[go: up one dir, main page]

CN101309503A - Wireless handover method, base station and terminal - Google Patents

Wireless handover method, base station and terminal Download PDF

Info

Publication number
CN101309503A
CN101309503A CNA2007101033727A CN200710103372A CN101309503A CN 101309503 A CN101309503 A CN 101309503A CN A2007101033727 A CNA2007101033727 A CN A2007101033727A CN 200710103372 A CN200710103372 A CN 200710103372A CN 101309503 A CN101309503 A CN 101309503A
Authority
CN
China
Prior art keywords
base station
terminal
information
source base
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2007101033727A
Other languages
Chinese (zh)
Inventor
徐小英
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNA2007101033727A priority Critical patent/CN101309503A/en
Publication of CN101309503A publication Critical patent/CN101309503A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

本发明涉及无线通信领域,公开了一种无线切换方法、基站及终端,提高了终端在进行无线切换时的安全性。本发明中,目标基站对安全信息和终端能力信息进行独立于源基站的加密,将加密后的信息通过该源基站发送到终端,该终端在所收到的终端能力信息与该终端能力匹配时,使用所收到的安全信息切换到目标基站。可以预先在源基站中存放目标基站的伪密钥,源基站在切换请求中携带目标基站的伪密钥给目标基站,目标基站对伪密钥进行解密得到与终端的共享密钥。目标基站也可以在收到切换请求时直接向MME获取与终端的共享密钥。

The invention relates to the field of wireless communication, discloses a wireless switching method, a base station and a terminal, and improves the security of the terminal when performing wireless switching. In the present invention, the target base station encrypts the security information and terminal capability information independently of the source base station, and sends the encrypted information to the terminal through the source base station. When the terminal capability information received matches the terminal capability , using the received security information to switch to the target base station. The pseudo key of the target base station can be stored in the source base station in advance, the source base station carries the pseudo key of the target base station to the target base station in the handover request, and the target base station decrypts the pseudo key to obtain the shared key with the terminal. The target base station may also directly obtain the shared key with the terminal from the MME when receiving the handover request.

Description

无线切换方法、基站及终端 Wireless handover method, base station and terminal

技术领域 technical field

本发明涉及无线通信领域,特别涉及切换技术。The invention relates to the field of wireless communication, in particular to switching technology.

背景技术 Background technique

随着通信的逐步发展,人们对于移动通信的要求愈来愈高,现有的第三代合作伙伴项目(3rd Generation Partnership Project,简称“3GPP”)的网络构架和协议已经无法满足用户对于移动通信的高要求,于是3GPP提出了一种服务于未来通信需求的演进网络的概念。With the gradual development of communication, people's requirements for mobile communication are getting higher and higher, and the existing network architecture and protocols of the 3rd Generation Partnership Project (3GPP for short) can no longer meet the needs of users for mobile communication. Therefore, 3GPP proposed a concept of an evolved network that serves future communication requirements.

为了保证未来10年以至更久的时间内3GPP系统的竞争力,特别是为了加强3GPP系统处理快速增长的IP数据业务的能力,3GPP从2004年下半年开始启动了长期演进(Long Term Evolution,简称“LTE”)项目,以及系统架构演进(System Architecture Evolution,简称“SAE”)项目。In order to ensure the competitiveness of the 3GPP system in the next 10 years or even longer, especially to strengthen the ability of the 3GPP system to handle the rapidly growing IP data services, 3GPP started the Long Term Evolution (LTE) from the second half of 2004 "LTE") project, and the System Architecture Evolution ("SAE") project.

LTE演进系统由三部分组成:演进无线接入网(Evolved Radio AccessNetwork,简称“E-RAN”)、演进分组核心网(Evolved Packet Core,简称“EPC”)和终端。The LTE evolution system consists of three parts: Evolved Radio Access Network (Evolved Radio Access Network, referred to as "E-RAN"), Evolved Packet Core Network (Evolved Packet Core, referred to as "EPC") and terminals.

其中,演进分组核心网中主要包括:移动管理实体(Mobility ManagementEntity,简称“MME”)、用户面实体(User Plane Entity,简称“UPE”)、3GPP锚点(3GPP Anchor)和分组数据网接入网关(Packet Data NetworkGateway,简称“PDN GW”)。Among them, the evolved packet core network mainly includes: Mobility Management Entity (MME for short), User Plane Entity (UPE for short), 3GPP Anchor (3GPP Anchor) and packet data network access Gateway (Packet Data Network Gateway, referred to as "PDN GW").

演进无线接入网主要包括演进后的基站(eNB)。终端通过演进后的基站(下文简称基站)接入核心网。在LTE系统中,终端在移动的过程中,同样需要在基站间进行切换。并且,由于在LTE系统里基站比较容易受到攻击,从而变得不安全,所以在LTE系统中,终端在基站间进行切换的过程中,需要对终端和基站间、以及进行切换的基站间相互传递的信息进行保护,增强基站间的安全独立性。LTE系统中涉及安全的网元如图1所示,这些网元组成两个安全层:安全层1和安全层2。并且,这些网元间的接口,如基站间的Xu接口、X2接口、以及基站与MME和UPE间的S1-C、S1-U接口均对安全都存在需求。The evolved radio access network mainly includes an evolved base station (eNB). The terminal accesses the core network through the evolved base station (hereinafter referred to as the base station). In the LTE system, the terminal also needs to switch between base stations when it is moving. In addition, since the base station is relatively vulnerable to attacks in the LTE system, it becomes insecure. Therefore, in the LTE system, during the handover process of the terminal between the base stations, it is necessary to transmit information between the terminal and the base station, and between the handover base stations. The information is protected and the security independence between base stations is enhanced. The security-related network elements in the LTE system are shown in Figure 1. These network elements form two security layers: security layer 1 and security layer 2. Moreover, the interfaces between these network elements, such as the Xu interface and X2 interface between the base stations, and the S1-C and S1-U interfaces between the base station and the MME and UPE all have security requirements.

在现有技术一中,终端从源基站切换到目标基站的流程如图2所示。In prior art 1, the flow of handover of a terminal from a source base station to a target base station is shown in FIG. 2 .

在步骤201中,源基站向终端发送测量控制消息。In step 201, the source base station sends a measurement control message to the terminal.

在步骤202中,终端向源基站发送测量报告。In step 202, the terminal sends a measurement report to the source base station.

在步骤203中,当源基站收到的测量报告达到门限值时,源基站根据测量报告决定向目标基站发起切换操作。In step 203, when the measurement report received by the source base station reaches a threshold value, the source base station decides to initiate a handover operation to the target base station according to the measurement report.

在步骤204中,源基站向目标基站发送切换请求,在该请求消息中包含终端能力和密钥等信息。密钥可以是源基站当前和终端共享的密钥,也可以是从该当前的共享密钥派生出的密钥,或者是由MME新派生的密钥。In step 204, the source base station sends a handover request to the target base station, and the request message includes information such as terminal capabilities and keys. The key may be a key currently shared by the source base station with the terminal, or a key derived from the current shared key, or a key newly derived by the MME.

在步骤205中,目标基站收到该切换请求后,进行准入控制,判断该终端是否能够切换到本基站,如果允许该终端切换到本基站,则进入步骤206。In step 205, after receiving the handover request, the target base station performs admission control to determine whether the terminal can be handed over to the base station, and if the terminal is allowed to handover to the base station, the process proceeds to step 206.

在步骤206中,目标基站根据终端的能力选择安全算法等内容组成上下文(CONTEXT),并通过X2接口向源基站发送切换请求确认消息,将该包含安全算法的CONTEXT携带在该切换请求确认消息中发送到源基站。该发送过程可能通过X2的安全保护。In step 206, the target base station selects content such as a security algorithm according to the capabilities of the terminal to form a context (CONTEXT), and sends a handover request confirmation message to the source base station through the X2 interface, and carries the CONTEXT containing the security algorithm in the handover request confirmation message sent to the source base station. The sending process may pass the security protection of X2.

在步骤207中,源基站向终端发送切换命令,将目标基站所选择的安全算法、以及其他目标基站需要通知终端的指示信息(如相关安全参数)携带在该切换命令中转发到终端。源基站和终端间用当前的密钥和算法保护。另外,源基站还可以将缓存的属于该终端的数据包、以及当前正发送给该终端的数据包转发给该目标基站,由目标基站发送这些数据包。In step 207, the source base station sends a handover command to the terminal, and forwards the security algorithm selected by the target base station and other indication information (such as relevant security parameters) that the target base station needs to notify the terminal to the terminal in the handover command. The current key and algorithm are used for protection between the source base station and the terminal. In addition, the source base station may also forward the cached data packets belonging to the terminal and data packets currently being sent to the terminal to the target base station, and the target base station sends these data packets.

在步骤208中,终端收到切换命令后,从源基站上断开,并与目标基站建立上行同步。In step 208, after receiving the handover command, the terminal disconnects from the source base station and establishes uplink synchronization with the target base station.

在步骤209中,目标基站向终端发送上行资源分配和时间提前量。In step 209, the target base station sends uplink resource allocation and timing advance to the terminal.

在步骤210中,收到目标基站的上行资源分配和时间提前量后,向目标基站发送切换确认消息。从这个消息开始包括这个消息的发送,可以开始使用目标基站和终端商定的密钥和算法对两者之间发送的信息进行保护。In step 210, after receiving the uplink resource allocation and timing advance of the target base station, a handover confirmation message is sent to the target base station. Starting from this message including the sending of this message, the key and algorithm agreed upon by the target base station and the terminal can be used to protect the information sent between the two.

在步骤211中,目标基站向核心网MME发送切换完成消息。In step 211, the target base station sends a handover completion message to the core network MME.

在步骤212中,MME向目标基站发送切换完成确认消息。In step 212, the MME sends a handover completion confirmation message to the target base station.

在步骤213中,目标基站收到该切换完成确认消息后,向源基站发送无线资源释放消息,通知源基站释放资源。In step 213, after receiving the handover completion confirmation message, the target base station sends a radio resource release message to the source base station, notifying the source base station to release resources.

在步骤214中,源基站把未向终端发送的下行数据转发给目标基站,并在转发完毕后释放为该终端分配的无线资源。In step 214, the source base station forwards the downlink data not sent to the terminal to the target base station, and releases the radio resources allocated for the terminal after the forwarding is completed.

在上述流程中,涉及目标基站和终端建立安全参数关联的相关步骤是步骤204、206、207和210。当终端完成切换后与目标基站发起通信时,在终端和目标基站间已经获得一个共享会话密钥。在上述流程中终端和目标基站的共享密钥可根据该终端和源基站间已经存在的共享密钥生成;或者,如果MME参与切换,目标基站也可从MME里获得一个与终端共享的新密钥。比如说,终端正和基站1通信,并和基站1共享一个密钥,如果终端切换到基站2,则终端和基站2可以通过使用和基站1共享的密钥来派生一个共享密钥。即终端和基站2的共享密钥是由终端和基站1的共享密钥派生出来。由终端和源基站间已经存在的共享密钥派生出终端和目标基站的共享密钥方法可以包括图3所示的三种方法:即源密钥(终端和源基站间的共享密钥)和目标密钥(终端和目标基站间的共享密钥)由同一个根密钥派生出来;或者,由根密钥派生源密钥,源密钥派生出目标密钥;或者,直接使用源密钥作为目标密钥。In the above process, the relevant steps involving the establishment of security parameter association between the target base station and the terminal are steps 204 , 206 , 207 and 210 . When the terminal initiates communication with the target base station after completing the handover, a shared session key has been obtained between the terminal and the target base station. In the above process, the shared key between the terminal and the target base station can be generated based on the existing shared key between the terminal and the source base station; or, if the MME participates in the handover, the target base station can also obtain a new key shared with the terminal from the MME. key. For example, the terminal is communicating with base station 1 and shares a key with base station 1. If the terminal switches to base station 2, the terminal and base station 2 can derive a shared key by using the key shared with base station 1. That is, the shared key of the terminal and base station 2 is derived from the shared key of the terminal and base station 1 . The method of deriving the shared key between the terminal and the target base station from the existing shared key between the terminal and the source base station may include three methods shown in FIG. 3: the source key (the shared key between the terminal and the source base station) and The target key (the shared key between the terminal and the target base station) is derived from the same root key; or, the source key is derived from the root key, and the source key derives the target key; or, the source key is directly used as the target key.

然而,本发明的发明人发现,在上述情况下,如果基站1(即源基站)是有安全隐患的,则基站2(即目标基站)的密钥也会受到影响变得不安全。这就是在终端切换到其他基站时可能会发生的domino效应。具体可能存在如下问题:However, the inventors of the present invention found that in the above situation, if the base station 1 (ie, the source base station) has security risks, the key of the base station 2 (ie, the target base station) will also be affected and become insecure. This is the domino effect that can occur when a terminal is handed over to another base station. Specifically, the following problems may exist:

1)如果源基站被攻击者控制,则可能发生源基站篡改终端的能力,导致终端切换后使用弱安全算法或不使用安全算法,导致BIDDING DOWN(安全降级)攻击。1) If the source base station is controlled by an attacker, the ability of the source base station to tamper with the terminal may occur, causing the terminal to use a weak security algorithm or not use a security algorithm after switching, resulting in a BIDDING DOWN (security downgrade) attack.

2)如果X2接口有安全隐患,可能被攻击者篡改X2接口上交换的信令,同样可能导致终端切换后使用弱安全算法或不使用安全算法,导致BIDDINGDOWN(安全降级)攻击。2) If the X2 interface has a security risk, the attacker may tamper with the signaling exchanged on the X2 interface, which may also cause the terminal to use a weak security algorithm or not use a security algorithm after switching, resulting in a BIDDINGDOWN (security downgrade) attack.

现有技术二在现有技术一的基础上进行了改进,主要步骤如下。The second prior art is improved on the basis of the first prior art, and the main steps are as follows.

步骤1:在源基站向目标基站发送切换请求消息时,在该切换请求消息里包含终端和目标基站共享的会话密钥内容(Session Key Context,简称“SKC”)。SKC是由IDBSV,EK_SN-C_BSV{SKUEk_BSV,KCT},MACK_SN-C_BSV三个成员组成的,IDBSV是指目标基站的标识,EK_SN-C_BSV是核心网给目标基站与终端共享的密钥,KCT是源基站和目标基站共享密钥,MACK_SN-C_BSV是核心网和目标基站间的消息鉴权码。Step 1: When the source base station sends a handover request message to the target base station, the handover request message includes the session key content (Session Key Context, referred to as "SKC") shared by the terminal and the target base station. SKC is composed of three members: IDBSV, EK_SN-C_BSV{SKUEk_BSV, KCT}, and MACK_SN-C_BSV. IDBSV refers to the identity of the target base station, EK_SN-C_BSV is the key shared by the core network with the target base station and the terminal, and KCT is the source The base station and the target base station share a secret key, and MACK_SN-C_BSV is the message authentication code between the core network and the target base station.

步骤2:目标基站向源基站响应切换确认时,传递所选择的安全算法等指示终端的信息。在传送到源基站时可能采用KCT进行保护。Step 2: When the target base station responds to the source base station with a handover confirmation, it transmits information indicating the terminal such as the selected security algorithm. KCT may be used for protection when transmitting to the source base station.

步骤3:源基站转发目标基站的算法以及相关安全参数等信息到终端,源基站和终端间用当前的密钥和算法保护。Step 3: The source base station forwards the target base station's algorithm and related security parameters to the terminal, and the source base station and the terminal are protected by the current key and algorithm.

步骤4:终端发送切换确认到目标基站。Step 4: The terminal sends a handover confirmation to the target base station.

然而,本发明的发明人发现,在上述切换方法中,如果源基站被攻击者控制,源基站可能修改终端的能力,同样会导致终端切换后使用弱安全算法或不使用安全算法,导致BIDDING DOWN攻击。However, the inventors of the present invention have found that in the above handover method, if the source base station is controlled by an attacker, the source base station may modify the capabilities of the terminal, which will also cause the terminal to use a weak security algorithm or not use a security algorithm after handover, resulting in BIDDING DOWN attack.

发明内容 Contents of the invention

本发明实施方式要解决的主要技术问题是提供一种无线切换方法、基站及终端,使得终端在进行无线切换时安全性得到提高。The main technical problem to be solved by the embodiments of the present invention is to provide a wireless handover method, a base station and a terminal, so that the security of the terminal is improved when performing wireless handover.

为解决上述技术问题,本发明的实施方式提供了一种无线切换方法,应用于在基站中对信令和/或用户数据进行安全保护处理的无线通信系统,包括以下步骤:In order to solve the above technical problems, the embodiment of the present invention provides a wireless handover method, which is applied to a wireless communication system for performing security protection processing on signaling and/or user data in a base station, including the following steps:

目标基站对安全信息和终端能力信息进行独立于源基站的加密,将加密后的信息通过该源基站发送到终端;The target base station encrypts the security information and terminal capability information independently of the source base station, and sends the encrypted information to the terminal through the source base station;

该终端在所收到的终端能力信息与该终端能力匹配时,使用所收到的安全信息切换到目标基站。When the received terminal capability information matches the terminal capability, the terminal uses the received security information to switch to the target base station.

本发明的实施方式还提供了一种基站,包括安全保护单元,用于对信令和/或用户数据进行安全保护处理,包括:Embodiments of the present invention also provide a base station, including a security protection unit, configured to perform security protection processing on signaling and/or user data, including:

加密单元,用于对要切换到本基站的终端的终端能力信息和安全保护单元需要使用的安全信息进行独立于源基站的加密;The encryption unit is used to encrypt the terminal capability information of the terminal to be handed over to the base station and the security information to be used by the security protection unit independently of the source base station;

发送单元,用于将经加密单元加密后的信息通过源基站发送到终端。The sending unit is configured to send the information encrypted by the encryption unit to the terminal through the source base station.

本发明的实施方式还提供了一种终端,包括:Embodiments of the present invention also provide a terminal, including:

接收单元,用于接收源自目标基站的安全信息和终端能力信息;a receiving unit, configured to receive security information and terminal capability information from the target base station;

解密单元,用于对接收单元收到的安全信息和终端能力信息以独立于源基站的方式进行解密;a decryption unit, configured to decrypt the security information and terminal capability information received by the receiving unit in a manner independent of the source base station;

比较单元,用于比较解密单元得到的终端能力信息与本终端能力;A comparison unit, configured to compare the terminal capability information obtained by the decryption unit with the terminal capability;

处理单元,用于在比较单元判定终端能力信息与本终端能力匹配时,使用解密单元得到的安全信息进行向目标基站切换的处理。The processing unit is configured to use the security information obtained by the decryption unit to perform handover processing to the target base station when the comparison unit judges that the terminal capability information matches the terminal capability.

本发明实施方式与现有技术相比,主要区别及其效果在于:Compared with the prior art, the embodiment of the present invention has the main difference and its effects in that:

目标基站对需要由源基站转发的信息以独立于源基站的方式进行加密,从而有效地防止了被恶意控制的源基站对相关信息进行篡改;目标基站将从源基站得到的终端能力信息加密后发送到终端,终端对收到的终端能力信息和自身能力进行比较,可以知道目标基站得到的终端能力信息是否曾被篡改,从而可以在终端能力信息被篡改时采取针对性的措施,有效地提高了终端在无线切换时的安全性。The target base station encrypts the information that needs to be forwarded by the source base station in a manner independent of the source base station, thereby effectively preventing the maliciously controlled source base station from tampering with relevant information; the target base station encrypts the terminal capability information obtained from the source base station After sending to the terminal, the terminal compares the received terminal capability information with its own capability, and can know whether the terminal capability information obtained by the target base station has been tampered with, so that it can take targeted measures when the terminal capability information has been tampered with, effectively improving It improves the security of the terminal during wireless switching.

附图说明 Description of drawings

图1是现有技术中在LTE系统中涉及安全的网元的示意图;FIG. 1 is a schematic diagram of security-related network elements in an LTE system in the prior art;

图2是现有技术中终端从源基站切换到目标基站的流程图;FIG. 2 is a flowchart of a handover of a terminal from a source base station to a target base station in the prior art;

图3是现有技术中源基站和目标基站间切换时密钥派生的三种可选方案示意图;FIG. 3 is a schematic diagram of three alternative schemes for key derivation when switching between a source base station and a target base station in the prior art;

图4是根据本发明第一实施方式的无线切换方法流程图;FIG. 4 is a flowchart of a wireless handover method according to a first embodiment of the present invention;

图5是根据本发明第二实施方式的无线切换方法流程图;5 is a flowchart of a wireless handover method according to a second embodiment of the present invention;

图6是根据本发明第四实施方式的无线切换系统结构图。Fig. 6 is a structural diagram of a wireless handover system according to a fourth embodiment of the present invention.

具体实施方式 Detailed ways

为使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明的实施方式作进一步地详细描述。In order to make the purpose, technical solution and advantages of the present invention clearer, the following will further describe the implementation of the present invention in detail in conjunction with the accompanying drawings.

本发明第一实施方式涉及一种无线切换方法,应用于在基站中对信令和/或用户数据进行安全保护处理的无线通信系统,如LTE系统。The first embodiment of the present invention relates to a wireless handover method, which is applied to a wireless communication system, such as an LTE system, in which a base station performs security protection processing on signaling and/or user data.

具体流程如图4所示。在步骤401中,源基站根据终端发送的测量报告,决定发起切换。The specific process is shown in Figure 4. In step 401, the source base station decides to initiate handover according to the measurement report sent by the terminal.

在步骤402中,源基站向目标基站发送切换请求消息,在该切换请求消息中携带预先从MME获得的目标基站的伪密钥、以及终端的能力信息等。In step 402, the source base station sends a handover request message to the target base station, and the handover request message carries the pseudo-key of the target base station obtained from the MME in advance, the capability information of the terminal, and the like.

具体地说,伪密钥是指经加密的基站密钥(即该基站与终端之间的共享密钥),只能由该密钥所属的基站解密获得。在本实施方式中,MME在向源基站下发密钥的同时携带该源基站的相邻基站的伪密钥。在本步骤中,源基站在确定将终端切换到哪一个相邻基站后,即确定目标基站后,将属于该目标基站的伪密钥、以及该终端的能力信息携带在切换请求消息中发给该目标基站。可见,在本实施方式中,源基站并不能解密该伪密钥,获得目标基站的密钥,从而该目标基站的密钥的安全性得到了更好的保障。Specifically, the pseudo-key refers to the encrypted base station key (that is, the shared key between the base station and the terminal), which can only be obtained by deciphering the base station to which the key belongs. In this embodiment, the MME carries the pseudo key of the neighboring base station of the source base station while delivering the key to the source base station. In this step, after the source base station determines which adjacent base station to handover the terminal to, that is, after determining the target base station, it carries the pseudo key belonging to the target base station and the capability information of the terminal in the handover request message and sends it to the target base station. It can be seen that in this implementation manner, the source base station cannot decrypt the fake key to obtain the key of the target base station, so the security of the key of the target base station is better guaranteed.

在步骤403中,目标基站收到该切换请求消息后,从中获取本基站的伪密钥,对该伪密钥进行解密获得本目标基站与终端的共享密钥,同时,目标基站根据该终端的能力选择安全算法。In step 403, after receiving the handover request message, the target base station obtains the pseudo key of the base station, and decrypts the pseudo key to obtain the shared key between the target base station and the terminal. Ability to choose a security algorithm.

在步骤404中,目标基站使用该共享密钥(即该目标基站与终端间的共享密钥)对安全信息和终端的能力信息进行加密和/或完整性保护。这里的安全信息包括目标基站所选择的安全算法。In step 404, the target base station uses the shared key (that is, the shared key between the target base station and the terminal) to encrypt and/or integrity protect the security information and the capability information of the terminal. The security information here includes the security algorithm selected by the target base station.

确切地说,本步骤即是把目标基站需要传送到终端的而源基站无需解析的部分或者全部内容使用该共享密钥进行加密和/或完整性保护,这里所说的内容包括安全算法和终端的能力信息或者无线资源控制(Radio ResourceController,简称“RRC”)CONTAINER(RRC容器)等。To be precise, this step is to use the shared key to encrypt and/or integrity protect part or all of the content that the target base station needs to transmit to the terminal but that the source base station does not need to parse. The content mentioned here includes security algorithms and terminal Capability information or radio resource control (Radio Resource Controller, "RRC") CONTAINER (RRC container), etc.

由于该共享密钥是终端可知而源基站不可知的,因此,通过使用该共享密钥,对需要传送给终端而源基站无需解析的部分或全部内容进行加密和/或完整性保护,可以确保这部分内容在之后的转发过程中无法被源基站所篡改,从而即使在源基站被攻击者控制的情况下,也不会导致BIDDING DOWN攻击。Since the shared key is known by the terminal but not known by the source base station, by using the shared key to encrypt and/or integrity-protect some or all of the content that needs to be transmitted to the terminal but does not need to be parsed by the source base station, it can ensure This part of the content cannot be tampered with by the source base station during the subsequent forwarding process, so even if the source base station is controlled by the attacker, it will not cause a BIDDING DOWN attack.

在步骤405中,目标基站将加密后的安全信息和终端的能力信息通过基站间的X2接口发送给源基站,在该发送的过程中受到X2的安全协议的保护。In step 405, the target base station sends the encrypted security information and terminal capability information to the source base station through the X2 interface between the base stations, and is protected by the X2 security protocol during the sending process.

在步骤406中,源基站向该终端发送切换命令,将该加密后的终端的安全信息和能力信息携带在该切换命令中发送给终端。In step 406, the source base station sends a handover command to the terminal, carries the encrypted security information and capability information of the terminal in the handover command and sends it to the terminal.

在步骤407中,终端收到该切换命令后,根据目标基站的标识等信息从本地的根密钥派生出本终端与该目标基站的共享密钥,使用该派生出的共享密钥对收到的信息进行解密,得到目标基站发送给本终端的安全信息和终端能力信息,并比较解密得到的终端能力信息和本终端能力,如果解密得到的终端能力信息与本终端能力匹配,则进入步骤408;反之,如果不匹配则进入步骤409。In step 407, after receiving the handover command, the terminal derives the shared key between the terminal and the target base station from the local root key according to information such as the identity of the target base station, and uses the derived shared key to pair the received Decrypt the information to obtain the security information and terminal capability information sent by the target base station to the terminal, and compare the decrypted terminal capability information with the terminal capability, if the decrypted terminal capability information matches the terminal capability, go to step 408 ; Conversely, if it does not match, go to step 409.

在步骤408中,终端使用解密得到的安全信息切换到该目标基站。具体地说,终端可以使用该共享密钥、以及解密得到的安全算法向目标基站发送切换确认消息;目标基站收到后,同样使用该共享密钥和安全算法向该终端返回切换完成消息,并向MME发送终端位置更新消息。In step 408, the terminal uses the decrypted security information to switch to the target base station. Specifically, the terminal can use the shared key and the decrypted security algorithm to send a handover confirmation message to the target base station; after receiving it, the target base station also uses the shared key and the security algorithm to return a handover completion message to the terminal, and Send a terminal location update message to the MME.

在步骤409中,解密得到的终端能力信息与本终端能力不匹配,终端通知源基站切换失败,通知中携带表示收到的终端能力信息与实际终端能力不匹配的失败原因信息。In step 409, the decrypted terminal capability information does not match the terminal capability, and the terminal notifies the source base station of handover failure, and the notification carries failure reason information indicating that the received terminal capability information does not match the actual terminal capability.

在步骤410中,源基站收到该切换失败的通知后,重新向目标基站发送切换请求消息。In step 410, after receiving the notification of the handover failure, the source base station resends a handover request message to the target base station.

可以看出,在本实施方式中,目标基站对需要由源基站转发的信息均是以独立于源基站的方式进行加密,从而有效地防止了被恶意控制的源基站对相关信息进行篡改;目标基站将从源基站得到的终端能力信息加密后发送到终端,终端对收到的终端能力信息和自身能力进行比较,可以知道目标基站得到的终端能力信息是否曾被篡改,从而可以在终端能力信息被篡改时采取针对性的措施,有效地提高了终端在无线切换时的安全性。It can be seen that in this embodiment, the target base station encrypts the information that needs to be forwarded by the source base station in a manner independent of the source base station, thereby effectively preventing the maliciously controlled source base station from tampering with relevant information; The base station encrypts the terminal capability information obtained from the source base station and sends it to the terminal. The terminal compares the received terminal capability information with its own capability to know whether the terminal capability information obtained by the target base station has been tampered with. Taking targeted measures when tampered with effectively improves the security of the terminal during wireless switching.

本发明第二实施方式同样涉及一种无线切换方法,与第一实施方式大致相同,其区别在于,在第一实施方式中,预先在源基站中存放目标基站的伪密钥,源基站在发送切换请求时,将该目标基站的伪密钥携带在该切换请求中发送给目标基站,目标基站对伪密钥进行解密得到与终端的共享密钥,这种方式使目标基站不需要在切换时专门向MME获取与终端的共享密钥,减少了消息交互,缩短了切换的时延;而在本实施方式中,目标基站在收到切换请求时直接向MME获取与终端的共享密钥,因为是直接获取,减少了共享密钥经不可靠的源基站转发而被破解的可能性。The second embodiment of the present invention also relates to a wireless handover method, which is roughly the same as the first embodiment. The difference is that in the first embodiment, the pseudo key of the target base station is stored in the source base station in advance, and the source base station transmits When a handover request is made, the pseudo-key of the target base station is sent to the target base station in the handover request, and the target base station decrypts the pseudo-key to obtain a shared key with the terminal. In this way, the target base station does not need to Specifically obtain the shared key with the terminal from the MME, which reduces message interaction and shortens the handover delay; and in this embodiment, the target base station directly obtains the shared key with the terminal from the MME when receiving the handover request, because It is obtained directly, which reduces the possibility of the shared key being cracked by being forwarded by an unreliable source base station.

具体流程如图5所示,在步骤501中,源基站根据终端发送的测量报告,决定发起切换。The specific process is shown in FIG. 5. In step 501, the source base station decides to initiate handover according to the measurement report sent by the terminal.

在步骤502中,源基站向目标基站发送切换请求消息,在该切换请求消息中携带终端的能力信息等。In step 502, the source base station sends a handover request message to the target base station, and the handover request message carries terminal capability information and the like.

在步骤503中,目标基站收到该切换请求消息后,从MME获取本目标基站与终端的共享密钥。In step 503, after receiving the handover request message, the target base station obtains the shared key between the target base station and the terminal from the MME.

在步骤504中,目标基站根据该终端的能力选择安全算法。In step 504, the target base station selects a security algorithm according to the capability of the terminal.

在步骤505中,目标基站使用该共享密钥(即该目标基站与终端间的共享密钥)对安全信息和终端的能力信息进行加密和/或完整性保护。这里的安全信息包括目标基站所选择的安全算法。In step 505, the target base station uses the shared key (that is, the shared key between the target base station and the terminal) to encrypt and/or integrity protect the security information and the capability information of the terminal. The security information here includes the security algorithm selected by the target base station.

本步骤中,把目标基站需要传送到终端的、而源基站无需解析的部分或者全部内容使用该共享密钥进行加密和/或完整性保护,这里所说的内容包括安全算法和终端的能力信息或者无线资源控制(Radio Resource Controller,简称“RRC”)CONTAINER(RRC容器)等。In this step, some or all of the content that the target base station needs to transmit to the terminal and that the source base station does not need to parse is encrypted and/or integrity protected using the shared key. The content mentioned here includes security algorithms and terminal capability information Or radio resource control (Radio Resource Controller, referred to as "RRC") CONTAINER (RRC container), etc.

由于该共享密钥是从MME获取的,同样是终端可知而源基站不可知的,因此,通过使用该共享密钥对需要传送给终端而源基站无需解析的部分或全部内容进行加密和/或完整性保护,可以确保这部分内容无法在之后的转发过程中被源基站所篡改,从而即使在源基站被攻击者控制的情况下,也不会导致BIDDING DOWN攻击。Since the shared key is obtained from the MME, it is also known by the terminal but not known by the source base station. Therefore, by using the shared key, some or all of the content that needs to be transmitted to the terminal but does not need to be parsed by the source base station is encrypted and/or Integrity protection can ensure that this part of the content cannot be tampered with by the source base station during the subsequent forwarding process, so that even if the source base station is controlled by the attacker, it will not cause BIDDING DOWN attacks.

步骤506至步骤511与步骤405至步骤410完全相同,在此不再赘述。Steps 506 to 511 are completely the same as steps 405 to 410 , and will not be repeated here.

本发明第三实施方式同样涉及一种无线切换方法,与第一或第二实施方式大致相同,其区别在于,在第一或第二实施方式中,目标基站通过X2接口直接将加密后的安全信息和终端的能力信息发送给源基站,由源基站转发给终端,由于目标基站与源基站之间可以直接通信,通信效率较高;而在本实施方式中,目标基站将加密后的安全信息和终端的能力信息发送到核心网中的设备,由核心网中的设备(如MME)发送到源基站,再由该源基站发送到该终端。目标基站与源基站之间也可以通过核心网的MME等设备的中转而通信,适应面更广,尤其适用于目标基站与源基站之间没有X2接口的情况,例如跨MME切换的情况。The third embodiment of the present invention also relates to a wireless handover method, which is roughly the same as the first or second embodiment, and the difference is that in the first or second embodiment, the target base station directly transfers the encrypted secure The information and the capability information of the terminal are sent to the source base station, and the source base station forwards it to the terminal. Since the target base station and the source base station can communicate directly, the communication efficiency is high; and in this embodiment, the target base station sends the encrypted security information and the capability information of the terminal is sent to the equipment in the core network, which is sent to the source base station by the equipment (such as MME) in the core network, and then sent to the terminal by the source base station. The target base station and the source base station can also communicate through the relay of MME and other equipment in the core network, which has a wider range of adaptability, and is especially suitable for situations where there is no X2 interface between the target base station and the source base station, such as cross-MME handover.

在以上几个实施方式中,均是使用目标基站与终端间的共享密钥来对需要发送给终端的安全信息和终端能力信息进行加密,需要说明的是,在上述各实施方式中,还可以使用其它终端可知而源基站不可知的密钥对该安全信息和终端能力信息进行加密,只要是以独立于源基站的方式进行加密,即可有效地防止了被恶意控制的源基站对相关信息进行篡改。In the above several embodiments, the shared key between the target base station and the terminal is used to encrypt the security information and terminal capability information to be sent to the terminal. It should be noted that in the above embodiments, it is also possible to Encrypt the security information and terminal capability information using a key known to other terminals but unknown to the source base station. As long as the encryption is independent of the source base station, it can effectively prevent the maliciously controlled source base station from accessing relevant information. tampering.

本发明第四实施方式涉及一种无线切换系统,应用于在基站中对信令和/或用户数据进行安全保护处理的无线通信系统,如LTE系统。如图6所示,该无线切换系统包括源基站、目标基站和终端。其中该目标基站包括:安全保护单元,用于对信令和/或用户数据进行安全保护处理;加密单元,用于对要切换到本基站的终端的终端能力信息和安全保护单元需要使用的安全信息进行独立于源基站的加密;发送单元,用于将经加密单元加密后的信息通过源基站发送到终端。其中,该安全信息包括安全算法。由于目标基站对需要由源基站转发的信息以独立于源基站的方式进行加密,从而有效地防止了被恶意控制的源基站对相关信息进行篡改。The fourth embodiment of the present invention relates to a wireless handover system, which is applied to a wireless communication system, such as an LTE system, that performs security protection processing on signaling and/or user data in a base station. As shown in FIG. 6, the wireless handover system includes a source base station, a target base station and a terminal. Wherein the target base station includes: a security protection unit, which is used to perform security protection processing on signaling and/or user data; The information is encrypted independently of the source base station; the sending unit is configured to send the information encrypted by the encryption unit to the terminal through the source base station. Wherein, the security information includes a security algorithm. Since the target base station encrypts the information that needs to be forwarded by the source base station in a manner independent of the source base station, it effectively prevents the maliciously controlled source base station from tampering with relevant information.

该发送单元可以直接将加密后的信息通过X2接口发送到源基站,通过源基站转发到该终端,该方式的通信效率较高;该发送单元也可以将加密后的信息发送到核心网中的设备(如MME),由该核心网中的设备发送到源基站,再由该源基站发送到该终端,该方式的适应面更广,尤其适用于目标基站与源基站之间没有X2接口的情况,例如跨MME切换的情况。The sending unit can directly send the encrypted information to the source base station through the X2 interface, and forward it to the terminal through the source base station. This method has high communication efficiency; the sending unit can also send the encrypted information to the core network. The equipment (such as MME) is sent by the equipment in the core network to the source base station, and then sent to the terminal by the source base station. This method has wider adaptability, especially suitable for the X2 interface between the target base station and the source base station. situation, such as the situation of inter-MME handover.

该基站还可以包括第一接收单元,用于接收来自该源基站的切换请求,该切换请求中包括本基站的伪密钥;解密单元,用于对第一接收单元收到的伪密钥进行解密,得到本基站与该终端的共享密钥;该加密单元使用该解密单元解出的共享密钥对该安全信息和终端能力信息进行加密。这种方式使目标基站不需要在切换时专门向MME获取与终端的共享密钥,减少了消息交互,缩短了切换的时延。The base station may also include a first receiving unit, configured to receive a handover request from the source base station, where the handover request includes a pseudo-key of the base station; a decryption unit, configured to decrypt the pseudo-key received by the first receiving unit Decrypt to obtain the shared key between the base station and the terminal; the encryption unit uses the shared key deciphered by the decryption unit to encrypt the security information and terminal capability information. In this manner, the target base station does not need to obtain the shared key with the terminal from the MME during handover, which reduces message interaction and shortens handover delay.

或者,该基站还可以包括第二接收单元,用于从MME获取该目标基站与该终端的共享密钥;该加密单元使用第二接收单元获取的共享密钥对安全信息和终端能力信息进行加密。通过直接获取共享密钥,减少了共享密钥经不可靠的源基站转发而被破解的可能性。Alternatively, the base station may further include a second receiving unit, configured to obtain the shared key between the target base station and the terminal from the MME; the encryption unit uses the shared key obtained by the second receiving unit to encrypt the security information and terminal capability information . By directly obtaining the shared key, the possibility of the shared key being cracked by being forwarded by an unreliable source base station is reduced.

该终端包括:接收单元,用于接收源自目标基站的安全信息和终端能力信息;解密单元,用于对接收单元收到的安全信息和终端能力信息以独立于源基站的方式进行解密;比较单元,用于比较该解密单元得到的终端能力信息与本终端能力;处理单元,用于在该比较单元判定该解密得到的终端能力信息与本终端能力匹配时,使用该解密单元得到的安全信息进行向该目标基站切换的处理。通过对收到的终端能力信息和自身能力进行比较,可以知道目标基站得到的终端能力信息是否曾被篡改,从而可以在终端能力信息被篡改时采取针对性的措施,有效地提高了终端在无线切换时的安全性。The terminal includes: a receiving unit for receiving security information and terminal capability information from the target base station; a decryption unit for decrypting the security information and terminal capability information received by the receiving unit in a manner independent of the source base station; comparing A unit for comparing the terminal capability information obtained by the decryption unit with the terminal capability; a processing unit for using the security information obtained by the decryption unit when the comparison unit determines that the terminal capability information obtained by decryption matches the terminal capability Handover to the target base station is performed. By comparing the received terminal capability information with its own capability, it is possible to know whether the terminal capability information obtained by the target base station has been tampered with, so that targeted measures can be taken when the terminal capability information has been tampered with, effectively improving the terminal's wireless security. Security when switching.

该终端还可以包括还包括密钥派生单元,用于根据目标基站的信息从本地的根密钥派生成该终端与目标基站的共享密钥;该解密单元使用密钥派生单元生成的共享密钥进行解密。The terminal may also include a key derivation unit, configured to derive a shared key between the terminal and the target base station from a local root key according to the information of the target base station; the decryption unit uses the shared key generated by the key derivation unit to decrypt.

该终端还可以包括失败通知单元,用于在该比较单元判定解密得到的终端能力信息与本终端能力不匹配时,通知源基站切换失败,该通知中可以携带表示收到的终端能力信息与实际终端能力不匹配的失败原因信息。The terminal may also include a failure notification unit, configured to notify the source base station of handover failure when the comparison unit determines that the decrypted terminal capability information does not match the terminal capability. Information about the failure reason of terminal capability mismatch.

综上所述,在本发明的实施方式中,目标基站对需要由源基站转发的信息以独立于源基站的方式进行加密,从而有效地防止了被恶意控制的源基站对相关信息进行篡改;目标基站将从源基站得到的终端能力信息加密后发送到终端,终端对收到的终端能力信息和自身能力进行比较,可以知道目标基站得到的终端能力信息是否曾被篡改,从而可以在终端能力信息被篡改时采取针对性的措施,有效地提高了终端在无线切换时的安全性。To sum up, in the embodiment of the present invention, the target base station encrypts the information that needs to be forwarded by the source base station in a manner independent of the source base station, thereby effectively preventing the maliciously controlled source base station from tampering with relevant information; The target base station encrypts the terminal capability information obtained from the source base station and sends it to the terminal. The terminal compares the received terminal capability information with its own capability to know whether the terminal capability information obtained by the target base station has been tampered with. Taking targeted measures when the information is tampered with effectively improves the security of the terminal during wireless switching.

可以预先在源基站中存放目标基站的伪密钥,源基站在切换请求中携带目标基站的伪密钥给目标基站,目标基站对伪密钥进行解密得到与终端的共享密钥。这种方式使目标基站不需要在切换时专门向MME获取与终端的共享密钥,减少了消息交互,缩短了切换的时延。The pseudo key of the target base station can be stored in the source base station in advance, the source base station carries the pseudo key of the target base station to the target base station in the handover request, and the target base station decrypts the pseudo key to obtain the shared key with the terminal. In this manner, the target base station does not need to obtain the shared key with the terminal from the MME during handover, which reduces message interaction and shortens handover delay.

目标基站也可以在收到切换请求时直接向MME获取与终端的共享密钥,因为是直接获取,减少了共享密钥经不可靠的源基站转发而被破解的可能性。The target base station can also directly obtain the shared key with the terminal from the MME when receiving the handover request, because it is obtained directly, which reduces the possibility of the shared key being cracked by being forwarded by an unreliable source base station.

目标基站与源基站之间可以通过X2接口直接通信,通信效率较高;目标基站与源基站之间也可以通过核心网的MME等设备的中转而通信,适应面更广,尤其适用于目标基站与源基站之间没有X2接口的情况,例如跨MME切换的情况。The target base station and the source base station can communicate directly through the X2 interface, and the communication efficiency is high; the target base station and the source base station can also communicate through the transfer of MME and other equipment in the core network, which has a wider range of adaptation, especially for the target base station The case where there is no X2 interface with the source base station, such as the case of inter-MME handover.

虽然通过参照本发明的某些优选实施方式,已经对本发明进行了图示和描述,但本领域的普通技术人员应该明白,可以在形式上和细节上对其作各种改变,而不偏离本发明的精神和范围。Although the present invention has been illustrated and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the present invention. The spirit and scope of the invention.

Claims (16)

1. wireless switching method is applied in the base station signaling and/or user data are carried out the wireless communication system of safe protection treatment, it is characterized in that, may further comprise the steps:
Target BS is independent of the encryption of source base station to security information and terminal ability information, and the information after encrypting is sent to terminal by described source base station;
Described terminal uses the security information of being received to switch to described target BS when the terminal ability information of being received and this terminal capability coupling.
2. wireless switching method according to claim 1 is characterized in that described wireless communication system is a long evolving system.
3. wireless switching method according to claim 2 is characterized in that, and is further comprising the steps of before the step of described encryption:
Described source base station sends handoff request to described target BS, wherein carries in advance the pseudo-key of the described target BS that obtains from mobile management entity;
The pseudo-key that described target BS carries described handoff request is decrypted, and obtains the shared key of this target BS and terminal;
In the step of described encryption, described target BS uses the shared key of described target BS and terminal that described security information and terminal ability information are encrypted.
4. wireless switching method according to claim 2 is characterized in that, and is further comprising the steps of before the step of described encryption:
Described source base station sends handoff request to described target BS,
Described target BS obtains the shared key of this target BS and described terminal from mobile management entity;
In the step of described encryption, described target BS uses the shared key of described target BS and terminal that security information and terminal ability information are encrypted.
5. wireless switching method according to claim 1, it is characterized in that, during in the terminal ability information of being received and this terminal capability coupling, use the security information of being received to switch to before the step of described target BS in described terminal, further comprising the steps of:
Described terminal derives from into the shared key of this terminal and described target BS from the root key of this locality according to the information of described target BS;
Described terminal uses derivative shared key that the information of receiving is decrypted, and obtains security information and terminal ability information;
Described terminal is relatively deciphered the terminal ability information that obtains and whether this terminal capability mates.
6. wireless switching method according to claim 5 is characterized in that, and is further comprising the steps of after described comparison step:
If described terminal ability information and described terminal capability do not match, then described terminal is notified described source base station handoff failure, carries terminal ability information and the unmatched failure cause information of physical end ability that expression is received in the notice.
7. wireless switching method according to claim 1, it is characterized in that, information after described will the encryption sends in the end step by described source base station, information after described target BS will be encrypted by and described source base station between interface send to this source base station, be forwarded to described terminal by this source base station.
8. wireless switching method according to claim 1, it is characterized in that, information after described will the encryption sends in the end step by described source base station, information after described target BS will be encrypted sends to the equipment in the core net, send to described source base station by the equipment in the core net, send to described terminal by this source base station again.
9. wireless switching method according to claim 1 is characterized in that described security information comprises security algorithm.
10. a base station comprises security protection unit, is used for signaling and/or user data are carried out safe protection treatment, it is characterized in that, comprising:
Ciphering unit is used for the terminal ability information of the terminal that will switch to this base station and security information that described security protection unit need be used are independent of the encryption of source base station;
Transmitting element is used for the information after encrypting through described ciphering unit is sent to terminal by described source base station.
11. base station according to claim 10 is characterized in that, described base station is the base station in the long evolving system.
12. base station according to claim 10 is characterized in that, also comprises first receiving element, is used to receive the handoff request from described source base station, comprises the pseudo-key of this base station in this handoff request;
Decrypting device is used for the pseudo-key that described first receiving element is received is decrypted, and obtains the shared key of this base station and described terminal;
The shared key that described ciphering unit uses described decrypting device to solve is encrypted described security information and terminal ability information.
13. base station according to claim 10 is characterized in that, also comprises second receiving element, is used for obtaining from mobile management entity the shared key of this target BS and described terminal;
The shared key that described ciphering unit uses described second receiving element to obtain is encrypted described security information and terminal ability information.
14. a terminal is characterized in that, comprising:
Receiving element is used for security information and the terminal ability information of reception sources from target BS;
Decrypting device, the security information and the terminal ability information that are used for described receiving element is received are decrypted in the mode that is independent of source base station;
Comparing unit is used for terminal ability information and this terminal capability that more described decrypting device obtains;
Processing unit is used for when described comparing unit is judged described terminal ability information and this terminal capability coupling, and the security information of using described decrypting device to obtain is carried out to described target BS switching processing.
15. terminal according to claim 14 is characterized in that, comprises that also the key derivation unit is used for deriving from into from the root key of this locality according to the information of described target BS the shared key of this terminal and described target BS;
The shared key that described decrypting device uses described key derivation unit to generate carries out described deciphering.
16. according to claim 14 or 15 described terminals, it is characterized in that, also comprise the failure notification unit, be used for when described comparing unit judges that described terminal ability information and this terminal capability do not match, notify described source base station handoff failure, carry terminal ability information and the unmatched failure cause information of physical end ability that expression is received in the notice.
CNA2007101033727A 2007-05-17 2007-05-17 Wireless handover method, base station and terminal Pending CN101309503A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101033727A CN101309503A (en) 2007-05-17 2007-05-17 Wireless handover method, base station and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007101033727A CN101309503A (en) 2007-05-17 2007-05-17 Wireless handover method, base station and terminal

Publications (1)

Publication Number Publication Date
CN101309503A true CN101309503A (en) 2008-11-19

Family

ID=40125672

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101033727A Pending CN101309503A (en) 2007-05-17 2007-05-17 Wireless handover method, base station and terminal

Country Status (1)

Country Link
CN (1) CN101309503A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010105442A1 (en) * 2009-03-20 2010-09-23 深圳华为通信技术有限公司 Method, apparatus and system for generating key evolving parameters
WO2010142185A1 (en) * 2009-06-12 2010-12-16 中兴通讯股份有限公司 Method and system for generating cipher key during switching
CN101938797A (en) * 2009-06-29 2011-01-05 大唐移动通信设备有限公司 Method, device and system for acquiring radio capability information of user equipment (UE)
WO2011085682A1 (en) * 2010-01-14 2011-07-21 中兴通讯股份有限公司 Method and system for updating air interface keys
CN102340774A (en) * 2010-07-22 2012-02-01 中兴通讯股份有限公司 A switched key distribution method and system
CN101772100B (en) * 2008-12-29 2012-03-28 中国移动通信集团公司 Key update method, device and system when base station eNB is handed over in LTE system
CN102573070A (en) * 2010-12-13 2012-07-11 中兴通讯股份有限公司 Method and system for wireless resource allocation
WO2012116599A1 (en) * 2011-03-01 2012-09-07 华为技术有限公司 Security tunnel establishing method and enb
CN103997447A (en) * 2014-05-30 2014-08-20 宇龙计算机通信科技(深圳)有限公司 Access point switching method, access point equipment and terminal
CN105027495A (en) * 2014-01-14 2015-11-04 华为技术有限公司 Key verification method, base station, user device and core network element
CN105409263A (en) * 2013-08-08 2016-03-16 诺基亚技术有限公司 Method and device for proxy algorithm identification selection
CN108270560A (en) * 2017-01-03 2018-07-10 中兴通讯股份有限公司 A kind of cipher key transmission methods and device
CN110169103A (en) * 2017-05-04 2019-08-23 华为技术有限公司 A kind of key generation method and relevant device
WO2020097819A1 (en) * 2018-11-14 2020-05-22 Oppo广东移动通信有限公司 Method and apparatus for transmitting data upon handover, chip, and computer program

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101772100B (en) * 2008-12-29 2012-03-28 中国移动通信集团公司 Key update method, device and system when base station eNB is handed over in LTE system
WO2010105442A1 (en) * 2009-03-20 2010-09-23 深圳华为通信技术有限公司 Method, apparatus and system for generating key evolving parameters
US8666078B2 (en) 2009-06-12 2014-03-04 Zte Corporation Method and system for generating cipher key during switching
WO2010142185A1 (en) * 2009-06-12 2010-12-16 中兴通讯股份有限公司 Method and system for generating cipher key during switching
CN101938797A (en) * 2009-06-29 2011-01-05 大唐移动通信设备有限公司 Method, device and system for acquiring radio capability information of user equipment (UE)
WO2011085682A1 (en) * 2010-01-14 2011-07-21 中兴通讯股份有限公司 Method and system for updating air interface keys
CN102340774A (en) * 2010-07-22 2012-02-01 中兴通讯股份有限公司 A switched key distribution method and system
CN102340774B (en) * 2010-07-22 2016-05-11 中兴通讯股份有限公司 A kind of cryptographic key distribution method of switching and system
CN102573070A (en) * 2010-12-13 2012-07-11 中兴通讯股份有限公司 Method and system for wireless resource allocation
CN102573070B (en) * 2010-12-13 2015-05-13 中兴通讯股份有限公司 Method and system for wireless resource allocation
WO2012116599A1 (en) * 2011-03-01 2012-09-07 华为技术有限公司 Security tunnel establishing method and enb
CN105409263A (en) * 2013-08-08 2016-03-16 诺基亚技术有限公司 Method and device for proxy algorithm identification selection
CN105409263B (en) * 2013-08-08 2019-04-19 诺基亚技术有限公司 The method and apparatus for identifying selection for agent algorithms
CN105027495A (en) * 2014-01-14 2015-11-04 华为技术有限公司 Key verification method, base station, user device and core network element
CN103997447A (en) * 2014-05-30 2014-08-20 宇龙计算机通信科技(深圳)有限公司 Access point switching method, access point equipment and terminal
CN108270560A (en) * 2017-01-03 2018-07-10 中兴通讯股份有限公司 A kind of cipher key transmission methods and device
CN108270560B (en) * 2017-01-03 2023-06-09 中兴通讯股份有限公司 Key transmission method and device
CN110169103A (en) * 2017-05-04 2019-08-23 华为技术有限公司 A kind of key generation method and relevant device
WO2020097819A1 (en) * 2018-11-14 2020-05-22 Oppo广东移动通信有限公司 Method and apparatus for transmitting data upon handover, chip, and computer program

Similar Documents

Publication Publication Date Title
CN101309503A (en) Wireless handover method, base station and terminal
JP5597676B2 (en) Key material exchange
CN104661216B (en) The method and WTRU of NAS message are transmitted in WTRU
JP4820429B2 (en) Method and apparatus for generating a new key
US20170359719A1 (en) Key generation method, device, and system
JP2011526097A (en) Traffic encryption key generation method and update method
CN106664286B (en) Switching method and switching system between heterogeneous networks
WO2012083828A1 (en) Method, base station and system for implementing local routing
US8572384B2 (en) Method and apparatus for updating an authorization key in a communication system
CN101478752B (en) Cipher key replacing method, system and device
CN101005489A (en) Method for protecting mobile communication system network safety
CN101455054B (en) A method and apparatus for handling keys used for encryption and integrity
CN101167380A (en) Method and device for generating session key
WO2008152611A1 (en) Apparatus, method and computer program product providing transparent container
CN101742492B (en) Key processing method and system
US8713317B2 (en) Method and system for encrypting data in a wireless communication system
CN108712742B (en) Internet of Things network security optimization method, user terminal and network side equipment
CN1964259B (en) A method to manage secret key in the course of switch-over
CN101668289A (en) Method and system for updating air interface secret key in wireless communication system
CN102469454A (en) Key setting method in RNC handover and wireless network controller and terminal
CN100415059C (en) A processing method of AK context
CN110169128B (en) Communication method, device and system
TWI399068B (en) Systems and methods for key management for wireless communications systems
CN1988716B (en) Method for enshuring communication safety between mobile station and base station
KR20110041963A (en) Method and system for encrypting data in wireless communication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20081119