
CN102869007B - Method, device and network system for security algorithm negotiation - Google Patents


Info

Publication number
CN102869007B
Authority
CN
China
Prior art keywords
security algorithm
user terminal
security
base station
mark
Prior art date
Legal status
Active
Application number
CN201210351794.7A
Other languages
Chinese (zh)
Other versions
CN102869007A (en
Inventor
杨艳梅
陈璟
Current Assignee
Beijing Jingshi Intellectual Property Management Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201210351794.7A
Publication of CN102869007A
Application granted
Publication of CN102869007B
Legal status: Active
Anticipated expiration


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: ... for supporting key management in a packet data network
    • H04L 63/20: ... for managing network security; network security policies in general
    • H04L 63/205: ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/80: Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution system. The method comprises: receiving the security algorithm information that a user terminal can support; selecting a security algorithm according to the security algorithm information; and sending an identifier representing the selected security algorithm to the user terminal. The invention also discloses a device and a network system for security algorithm negotiation. With the technical solution provided by the invention, the Non-Access Stratum security algorithm and the Access Stratum security algorithm can be negotiated in an SAE/LTE system.

Description

Method, device and network system for security algorithm negotiation

Technical field

The present invention relates to the field of communication technology, and in particular to a method, device and network system for security algorithm negotiation.

Background

In the Universal Mobile Telecommunications System (UMTS), the Radio Network Controller (RNC) and the user terminal (User Equipment, UE) must perform encryption/decryption and integrity protection: confidentiality protection is provided for UE data, and confidentiality and integrity protection are provided for the signaling between the UE and the RNC. Because different UEs support different encryption/decryption and integrity algorithms, the encryption/decryption algorithm and the integrity algorithm must be negotiated before encryption/decryption and integrity protection are applied. Because UMTS only needs to provide protection at the Access Stratum (AS), UMTS negotiates the encryption/decryption and integrity algorithms between the UE and the RNC.

In the System Architecture Evolution (SAE)/Long Term Evolution (LTE) system shown in Figure 1, the core network comprises a Mobility Management Entity (MME), a User Plane Entity (UPE) and an Inter Access System Anchor (IASA). The MME is responsible for control-plane mobility management, including user context and mobility state management and the allocation of temporary user identities, security information and so on; the UPE initiates paging for downlink data in idle state and manages and stores IP bearer parameters and network-internal information; the IASA serves as the user anchor between different systems. The access network is composed of evolved base stations (Evolved NodeB, eNodeB). In this system, the security of access stratum signaling terminates at the eNodeB, the security of non-access stratum signaling, that is, of core network signaling, terminates at the MME, and user-plane security terminates at the UPE. The signaling-plane security endpoints are therefore the eNodeB and the MME. Before a security endpoint applies security protection to data or signaling, it must negotiate a security algorithm supported by both the endpoint and the user terminal (User Equipment, UE): the eNodeB and the UE must negotiate the Access Stratum (AS) security algorithm, and the MME and the UE must negotiate the Non-Access Stratum (NAS) security algorithm.

The existing SAE/LTE system has no way to negotiate the security algorithms, namely the access stratum AS security algorithm and the non-access stratum NAS security algorithm.

Summary of the invention

The embodiments of the present invention aim to provide a method, device and network system for security algorithm negotiation that can negotiate security algorithms in an SAE/LTE system.

To solve the above technical problem, the embodiments of the present invention achieve this aim through the following technical solutions:

A method for security algorithm negotiation, used in a System Architecture Evolution/Long Term Evolution system, the method comprising:

receiving the security algorithm information that a user terminal can support;

selecting a security algorithm according to the security algorithm information;

sending an identifier representing the security algorithm to the user terminal.

A device for security algorithm negotiation, used in a System Architecture Evolution/Long Term Evolution system, the device comprising:

an information receiving unit, configured to receive the security algorithm information that a user terminal can support;

a security algorithm selection unit, configured to select a security algorithm according to the security algorithm information;

a sending unit, configured to send an identifier representing the security algorithm to the user terminal.

A network system, the system comprising an evolved base station and a mobility management entity, wherein:

the evolved base station is configured to send the security algorithm information supported by a user terminal to the mobility management entity, and to send a first identifier received from the mobility management entity to the user terminal;

the mobility management entity is configured to select a non-access stratum security algorithm according to the security algorithm information and the algorithm information that the network allows the user to use, and to output a first identifier representing the non-access stratum security algorithm.

As the above technical solutions show, the embodiments of the present invention select a security algorithm according to the security algorithm information that the user terminal can support and send an identifier representing the selected security algorithm to the user terminal, and can thereby negotiate security algorithms in an SAE/LTE system.

Brief description of the drawings

Figure 1 is a structural diagram of an SAE/LTE system in the prior art;

Figure 2 is a flowchart of the security algorithm negotiation method provided by Embodiment 1 of the present invention;

Figure 3 is a flowchart of the security algorithm negotiation method provided by Embodiment 2 of the present invention;

Figure 4 is a flowchart of the security algorithm negotiation method provided by Embodiment 3 of the present invention;

Figure 5 is a flowchart of the security algorithm negotiation method provided by Embodiment 4 of the present invention;

Figure 6 is a flowchart of the security algorithm negotiation method provided by Embodiment 5 of the present invention;

Figure 7 is a flowchart of the security algorithm negotiation method provided by Embodiment 6 of the present invention;

Figure 8 is a flowchart of the security algorithm negotiation method provided by Embodiment 7 of the present invention;

Figure 9 is a flowchart of the security algorithm negotiation method provided by Embodiment 8 of the present invention;

Figure 10 is a structural diagram of the security algorithm negotiation device provided by Embodiment 9 of the present invention;

Figure 11 is a structural diagram of the network system provided by Embodiment 10 of the present invention.

Detailed description of the embodiments

The embodiments of the present invention are described in detail below with reference to the accompanying drawings.

Referring to Figure 2, the security algorithm negotiation method provided by Embodiment 1 of the present invention comprises the following.

In Embodiment 1 the layer 3 message is illustrated by an initial layer 3 message. The initial layer 3 message is carried in a Radio Resource Connection (RRC) request message, the initial layer 3 response is carried in an RRC setup message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;

Step 201: the UE sends a radio resource connection RRC request message to the eNodeB. The request message comprises the AS security capability and an initial layer 3 message, and the initial layer 3 message carries the NAS security capability. The AS security capability is the AS security algorithm information that the UE can support, that is, the list of AS security algorithms; the NAS security capability is the NAS security algorithm information that the UE can support, that is, the list of NAS security algorithms;

Step 202: the eNodeB stores the AS security capability;

Step 203: the eNodeB sends a RANAP message to the MME. The message carries the initial layer 3 message, which carries the NAS security capability of the UE;

Step 204: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithm information that the network allows the user to use; or according to the NAS security capability, the algorithm information that the network allows the user to use, and the user's subscription information. The algorithm information that the network allows the user to use comprises at least the AS security algorithm information and the NAS security algorithm information that the user is allowed to use, and the AS security algorithm information that the network allows the user to use comprises the algorithm information supported by the eNodeB itself;

Step 205: the MME creates a NAS security mode command and a first AS security mode command and sends a RANAP message to the eNodeB. The RANAP message carries the initial layer 3 response message, the NAS security mode command and the first AS security mode command; the NAS security mode command carries a first identifier representing the selected NAS security algorithm, and the first AS security mode command carries the algorithm information that the network allows the user to use;

Step 206: the eNodeB selects the AS security algorithm according to the AS security capability and the algorithm information, pre-stored on the eNodeB, about the algorithms it supports itself; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;

Step 207: the eNodeB creates a second AS security mode command comprising a second identifier representing the selected AS security algorithm, and sends an RRC setup message to the UE carrying the second AS security mode command, the NAS security mode command and the initial layer 3 response message;

Step 208: the UE sends an RRC confirm message to the eNodeB carrying a layer 3 confirm message, the NAS security mode command response and the second AS security mode command response;

Step 209: the eNodeB sends a RANAP message to the MME carrying the layer 3 confirm message and the NAS security mode command response.

The algorithms supported by the UE need not be divided into AS algorithms and NAS algorithms; that is, each algorithm supported by the UE may serve as both an AS algorithm and a NAS algorithm, in which case the NAS security capability and the AS security capability are identical and are referred to collectively as the UE security capability. When the algorithms supported by the UE are not divided into AS and NAS algorithms, the RRC request message of step 201 may comprise the UE security capability and the initial layer 3 message, the initial layer 3 message carries the UE security capability, and the UE security capability may be carried in a single IE; step 202 may then be that the eNodeB stores the UE security capability. Alternatively, the initial layer 3 message of step 201 does not carry the UE security capability, and the RANAP message sent by the eNodeB to the MME in step 203 comprises the initial layer 3 message and the UE security capability.

Referring to Figure 3, the security algorithm negotiation method provided by Embodiment 2 of the present invention comprises the following.

In Embodiment 2 the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;

Steps 301 to 303 are the same as steps 201 to 203 of Embodiment 1;

Step 304: the MME creates a first AS security mode command and sends a RANAP message to the eNodeB carrying the first AS security mode command, which carries the algorithm information that the network allows the user to use;

Step 305: the eNodeB selects the AS security algorithm according to the AS security capability and the algorithm information, pre-stored on the eNodeB, about the algorithms it supports itself; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;

Step 306: the eNodeB creates a second AS security mode command and sends an RRC setup message to the UE carrying the second AS security mode command, which contains a second identifier representing the selected AS security algorithm;

Step 307: the UE sends an RRC confirm message to the eNodeB carrying the second AS security mode command response;

Step 308: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithm information that the network allows the user to use; or according to the NAS security capability, the algorithm information that the network allows the user to use, and the user's subscription information;

Step 309: the MME creates a NAS security mode command and sends a RANAP message to the eNodeB carrying the NAS security mode command, which carries a first identifier representing the selected NAS security algorithm;

Step 310: the eNodeB sends an RRC message to the UE carrying the NAS security mode command, which carries the first identifier representing the selected NAS security algorithm;

Step 311: the UE sends an RRC message to the eNodeB carrying the NAS security mode command response;

Step 312: the eNodeB sends a RANAP message to the MME carrying the NAS security mode command response;

Step 313: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message;

Step 314: the eNodeB sends an RRC message to the UE carrying the initial layer 3 response message.

The initial layer 3 response message of steps 313 and 314 may be sent together with the NAS security mode command of steps 309 and 310, or together with the AS security mode command of steps 304 and 306; or the NAS security mode command of steps 309 and 310 may be sent together with the AS security mode command of steps 304 and 306. None of this affects the implementation of the present invention.

Referring to Figure 4, the security algorithm negotiation method provided by Embodiment 3 of the present invention comprises the following.

In Embodiment 3 the initial layer 3 message is carried in the RRC request message, the MME selects the NAS security algorithm, and the eNodeB selects the AS security algorithm;

Steps 401 to 404 are the same as steps 201 to 204 of Embodiment 1;

Step 405: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message, which carries a first identifier representing the selected NAS security algorithm;

Step 406: the eNodeB sends an RRC setup message to the UE comprising the initial layer 3 response message that carries the first identifier;

Step 407: the MME creates a first AS security mode command and sends a RANAP message to the eNodeB carrying the first AS security mode command, which carries the algorithm information that the network allows the user to use;

Step 408: the eNodeB selects the AS security algorithm according to the AS security capability and the algorithm information, pre-stored on the eNodeB, about the algorithms it supports itself; or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;

Step 409: the eNodeB creates a second AS security mode command and sends an RRC message to the UE carrying the second AS security mode command, which carries the first identifier representing the selected AS security algorithm;

Step 410: the UE sends an RRC message to the eNodeB carrying the second AS security mode command response.

Referring to Figure 5, the security algorithm negotiation method provided by Embodiment 4 of the present invention comprises the following.

In Embodiment 4 the initial layer 3 message is carried in the RRC request message, the initial layer 3 response is carried in the RRC setup message, and the MME selects both the NAS security algorithm and the AS security algorithm;

Step 501: the UE sends an RRC request message to the eNodeB comprising an initial layer 3 message that carries the NAS security capability and the AS security capability; that is, two IEs must be defined in the initial layer 3 message to carry the AS security capability and the NAS security capability respectively;

The algorithms supported by the UE need not be divided into AS and NAS algorithms, in which case the NAS security capability and the AS security capability are identical and are referred to collectively as the UE security capability. When the algorithms supported by the UE are not divided into AS and NAS algorithms, the initial layer 3 message carries the UE security capability, which may be carried in a single IE;

Step 502: the eNodeB sends a RANAP message to the MME carrying the initial layer 3 message and possibly also the algorithm information supported by the eNodeB itself; the initial layer 3 message carries the NAS security capability and the AS security capability, or the UE security capability;

Step 503: the MME selects the NAS security algorithm according to the NAS security capability of the UE and the algorithms that the network allows the user to use, or according to the NAS security capability, the algorithms that the network allows the user to use, and the user's subscription information; and selects the AS security algorithm according to the AS security capability and the eNodeB-supported algorithm information in the received RANAP message, or according to the AS security capability and the eNodeB-supported algorithm information contained in the algorithm information that the network allows the user to use;

Step 504: the MME creates a NAS security mode command and a third AS security mode command and sends a RANAP message to the eNodeB carrying the initial layer 3 response message, the NAS security mode command and the third AS security mode command; the NAS security mode command carries a first identifier representing the selected NAS security algorithm, and the third AS security mode command carries a second identifier representing the selected AS security algorithm;

Step 505: the eNodeB learns the selected AS security algorithm from the second identifier carried in the third AS security mode command;

Step 506: the eNodeB creates a fourth AS security mode command and sends an RRC setup message to the UE comprising the fourth AS security mode command, the NAS security mode command and the initial layer 3 response message; the fourth AS security mode command carries the second identifier;

Step 507: the UE sends an RRC confirm message to the eNodeB carrying a layer 3 confirm message, the NAS security mode command response and the fourth AS security mode command response;

Step 508: the eNodeB sends a RANAP message to the MME carrying the layer 3 confirm message and the NAS security mode command response.

The RANAP message sent by the eNodeB to the MME in step 502 need not carry the algorithm information supported by the eNodeB itself; that information may instead be configured directly on the MME;

Likewise, in Embodiments 2 and 3 the MME may select both the NAS security algorithm and the AS security algorithm to accomplish the security algorithm negotiation, without affecting the implementation of the present invention.
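The two selection variants described above, Embodiment 1 (steps 201 to 209, where the MME selects the NAS algorithm and the eNodeB selects the AS algorithm) and Embodiment 4 (steps 501 to 508, where the MME selects both), as an added toy model in Python. This is example code written for this page, not the patent's own implementation or any Huawei code. The algorithm names (ALG-A and so on), the message field names, the preference orders and the subscription list are constructed; the patent speaks only of "security algorithm information", "network-allowed algorithm information", "subscription information" and "identifiers" and gives none of them. The UE-side acceptance check at the end, which rejects an identifier that names an algorithm the UE never offered, is an added defensive step and not one of the patent's numbered steps.

```python
"""Toy model of the security-algorithm negotiation of Embodiments 1 and 4.
Added example for this page; not code from the patent or from Huawei.
Algorithm names, field names, preference orders and subscription data are constructed."""
from dataclasses import dataclass, field


def select_algorithm(ue_caps, preference, *constraints):
    """Pick the first algorithm, in the network's preference order, that the UE
    offers and that every further constraint list (subscription, eNodeB support)
    permits. Returns None when no common algorithm exists."""
    for alg in preference:
        if alg in ue_caps and all(alg in c for c in constraints):
            return alg
    return None


def ue_accepts(selected, offered):
    """Added UE-side check (not a patent step): the identifier carried in a
    security mode command must name an algorithm the UE actually offered."""
    return selected is not None and selected in offered


@dataclass
class UE:
    nas_caps: list                 # NAS security capability (list of algorithms)
    as_caps: list                  # AS security capability


@dataclass
class ENodeB:
    supported: list                # algorithms the eNodeB itself supports
    stored_as_caps: list = field(default_factory=list)   # saved in step 202


@dataclass
class MME:
    allowed_nas: list              # network-allowed NAS algorithms, preference order
    allowed_as: list               # network-allowed AS algorithms, preference order
    subscription: list             # constructed stand-in for the user's subscription


def negotiate(ue, enb, mme, mme_selects_as=False):
    """Run the message flow and return the outcome plus a message log.
    mme_selects_as=False follows Embodiment 1 (eNodeB picks the AS algorithm);
    True follows Embodiment 4 (MME picks both)."""
    log = []
    # Step 201/501: RRC request with the initial layer 3 message (NAS capability);
    # the AS capability rides alongside (Emb. 1) or inside it (Emb. 4).
    rrc_request = {"as_caps": ue.as_caps, "initial_l3": {"nas_caps": ue.nas_caps}}
    log.append(("UE->eNodeB", "RRC request", rrc_request))
    enb.stored_as_caps = rrc_request["as_caps"]            # step 202
    ranap = {"initial_l3": rrc_request["initial_l3"]}      # step 203/502
    if mme_selects_as:                                     # step 502 may add eNodeB support
        ranap["as_caps"] = ue.as_caps
        ranap["enb_supported"] = enb.supported
    log.append(("eNodeB->MME", "RANAP", ranap))
    # Step 204/503: MME selects the NAS algorithm from the UE capability, the
    # network-allowed list and the subscription.
    nas_alg = select_algorithm(ranap["initial_l3"]["nas_caps"], mme.allowed_nas, mme.subscription)
    if nas_alg is None:
        return {"result": "rejected", "reason": "no common NAS algorithm", "log": log}
    nas_smc = {"nas_alg_id": nas_alg}                      # "first identifier"
    if mme_selects_as:
        as_alg = select_algorithm(ranap["as_caps"], mme.allowed_as, ranap["enb_supported"])
        as_smc = {"as_alg_id": as_alg}                     # third AS SMC, step 504
    else:
        as_smc = {"allowed_as": mme.allowed_as}            # first AS SMC, step 205
    log.append(("MME->eNodeB", "RANAP", {"l3_response": {}, "nas_smc": nas_smc, "as_smc": as_smc}))
    if not mme_selects_as:
        # Step 206: eNodeB selects from the stored AS capability and its own
        # supported list, restricted to what the network allows.
        as_alg = select_algorithm(enb.stored_as_caps, enb.supported, as_smc["allowed_as"])
    if as_alg is None:
        return {"result": "rejected", "reason": "no common AS algorithm", "log": log}
    rrc_setup = {"as_smc": {"as_alg_id": as_alg}, "nas_smc": nas_smc, "l3_response": {}}  # step 207/506
    log.append(("eNodeB->UE", "RRC setup", rrc_setup))
    # Step 208/507: UE answers; the acceptance check is the added defensive step.
    if not (ue_accepts(nas_alg, ue.nas_caps) and ue_accepts(as_alg, ue.as_caps)):
        return {"result": "rejected", "reason": "UE refused an identifier it never offered", "log": log}
    log.append(("UE->eNodeB", "RRC confirm", {"nas_smc_response": "ok", "as_smc_response": "ok"}))
    log.append(("eNodeB->MME", "RANAP", {"l3_confirm": {}, "nas_smc_response": "ok"}))  # step 209/508
    return {"result": "ok", "nas_alg": nas_alg, "as_alg": as_alg, "log": log}


def run_demo(mme_selects_as=False):
    """Constructed sample: the UE lacks ALG-A, the eNodeB lacks ALG-C."""
    ue = UE(nas_caps=["ALG-B", "ALG-C"], as_caps=["ALG-B", "ALG-C"])
    enb = ENodeB(supported=["ALG-A", "ALG-B"])
    mme = MME(allowed_nas=["ALG-A", "ALG-C", "ALG-B"],
              allowed_as=["ALG-A", "ALG-C", "ALG-B"],
              subscription=["ALG-B", "ALG-C"])
    return negotiate(ue, enb, mme, mme_selects_as)


if __name__ == "__main__":
    for variant in (False, True):
        outcome = run_demo(variant)
        print("MME selects AS:", variant, "->", outcome["result"], outcome.get("nas_alg"), outcome.get("as_alg"))
        for sender, name, body in outcome["log"]:
            print("  ", sender, name, body)
```

With the constructed sample both variants end with the NAS algorithm ALG-C and the AS algorithm ALG-B: the MME skips ALG-A because the UE does not offer it, and the AS choice skips ALG-C because the eNodeB does not support it. A UE that offers nothing in common with the network-allowed list gets a rejection rather than a fallback, which is the behaviour a negotiation should have when no acceptable algorithm exists.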

Referring to Figure 6, the security algorithm negotiation method provided by Embodiment 5 of the present invention comprises the following.

In Embodiment 5 the radio access network connection, that is, the RRC connection, is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm;

Step 601: the UE sends an RRC request message to the eNodeB carrying the UE security capability;

Step 602: the eNodeB stores the UE security capability;

Step 603: the eNodeB sends an RRC setup message to the UE;

Step 604: the UE sends an RRC complete message to the eNodeB;

Step 605: the UE sends an initial layer 3 message to the eNodeB;

Step 606: the eNodeB sends a RANAP message to the MME. The eNodeB must add the UE security capability to the RANAP message, so the message comprises the initial layer 3 message and the UE security capability;

Step 607: the MME selects the NAS security algorithm according to the UE security capability and the algorithm information that the network allows the user to use, or according to the UE security capability, the algorithm information that the network allows the user to use, and the user's subscription information;

Step 608: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message, which carries a first identifier representing the selected NAS security algorithm;

Step 609: the eNodeB sends the initial layer 3 response message, carrying the first identifier, to the UE;

Steps 610 to 613 are the same as steps 407 to 410 of Embodiment 3.

Referring to FIG. 7, the method for security algorithm negotiation provided by Embodiment 6 of the present invention includes:

In Embodiment 6, the radio access network connection (the RRC connection) is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm. The difference from Embodiment 5 is that in this embodiment the initial layer 3 response message and the AS security mode command are combined into one message, whereas in Embodiment 5 they are sent separately.

Steps 701 to 707 are the same as steps 601 to 607.

Step 708: the MME creates a security mode command and sends a RANAP message to the eNodeB carrying an initial layer 3 response message and a first security mode command message, where the first security mode command message carries the first identifier representing the selected NAS security algorithm and the algorithm information the network allows the user to use.

Step 709: the eNodeB selects the AS security algorithm according to the security capability of the UE and the pre-stored algorithm information the eNodeB itself supports, or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information the network allows the user to use.

Step 710: the eNodeB sends an RRC message to the UE carrying the initial layer 3 response message and a second security mode command, where the second security mode command carries the first identifier and a second identifier representing the selected AS security algorithm.

Step 711: the UE sends an RRC message carrying a second security mode command response to the eNodeB.

Step 712: the eNodeB sends a RANAP message carrying a first security mode command response to the MME.

Referring to FIG. 8, the method for security algorithm negotiation provided by Embodiment 7 of the present invention includes:

In Embodiment 7, the radio access network connection (the RRC connection) is established first and the core network connection afterwards; the MME selects the NAS security algorithm and the eNodeB selects the AS security algorithm.

Steps 801 to 806 are the same as steps 601 to 606.

Step 807: the MME selects the NAS security algorithm according to the algorithms the network allows the user to use and the security capability of the UE; the user's subscription information may also be taken into account.

Step 808: the MME sends a RANAP message to the eNodeB carrying initial layer 3 response information and the algorithm information the network allows the user to use, where the initial layer 3 response information carries the first identifier representing the selected NAS security algorithm.

Step 809: the eNodeB selects the AS security algorithm according to the security capability of the UE and the pre-stored algorithm information the eNodeB itself supports, or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information the network allows the user to use.

Step 810: the eNodeB sends an RRC message to the UE carrying the second identifier representing the selected AS security algorithm and the initial layer 3 response message, and the initial layer 3 response message carries the first identifier.

Referring to FIG. 9, the method for security algorithm negotiation provided by Embodiment 8 of the present invention includes:

In Embodiment 8, the radio access network connection (the RRC connection) is established first and the core network connection afterwards; the MME selects both the NAS security algorithm and the AS security algorithm.

Step 901: the UE sends an RRC request message to the eNodeB.

Step 902: the eNodeB sends an RRC setup message to the UE.

Step 903: the UE sends an RRC complete message to the eNodeB.

Step 904: the UE sends an initial layer 3 message to the eNodeB; the message includes the security capability of the UE.

Step 905: the eNodeB sends a RANAP message to the MME; the message includes the initial layer 3 message and the algorithm information the eNodeB itself supports, and the initial layer 3 message carries the security capability of the UE.

Step 906: the MME selects the NAS security algorithm according to the security capability of the UE and the algorithms the network allows the user to use, or according to the security capability of the UE, the algorithms the network allows the user to use, and the user's subscription information. The MME selects the AS security algorithm according to the security capability of the UE and the eNodeB-supported algorithm information in the RANAP message, or according to the security capability of the UE and the eNodeB-supported algorithm information contained in the algorithm information the network allows the user to use.

Step 907: the MME sends a RANAP message to the eNodeB carrying the initial layer 3 response message and a second identifier representing the selected AS security algorithm; the initial layer 3 response message carries the first identifier representing the selected NAS security algorithm.

Step 908: the eNodeB learns the AS security algorithm from the second identifier.

Step 909: the eNodeB sends an RRC message to the UE; the RRC message includes the initial layer 3 response message and the second identifier, and the initial layer 3 response message carries the first identifier.

In step 905, the RANAP message sent by the eNodeB to the MME need not carry the algorithm information the eNodeB itself supports; that information may instead be configured directly on the MME.

Similarly, for Embodiment 6 and Embodiment 7, security algorithm negotiation may also be implemented with the MME selecting both the NAS security algorithm and the AS security algorithm, without affecting the implementation of the present invention.

The security capability of the UE need not be carried in the RRC request message; it may instead be carried in the RRC complete message the UE sends to the eNodeB. Alternatively, when the security capability of the UE is divided into an AS security capability and a NAS security capability, the AS security capability of the UE may be carried in the RRC request message or the RRC complete message, and the NAS security capability of the UE in the initial layer 3 message the UE sends to the eNodeB, without affecting the implementation of the present invention.

Referring to FIG. 10, Embodiment 9 of the present invention provides an apparatus for security algorithm negotiation for use in a System Architecture Evolution/Long Term Evolution (SAE/LTE) system. The apparatus includes:

an information receiving unit 1001, configured to receive the security algorithm information the user terminal can support;

a security algorithm selection unit 1002, configured to select a security algorithm according to the security algorithm information in the information receiving unit 1001; and

a sending unit 1003, configured to send the identifier representing the security algorithm selected by the security algorithm selection unit 1002 to the user terminal.

When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the mobility management entity and are used to negotiate the non-access stratum security algorithm:

the information receiving unit 1001 is configured to receive the security algorithm information the user terminal can support; this security algorithm information may be non-access stratum security algorithm information and may be carried in an initial layer 3 message;

the security algorithm selection unit 1002 is configured to select the non-access stratum security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, and may also take the user's subscription information into account; and

the sending unit 1003 is configured to send to the user terminal a first identifier representing the non-access stratum security algorithm selected by the security algorithm selection unit 1002; the first identifier may be carried in the initial layer 3 response message or in a NAS security mode command.

When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the mobility management entity and are used to negotiate the access stratum security algorithm, the apparatus further includes an evolved base station algorithm information receiving unit 1004 and an evolved base station algorithm information configuration unit 1005, where:

the information receiving unit 1001 is configured to receive the security algorithm information the user terminal can support; this security algorithm information may be access stratum security algorithm information and may be carried in the initial layer 3 message;

the security algorithm selection unit 1002 is configured to select the access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station;

the sending unit 1003 is configured to send a second identifier representing the access stratum security algorithm selected by the security algorithm selection unit 1002; the second identifier may be carried in a third NAS security mode command;

the evolved base station algorithm information receiving unit 1004 is configured to receive the algorithm information supported by the evolved base station and output it to the security algorithm selection unit 1002; and

the evolved base station algorithm information configuration unit 1005 is configured to configure the algorithm information supported by the evolved base station and output it to the security algorithm selection unit 1002.

When the information receiving unit 1001, the security algorithm selection unit 1002 and the sending unit 1003 are located in the evolved base station and are used to negotiate the access stratum security algorithm:

the information receiving unit 1001 is configured to receive the security algorithm information the user terminal can support; this security algorithm information may be access stratum security algorithm information and may be carried in the RRC request message;

the security algorithm selection unit 1002 is configured to select the access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station; and

the sending unit 1003 is configured to send the second identifier representing the access stratum security algorithm to the user terminal.

Referring to FIG. 11, Embodiment 10 of the present invention provides a network system, which includes:

an evolved base station 1101, configured to send the security algorithm information supported by the user terminal to a mobility management entity 1102, and to send the first identifier from the mobility management entity 1102 to the user terminal; and

a mobility management entity 1102, configured to select the non-access stratum security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, and to output a first identifier representing the non-access stratum security algorithm.

When the network system also negotiates the access stratum security algorithm, the evolved base station 1101 is further configured to send the second identifier from the mobility management entity 1102 to the user terminal and to obtain the access stratum algorithm from the second identifier; the mobility management entity 1102 is further configured to select the access stratum security algorithm according to the security algorithm information and the algorithm information the evolved base station 1101 itself supports, and to output a second identifier representing the selected access stratum security algorithm.

When the network system also negotiates the access stratum security algorithm and the security algorithm information is non-access stratum security algorithm information, the evolved base station 1101 is further configured to receive the access stratum security algorithm information and forward it to the mobility management entity 1102, to send the second identifier from the mobility management entity 1102 to the user terminal, and to obtain the access stratum algorithm from the second identifier; the mobility management entity 1102 is further configured to select the access stratum security algorithm according to the access stratum security algorithm information and the algorithm information the evolved base station 1101 itself supports, and to output a second identifier representing the access stratum security algorithm.

When the network system also negotiates the access stratum security algorithm, the evolved base station 1101 is further configured to select the access stratum security algorithm according to the security algorithm information and the algorithm information it supports itself, and to send a second identifier representing the access stratum security algorithm to the user terminal.

When the network system also negotiates the access stratum security algorithm and the security algorithm information is non-access stratum security algorithm information, the evolved base station 1101 is further configured to receive the access stratum security algorithm information, to select the access stratum security algorithm according to the access stratum security algorithm information and the algorithm information it supports itself, and to send a second identifier representing the access stratum security algorithm to the user terminal.

As the above analysis shows, in the embodiments of the present invention the MME selects the NAS security algorithm according to the NAS security capability the UE can support and the algorithm information the network allows the user to use, and sends the first identifier representing the selected NAS security algorithm to the user terminal, so a NAS security algorithm can be negotiated in the SAE/LTE system. The MME or the eNodeB selects the AS security algorithm according to the AS security capability the UE can support and the algorithm information the eNodeB itself supports, and both the UE and the eNodeB obtain the second identifier representing the selected AS security algorithm, which achieves the negotiation of the AS security algorithm in the SAE/LTE system. The embodiments carry the initial layer 3 message, which may carry the NAS security capability, in the RRC request message, and carry the initial layer 3 response message and the first identifier in the RRC setup message, which simplifies the procedure and saves the time spent negotiating the security algorithms.

The method, apparatus and network system for security algorithm negotiation provided by the embodiments of the present invention have been described in detail above. Specific examples have been used to explain the principles and implementations of the embodiments, and the description of the embodiments is intended only to help understand their method. At the same time, those of ordinary skill in the art may, following the ideas of the embodiments, make changes to the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as limiting the embodiments of the present invention.
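As an added illustration (not code from the patent), the following Python model plays through the negotiation of Embodiments 5 to 8 and the unit split of Embodiments 9 and 10: the MME selects the NAS algorithm from the UE capability, the network-allowed list and optional subscription data, while the AS algorithm is selected either by the eNodeB (from its own list) or by the MME (from the eNodeB list received in RANAP or pre-configured on the MME), and the UE checks that each identifier it receives is one it actually advertised. Algorithm names, the preference order, the subscription map and the user id are constructed placeholders; the patent names no algorithms.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed algorithm names used only in this model; the patent speaks of a
# "first identifier" (NAS algorithm) and a "second identifier" (AS algorithm)
# and names no algorithms. Each list is ordered from most to least preferred.
NAS_PRIORITY = ["NAS-ALG-C", "NAS-ALG-B", "NAS-ALG-A", "NAS-ALG-NULL"]
AS_PRIORITY = ["AS-ALG-C", "AS-ALG-B", "AS-ALG-A", "AS-ALG-NULL"]

Capability = Dict[str, List[str]]  # {"nas": [...], "as": [...]}


def select_algorithm(priority: List[str], *constraints: List[str]) -> str:
    """Return the most preferred algorithm present in every constraint list.

    Constraints are the inputs the patent names: UE security capability,
    network-allowed algorithms, optional subscription information and (for AS)
    the algorithms the eNodeB supports. No common algorithm is a hard failure.
    """
    for alg in priority:
        if all(alg in allowed for allowed in constraints):
            return alg
    raise ValueError("no security algorithm common to all constraints")


@dataclass
class UE:
    nas_capability: List[str]
    as_capability: List[str]
    nas_algorithm: Optional[str] = None
    as_algorithm: Optional[str] = None

    def security_capability(self) -> Capability:
        """Sent in the RRC request (Embodiments 5-7) or the initial layer 3 message (Embodiment 8)."""
        return {"nas": list(self.nas_capability), "as": list(self.as_capability)}

    def accept(self, first_identifier: str, second_identifier: str) -> None:
        """Apply the identifiers from the initial layer 3 response / RRC message.
        The UE only accepts an identifier it advertised itself, so a selection
        that does not match its capability is rejected instead of being used."""
        if first_identifier not in self.nas_capability:
            raise ValueError(f"NAS algorithm {first_identifier!r} not in UE capability")
        if second_identifier not in self.as_capability:
            raise ValueError(f"AS algorithm {second_identifier!r} not in UE capability")
        self.nas_algorithm, self.as_algorithm = first_identifier, second_identifier


@dataclass
class ENodeB:
    supported_as: List[str]  # algorithm information the eNodeB itself supports
    saved_capability: Optional[Capability] = None  # step 602: eNodeB saves the UE capability
    as_algorithm: Optional[str] = None

    def select_as(self, cap: Capability, network_allowed_as: Optional[List[str]] = None) -> str:
        """Steps 709/809: UE capability and own algorithms, optionally limited by the network list."""
        constraints = [cap["as"], self.supported_as]
        if network_allowed_as is not None:
            constraints.append(network_allowed_as)
        self.as_algorithm = select_algorithm(AS_PRIORITY, *constraints)
        return self.as_algorithm


@dataclass
class MME:
    network_allowed_nas: List[str]
    network_allowed_as: List[str]
    subscription: Dict[str, List[str]] = field(default_factory=dict)  # constructed: user -> allowed NAS algs
    configured_enb_as: Optional[List[str]] = None  # eNodeB algorithms pre-configured on the MME

    def select_nas(self, cap: Capability, user: Optional[str] = None) -> str:
        """Steps 607/807/906: UE capability, network-allowed list and, if present, subscription data."""
        constraints = [cap["nas"], self.network_allowed_nas]
        if user is not None and user in self.subscription:
            constraints.append(self.subscription[user])
        return select_algorithm(NAS_PRIORITY, *constraints)

    def select_as(self, cap: Capability, enb_as_from_ranap: Optional[List[str]] = None) -> str:
        """Step 906: eNodeB algorithms come from the RANAP message or from MME configuration."""
        enb_as = enb_as_from_ranap if enb_as_from_ranap is not None else self.configured_enb_as
        if enb_as is None:
            raise ValueError("eNodeB algorithm information neither received nor configured")
        return select_algorithm(AS_PRIORITY, cap["as"], enb_as)


def negotiate(ue: UE, enb: ENodeB, mme: MME, mme_selects_as: bool,
              user: Optional[str] = None) -> Tuple[str, str]:
    """One negotiation: the eNodeB selects AS (Embodiments 5-7) or the MME does (Embodiment 8)."""
    cap = ue.security_capability()  # steps 601/904: UE sends its security capability
    enb.saved_capability = cap  # step 602
    first = mme.select_nas(cap, user)  # the MME's choice becomes the first identifier
    if mme_selects_as:
        second = mme.select_as(cap, enb.supported_as)  # step 905: eNodeB algorithms in RANAP
        enb.as_algorithm = second  # step 908: eNodeB learns the AS algorithm from the second id
    else:
        second = enb.select_as(cap, mme.network_allowed_as)  # steps 709/809
    ue.accept(first, second)  # steps 710/810/909: both identifiers reach the UE
    return first, second
```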

Claims (19)

1. A method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution (SAE/LTE) system, characterized in that the method comprises:
a user terminal sending the security algorithm information that the user terminal can support;
a mobility management entity receiving the security algorithm information that the user terminal can support;
the mobility management entity selecting a non-access stratum security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, or selecting an access stratum security algorithm according to the security algorithm information and the algorithm information supported by an evolved base station;
the mobility management entity sending a first identifier representing the non-access stratum security algorithm or a second identifier representing the access stratum security algorithm to the user terminal; and
the user terminal receiving the first identifier or the second identifier.
2. The method according to claim 1, characterized in that the mobility management entity sending the first identifier to the user terminal comprises:
sending the first identifier to the evolved base station, and the evolved base station sending the first identifier to the user terminal.
3. The method according to claim 2, characterized in that:
the evolved base station sending the first identifier to the user terminal specifically comprises:
the evolved base station sending a radio resource connection setup message to the user terminal, the radio resource connection setup message carrying a non-access stratum security mode command, and the non-access stratum security mode command carrying the first identifier.
4. The method according to claim 2, characterized in that:
the evolved base station sending the first identifier to the user terminal specifically comprises:
the evolved base station sending a radio resource connection setup message to the user terminal, the radio resource connection setup message carrying an initial layer 3 response message, and the initial layer 3 response message carrying the first identifier.
5. The method according to claim 1, characterized in that:
the security algorithm information is non-access stratum security algorithm information.
6. The method according to claim 1, characterized in that:
before the mobility management entity selects the access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself, the method further comprises:
the mobility management entity receiving, from the evolved base station, the algorithm information supported by the evolved base station itself.
7. The method according to claim 1, characterized in that:
before the mobility management entity selects the access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself, the method further comprises:
the mobility management entity configuring the algorithm information supported by the evolved base station itself.
8. The method according to claim 1, characterized in that the mobility management entity sending the second identifier to the user terminal comprises:
sending the second identifier to the evolved base station, and the evolved base station learning the access stratum security algorithm from the second identifier and sending the second identifier to the user terminal.
9. The method according to claim 8, characterized in that:
sending the second identifier to the evolved base station specifically comprises: sending a third access stratum security mode command carrying the second identifier to the evolved base station; and
the evolved base station sending the second identifier to the user terminal specifically comprises:
the evolved base station sending a fourth access stratum security mode command carrying the second identifier to the user terminal.
10. The method according to any one of claims 1 to 9, characterized in that:
receiving the security algorithm information that the user terminal can support specifically comprises:
receiving an initial layer 3 message from the user terminal, the initial layer 3 message carrying the security algorithm information that the user terminal can support.
11. The method according to claim 10, characterized in that:
receiving the initial layer 3 message from the user terminal specifically comprises:
the evolved base station receiving a radio resource connection request message from the user terminal, the radio resource connection request message carrying the initial layer 3 message; and
the mobility management entity receiving the initial layer 3 message from the evolved base station.
12. A method for security algorithm negotiation in a System Architecture Evolution/Long Term Evolution (SAE/LTE) system, characterized in that the method comprises:
a user terminal sending the security algorithm information that the user terminal can support;
an evolved base station receiving the security algorithm information that the user terminal can support;
the evolved base station selecting an access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself;
the evolved base station sending a second identifier representing the access stratum security algorithm to the user terminal; and
the user terminal receiving the second identifier.
13. The method according to claim 12, characterized in that:
sending the second identifier representing the access stratum security algorithm to the user terminal specifically comprises:
sending a second access stratum security mode command carrying the second identifier to the user terminal.
14. The method according to claim 12, characterized in that:
receiving the security algorithm information that the user terminal can support specifically comprises:
receiving the security capability of the user terminal, the security capability carrying the access stratum security algorithm information and non-access stratum security algorithm information and distinguishing the access stratum security algorithm information from the non-access stratum security algorithm information by an identifier.
15. A network system, characterized in that the system comprises a mobility management entity and a user terminal, wherein
the mobility management entity comprises:
an information receiving unit, configured to receive the security algorithm information that the user terminal can support;
a security algorithm selection unit, configured to select a non-access stratum security algorithm according to the security algorithm information and the algorithm information the network allows the user to use, or to select an access stratum security algorithm according to the security algorithm information and the algorithm information supported by an evolved base station; and
a sending unit, configured to send a first identifier representing the non-access stratum security algorithm or a second identifier representing the access stratum security algorithm to the user terminal; and
the user terminal is configured to send the security algorithm information that the user terminal can support, and to receive the first identifier or the second identifier.
16. The system according to claim 15, characterized in that:
the system further comprises an evolved base station, configured to send the second identifier from the mobility management entity to the user terminal and to obtain the access stratum algorithm from the second identifier.
17. The system according to claim 15, characterized in that, when the security algorithm information is non-access stratum security algorithm information:
the system further comprises an evolved base station, configured to receive access stratum security algorithm information and forward it to the mobility management entity, to send the second identifier from the mobility management entity to the user terminal, and to obtain the access stratum algorithm from the second identifier.
18. A network system, characterized in that the system comprises an evolved base station and a user terminal, wherein
the evolved base station comprises:
an information receiving unit, configured to receive the security algorithm information that the user terminal can support;
a security algorithm selection unit, configured to select an access stratum security algorithm according to the security algorithm information and the algorithm information supported by the evolved base station itself; and
a sending unit, configured to send a second identifier representing the access stratum security algorithm to the user terminal; and
the user terminal is configured to send the security algorithm information that the user terminal can support, and to receive the second identifier of the access stratum security algorithm.
19. The system according to claim 18, characterized in that:
the second identifier of the access stratum security algorithm is a second access stratum security mode command.
CN201210351794.7A 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system Active CN102869007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210351794.7A CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210351794.7A CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system
CN200710003493A CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for security algorithm negotiation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN200710003493A Division CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for security algorithm negotiation

Publications (2)

Publication Number Publication Date
CN102869007A CN102869007A (en) 2013-01-09
CN102869007B true CN102869007B (en) 2015-12-09

Family

ID=39681275

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201210351794.7A Active CN102869007B (en) 2007-02-05 2007-02-05 The method of secure algorithm negotiation, device and network system
CN200710003493A Active CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for security algorithm negotiation

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN200710003493A Active CN101242630B (en) 2007-02-05 2007-02-05 Method, device and network system for security algorithm negotiation

Country Status (2)

Country Link
CN (2) CN102869007B (en)
WO (1) WO2008095428A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378591B (en) 2007-08-31 2010-10-27 华为技术有限公司 Method, system and device for security capability negotiation when terminal moves
GB2462615A (en) * 2008-08-12 2010-02-17 Nec Corp Optional Access Stratum security activation depending on purpose of request or message parameter in an evolved UTRAN communication network.
CN101686233B (en) * 2008-09-24 2013-04-03 电信科学技术研究院 Method, system and device for processing mismatching of user equipment (UE) and network security algorithm
CN101686463B (en) * 2008-09-28 2013-10-09 华为技术有限公司 Method for protecting ability of user terminal, device and system
CN101841807B (en) * 2009-03-19 2013-01-23 电信科学技术研究院 Execution method and system of security process
CN102083063B (en) * 2009-11-30 2013-07-10 电信科学技术研究院 Method, system and equipment for confirming AS key
CN102264065A (en) * 2010-05-27 2011-11-30 中兴通讯股份有限公司 Method and system for synchronizing access stratum security algorithms
CN102448058B (en) 2011-01-10 2014-04-30 华为技术有限公司 Method and device for protecting data on Un interface
CN102833742B (en) * 2011-06-17 2016-03-30 华为技术有限公司 The machinery of consultation of equipment for machine type communication group algorithm and equipment
WO2014071585A1 (en) * 2012-11-08 2014-05-15 华为技术有限公司 Method and device for obtaining public key
CN104244247B (en) * 2013-06-07 2019-02-05 华为技术有限公司 Non-access layer, access layer security algorithm processing method and device
EP3031225B1 (en) 2013-08-08 2018-09-19 Nokia Technologies Oy A method and apparatus for proxy algorithm identity selection
WO2018132952A1 (en) * 2017-01-17 2018-07-26 华为技术有限公司 Wireless communication method and apparatus
CN115004634B (en) * 2020-04-03 2023-12-19 Oppo广东移动通信有限公司 Information processing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571540A (en) * 2004-04-23 2005-01-26 中兴通讯股份有限公司 Method for selecting aerial interface encryption algorithm by negotiation
CN1601943A (en) * 2003-09-25 2005-03-30 华为技术有限公司 Method of selecting safety communication algorithm
CN1859422A (en) * 2006-03-16 2006-11-08 华为技术有限公司 Method for processing user terminal cut-in evolution network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7213144B2 (en) * 2001-08-08 2007-05-01 Nokia Corporation Efficient security association establishment negotiation technique

Also Published As

Publication number Publication date
CN102869007A (en) 2013-01-09
CN101242630A (en) 2008-08-13
WO2008095428A1 (en) 2008-08-14
CN101242630B (en) 2012-10-17

Similar Documents

Publication Publication Date Title
CN102869007B (en) The method of secure algorithm negotiation, device and network system
JP6733746B2 (en) Apparatus for providing communication based on device-to-device relay service in mobile communication system
TWI442757B (en) Telecommunications system, call management method and computer readable medium
EP3346762B1 (en) Handling a pdn connection in lte to nr/5g inter-system mobility
EP3596996B1 (en) Method and apparatus for handling a ue that is in the idle state
CN110167018B (en) Security protection method, device and access network equipment
EP3735029B1 (en) Methods and devices for establishing control plane session
EP2966895B1 (en) Method and system for transmitting data packet, terminal device and network device
JP2014511168A (en) Mobile communication network and method
EP3565287B1 (en) Multi-link communication method and device, and terminal
WO2018014741A1 (en) Data transmission, reception and transfer method and apparatus
CN109246708B (en) Information transmission method and device
US9877307B2 (en) Method for implementing radio resource control protocol function, macro base station, and micro cell node
EP3346761B1 (en) Device and method for handling a packet flow in inter-system mobility
EP3396981B1 (en) Security parameter transmission method and related device
EP3536027B1 (en) Handover of a device which uses another device as relay
CN114258104A (en) Method for layer 2 user equipment to transmit signaling through network relay
WO2014023269A1 (en) Switching control method and apparatus
CN108616880A (en) A kind of method, apparatus and system of data transmission
CN101272315B (en) Packet data package transmission method, system and network appliance
CN101925050A (en) A method and device for generating a security context
CN101483516A (en) Security control method and system thereof
CN101836494B (en) Mobile communication system, communication method, and mobile station, radio base station, and high-order device of the radio base station used in the mobile communication system and communication method
US20240306248A1 (en) Managing an early data communication configuration
US20250126674A1 (en) Managing Radio Functions in the Inactive State

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230424

Address after: Unit 04-06, Unit 1, Unit 2101, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020

Patentee after: Beijing Heyi Management Consulting Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address

Address after: Unit 03, Room 1501, 15th Floor, Unit 1, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020

Patentee after: Beijing Jingshi Intellectual Property Management Co.,Ltd.

Address before: Unit 04-06, Unit 1, Unit 2101, Building 1, No.1 East Third Ring Middle Road, Chaoyang District, Beijing, 100020

Patentee before: Beijing Heyi Management Consulting Co.,Ltd.
