WO2009094942A1 - Method and communication network system for establishing security conjunction - Google Patents
Publication number: WO2009094942A1 (application PCT/CN2009/070273)
Authority: WO (WIPO/PCT)
Prior art keywords: security, relay station, terminal, base station, key
Classifications:
- H04L63/061: network security protocols supporting key management in a packet data network, for key exchange (under H04L63/00, H04L63/06)
- H04L63/162: security features implemented at the data link layer (under H04L63/00, H04L63/16)
- H04L63/0281: proxies (under H04L63/00, H04L63/02 separating internal from external traffic)
Definitions
- the present invention relates to the field of wireless communications, and in particular to a method and a communication network system for establishing a security association.
- Background Art
- the user terminal can receive service through the relay station; introducing the relay station adds new air-interface functions and further strengthens the distributed processing characteristics of the system.
- deploying relay stations can improve the wireless access performance of the system, cover shadow areas, extend the coverage radius of the base station, and raise the data rate in specific areas.
- the wireless access technology itself is being enhanced in several directions.
- the wireless relay station is one important direction. Once a relay station is introduced into the LTE system, the process of establishing a security association between the terminal and the network inevitably involves the relay station.
- security protection in the LTE system is divided into two parts: the access network and the core network. It is therefore necessary, after introducing the relay station, to keep the design complexity of the LTE system manageable and ensure its security, and to exploit the good characteristics of the relay system to realize an excellent mobile communication system.
- in the IEEE 16j procedure of FIG. 1, the terminal synchronizes and registers with the network side through the relay station and obtains a basic key sequence (MSK) with the authentication server through the public key management protocol; the authentication server sends the MSK to the base station, and the base station derives an Authorization Key (AK) from the MSK;
- the base station sends the authorization key to the terminal through the relay station;
- the terminal and the relay station synchronize the AK by means of a three-way handshake and derive from the AK the Key Encryption Key (KEK) that protects the Data Encryption Key (TEK); the TEK itself is generated by the base station;
- the TEK is obtained between the terminal and the relay station through the TEK request procedure.
- the inventors have found that the prior art has at least the following problems:
- the LTE system has more keys than the IEEE 16j system, and its key generation process is more complex; therefore, when a relay station is introduced into the LTE system, there is no suitable method for establishing a security association between the terminal and the network, and the security procedure of the prior art cannot be applied to establish one.
- the embodiments of the present invention provide a method for establishing a security association between a terminal and the network side, so that a security association can still be established between the terminal and the network after a relay station is introduced into the LTE evolved system.
- an embodiment of the present invention provides a method for establishing a security association between a terminal and the network side, including: receiving an access request message sent by a relay station, and obtaining a shared root key after authenticating the terminal according to the access request message; selecting a security algorithm, where the security algorithm is an algorithm supported by both the terminal and the network side; deriving a base station key according to the shared root key; and sending, through the relay station, a security mode command to the terminal, where the security mode command includes the security algorithm.
- the embodiment of the invention further discloses a communication network system, comprising: a first receiving unit, configured to receive an access request message sent by a relay station; a key obtaining unit, configured to obtain a shared root key after the terminal is authenticated according to the access request message received by the first receiving unit; a selecting unit, configured to select a security algorithm, where the security algorithm is an algorithm supported by both the terminal and the network side; a deriving unit, configured to derive a base station key according to the shared root key obtained by the key obtaining unit; and a first sending unit, configured to send, through the relay station, a security mode command to the terminal, where the security mode command includes the security algorithm selected by the selecting unit.
- the embodiment of the invention has the following advantages:
- after the network side receives the access request sent by the terminal through the relay station, it selects a security algorithm for establishing the security association and sends a security mode command to the terminal through the relay station, where the security mode command includes the selected security algorithm; after obtaining the security algorithm, the terminal establishes a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system.
- the technical solution provided by the embodiments of the present invention inherits the security mechanism of the LTE system and ensures the security of the mobile communication system after a relay station joins it, without changing the existing security mechanism and without increasing the complexity of the system.
- FIG. 1 is a schematic diagram of a method for establishing a security association between a terminal and a network side in the IEEE 16j standard in the prior art.
- FIG. 2 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a first embodiment of the present invention.
- FIG. 3 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a second embodiment of the present invention.
- FIG. 4 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a third embodiment of the present invention.
- FIG. 5 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a fourth embodiment of the present invention.
- FIG. 6 is a schematic diagram of a method for establishing a security association between a terminal and a network side according to a fifth embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a communication network system according to a sixth embodiment of the present invention.
- the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
- the first embodiment of the present invention is a method for establishing a security association between a terminal and the network side, applied to an LTE system and its evolved systems. It specifically includes:
- Step 201 Receive an access request message that the relay station forwards from the terminal.
- Step 202 Obtain a shared root key after authenticating the terminal according to the access request message.
- Step 203 Select a security algorithm, where the security algorithm is an algorithm supported by both the terminal and the network side.
- Step 204 Derive a base station key according to the shared root key.
- Step 205 Send a security mode command to the terminal through the relay station, where the security mode command includes the security algorithm.
- the network side selects a security algorithm for establishing the security association and sends a security mode command to the terminal through the relay station, where the security mode command includes the selected security algorithm; after obtaining the security algorithm, the terminal can establish a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system.
- the technical solution provided by this embodiment inherits the security mechanism of the LTE system and ensures the security of the mobile communication system after a relay station joins it, without substantially changing the existing security mechanism and without increasing the complexity of the system.
- Step 301 The terminal sends an access request message to the relay station, where the access request message includes the terminal capability and the terminal identity.
- the terminal capabilities may include algorithms supported by the terminal itself.
- the terminal identity may be an identifier of a terminal identity such as a Temporary Mobile Subscriber Identity (TMSI) or an International Mobile Subscriber Identity (IMSI).
- Step 302 The relay station forwards the access request message sent by the terminal to the base station.
- Step 303 After receiving the access request message sent by the relay station, the base station forwards the access request message to the mobility management entity.
- the base station may further notify the mobility management entity of its base station capability, which may include, but is not limited to, the algorithms supported by the base station itself.
- Step 304 The mobility management entity sends the relay identifier in the received access request message to the home subscriber server.
- Step 305 The home subscriber server generates an authentication vector according to the identity of the terminal, where the authentication vector is used for mutual authentication between the terminal and the network side and includes a random number RAND, an expected response XRES (EXpected user RESponse), an authentication symbol AUTN (AUTN = SQN||AMF||MAC), and the shared root key Kasme (Key Access System Management Entity).
- Step 306 The home subscriber server sends the authentication vector to the mobility management entity after generating the authentication vector.
- Step 307 The mobility management entity sends the random number RAND and the authentication symbol AUTN to the base station.
- Step 308 The base station sends the received random number RAND and the authentication symbol AUTN to the relay station.
- Step 309 The relay station sends the received random number RAND and the authentication symbol AUTN to the terminal.
- Step 311 The terminal sends a response message to the relay station, where the response message includes the RES.
- Step 312 The relay station forwards the response message sent by the terminal to the base station.
- Step 313 The base station sends the received response message to the mobility management entity.
- Step 314 The mobility management entity verifies whether the RES is the same as the XRES in the authentication vector. If they are the same, the terminal is authenticated, and the terminal and the mobility management entity both hold the shared root key Kasme.
- Step 315 The mobility management entity selects a security algorithm according to the terminal capability and the base station capability, where the security algorithm is an algorithm supported by both the terminal and the network side and includes an access layer security algorithm; the access layer security algorithm may include a Radio Resource Control (RRC) algorithm and a User Plane (UP) algorithm, etc. The base station key can be derived according to the security algorithm selected by the mobility management entity and the shared root key Kasme.
- the security algorithm may further include: a Non-Access Stratum (NAS) algorithm.
- Step 316 The mobility management entity sends the security algorithm and the base station key to the base station.
- the security algorithm and base station key may be included in a message sent by the mobility management entity to the base station.
- Step 317 The base station sends a security algorithm and an integrity check code to the relay station.
- the security algorithm and integrity check code may be included in a security mode command.
- the base station may perform security protection on the transmitted content through the base station key, generate an integrity check code, and send the integrity check code to the relay station.
- Step 318 The relay station sends the received security algorithm and integrity check code to the terminal.
- Step 319 After receiving the security algorithm and the integrity check code, the terminal performs integrity verification on the message forwarded by the relay station, and after the verification succeeds, sends a verification confirmation message to the relay station.
- Step 320 The relay station sends the received verification confirmation message to the base station.
- Step 321 The base station sends the received verification confirmation message to the mobility management entity.
- Step 322 After the mobility management entity receives the verification confirmation message, security algorithm negotiation and key agreement between the terminal and the base station are complete, and the establishment of the security association is complete.
- when the relay station forwards the access request message, it may also send its own relay capability to the mobility management entity; the mobility management entity may then select the security algorithm according to the terminal capability, the relay capability, and the base station capability.
- in this case the relay station holds no security association between the terminal and the base station and no information about the terminal; it transparently forwards the messages between the terminal and the network side.
- the embodiment may further include the following steps to establish a security association between the terminal and the relay station, so that communication between the terminal and the relay station is more secure:
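As an added illustration (not code from the patent), the following Python simulates the exchange of steps 301 to 322 with the relay station forwarding transparently: the home subscriber server's authentication vector, the RES/XRES check at the mobility management entity, algorithm selection from the terminal, base station and (optionally) relay capabilities, derivation of the base station key from Kasme, and the integrity-protected security mode command verified by the terminal. HMAC-SHA256 stands in for the real key derivation and integrity functions, and all keys, identities and algorithm names are constructed.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; an assumption standing in for the 3GPP KDFs."""
    m = hmac.new(key, label.encode(), hashlib.sha256)
    for part in parts:
        m.update(part)
    return m.digest()

def integrity_code(kenb: bytes, algorithm: str, payload: bytes) -> bytes:
    """Integrity check code of the security mode command (construction assumed)."""
    return kdf(kdf(kenb, "INT", algorithm.encode()), "MAC", payload)[:16]

def authentication_vector(k: bytes) -> dict:
    """Step 305: the home subscriber server builds RAND, XRES, AUTN and Kasme
    from the terminal's long-term key K (AUTN shortened to a tag here)."""
    rand = os.urandom(16)
    return {"rand": rand, "xres": kdf(k, "RES", rand)[:8],
            "autn": kdf(k, "AUTN", rand)[:8], "kasme": kdf(k, "KASME", rand)}

class Terminal:
    def __init__(self, identity: str, k: bytes, capability: list):
        self.identity, self.k, self.capability = identity, k, capability
        self.kasme = self.kenb = None
    def access_request(self) -> dict:                          # step 301
        return {"identity": self.identity, "capability": self.capability}
    def challenge_response(self, rand: bytes, autn: bytes) -> dict:   # 309-311
        if not hmac.compare_digest(autn, kdf(self.k, "AUTN", rand)[:8]):
            raise ValueError("AUTN check failed: network not authenticated")
        self.kasme = kdf(self.k, "KASME", rand)
        return {"res": kdf(self.k, "RES", rand)[:8]}
    def security_mode_command(self, cmd: dict) -> dict:        # step 319
        self.kenb = kdf(self.kasme, "KENB")
        expected = integrity_code(self.kenb, cmd["algorithm"], cmd["algorithm"].encode())
        if not hmac.compare_digest(expected, cmd["mac"]):
            raise ValueError("security mode command failed integrity verification")
        return {"verified": True}

class RelayStation:
    def forward(self, message: dict) -> dict:   # transparent: no SA, nothing altered
        return message

class BaseStation:
    def __init__(self, capability: list):
        self.capability, self.kenb = capability, None
    def security_mode_command(self, algorithm: str, kenb: bytes) -> dict:  # step 317
        self.kenb = kenb
        return {"algorithm": algorithm,
                "mac": integrity_code(kenb, algorithm, algorithm.encode())}

class MobilityManagementEntity:
    PREFERENCE = ["ALG-C", "ALG-B", "ALG-A"]    # constructed names, most preferred first
    def __init__(self, subscribers: dict):      # identity -> K, as held by the HSS
        self.subscribers, self.vector = subscribers, None
    def challenge(self, request: dict) -> tuple:               # steps 304-307
        self.vector = authentication_vector(self.subscribers[request["identity"]])
        return self.vector["rand"], self.vector["autn"]
    def verify_response(self, response: dict) -> bool:         # step 314
        return hmac.compare_digest(response["res"], self.vector["xres"])
    def select_algorithm(self, *capabilities: list) -> str:    # step 315
        common = set.intersection(*(set(c) for c in capabilities))
        for alg in self.PREFERENCE:
            if alg in common:
                return alg
        raise ValueError("no algorithm supported by every party")
    def base_station_key(self) -> bytes:
        return kdf(self.vector["kasme"], "KENB")

def establish(terminal, relay, bs, mme, tamper_response=False) -> dict:
    """Steps 301-322; tamper_response simulates a wrong RES reaching the MME."""
    request = relay.forward(terminal.access_request())                 # 301-303
    rand, autn = mme.challenge(request)                                # 304-307
    response = relay.forward(terminal.challenge_response(rand, autn))  # 308-313
    if tamper_response:
        response = {"res": bytes(8)}                                   # constructed
    if not mme.verify_response(response):                              # 314
        return {"established": False, "reason": "RES != XRES"}
    algorithm = mme.select_algorithm(request["capability"], bs.capability)  # 315
    cmd = bs.security_mode_command(algorithm, mme.base_station_key())  # 316-317
    ack = terminal.security_mode_command(relay.forward(cmd))           # 318-321
    return {"established": ack["verified"], "algorithm": algorithm,
            "keys_match": terminal.kenb == bs.kenb}                    # 322

def demo(tamper_response=False) -> dict:
    k, identity = b"\x01" * 16, "IMSI-000000000000001"  # constructed key and identity
    terminal = Terminal(identity, k, ["ALG-A", "ALG-B"])
    return establish(terminal, RelayStation(), BaseStation(["ALG-B", "ALG-C"]),
                     MobilityManagementEntity({identity: k}), tamper_response)
```

`select_algorithm` accepts any number of capability lists, so the relay capability mentioned above can be passed as a third argument.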
- Step 323 The base station sends to the relay station the security association key established between the terminal and the base station (such as the RRC key and the UP key), which is generated by the base station, together with the security algorithm (such as the RRC algorithm and the UP algorithm); the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- the security association between the relay station and the base station pre-exists: it is established by the relay station after it accesses the network, and it protects the information sent between the base station and the relay station.
- Step 324 After receiving the key and related algorithm sent by the base station, the relay station uses the security association established between the relay station and the base station to perform verification, and returns an acknowledgement message to the base station.
- alternatively, the base station may send the base station key and the security algorithm, such as the RRC algorithm and the UP algorithm, to the relay station; the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- after receiving the base station key and the algorithm sent by the base station, the relay station derives the security association key, such as the RRC key and the UP key, from the base station key and the C-RNTI; the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- the security association established between the relay station and the terminal is different from the security association between the base station and the relay station.
- when the relay station receives a message sent by the terminal, it first decrypts it according to the security association between the relay station and the terminal, then re-encrypts it using the security association between the relay station and the base station, and then forwards it.
- when the relay station receives a message sent by the base station, it first decrypts it according to the security association between the relay station and the base station, then encrypts it using the security association between the relay station and the terminal, and sends it to the terminal.
- in step 323 and step 324 the relay station passively receives the message from the base station and thereby obtains the security association between the terminal and the network side.
- the relay station may instead actively request the relevant security association from the base station. In that case step 323 and step 324 are replaced by the following:
- Step 323 The relay station sends a terminal security association request to the base station, requesting the base station to send the security association related information that the terminal and the base station have established, and the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- Step 324 The base station sends a request response message to the relay station, where the message includes a security algorithm, such as an RRC algorithm and an UP algorithm, and a security association key generated by the base station, such as an RRC key and an UP key; if the relay station can generate the C-RNTI, the base station may omit the RRC key and the UP key and include the security algorithm and the base station key in the response message instead. Based on the received information, the relay station can obtain the security association information between the terminal and the base station.
- a third embodiment of the present invention is described next: a method for establishing a security association between a terminal and the network when the terminal has already completed initial access to the network and is transitioning from the idle state to the active state (idle to active). The method includes:
- Step 401 The terminal sends an access request message to the network side through the relay station, where the message includes a TMSI and a Key Set Identifier Access System Management Entity (KSIasme).
- the network side has already learned the terminal capability during initial access; therefore, the terminal capability need not be included in the access request message unless it has changed.
- Steps 402 through 414 may refer to the contents described in steps 302 through 314 of the second embodiment.
- Step 415 The mobility management entity derives the base station key according to the shared root key.
- Step 416 The mobility management entity sends the base station key to the base station.
- Step 417 The base station sends a security mode command to the relay station, and includes a security algorithm and an integrity check code in the command.
- Step 418 The relay station sends the received security algorithm and integrity check code to the terminal.
- Step 419 After receiving the security algorithm and the integrity check code sent by the relay station, the terminal performs integrity verification on the message forwarded by the relay station. After the verification succeeds, the terminal sends a verification confirmation message to the relay station.
- Step 420 The relay station forwards the verification confirmation message to the base station.
- Step 421 After receiving the verification confirmation message, the base station performs security check, and the security algorithm and key agreement are completed between the terminal and the base station.
- Step 422 The base station sends an acknowledgement message to the mobility management entity to inform the establishment of the security association.
- the relay station does not have a security association between the terminal and the base station, and the relay station transparently transmits the message between the terminal and the base station.
- the embodiment may further include the following steps, so that the relay station in this embodiment can obtain the security association between the terminal and the base station:
- Step 423 The base station sends to the relay station the security association key generated by the base station itself, such as the RRC key and the UP key, and the security algorithm, such as the RRC algorithm and the UP algorithm; the message sent between the relay station and the base station may be protected by the security association between the relay station and the base station.
- Step 424 After receiving the key and algorithm sent by the base station, the relay station uses the security association established between the relay station and the base station to perform verification, and returns the confirmation information to the base station.
- alternatively, the base station may send the base station key and the security algorithm, such as the RRC algorithm and the UP algorithm, to the relay station; the message sent between the relay station and the base station may be protected by the security association between the relay station and the base station.
- after receiving the base station key and the algorithm sent by the base station, the relay station derives the security association key, such as the RRC key and the UP key, from the base station key and the C-RNTI; the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- the security association that the relay station obtains with the terminal is different from the security association established between the base station and the relay station.
- when the relay station receives a message from the terminal, it first decrypts it according to the security association between the relay station and the terminal, then re-encrypts it using the security association between the relay station and the base station, and then forwards it.
- when the relay station receives a message sent by the base station, it first decrypts it according to the security association between the relay station and the base station, then encrypts it using the security association between the relay station and the terminal, and sends it to the terminal.
- in step 423 and step 424 the relay station passively receives the message from the base station and thereby obtains the access layer security association information between the terminal and the network side.
- the relay station may instead actively request the relevant security association from the base station. In that case step 423 and step 424 are replaced by the following:
- Step 423 The relay station sends a terminal security association request to the base station, requesting the base station to send the security association key that the terminal and the base station have established, and the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
- Step 424 The base station sends a request response message to the relay station, where the message includes a security algorithm, such as an RRC algorithm and an UP algorithm, and a security association key generated by the base station, such as an RRC key and an UP key; if the relay station can generate the C-RNTI, the base station may omit the security association key and include the security algorithm and the base station key in the response message instead.
- the relay station derives a security association key, such as an RRC key and an UP key, based on the base station key and the C-RNTI, so that a security association with the terminal can be obtained.
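The following added Python example (not the patent's own code) shows what steps 323/324 and 423/424 give the relay station: derivation of the RRC and UP keys from the base station key and the C-RNTI, matching the keys the base station would otherwise send directly, and the decrypt-then-re-encrypt forwarding between the terminal-relay and relay-base station security associations, with each hop rejecting a modified frame. The HMAC-based key derivation and the keystream-plus-tag protection are stand-in constructions, and all key values, the C-RNTI and the algorithm names are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation; an assumption standing in for the 3GPP KDFs."""
    m = hmac.new(key, label.encode(), hashlib.sha256)
    for part in parts:
        m.update(part)
    return m.digest()

def derive_sa_keys(kenb: bytes, c_rnti: int, algorithms: dict) -> dict:
    """Security association keys (RRC key, UP key) derived from the base station
    key and the C-RNTI, bound to the selected RRC and UP algorithms (assumed)."""
    rnti = c_rnti.to_bytes(2, "big")
    return {"rrc": kdf(kenb, "RRC", rnti, algorithms["rrc"].encode()),
            "up": kdf(kenb, "UP", rnti, algorithms["up"].encode())}

def _keystream(key: bytes, ctr: bytes, length: int) -> bytes:
    blocks = (kdf(key, "KS", ctr, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def protect(key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one security association: HMAC keystream XOR and
    a 16-byte tag. A stand-in construction, not an LTE algorithm."""
    body = counter.to_bytes(8, "big")
    body += bytes(a ^ b for a, b in zip(plaintext, _keystream(key, body, len(plaintext))))
    return body + kdf(key, "TAG", body)[:16]

def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises on any modification in transit."""
    body, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, kdf(key, "TAG", body)[:16]):
        raise ValueError("integrity check failed on this hop")
    ctr, ciphertext = body[:8], body[8:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, ctr, len(ciphertext))))

class RelayStation:
    """Holds the pre-existing relay-base station SA and, once the base station has
    handed over the terminal's SA (step 323/324 or 423/424), re-protects traffic
    hop by hop as the decrypt-and-re-encrypt forwarding above describes."""
    def __init__(self, bs_sa_key: bytes, c_rnti: int):
        self.bs_sa_key, self.c_rnti = bs_sa_key, c_rnti
        self.terminal_keys, self.counter = None, 0
    def receive_terminal_sa(self, info: dict) -> dict:
        """Either the RRC/UP keys arrive directly, or (relay generated the C-RNTI)
        only the base station key and algorithms arrive and the relay derives them."""
        if "keys" in info:
            self.terminal_keys = info["keys"]
        else:
            self.terminal_keys = derive_sa_keys(info["kenb"], self.c_rnti, info["algorithms"])
        return {"ack": True}
    def _reprotect(self, blob: bytes, from_key: bytes, to_key: bytes) -> bytes:
        plain = unprotect(from_key, blob)             # decrypt under the inbound SA
        self.counter += 1
        return protect(to_key, self.counter, plain)   # re-encrypt under the outbound SA
    def forward_uplink(self, blob: bytes) -> bytes:     # terminal SA -> relay-BS SA
        return self._reprotect(blob, self.terminal_keys["up"], self.bs_sa_key)
    def forward_downlink(self, blob: bytes) -> bytes:   # relay-BS SA -> terminal SA
        return self._reprotect(blob, self.bs_sa_key, self.terminal_keys["up"])

def rejects_tampering(key: bytes, blob: bytes) -> bool:
    """True when flipping one ciphertext bit makes the receiving hop drop the frame."""
    tampered = blob[:9] + bytes([blob[9] ^ 0x01]) + blob[10:]
    try:
        unprotect(key, tampered)
    except ValueError:
        return True
    return False

def demo() -> dict:
    kenb = bytes(range(32))                              # constructed base station key
    bs_sa_key = bytes.fromhex("aa" * 32)                 # constructed relay-BS SA key
    algorithms = {"rrc": "RRC-ALG-1", "up": "UP-ALG-1"}  # constructed algorithm names
    c_rnti = 0x1A2B                                      # constructed C-RNTI
    terminal_keys = derive_sa_keys(kenb, c_rnti, algorithms)   # terminal side, same inputs
    relay = RelayStation(bs_sa_key, c_rnti)
    relay.receive_terminal_sa({"kenb": kenb, "algorithms": algorithms})
    uplink = protect(terminal_keys["up"], 1, b"user data from terminal")
    at_bs = unprotect(bs_sa_key, relay.forward_uplink(uplink))
    downlink = protect(bs_sa_key, 7, b"data for terminal")
    at_terminal = unprotect(terminal_keys["up"], relay.forward_downlink(downlink))
    return {"uplink": at_bs, "downlink": at_terminal,
            "derived_matches_direct": relay.terminal_keys == terminal_keys,
            "tamper_rejected": rejects_tampering(bs_sa_key, relay.forward_uplink(uplink))}
```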
- the following method for establishing a security association between a terminal and a base station can shorten the time the entire system needs to establish its security associations.
- this embodiment includes steps 501 to 522, which are substantially the same as steps 301 to 322 in the second embodiment, except that in step 517 the base station, while transmitting the security algorithm and the integrity check code to the relay station, also sends the security association key it generated, such as the RRC key and the UP key, to the relay station; and in step 520 the relay station, when forwarding the terminal's confirmation message, also sends a confirmation message that the relay station has received the terminal security association.
- alternatively, the base station sends the security algorithm and the integrity check code to the relay station together with the base station key, and the relay station derives the security association key from the base station key and the C-RNTI; the relay station then, when forwarding the terminal's confirmation message, also sends a confirmation message that it has received the terminal security association.
- the establishment of a security association between the terminal and the base station is achieved, and the establishment of a security association between the terminal and the relay station is also achieved, thereby saving the time for the entire system to establish a security association.
- this embodiment includes steps 601 to 622, which are basically the same as steps 401 to 422 in the third embodiment, except that in step 617 the base station, while transmitting the security mode command, also sends the security association key it generated itself, such as the RRC key and the UP key, to the relay station; and in step 620 the relay station, when forwarding the terminal's confirmation message, also sends a confirmation message that it has received the terminal security association.
- alternatively, the base station sends the base station key to the relay station while transmitting the security mode command, and the relay station derives the security association key from the base station key and the C-RNTI; the relay station then, when forwarding the terminal's confirmation message, also sends a confirmation message that it has received the terminal security association.
- the establishment of a security association between the terminal and the base station is achieved, and the establishment of a security association between the terminal and the relay station is also achieved, thereby saving the time for the entire system to establish a security association.
- the technical solution provided by the embodiments of the present invention solves the problem of establishing a security association after a relay station is introduced into the LTE system: it not only enables the terminal to establish a security association with the base station through the relay station, but also allows a security association to be established between the terminal and the relay station, which makes the communication of the entire system more secure and at the same time saves the time needed to establish security associations in the LTE relay system.
- the technical solution provided by the embodiment of the present invention inherits the security mechanism of the LTE system, and combines the forwarding feature and the distributed feature of the relay station without substantially changing the existing security mechanism, without increasing the complexity of the system.
- a sixth embodiment of the present invention relates to a communication network system 700, including: a first receiving unit 701, configured to receive an access request message that the relay station forwards from the terminal; a key obtaining unit 702, configured to obtain the shared root key after the terminal is authenticated according to the access request message received by the first receiving unit 701; a selecting unit 703, configured to select a security algorithm, where the security algorithm is an algorithm supported by both the terminal and the base station; and a deriving unit 704, configured to derive a base station key according to the shared root key obtained by the key obtaining unit 702.
- a first sending unit 705 is configured to send a security mode command to the terminal through the relay station, where the security mode command includes the security algorithm selected by the selecting unit 703.
- the first receiving unit 701 is further configured to receive an authentication confirmation message sent by the terminal through the relay station.
- the relay station does not have a security association between the terminal and the base station, and there is no information about the terminal.
- the relay station only transparently transmits the message between the terminal and the base station.
- the communication network system further includes a second sending unit and a second receiving unit; the deriving unit is further configured to generate a network side security association key;
- the second sending unit is configured to: after the first receiving unit receives the verification confirmation message sent by the terminal, send the security algorithm and the network side security association key to the relay station;
- the second receiving unit is configured to receive an acknowledgment message sent by the relay station, where the acknowledgment message is an acknowledgment message sent by the relay station to the network side after obtaining the security association key between the terminal and the terminal according to the security algorithm and the security association key.
- Security association to establish a security association between the terminal and the relay station, making communication between the terminal and the relay station more secure.
- the communication network system can further include a third transmitting unit and a third receiving unit.
- the third sending unit is configured to: after receiving the verification confirmation message sent by the terminal, the first receiving unit sends a security algorithm and a base station key to the relay station, where the relay station generates a C-RNTI;
- the third receiving unit is configured to receive an acknowledgement message sent by the relay station, where the acknowledgement message is The acknowledgment message sent by the relay station to the network side after obtaining the security association key with the terminal according to the C-RNTI and the received base station key and security algorithm.
- the relay station can passively receive the relevant security association information sent by the communication network system, and can also actively request the relevant security association information to the communication network system.
- the communication network system further includes a fourth sending unit and a fourth receiving unit;
- the fourth receiving unit is configured to receive a terminal security association request sent by the relay station; the derivative unit is further configured to generate a network side security association key;
- the fourth sending unit is configured to send a request response message to the relay station, where the message includes a security algorithm and a security association key on the network side.
- the communication network system when the relay station can generate the C-RNTI, when the communication network system receives the request of the relay station, the security association key may not be directly sent, but the base station key may be sent.
- the communication network system further includes a fifth sending unit and a fifth receiving unit;
- the fifth receiving unit is configured to receive a terminal security association request sent by the relay station to the network side;
- the fifth sending unit is configured to send a request response message to the relay station, where the message includes a security algorithm and a base station key;
- the fifth receiving unit is further configured to receive a confirmation message sent by the relay station to the base station after obtaining the security association key of the terminal according to the C-RNTI and the received base station key and the security algorithm.
- the communication network system is provided in the embodiment of the present invention, so that the terminal can establish a security association between the terminal and the network side in the LTE evolution system, and further establish a security association between the terminal and the relay station, so that the communication is more secure, and
- the technical solution provided by the embodiment of the present invention inherits the security mechanism of the LTE system, and ensures the security of the mobile communication system after joining the relay station without substantially changing the existing security mechanism and without increasing the complexity of the system.
- the present invention can be implemented by hardware, or by software plus necessary general hardware platform. Based on such understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (In the case of a CD-ROM, a USB flash drive, a mobile hard disk, etc., a number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform the methods described in various embodiments of the present invention.
- a computer device which may be a personal computer, server, or network device, etc.
Abstract
A method for establishing a security association is provided, comprising: receiving an access request message sent by the terminal and forwarded by the relay station (201); authenticating the terminal according to the access request message and obtaining a shared root key (202); selecting a security algorithm supported by both the terminal and the network side (203); deriving a base station key from the shared root key (204); and sending a security mode command, which includes the security algorithm, to the terminal through the relay station (205). A communication network system is also provided. Applying the solution of the present invention solves the problem of establishing a security association between the terminal and the network after a relay station is introduced into the LTE system; the security mechanism of LTE is inherited, and the security and manageability of the system are ensured without increasing its complexity.
Description
Method for establishing a security association and communication network system

This application claims priority to Chinese patent application No. 200810065263.5, filed with the Chinese Patent Office on January 30, 2008 and entitled "Method for establishing a security association and communication network system", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of wireless communications, and in particular to a method and a communication network system for establishing a security association.

Background

To improve the link budget and the coverage of a cellular system, a user terminal can receive service through a relay station. The introduction of the relay station gives the air interface new functions and further strengthens the distributed-processing character of the system. Deploying relay stations can improve the radio access performance of the system, cover shadowed areas, extend the coverage radius of a base station and raise the data rate in specific areas.

In the further evolution after the Long Term Evolution (LTE) system, the radio access technology itself is being strengthened in many directions, and the wireless relay station is one important direction among them. Because a relay station is introduced into the LTE system, the process of establishing a security association between the terminal and the network inevitably involves the relay station. Security protection in the LTE system is divided into two parts, the access network and the core network; it is therefore necessary to keep both the complexity and the security of the LTE system design under control once relay stations are introduced, and to exploit the good properties of the relay system to realize a sound mobile communication system.
As shown in Figure 1, the IEEE 16j standard (IEEE 802.16j) describes a method by which a terminal establishes a security association with the network side through a relay, as follows:

The terminal synchronizes and registers with the network side through the relay station and, by means of the PKM (Privacy Key Management) protocol, obtains a Master Session Key (MSK) together with the authentication server; the authentication server sends the MSK to the base station, and the base station derives the Authentication Key (AK) from the MSK;

the base station sends the authentication key to the terminal through the relay station;

the terminal and the relay station synchronize the AK by means of a three-way handshake and derive from the AK the Key Encryption Key (KEK) that protects the Traffic Encryption Key (TEK); the TEK itself is generated by the base station;

the terminal and the relay station obtain the TEK through the TEK request procedure.

In the course of implementing the present invention, the inventors found that the prior art has at least the following problems: the LTE system has more keys than the IEEE 16j security system, and its key generation process is more complex. Therefore, once a relay station is introduced into the LTE system there is no suitable method for establishing a security association between the terminal and the network, and the security procedure of the prior art cannot be applied to establish one.

Summary of the invention
The embodiments of the present invention provide a method for establishing a security association between a terminal and the network side, so that after a relay station is introduced into the LTE evolved system a security association can be established between the terminal and the network.

An embodiment of the present invention provides a method for establishing a security association between a terminal and the network side, including: receiving an access request message sent by the terminal and forwarded by a relay station; authenticating the terminal according to the access request message and obtaining a shared root key; selecting a security algorithm, the security algorithm being one supported by both the terminal and the network side; deriving a base station key from the shared root key; and sending a security mode command to the terminal through the relay station, the security mode command including the security algorithm.

An embodiment of the present invention further discloses a communication network system, including: a first receiving unit, configured to receive an access request message sent by the terminal and forwarded by a relay station; a key obtaining unit, configured to authenticate the terminal according to the access request message received by the first receiving unit and obtain a shared root key; a selecting unit, configured to select a security algorithm, the security algorithm being one supported by both the terminal and the network side; a deriving unit, configured to derive a base station key from the shared root key obtained by the key obtaining unit; and a first sending unit, configured to send a security mode command to the terminal through the relay station, the security mode command including the security algorithm selected by the selecting unit.

Compared with the prior art, the embodiments of the present invention have the following advantages:

According to the solution provided by the embodiments, after receiving the access request sent by the terminal through the relay station, the network side selects a security algorithm for establishing the security association and sends a security mode command carrying the selected algorithm to the terminal through the relay station; once the terminal has the algorithm it establishes a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. Moreover, the technical solution inherits the security mechanism of the LTE system and ensures the security of the mobile communication system after the relay station joins, without substantially changing the existing security mechanism and without increasing the complexity of the system.

Brief description of the drawings
Figure 1 is a schematic diagram of the prior-art method of the IEEE 16j standard by which a terminal establishes a security association with the network side;

Figure 2 is a schematic diagram of the method for establishing a security association between a terminal and the network side according to the first embodiment of the present invention;

Figure 3 is a schematic diagram of the method for establishing a security association between a terminal and the network side according to the second embodiment of the present invention;

Figure 4 is a schematic diagram of the method for establishing a security association between a terminal and the network side according to the third embodiment of the present invention;

Figure 5 is a schematic diagram of the method for establishing a security association between a terminal and the network side according to the fourth embodiment of the present invention;

Figure 6 is a schematic diagram of the method for establishing a security association between a terminal and the network side according to the fifth embodiment of the present invention;

Figure 7 is a schematic structural diagram of a communication network system according to the sixth embodiment of the present invention.

Detailed description of the embodiments

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.

To make the specific technical solutions and the objects of the present invention clearer, further description is given below with reference to specific embodiments and the drawings.
Referring to Figure 2, a first embodiment of the present invention concerns a method for establishing a security association between a terminal and the network side; the method is preferably applied in the LTE system and its evolved systems. It specifically includes:

Step 201: Receive an access request message sent by the terminal and forwarded by the relay station.

Step 202: Authenticate the terminal according to the access request message and obtain a shared root key.

Step 203: Select a security algorithm, the security algorithm being one supported by both the terminal and the network side.

Step 204: Derive a base station key from the shared root key.

Step 205: Send a security mode command to the terminal through the relay station, the security mode command including the security algorithm.

With the method of this embodiment, after receiving the access request sent by the terminal through the relay station, the network side selects a security algorithm for establishing the security association and sends a security mode command carrying the selected algorithm to the terminal through the relay station; once the terminal has the algorithm it can establish a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system, and the technical solution inherits the security mechanism of the LTE system, ensuring the security of the mobile communication system after the relay station joins without substantially changing the existing security mechanism and without increasing the complexity of the system.
Referring to Figure 3, a second embodiment of the present invention concerns a method for establishing a security association between a terminal and the network side. In this embodiment the terminal is accessing the network for the first time (detached to active), and the procedure includes:

Step 301: The terminal sends an access request message to the relay station; the access request message includes the terminal capability and the terminal identity.

The terminal capability may include the algorithms the terminal itself supports. The terminal identity may be an identifier such as a Temporary Mobile Subscriber Identity (TMSI) or an International Mobile Subscriber Identity (IMSI).

Step 302: The relay station forwards the terminal's access request message to the base station.

Step 303: After receiving the access request message from the relay station, the base station forwards it to the mobility management entity (MME). When forwarding, the base station may also inform the MME of its own base station capability, which may include the algorithms the base station supports.

Step 304: The MME sends the identity carried in the received access request message to the home subscriber server (HSS). (The original reads 中继标识, "relay identifier", here; step 305 shows that the terminal identity is meant.)

Step 305: The HSS generates an authentication vector from the terminal identity. The vector is used for mutual authentication between the terminal and the network side and consists of a random number RAND, an expected response XRES (EXpected user RESponse), an authentication token AUTN (AUTN = SQN || AMF || MAC) and the shared root key K_ASME (key of the Access Security Management Entity).

Step 306: After generating the authentication vector, the HSS sends it to the MME.

Step 307: The MME sends the random number RAND and the authentication token AUTN to the base station.

Step 308: The base station forwards the received RAND and AUTN to the relay station.

Step 309: The relay station forwards the received RAND and AUTN to the terminal.

Step 310: The terminal verifies AUTN: it computes the expected integrity check code XMAC = f(SQN || RAND || AMF), with f keyed by the long-term key it shares with its home network, and if XMAC equals the integrity check code MAC contained in AUTN and the sequence number SQN lies within the valid range, it regards the network as authenticated. If the verification succeeds, it computes the response value RES from RAND.

Step 311: The terminal sends a response message containing RES to the relay station.

Step 312: The relay station forwards the terminal's response message to the base station.

Step 313: The base station forwards the received response message to the MME.

Step 314: The MME checks whether RES equals the XRES in the authentication vector. If they are equal, the terminal is authenticated, and the terminal and the MME now share the root key K_ASME.
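The authentication exchange of steps 305 to 314, run through a transparent relay, as an added example that is not part of the patent and not code from its applicant. The HSS, terminal and MME are modelled with HMAC-SHA256 in place of the MILENAGE functions, AUTN follows the layout SQN || AMF || MAC given in step 305 (real LTE additionally conceals SQN with an anonymity key, which is omitted here), and the subscriber key, IMSI and SQN window are constructed for the example. The relay only forwards; its `tamper` hook exists so that a test can show a relay that alters AUTN or replays an old challenge being rejected by the terminal's MAC and SQN-range checks of step 310.

```python
import hashlib
import hmac
import os
import struct

# Constructed subscriber record for this example: IMSI -> long-term key K.
SUBSCRIBERS = {"001010123456789": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")}
SQN_WINDOW = 32  # the terminal accepts a SQN at most this far ahead of the last one it saw


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for the MILENAGE f1..f5 functions (assumption of this example)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class HSS:
    """Step 305: builds the authentication vector from the terminal identity."""

    def __init__(self, subscribers):
        self.subscribers = subscribers
        self.sqn = {imsi: 0 for imsi in subscribers}

    def auth_vector(self, imsi: str):
        k = self.subscribers[imsi]
        self.sqn[imsi] += 1
        sqn = struct.pack(">Q", self.sqn[imsi])
        amf = b"\x80\x00"
        rand = os.urandom(16)
        mac = prf(k, b"f1", sqn, rand, amf)[:8]      # MAC over SQN || RAND || AMF
        xres = prf(k, b"f2", rand)[:8]
        autn = sqn + amf + mac                       # AUTN = SQN || AMF || MAC, as in step 305
        kasme = prf(k, b"kasme", rand, sqn)          # shared root key K_ASME
        return rand, xres, autn, kasme


class Terminal:
    """Step 310: verifies AUTN (MAC and SQN range) before answering with RES."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k
        self.last_sqn = 0
        self.kasme = None

    def challenge(self, rand: bytes, autn: bytes) -> bytes:
        sqn_b, amf, mac = autn[:8], autn[8:10], autn[10:]
        xmac = prf(self.k, b"f1", sqn_b, rand, amf)[:8]   # XMAC = f(SQN || RAND || AMF)
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure: AUTN was not produced by the home network")
        sqn = struct.unpack(">Q", sqn_b)[0]
        if not self.last_sqn < sqn <= self.last_sqn + SQN_WINDOW:
            raise ValueError("synch failure: SQN outside the acceptable range (replay?)")
        self.last_sqn = sqn
        self.kasme = prf(self.k, b"kasme", rand, sqn_b)
        return prf(self.k, b"f2", rand)[:8]                # RES


class MME:
    """Steps 304-307 and 314: fetches the vector, later compares RES with XRES."""

    def __init__(self, hss: HSS):
        self.hss = hss
        self.pending = {}

    def start(self, imsi: str):
        rand, xres, autn, kasme = self.hss.auth_vector(imsi)
        self.pending[imsi] = (xres, kasme)
        return rand, autn

    def finish(self, imsi: str, res: bytes) -> bytes:
        xres, kasme = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            raise ValueError("RES does not match XRES: terminal authentication failed")
        return kasme


def relay(msg, tamper=None):
    """Steps 308/309 and 312: the relay station forwards without inspecting or altering the
    message; `tamper` lets a test inject a modification to show what the terminal detects."""
    return tamper(msg) if tamper else msg


def run_aka(terminal: Terminal, mme: MME, tamper_downlink=None) -> bool:
    """Full exchange; True when terminal and MME end up holding the same K_ASME."""
    rand, autn = relay(mme.start(terminal.imsi), tamper_downlink)
    res = relay(terminal.challenge(rand, autn))
    return hmac.compare_digest(mme.finish(terminal.imsi, res), terminal.kasme)


if __name__ == "__main__":
    imsi, k = next(iter(SUBSCRIBERS.items()))
    print("AKA through transparent relay:", run_aka(Terminal(imsi, k), MME(HSS(SUBSCRIBERS))))
```

The point the example makes about the relay is the one the text makes in the paragraph after step 322: nothing in steps 305 to 314 gives the relay any key material, so it can forward or corrupt the challenge but cannot forge one, and a corrupted or replayed AUTN is detected by the terminal rather than by anything on the relay.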
步骤 315: 移动管理实体根据终端能力和基站能力, 选择安全算 法, 所述安全算法为所述终端和网络侧都支持的算法, 包括接入层安 全算法, 接入层安全算法可以包括无线资源控制 (Radio Resource Control, RRC )算法和用户面 (User Plane, UP ) 算法等; 可以根据 移动管理实体选择的安全算法以及共享根密钥 Kasme派生得到基站 密钥。 Step 315: The mobility management entity selects a security algorithm according to the terminal capability and the base station capability, where the security algorithm is an algorithm supported by the terminal and the network side, including an access layer security algorithm, and the access layer security algorithm may include radio resource control. (Radio Resource Control, RRC) algorithm and User Plane (UP) algorithm, etc.; base station key can be derived according to the security algorithm selected by the mobility management entity and the shared root key Kasme.
所述安全算法还可以包括:非接入层( Non- Access Stratum, NAS ) 算法。 The security algorithm may further include: a Non-Access Stratum (NAS) algorithm.
步骤 316: 移动管理实体发送安全算法和基站密钥。 Step 316: The mobility management entity sends a security algorithm and a base station key.
所述安全算法和基站密钥可以包含在移动管理实体发送给基站 的消息中。 The security algorithm and base station key may be included in a message sent by the mobility management entity to the base station.
步骤 317: 基站发送安全算法和完整性校验码发送给中继站。 所述安全算法和完整性校验码可以包含在安全模式命令中。 Step 317: The base station sends a security algorithm and an integrity check code to the relay station. The security algorithm and integrity check code may be included in a security mode command.
基站在发送安全算法时,可以通过基站密钥对将发送的内容进行 安全保护, 生成完整性校验码, 并将该完整性校验码发送给中继站。 When transmitting the security algorithm, the base station may perform security protection on the transmitted content through the base station key, generate an integrity check code, and send the integrity check code to the relay station.
步骤 318: 中继站将接收到的安全算法和完整性校验码发送给终 端。 Step 318: The relay station sends the received security algorithm and integrity check code to the terminal.
步骤 319: 终端接收到安全算法和完整性校验码后, 对中继站转 发的消息进行完整性验证,验证成功后,向中继站发送验证确认消息。 Step 319: After receiving the security algorithm and the integrity check code, the terminal performs integrity verification on the message forwarded by the relay station, and after the verification succeeds, sends a verification confirmation message to the relay station.
步骤 320: 中继站向基站发送接收到的验证确认消息。 Step 320: The relay station sends the received verification confirmation message to the base station.
步骤 321 : 基站将接收到的验证确认消息发送给移动管理实体。 步骤 322: 移动管理实体接收到验证确认消息后, 至此, 终端和
基站之间完成了安全算法协商和密钥协商, 完成了安全关联的建立。 在本实施例中, 可选的, 在步骤 302中, 中继站在发送接入请求 消息时, 可以将自身的中继能力发送给移动管理实体, 则在步骤 315 中, 移动管理实体可以根据终端能力、 中继能力和基站能力进行选择 安全算法。 Step 321: The base station sends the received verification confirmation message to the mobility management entity. Step 322: After the mobile management entity receives the verification confirmation message, the terminal and the The security algorithm negotiation and key agreement are completed between the base stations, and the establishment of the security association is completed. In this embodiment, optionally, in step 302, when the relay station sends the access request message, the relay station may send its own relay capability to the mobility management entity. In step 315, the mobility management entity may perform the terminal capability. , relay capabilities and base station capabilities to select security algorithms.
在本实施例步骤 301至步骤 322所提供的方案中,中继站没有终 端和基站之间的安全关联, 也没有关于终端的任何信息, 中继站仅仅 透明地传送终端和网络侧之间的消息。本实施例还可以进一步包括以 全关联, 以建立终端和中继站之间的安全关联, 使得终端和中继站之 间的通信更加安全。 In the solution provided in steps 301 to 322 of this embodiment, the relay station has no security association between the terminal and the base station, and there is no information about the terminal. The relay station transparently transmits the message between the terminal and the network side. The embodiment may further include full association to establish a security association between the terminal and the relay station, so that communication between the terminal and the relay station is more secure.
步骤 323:基站向中继站发送终端和基站建立的安全关联密钥(如 RRC密钥和 UP密钥)以及安全算法(如 RRC算法和 UP算法 ), 该 安全关联密钥由基站生成; 中继站和基站之间发送的消息可以通过中 继站和基站之间的安全关联进行保护, 中继站和基站之间的安全关联 是中继站和基站之间预先存在的, 由中继站在接入网络后确立, 用以 保护基站和中继站之间发送信息的安全。 Step 323: The base station sends a security association key (such as an RRC key and an UP key) established by the terminal and the base station to the relay station, and a security algorithm (such as an RRC algorithm and an UP algorithm), where the security association key is generated by the base station; the relay station and the base station The message sent between the relay station and the base station can be protected by a security association between the relay station and the base station. The security association between the relay station and the base station is pre-existing between the relay station and the base station, and is established by the relay station after accessing the network, to protect the base station and The security of sending information between relay stations.
步骤 324: 中继站收到基站发送的密钥和相关算法后, 使用中继 站和基站间建立的安全关联做校验, 向基站返回确认消息。 Step 324: After receiving the key and related algorithm sent by the base station, the relay station uses the security association established between the relay station and the base station to perform verification, and returns an acknowledgement message to the base station.
本实施例中,如果中继站具有产生小区无线网络临时标识( Radio Network Temporary Identifier, C-RNTI ) 的功能, 则步骤 323中, 基 站可向中继站发送基站密钥以及安全算法, 如 RRC算法和 UP算法; 中继站和基站之间发送的消息可以通过中继站和基站之间的安全关 联进行保护。 在步骤 324中, 中继站接收到基站发送的基站密钥和算 法后, 根据基站密钥和 C-RNTI派生得到安全关联密钥, 如 RRC密 钥和 UP密钥, 中继站和基站之间发送的消息可以通过中继站和基站 之间的安全关联进行保护。 在这种情况下, 中继站获得的与终端之间 建立的安全关联与基站和中继站之间的安全关联不同, 当中继站接收 到终端发送的消息时,中继站需要首先根据中继站和终端之间的安全
关联进行解密, 然后利用中继站和基站之间的安全关联进行重新加 密, 再进行转发; 同样, 当中继站接收到基站发送的消息时, 首先根 据中继站和基站之间的安全关联进行解密,然后利用中继站和终端之 间的安全关联进行加密, 再发送给终端。 In this embodiment, if the relay station has a function of generating a radio network Temporary Identifier (C-RNTI), in step 323, the base station may send a base station key and a security algorithm, such as an RRC algorithm and an UP algorithm, to the relay station. The message sent between the relay station and the base station can be protected by a security association between the relay station and the base station. In step 324, after receiving the base station key and algorithm sent by the base station, the relay station derives a security association key, such as an RRC key and an UP key, based on the base station key and the C-RNTI, and sends a message between the relay station and the base station. It can be protected by a security association between the relay station and the base station. In this case, the security association established between the relay station and the terminal is different from the security association between the base station and the relay station. When the relay station receives the message sent by the terminal, the relay station needs to firstly be based on the security between the relay station and the terminal. The association is decrypted, and then re-encrypted by using the security association between the relay station and the base station, and then forwarded. Similarly, when the relay station receives the message sent by the base station, it first decrypts according to the security association between the relay station and the base station, and then uses the relay station. The security association with the terminal is encrypted and sent to the terminal.
步骤 323和步骤 324中, 中继站被动地从基站接收消息, 并获得 终端与网络侧的安全关联, 该方法中, 中继站可以主动向基站请求获 取相关安全关联, 因此, 步骤 323和步骤 324可以分别为步骤 323, 和步骤 324,, 具体如下: In step 323 and step 324, the relay station passively receives the message from the base station, and obtains the security association between the terminal and the network side. In this method, the relay station may actively request the base station to obtain the relevant security association. Therefore, step 323 and step 324 may be respectively Step 323, and step 324, are as follows:
步骤 323,: 中继站向基站发送终端安全关联请求,请求基站发送 终端和基站已经建立好的安全关联相关信息, 中继站和基站之间发送 的消息可以通过中继站和基站之间的安全关联进行保护。 Step 323: The relay station sends a terminal security association request to the base station, requesting the base station to send the security association related information that the terminal and the base station have established, and the message sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
Step 324': The base station sends a request response message to the relay station. The message contains the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate the C-RNTI, the base station may, instead of sending the RRC key and the UP key directly, include the security algorithms and the base station key in the response message. From the received information the relay station can obtain the security association information between the terminal and the base station.
Referring to FIG. 4, a third embodiment of the present invention is described below, concerning a method for establishing a security association between a terminal and the network side. In this embodiment the terminal has already performed initial access to the network and is in the process of moving from the idle state to the active state (idle to active). The method includes:
Step 401: The terminal sends an access request message to the network side through the relay station. The message includes a TMSI and a shared root key identifier (Key Set Identifier Access System Management Entity, KSIasme). Since the terminal has already accessed the network, the network-side devices already know the terminal's capability; therefore the terminal capability need not be included in the access request message unless it has changed.
Steps 402 to 414 may refer to the content described in steps 302 to 314 of the second embodiment.
Step 415: The mobility management entity derives the base station key from the shared root key.
Step 416: The mobility management entity sends the base station key to the base station.
Step 417: The base station sends a security mode command to the relay station, and includes the security algorithm and an integrity check code in the command.
Step 418: The relay station sends the received security algorithm and integrity check code to the terminal.
Step 419: After receiving the security algorithm and the integrity check code sent by the relay station, the terminal performs integrity verification on the message forwarded by the relay station. If the verification succeeds, the terminal sends a verification confirmation message to the relay station.
Step 420: The relay station forwards the verification confirmation message to the base station.
Step 421: After receiving the verification confirmation message, the base station performs a security check; the security algorithm and key negotiation between the terminal and the base station are then complete.
Step 422: The base station sends a confirmation message to the mobility management entity, informing it that the security association has been established.
In the solution provided by steps 401 to 422 of this embodiment, the relay station does not hold the security association between the terminal and the base station; it merely transparently transmits the messages between the terminal and the base station. This embodiment may further include the following steps, which allow the relay station to obtain the security association between the terminal and the base station:
Step 423: The base station sends to the relay station the security association keys it has generated itself, such as the RRC key and the UP key, together with the security algorithms, such as the RRC algorithm and the UP algorithm; the messages sent between the relay station and the base station may be protected by the security association between the relay station and the base station.
Step 424: After receiving the keys and algorithms sent by the base station, the relay station verifies them using the security association established between the relay station and the base station, and returns a confirmation to the base station.
In this embodiment, if the relay station has the function of generating the C-RNTI, then in step 423 the base station may send the base station key and the security algorithms, such as the RRC algorithm and the UP algorithm, to the relay station; the messages sent between the relay station and the base station may be protected by the security association between the relay station and the base station. In step 424, after receiving the base station key and the algorithms sent by the base station, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI; the messages sent between the relay station and the base station may be protected by the security association between the relay station and the base station. In this case, the security association that the relay station has obtained with the terminal is different from the security association between the base station and the relay station. When the relay station receives a message sent by the terminal, it must first decrypt it according to the security association between the relay station and the terminal, then re-encrypt it using the security association between the relay station and the base station, and then forward it. Likewise, when the relay station receives a message sent by the base station, it first decrypts it according to the security association between the relay station and the base station, then encrypts it using the security association between the relay station and the terminal, and then sends it to the terminal.
In steps 423 and 424 the relay station passively receives messages from the base station and thereby obtains the access-layer security association information between the terminal and the network side. In this method the relay station may instead actively request the relevant security association from the base station, so steps 423 and 424 may be replaced by steps 423' and 424' respectively, as follows:
Step 423': The relay station sends a terminal security association request to the base station, requesting the base station to send the security association keys already established between the terminal and the base station; the messages sent between the relay station and the base station may be protected by the security association between the relay station and the base station.
Step 424': The base station sends a request response message to the relay station. The message contains the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate the C-RNTI, the base station may, instead of sending the security association keys directly, include the security algorithms and the base station key in the response message. The relay station then derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI, and thereby obtains the security association with the terminal.
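The key hierarchy and relay forwarding described for the second and third embodiments (steps 415 to 419 and 423'/424'), as an added Python model that is not part of the patent: the mobility management entity derives the base station key from the shared root key, the terminal and a C-RNTI-capable relay station derive the RRC and UP keys from the base station key and the C-RNTI, the terminal checks the integrity code on the forwarded security mode command, and a relay holding a distinct association with the base station decrypts and re-encrypts the traffic it forwards. The KDF (HMAC-SHA256), the 32-bit tag length and the HMAC-based stream cipher are assumptions of this example, not the LTE algorithms, which the patent leaves unspecified.

```python
# Constructed model of the patent's key hierarchy and relay handling.
# Assumptions (not from the page): HMAC-SHA256 KDF, 32-bit integrity tag,
# HMAC-derived keystream standing in for the LTE ciphering algorithm.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

TAG_LEN = 4  # 32-bit integrity check code (assumption)


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """Key derivation: HMAC-SHA256 over a label and a context (assumption)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def derive_base_station_key(shared_root_key: bytes) -> bytes:
    """Step 415: the mobility management entity derives the base station key
    from the shared root key obtained when the terminal was authenticated."""
    return kdf(shared_root_key, b"base-station-key")


def derive_sa_keys(base_station_key: bytes, c_rnti: int) -> Tuple[bytes, bytes]:
    """Steps 424 / 424': RRC key and UP key from the base station key and the
    C-RNTI. Terminal and C-RNTI-capable relay both run this and agree."""
    ctx = c_rnti.to_bytes(2, "big")  # the C-RNTI is a 16-bit identifier
    return kdf(base_station_key, b"rrc", ctx), kdf(base_station_key, b"up", ctx)


def integrity_code(rrc_key: bytes, message: bytes) -> bytes:
    """Integrity check code that travels with the security mode command."""
    return hmac.new(rrc_key, message, hashlib.sha256).digest()[:TAG_LEN]


def security_mode_command(rrc_key: bytes, rrc_alg: str, up_alg: str) -> Tuple[bytes, bytes]:
    """Step 417 (base station): name the selected algorithms, attach the tag."""
    payload = f"SMC|rrc={rrc_alg}|up={up_alg}".encode()
    return payload, integrity_code(rrc_key, payload)


def terminal_verify(rrc_key: bytes, payload: bytes, tag: bytes) -> bool:
    """Step 419 (terminal): verify the forwarded command before answering
    with a verification confirmation; a tampered command is rejected."""
    return hmac.compare_digest(integrity_code(rrc_key, payload), tag)


def cipher(key: bytes, count: int, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption): HMAC-derived keystream blocks are
    XORed with the data, so one call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block_index = (off // 32).to_bytes(4, "big")
        keystream = hmac.new(key, count.to_bytes(4, "big") + block_index,
                             hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


@dataclass
class SecurityAssociation:
    """Keys of one security association; algorithm names are placeholders."""
    rrc_key: bytes
    up_key: bytes
    rrc_alg: str = "rrc-alg"
    up_alg: str = "up-alg"


def relay_forward_uplink(sa_terminal: SecurityAssociation,
                         sa_base: SecurityAssociation,
                         count: int, ciphertext: bytes) -> bytes:
    """Relay with distinct terminal-side and base-station-side associations:
    decrypt under the terminal keys, re-encrypt under the relay/base keys."""
    plaintext = cipher(sa_terminal.up_key, count, ciphertext)
    return cipher(sa_base.up_key, count, plaintext)


def run_third_embodiment(shared_root_key: bytes, c_rnti: int,
                         relay_base_key: bytes) -> Tuple[bool, bool, bool]:
    """Walk the idle-to-active procedure once on constructed inputs; return
    (command accepted, uplink packet intact at base station, relay re-encrypted)."""
    base_station_key = derive_base_station_key(shared_root_key)   # steps 415-416
    term_rrc, term_up = derive_sa_keys(base_station_key, c_rnti)    # terminal side
    payload, tag = security_mode_command(term_rrc, "rrc-alg", "up-alg")  # step 417
    accepted = terminal_verify(term_rrc, payload, tag)               # steps 418-419
    # Steps 423'/424': the relay requests and receives the base station key
    # plus algorithms, and derives the same association keys as the terminal.
    sa_terminal = SecurityAssociation(*derive_sa_keys(base_station_key, c_rnti))
    # The relay/base station association rests on its own, independent key.
    sa_base = SecurityAssociation(kdf(relay_base_key, b"rrc"), kdf(relay_base_key, b"up"))
    packet = b"uplink user-plane data (constructed)"
    from_terminal = cipher(term_up, 7, packet)
    to_base = relay_forward_uplink(sa_terminal, sa_base, 7, from_terminal)
    at_base = cipher(sa_base.up_key, 7, to_base)
    return accepted, at_base == packet, to_base != from_terminal
```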
A fourth embodiment of the present invention is described below with reference to FIG. 5, concerning a method for a terminal and a base station to establish a security association. The technical solution provided by this embodiment can shorten the time the whole system needs to establish the security associations. This embodiment includes steps 501 to 522, which are basically the same as steps 301 to 322 of the second embodiment, with the following differences: in step 517, when the base station sends the security algorithm and the integrity check code to the relay station, it also sends the security association keys it has generated itself, such as the RRC key and the UP key, to the relay station; in step 520, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message indicating that it has received the terminal security association.
If the relay station has the function of generating the C-RNTI, then in step 517, when the base station sends the security algorithm and the integrity check code to the relay station, it also sends the base station key to the relay station, and the relay station can derive the security association keys from the base station key and the C-RNTI; in step 520, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message indicating that it has received the terminal security association.
In this embodiment, the security association between the terminal and the relay station is established at the same time as the security association between the terminal and the base station, which saves the time the whole system needs to establish the security associations.
A fifth embodiment of the present invention is described below with reference to FIG. 6. This embodiment includes steps 601 to 622, which are basically the same as steps 401 to 422 of the third embodiment, with the following differences: in step 617, when the base station sends the security mode command, it also sends the security association keys it has generated itself, such as the RRC key and the UP key, to the relay station; in step 620, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message indicating that it has received the terminal security association information.
If the relay station has the function of generating the C-RNTI, then in step 617, when the base station sends the security mode command, it also sends the base station key to the relay station, and the relay station can derive the security association keys from the base station key and the C-RNTI; in step 620, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message indicating that it has received the terminal security association.
In this embodiment, the security association between the terminal and the relay station is established at the same time as the security association between the terminal and the base station, which saves the time the whole system needs to establish the security associations.
The technical solution provided by the embodiments of the present invention solves the problem of how a terminal establishes a security association through a relay station and a base station once relay stations are introduced into an LTE system. It not only enables the terminal to establish a security association with the base station through the relay station, but further allows a security association to be established between the terminal and the relay station, making communication in the whole system more secure, while also saving the time needed to establish security associations in an LTE relay system. In addition, the technical solution inherits the security mechanism of the LTE system: with essentially no change to the existing security mechanism, it incorporates the forwarding and distributed characteristics of the relay station and guarantees the security of the mobile communication system after relay stations are added, without increasing system complexity.
A sixth embodiment of the present invention, described with reference to FIG. 7, concerns a communication network system 700 that includes: a first receiving unit 701, configured to receive an access request message sent by the terminal and forwarded by the relay station; a key obtaining unit 702, configured to authenticate the terminal according to the access request message received by the first receiving unit 701 and then obtain the shared root key; a selecting unit 703, configured to select a security algorithm, the security algorithm being one supported by both the terminal and the base station; a deriving unit 704, configured to derive the base station key from the shared root key obtained by the key obtaining unit 702; and a first sending unit 705, configured to send a security mode command to the terminal through the relay station, the security mode command containing the security algorithm selected by the selecting unit 703.
Further, the first receiving unit 701 is also configured to receive the verification confirmation message sent by the terminal through the relay station.
In the solution provided by the above embodiment, the relay station has neither the security association between the terminal and the base station nor any information about the terminal; it merely transparently transmits the messages between the terminal and the base station. Preferably, the communication network system further includes a second sending unit and a second receiving unit, and the deriving unit is further configured to generate the network-side security association key;
the second sending unit is configured to send the security algorithm and the network-side security association key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal;
the second receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the network side after it has obtained the security association key with the terminal from the security algorithm and the security association key.
security association, so as to establish a security association between the terminal and the relay station, making the communication between the terminal and the relay station more secure.
If the relay station can generate the C-RNTI, then, for establishing the security association between the relay station and the terminal, the communication network system may preferably further include a third sending unit and a third receiving unit,
the third sending unit is configured to send the security algorithm and the base station key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal, the relay station generating the C-RNTI;
the third receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the network side after it has obtained the security association key with the terminal from the C-RNTI and the received base station key and security algorithm.
Besides passively receiving the relevant security association information sent by the communication network system, the relay station may also actively request it from the communication network system. Preferably, the communication network system further includes a fourth sending unit and a fourth receiving unit;
the fourth receiving unit is configured to receive the terminal security association request sent by the relay station; the deriving unit is further configured to generate the network-side security association key;
the fourth sending unit is configured to send a request response message to the relay station, the message including the security algorithm and the network-side security association key.
When the relay station can generate the C-RNTI, the communication network system, on receiving the relay station's request, may send the base station key instead of sending the security association key directly. Preferably, the communication network system further includes a fifth sending unit and a fifth receiving unit;
the fifth receiving unit is configured to receive the terminal security association request sent by the relay station to the network side;
the fifth sending unit is configured to send a request response message to the relay station, the message including the security algorithm and the base station key;
the fifth receiving unit is further configured to receive the confirmation message sent by the relay station to the base station after the relay station has obtained the terminal's security association key from the C-RNTI and the received base station key and security algorithm.
The communication network system provided by the embodiments of the present invention enables a terminal in an evolved LTE system to establish a security association with the network side through a relay station, and further enables a security association to be established between the terminal and the relay station, making communication more secure. In addition, the technical solution inherits the security mechanism of the LTE system and guarantees the security of the mobile communication system after relay stations are added, with essentially no change to the existing security mechanism and without increasing system complexity.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention may be embodied in the form of a software product stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
In conclusion, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims
1. A method for establishing a security association, comprising:
receiving an access request message sent by a terminal and forwarded by a relay station;
authenticating the terminal according to the access request message and then obtaining a shared root key;
selecting a security algorithm, the security algorithm being an algorithm supported by the terminal and the network side;
deriving a base station key from the shared root key;
sending the security algorithm to the terminal through the relay station.
2. The method for establishing a security association according to claim 1, wherein, after the step of sending the security mode command to the terminal through the relay station, the method further comprises: receiving a verification confirmation message sent by the terminal and forwarded by the relay station.
3. The method for establishing a security association according to claim 2, wherein sending the security algorithm to the terminal through the relay station comprises:
the base station sending a security mode command to the terminal through the relay station, the security mode command including the security algorithm.
4. The method for establishing a security association according to claim 2, wherein, when the access request message is an initial access request message, sending the security algorithm to the terminal through the relay station comprises:
the mobility management entity sending a security mode command to the base station;
after receiving the security mode command, the base station sending the security mode command to the terminal through the relay station, the security mode command including the security algorithm.
5. The method for establishing a security association according to claim 3 or 4, wherein, after receiving the verification confirmation message sent by the terminal and forwarded by the relay station, the method further comprises: the base station sending a security mode command to the relay station, the security mode command including the security algorithm and a security association key generated by the base station; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the base station after obtaining the security association key with the terminal from the security algorithm and the security association key; or
the base station receiving a terminal security association request sent by the relay station; and the base station sending a request response message to the relay station, the message including the security algorithm and the security association key generated by the base station.
6. The method for establishing a security association according to claim 3 or 4, wherein, when the relay station generates a Cell Radio Network Temporary Identifier (C-RNTI), after receiving the verification confirmation message sent by the terminal and forwarded by the relay station, the method further comprises:
the base station sending the base station key and a security mode command, the security mode command including the security algorithm, to the relay station; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the base station after obtaining the security association key with the terminal from the C-RNTI and the received base station key and security algorithm; or
the base station receiving a terminal security association request sent by the relay station to the base station; the base station sending a request response message to the relay station, the message including the security algorithm and the base station key; and the base station receiving a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the base station after obtaining the security association key with the terminal from the C-RNTI and the received base station key and security algorithm.
7. The method for establishing a security association according to claim 3 or 4, wherein, when the base station sends the security mode command to the terminal through the relay station, it also sends the security association key generated by the base station.
8. The method for establishing a security association according to claim 3 or 4, wherein, when the relay station generates the C-RNTI and the base station sends the security mode command to the terminal through the relay station, the base station also sends the base station key.
9. A communication network system, comprising:
a first receiving unit, configured to receive an access request message sent by a terminal and forwarded by a relay station;
a key obtaining unit, configured to authenticate the terminal according to the access request message received by the first receiving unit and then obtain a shared root key;
a selecting unit, configured to select a security algorithm, the security algorithm being an algorithm supported by both the terminal and the network side;
a deriving unit, configured to derive a base station key from the shared root key obtained by the key obtaining unit;
the selected security algorithm.
10. The communication network system according to claim 9, wherein the first receiving unit is further configured to receive a verification confirmation message sent by the terminal through the relay station.
11. The communication network system according to claim 10, wherein the system further comprises a second sending unit and a second receiving unit; the deriving unit is further configured to generate a security association key;
the second sending unit is configured to send, after the first receiving unit has received the verification confirmation message sent by the terminal, a security mode command including the security algorithm, together with the security association key, to the relay station;
the second receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the network side after obtaining the security association key with the terminal from the security algorithm and the security association key.
12. The communication network system according to claim 10, wherein the system further comprises a third sending unit and a third receiving unit;
the third sending unit is configured to send, after the first receiving unit has received the verification confirmation message sent by the terminal, a security mode command including the security algorithm, together with the base station key, to the relay station, the relay station generating the C-RNTI; the third receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being the one the relay station sends to the network side after obtaining the security association key with the terminal from the C-RNTI and the received base station key and security algorithm.
13. The communication network system according to claim 10, wherein the system further comprises a fourth sending unit and a fourth receiving unit;
the fourth receiving unit is configured to receive a terminal security association request sent by the relay station; the deriving unit is further configured to generate a network-side security association key;
所述第四发送单元用于向所述中继站发送请求回应消息,该消息 包括安全算法和网络侧的安全关联密钥。 The fourth sending unit is configured to send a request response message to the relay station, where the message includes a security algorithm and a security association key on the network side.
14、 如权利要求 10所述的通信网络系统, 其特征在于, 所述网
络侧还包括第五发送单元和第五接收单元; 14. The communication network system according to claim 10, wherein: said network The network side further includes a fifth sending unit and a fifth receiving unit;
所述第五接收单元用于接收所述中继站向网络侧发送的终端安 全关联请求; The fifth receiving unit is configured to receive a terminal security association request sent by the relay station to the network side;
所述第五发送单元用于向所述中继站发送请求回应消息,该消息 包括安全算法和基站密钥。
The fifth sending unit is configured to send a request response message to the relay station, where the message includes a security algorithm and a base station key.
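The exchange of claim 12 (security mode command carrying the security algorithm and base station key, relay station allocating a C-RNTI and deriving the security association key, acknowledgement back to the network side), as an added simulation that is not part of the patent. The KDF (HMAC-SHA256), the proof-of-possession tag on the acknowledgement, the terminal already holding the base station key, and the sample algorithm identifier are all assumptions; the claims specify none of them.

```python
import hashlib
import hmac
import secrets

def kdf(key: bytes, *labels: bytes) -> bytes:
    # Assumed KDF (the claims name none): HMAC-SHA256 over length-prefixed labels.
    msg = b"".join(len(lab).to_bytes(2, "big") + lab for lab in labels)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_sa_key(base_station_key: bytes, c_rnti: int, algorithm: str) -> bytes:
    # Claim 12: the relay/terminal security association key is derived from the
    # C-RNTI, the received base station key and the negotiated security algorithm.
    return kdf(base_station_key, b"SA-key", c_rnti.to_bytes(2, "big"), algorithm.encode())

def ack_mac(sa_key: bytes, c_rnti: int) -> bytes:
    # Proof-of-possession tag on the acknowledgement (an assumption; the claims only
    # say the relay sends a confirmation once it holds the key).
    return kdf(sa_key, b"ack", c_rnti.to_bytes(2, "big"))[:8]

def relay_handle_security_mode_command(cmd: dict) -> tuple:
    """Relay station: allocate a C-RNTI, derive the SA key, build the acknowledgement."""
    c_rnti = secrets.randbelow(0xFFF3) + 1  # LTE C-RNTI value range 0x0001..0xFFF3
    sa_key = derive_sa_key(cmd["base_station_key"], c_rnti, cmd["algorithm"])
    ack = {"type": "SecurityModeComplete", "c_rnti": c_rnti, "mac": ack_mac(sa_key, c_rnti)}
    return sa_key, ack

def network_verify_ack(base_station_key: bytes, algorithm: str, ack: dict) -> bool:
    """Network side: re-derive the SA key from the reported C-RNTI and check the tag,
    so an acknowledgement that was not produced with the expected key is rejected."""
    sa_key = derive_sa_key(base_station_key, ack["c_rnti"], algorithm)
    return hmac.compare_digest(ack_mac(sa_key, ack["c_rnti"]), ack["mac"])

def run_claim12_exchange(base_station_key: bytes, algorithm: str = "EEA2") -> dict:
    """One pass of the claim 12 exchange; 'EEA2' is only a sample algorithm identifier."""
    cmd = {"type": "SecurityModeCommand", "algorithm": algorithm,
           "base_station_key": base_station_key}
    relay_key, ack = relay_handle_security_mode_command(cmd)
    # Assumption: the terminal already holds the base station key and learns the
    # C-RNTI from the relay over the air, so it can derive the same SA key.
    terminal_key = derive_sa_key(base_station_key, ack["c_rnti"], algorithm)
    return {"c_rnti": ack["c_rnti"], "keys_match": relay_key == terminal_key,
            "ack_ok": network_verify_ack(base_station_key, algorithm, ack)}

if __name__ == "__main__":
    print(run_claim12_exchange(secrets.token_bytes(32)))
```

Because the key is bound to the C-RNTI, an acknowledgement that reports a different C-RNTI than the one the key was derived with fails verification on the network side.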
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200980102466.XA CN101926151B (en) | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810065263.5 | 2008-01-30 | ||
CN2008100652635A CN101500229B (en) | 2008-01-30 | 2008-01-30 | Method for establishing security association and communication network system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009094942A1 true WO2009094942A1 (en) | 2009-08-06 |
Family
ID=40912286
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/070273 WO2009094942A1 (en) | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |
Country Status (2)
Country | Link |
---|---|
CN (2) | CN101500229B (en) |
WO (1) | WO2009094942A1 (en) |
- 2008
  - 2008-01-30: CN, CN2008100652635A, patent/CN101500229B/en, not active (Expired - Fee Related)
- 2009
  - 2009-01-22: CN, CN200980102466.XA, patent/CN101926151B/en, not active (Expired - Fee Related)
  - 2009-01-22: WO, PCT/CN2009/070273, patent/WO2009094942A1/en, active (Application Filing)
Also Published As
Publication number | Publication date |
---|---|
CN101926151B (en) | 2013-01-02 |
CN101500229A (en) | 2009-08-05 |
CN101926151A (en) | 2010-12-22 |
CN101500229B (en) | 2012-05-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 200980102466.X; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09705742; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09705742; Country of ref document: EP; Kind code of ref document: A1 |