WO2021043130A1 - Key generation method and apparatus, computer-readable storage medium and MME

Info

Publication number: WO2021043130A1
Authority: WO, WIPO (PCT)
Application number: PCT/CN2020/112842
Other languages: French (fr), Chinese (zh)
Inventor: 陶望胜
Original assignee: 中兴通讯股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H04W 36/14 Reselecting a network or an air interface
    • H04W 36/144 Reselecting a network or an air interface over a different radio air interface technology
    • H04W 36/1443 Reselecting a network or an air interface over a different radio air interface technology between licensed networks

Abstract

A key generation method and apparatus, a computer-readable storage medium and an MME. By setting the NAS Count used to generate the initial key KeNB to a fixed value, the initial key KeNB can still be generated when no uplink NAS Count is available, ensuring that the UE and the MME generate a consistent key KeNB.

Description

Key generation method, apparatus, computer-readable storage medium and MME
Cross-reference to related applications
This application is based on, and claims priority from, Chinese patent application No. 201910835444.X filed on 02 September 2019, the entire content of which is incorporated herein by reference.
Technical field
The embodiments of this application relate to, but are not limited to, mobile communication technology, and in particular to a key generation method and apparatus, a computer-readable storage medium and an MME.
Background
In idle mode, when a user equipment (UE) moves from fifth-generation mobile communications (5G) to fourth-generation mobile communications (4G), the Access and Mobility Management Function (AMF) of the 5G core network must map the 5G security context to a 4G security context, for example by deriving the base key Kasme of the 4G security context from the key Kamf of the 5G security context and the uplink non-access stratum (NAS) sequence number. The AMF then passes the generated mapped 4G security context to the Mobility Management Entity (MME) of the 4G core network, so that the 4G network can encrypt and integrity-protect messages in its subsequent exchanges with the UE.
In idle mode, when the UE moves from 5G to 4G and has uplink data or uplink signalling to deliver, the UE sets an activation flag in the request message it sends, such as the Tracking Area Update Request (TAU Request). When the MME then sends the TAU Accept message to the UE, it simultaneously sends an Initial Context Setup Request to the evolved UMTS Terrestrial Radio Access Network (E-UTRAN) and carries the initial key KeNB in that Initial Context Setup Request, so that the E-UTRAN can activate the Access Stratum (AS) security context.
According to the definition of initial key KeNB generation in the 3GPP 33.501 specification, the MME generates the initial key KeNB from the base key Kasme in the mapped 4G security context delivered by the 5G AMF together with the uplink NAS count (NAS Count). According to the specification, the uplink NAS Count takes its value as follows:
If the MME has not triggered the Security Mode Command procedure before sending TAU Accept, the uplink NAS Count is the NAS Count associated with the TAU Request message; otherwise, the uplink NAS Count is the NAS Count associated with the Security Mode Complete message returned by the UE.
However, in the idle-mode 5G-to-4G scenario, the UE protects the TAU Request message it sends with the 5G security context that the UE itself generated on the 5G side; that is, the NAS Count associated with the TAU Request is not the uplink NAS Count of the 4G security context. Consequently, if the MME does not run the Security Mode Command procedure before sending TAU Accept to the UE, the UE and the MME cannot obtain an uplink NAS Count, so either the key KeNB cannot be generated or the UE and the MME generate inconsistent keys KeNB. AS-layer security activation then fails, and in turn the UE's handover from 5G to 4G fails.
Summary of the invention
The embodiments of this application provide a key generation method and apparatus, a computer-readable storage medium and an MME.
An embodiment of this application provides a key generation method, including: a mobility management entity (MME) generates an initial key KeNB using an uplink non-access stratum count (NAS Count) with a fixed value.
An embodiment of this application further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to execute any of the key generation methods described above.
An embodiment of this application further provides an apparatus for implementing key generation, including a processor and a memory, wherein the memory stores a computer program that can run on the processor and is used to execute the steps of any of the key generation methods described above.
An embodiment of this application further provides a mobility management entity (MME) that includes at least the apparatus for implementing key generation described above.
Other features and advantages of this application will be set out in the following description, and will in part become obvious from the description or be understood by practising this application. The objectives and other advantages of this application can be realised and obtained through the structures particularly pointed out in the description, the claims and the drawings.
Description of the drawings
The accompanying drawings provide a further understanding of the technical solution of this application and form part of the description; together with the embodiments of this application they serve to explain the technical solution of this application and do not limit it.
FIG. 1 is a schematic flowchart of a first embodiment of the key generation method according to an embodiment of this application;
FIG. 2 is a schematic flowchart of a second embodiment of the key generation method according to an embodiment of this application;
FIG. 3 is a schematic diagram of an apparatus for implementing key generation according to an embodiment of this application;
FIG. 4 is a schematic diagram of a mobility management entity MME according to an embodiment of this application.
Detailed description
In a typical configuration of an embodiment of this application, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described in detail below with reference to the accompanying drawings. Note that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another arbitrarily.
The inventor of this application found that, when a UE performs a TAU from 5G to 4G and the 4G MME determines that the initial key KeNB needs to be generated and carried in the Initial Context Setup Request sent to the E-UTRAN, in some cases the specific value of the uplink NAS Count used to generate the initial key KeNB is not clearly specified. It is therefore likely that the UE and the MME use different values of the uplink NAS Count and compute inconsistent initial keys KeNB, so that the UE cannot successfully complete the TAU from 5G to 4G.
For the scenario in which the UE performs a TAU from 5G to 4G, in order to ensure that the UE and the MME generate a consistent initial key KeNB, an embodiment of this application provides a key generation method, including:
The MME generates the initial key KeNB using an uplink NAS Count with a fixed value.
In one example, the MME generating the initial key KeNB using an uplink NAS Count with a fixed value may include:
The MME generates the initial key KeNB from the base key Kasme and the uplink NAS Count with the fixed value, where the base key Kasme comes from the mapped 4G security context (Mapped 4G Security Context) of the AMF of the 5G core network.
In one example, the fixed value of the uplink NAS Count may be, for example, 2^32 - 1 or 0.
By setting the NAS Count used to generate the initial key KeNB to a fixed value, this application makes it possible to generate the initial key KeNB even when no uplink NAS Count is available, and ensures that the UE and the MME generate a consistent key KeNB, which provides a guarantee for the successful handover of the UE from 5G to 4G.
In one example, the method of the embodiment of this application further includes:
The MME carries the generated initial key KeNB in an Initial Context Setup Request and sends it to the E-UTRAN.
In one example, before generating the initial key KeNB, the embodiment of this application further includes:
The MME needs to send an Initial Context Setup Request carrying the initial key KeNB.
In one example, the MME needing to send an Initial Context Setup Request carrying the initial key KeNB may include:
The MME learns that the UE is performing a TAU from 5G to 4G, and determines that the UE has uplink data or uplink signalling to deliver, or determines that the user plane needs to be activated.
In one example, the MME determining that the UE has uplink data or uplink signalling to deliver may include:
The MME receives, from the UE, a TAU Request message carrying the activation flag.
In one example, the MME determining that the user plane needs to be activated may include:
The MME receives, from the UE, a TAU Request message that does not carry the activation flag, but determines that the user plane needs to be activated because of the MME's local configuration or for other reasons. Here, other reasons for needing to activate the user plane may be that the MME has received a downlink data notification from the SGW, dedicated bearer activation, and so on; the MME's local configuration may be a switch, such as whether activating the user plane during the TAU procedure is supported.
An embodiment of this application further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to execute any of the key generation methods described above.
Referring to FIG. 3, an embodiment of this application further provides an apparatus for implementing key generation, including a processor 301 and a memory 302, wherein the memory 302 stores a computer program that can run on the processor 301 and is used to execute the steps of any of the key generation methods described above.
Referring to FIG. 4, an embodiment of this application further provides a mobility management entity MME 400, which includes any of the apparatuses 401 for implementing key generation described above.
The application of the key generation method of the embodiments of this application is described in detail below with reference to specific embodiments.
第一实施例,如图1所示,本申请实施例的密钥生成方法可以包括:In the first embodiment, as shown in FIG. 1, the key generation method of the embodiment of the present application may include:
步骤100:UE已注册到5G系统。Step 100: The UE has been registered to the 5G system.
步骤101:UE检测到需要启动4G系统,第一实施例中,假设UE此时存在需要上传的上行数据,那么,UE向MME发送TAU Request消息,在TAU Request消息中携带有激活标记(Active Flag)。Step 101: The UE detects that the 4G system needs to be started. In the first embodiment, assuming that the UE has uplink data that needs to be uploaded at this time, the UE sends a TAU Request message to the MME. The TAU Request message carries an Active Flag (Active Flag). ).
步骤102:MME根据来自5G核心网的AMF的映射4G安全上下文中的基础密钥Kasme,以及取值固定的NAS Count如2 32-1或0,计算生成初始密钥KeNB。 Step 102: The MME calculates and generates the initial key KeNB according to the basic key Kasme in the mapped 4G security context from the AMF of the 5G core network and the fixed NAS Count such as 2 32 -1 or 0.
步骤103:MME将计算得到的初始密钥KeNB携带在Initial Context Setup Request中发送给E-UTRAN。Step 103: The MME carries the calculated initial key KeNB in the Initial Context Setup Request and sends it to the E-UTRAN.
Second embodiment. As shown in FIG. 2, the key generation method of the embodiment of the present application may include:
Step 200: The UE has registered with the 5G system.
Step 201: The UE detects that it needs to move to the 4G system. In the second embodiment it is assumed that the UE sends a TAU Request message to the MME and that the TAU Request message does not carry the Active Flag.
Step 202: In the second embodiment it is assumed that the MME determines, because of its local configuration or for other reasons, that the user plane needs to be activated; the MME then calculates the initial key KeNB from the base key Kasme in the mapped 4G security context received from the AMF of the 5G core network and a fixed NAS COUNT value, such as 2^32 - 1 or 0.
Here, other reasons for activating the user plane may be that the MME has already received a Downlink Data Notification from the SGW, that a dedicated bearer is being activated, and so on; the local configuration of the MME may be a switch, for example whether activating the user plane during the TAU procedure is supported.
Step 203: The MME carries the calculated initial key KeNB in an Initial Context Setup Request and sends it to the E-UTRAN.
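The derivation of steps 102 and 202 written out end to end, as an added Python example that is not code from the patent or from ZTE. It assumes the standard 3GPP KeNB derivation (TS 33.401 Annex A.3 on top of the generic KDF of TS 33.220 Annex B.2: HMAC-SHA-256 over FC = 0x11, the 4-byte uplink NAS COUNT as P0 and its 2-byte length), which the page does not spell out. The Kasme value, the `active_flag` / `user_plane_required` parameters and all function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Function code for KeNB derivation (3GPP TS 33.401 Annex A.3).
FC_KENB = 0x11

# The two fixed uplink NAS COUNT values the page names (claim 8, steps 102/202).
NAS_COUNT_FIXED_MAX = 2**32 - 1
NAS_COUNT_FIXED_ZERO = 0


def kdf_input_string(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B.2).
    Each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S)."""
    return hmac.new(key, kdf_input_string(fc, *params), hashlib.sha256).digest()


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """KeNB = KDF(Kasme, 0x11 || NAS COUNT(4 bytes) || 0x00 0x04)."""
    if len(kasme) != 32:
        raise ValueError("Kasme must be 256 bits")
    if not 0 <= uplink_nas_count <= 2**32 - 1:
        raise ValueError("uplink NAS COUNT must fit in 32 bits")
    return kdf(kasme, FC_KENB, uplink_nas_count.to_bytes(4, "big"))


def mme_initial_kenb(kasme_mapped: bytes, active_flag: bool,
                     user_plane_required: bool,
                     fixed_count: int = NAS_COUNT_FIXED_MAX):
    """MME side of steps 101-103 / 201-203.

    Returns the KeNB to carry in the Initial Context Setup Request, or None
    when neither the Active Flag nor a local trigger (switch, DDN from the
    SGW, dedicated bearer activation; modelled here as user_plane_required)
    asks for user-plane activation, so no KeNB has to be sent.
    """
    if not (active_flag or user_plane_required):
        return None
    return derive_kenb(kasme_mapped, fixed_count)


def ue_initial_kenb(kasme_mapped: bytes,
                    fixed_count: int = NAS_COUNT_FIXED_MAX) -> bytes:
    """UE side: it must use the same agreed fixed value, not the live NAS
    COUNT of the TAU Request it just sent, or the AS keys diverge."""
    return derive_kenb(kasme_mapped, fixed_count)


# Constructed 256-bit mapped Kasme for the demonstration (not a real key).
KASME_MAPPED = bytes(range(32))

if __name__ == "__main__":
    mme = mme_initial_kenb(KASME_MAPPED, active_flag=True, user_plane_required=False)
    ue = ue_initial_kenb(KASME_MAPPED)
    print("KeNB (MME):", mme.hex())
    print("UE and MME agree:", mme == ue)
    # The failure the page is guarding against: the UE deriving from its live
    # TAU uplink NAS COUNT (say 7) while the MME uses the fixed value.
    print("mismatch if UE uses live count:", derive_kenb(KASME_MAPPED, 7) != mme)
```

One consequence worth checking in a deployment: because the count input is constant, the only freshness in KeNB comes from the mapped Kasme itself, so two Initial Context Setup Requests built from the same mapped Kasme carry the same KeNB. Whatever produces the mapped context on the AMF side therefore has to change it for every inter-system move.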
The embodiments of the present application provide a key generation method and apparatus, a computer-readable storage medium and an MME, which ensure that the UE and the MME generate a consistent key and thereby safeguard the UE's successful transition from 5G to 4G.
By setting the NAS COUNT used to generate the initial key KeNB to a fixed value, the embodiments of the present application can still generate the initial key KeNB when no usable uplink NAS COUNT is available, and guarantee that the UE and the MME generate the same KeNB, safeguarding the UE's successful transition from 5G to 4G.
The above are only some examples of the present application and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the scope and principles of the present application shall be included in its scope of protection.

Claims (11)

  1. A key generation method, comprising:
    a mobility management entity MME generating an initial key KeNB using an uplink non-access stratum count NAS COUNT with a fixed value.
  2. The key generation method according to claim 1, wherein the MME generating the initial key KeNB using an uplink NAS COUNT with a fixed value comprises:
    the MME generating the initial key KeNB from a base key Kasme and the uplink NAS COUNT with the fixed value; wherein the base key Kasme comes from the mapped fourth-generation mobile communication (4G) security context provided by the Access and Mobility Management Function (AMF) of the fifth-generation mobile communication (5G) core network.
  3. The key generation method according to claim 1, further comprising, before the step of generating the initial key KeNB:
    the MME determining that it needs to send an Initial Context Setup Request carrying the initial key KeNB.
  4. The key generation method according to claim 3, wherein the MME determining that it needs to send an Initial Context Setup Request carrying the initial key KeNB comprises:
    the MME learning that a user equipment UE is performing a tracking area update from 5G to 4G, and determining that the UE has uplink data or uplink signalling to send.
  5. The key generation method according to claim 4, wherein determining that the UE has uplink data or uplink signalling to send comprises:
    the MME receiving from the UE a tracking area update TAU Request message carrying an Active Flag.
  6. The key generation method according to claim 3, wherein the MME determining that it needs to send an Initial Context Setup Request carrying the initial key KeNB comprises:
    the MME learning that a user equipment UE is performing a tracking area update TAU from 5G to 4G, and determining that the user plane needs to be activated.
  7. The key generation method according to claim 6, wherein determining that the user plane needs to be activated comprises:
    the MME determining, according to its local configuration or for other reasons, that the user plane needs to be activated.
  8. The method according to any one of claims 1 to 7, wherein the uplink NAS COUNT with a fixed value is 2^32 - 1 or 0.
  9. A computer-readable storage medium storing computer-executable instructions, wherein the computer-executable instructions are used to execute the key generation method according to any one of claims 1 to 8.
  10. An apparatus for implementing key generation, comprising a processor and a memory, wherein the memory stores a computer program that can run on the processor and that is used to execute the steps of the key generation method according to any one of claims 1 to 8.
  11. A mobility management entity MME, comprising the apparatus for implementing key generation according to claim 10.
PCT/CN2020/112842 2019-09-02 2020-09-01 Key generation method and apparatus, computer-readable storage medium and mme WO2021043130A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910835444.X 2019-09-02
CN201910835444.XA CN112533198A (en) 2019-09-02 2019-09-02 Key generation method and device and MME

Publications (1)

Publication Number Publication Date
WO2021043130A1 true WO2021043130A1 (en) 2021-03-11

Family

ID=74852433

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/112842 WO2021043130A1 (en) 2019-09-02 2020-09-01 Key generation method and apparatus, computer-readable storage medium and mme

Country Status (2)

Country Link
CN (1) CN112533198A (en)
WO (1) WO2021043130A1 (en)

Also Published As

Publication number Publication date
CN112533198A (en) 2021-03-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20859799

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20859799

Country of ref document: EP

Kind code of ref document: A1
