need to be updated to the primary base station, and the primary base station generates the first indication information according to the indication that the key does not need to be updated, and then sends the first indication information to the UE.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the base station handover includes handover between primary base stations, handover within a primary base station, handover between secondary base stations, and handover within a secondary base station; the cell handover includes handover within a primary cell and handover between primary cells.
  • the handover indication information is information that is determined by the secondary base station according to factors such as a measurement report.
  • the secondary base station may send the handover indication information to the UE, and instruct the UE to perform primary cell handover in the secondary base station.
  • the primary base station may send the handover indication information to the UE, and instruct the UE to perform cell handover of the primary base station.
  • Step 102, “the UE completes the key update or keeps the key unchanged according to the first indication information”, includes: the UE keeps the key unchanged according to the first indication information.
  • the UE continues to communicate with the secondary base station by using the original key.
  • FIG. 3 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • the embodiment relates to an interaction manner between a UE, a primary base station, and a secondary base station when the key does not need to be updated.
  • as shown in FIG. 3, the method includes the following steps:
  • Step 201 The secondary base station sends first indication information to the primary base station.
  • the first indication information includes an indication that the key does not need to be updated, and the handover indication information, where the handover indication information is used to instruct the UE to perform the primary cell handover in the secondary base station.
  • Step 202 The primary base station determines to perform primary cell handover in the secondary base station according to the handover indication information, and keeps the counter information unchanged.
  • Step 203 The primary base station sends the first indication information to the UE.
  • Step 204 The primary base station sends a handover indication response message to the secondary base station.
  • step 203 and step 204 may be performed simultaneously or sequentially.
  • Step 205 The UE performs primary cell handover in the secondary base station according to the handover indication information.
  • Step 206 The UE communicates with the secondary base station by using the old secret key.
  • in the method for updating the key provided by the embodiment of the present application, when the key does not need to be updated, the UE continues to use the original key to communicate with the secondary base station, and the UE does not need to establish the PDCP layer. Therefore, the service is not interrupted and the quality of service is ensured.
  • when the key needs to be updated, a method for updating the key is as follows:
  • Step 101 The UE acquires the first indication information, where the UE receives the first indication information sent by the primary base station, where the first indication information includes an indication that the key needs to be updated.
  • the first indication information is obtained by the primary base station from the secondary base station: the first indication information may be sent by the secondary base station to the primary base station and forwarded by the primary base station to the UE, or the secondary base station may send information including the indication that the key needs to be updated to the primary base station, and the primary base station generates the first indication information according to the indication that the key needs to be updated, and sends the first indication information to the UE.
  • the indication that the key needs to be updated may be an explicit indication or an implicit indication.
  • an embodiment of the implicit indication is that the secondary base station sends the cell handover indication information to the UE, and by default the key needs to be updated.
  • the first indication information further includes configuration information, counter information, and handover indication information;
  • the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information; and the counter information is used to complete the key update;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the PDCP layer configuration information is used by the UE to establish a PDCP layer or re-establish a PDCP layer.
  • the algorithm information is the encryption, decryption, integrity protection, integrity check and other algorithms selected by the secondary base station according to the security capability of the UE and its own policy.
  • the handover indication information is information that the secondary base station determines according to factors such as a measurement report.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, and the key update list includes a mapping relationship between the access network root key and the counter information of the secondary base station.
  • the key update list may be generated in advance by the primary base station and sent to the secondary base station for storage, or may be generated and stored by the secondary base station. A suitable key and the corresponding counter information are selected from the list and sent to the UE.
  • the secondary base station can quickly obtain new key and counter information directly from the key update list, which can improve the speed of the key update.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • when the secondary base station determines to perform the primary cell handover in the secondary base station, it sends the primary base station information including an indication that the key needs to be updated, and when the primary base station determines that the key needs to be updated, it generates the counter information.
  • the primary base station sends the counter information to the UE, so that the UE generates a new key according to the counter information. This avoids the risk of key leakage that would arise if the primary base station transmitted the new key directly, and improves the reliability and security of the key.
  • Step 102, “the UE completes the key update or keeps the key unchanged according to the first indication information”, includes: the UE completes the key update according to the first indication information.
  • when the UE determines, according to the first indication information, that the key needs to be updated, the UE generates a new key, and uses the new key to communicate with the secondary base station.
  • in the key update method provided by the embodiment of the present invention, when the key needs to be updated, the UE updates the key in time according to the first indication information, to ensure the security and reliability of the data transmitted between the UE and the secondary base station.
  • the implementation manner of performing the key update on the UE side may be implemented by different functional modules, as shown in FIG. 4 and FIG. 5 .
  • a method for updating a secret key is as shown in FIG. 4, and may include the following steps:
  • Step 301 The secondary base station sends second indication information to the primary base station.
  • the second indication information may include configuration information, handover indication information, and an indication that the key needs to be updated.
  • Step 302 The primary base station generates counter information according to an indication that the key needs to be updated.
  • Step 303 The primary base station generates first indication information according to the counter information, the configuration information, and the handover indication information.
  • Step 304 The primary base station sends the first indication information to the UE.
  • the UE includes a first communication module, which is a module that performs a communication function with the primary base station, and a second communication module, which is a module that performs a communication function with the secondary base station.
  • Step 305 The first communications module generates a second key according to at least the counter information and the first key.
  • the first key is the access network root key of the primary base station.
  • Step 306 The first communication module sends the second key to the second communication module.
  • Step 307 The second communications module establishes a PDCP layer according to PDCP layer configuration information.
  • Step 308 The second communication module generates a third key according to at least a second key and algorithm information.
  • the third key is applied to data transmission between the UE and the secondary base station.
  • Step 309 The second communication module uses the third key to communicate with the secondary base station.
  • when the primary base station is a base station of a Long Term Evolution (LTE) network and the secondary base station is a base station of a new generation radio (NR) network, the corresponding first communication module adopts an LTE protocol stack, and the second communication module completes steps 307, 308, and 309 using the NR protocol stack.
  • another method for updating the key is shown in FIG. 5, and may include the following steps:
  • Step 401 The secondary base station sends third indication information to the primary base station.
  • the third indication information may include handover indication information and an indication that the key needs to be updated.
  • Step 402 The primary base station generates counter information according to the indication that the key needs to be updated.
  • Step 403 The primary base station sends the counter information to the secondary base station.
  • Step 404 The secondary base station generates first indication information according to the counter information, the indication that the key needs to be updated, and the configuration information.
  • Step 405 The secondary base station sends the first indication information to the primary base station.
  • Step 406 The primary base station sends the first indication information to the UE.
  • the UE includes a first communication module, which is a module that performs a communication function with the primary base station, and a second communication module, which is a module that performs a communication function with the secondary base station.
  • Step 407 The first communication module sends the configuration information, the counter information, and the first key to the second communication module.
  • the first key is the access network root key of the primary base station.
  • Step 408 The second communication module generates a second key according to at least the counter information and the first key.
  • Step 409 The second communication module establishes a PDCP layer according to PDCP layer configuration information.
  • Step 4010 The second communication module generates a third key according to at least a second key and algorithm information.
  • the third key is applied to data transmission between the UE and the secondary base station.
  • Step 4011 The second communication module uses the third key to communicate with the secondary base station.
  • the corresponding first communication module uses the LTE protocol stack to complete the foregoing step 407, and the second communication module uses the NR protocol stack to complete step 408.
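The UE-side handling in FIG. 4 and FIG. 5, combined with the implicit/explicit indication rule described earlier, as an added Python example (not code from the patent). Assumptions: HMAC-SHA-256 stands in for the derivation function, which the page does not name; the field names, the `Module` bookkeeping, the counter freshness check and all sample values are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    # Stand-in derivation (assumption): the page does not specify the function.
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()


def derive_second_key(first_key: bytes, counter: int) -> bytes:
    # "second key according to at least the counter information and the first key"
    return kdf(first_key, b"second", counter.to_bytes(2, "big"))


def derive_third_key(second_key: bytes, algorithm: str) -> bytes:
    # "third key according to at least a second key and algorithm information"
    return kdf(second_key, b"third", algorithm.encode())


@dataclass
class FirstIndication:
    key_update: Optional[int] = None     # explicit field: 1 = update, 0 = keep
    counter: Optional[int] = None        # counter information
    algorithm: Optional[str] = None      # algorithm information
    pdcp_config: Optional[dict] = None   # PDCP layer configuration information
    handover: Optional[str] = None       # handover indication information

    def needs_update(self) -> bool:
        if self.key_update is not None:  # explicit indication wins
            return self.key_update == 1
        # Implicit (modelled here as): update information carried or not carried.
        return self.counter is not None


@dataclass
class Module:
    name: str
    held: set = field(default_factory=set)  # which keys this module has handled


@dataclass
class UE:
    first_key: bytes                 # access network root key of the primary base station
    third_key: bytes = b""
    last_counter: int = -1
    pdcp_setups: int = 0

    def __post_init__(self):
        self.first_module = Module("first", {"first_key"})
        self.second_module = Module("second")

    def handle(self, ind: FirstIndication, split: str = "fig4") -> str:
        if not ind.needs_update():
            return "unchanged"       # original key kept, no PDCP establishment
        if ind.counter is None or ind.algorithm is None or ind.pdcp_config is None:
            raise ValueError("update indicated but counter/algorithm/PDCP config missing")
        if ind.counter <= self.last_counter:
            # Added check (assumption): a reused counter would re-derive an old key.
            raise ValueError("counter information is not fresh")
        second_key = derive_second_key(self.first_key, ind.counter)
        if split == "fig4":
            # Steps 305-306: first module derives, second module receives only the second key.
            self.first_module.held.add("second_key")
            self.second_module.held.add("second_key")
        else:
            # Steps 407-408: the first key itself is handed to the second module.
            self.second_module.held.update({"first_key", "second_key"})
        self.pdcp_setups += 1                                         # steps 307 / 409
        self.third_key = derive_third_key(second_key, ind.algorithm)  # steps 308 / 4010
        self.second_module.held.add("third_key")
        self.last_counter = ind.counter
        return "updated"


def network_third_key(first_key: bytes, counter: int, algorithm: str) -> bytes:
    # Network side: the primary base station derives the second key and passes it
    # to the secondary base station, which derives the third key.
    return derive_third_key(derive_second_key(first_key, counter), algorithm)


if __name__ == "__main__":
    root = bytes(range(32))  # constructed sample first key
    ue = UE(root)
    print(ue.handle(FirstIndication(key_update=0, handover="primary-cell-change")))
    ind = FirstIndication(counter=1, algorithm="alg-A", pdcp_config={"sn_bits": 18})
    print(ue.handle(ind, "fig4"), ue.third_key == network_third_key(root, 1, "alg-A"))
    print(sorted(ue.second_module.held))
```

Both module splits yield the same third key; they differ in whether the module facing the secondary base station ever handles the first key.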
  • FIG. 6 is a flowchart of a method for updating a secret key according to still another embodiment of the present application.
  • the embodiment relates to a process in which the primary base station acquires the first indication information, and sends the first indication information to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information, as shown in FIG.
  • the key update method includes the following steps:
  • Step 501 The primary base station acquires first indication information, where the first indication information includes information about a key update, and the secret key is used for communication between the UE and the secondary base station.
  • Step 502 The primary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the indication that the key needs to be updated may also be an explicit indication or an implicit indication.
  • an embodiment of the implicit indication is that the secondary base station sends the cell handover indication information to the UE, and by default the key needs to be updated.
  • the first indication information further includes configuration information, counter information, and handover indication information;
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the counter information is used to complete the key update;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, and the key update list includes a mapping relationship between the access network root key and the counter information of the secondary base station.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the key update method may further include: the primary base station sends the counter information to the secondary base station, so that the secondary base station generates a second key according to at least the counter information and the first key, and then generates a third key according to at least the second key and the algorithm information; or,
  • the key update method may further include: the primary base station generates a second key according to at least the counter information and the first key, and sends the second key to the secondary base station, so that the secondary base station generates the third key according to at least the second key and the algorithm information.
  • the first key is the access network root key of the primary base station
  • the third key is applied to data transmission between the UE and the secondary base station.
  • the primary base station sends the counter information to the secondary base station, or sends the second key to the secondary base station, so that the secondary base station generates the third key, and the third key is used for communication between the UE and the secondary base station, which ensures the accuracy of data transmission.
  • the step “the primary base station acquires the first indication information” includes:
  • Step 601 The primary base station receives the second indication information sent by the secondary base station, where the second indication information may include an indication that the key needs to be updated, configuration information, and handover indication information.
  • Step 602 The primary base station generates counter information according to an indication that the key needs to be updated.
  • Step 603 The primary base station generates first indication information according to the counter information, the configuration information, and the handover indication information.
  • the step “the primary base station generates the first indication information according to the counter information, the configuration information, and the handover indication information” includes:
  • Step 6031 The primary base station sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information.
  • Step 6032 The primary base station generates first indication information according to the encapsulated counter information, configuration information, and handover indication information.
  • the key update method provided by the embodiment of the present application is the implementation method of the primary base station side corresponding to the embodiments shown in FIG. 2 to FIG. 5; for its implementation principle and beneficial effects, refer to those embodiments, which are not described here again.
  • FIG. 9 is a flowchart of a method for updating a secret key according to another embodiment of the present application.
  • the embodiment relates to a process in which the secondary base station acquires the first indication information, and sends the first indication information to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information, as shown in FIG.
  • the embodiment includes the following steps:
  • Step 701 The secondary base station acquires first indication information, where the first indication information includes information about a key update, and the secret key is used for communication between the UE and the secondary base station.
  • Step 702 The secondary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the step “the secondary base station sends the first indication information to the user equipment UE” includes: the secondary base station sends the first indication information to the UE by using the primary base station.
  • the secondary base station may send the first indication information to the UE by using the primary base station, or may directly send the first indication information to the UE. For example, when the first indication information indicates that the key does not need to be updated, the secondary base station may directly send the first indication information to the UE, and when the first indication information indicates that the key needs to be updated, the secondary base station sends the first indication information to the primary base station, and the primary base station processes the first indication information and then sends it to the UE.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information and handover indication information;
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information; and the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information further includes counter information, where the counter information is information determined by the secondary base station according to the access network root key and the key update list of the secondary base station, and the key update list includes the mapping between the access network root key of the secondary base station and the counter information.
  • the key update method provided by the embodiment of the present application is the implementation method of the secondary base station side corresponding to the embodiments shown in FIG. 2 to FIG. 5; for its implementation principle and beneficial effects, refer to those embodiments, which are not described here again.
  • FIG. 10 is a flowchart of a method for updating a key according to another embodiment of the present application. This embodiment relates to a process in which the primary base station encrypts first NR radio resource control information and transmits it to the UE. As shown in FIG. 10, the method includes the following steps:
  • Step 801 The secondary base station sends first NR radio resource control (RRC) information to the primary base station.
  • the first NR RRC information includes first indication information, and the first indication information includes information about a key update.
  • Step 802 The primary base station performs encryption and integrity protection processing on the first NR RRC information by using the primary base station secret key to generate second NR RRC information.
  • Step 803 The primary base station sends the second NR RRC information to the UE.
  • the UE includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that is a module that performs a communication function with the secondary base station.
  • Step 804 The first communication module performs decryption and integrity check on the second NR RRC information by using the primary base station secret key, and obtains the first indication information.
  • Step 805 The first communications module sends the first indication information to the second communications module.
  • Step 806 The second communication module completes the key update or keeps the key unchanged according to the first indication information, and generates a first NR RRC response message.
  • Step 807 The second communications module sends the first NR RRC response message to the first communications module.
  • Step 808 The first communications module encrypts the first NR RRC response information by using a primary base station secret key to generate a second NR RRC response message.
  • Step 809 The first communications module sends the second NR RRC response message to the primary base station.
  • Step 8010 The primary base station performs decryption and integrity check on the second NR RRC response information by using the primary base station secret key, and obtains the first NR RRC response information.
  • Step 8011 The primary base station sends the first NR RRC response information to the secondary base station.
  • FIG. 11 is a flowchart of a method for updating a key according to another embodiment of the present application. This embodiment relates to a process in which the secondary base station encrypts first NR radio resource control information and transmits it to the UE. As shown in FIG. 11, the method includes the following steps:
  • Step 901 The secondary base station performs encryption and integrity protection processing on the first NR RRC information by using the secondary base station secret key to generate second NR RRC information.
  • the first NR RRC information includes first indication information, and the first indication information includes information about a key update.
  • Step 902 The secondary base station sends the second NR RRC information to the primary base station.
  • Step 903 The primary base station sends the second NR RRC information to the UE.
  • the UE includes a first communication module that is a module that performs a communication function with the primary base station, and a second communication module that is a module that performs a communication function with the secondary base station.
  • Step 904 The first communications module sends the second NR RRC information to the second communications module.
  • Step 905 The second communication module performs decryption and integrity check on the second NR RRC information by using the secondary base station secret key, and obtains the first indication information.
  • Step 906 The second communication module completes the key update or keeps the key unchanged according to the first indication information, and generates a first NR RRC response message.
  • Step 907 The second communication module encrypts the first NR RRC response information by using the secondary base station secret key to generate a second NR RRC response message.
  • Step 908 The second communications module sends the second NR RRC response message to the first communications module.
  • Step 909 The first communications module sends the second NR RRC response message to the primary base station.
  • Step 9010 The primary base station sends the second NR RRC response message to the secondary base station.
  • Step 9011 The secondary base station uses the secondary base station secret key to perform decryption and integrity check on the second NR RRC response information, and obtains the first NR RRC response information.
  • in the key update methods shown in FIG. 10 and FIG. 11, the primary base station or the secondary base station performs encryption and integrity protection processing on the first NR radio resource control information that includes the first indication information, thereby ensuring the reliability and security of the key update.
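The difference between the FIG. 10 and FIG. 11 flows, as an added Python example (not code from the patent): it shows which node handles the first NR RRC information in the clear and how the integrity check reacts to a modified relay. Assumptions: the HMAC-SHA-256 keystream and tag are constructed stand-ins for the encryption and integrity algorithms, which the page does not name; the keys, nonce and message are sample values.

```python
import hashlib
import hmac


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and integrity keys (assumption of this example).
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Encryption and integrity protection: nonce(8) || ciphertext || tag(32)."""
    stream = _keystream(_subkey(key, b"enc"), nonce, len(message))
    ciphertext = bytes(m ^ s for m, s in zip(message, stream))
    tag = hmac.new(_subkey(key, b"int"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Integrity check first, then decryption; raises ValueError on a bad tag."""
    nonce, ciphertext, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"int"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def fig10_flow(first_rrc: bytes, primary_key: bytes, nonce: bytes):
    primary_saw = first_rrc                                # step 801: arrives unprotected
    second_rrc = protect(primary_key, nonce, first_rrc)    # step 802
    ue_got = unprotect(primary_key, second_rrc)            # steps 803-804, first module
    return primary_saw, ue_got


def fig11_flow(first_rrc: bytes, secondary_key: bytes, nonce: bytes, relay=lambda b: b):
    second_rrc = protect(secondary_key, nonce, first_rrc)  # step 901
    primary_saw = relay(second_rrc)                        # steps 902-904: forwarded as is
    ue_got = unprotect(secondary_key, primary_saw)         # step 905, second module
    return primary_saw, ue_got


if __name__ == "__main__":
    msg = b"first indication: key_update=1"                # constructed sample message
    nonce = (1).to_bytes(8, "big")
    print(fig10_flow(msg, b"P" * 32, nonce)[0] == msg)     # primary handles plaintext
    print(msg in fig11_flow(msg, b"S" * 32, nonce)[0])     # primary relays ciphertext only
```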
  • FIG. 12 is a device for updating a secret key according to an embodiment of the present invention.
  • the device includes an obtaining module 11 and a processing module 12.
  • the obtaining module 11 is configured to obtain the first indication information; the first indication information includes information about the key update; the key is used for communication between the UE and the secondary base station; and the processing module 12 is configured to complete the key update or keep the key unchanged according to the first indication information.
  • the obtaining module 11 is specifically configured to receive the first indication information that is sent by the primary base station or the secondary base station, where the first indication information includes an indication that the key does not need to be updated, and the processing module 12 is specifically configured to keep the key unchanged according to the first indication information.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the obtaining module 11 is configured to receive the first indication information sent by the primary base station, where the first indication information includes an indication that the key needs to be updated, and the processing module 12 is specifically configured to complete the key update according to the first indication information.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, and the key update list includes a mapping relationship between the access network root key and the counter information of the secondary base station.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the processing module 12 includes a first communication module 121 and a second communication module 122.
  • the first communication module 121 is a module that performs a communication function with the primary base station
  • the second communication module 122 is a module that performs a communication function with the secondary base station;
  • the first communication module 121 is configured to generate a second key according to at least the counter information and the first key, and send the second key to the second communication module 122; the first key is the access network root key of the primary base station;
  • the second communication module 122 is configured to establish a PDCP layer according to PDCP layer configuration information
  • the second communication module 122 is configured to generate a third key according to at least a second key and algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
  • Another implementation of FIG. 13 is as follows:
  • the first communication module 121 sends the configuration information, the counter information, and the first key to the second communication module 122; the first key is the access network root key of the primary base station;
  • the second communication module 122 generates a second key according to at least the counter information and the first key
  • the second communication module 122 establishes a PDCP layer according to PDCP layer configuration information
  • the second communication module 122 generates a third key according to at least a second key and algorithm information, and the third key is applied to data transmission between the UE and the secondary base station.
  • FIG. 14 is a device for updating a secret key according to another embodiment of the present application.
  • the device includes an obtaining module 21 and a sending module 22.
  • the obtaining module 21 is configured to obtain the first indication information; the first indication information includes information about the key update; the secret key is used for communication between the UE and the secondary base station; and the sending module 22 is configured to send the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information, counter information, and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the counter information is information that is determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, and the key update list includes a mapping relationship between the access network root key and the counter information of the secondary base station.
  • the counter information is information generated by the primary base station according to an indication that the key needs to be updated.
  • the obtaining module 21 is specifically configured to receive second indication information that is sent by the secondary base station, generate counter information according to the indication that the key needs to be updated, and generate the first indication information according to the counter information, the configuration information, and the handover indication information; the second indication information includes an indication that the key needs to be updated, configuration information, and handover indication information.
  • the obtaining module 21 generating the first indication information according to the counter information, the configuration information, and the handover indication information includes: the obtaining module 21 sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information; and the obtaining module 21 generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
  • the apparatus includes an acquisition module 21 and a transmission module 22.
  • the obtaining module 21 acquires the first indication information; the first indication information includes information about the key update; the secret key is used for communication between the UE and the secondary base station; and the sending module 22 is configured to send the first indication information to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  • the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to indicate that the UE keeps the key unchanged.
  • the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  • the first indication information further includes configuration information and handover indication information
  • the configuration information includes packet data convergence protocol PDCP layer configuration information and algorithm information;
  • the handover indication information is used to indicate that the UE performs base station handover or cell handover.
  • the first indication information further includes counter information, where the counter information is information determined by the secondary base station according to the access network root key and the secret key update list of the secondary base station, and the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
  • the sending module 22 is specifically configured to send the first indication information to the UE by using the primary base station.
  • FIG. 15 is a device according to an embodiment of the present invention. As shown in FIG. 15, the device includes a processor 31 and a memory 32.
  • the memory 32 is used to store instructions, and the processor 31 is configured to execute the instructions stored in the memory 32; when the processor 31 executes the instructions stored in the memory 32, the apparatus is operative to perform the method of any of the embodiments of FIGS.
  • the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), etc.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the present application may be directly embodied as executed by a hardware processor, or by a combination of hardware and software modules in a processor.
  • All or part of the steps of implementing the above method embodiments may be performed by hardware associated with the program instructions.
  • the aforementioned program can be stored in a readable memory.
  • the steps including the foregoing method embodiments are performed; and the foregoing memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state drive, magnetic tape, floppy disk, optical disc, and any combination thereof.
  • the embodiment of the present application further provides a communication system, where the communication system includes: a primary base station and a secondary base station; the primary base station is configured to perform the method for updating a secret key according to any of the embodiments in FIG. 6 to FIG. The secret key updating method described in the embodiment.
  • the embodiment of the present application further provides a secret key updating apparatus including at least one processing element (or chip) for performing the method described in any of the above Figures 2-11.
  • the embodiment of the present application further provides a program, when executed by a processor, for performing the method described in any of the above Figures 2-11.
  • the embodiment of the present application further provides a program product, such as a computer readable storage medium, including the program of the previous embodiment.
  • the embodiment of the present application further provides a computer readable storage medium having instructions stored therein that, when run on a computer, cause the computer to perform the method of any of the above-described FIGS. 2-11.

Abstract

The present application provides a key updating method and device, the method comprising: acquiring by a user equipment (UE) first indication information, the first indication information comprising information about key update, and the key being used for communication between the UE and a secondary base station; and completing the key update or keeping the key unchanged by the UE according to the first indication information. The UE can be flexibly controlled by means of the first indication information to complete the key update or keep the key unchanged; in particular when the key is not required to be updated, the UE does not need to establish a PDCP layer, therefore, service will not be interrupted and service quality will be guaranteed.

Description

Secret key update method and device
This application claims priority to Chinese Patent Application No. 201710313965.X, filed with the Chinese Patent Office on May 5, 2017 and entitled "Secret key update method and device", which is incorporated herein by reference in its entirety.
Technical field
The present application relates to communication technologies, and in particular to a key update method and device.
Background
To allow user equipment (UE) to obtain radio resources from both the Long Term Evolution (LTE) and New Radio (NR) air interfaces at the same time for data transmission, and so achieve a larger transmission rate gain, a dual connectivity (DC) transmission system is usually formed between LTE and NR, which may be called an LTE NR DC transmission system.
When the UE accesses the network, an access network root key is needed. In the LTE NR DC transmission system, the access network root key based on the primary base station is called KeNB, and the access network root key based on the secondary base station is called S-KeNB, where S-KeNB is a key derived from KeNB and the secondary cell group (SCG) counter. For example, when S-KeNB needs to be derived, the primary base station generates a 32-bit random number as the value of the SCG Counter and sends that value to the UE, and the UE derives S-KeNB from KeNB and the value of the SCG Counter.
In the LTE NR DC transmission system, S-KeNB must be updated whenever the UE performs an inter-primary-base-station handover, an intra-primary-base-station handover, an intra-primary-cell handover, an inter-secondary-base-station handover, or an intra-secondary-base-station handover. Each S-KeNB update requires the Packet Data Convergence Protocol (PDCP) layer to be re-established, which causes a service interruption delay, so the quality of service cannot be guaranteed.
Summary of the invention
The present application provides a key update method and device to solve the prior-art problem that a key update causes a service interruption delay, so that the quality of service cannot be guaranteed.
A first aspect of the present application provides a key update method, the method including:
a user equipment UE acquires first indication information, where the first indication information includes information about a key update and the key is used for communication between the UE and a secondary base station;
the UE completes the key update or keeps the key unchanged according to the first indication information.
In the above solution, the UE acquires first indication information that includes information about the key update, and completes the key update or keeps the key unchanged according to it. The first indication information makes it possible to flexibly control whether the UE completes the key update or keeps the key unchanged. In particular, when the key does not need to be updated, the UE does not need to establish a PDCP layer, so the service is not interrupted and the quality of service is guaranteed.
In a possible implementation, the UE acquiring the first indication information includes:
the UE receives the first indication information sent by the primary base station or the secondary base station, where the first indication information includes an indication that the key does not need to be updated;
the UE completing the key update or keeping the key unchanged according to the first indication information includes:
the UE keeps the key unchanged according to the first indication information.
In a possible implementation, the first indication information further includes handover indication information, which is used to indicate that the UE performs a base station handover or a cell handover.
In the above solution, when the first indication information indicates that the key does not need to be updated, the UE continues to use the original key to communicate with the secondary base station and does not need to establish a PDCP layer, so the service is not interrupted and the quality of service is guaranteed.
In a possible implementation, the UE acquiring the first indication information includes:
the UE receives the first indication information sent by the primary base station, where the first indication information includes an indication that the key needs to be updated;
the UE completing the key update or keeping the key unchanged according to the first indication information includes:
the UE completes the key update according to the first indication information.
In a possible implementation, the first indication information further includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information is used to indicate that the UE performs a base station handover or a cell handover.
In a possible implementation, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information. The secondary base station can quickly obtain the new key and counter information directly from the key update list, which speeds up the key update.
In a possible implementation, the counter information is information generated by the primary base station according to the indication that the key needs to be updated. The primary base station sends the counter information to the UE so that the UE generates the new key from the counter information. This avoids the risk of key leakage that could arise if the primary base station transmitted the new key directly, and improves the reliability and security of the key.
In a possible implementation, the UE includes a first communication module and a second communication module, where the first communication module is the module that performs communication with the primary base station and the second communication module is the module that performs communication with the secondary base station;
the UE completing the key update according to the first indication information includes:
the first communication module generates a second key according to at least the counter information and a first key, and sends the second key to the second communication module, where the first key is the access network root key of the primary base station;
the second communication module establishes a PDCP layer according to the PDCP layer configuration information;
the second communication module generates a third key according to at least the second key and the algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
In a possible implementation, the UE includes a first communication module and a second communication module, where the first communication module is the module that performs communication with the primary base station and the second communication module is the module that performs communication with the secondary base station;
the UE completing the key update according to the first indication information includes:
the first communication module sends the configuration information, the counter information, and a first key to the second communication module, where the first key is the access network root key of the primary base station;
the second communication module generates a second key according to at least the counter information and the first key;
the second communication module establishes a PDCP layer according to the PDCP layer configuration information;
the second communication module generates a third key according to at least the second key and the algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
In the above solution, when the key needs to be updated, the UE updates the key promptly according to the first indication information, which ensures the security and reliability of the data transmitted between the UE and the secondary base station.
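The UE-side handling described in the first aspect, as an added Python example that is not code from the application: a "no update" indication leaves the key and the PDCP layer untouched, while an "update" indication drives the first key → second key → third key chain. The application does not name a derivation function, so the HMAC-SHA-256 KDF, its label bytes, the class and field names, the counter-reuse check and the mirrored network-side derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed domain-separation labels (assumption; not taken from the application).
LABEL_SECOND_KEY = b"second-key"
LABEL_THIRD_KEY = b"third-key"


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 over label || 0x00 || context || len(context)."""
    msg = label + b"\x00" + context + len(context).to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class FirstIndication:
    key_update_required: bool
    handover: Optional[str] = None      # handover indication information
    counter: Optional[int] = None       # counter information (32-bit value)
    pdcp_config: Optional[dict] = None  # PDCP layer configuration information
    algorithm: Optional[str] = None     # algorithm information


@dataclass
class UE:
    first_key: bytes                    # access network root key of the primary base station
    second_key: Optional[bytes] = None
    third_key: Optional[bytes] = None
    pdcp_generation: int = 0            # number of PDCP layer establishments so far
    used_counters: set = field(default_factory=set)

    def handle(self, ind: FirstIndication) -> str:
        if not ind.key_update_required:
            # Keep the key unchanged: no derivation and no PDCP re-establishment.
            return "kept"
        if ind.counter is None or ind.pdcp_config is None or ind.algorithm is None:
            raise ValueError("update indication lacks counter or configuration information")
        if not 0 <= ind.counter < 2 ** 32:
            raise ValueError("counter out of range")
        # Added check (assumption): the same counter under the same first key
        # would reproduce the previous second key, so refuse it.
        if ind.counter in self.used_counters:
            raise ValueError("counter reused with the same first key")
        # First communication module: second key from counter + first key.
        second = kdf(self.first_key, LABEL_SECOND_KEY, ind.counter.to_bytes(4, "big"))
        # Second communication module: establish PDCP, then derive the third key.
        self.pdcp_generation += 1
        third = kdf(second, LABEL_THIRD_KEY, ind.algorithm.encode())
        self.used_counters.add(ind.counter)
        self.second_key, self.third_key = second, third
        return "updated"


def primary_base_station_update(first_key, pdcp_config, algorithm, handover):
    """Network side (assumed to mirror the UE): only the counter goes to the UE."""
    counter = secrets.randbits(32)
    second = kdf(first_key, LABEL_SECOND_KEY, counter.to_bytes(4, "big"))
    return FirstIndication(True, handover, counter, pdcp_config, algorithm), second


def demo() -> dict:
    first_key = bytes(range(32))                # constructed sample key
    pdcp_config = {"profile": "constructed"}    # constructed placeholder configuration
    ue = UE(first_key)
    ind, net_second = primary_base_station_update(first_key, pdcp_config, "alg-1", "base-station")
    first = ue.handle(ind)
    net_third = kdf(net_second, LABEL_THIRD_KEY, b"alg-1")
    agree = hmac.compare_digest(ue.third_key, net_third)
    snapshot = (ue.third_key, ue.pdcp_generation)
    second = ue.handle(FirstIndication(False, handover="cell"))
    unchanged = snapshot == (ue.third_key, ue.pdcp_generation)
    try:
        ue.handle(ind)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"first": first, "agree": agree, "second": second,
            "unchanged": unchanged, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

Both sides arrive at the same third key although only the counter is sent to the UE, and the "no update" indication leaves `pdcp_generation` where it was.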
A second aspect of the present application provides a key update method, the method including:
a primary base station acquires first indication information, where the first indication information includes information about a key update and the key is used for communication between the UE and a secondary base station;
the primary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
In a possible implementation, the first indication information includes an indication that the key does not need to be updated, which is used to instruct the UE to keep the key unchanged.
In a possible implementation, the first indication information further includes handover indication information, which is used to indicate that the UE performs a base station handover or a cell handover.
In a possible implementation, the first indication information includes an indication that the key needs to be updated, which is used to instruct the UE to complete the key update.
In a possible implementation, the first indication information further includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information is used to indicate that the UE performs a base station handover or a cell handover.
In a possible implementation, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In a possible implementation, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
In a possible implementation, the primary base station acquiring the first indication information includes:
the primary base station receives second indication information sent by the secondary base station, where the second indication information includes the indication that the key needs to be updated, the configuration information, and the handover indication information;
the primary base station generates the counter information according to the indication that the key needs to be updated;
the primary base station generates the first indication information according to the counter information, the configuration information, and the handover indication information.
In a possible implementation, the primary base station generating the first indication information according to the counter information, the configuration information, and the handover indication information includes:
the primary base station sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information;
the primary base station generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
The beneficial effects of the key update method provided by the second aspect of the present application are similar to those of the method provided by the first aspect, and are not described here again.
A third aspect of the present application provides a key update method, the method including:
a secondary base station acquires first indication information, where the first indication information includes information about a key update and the key is used for communication between the UE and the secondary base station;
the secondary base station sends the first indication information to the user equipment UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
In a possible implementation, the first indication information includes an indication that the key does not need to be updated, which is used to instruct the UE to keep the key unchanged.
In a possible implementation, the first indication information further includes handover indication information, which is used to indicate that the UE performs a base station handover or a cell handover.
In a possible implementation, the first indication information includes an indication that the key needs to be updated, which is used to instruct the UE to complete the key update.
In a possible implementation, the first indication information further includes configuration information and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the handover indication information is used to indicate that the UE performs a base station handover or a cell handover.
In a possible implementation, the first indication information further includes counter information, where the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, and the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In a possible implementation, the secondary base station sending the first indication information to the user equipment UE includes:
the secondary base station sends the first indication information to the UE through the primary base station.
The beneficial effects of the key update method provided by the third aspect of the present application are similar to those of the method provided by the first aspect, and are not described here again.
本申请第四方面提供一种秘钥更新装置,该装置包括:A fourth aspect of the present application provides a key update apparatus, where the apparatus includes:
获取模块,用于获取第一指示信息;第一指示信息包括关于秘钥更新的信息;秘钥用于UE与辅基站之间进行通信;An acquiring module, configured to obtain first indication information; the first indication information includes information about a key update; and the secret key is used for communication between the UE and the secondary base station;
处理模块,用于根据第一指示信息完成秘钥更新或保持秘钥不变。And a processing module, configured to complete the key update or keep the key unchanged according to the first indication information.
在一种可能的实现方式中,获取模块具体用于接收主基站或辅基站发送的第一指示信息;第一指示信息包括秘钥不需要更新的指示;In a possible implementation, the acquiring module is specifically configured to receive first indication information sent by the primary base station or the secondary base station; the first indication information includes an indication that the key does not need to be updated;
处理模块具体用于根据第一指示信息保持秘钥不变。The processing module is specifically configured to keep the key unchanged according to the first indication information.
在一种可能的实现方式中,第一指示信息还包括切换指示信息,切换指示信息用于指示UE进行基站切换或小区切换。In a possible implementation, the first indication information further includes handover indication information, where the handover indication information is used to indicate that the UE performs base station handover or cell handover.
在一种可能的实现方式中,获取模块具体用于接收主基站发送的第一指示信息;第一指示信息包括秘钥需要更新的指示;In a possible implementation manner, the acquiring module is specifically configured to receive first indication information that is sent by the primary base station, where the first indication information includes an indication that the key needs to be updated;
The processing module is specifically configured to complete the key update according to the first indication information.
In a possible implementation, the first indication information further includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
In a possible implementation, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In a possible implementation, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
In a possible implementation, the processing module includes a first communication module and a second communication module; the first communication module is a module that performs the function of communicating with the primary base station, and the second communication module is a module that performs the function of communicating with the secondary base station;
the first communication module is configured to generate a second key according to at least the counter information and a first key, and to send the second key to the second communication module; the first key is the access network root key of the primary base station;
the second communication module is configured to establish a PDCP layer according to the PDCP layer configuration information;
the second communication module is configured to generate a third key according to at least the second key and the algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
In a possible implementation, the processing module includes a first communication module and a second communication module; the first communication module is a module that performs the function of communicating with the primary base station, and the second communication module is a module that performs the function of communicating with the secondary base station;
the first communication module is configured to send the configuration information, the counter information, and a first key to the second communication module; the first key is the access network root key of the primary base station;
the second communication module is configured to generate a second key according to at least the counter information and the first key;
the second communication module is configured to establish a PDCP layer according to the PDCP layer configuration information;
the second communication module is configured to generate a third key according to at least the second key and the algorithm information, where the third key is applied to data transmission between the UE and the secondary base station.
The beneficial effects of the key update apparatus provided by the fourth aspect of the present application are similar to those of the method provided by the first aspect, and are not described here again.
A fifth aspect of the present application provides a key update apparatus, including:
an acquiring module, configured to acquire first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station;
a sending module, configured to send the first indication information to the user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
In a possible implementation, the first indication information includes an indication that the key does not need to be updated, which instructs the UE to keep the key unchanged.
In a possible implementation, the first indication information further includes handover indication information, which instructs the UE to perform a base station handover or a cell handover.
In a possible implementation, the first indication information includes an indication that the key needs to be updated, which instructs the UE to complete the key update.
In a possible implementation, the first indication information further includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
In a possible implementation, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In a possible implementation, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
In a possible implementation, the acquiring module is specifically configured to: receive second indication information sent by the secondary base station; generate the counter information according to the indication that the key needs to be updated; and generate the first indication information according to the counter information, the configuration information, and the handover indication information. The second indication information includes the indication that the key needs to be updated, the configuration information, and the handover indication information.
In a possible implementation, the acquiring module generating the first indication information according to the counter information, the configuration information, and the handover indication information includes:
the acquiring module sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information; and generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
The beneficial effects of the key update apparatus provided by the fifth aspect of the present application are similar to those of the method provided by the second aspect, and are not described here again.
A sixth aspect of the present application provides a key update apparatus, including:
an acquiring module, configured to acquire first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station;
a sending module, configured to send the first indication information to the user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
In a possible implementation, the first indication information includes an indication that the key does not need to be updated, which instructs the UE to keep the key unchanged.
In a possible implementation, the first indication information further includes handover indication information, which instructs the UE to perform a base station handover or a cell handover.
In a possible implementation, the first indication information includes an indication that the key needs to be updated, which instructs the UE to complete the key update.
In a possible implementation, the first indication information further includes configuration information and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
In a possible implementation, the first indication information further includes counter information; the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In a possible implementation, the sending module is specifically configured to send the first indication information to the UE through the primary base station.
The beneficial effects of the key update apparatus provided by the sixth aspect of the present application are similar to those of the method provided by the second aspect, and are not described here again.
The sixth aspect of the present application further provides a device, including a processor and a memory;
the memory is configured to store instructions and the processor is configured to execute the instructions stored in the memory; when the processor executes the instructions stored in the memory, the device performs the method provided by any embodiment of the first to third aspects.
A seventh aspect of the present application provides a key update apparatus, including at least one processing element (or chip) for performing the methods of the first to third aspects above.
An eighth aspect of the present application provides a program that, when executed by a processor, performs the methods of the first to third aspects above.
A ninth aspect of the present application provides a program product, for example a computer-readable storage medium, including the program of the eighth aspect.
A tenth aspect of the present application provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the methods of the first to third aspects above.
An eleventh aspect of the present application further provides a communication system, including a primary base station and a secondary base station;
the primary base station is configured to perform the key update method provided by the second aspect;
the secondary base station is configured to perform the key update method provided by the third aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of an application scenario of the key update method provided by an embodiment of the present application;
FIG. 2 is a flowchart of a key update method provided by an embodiment of the present application;
FIG. 3 is a flowchart of a key update method provided by another embodiment of the present application;
FIG. 4 is a flowchart of a key update method provided by another embodiment of the present application;
FIG. 5 is a flowchart of a key update method provided by another embodiment of the present application;
FIG. 6 is a flowchart of a key update method provided by still another embodiment of the present application;
FIG. 7 is a flowchart of a key update method provided by still another embodiment of the present application;
FIG. 8 is a flowchart of a key update method provided by still another embodiment of the present application;
FIG. 9 is a flowchart of a key update method provided by yet another embodiment of the present application;
FIG. 10 is a flowchart of a key update method provided by yet another embodiment of the present application;
FIG. 11 is a flowchart of a key update method provided by yet another embodiment of the present application;
FIG. 12 shows a key update apparatus provided by an embodiment of the present application;
FIG. 13 shows a key update apparatus provided by another embodiment of the present application;
FIG. 14 shows a key update apparatus provided by still another embodiment of the present application;
FIG. 15 shows a device provided by an embodiment of the present application.
DETAILED DESCRIPTION
The key update method provided by the present application is applied to wireless communication systems, and in particular can be applied to fifth-generation mobile communication technology (5G) systems. FIG. 1 is a schematic diagram of an application scenario of the key update method provided by an embodiment of the present application. As shown in FIG. 1, the application scenario includes a UE 1, a primary base station 2, a secondary base station 3, and a core network 4. A control-plane connection and a user-plane connection may be established for the UE 1 between the primary base station 2 and the core network 4, and a user-plane connection may be established for the UE between the secondary base station 3 and the core network 4.
FIG. 2 is a flowchart of a key update method provided by an embodiment of the present application. This embodiment concerns the specific process by which the UE completes the key update or keeps the key unchanged according to the first indication information. As shown in FIG. 2, the key update method includes the following steps:
Step 101: The UE acquires first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station.
In this embodiment, the key is used for communication between the UE and the secondary base station; for example, the UE and the secondary base station use this key, or a key derived from it, to encrypt, decrypt, integrity-protect, and integrity-check the transmitted data. The UE may obtain the first indication information, which contains the information about the key update, from the primary base station or the secondary base station. The information about the key update indicates to the UE whether the key needs to be updated. The secondary base station may decide whether the key needs to be updated based on whether there is a security risk. For example, if the existing key has been in use for a long time and has exceeded its validity period, the key needs to be updated; or, when parameters used for security protection, such as the bearer identifier (ID), can no longer guarantee the security of the transmitted data, the key can be updated to guarantee it; or, when the UE changes its primary cell / primary secondary cell and the original key is still within its validity period, the key does not need to be updated.
The information about the key update may be implicit or explicit. In the implicit case, carrying information about the key update in the first indication information means that the key needs to be updated, and not carrying it means that the key does not need to be updated. In the explicit case, a field of the first indication information indicates whether the key needs to be updated; for example, a key-update field of 1 means that the key needs to be updated and a key-update field of 0 means that it does not. A person skilled in the art may also indicate whether the key needs to be updated in other ways, and the present application is not limited in this respect.
Step 102: The UE completes the key update or keeps the key unchanged according to the first indication information.
In this embodiment, the UE obtains the information about the key update from the first indication information and determines from it whether the key needs to be updated, and accordingly completes the key update or keeps the key unchanged.
In the key update method provided by the embodiments of the present application, the UE acquires first indication information that includes information about a key update, and completes the key update or keeps the key unchanged according to it. Using the first indication information allows flexible control over whether the UE updates the key or keeps it unchanged. In particular, when the key does not need to be updated, the UE does not need to establish a Packet Data Convergence Protocol (PDCP) layer, so no service interruption is caused and the quality of service is preserved.
Optionally, in the embodiment shown in FIG. 2, one method for the case in which the key does not need to be updated is as follows:
Step 101, "the UE acquires first indication information", includes: the UE receives the first indication information sent by the primary base station or the secondary base station; the first indication information includes an indication that the key does not need to be updated.
In this embodiment, the first indication information may be sent to the UE by the primary base station; or the secondary base station may send the first indication information to the primary base station, which then sends it to the UE; or the secondary base station may send the indication that the key does not need to be updated to the primary base station, which generates the first indication information according to that indication and then sends it to the UE.
Further, the first indication information also includes handover indication information, which instructs the UE to perform a base station handover or a cell handover. Base station handover includes handover between primary base stations, handover within a primary base station, handover between secondary base stations, and handover within a secondary base station; cell handover includes intra-primary-cell handover and inter-primary-cell handover. For example, the handover indication information may be determined by the secondary base station according to factors such as measurement reports: when the primary cell within the secondary base station needs to be changed, the secondary base station may send the handover indication information to the UE, instructing the UE to perform the primary cell handover within the secondary base station. As another example, the handover indication information may be determined by the primary base station according to factors such as measurement reports: when a cell within the primary base station needs to be changed, the primary base station may send the handover indication information to the UE, instructing the UE to perform the cell handover of the primary base station.
Step 102, "the UE completes the key update or keeps the key unchanged according to the first indication information", includes: the UE keeps the key unchanged according to the first indication information.
In this embodiment, if the first indication information includes an indication that the key does not need to be updated, the UE continues to use the original key to communicate with the secondary base station.
Alternatively, in this embodiment, if the first indication information carries no information about the key update, the UE continues to use the original key to communicate with the secondary base station.
Alternatively, in this embodiment, if the key update information carried in the first indication information is the same as the original, the UE continues to use the original key to communicate with the secondary base station.
FIG. 3 is a flowchart of a key update method provided by another embodiment of the present application. This embodiment concerns one way in which the UE, the primary base station, and the secondary base station interact when the key does not need to be updated. As shown in FIG. 3, the method includes the following steps:
Step 201: The secondary base station sends first indication information to the primary base station.
The first indication information includes an indication that the key does not need to be updated and handover indication information; the handover indication information instructs the UE to perform a primary cell handover within the secondary base station.
Step 202: The primary base station determines, according to the handover indication information, that a primary cell handover within the secondary base station is to be performed, and keeps the counter information unchanged.
Step 203: The primary base station sends the first indication information to the UE.
Step 204: The primary base station sends a handover indication response message to the secondary base station.
Optionally, step 203 and step 204 may be performed simultaneously or in sequence.
Step 205: The UE performs the primary cell handover within the secondary base station according to the handover indication information.
Step 206: The UE uses the old key to communicate with the secondary base station.
In the key update method provided by this embodiment of the present application, when the key does not need to be updated, the UE continues to use the original key to communicate with the secondary base station and does not need to establish a PDCP layer, so no service interruption is caused and the quality of service is preserved.
Optionally, in the embodiment shown in FIG. 2, one method for the case in which the key needs to be updated is as follows:
Step 101, "the UE acquires first indication information", includes: the UE receives the first indication information sent by the primary base station; the first indication information includes an indication that the key needs to be updated.
In this embodiment, the primary base station obtains the first indication information from the secondary base station. The secondary base station may send the first indication information to the primary base station, which forwards it to the UE; or the secondary base station may send information containing the indication that the key needs to be updated to the primary base station, which generates the first indication information according to that indication and sends it to the UE. The indication that the key needs to be updated may be explicit or implicit; for example, one form of implicit indication is that when the secondary base station has sent cell handover indication information to the UE, the key is by default taken to need updating.
Further, the first indication information also includes configuration information, counter information, and handover indication information. The configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information; the counter information is used to complete the key update; the handover indication information instructs the UE to perform a base station handover or a cell handover. The PDCP layer configuration information is used by the UE to establish or re-establish the PDCP layer. The algorithm information identifies the encryption, decryption, integrity protection, integrity check and other algorithms selected by the secondary base station according to the UE's security capabilities and its own policy. The handover indication information is determined by the secondary base station according to factors such as measurement reports.
Optionally, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
In this embodiment, the key update list may be generated in advance by the primary base station and sent to the secondary base station for storage, or it may be generated and stored by the secondary base station. When the secondary base station decides to perform a primary cell handover within the secondary base station, it selects a suitable key and the corresponding counter information from the list and sends that counter information to the UE. Because the secondary base station can obtain the new key and counter information directly from the key update list, the key update is faster.
Optionally, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
In this embodiment, when the secondary base station determines that a primary cell handover within the secondary base station is to be performed, it sends information containing the indication that the key needs to be updated to the primary base station, and the primary base station generates the counter information when it determines that the key needs to be updated. The primary base station sends the counter information to the UE so that the UE generates the new key from the counter information. This avoids the risk of key leakage that could arise if the primary base station transmitted the new key directly, and improves the reliability and security of the key.
Step 102, "the UE completes the key update or keeps the key unchanged according to the first indication information", includes: the UE completes the key update according to the first indication information.
In this embodiment, if the UE determines from the first indication information that the key needs to be updated, the UE generates a new key and uses the new key to communicate with the secondary base station.
In the key update method provided by this embodiment of the present application, when the key needs to be updated, the UE updates the key promptly according to the first indication information, ensuring the security and reliability of the data transmitted between the UE and the secondary base station.
Further, when the key needs to be updated, the key update on the UE side may be implemented by different functional modules, as shown in FIG. 4 and FIG. 5.
One key update method is shown in FIG. 4 and may include the following steps:
Step 301: The secondary base station sends second indication information to the primary base station.
The second indication information may include configuration information, handover indication information, and an indication that the key needs to be updated.
Step 302: The primary base station generates counter information according to the indication that the key needs to be updated.
Step 303: The primary base station generates first indication information according to the counter information, the configuration information, and the handover indication information.
Step 304: The primary base station sends the first indication information to the UE.
The way the secondary base station and the primary base station are implemented in this embodiment is only an example; other implementations may also be used.
In this embodiment, the UE includes a first communication module and a second communication module; the first communication module is a module that performs the function of communicating with the primary base station, and the second communication module is a module that performs the function of communicating with the secondary base station. The UE completing the key update according to the first indication information then includes:
Step 305: The first communication module generates a second key according to at least the counter information and a first key.
The first key is the access network root key of the primary base station.
Step 306: The first communication module sends the second key to the second communication module.
Step 307: The second communication module establishes a PDCP layer according to the PDCP layer configuration information.
Step 308: The second communication module generates a third key according to at least the second key and the algorithm information.
The third key is applied to data transmission between the UE and the secondary base station.
Step 309: The second communication module uses the third key to communicate with the secondary base station.
In this embodiment, if the primary base station is a base station of a Long Term Evolution (LTE) network and the secondary base station is a base station of a New Radio (NR) network, the first communication module uses the LTE protocol stack to perform steps 305 and 306, and the second communication module uses the NR protocol stack to perform steps 307, 308, and 309.
Another key update method is shown in FIG. 5 and may include the following steps:
Step 401: The secondary base station sends third indication information to the primary base station.
The third indication information may include handover indication information and an indication that the key needs to be updated.
Step 402: The primary base station generates counter information according to the indication that the key needs to be updated.
Step 403: The primary base station sends the counter information to the secondary base station.
Step 404: The secondary base station generates first indication information according to the counter information, the indication that the key needs to be updated, and configuration information.
Step 405: The secondary base station sends the first indication information to the primary base station.
Step 406: The primary base station sends the first indication information to the UE.
The way the secondary base station and the primary base station are implemented in this embodiment is only an example; other implementations may also be used.
In this embodiment, the UE includes a first communication module and a second communication module. The first communication module performs communication with the primary base station, and the second communication module performs communication with the secondary base station. The UE then completes the key update according to the first indication information as follows:
Step 407: The first communication module sends the configuration information, the counter information, and a first key to the second communication module.
The first key is the access network root key of the primary base station.
Step 408: The second communication module generates a second key according to at least the counter information and the first key.
Step 409: The second communication module establishes a PDCP layer according to the PDCP layer configuration information.
Step 4010: The second communication module generates a third key according to at least the second key and the algorithm information.
The third key is applied to data transmission between the UE and the secondary base station.
Step 4011: The second communication module uses the third key to communicate with the secondary base station.
In this embodiment, if the primary base station is a base station of an LTE network and the secondary base station is a base station of an NR network, the first communication module uses the LTE protocol stack to complete step 407, and the second communication module uses the NR protocol stack to complete steps 408 to 4011.
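The UE-side derivation chain of FIG. 4 and FIG. 5, together with the counter issued by the primary base station, as an added example that is not part of the patent text. The KDF (HMAC-SHA-256), its label bytes, the 16-bit counter width, the function names and all sample values are assumptions; the patent names none of them.

```python
import hashlib
import hmac

# Assumed for this example: HMAC-SHA-256 over a label byte followed by
# length-suffixed parameters. Both label values are arbitrary.
LABEL_SECOND_KEY = 0x01
LABEL_THIRD_KEY = 0x02
COUNTER_MAX = 0xFFFF  # assumed 16-bit counter information


def kdf(key: bytes, label: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, label || P0 || len(P0) || P1 || len(P1) ...)."""
    s = bytes([label])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_key(first_key: bytes, counter: int) -> bytes:
    """Second key from the first (root) key and the counter information."""
    if not 0 <= counter <= COUNTER_MAX:
        raise ValueError("counter out of range")
    return kdf(first_key, LABEL_SECOND_KEY, counter.to_bytes(2, "big"))


def derive_third_key(second_key: bytes, algorithm: tuple) -> bytes:
    """Third key from the second key and (algorithm type, algorithm id)."""
    alg_type, alg_id = algorithm
    return kdf(second_key, LABEL_THIRD_KEY, bytes([alg_type]), bytes([alg_id]))


class CounterIssuer:
    """Primary base station side: one fresh counter value per key update."""

    def __init__(self) -> None:
        self._next = 0

    def issue(self) -> int:
        if self._next > COUNTER_MAX:
            # A repeated counter under the same first key reproduces an old
            # second key, so the first key must change before the counter wraps.
            raise RuntimeError("counter exhausted under this first key")
        value, self._next = self._next, self._next + 1
        return value


def ue_update_fig4(first_key: bytes, indication: dict):
    """FIG. 4 split: returns (third key, names handed to the second module)."""
    second_key = derive_second_key(first_key, indication["counter"])  # step 305
    handed = {"second_key": second_key}                               # step 306
    third_key = derive_third_key(handed["second_key"],
                                 indication["algorithm"])             # step 308
    return third_key, sorted(handed)


def ue_update_fig5(first_key: bytes, indication: dict):
    """FIG. 5 split: the first key itself crosses the module boundary."""
    handed = {"config": indication["algorithm"],
              "counter": indication["counter"],
              "first_key": first_key}                                 # step 407
    second_key = derive_second_key(handed["first_key"],
                                   handed["counter"])                 # step 408
    third_key = derive_third_key(second_key, handed["config"])        # step 4010
    return third_key, sorted(handed)


def handle_indication(current_key, first_key, indication, update=ue_update_fig4):
    """Keep the key when no update is indicated, otherwise derive a new one."""
    if not indication["key_update_required"]:
        return current_key
    return update(first_key, indication)[0]


# Constructed sample values, not taken from the page.
FIRST_KEY = bytes(range(32))
ALGORITHM = (0x05, 0x02)  # hypothetical (algorithm type, algorithm id)


def demo() -> dict:
    issuer = CounterIssuer()
    ind1 = {"key_update_required": True, "counter": issuer.issue(),
            "algorithm": ALGORITHM}
    ind2 = dict(ind1, counter=issuer.issue())
    key4, handed4 = ue_update_fig4(FIRST_KEY, ind1)
    key5, handed5 = ue_update_fig5(FIRST_KEY, ind1)
    # Network side runs the same chain to reach the same third key.
    network = derive_third_key(derive_second_key(FIRST_KEY, ind1["counter"]),
                               ALGORITHM)
    return {"same_key": key4 == key5 == network,
            "handed_fig4": handed4, "handed_fig5": handed5,
            "fresh_after_new_counter":
                handle_indication(key4, FIRST_KEY, ind2) != key4}


if __name__ == "__main__":
    print(demo())
```

Both splits reach the same third key; they differ in which secret the second communication module receives, the derived second key in FIG. 4 or the root key in FIG. 5.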
FIG. 6 is a flowchart of a key update method according to still another embodiment of the present application. This embodiment concerns the process in which the primary base station acquires first indication information and sends it to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information. As shown in FIG. 6, the key update method includes the following steps:
Step 501: The primary base station acquires first indication information. The first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station.
Step 502: The primary base station sends the first indication information to the user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
Optionally, in the embodiment shown in FIG. 6, the first indication information includes an indication that the key does not need to be updated, which instructs the UE to keep the key unchanged.
Further, the first indication information also includes handover indication information, which instructs the UE to perform a base station handover or a cell handover.
Optionally, in the embodiment shown in FIG. 6, the first indication information includes an indication that the key needs to be updated, which instructs the UE to complete the key update. The indication that the key needs to be updated may be an explicit indication or an implicit indication. For example, one form of implicit indication is that, if the secondary base station sends cell handover indication information to the UE, the key is taken by default to need updating.
Further, the first indication information also includes configuration information, counter information, and handover indication information. The configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information; the counter information is used to complete the key update; the handover indication information instructs the UE to perform a base station handover or a cell handover.
Optionally, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
Optionally, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
Optionally, if the counter information is generated by the primary base station according to the indication that the key needs to be updated, the key update method may further include: the primary base station sends the counter information to the secondary base station, so that the secondary base station generates a second key according to at least the counter information and a first key, and then generates a third key according to at least the second key and the algorithm information. Alternatively,
the key update method may further include: the primary base station generates a second key according to at least the counter information and the first key, and sends the second key to the secondary base station, so that the secondary base station generates a third key according to at least the second key and the algorithm information.
The first key is the access network root key of the primary base station, and the third key is applied to data transmission between the UE and the secondary base station.
In this embodiment, the primary base station sends either the counter information or the second key to the secondary base station so that the secondary base station generates the third key. The UE and the secondary base station then both use the third key to communicate, which ensures the accuracy of data transmission.
Further, when the key needs to be updated, as shown in FIG. 7, the step "the primary base station acquires first indication information" includes:
Step 601: The primary base station receives second indication information sent by the secondary base station. The second indication information may include an indication that the key needs to be updated, configuration information, and handover indication information.
Step 602: The primary base station generates counter information according to the indication that the key needs to be updated.
Step 603: The primary base station generates the first indication information according to the counter information, the configuration information, and the handover indication information.
Still further, as shown in FIG. 8, the step "the primary base station generates the first indication information according to the counter information, the configuration information, and the handover indication information" includes:
Step 6031: The primary base station sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information.
Step 6032: The primary base station generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
The key update method provided in this embodiment of the present application is the primary-base-station-side implementation corresponding to the embodiments shown in FIG. 2 to FIG. 5. For its implementation principle and beneficial effects, refer to those of the embodiments shown in FIG. 2 to FIG. 5; they are not repeated here.
FIG. 9 is a flowchart of a key update method according to yet another embodiment of the present application. This embodiment concerns the process in which the secondary base station acquires first indication information and sends it to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information. As shown in FIG. 9, this embodiment includes the following steps:
Step 701: The secondary base station acquires first indication information. The first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station.
Step 702: The secondary base station sends the first indication information to the user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
Optionally, the secondary base station sending the first indication information to the UE includes: the secondary base station sends the first indication information to the UE through the primary base station.
In this embodiment, the secondary base station may send the first indication information to the UE through the primary base station, or may send it to the UE directly. For example, when the first indication information indicates that the key does not need to be updated, the secondary base station may send the first indication information directly to the UE; when the first indication information indicates that the key needs to be updated, the secondary base station sends the first indication information to the primary base station, which processes it and then sends it to the UE.
Optionally, in the embodiment shown in FIG. 9, the first indication information includes an indication that the key does not need to be updated, which instructs the UE to keep the key unchanged.
Further, the first indication information also includes handover indication information, which instructs the UE to perform a base station handover or a cell handover.
Optionally, in the embodiment shown in FIG. 9, the first indication information includes an indication that the key needs to be updated, which instructs the UE to complete the key update.
Further, the first indication information also includes configuration information and handover indication information. The configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information; the handover indication information instructs the UE to perform a base station handover or a cell handover.
Still further, the first indication information also includes counter information. The counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
The key update method provided in this embodiment of the present application is the secondary-base-station-side implementation corresponding to the embodiments shown in FIG. 2 to FIG. 5. For its implementation principle and beneficial effects, refer to those of the embodiments shown in FIG. 2 to FIG. 5; they are not repeated here.
FIG. 10 is a flowchart of a key update method according to yet another embodiment of the present application. This embodiment concerns the process in which the primary base station encrypts the first NR radio resource control information and sends it to the UE. As shown in FIG. 10, the method includes the following steps:
Step 801: The secondary base station sends first NR Radio Resource Control (RRC) information to the primary base station.
Optionally, the first NR RRC information includes first indication information, and the first indication information includes information about a key update.
Step 802: The primary base station applies encryption and integrity protection to the first NR RRC information using the primary base station key, generating second NR RRC information.
Step 803: The primary base station sends the second NR RRC information to the UE.
In this embodiment, the UE includes a first communication module and a second communication module. The first communication module performs communication with the primary base station, and the second communication module performs communication with the secondary base station.
Step 804: The first communication module uses the primary base station key to decrypt and integrity-check the second NR RRC information, and obtains the first indication information.
Step 805: The first communication module sends the first indication information to the second communication module.
Step 806: The second communication module completes the key update or keeps the key unchanged according to the first indication information, and generates first NR RRC response information.
Step 807: The second communication module sends the first NR RRC response information to the first communication module.
Step 808: The first communication module encrypts the first NR RRC response information using the primary base station key, generating second NR RRC response information.
Step 809: The first communication module sends the second NR RRC response information to the primary base station.
Step 8010: The primary base station uses the primary base station key to decrypt and integrity-check the second NR RRC response information, and obtains the first NR RRC response information.
Step 8011: The primary base station sends the first NR RRC response information to the secondary base station.
FIG. 11 is a flowchart of a key update method according to yet another embodiment of the present application. This embodiment concerns the process in which the secondary base station encrypts the first NR radio resource control information and sends it to the UE. As shown in FIG. 11, the method includes the following steps:
Step 901: The secondary base station applies encryption and integrity protection to the first NR RRC information using the secondary base station key, generating second NR RRC information.
Optionally, the first NR RRC information includes first indication information, and the first indication information includes information about a key update.
Step 902: The secondary base station sends the second NR RRC information to the primary base station.
Step 903: The primary base station sends the second NR RRC information to the UE.
In this embodiment, the UE includes a first communication module and a second communication module. The first communication module performs communication with the primary base station, and the second communication module performs communication with the secondary base station.
Step 904: The first communication module sends the second NR RRC information to the second communication module.
Step 905: The second communication module uses the secondary base station key to decrypt and integrity-check the second NR RRC information, and obtains the first indication information.
Step 906: The second communication module completes the key update or keeps the key unchanged according to the first indication information, and generates first NR RRC response information.
Step 907: The second communication module encrypts the first NR RRC response information using the secondary base station key, generating second NR RRC response information.
Step 908: The second communication module sends the second NR RRC response information to the first communication module.
Step 909: The first communication module sends the second NR RRC response information to the primary base station.
Step 9010: The primary base station sends the second NR RRC response information to the secondary base station.
Step 9011: The secondary base station uses the secondary base station key to decrypt and integrity-check the second NR RRC response information, and obtains the first NR RRC response information.
In the key update methods provided in FIG. 10 and FIG. 11, the primary base station or the secondary base station applies encryption and integrity protection to the first NR radio resource control information containing the first indication information, which ensures the reliability and security of the key update.
FIG. 12 shows a key update apparatus according to an embodiment of the present application. As shown in FIG. 12, the apparatus includes an obtaining module 11 and a processing module 12. The obtaining module 11 is configured to obtain first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station. The processing module 12 is configured to complete the key update or keep the key unchanged according to the first indication information.
Optionally, the obtaining module 11 is specifically configured to receive the first indication information sent by the primary base station or the secondary base station; the first indication information includes an indication that the key does not need to be updated; the processing module 12 is specifically configured to keep the key unchanged according to the first indication information.
Further, the first indication information also includes handover indication information, which instructs the UE to perform a base station handover or a cell handover.
Optionally, the obtaining module 11 is specifically configured to receive the first indication information sent by the primary base station; the first indication information includes an indication that the key needs to be updated; the processing module 12 is specifically configured to complete the key update according to the first indication information.
Further, the first indication information also includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information instructs the UE to perform a base station handover or a cell handover.
Optionally, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping between the access network root key of the secondary base station and the counter information.
Optionally, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
Optionally, as shown in FIG. 13, the processing module 12 includes a first communication module 121 and a second communication module 122. The first communication module 121 performs communication with the primary base station, and the second communication module 122 performs communication with the secondary base station;
the first communication module 121 is configured to generate a second key according to at least the counter information and a first key, and to send the second key to the second communication module 122; the first key is the access network root key of the primary base station;
the second communication module 122 is configured to establish a PDCP layer according to the PDCP layer configuration information;
the second communication module 122 is configured to generate a third key according to at least the second key and the algorithm information, and the third key is applied to data transmission between the UE and the secondary base station.
Optionally, another implementation of FIG. 13 is as follows:
the first communication module 121 sends the configuration information, the counter information, and the first key to the second communication module 122; the first key is the access network root key of the primary base station;
the second communication module 122 generates a second key according to at least the counter information and the first key;
the second communication module 122 establishes a PDCP layer according to the PDCP layer configuration information;
the second communication module 122 generates a third key according to at least the second key and the algorithm information, and the third key is applied to data transmission between the UE and the secondary base station.
The implementation principle and beneficial effects of the key update apparatus provided in this embodiment of the present application are similar to those of the key update methods shown in FIG. 2 to FIG. 5 and are not repeated here.
FIG. 14 shows a key update apparatus according to yet another embodiment of the present application. As shown in FIG. 14, the apparatus includes an obtaining module 21 and a sending module 22. The obtaining module 21 is configured to obtain first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and a secondary base station. The sending module 22 is configured to send the first indication information to the user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
Optionally, the first indication information includes an indication that the key does not need to be updated, and this indication is used to instruct the UE to keep the key unchanged.
Further, the first indication information also includes handover indication information, which is used to instruct the UE to perform a base station handover or a cell handover.
Optionally, the first indication information includes an indication that the key needs to be updated, and this indication is used to instruct the UE to complete the key update.
Further, the first indication information also includes configuration information, counter information, and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the counter information is used to complete the key update;
the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
Optionally, the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, where the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
Optionally, the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
Optionally, the obtaining module 21 is specifically configured to: receive second indication information sent by the secondary base station; generate the counter information according to the indication that the key needs to be updated; and generate the first indication information according to the counter information, the configuration information, and the handover indication information. The second indication information includes the indication that the key needs to be updated, the configuration information, and the handover indication information.
Further, the generating, by the obtaining module 21, of the first indication information according to the counter information, the configuration information, and the handover indication information includes: the obtaining module 21 sends the counter information to the secondary base station, so that the secondary base station encapsulates the counter information; and generates the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
The implementation principles and beneficial effects of the key update apparatus provided in this embodiment of the present application are similar to those of the key update methods shown in FIG. 6 to FIG. 8, and details are not described herein again.
Yet another embodiment of the present application further provides a key update apparatus whose structural block diagram is the same as FIG. 14. As shown in FIG. 14, the apparatus includes an obtaining module 21 and a sending module 22. The obtaining module 21 obtains first indication information; the first indication information includes information about a key update; the key is used for communication between the UE and the secondary base station. The sending module 22 is configured to send the first indication information to the UE, so that the UE completes the key update or keeps the key unchanged according to the first indication information.
Optionally, the first indication information includes an indication that the key does not need to be updated, and this indication is used to instruct the UE to keep the key unchanged.
Further, the first indication information also includes handover indication information, which is used to instruct the UE to perform a base station handover or a cell handover.
Optionally, the first indication information includes an indication that the key needs to be updated, and this indication is used to instruct the UE to complete the key update.
Further, the first indication information also includes configuration information and handover indication information;
the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
Still further, the first indication information also includes counter information, where the counter information is information determined by the secondary base station according to the access network root key of the secondary base station and a key update list, and the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
Optionally, the sending module 22 is specifically configured to send the first indication information to the UE through the primary base station.
The implementation principles and beneficial effects of the key update apparatus provided in this embodiment of the present application are similar to those of the key update method shown in FIG. 9, and details are not described herein again.
FIG. 15 shows a device according to an embodiment of the present application. As shown in FIG. 15, the device includes a processor 31 and a memory 32. The memory 32 is configured to store instructions, and the processor 31 is configured to execute the instructions stored in the memory 32. When the processor 31 executes the instructions stored in the memory 32, the device is configured to perform the method according to any one of the embodiments in FIG. 2 to FIG. 11.
In a specific implementation of the foregoing device, it should be understood that the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the methods disclosed in the present application may be performed directly by a hardware processor, or by a combination of hardware and software modules in a processor.
All or some of the steps of the foregoing method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a readable memory. When executed, the program performs the steps of the foregoing method embodiments. The memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid-state drive, magnetic tape, floppy disk, optical disc, and any combination thereof.
An embodiment of the present application further provides a communication system including a primary base station and a secondary base station. The primary base station is configured to perform the key update method according to any one of the embodiments in FIG. 6 to FIG. 8, and the secondary base station is configured to perform the key update method according to the embodiment in FIG. 9.
An embodiment of the present application further provides a key update apparatus including at least one processing element (or chip) for performing the method according to any one of FIG. 2 to FIG. 11.
An embodiment of the present application further provides a program which, when executed by a processor, performs the method according to any one of FIG. 2 to FIG. 11.
An embodiment of the present application further provides a program product, such as a computer-readable storage medium, including the program of the previous embodiment.
An embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method according to any one of FIG. 2 to FIG. 11.

Claims (26)

  1. A key update method, characterized in that the method comprises:
    a user equipment (UE) obtaining first indication information, wherein the first indication information includes information about the key update, and the key is used for communication between the UE and a secondary base station;
    the UE completing the key update or keeping the key unchanged according to the first indication information.
  2. The method according to claim 1, characterized in that the UE obtaining the first indication information comprises:
    the UE receiving the first indication information sent by a primary base station or the secondary base station, wherein the first indication information includes an indication that the key does not need to be updated;
    and the UE completing the key update or keeping the key unchanged according to the first indication information comprises:
    the UE keeping the key unchanged according to the first indication information.
  3. The method according to claim 2, characterized in that the first indication information further includes handover indication information, and the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  4. The method according to claim 1, characterized in that the UE obtaining the first indication information comprises:
    the UE receiving the first indication information sent by a primary base station, wherein the first indication information includes an indication that the key needs to be updated;
    and the UE completing the key update or keeping the key unchanged according to the first indication information comprises:
    the UE completing the key update according to the first indication information.
  5. The method according to claim 4, characterized in that the first indication information further includes configuration information, counter information, and handover indication information;
    the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
    the counter information is used to complete the key update;
    the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  6. The method according to claim 5, characterized in that the counter information is information determined by the secondary base station according to an access network root key of the secondary base station and a key update list, and the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
  7. The method according to claim 5, characterized in that the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
  8. The method according to any one of claims 5 to 7, characterized in that the UE includes a first communication module and a second communication module, the first communication module being a module that performs the function of communicating with the primary base station, and the second communication module being a module that performs the function of communicating with the secondary base station;
    the UE completing the key update according to the first indication information comprises:
    the first communication module generating a second key according to at least the counter information and a first key, and sending the second key to the second communication module, wherein the first key is an access network root key of the primary base station;
    the second communication module establishing a PDCP layer according to the PDCP layer configuration information;
    the second communication module generating a third key according to at least the second key and the algorithm information, wherein the third key is applied to data transmission between the UE and the secondary base station.
  9. The method according to any one of claims 5 to 7, characterized in that the UE includes a first communication module and a second communication module, the first communication module being a module that performs the function of communicating with the primary base station, and the second communication module being a module that performs the function of communicating with the secondary base station;
    the UE completing the key update according to the first indication information comprises:
    the first communication module sending the configuration information, the counter information, and a first key to the second communication module, wherein the first key is an access network root key of the primary base station;
    the second communication module generating a second key according to at least the counter information and the first key;
    the second communication module establishing a PDCP layer according to the PDCP layer configuration information;
    the second communication module generating a third key according to at least the second key and the algorithm information, wherein the third key is applied to data transmission between the UE and the secondary base station.
  10. A key update method, characterized in that the method comprises:
    a primary base station obtaining first indication information, wherein the first indication information includes information about the key update, and the key is used for communication between the UE and a secondary base station;
    the primary base station sending the first indication information to a user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  11. The method according to claim 10, characterized in that the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to instruct the UE to keep the key unchanged.
  12. The method according to claim 11, characterized in that the first indication information further includes handover indication information, and the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  13. The method according to claim 10, characterized in that the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  14. The method according to claim 13, characterized in that the first indication information further includes configuration information, counter information, and handover indication information;
    the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
    the counter information is used to complete the key update;
    the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  15. The method according to claim 14, characterized in that the counter information is information determined by the secondary base station according to an access network root key of the secondary base station and a key update list, and the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
  16. The method according to claim 14, characterized in that the counter information is information generated by the primary base station according to the indication that the key needs to be updated.
  17. The method according to claim 16, characterized in that the primary base station obtaining the first indication information comprises:
    the primary base station receiving second indication information sent by the secondary base station, wherein the second indication information includes the indication that the key needs to be updated, the configuration information, and the handover indication information;
    the primary base station generating the counter information according to the indication that the key needs to be updated;
    the primary base station generating the first indication information according to the counter information, the configuration information, and the handover indication information.
  18. The method according to claim 17, characterized in that the primary base station generating the first indication information according to the counter information, the configuration information, and the handover indication information comprises:
    the primary base station sending the counter information to the secondary base station, so that the secondary base station encapsulates the counter information;
    the primary base station generating the first indication information according to the encapsulated counter information, the configuration information, and the handover indication information.
  19. A key update method, characterized in that the method comprises:
    a secondary base station obtaining first indication information, wherein the first indication information includes information about the key update, and the key is used for communication between the UE and the secondary base station;
    the secondary base station sending the first indication information to a user equipment (UE), so that the UE completes the key update or keeps the key unchanged according to the first indication information.
  20. The method according to claim 19, characterized in that the first indication information includes an indication that the key does not need to be updated, and the indication that the key does not need to be updated is used to instruct the UE to keep the key unchanged.
  21. The method according to claim 20, characterized in that the first indication information further includes handover indication information, and the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  22. The method according to claim 19, characterized in that the first indication information includes an indication that the key needs to be updated, and the indication that the key needs to be updated is used to instruct the UE to complete the key update.
  23. The method according to claim 22, characterized in that the first indication information further includes configuration information and handover indication information;
    the configuration information includes Packet Data Convergence Protocol (PDCP) layer configuration information and algorithm information;
    the handover indication information is used to instruct the UE to perform a base station handover or a cell handover.
  24. The method according to claim 23, characterized in that the first indication information further includes counter information, the counter information is information determined by the secondary base station according to an access network root key of the secondary base station and a key update list, and the key update list includes a mapping relationship between the access network root key of the secondary base station and the counter information.
  25. The method according to any one of claims 19 to 24, characterized in that the secondary base station sending the first indication information to the user equipment (UE) comprises:
    the secondary base station sending the first indication information to the UE through a primary base station.
  26. A device, characterized by comprising a processor and a memory;
    the memory is configured to store instructions, the processor is configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the device is configured to perform the method according to any one of claims 1 to 25.
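The derivation chain recited in claims 8 and 9 (first key plus counter information gives a second key; second key plus algorithm information gives a third key), as an added example that is not part of the patent text. The claims name no key derivation function, so the HMAC-SHA-256 construction, the FC constants (modelled on the LTE dual-connectivity derivation), the 16-bit counter, the 128-bit truncation, and all class and function names are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Assumed constants, modelled on the LTE dual-connectivity KDF; the claims do not state them.
FC_SECOND_KEY = 0x1C  # second key from first key + counter
FC_ALG_KEY = 0x15     # third key from second key + algorithm information
UP_ENC_ALG = 0x05     # algorithm type distinguisher for user-plane encryption


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... with two-byte lengths."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_second_key(first_key: bytes, counter: int) -> bytes:
    if not 0 <= counter <= 0xFFFF:
        raise ValueError("counter must fit in 16 bits (assumed width)")
    return kdf(first_key, FC_SECOND_KEY, counter.to_bytes(2, "big"))


def derive_third_key(second_key: bytes, algorithm_id: int) -> bytes:
    out = kdf(second_key, FC_ALG_KEY, bytes([UP_ENC_ALG]), bytes([algorithm_id]))
    return out[-16:]  # keep the 128 least-significant bits (assumed)


@dataclass(frozen=True)
class FirstIndication:
    """Hypothetical in-memory form of the first indication information."""
    key_update_needed: bool
    counter: Optional[int] = None       # counter information
    algorithm_id: Optional[int] = None  # algorithm information
    handover: bool = False              # handover indication information


class SecondModule:
    """UE module that communicates with the secondary base station."""

    def __init__(self, third_key: bytes) -> None:
        self.third_key = third_key
        self.received: List[str] = []   # key material that crossed the module boundary

    def receive_second_key(self, second_key: bytes, algorithm_id: int) -> None:
        self.received.append("second key")
        self.third_key = derive_third_key(second_key, algorithm_id)

    def receive_first_key(self, first_key: bytes, counter: int, algorithm_id: int) -> None:
        self.received.append("first key")
        second_key = derive_second_key(first_key, counter)
        self.third_key = derive_third_key(second_key, algorithm_id)


class FirstModule:
    """UE module that communicates with the primary base station and holds the first key."""

    def __init__(self, first_key: bytes, peer: SecondModule, split: str) -> None:
        if split not in ("claim8", "claim9"):
            raise ValueError("split must be 'claim8' or 'claim9'")
        self.first_key, self.peer, self.split = first_key, peer, split

    def on_indication(self, ind: FirstIndication) -> None:
        if not ind.key_update_needed:
            return  # claim 2: keep the key unchanged, nothing is handed over
        if ind.counter is None or ind.algorithm_id is None:
            raise ValueError("update indication lacks counter or algorithm information")
        if self.split == "claim8":      # first module derives, hands over the second key
            second_key = derive_second_key(self.first_key, ind.counter)
            self.peer.receive_second_key(second_key, ind.algorithm_id)
        else:                           # claim 9: first key itself goes to the second module
            self.peer.receive_first_key(self.first_key, ind.counter, ind.algorithm_id)


if __name__ == "__main__":
    k1 = bytes(range(32))               # constructed first key, not a real root key
    upd = FirstIndication(True, counter=1, algorithm_id=2, handover=True)
    for split in ("claim8", "claim9"):
        m = SecondModule(b"\x11" * 16)
        FirstModule(k1, m, split).on_indication(upd)
        print(split, m.received, m.third_key.hex())
```

Both splits produce the same third key; they differ in which key crosses the boundary between the two UE modules, which is what `received` records.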
PCT/CN2018/085568 2017-05-05 2018-05-04 Key updating method and device WO2018202117A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710313965.X 2017-05-05
CN201710313965.XA CN108810888B (en) 2017-05-05 2017-05-05 Key updating method and device

Publications (1)

Publication Number Publication Date
WO2018202117A1 (en) 2018-11-08

Family

ID=64016423

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/085568 WO2018202117A1 (en) 2017-05-05 2018-05-04 Key updating method and device

Country Status (2)

Country Link
CN (1) CN108810888B (en)
WO (1) WO2018202117A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112690010B (en) * 2019-01-29 2023-05-05 Oppo广东移动通信有限公司 Key information processing method, access network node and terminal equipment
CN111866870B (en) * 2019-04-26 2022-02-01 华为技术有限公司 Key management method and device
WO2021227835A1 (en) * 2020-05-15 2021-11-18 华为技术有限公司 Key updating method, network device, system and storage medium
CN116367153A (en) * 2021-12-27 2023-06-30 华为技术有限公司 Communication method, device and system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015113207A1 (en) * 2014-01-28 2015-08-06 华为技术有限公司 Security password changing method, base station, and user equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2939456B1 (en) * 2014-01-17 2021-03-03 Samsung Electronics Co., Ltd. Dual connectivity mode of operation of a user equipment in a wireless communication network
CN104918242B (en) * 2014-03-14 2020-04-03 中兴通讯股份有限公司 Slave base station key updating method, slave base station, terminal and communication system
EP4009704A1 (en) * 2015-05-29 2022-06-08 Apple Inc. Seamless mobility for 5g and lte systems and devices

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Security Algorithm Negotiation for dual connectivity", 3GPP TSG-RAN WG3 MEETING #85BIS R3-142585, 10 October 2014 (2014-10-10), XP050886949 *
NSN ET AL.: "Security Overview for the Stage 2", 3GPP TSG-RAN WG2 MEETING #86 R2-142864, 23 May 2014 (2014-05-23), XP050819136 *

Also Published As

Publication number Publication date
CN108810888A (en) 2018-11-13
CN108810888B (en) 2020-09-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18794128

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18794128

Country of ref document: EP

Kind code of ref document: A1