CN101917717B - Method and system for establishing a key when interworking between GERAN and enhanced UTRAN
- Publication number
- CN101917717B
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/02—Data link layer protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/14—Backbone network devices
Abstract
The invention provides a method for establishing a key when interworking between GERAN and enhanced UTRAN, comprising: when a user equipment moves from GERAN to enhanced UTRAN, the enhanced SGSN serving the enhanced UTRAN obtains security-related parameters from the GERAN and generates the air interface key of the enhanced UTRAN according to the security-related parameters; and/or, when the user equipment moves from enhanced UTRAN to GERAN, the enhanced SGSN serving the enhanced UTRAN generates the air interface key of the GERAN and sends it to the GERAN. The invention also provides a system for establishing a key when interworking between GERAN and enhanced UTRAN.
Description
Technical Field
The invention relates to the field of wireless communication, in particular to a method and a system for establishing an enhanced air interface key when a terminal in a wireless communication system moves from GERAN to enhanced UTRAN and from the enhanced UTRAN to GERAN.
Background
In Release 7, the 3GPP (3rd Generation Partnership Project) uses Orthogonal Frequency Division Multiplexing (OFDM) and Multiple-Input Multiple-Output (MIMO) techniques to implement HSPA+, the future evolution path of HSDPA (High Speed Downlink Packet Access) and HSUPA (High Speed Uplink Packet Access). HSPA+ is an enhanced technology for 3GPP HSPA (including HSDPA and HSUPA) that provides HSPA operators with a low-complexity, low-cost approach to smooth evolution from HSPA to LTE.
HSPA+ improves peak data rate and spectral efficiency by adopting high-order modulation (e.g., downlink 64QAM (quadrature amplitude modulation) and uplink 16QAM), MIMO, and a combination of high-order modulation and MIMO. In addition, in order to better support packet services, HSPA+ adopts a series of other enhanced technologies to increase user capacity, reduce delay, reduce terminal power consumption, better support Voice over IP (VoIP), improve the multicast/broadcast capability of the system, and so on.
Compared with HSPA, HSPA+ moves the functions of the Radio Network Controller (RNC) down to the base station Node B (NodeB) in the system architecture, forming a completely flat radio access network architecture, as shown in FIG. 1. The NodeB integrated with the full RNC function is referred to as the Evolved HSPA NodeB, or enhanced Node B (NodeB+) for short. SGSN+ is an SGSN (Serving GPRS Support Node; GPRS: General Packet Radio Service) upgraded to support HSPA+ functions. ME+ is a user terminal device (also referred to as UE+) capable of supporting HSPA+ functions. The evolved HSPA system can use 3GPP Rel-5 and later air interface versions, and the air interface HSPA service is not modified. With this scheme, each NodeB+ becomes a node equivalent to an RNC and has an Iu-PS interface that connects directly to the PS CN (core network); the Iu-PS user plane is terminated at the SGSN, and if the network supports the direct tunnel function, the Iu-PS user plane can also be terminated at the GGSN (Gateway GPRS Support Node). Communication between Evolved HSPA NodeBs is performed over the Iur interface. The NodeB+ has independent networking capabilities and supports complete mobility functions, including inter-system and intra-system handovers.
In HSPA+, NodeB+ can be seen as a combination of NodeB and RNC. The two are one physical entity but remain two different logical entities. The NodeB+ that supports the HSPA+ enhanced key hierarchy can therefore also be regarded as an upgraded RNC in UMTS. To distinguish it, it is referred to here as RNC+.
One HSPA+ enhanced security key hierarchy currently proposed is shown in FIG. 2. In it, the definitions of K (Key, i.e., the root key), CK (ciphering key) and IK (integrity key) are completely consistent with those in UMTS (Universal Mobile Telecommunications System). That is, K is a root key stored in the AuC (authentication center) and the USIM (universal subscriber identity module), and CK and IK are the ciphering key and integrity key calculated from K when the user equipment performs AKA (authentication and key agreement) with the HSS. In UMTS, the RNC encrypts and integrity protects data using CK and IK. CK and IK can be referred to as traditional air interface security keys, or simply traditional keys.
In the HSPA+ architecture, the whole function of the RNC is moved down to the base station NodeB+, so encryption and decryption are both performed at the NodeB+; because the NodeB+ is located in an insecure environment, its security is not particularly high. HSPA+ therefore introduces a key hierarchy similar to that of EUTRAN (Evolved Universal Terrestrial Radio Access Network), i.e. the UTRAN key hierarchy. In the UTRAN key hierarchy, the intermediate key K_RNC (also known as K_ASMEU) is a key newly introduced by HSPA+, derived from the legacy keys CK and IK. Further, K_RNC generates CK_U and IK_U, where CK_U is used for encrypting user plane data and control plane signalling, and IK_U is used for integrity protection of control plane signalling. CK_U and IK_U are referred to as enhanced air interface security keys, or enhanced keys for short.
Two further HSPA+ enhanced security key hierarchies proposed so far are shown in FIG. 2a and FIG. 2b. K and IK/CK in these two key architectures (IK/CK here denotes IK and CK) are the same as in the key architecture shown in FIG. 2. CK_U and IK_U in FIG. 2a are the same as CK_U and IK_U in FIG. 2 but are derived differently: under this key architecture, CK_U and IK_U are derived directly from CK/IK without any intermediate key. K_ASMEU in the key architecture shown in FIG. 2b is an intermediate key with the same role as K_RNC in the key architecture shown in FIG. 2; it is also derived from IK/CK, except that the derivation formula may be slightly different. Under this architecture, CK_L and IK_L, and CK_S and IK_S, are similar to CK_U and IK_U in the architecture of FIG. 2 in that they are all used for air interface ciphering and integrity protection; CK_L and IK_L are for use in existing UTRAN networks, and CK_S and IK_S are for use in an enhanced UTRAN network.
GERAN (GSM/EDGE Radio Access Network) adopts the EDGE radio transmission technology and has the same network composition as GPRS. The entire GERAN architecture is shown in FIG. 3. GERAN is the radio access part of GSM/EDGE and includes base stations and base station controllers (BSC) and their interfaces. GERAN is primarily responsible for wireless communications, wireless communications management, and management of mobility contexts. The core network includes the MSC/SGSN, etc., and is responsible for operations related to the control plane, such as mobility management, non-access stratum signaling processing, and user security mode management.
When the user moves from GERAN to UTRAN, if the SGSN serving GERAN stores IK/CK after AKA, the SGSN transmits the IK/CK to the target SGSN, and the target SGSN directly uses the IK/CK as the air interface key. If the SGSN serving GERAN does not store IK/CK but stores Kc, the Kc is transmitted directly to the target SGSN: if the source SGSN is R99+, the target SGSN derives IK/CK from the Kc; if the source SGSN is R98-, the target SGSN re-initiates AKA to generate a new IK/CK.
When a user moves from UTRAN to GERAN, if the target SGSN is R99+, the source SGSN directly transmits IK/CK to the target SGSN, and the target SGSN derives from the IK/CK the Kc that it uses as the air interface key; if the target SGSN is R98-, the source SGSN derives the Kc for the target SGSN from the IK/CK and transfers it to the target SGSN, and the target SGSN saves the received Kc and uses it as the air interface key.
With the introduction of HSPA+ security, a key hierarchy level has been added, and communication between the user and the network is protected with the enhanced keys IK_U and CK_U. How to establish the key when the user moves between GERAN and HSPA+, and specifically how to derive the key when the user moves from GERAN to HSPA+ and from HSPA+ to GERAN, are problems that urgently need to be solved.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a system for establishing a secret key when a terminal moves between GERAN and enhanced UTRAN, so as to ensure that the terminal can safely and normally communicate in the enhanced UTRAN and GERAN.
In order to solve the above problem, the present invention provides a method for establishing a secret key when interconnecting GERAN and enhanced UTRAN, which comprises:
when user equipment moves from GERAN to enhanced UTRAN, an enhanced SGSN serving the enhanced UTRAN acquires security-related parameters from the GERAN and generates an air interface key of the enhanced UTRAN according to the security-related parameters;
and/or when the user equipment moves from the enhanced UTRAN to the GERAN, the enhanced SGSN serving the enhanced UTRAN generates an air interface key of the GERAN and sends the air interface key to the GERAN.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK and the CK; or, the enhanced SGSN generates IK and CK according to the Kc and then generates an intermediate key K_RNC according to the obtained IK and CK.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK, the CK and a first parameter; or, the enhanced SGSN generates IK and CK according to the Kc and then generates an intermediate key K_RNC according to the obtained IK and CK and the first parameter;
The first parameter is a random number or a count value generated by a counter.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK and the CK, the first parameter and the second parameter; or, the enhanced SGSN generates IK and CK according to the Kc and then generates an intermediate key K_RNC according to the obtained IK and CK and the first parameter and the second parameter;
The first parameter and the second parameter are random numbers or count values generated by a counter.
Further, the above method may also have the following feature, the method further including:
the enhanced SGSN sends the K_RNC to an enhanced RNC (radio network controller), and the enhanced RNC generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK and the CK, and generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC; or, the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and the CK;
or, the enhanced SGSN generates IK and CK according to the Kc, then generates an intermediate key K_RNC according to the obtained IK and CK, and then generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC; or, the enhanced SGSN generates IK and CK according to the Kc and then directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the obtained IK and CK.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and a first parameter, and generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC;
or, the enhanced SGSN generates an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC and a first parameter;
or, the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and the first parameter;
The first parameter is a random number or a count value generated by a counter.
Further, the method may also have the following feature: the security-related parameters are IK and CK, or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN generates an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, the first parameter and the second parameter, and generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC;
or, the enhanced SGSN generates an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC, the first parameter and the second parameter;
or, the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and the first parameter and the second parameter;
The first parameter and the second parameter are random numbers or count values generated by a counter.
Further, the method may further have a feature that the first parameter is generated by the enhanced SGSN or generated by the user equipment and sent to the enhanced SGSN.
Further, the method may further include that the first parameter is generated by the enhanced SGSN, and the second parameter is generated by the user equipment and sent to the enhanced SGSN.
Further, the method may also have the following feature: when the user equipment moves from the enhanced UTRAN to the GERAN, the enhanced SGSN generating an air interface key of the GERAN and sending the air interface key to the GERAN includes:
the enhanced SGSN generates Kc according to IK'/CK', or generates Kc according to IK_U and CK_U, and sends the Kc to the GERAN.
The invention also provides a system for establishing a secret key when interconnecting GERAN and enhanced UTRAN, the system comprises an enhanced SGSN, wherein:
the enhanced SGSN is used for acquiring security related parameters from GERAN when user equipment moves from GERAN to enhanced UTRAN served by the enhanced SGSN, and generating an air interface key of the enhanced UTRAN according to the security related parameters; and/or when the user equipment moves from the enhanced UTRAN served by the enhanced SGSN to the GERAN, generating an air interface key of the GERAN and sending the air interface key to the GERAN.
Further, the system may also have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK and CK; or to generate IK and CK according to the Kc and generate an intermediate key K_RNC according to the IK and CK.
Further, the system may also have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK, the CK and a first parameter; or to generate IK and CK according to the Kc and then generate an intermediate key K_RNC according to the obtained IK and CK and the first parameter. The first parameter is a random number or a count value generated by a counter.
Further, the system may also have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK and the CK and the first parameter and the second parameter; or to generate IK and CK according to the Kc and then generate an intermediate key K_RNC according to the obtained IK and CK, the first parameter and the second parameter;
The first parameter and the second parameter are random numbers or count values generated by a counter.
Further, the system may also have the feature that the enhanced SGSN is further configured to send the K_RNC to an enhanced RNC, so that the enhanced RNC generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC.
Further, the system may also have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK and CK and generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC; or to generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly according to the IK and the CK; or to generate IK and CK according to the Kc, generate an intermediate key K_RNC according to the IK and CK, and then generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC; or to generate IK and CK according to the Kc and directly generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the obtained IK and CK.
Further, the above system may have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK obtained from the GERAN, and a first parameter, and generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC; or,
to generate an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK obtained from the GERAN, and generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC and a first parameter;
or to generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and the first parameter;
The first parameter is a random number or a count value generated by a counter.
Further, the system may also have the following feature: the enhanced SGSN is configured to obtain IK and CK, or Kc, from the GERAN; and to generate an intermediate key K_RNC according to the IK and CK generated from the Kc or obtained from the GERAN, and the first and second parameters, and generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC;
or to generate an intermediate key K_RNC according to the IK and CK generated from the Kc or the IK and CK obtained from the GERAN, and generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the K_RNC, the first parameter and the second parameter;
or to generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, the first parameter and the second parameter;
The first parameter and the second parameter are random numbers or count values generated by a counter.
Further, the system may also have the feature that the enhanced SGSN is configured to generate the first parameter, or to receive the first parameter generated by the user equipment.
Further, the system may have the feature that the enhanced SGSN is configured to generate the first parameter and receive the second parameter generated by the user equipment.
Further, the system may have the feature that the enhanced SGSN is configured, when the user equipment moves from the enhanced UTRAN to the GERAN, to generate Kc according to IK'/CK', or to generate Kc according to IK_U and CK_U, and to send the Kc to the GERAN.
By adopting the method of the invention, when the terminal moves from GERAN to enhanced UTRAN and from enhanced UTRAN to GERAN, the network side and the terminal can ensure the safety function of the existing GERAN system to be completely compatible, and can also establish the enhanced key system according to the existing key without performing AKA process again, thereby increasing the network compatibility, saving the network overhead, improving the system efficiency and ensuring that the terminal can safely communicate with the enhanced UTRAN and GERAN networks.
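The derivation chain described above for a move from GERAN to enhanced UTRAN (Kc or IK/CK in, K_RNC at the SGSN+, IK_U/CK_U at the RNC+), together with the reverse step back to Kc, is sketched below as an added example; it is not code from the patent. The Kc conversions are the c3/c4/c5 functions of 3GPP TS 33.102. The HMAC-SHA-256 derivation function, the labels, the 256-bit K_RNC and 128-bit IK_U/CK_U lengths, and the names `HandoverSecurityParams`, `sgsn_plus_derive_k_rnc` and `rnc_plus_derive_air_keys` are assumptions, since the page leaves the derivation function open.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kc_to_ck_ik(kc: bytes) -> Tuple[bytes, bytes]:
    """TS 33.102 c4/c5: expand a 64-bit GSM Kc into 128-bit CK and IK."""
    if len(kc) != 8:
        raise ValueError("Kc must be 64 bits")
    mix = _xor(kc[:4], kc[4:])        # Kc1 xor Kc2
    return kc + kc, mix + kc + mix    # CK = Kc||Kc, IK = mix||Kc||mix


def ck_ik_to_kc(ck: bytes, ik: bytes) -> bytes:
    """TS 33.102 c3: Kc = CK1 xor CK2 xor IK1 xor IK2 (64-bit halves).

    Assumption: the page says Kc is generated from IK'/CK' or from
    IK_U/CK_U without naming the function; c3 is used here for either.
    """
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits")
    return _xor(_xor(ck[:8], ck[8:]), _xor(ik[:8], ik[8:]))


def _kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the unspecified derivation
    # function. Each field carries its length so that different
    # (label, parameter) tuples can never produce the same input string.
    msg = b"".join(f + len(f).to_bytes(2, "big") for f in (label, *params))
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class HandoverSecurityParams:
    """Hypothetical container for the security-related parameters that the
    source SGSN forwards: CK/IK, or only Kc."""
    ck: Optional[bytes] = None
    ik: Optional[bytes] = None
    kc: Optional[bytes] = None


def sgsn_plus_derive_k_rnc(p: HandoverSecurityParams,
                           first_param: bytes = b"",
                           second_param: bytes = b"") -> bytes:
    """SGSN+ side: map whatever GERAN supplied to IK/CK, then derive K_RNC.

    first_param / second_param are the optional random numbers or counter
    values of the method. They add freshness and key separation only: a
    chain that starts from Kc never has more than 64 bits of key entropy.
    """
    if p.ck is not None and p.ik is not None:
        ck, ik = p.ck, p.ik
    elif p.kc is not None:
        ck, ik = kc_to_ck_ik(p.kc)
    else:
        raise ValueError("no security-related parameters received from GERAN")
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits")
    return _kdf(ck + ik, b"K_RNC", first_param, second_param)


def rnc_plus_derive_air_keys(k_rnc: bytes) -> Tuple[bytes, bytes]:
    """RNC+ side: derive (CK_U, IK_U) from K_RNC with distinct labels."""
    if len(k_rnc) != 32:
        raise ValueError("K_RNC must be 256 bits in this sketch")
    return _kdf(k_rnc, b"CK_U")[:16], _kdf(k_rnc, b"IK_U")[:16]


if __name__ == "__main__":
    kc = bytes.fromhex("0011223344556677")   # constructed sample Kc
    nonce = bytes.fromhex("a1a2a3a4")        # constructed first parameter
    k_rnc = sgsn_plus_derive_k_rnc(HandoverSecurityParams(kc=kc), nonce)
    ck_u, ik_u = rnc_plus_derive_air_keys(k_rnc)
    print("K_RNC:", k_rnc.hex())
    print("CK_U :", ck_u.hex())
    print("IK_U :", ik_u.hex())
    print("Kc back in GERAN:", ck_ik_to_kc(ck_u, ik_u).hex())
```

Because c4/c5 only rearrange the 64 bits of Kc, converting a Kc to CK/IK and back through c3 returns the same Kc, and every key derived from a Kc-only handover is bounded by that 64-bit input.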
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention.
FIG. 1 is a schematic diagram of a radio access network employing HSPA+ technology in the prior art;
FIG. 2 is a diagram of an HSPA+ enhanced security key hierarchy in the prior art;
FIG. 2a is a diagram illustrating a second enhanced security key hierarchy in HSPA+ in the prior art;
FIG. 2b is a schematic diagram of a third enhanced security key hierarchy in HSPA+ in the prior art;
FIG. 3 is a schematic diagram of a GERAN architecture in the prior art;
FIG. 3a is a schematic diagram illustrating a GERAN and HSPA+ hybrid networking architecture in the prior art;
FIG. 4 is a flowchart of example 1 of the present invention;
FIG. 5 is a flowchart of example 2 of the present invention;
FIG. 6 is a flowchart of example 3 of the present invention;
FIG. 7 is a flowchart of embodiment 4 of the present invention;
FIG. 8 is a flowchart of example 5 of the present invention;
FIG. 9 is a flowchart of example 6 of the present invention;
FIG. 10 is a flowchart of example 7 of the present invention;
FIG. 11 is a flowchart of example 8 of the present invention;
FIG. 12 is a flowchart of example 9 of the present invention;
FIG. 13 is a flowchart of example 10 of the present invention;
FIG. 14 is a flowchart of embodiment 11 of the present invention.
Detailed Description
The core idea of the invention is as follows: when the UE moves from GERAN to the enhanced UTRAN, the key of the enhanced UTRAN is derived at the SGSN+ serving the enhanced UTRAN; when the UE moves from the enhanced UTRAN to GERAN, the key in GERAN is also derived at the SGSN+ serving the enhanced UTRAN, as shown in FIG. 3a.
The present invention will be described in detail below with reference to the accompanying drawings, in which the terminal state in embodiments 1 to 6 is an active state, and the terminal state in embodiments 7 to 11 is an idle state.
Example 1
This embodiment illustrates an example of an air interface key management procedure when a terminal moves from GERAN to enhanced UTRAN. In this embodiment, the target SGSN+ is responsible for deriving K_RNC, and the target RNC+ is responsible for deriving the enhanced keys CK_U and IK_U. As shown in FIG. 3a and FIG. 4, the method comprises the following steps:
Step 101, the source BSC decides to switch from the GERAN network to the target enhanced UTRAN network;
Step 102, the source BSC sends a handover required message to the source SGSN;
Step 103, the source SGSN sends a handover preparation message to the target SGSN+; if the source SGSN is an R99+ SGSN, the message carries the security-related parameters CK/IK; if the source SGSN is an R98- SGSN, the message carries the security-related parameter Kc;
Step 104, if the target SGSN supports the HSPA+ enhanced security function, that is, if the target SGSN is an SGSN+, the target SGSN+ derives an intermediate key K_RNC according to the received IK/CK; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK according to the Kc and then derives K_RNC based on the IK/CK; or the CK/IK is directly used as the CK_U/IK_U.
Optionally, after deriving the intermediate key K_RNC, the target SGSN+ derives a morphed intermediate key K_RNC* according to the key IK/CK and the intermediate key K_RNC; the morphed intermediate key is used for updating the enhanced air interface keys IK_U and CK_U when the terminal performs SRNC migration in the enhanced UTRAN network. Preferably, the morphed intermediate key K_RNC* is associated with a counter NCC for recording the number of times the intermediate key K_RNC is generated; in this example, the NCC value associated with the morphed intermediate key K_RNC* at this point is 1.
If the target SGSN does not support the HSPA+ enhanced security function, the following procedure operates according to the procedure specified in the UMTS specification, which is not described herein again.
Step 105, the target SGSN+ sends a migration request message to the target RNC+ to request the target RNC+ to establish radio network resources for the terminal, where the message carries security-related information that at least includes: K_RNC and algorithm information;
the algorithm information comprises integrity algorithm information and/or encryption algorithm information; the integrity algorithm can be an integrity algorithm supported by the terminal or an integrity algorithm selected by the network side; the encryption algorithm may be an encryption algorithm supported by the terminal or an encryption algorithm selected by the network side. If integrity protection is required, the algorithm information at least comprises an integrity algorithm.
Optionally, if in step 104 the target SGSN+ also derived a morphed intermediate key K_RNC*, the target SGSN+ may also carry the morphed intermediate key K_RNC* in the migration request message. If a counter NCC is set for K_RNC*, the counter NCC value may also be carried.
Step 106, the target RNC+ allocates radio resources for the terminal, derives an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the received K_RNC, and stores the generated IK_U and/or CK_U;
Step 107, the target RNC+ sends a migration request acknowledgement message to the target SGSN+;
if the target SGSN+ carried algorithm information in step 105, then in this step the RNC+ needs to carry the algorithm selected by the RNC+ (integrity algorithm and/or ciphering algorithm) in the migration request acknowledgement message.
In addition, the target RNC+ may add an indication to the migration request acknowledgement message to implicitly or explicitly instruct the terminal to derive the enhanced keys IK_U and/or CK_U, for example: a network side security capability indication (implicit mode) or an enhanced key enabling indication (explicit mode) is added to the migration request acknowledgement message.
The target SGSN+ and the serving gateway may then perform a create indirect data forwarding tunnel request message interaction procedure.
Step 108, the target SGSN+ sends a handover preparation response message to the source SGSN+;
if the target SGSN+ received the algorithm selected by the target RNC+, the algorithm selected by the RNC+ is carried in the handover preparation response message.
The target SGSN+ may also add an indication to the handover preparation response message to implicitly or explicitly instruct the terminal to derive the enhanced keys IK_U and/or CK_U, for example: a network side security capability indication (implicit mode) or an enhanced key enabling indication (explicit mode) is added to the handover preparation response message. If the indication is carried in the migration request acknowledgement message sent by the target RNC+ to the target SGSN+ in step 107, the target SGSN+ may add the indication to the handover preparation response message it constructs.
Step 109, the source SGSN sends a handover command message to the source BSC, instructing the network to complete the handover preparation process;
if the handover preparation response message sent by the target SGSN + to the source SGSN carries the RNC + selected algorithm, the handover command message sent by the source SGSN to the source BSC also carries a parameter indicating the algorithm.
In addition, the source SGSN carries an indication of target RNC + or target SGSN + addition in the handover command message to indicate the terminal to perform the enhanced key IKUAnd/or CKUAnd (4) derivation.
Step 110, the source BSC sends a GERAN handover command message to the terminal, and instructs the terminal to switch to the target access network;
the handover command message carries radio-related parameters assigned by the target RNC + to the terminal during the preparation phase, as well as algorithm information (including integrity algorithm and/or ciphering algorithm).
Preferably, the source BSC also carries an indication of target RNC + or target SGSN + addition in the message to instruct the terminal to perform the enhanced key IKUAnd CKUAnd (4) derivation.
Step 111, the terminal deduces an enhanced air interface integrity key IKUAnd/or air interface ciphering key CKU;
Wherein the terminal can derive the intermediate key K from the IK/CKRNC(ii) a Alternatively, if there is only Kc in the terminal, the terminal first derives IK/CK from Kc and then derives K based on the IK/CKRNC;
Then according to KRNCDeriving enhanced air interface integrity key IKUAnd/or air interface ciphering key CKU(ii) a Or the terminal directly derives the enhanced air interface integrity key IK according to the IK/CKUAnd/or air interface ciphering key CKU;
In step 112, the terminal sends a handover to UTRAN complete message to the target RNC +, which uses the newly generated enhanced integrity key IKUIntegrity protection, and/or use of an enhanced ciphering key, CKUCarrying out encryption protection;
step 113, the target RNC + sends a migration completion message to the target SGSN +, indicating to the target SGSN + that the terminal has been successfully switched from GERAN to the target RNC +;
step 114, the target SGSN + and the source SGSN carry out message interaction and confirm that the migration is completed;
and step 115, the source SGSN and the source BSC perform message interaction and release related resources.
Example 2
This embodiment illustrates an example of an enhanced air interface key establishment procedure when a terminal moves from GERAN to enhanced UTRAN. The present example differs from example 1 in that the source SGSN and the target SGSN+ are the same SGSN, which is an enhanced SGSN, i.e., SGSN+. As shown in fig. 5, the method comprises the following steps:
All the steps are basically the same as in embodiment 1, except that the processing performed in the source SGSN and the target SGSN+ in embodiment 1 is performed in the single SGSN+ in this embodiment, and the signaling interaction between the source SGSN and the target SGSN+ of embodiment 1 does not take place.
Example 3
This embodiment illustrates an example of an enhanced air interface key establishment procedure when a terminal moves from GERAN to enhanced UTRAN. The present example differs from example 1 in that the enhanced air interface integrity key IK_U and the air interface encryption key CK_U are generated at the target SGSN+ and sent by the target SGSN+ to the target RNC+ in the migration request message. As shown in fig. 6, the method comprises the following steps:
step 301-;
Step 304, if the target SGSN supports the enhanced security function, that is, if the target SGSN is an SGSN+, then:
The target SGSN+ derives K_RNC from the received keys IK and CK; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK;
The target SGSN+ then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; or the target SGSN directly derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the IK/CK;
Optionally, the target SGSN+ further derives a morphed intermediate key K_RNC* from the mapped legacy keys IK, CK and the intermediate key K_RNC.
Step 305, the target SGSN+ sends a migration request message to the target RNC+ to request the target RNC+ to establish radio network resources for the terminal, where the message carries security-related information that at least includes: enhanced air interface key information (enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U) and algorithm information;
The algorithm information includes integrity algorithm information and/or encryption algorithm information.
Optionally, if in step 304 the target SGSN+ also derived a morphed intermediate key K_RNC*, the target SGSN+ also carries the morphed intermediate key K_RNC* in the information. If a counter NCC is set for K_RNC*, the counter NCC value may also be carried.
Step 306, the target RNC+ stores the enhanced air interface key information;
step 307-.
Step 311, the terminal derives the intermediate key K_RNC from the IK/CK; if only Kc exists in the terminal, the terminal first derives IK/CK from Kc and then derives K_RNC based on the IK/CK; the terminal then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from K_RNC; or the terminal directly derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the IK/CK;
Step 312-.
Example 4
This embodiment illustrates another example of an enhanced air interface key establishment procedure when a terminal moves from GERAN to enhanced UTRAN. This embodiment differs from embodiment 1 in that a random number NONCE_SGSN is generated by the target SGSN+, and the intermediate key K_RNC is derived using the random number NONCE_SGSN and the keys IK and CK. As shown in fig. 7, the method comprises the following steps:
step 401-;
Step 404, if the target SGSN is an SGSN+, the target SGSN+ generates a random number NONCE_SGSN and derives the intermediate key K_RNC from the received IK/CK and the generated random number NONCE_SGSN; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the generated random number NONCE_SGSN;
Optionally, after deriving the intermediate key K_RNC, the target SGSN+ derives a morphed intermediate key K_RNC* from the keys IK, CK and the intermediate key K_RNC. The morphed intermediate key is used to update the enhanced air interface keys IK_U and CK_U when the terminal performs SRNC migration in the enhanced UTRAN network. Preferably, the morphed intermediate key K_RNC* is associated with a counter NCC. In the present embodiment, at this time, the NCC value associated with the morphed intermediate key K_ASMEU is 1.
Step 405-;
Step 408, the target SGSN+ sends a handover preparation response message to the source SGSN, and the message carries parameters: random number NONCE_SGSN and algorithm information, the algorithm information comprising integrity algorithm information and/or encryption algorithm information;
Preferably, the target SGSN+ may carry an indication in the message that, relayed via the source SGSN, instructs the terminal to derive the enhanced keys IK_U and CK_U. The indication may be implicit or explicit, for example: a network side security capability indication (implicit mode) or an enhanced key enabling indication (explicit mode) is added to the forwarding migration response message.
Step 409, the source SGSN sends a handover command message to the source BSC, instructing the network to complete the handover preparation process, and carries parameters in the message: random number NONCE_SGSN and algorithm information;
Step 410, the source BSC sends a GERAN handover command message to the terminal, instructing the terminal to hand over to the target access network, and carries in the message the radio parameters that the target RNC+ allocated to the terminal in the preparation phase, including: random number NONCE_SGSN and algorithm information;
Preferably, the source base station instructs the terminal in the message to derive the enhanced keys IK_U and CK_U. The indication may be implicit or explicit, for example: a network side security capability indication (implicit indication) or an enhanced key enabling indication (explicit indication) is added to the handover command.
Step 411, the terminal derives the intermediate key K_RNC from the IK/CK and the random number NONCE_SGSN; if there is only Kc in the terminal, the terminal first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the random number NONCE_SGSN; the terminal then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from K_RNC;
Or the terminal directly derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the IK/CK and the random number NONCE_SGSN.
Step 412-.
Example 5
This embodiment illustrates an example of an enhanced air interface key establishment procedure when a terminal moves from GERAN to enhanced UTRAN. The present example differs from example 4 in that the enhanced air interface integrity key IK_U and the air interface encryption key CK_U are generated at the target SGSN+ and sent by the target SGSN+ to the target RNC+ in the migration request message. As shown in fig. 8, the method comprises the following steps:
step 501-;
Step 504, if the target SGSN is an SGSN+, the target SGSN+ generates a random number NONCE_SGSN and derives the intermediate key K_RNC from the received IK/CK and the generated random number NONCE_SGSN; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the generated random number NONCE_SGSN; the target SGSN+ then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; or, the target SGSN+ derives K_RNC from the keys IK and CK, and then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC and the generated random number NONCE_SGSN;
Optionally, the target SGSN+ derives a morphed intermediate key K_RNC* from the keys IK, CK and the intermediate key K_RNC, and sets a counter NCC for the morphed intermediate key K_RNC*.
Step 505, the target SGSN+ sends a migration request message to the target RNC+ to request the target RNC+ to establish radio network resources for the terminal, where the message carries security-related information that at least includes: enhanced air interface key information (enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U) and algorithm information;
The algorithm information includes integrity algorithm information and/or encryption algorithm information.
Optionally, if in step 504 the target SGSN+ also derived a morphed intermediate key K_RNC*, the target SGSN+ also carries the morphed intermediate key K_RNC* in the information. If a counter NCC is set for K_RNC*, the counter NCC value may also be carried.
Step 506, the target RNC+ stores the enhanced air interface key information;
step 507-. In step 511, the terminal derives the enhanced keys IK_U and/or CK_U in the same way as the network side.
Example 6
This embodiment describes an example of an air interface key management procedure when a terminal moves from an enhanced UTRAN to a GERAN. In this embodiment, the source SGSN+ is responsible for deriving Kc. As shown in fig. 9, the method includes the following steps:
Step 601, the source RNC+ decides to switch from the enhanced UMTS network to the target GERAN network;
Step 602, the source RNC+ sends a message for migration to the source SGSN+;
Step 603, the source SGSN+ derives Kc from IK'/CK'; the derivation uses the existing Kc derivation method, which is not described here. Alternatively, if the air interface keys IK_U and CK_U are generated in the SGSN+, Kc can also be derived from IK_U and CK_U.
IK'/CK' is a key in the SGSN+.
Step 604, the source SGSN+ sends a handover preparation message to the target SGSN, where the message carries the security-related parameter Kc;
Step 605, the target SGSN sends a handover request message to the target BSC, requesting the target BSC to establish radio network resources for the terminal;
Step 606, the target BSC allocates radio resources for the terminal and sends a handover request acknowledgement message to the target SGSN;
Step 607, the target SGSN sends a handover preparation response message to the source SGSN+;
Step 608, the source SGSN+ sends a migration command message to the source RNC+, instructing the network to complete the handover preparation process;
Step 609, the source BSC sends a UTRAN handover command message to the terminal, instructing the terminal to switch to the target access network;
Step 610, the terminal derives Kc using the method of step 603;
Step 611, the terminal sends a handover complete message to the target BSC;
Step 612, the target BSC sends a handover complete message to the target SGSN, indicating to the target SGSN that the terminal has been successfully handed over from the enhanced UMTS to the target BSC;
Step 613, the target SGSN and the source SGSN+ perform message interaction to confirm that the migration is completed;
Step 614, the source SGSN+ and the source RNC+ perform message interaction to release related resources.
Example 7
This embodiment shows an example of enhanced air interface key establishment when a terminal moves from GERAN to an enhanced UTRAN and performs a routing area update in idle mode. As shown in fig. 10, the method includes the following steps:
Step 701, when a routing area update triggering condition is met, the terminal sends a routing area update request message to the target SGSN+ to request a routing area update;
Step 702, the target SGSN+ sends a context request message to the source SGSN of the terminal to request the context of the terminal;
Step 703, the source SGSN sends a context response message to the target SGSN+. If the source SGSN is an R99+ SGSN, the message carries the security-related parameters CK/IK; if the source SGSN is an R98- SGSN, the message carries the security-related parameter Kc.
Step 704, if the target SGSN+ receives IK/CK, the target SGSN+ derives K_RNC from the received keys IK and CK; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK; further optionally, the target SGSN+ also derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; optionally, the target SGSN+ derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK/CK;
Step 705, the target SGSN+ sends a routing area update accept message to the terminal;
Preferably, the target SGSN+ adds an indication to the routing area update accept message to implicitly or explicitly instruct the terminal to derive K_RNC, for example: a network side security capability indication (implicit mode) or an enhanced key enabling indication (explicit mode) is added to the routing area update accept message.
Step 706, the terminal derives K_RNC by the same method as in step 704, and optionally further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U.
Step 707, the terminal sends a routing area update complete message to the target SGSN+, confirming that the routing area update is complete.
Example 8
This embodiment shows an example of establishing an enhanced air interface key when a terminal moves from GERAN to an enhanced UTRAN and performs a routing area update in idle mode. This embodiment differs from embodiment 7 in that a random number NONCE_SGSN is generated by the target SGSN+, and the target SGSN+ and the terminal derive the intermediate key K_RNC using the random number NONCE_SGSN and the keys IK, CK. As shown in fig. 11, the method comprises the following steps:
step 801-;
Step 804, the target SGSN+ generates a random number NONCE_SGSN; if the target SGSN+ receives IK/CK, the target SGSN+ derives K_RNC from the received keys IK/CK and the random number NONCE_SGSN; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the random number NONCE_SGSN; optionally, the target SGSN+ further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; alternatively, the target SGSN+ derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK/CK and the random number NONCE_SGSN;
Alternatively, the target SGSN+ takes the IK/CK (received, or derived from Kc) and derives K_RNC based on the IK/CK; it then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC and the random number NONCE_SGSN;
Step 805, the target SGSN+ sends a routing area update accept message to the terminal, and the message carries the parameter: random number NONCE_SGSN;
Preferably, the target SGSN+ adds an indication to the routing area update accept message to implicitly or explicitly instruct the terminal to derive K_RNC.
Step 806, the terminal derives K_RNC in the same way as in step 804, using the received NONCE_SGSN; optionally it further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U.
Step 807, the same as step 707 in example 7.
Optionally, instead of generating NONCE_SGSN, the target SGSN can generate a count value COUNT_SGSN. The target SGSN uses the same message to transmit COUNT_SGSN to the terminal, and both sides use COUNT_SGSN in place of NONCE_SGSN when deriving the key, achieving the same key freshness effect. Subsequently, both sides maintain COUNT_SGSN in parallel. COUNT_SGSN is generated by a counter COUNT.
Example 9
This embodiment shows an example of establishing an enhanced air interface key when a terminal moves from GERAN to an enhanced UTRAN and performs a routing area update in idle mode. This embodiment differs from embodiment 7 in that a random number NONCE_UE is generated by the terminal, and the target SGSN+ and the terminal derive the intermediate key K_RNC using the random number NONCE_UE and the keys IK, CK. As shown in fig. 12, the method comprises the following steps:
Step 901, when the routing area update triggering condition is satisfied, the terminal generates a random number NONCE_UE;
Step 902, the terminal sends a routing area update request message to the target SGSN+ requesting a routing area update, where the message carries the parameter: random number NONCE_UE;
Step 903-;
Step 905, if the target SGSN+ receives IK/CK, the target SGSN+ derives K_RNC from the received keys IK/CK and the random number NONCE_UE; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the random number NONCE_UE; optionally, the target SGSN+ further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; alternatively, the target SGSN+ derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK/CK and the random number NONCE_UE; alternatively, the target SGSN+ takes the IK/CK (received, or derived from Kc) and derives K_RNC based on the IK/CK, and then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC and the random number NONCE_UE;
Step 906, the same as step 705 in example 7;
Step 907, the terminal derives K_RNC in the same manner as in step 905, using the NONCE_UE it generated previously; optionally it further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U.
Step 908, the same as step 707 in example 7.
Optionally, instead of generating NONCE_UE, the terminal can generate COUNT_UE. The terminal uses the same message to deliver COUNT_UE to the target SGSN, and both sides use COUNT_UE in place of NONCE_UE when deriving the key, achieving the same key freshness effect. Subsequently, both sides maintain COUNT_UE in parallel.
Example 10
This embodiment shows an example of establishing an enhanced air interface key when a terminal moves from GERAN to an enhanced UTRAN and performs a routing area update in idle mode. This embodiment differs from embodiment 7 in that the terminal generates a random number NONCE_UE, the target SGSN+ generates a random number NONCE_SGSN, and the terminal and the target SGSN+ each derive the intermediate key K_RNC using the random numbers NONCE_UE and NONCE_SGSN and the keys IK, CK. As shown in fig. 13, the method comprises the following steps:
Step 1001, when the routing area update triggering condition is satisfied, the terminal generates a random number NONCE_UE;
Step 1002, the terminal sends a routing area update request message to the target SGSN+ requesting a routing area update, where the message carries the parameter: random number NONCE_UE;
Step 1003-;
Step 1005, the target SGSN+ generates a random number NONCE_SGSN; if the target SGSN+ receives IK/CK, the target SGSN+ derives K_RNC from the received keys IK/CK and the random numbers NONCE_SGSN and NONCE_UE; if the target SGSN+ receives Kc, the target SGSN+ first derives IK/CK from Kc and then derives K_RNC based on the IK/CK and the random numbers NONCE_SGSN and NONCE_UE; optionally, the target SGSN+ further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC; alternatively, the target SGSN+ derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK/CK, the random number NONCE_UE and the random number NONCE_SGSN; alternatively, the target SGSN+ takes the IK/CK (received, or derived from Kc) and derives K_RNC based on the IK/CK, and then derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U from the intermediate key K_RNC and the random numbers NONCE_UE and NONCE_SGSN;
Step 1006, the target SGSN+ sends a routing area update accept message to the terminal, and the message carries the parameter: random number NONCE_SGSN;
Preferably, the target SGSN+ adds an indication to the routing area update accept message to implicitly or explicitly instruct the terminal to derive K_RNC.
Step 1007, the terminal derives K_RNC in the same manner as in step 1005, using the NONCE_UE it generated previously; optionally it further derives the enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U.
Step 1008 is the same as step 708 of example 7.
Optionally, instead of generating NONCE_UE, the terminal can generate COUNT_UE, and instead of generating NONCE_SGSN, the target SGSN can generate COUNT_SGSN. The terminal uses the same message to deliver COUNT_UE to the target SGSN, and the target SGSN uses the same message to transmit COUNT_SGSN to the terminal. Both sides use COUNT_UE and COUNT_SGSN together, in place of NONCE_UE and NONCE_SGSN, when deriving the key, achieving the same key freshness effect. Subsequently, both sides maintain COUNT_UE and COUNT_SGSN in parallel. COUNT_UE and COUNT_SGSN are generated by a counter.
Example 11
This embodiment shows an example of enhanced air interface key establishment when a terminal moves from an enhanced UTRAN to a GERAN and performs a routing area update in idle mode. As shown in fig. 14, the method includes the following steps:
Step 1101, when the routing area update triggering condition is satisfied, the terminal sends a routing area update request message to the target SGSN, requesting a routing area update;
Step 1102, the target SGSN sends a context request message to the source SGSN+ of the terminal to request the context of the terminal;
Step 1103, the source SGSN+ derives Kc from IK'/CK'; the derivation uses the existing Kc derivation method, which is not described again. Alternatively, if the air interface keys IK_U and CK_U are generated in the SGSN+, Kc can also be derived from IK_U and CK_U.
Step 1104, the source SGSN+ sends a context response message to the target SGSN, where the message carries the security parameter Kc;
Step 1105, the target SGSN sends a routing area update accept message to the terminal;
Step 1106, the terminal derives Kc in the same way as in step 1103.
Step 1107, the terminal sends a routing area update complete message to the target SGSN, confirming that the routing area update is completed.
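The derivation chain of Examples 7 to 10 (Kc, then IK/CK, then K_RNC, then IK_U/CK_U, with NONCE_UE and NONCE_SGSN for freshness) and the reverse Kc derivation of Examples 6 and 11, as an added example that is not part of the patent text. The existing Kc conversions are taken to be the c3, c4 and c5 functions of 3GPP TS 33.102; the HMAC-SHA-256 KDF, its labels, the function names and all sample values are assumptions, since this section does not specify the derivation function.

```python
"""Added illustration: GERAN <-> enhanced UTRAN key chain (KDF is an assumption)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _xor(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def kc_to_ik_ck(kc: bytes) -> Tuple[bytes, bytes]:
    """TS 33.102 c5/c4: expand the 64-bit GSM key Kc into 128-bit (IK, CK)."""
    if len(kc) != 8:
        raise ValueError("Kc must be 64 bits")
    mix = _xor(kc[:4], kc[4:])        # Kc1 xor Kc2
    return mix + kc + mix, kc + kc    # IK = mix||Kc||mix, CK = Kc||Kc


def ik_ck_to_kc(ik: bytes, ck: bytes) -> bytes:
    """TS 33.102 c3: Kc = CK1 xor CK2 xor IK1 xor IK2 (64-bit halves)."""
    if len(ik) != 16 or len(ck) != 16:
        raise ValueError("IK and CK must be 128 bits each")
    return _xor(ck[:8], ck[8:], ik[:8], ik[8:])


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF (not from the patent): HMAC-SHA-256 over a label and
    length-prefixed parameters, so adjacent parameters cannot be confused."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_enhanced_keys(*, ik: Optional[bytes] = None, ck: Optional[bytes] = None,
                         kc: Optional[bytes] = None, nonce_ue: bytes = b"",
                         nonce_sgsn: bytes = b"") -> Dict[str, bytes]:
    """Run identically by the SGSN+ and the terminal.

    IK/CK come from an R99+ source SGSN; only Kc comes from an R98- one.
    Empty nonces give Example 7; one or both nonces give Examples 8 to 10.
    """
    if ik is None and ck is None and kc is not None:
        ik, ck = kc_to_ik_ck(kc)
    if ik is None or ck is None or len(ik) != 16 or len(ck) != 16:
        raise ValueError("need 128-bit IK and CK, or a 64-bit Kc")
    k_rnc = kdf(ik + ck, b"K_RNC", nonce_ue, nonce_sgsn)
    return {
        "K_RNC": k_rnc,
        "IK_U": kdf(k_rnc, b"IK_U")[:16],   # separate labels keep the two
        "CK_U": kdf(k_rnc, b"CK_U")[:16],   # air interface keys independent
    }


def routing_area_update(kc: bytes, nonce_ue: bytes, nonce_sgsn: bytes):
    """Example 10 style exchange; returns (sgsn_keys, terminal_keys)."""
    # Terminal -> SGSN+: routing area update request carrying NONCE_UE.
    request = {"NONCE_UE": nonce_ue}
    # SGSN+ received Kc in the context response and derives the keys.
    sgsn_keys = derive_enhanced_keys(kc=kc, nonce_ue=request["NONCE_UE"],
                                     nonce_sgsn=nonce_sgsn)
    # SGSN+ -> terminal: routing area update accept carrying NONCE_SGSN.
    accept = {"NONCE_SGSN": nonce_sgsn}
    terminal_keys = derive_enhanced_keys(kc=kc, nonce_ue=nonce_ue,
                                         nonce_sgsn=accept["NONCE_SGSN"])
    return sgsn_keys, terminal_keys


if __name__ == "__main__":
    kc = bytes.fromhex("0011223344556677")   # constructed sample Kc
    for run in (1, 2):                        # same Kc, fresh nonces each run
        sgsn, ue = routing_area_update(kc, secrets.token_bytes(16),
                                       secrets.token_bytes(16))
        print(f"run {run}: match={sgsn == ue} IK_U={sgsn['IK_U'].hex()}")
    ik, ck = kc_to_ik_ck(kc)
    print("Kc recovered by c3:", ik_ck_to_kc(ik, ck).hex())
```

When the source SGSN supplies only Kc, IK and CK are a fixed function of that 64-bit value, so the enhanced keys carry at most 64 bits of secret entropy; the nonces travel in signalling messages and contribute freshness, not secrecy.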
The foregoing is only a preferred embodiment of the invention. The scheme of the invention is not limited to the HSPA + system, and the relevant mode thereof can be applied to other wireless communication systems. Various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (8)
1. A method for establishing a secret key during interconnecting GERAN and enhanced UTRAN, which is characterized by comprising the following steps:
when user equipment moves from GERAN to enhanced UTRAN, an enhanced SGSN serving the enhanced UTRAN acquires security-related parameters from the GERAN and generates an air interface key of the enhanced UTRAN according to the security-related parameters; or,
when user equipment moves from GERAN to enhanced UTRAN, an enhanced SGSN serving the enhanced UTRAN acquires security-related parameters from the GERAN and generates an air interface key of the enhanced UTRAN according to the security-related parameters; when the user equipment moves from the enhanced UTRAN to the GERAN, the enhanced SGSN serving the enhanced UTRAN generates an air interface key of the GERAN and sends the air interface key to the GERAN;
the security-related parameters are IK and CK or Kc;
the generating the air interface key of the enhanced UTRAN according to the security-related parameters includes:
the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and the CK;
or,
the enhanced SGSN generates IK and CK according to the Kc, and then directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the obtained IK and CK;
or,
the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, and a first parameter; the first parameter is a random number or a count value generated by a counter;
or,
the enhanced SGSN directly generates an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the IK and CK generated from the Kc or the IK and CK acquired from the GERAN, a first parameter and a second parameter; the first parameter and the second parameter are random numbers or count values generated by a counter.
2. The method of claim 1, wherein the first parameter is generated by the enhanced SGSN or generated by the user equipment and sent to the enhanced SGSN.
3. The method of claim 1, wherein the first parameter is generated by the enhanced SGSN and the second parameter is generated by the user equipment and sent to the enhanced SGSN.
4. The method of claim 1, wherein when a user equipment moves from an enhanced UTRAN to a GERAN, the enhanced SGSN generating an air interface key for the GERAN and sending the air interface key to the GERAN comprises:
the enhanced SGSN generates Kc according to IK'/CK', or generates Kc according to IK_U and CK_U, and sends the Kc to the GERAN;
IK'/CK' is a key in the enhanced SGSN.
5. A system for establishing a secret key during interworking between GERAN and enhanced UTRAN, the system comprising an enhanced SGSN, wherein:
the enhanced SGSN is used for acquiring security-related parameters from GERAN when user equipment moves from GERAN to enhanced UTRAN served by the enhanced SGSN, and generating an air interface key of the enhanced UTRAN according to the security-related parameters; and/or when the user equipment moves from the enhanced UTRAN served by the enhanced SGSN to the GERAN, generating an air interface key of the GERAN and sending the air interface key to the GERAN;
the enhanced SGSN being configured to
generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly according to IK and CK;
or,
generate IK and CK according to Kc, and then directly generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U according to the obtained IK and CK;
or,
generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK and CK generated from Kc or the IK and CK obtained from GERAN, and a first parameter; the first parameter is a random number or a count value generated by a counter;
or,
generate an enhanced air interface integrity key IK_U and/or air interface ciphering key CK_U directly from the IK and CK generated from Kc or the IK and CK obtained from GERAN, and a first parameter and a second parameter; the first parameter and the second parameter are random numbers or count values generated by a counter.
6. The system of claim 5, wherein the enhanced SGSN is configured to generate the first parameters or to receive the first parameters generated by the user equipment.
7. The system of claim 5, wherein the enhanced SGSN is configured to generate the first parameters and to receive the second parameters generated by the user equipment.
8. The system of claim 5, wherein the enhanced SGSN is configured to, when a user equipment moves from enhanced UTRAN to GERAN, generate Kc from IK'/CK' or generate Kc from IK_U and CK_U, and send the Kc to the GERAN;
IK'/CK' is a key in the enhanced SGSN.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010267115.9A CN101917717B (en) | 2010-08-24 | 2010-08-24 | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN |
PCT/CN2011/078405 WO2012025020A1 (en) | 2010-08-24 | 2011-08-15 | Method, system and enhanced sgsn for creating key between geran and enhanced utran |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010267115.9A CN101917717B (en) | 2010-08-24 | 2010-08-24 | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101917717A (en) | 2010-12-15 |
CN101917717B (en) | 2016-03-30 |
Family
ID=43325076
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010267115.9A Expired - Fee Related CN101917717B (en) | 2010-08-24 | 2010-08-24 | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101917717B (en) |
WO (1) | WO2012025020A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101917717B (en) * | 2010-08-24 | 2016-03-30 | 中兴通讯股份有限公司 | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN |
CN102137398B (en) * | 2011-03-10 | 2017-04-12 | 中兴通讯股份有限公司 | Updating method, device and user facility of improved secret key |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299888B (en) * | 2008-06-16 | 2014-06-11 | 中兴通讯股份有限公司 | Cryptographic key generation method, switching method, mobile management entity and customer equipment |
CN101742498A (en) * | 2009-12-18 | 2010-06-16 | 中兴通讯股份有限公司 | Management method and system of vent key |
CN101917717B (en) * | 2010-08-24 | 2016-03-30 | 中兴通讯股份有限公司 | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN |
2010
- 2010-08-24 CN CN201010267115.9A patent/CN101917717B/en not_active Expired - Fee Related
2011
- 2011-08-15 WO PCT/CN2011/078405 patent/WO2012025020A1/en active Application Filing
Non-Patent Citations (3)
Title |
---|
Freshness for KRNC derivation; ZTE corporation; 《3GPP TSG-SA3(security) S3-100835》; 20100702; see pages 1 to 2 * |
Proposal for UTRAN KH solution 2 interworking with GERAN; 3GPP TSG SA; 《3GPP TR 33.ukh v0.2.0》; 20090731; see sections 4-5 * |
Proposal for UTRAN KH solution 2 interworking with GERAN; Qualcomm incorporated; 《3GPP TSG-SA3(security) S3-100854》; 20100621; see pages 1 to 4 * |
Also Published As
Publication number | Publication date |
---|---|
WO2012025020A1 (en) | 2012-03-01 |
CN101917717A (en) | 2010-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101715188B (en) | A kind of update method of air interface key and system | |
JP5436694B2 (en) | Method and system for establishing an enhanced key when a terminal moves to enhanced UTRAN | |
JP5158276B2 (en) | Wireless communication system, wireless communication apparatus, and encryption method | |
US9848323B2 (en) | Method for resolving security issues using NH and NCC pairs in mobile communication system | |
US20170359719A1 (en) | Key generation method, device, and system | |
CN101841810B (en) | The update method of air interface key, core net node and wireless access system | |
CN101742498A (en) | Management method and system of vent key | |
EP2482487A1 (en) | Method and system for deriving air interface encryption keys | |
JP5458456B2 (en) | Method for establishing enhanced wireless interface key and system for establishing enhanced wireless interface key | |
CN101860862B (en) | Method and system for establishing enhanced key in moving process from terminal to enhanced universal terrestrial radio access network (UTRAN) | |
CN101820622B (en) | The method and system of managing empty mapping keys in wireless communication system | |
CN101917717B (en) | The method and system of key are set up when interconnecting between a kind of GERAN and enhancing UTRAN | |
CN101902736A (en) | Update method of air interface secret key, core net node and radio access system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160330 |