WO2009149666A1 - Method, device and system for negotiating algorithm - Google Patents
- Publication number
- WO2009149666A1 (PCT/CN2009/072237)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- algorithm
- information
- user equipment
- hss
- mme
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Definitions
- the present invention relates to wireless communication technologies, and in particular, to a method, apparatus, and system for algorithm negotiation.
- 3GPP (the 3rd Generation Partnership Project) defines the third-generation wireless communication network standard UMTS (Universal Mobile Telecommunication System).
- In the key architecture of the EPS network, the USIM (UMTS Subscriber Identity Module) and the network-side AuC (Authentication Centre) share a key K; the USIM and the AuC derive the keys CK and IK from the shared key K; the AuC sends CK and IK to the HSS (Home Subscriber Server).
- The UE (User Equipment) and the HSS derive KASME from CK and IK.
- The algorithm for deriving KASME between the UE and the HSS is fixed by default; the algorithm that derives KASME is also referred to as the key derivation algorithm.
- As HSSs and UEs are upgraded, HSSs and UEs produced by different manufacturers may support several more secure algorithms for deriving KASME; however, because the algorithm for deriving KASME between the UE and the HSS is fixed by default, it is difficult to meet the need to support multiple key derivation algorithms.
- The embodiments of the invention provide a method, device and system for algorithm negotiation, so that the HSS and the user equipment can negotiate the key derivation algorithm they both use.
- An embodiment of the present invention discloses a method for algorithm negotiation, which includes: acquiring, by the network side, information about the algorithms for deriving the key KASME that the user equipment supports; selecting an algorithm according to the information about the algorithms supported by the user equipment and the home subscriber server (HSS); and using the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
- An embodiment of the present invention discloses a network side device, including: a transceiver unit, configured to acquire information about the algorithms for deriving the key KASME supported by a user equipment; and a selecting unit, configured to select an algorithm according to the information about the algorithms supported by the user equipment and the HSS, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
- An embodiment of the present invention discloses a user equipment for algorithm negotiation, including: a transceiver unit, configured to send, to a network side device, information about the algorithms for deriving the key KASME supported by the user equipment, and to receive the information about the selected algorithm that the network side device sends after selecting the algorithm.
- An embodiment of the present invention discloses a network side device for algorithm negotiation, including: a transceiver unit, configured to acquire information about the algorithms for deriving the key KASME supported by a user equipment; and a selecting unit, configured to select an algorithm according to the information about the algorithms supported by the user equipment and the HSS, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
- An embodiment of the present invention discloses a system for algorithm negotiation, including: a user equipment, configured to send, to a network side device, information about the algorithms for deriving the key KASME supported by the user equipment, and to receive the information about the selected algorithm that the network side device sends after selecting the algorithm; and the network side device, configured to acquire the information about the algorithms for deriving the key KASME supported by the user equipment, select an algorithm according to that information, and send the information about the selected algorithm to the user equipment.
- An embodiment of the present invention discloses a system for algorithm negotiation that can communicate with a user equipment, including an HSS and an MME, where: the HSS is configured to acquire, from an authentication data request message sent by the MME, the information about the algorithms supported by the user equipment, select an algorithm according to the information about the algorithms for deriving the key KASME supported by the user equipment and the HSS, and send the information about the selected algorithm to the MME through an authentication data response message; and the MME is configured to acquire the information about the algorithms for deriving the key KASME supported by the user equipment from the attach or location update request of the user equipment forwarded by the base station, send that information to the HSS, and, after the HSS has selected the algorithm, receive the information about the selected algorithm and send it to the user equipment through the base station.
- The network side acquires the information about the algorithms for deriving the key KASME supported by the user equipment, selects an algorithm according to the information about the algorithms supported by the user equipment and the HSS, and uses the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS; the algorithm is thus negotiated between the HSS and the user equipment, which allows flexible selection of the key derivation algorithm.
- FIG. 1 is a flowchart of a method for algorithm negotiation according to an embodiment of the present invention.
- FIG. 2 is a flowchart of a method for negotiating an algorithm according to Embodiment 1 of the present invention.
- FIG. 3 is a flowchart of a method for negotiating an algorithm according to Embodiment 2 of the present invention.
- FIG. 4 is a schematic diagram of a manner in which an HSS sets a selected algorithm in an AV according to Embodiment 2 of the present invention.
- FIG. 5 is a flowchart of a method for negotiating an algorithm according to Embodiment 3 of the present invention.
- FIG. 6 is a flowchart of a method for negotiating an algorithm according to Embodiment 4 of the present invention.
- FIG. 7 is a network architecture diagram of an application scenario according to Embodiment 5 of the present invention.
- FIG. 8 is a diagram showing an algorithm negotiation system and apparatus according to an embodiment of the present invention.
- FIG. 9 is a diagram showing another algorithm negotiation system and apparatus according to an embodiment of the present invention.
- FIG. 10 is a schematic diagram of a network side device provided by an embodiment of the present invention.
- An embodiment of the present invention provides a method for algorithm negotiation, which specifically includes:
- Step a: The network side obtains information about the algorithms for deriving the key KASME that the user equipment supports;
- Step b: An algorithm is selected according to the information about the algorithms supported by the user equipment and the home subscriber server HSS;
- Step c: The selected algorithm is used as the algorithm for deriving the key KASME between the user equipment and the HSS.
- An embodiment of the present invention provides a method for algorithm negotiation, as shown in FIG. 1:
- Step 101: the HSS acquires information about the algorithms that the user equipment supports;
- Step 102: the HSS selects an algorithm according to the information about the algorithms that the user equipment supports;
- Step 103: the HSS transmits the information about the selected algorithm to the user equipment.
- the information of the above algorithm may specifically be information for deriving the algorithm of KASME.
- The HSS can acquire the information about the key derivation algorithms supported by the user equipment, and transmit the information about the selected algorithm, through the MME (Mobility Management Entity) and the base station.
- FIG. 2 is a flowchart of a method for negotiating an algorithm according to Embodiment 1 of the present invention, including:
- Step 201: The UE sends an Attach/TAU Request to the eNB (eNodeB, evolved base station); the request carries the information about the key derivation algorithms supported by the UE. A specific way of carrying it can be as follows: the Attach/TAU Request carries the temporary identity of the UE and fields such as the UE Network Capability (the network capability of the UE).
- Step 202: After receiving the Attach/TAU Request, the eNB forwards the message to the MME.
- Step 203: The MME decides to trigger AKA (Authentication and Key Agreement).
- Step 204: During the execution of the AKA, the MME sends an Authentication Data Request to the HSS; the request carries the information about the key derivation algorithms supported by the UE.
- The Authentication Information Request sent by the MME to the HSS includes a Requesting Node IE, which is mainly used to indicate the type of node requesting the authentication vector, such as MME, SGSN, MME/SGSN, and the like. This IE may be extended, for example by 4 bits, to represent the algorithms supported by the UE: 0001 indicates support for algorithm 1; 0011 indicates support for algorithms 1 and 2; 0111 indicates support for algorithms 1, 2 and 3; and 1111 indicates support for all four algorithms 1, 2, 3 and 4.
- Step 205: The HSS selects a key derivation algorithm supported by the user equipment.
- Step 206: During the AKA, the information about the algorithm selected in step 205 is sent to the MME through an Authentication Data Response message.
- Step 207: After receiving the authentication data response sent by the HSS, the MME performs the subsequent AKA process with the UE.
- Step 208: After the AKA process succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is run between the MME and the UE. The MME sends the NAS SMC message to the UE through the eNB; the message carries the information about the key derivation algorithm selected by the HSS.
- Step 209: After receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over it; the UE obtains the information about the key derivation algorithm selected by the HSS from the NAS SMC message.
- In addition, in step 208 the MME may put the UE-supported algorithms received in step 202 into the NAS SMC message transmitted to the UE; or, in step 205, the HSS may use any 4 bits of the AMF (Authentication Management Field) in the AV (Authentication Vector) to indicate the UE-supported algorithms received from the MME in step 204, which are then transmitted to the UE through steps 206 and 207. The AMF is the authentication management field contained in the AUTN (Authentication token) of the AV, which is sent to the MME in the authentication data response of step 206.
- In this embodiment the UE reports the information about its supported key derivation algorithms to the HSS, and the HSS selects among them and feeds the selection back to the UE, thereby establishing an algorithm negotiation mechanism between the UE and the HSS. Flexible selection of the key derivation algorithm is achieved, and the modification to the prior-art uplink interface protocol between the MME and the HSS is small.
- FIG. 3 is a flowchart of a method for negotiating an algorithm according to Embodiment 2 of the present invention, in which the HSS carries the information about the selected algorithm in a different way. It specifically includes:
- Steps 301, 302, 303, and 304 are the same as steps 201, 202, 203, and 204 in Embodiment 1, respectively.
- Step 305: After the HSS selects a key derivation algorithm supported by the UE, it carries the information about the selected algorithm in the AV. Specifically, one or several bits of the AMF contained in the AUTN in the AV can be used to represent the selected algorithm.
- The AMF has 16 bits. Bit 0 has been specified as the separation bit; when it is set, the AV is an SAE AV. Bits 1 to 7 are standardized reserved bits, and bits 8 to 15 are for proprietary (private) use. Therefore, some of bits 8 to 15 can be chosen to represent the key derivation algorithm, and the HSS indicates the information about the selected algorithm by setting these bits. An example follows:
- FIG. 4 is a schematic diagram showing a manner in which the HSS sets the selected algorithm in the AV in step 305 according to Embodiment 2 of the present invention, including:
- The UE supports four key derivation algorithms A, B, C and D for the HSS to select from, and the UE and the HSS agree to represent them by 00, 01, 10 and 11 respectively; after the HSS selects among the four algorithms, it records the selected algorithm in the AMF in the agreed manner. For example, if the HSS selects algorithm A, it can set bits 14 and 15 of the AMF to 0 and 0 respectively to indicate the result of the selection; if the HSS sets bits 14 and 15 to 0 and 1 respectively, algorithm B is selected.
- The HSS may also agree with the UE on other representations, according to factors such as the number of algorithms the UE supports, or select one or more other bits of the AMF to carry the selection result.
- Step 306: During the execution of the AKA, the HSS sends the AV carrying the information about the selected algorithm to the MME through an Authentication Data Response message.
- Step 307: During the subsequent AKA process, the MME and the eNB forward the AV to the UE, and the UE passes the A.
- FIG. 4, referred to in Embodiment 2 of the present invention, is a case where the HSS indicates the selected algorithm by setting bits, and is merely an example for ease of understanding. The kinds and names of the UE algorithms in FIG. 4, such as A, B, C, D, 00, 01, 10 and 11, do not limit the scope of application of the embodiments of the present invention; that is, some systems may not use the above kinds and names, but it cannot be concluded that the technical solutions in the embodiments of the present invention are inapplicable to those systems.
- In this embodiment the HSS represents the information about the selected algorithm with some bits of the AMF, which is carried in the AUTN and sent to the user equipment. This makes full use of existing resources and implements flexible selection of the key derivation algorithm; the HSS informs the UE of the selected algorithm with little modification to the downlink protocol.
- FIG. 5 is a flowchart of a method for negotiating an algorithm according to Embodiment 3 of the present invention, in which the MME decides which key derivation algorithm is selected. It specifically includes:
- Steps 501 and 502 are the same as steps 201 and 202 in Embodiment 1 and are not repeated here.
- Step 503: The MME decides to perform AKA, and selects an algorithm according to the algorithms supported by the UE and the HSS and a local policy.
- The MME may learn the algorithms supported by the HSS in either of two ways: they are configured on the MME in advance, or the HSS reports its supported algorithms to the MME by a newly added message before step 503.
- The local policy may be: the MME selects the most secure algorithm among those supported by both the UE and the HSS.
- Step 504: The MME sends an authentication data request carrying the algorithm selected in step 503 to the HSS.
- Step 505: The HSS derives KASME from CK and IK according to the algorithm selected by the MME, and sends an Authentication Data Response message to the MME. The KASME derived by the HSS can be carried in the Authentication Data Response.
- Step 506: After receiving the authentication data response sent by the HSS, the MME performs the subsequent AKA process with the UE.
- Step 507: After the AKA process succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is run between the MME and the UE. The MME sends the NAS SMC message to the UE through the eNB; the message carries the information about the selected key derivation algorithm.
- Step 508: After receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over it; the UE obtains the information about the selected key derivation algorithm from the NAS SMC message.
- In addition, the MME returns the UE-supported algorithms from the network side to the UE for verification. The method of returning them is substantially the same as the method by which the MME returns the UE-supported algorithms in Embodiment 1, and is not repeated here.
- In this embodiment the MME selects the algorithm for deriving the key KASME between the UE and the HSS according to the key derivation algorithms supported by the UE and the HSS, thereby establishing an algorithm negotiation mechanism between the UE and the HSS and implementing flexible selection of the key derivation algorithm.
- FIG. 6 is a flowchart of a method for algorithm negotiation according to Embodiment 4 of the present invention, which mainly relates to algorithm negotiation between a UE and an HSS in an inter-EPS-network handover scenario. It specifically includes:
- Step 601: The source eNB in the network where the UE is currently located decides to perform handover.
- Step 602: The source eNB sends a Handover Required to the source MME.
- Step 603: The source MME sends a Forward Relocation Request to the target MME in the handover target network, carrying the information about the UE's key derivation algorithms. The Forward Relocation Request includes the security capability of the UE, which may include the key derivation algorithms supported by the UE. The source MME may also notify the target MME of the algorithms supported by the HSS by using this message.
- Steps 604 to 610 complete the subsequent handover process, as follows:
- Step 604: The target MME sends a handover request to the target eNB.
- Step 605: The target eNB sends a handover request response to the target MME.
- Step 606: The target MME sends a forward relocation response to the source MME.
- Step 607: The source MME sends a handover command to the source eNB.
- Step 608: The source eNB sends a handover command to the UE.
- Step 609: The UE sends a handover confirmation to the target eNB.
- Step 610: The target eNB sends a handover notification to the target MME.
- Step 611: After the handover succeeds, the UE sends a TAU (Tracking Area Update) request to the target eNB.
- Step 612: The target eNB forwards the TAU request to the target MME.
- Step 613: The target MME decides to perform an AKA authentication process and selects an algorithm from the algorithms supported by the UE and the HSS according to the local policy.
- Since the target MME learned the algorithms supported by the UE in step 603, if it also obtained the HSS-supported algorithms in step 603, it may select an algorithm supported by both the UE and the HSS according to the local policy. If the target MME did not obtain the HSS-supported algorithms from the source MME in step 603, it may learn them in either of two ways: they are configured on the target MME in advance, or the HSS reports its supported algorithms to the target MME by a newly added message before step 613.
- Step 614: The target MME sends an authentication data request to the HSS. The request also includes the algorithm selected by the target MME; by this message the target MME informs the HSS of the algorithm selected in step 613.
- Step 615: The HSS derives KASME from CK and IK according to the algorithm selected by the target MME, and sends an Authentication Data Response message to the target MME.
- Step 616: The subsequent AKA authentication process is performed between the target MME and the UE.
- Step 617: After the AKA process succeeds, a NAS (Non-Access Stratum) SMC procedure is run between the target MME and the UE. The target MME sends the NAS SMC message to the UE through the target eNB; the message carries the information about the selected key derivation algorithm.
- Step 618: The target eNB receives the NAS SMC message from the target MME, establishes an RRC bearer with the UE, and forwards the NAS SMC message to the UE over the RRC bearer; the UE obtains the information about the selected key derivation algorithm from the NAS SMC message.
- In addition, in step 617 the target MME transmits the UE-supported algorithms from the network side back to the UE for verification.
- In this embodiment the MME participates in the algorithm selection, and algorithm negotiation between the UE and the HSS is implemented in the inter-EPS-network handover scenario.
- The algorithm negotiation method provided by Embodiment 5 of the present invention mainly relates to negotiation of the key derivation algorithm between a UE and an HSS in an EPS to 2G/3G network handover scenario.
- The IWF and the UE respectively report the algorithms they support to the MME. The reporting method is similar to the process in which the HSS and the UE report their algorithms to the MME in Embodiment 3; the main difference is that the IWF, instead of the HSS, performs the algorithm negotiation function.
- The MME determines the algorithm used between the UE and the IWF according to the local policy, and notifies the UE and the IWF; the notification process is the same as the method by which the MME in Embodiment 3 informs the UE and the HSS after selecting the algorithm.
- In addition, the MME may return the UE-supported algorithms from the network side to the UE for verification. The method of returning them is substantially the same as the method by which the MME returns the UE-supported algorithms in Embodiment 1, and is not repeated here.
- This embodiment solves the problem of negotiating the key derivation algorithm between the UE and the HSS in the EPS to 2G/3G network handover scenario.
- FIG. 10 is a schematic diagram of a network side device provided by an embodiment of the present invention. The network side device specifically includes a transceiver unit 1001 and a selecting unit 1002.
- The transceiver unit 1001 is configured to obtain information about the algorithms that the user equipment can use to derive the key KASME.
- The selecting unit 1002 is configured to select an algorithm according to the information about the algorithms supported by the user equipment and the home subscriber server HSS, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
- The network side device may be an HSS or an MME.
- The transceiver unit 1001 may further be configured to send the algorithm selected by the selecting unit 1002 to the UE.
- Alternatively, the transceiver unit 1001 may further be configured to acquire the information about the algorithms supported by the HSS, and to send the algorithm selected by the selecting unit 1002 to the UE and to the HSS, respectively.
- FIG. 8 is a schematic diagram of a system 80 according to an embodiment of the present invention. The system 80 includes a user equipment 81 and a network side device HSS 82 in communication with it, where:
- The user equipment 81 includes a transceiver unit 811; the network side device HSS 82 includes a transceiver unit 821 and a selecting unit 822. The transceiver unit 821 is configured to acquire information about the algorithms supported by the user equipment 81, and to send the information about the algorithm selected by the selecting unit 822 to the user equipment 81.
- The selecting unit 822 selects the algorithm according to the information about the algorithms that the user equipment 81 supports; it may further be configured to set the information about the selected algorithm into the authentication vector AV in an agreed manner.
- The transceiver unit 821 can obtain the information about the algorithms supported by the user equipment from the authentication data request message sent by the MME, and send the information about the algorithm selected by the selecting unit 822 to the MME through the authentication data response message.
- FIG. 9 is a schematic diagram of another system 90 according to an embodiment of the present invention. The system 90 includes a user equipment 91 and a network side device MME 92 in communication with it, where:
- The user equipment 91 includes a transceiver unit 911; the network side device MME 92 includes a transceiver unit 921 and a selecting unit 922. The transceiver unit 921 is configured to acquire information about the algorithms supported by the user equipment 91 and by the HSS, and to send the information about the algorithm selected by the selecting unit 922 to the HSS and to the user equipment 91.
- The selecting unit 922 is configured to select an algorithm according to the information about the algorithms that the user equipment 91 supports.
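As an added example (not the patent's own code, and not a 3GPP implementation), the following Python simulates the negotiation of Embodiments 1 to 3 end to end: the UE's 4-bit capability mask from the Requesting Node IE example, the HSS selecting by a local policy, the selection encoded in AMF bits 14 and 15 of the AUTN, the UE decoding it, and the UE checking the capability echoed back to it. The algorithm names A to D, the "later is more secure" ranking, MSB-first numbering of the AMF bits (bit 0 is the separation bit), and the HMAC stand-in for the KASME derivation are all assumptions made for this example.

```python
"""Simulated KASME key-derivation-algorithm negotiation between UE and HSS,
following the page's Embodiments 1-3.  Names, ranking, bit numbering and the
KDF stand-in are constructed for this example, not taken from 3GPP."""
import hashlib
import hmac
from dataclasses import dataclass

# Example convention from the page: four algorithms A..D coded as 00, 01, 10, 11.
ALGORITHMS = ["A", "B", "C", "D"]
# Assumed local policy: a later algorithm counts as more secure.
SECURITY_RANK = {name: i for i, name in enumerate(ALGORITHMS)}


def amf_bit(position):
    """AMF is 16 bits; the page numbers bit 0 as the separation bit and bits
    8-15 as proprietary.  Assumption: bit 0 is the most significant bit."""
    return 1 << (15 - position)


AMF_SEPARATION = amf_bit(0)   # set => SAE (EPS) authentication vector
AMF_ALG_BITS = (14, 15)       # bit 14 = high bit of the 2-bit code, bit 15 = low bit


def capability_mask(supported):
    """UE -> MME: 4-bit mask (0001 = algorithm 1, 0011 = algorithms 1 and 2, ...)."""
    mask = 0
    for name in supported:
        mask |= 1 << ALGORITHMS.index(name)
    return mask


def algorithms_in_mask(mask):
    return [name for i, name in enumerate(ALGORITHMS) if (mask >> i) & 1]


def hss_select(ue_mask, hss_supported):
    """HSS: the most secure algorithm supported by both sides, or None if no overlap."""
    common = [a for a in algorithms_in_mask(ue_mask) if a in hss_supported]
    return max(common, key=SECURITY_RANK.__getitem__) if common else None


def encode_amf(selected):
    """HSS: separation bit set, selected algorithm's 2-bit code in bits 14-15."""
    code = ALGORITHMS.index(selected)            # A=00, B=01, C=10, D=11
    amf = AMF_SEPARATION
    if code & 0b10:
        amf |= amf_bit(AMF_ALG_BITS[0])
    if code & 0b01:
        amf |= amf_bit(AMF_ALG_BITS[1])
    return amf


def decode_amf(amf):
    """UE: reject a non-EPS vector, then read the code back out of bits 14-15."""
    if not amf & AMF_SEPARATION:
        raise ValueError("separation bit clear: not an EPS authentication vector")
    high = bool(amf & amf_bit(AMF_ALG_BITS[0]))
    low = bool(amf & amf_bit(AMF_ALG_BITS[1]))
    return ALGORITHMS[(high << 1) | low]


def derive_kasme(algorithm, ck, ik):
    """Constructed stand-in for a per-algorithm KASME derivation from CK and IK
    (not the 3GPP KDF); each algorithm label yields an unrelated key."""
    return hmac.new(ck + ik, b"KASME-" + algorithm.encode(), hashlib.sha256).digest()


@dataclass
class NegotiationResult:
    selected: str
    ue_kasme: bytes
    hss_kasme: bytes


def negotiate(ue_supported, hss_supported, ck, ik, echoed_mask=None):
    """One negotiation.  `echoed_mask` models the capability list the network
    returns to the UE for verification; a mismatch means the list was altered
    in transit, so the UE aborts instead of accepting the selection."""
    ue_mask = capability_mask(ue_supported)
    selected = hss_select(ue_mask, hss_supported)
    if selected is None:
        raise ValueError("no common KASME derivation algorithm")
    amf = encode_amf(selected)                   # goes out in AUTN inside the AV
    hss_kasme = derive_kasme(selected, ck, ik)
    # UE side: verify the echoed capability, decode the AMF, derive the key.
    if echoed_mask is not None and echoed_mask != ue_mask:
        raise ValueError("echoed capability mask differs from what the UE sent")
    ue_choice = decode_amf(amf)
    if ue_choice not in ue_supported:
        raise ValueError("network selected an algorithm the UE did not offer")
    return NegotiationResult(selected, derive_kasme(ue_choice, ck, ik), hss_kasme)


if __name__ == "__main__":
    ck, ik = bytes(range(16)), bytes(range(16, 32))   # constructed sample CK, IK
    result = negotiate(["A", "B", "C"], ["B", "C", "D"], ck, ik)
    print(result.selected, result.ue_kasme == result.hss_kasme)
```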
Description
Method, device and system for algorithm negotiation
[1] This application claims priority to Chinese patent application No. 200810160852.1, filed with the Chinese Patent Office on September 12, 2008 and entitled "Method, device and system for algorithm negotiation", and to Chinese patent application No. 200810067758.1, filed with the Chinese Patent Office on June 13, 2008 and entitled "Method, device and system for algorithm negotiation", the entire contents of which are incorporated herein by reference.
[2] Technical field
[3] The present invention relates to wireless communication technologies, and in particular to a method, device and system for algorithm negotiation.
[4] Background of the invention
[5] 3GPP (the Third Generation Partnership Project) defines a third-generation wireless communication network standard, UMTS (Universal Mobile Telecommunication System). To ensure the future competitiveness of 3GPP, vendors are currently studying EPS (Evolved Packet System) actively in 3GPP.
[6] In the key architecture of the EPS network, the USIM (UMTS Subscriber Identity Module) and the network-side AuC (Authentication Centre) share a key K; the USIM and the AuC derive the keys CK and IK from the shared key K; the AuC sends CK and IK to the HSS (Home Subscriber Server). The UE (User Equipment) and the HSS derive KASME from CK and IK. The algorithm for deriving KASME between the UE and the HSS is fixed by default; hereinafter the algorithm for deriving KASME is also referred to simply as the key derivation algorithm.
[7] In implementing the present invention, the inventors found that the prior art has at least the following problem: as HSSs and UEs are upgraded, HSSs and UEs produced by different manufacturers may support several more secure algorithms for deriving KASME; however, in the prior art the algorithm for deriving KASME between the UE and the HSS is fixed by default, so it is difficult to meet the need to support multiple key derivation algorithms.
[8] Summary of the invention
[9] The embodiments of the present invention provide a method, device and system for algorithm negotiation, so that the HSS and the user equipment can negotiate the key derivation algorithm they both use.
[10] An embodiment of the present invention discloses a method for algorithm negotiation, including: acquiring, by the network side, information about the algorithms for deriving the key KASME that the user equipment supports; selecting an algorithm according to the information about the algorithms supported by the user equipment and the home subscriber server HSS; and using the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
[11] An embodiment of the present invention discloses a network side device, including: a transceiver unit, configured to acquire information about the algorithms for deriving the key KASME supported by a user equipment; and a selecting unit, configured to select an algorithm according to the information about the algorithms supported by the user equipment and the home subscriber server HSS, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
[12] An embodiment of the present invention discloses a user equipment for algorithm negotiation, including: a transceiver unit, configured to send, to a network side device, information about the algorithms for deriving the key KASME supported by the user equipment, and to receive the information about the selected algorithm that the network side device sends after selecting the algorithm.
[13] An embodiment of the present invention discloses a network side device for algorithm negotiation, including: a transceiver unit, configured to acquire information about the algorithms for deriving the key KASME supported by a user equipment; and a selecting unit, configured to select an algorithm according to the information about the algorithms supported by the user equipment and the home subscriber server HSS, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
[14] An embodiment of the present invention discloses a system for algorithm negotiation, including: a user equipment, configured to send, to a network side device, information about the algorithms for deriving the key KASME supported by the user equipment, and to receive the information about the selected algorithm that the network side device sends after selecting the algorithm; and the network side device, configured to acquire the information about the algorithms for deriving the key KASME supported by the user equipment, select an algorithm according to the information about the algorithms that the user equipment supports, and send the information about the selected algorithm to the user equipment.
[15] An embodiment of the present invention discloses a system for algorithm negotiation that can communicate with a user equipment, including an HSS and an MME, where: the HSS is configured to acquire, from an authentication data request message sent by the MME, the information about the algorithms supported by the user equipment, select an algorithm according to the information about the algorithms for deriving the key KASME supported by the user equipment and the HSS, and send the information about the selected algorithm to the MME through an authentication data response message; and the MME is configured to acquire the information about the algorithms for deriving the key KASME supported by the user equipment from the attach or location update request of the user equipment forwarded by the base station, send the information about the algorithms for deriving the key KASME supported by the user equipment to the HSS, and, after the HSS has selected the algorithm, receive the information about the selected algorithm and send it to the user equipment through the base station.
[16] 通过比较可以发现, 上述技术方案中的任一个技术方案与现有技术相比, 具有 如下优点或有益效果: [16] By comparison, it can be found that any one of the above technical solutions has the following advantages or benefits compared with the prior art:
[17] 本发明实施例中, 通过网络侧获取用户设备所能支持的用于推演密钥 KASME 的算法的信息; 根据用户设备和归属客户服务器 HSS所能支持的算法的信息, 选 择算法; 将所选算法作为用户设备和 HSS之间用于推演密钥 KASME的算法; 从 而实现了 HSS和用户设备之间对算法的协商, 方便于对密钥推演算法的灵活选择 [17] In the embodiment of the present invention, the information about the algorithm for deriving the key KASME supported by the user equipment is obtained by the network side; and the algorithm is selected according to the information of the algorithm supported by the user equipment and the home client server HSS; The selected algorithm is used as an algorithm for deriving the key KASME between the user equipment and the HSS; thus, the algorithm is negotiated between the HSS and the user equipment, which is convenient for flexible selection of the key derivation algorithm.
[18] BRIEF DESCRIPTION OF THE DRAWINGS
[19] FIG. 1 is a flowchart of a method for algorithm negotiation according to an embodiment of the present invention;
[20] FIG. 2 is a flowchart of a method for algorithm negotiation according to Embodiment 1 of the present invention;
[21] FIG. 3 is a flowchart of a method for algorithm negotiation according to Embodiment 2 of the present invention;
[22] FIG. 4 is a schematic diagram of one way in which the HSS sets the selected algorithm in the AV in Embodiment 2 of the present invention;
[23] FIG. 5 is a flowchart of a method for algorithm negotiation according to Embodiment 3 of the present invention;
[24] FIG. 6 is a flowchart of a method for algorithm negotiation according to Embodiment 4 of the present invention;
[25] FIG. 7 is a network architecture diagram for the application scenario of Embodiment 5 of the present invention;
[26] FIG. 8 is a diagram of an algorithm negotiation system and device according to an embodiment of the present invention;
[27] FIG. 9 is a diagram of another algorithm negotiation system and device according to an embodiment of the present invention;
[28] FIG. 10 is a schematic diagram of a network side device implementing an embodiment of the present invention.
[29] Mode for carrying out the invention
[30] To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
[31] An embodiment of the present invention provides a method for algorithm negotiation, which specifically includes:
[32] Step a: the network side acquires information about the algorithms for deriving the key KASME that the user equipment can support;
[33] Step b: an algorithm is selected according to the information about the algorithms that the user equipment and the HSS can support;
[34] Step c: the selected algorithm is used as the algorithm for deriving the key KASME between the user equipment and the HSS.
[35] An embodiment of the present invention provides a method for algorithm negotiation, as shown in FIG. 1:
[36] In step 101, the HSS acquires information about the algorithms that the user equipment can support;
[37] In step 102, the HSS selects an algorithm according to the information about the algorithms that the user equipment can support;
[38] In step 103, the HSS sends information about the selected algorithm to the user equipment.
[39] The algorithm information above may specifically be information about the algorithms used to derive KASME. The HSS can acquire the information about the key derivation algorithms that the user equipment can support, and send the information about the selected algorithm, through the MME (Mobility Management Entity) and the base station.
[40] FIG. 2 shows the flow of the method for algorithm negotiation provided by Embodiment 1 of the present invention, including:
[41] Step 201: the UE sends an Attach/TAU Request (attach / location update request) to the eNB (eNodeB, evolved base station); the Attach/TAU Request carries information about the key derivation algorithms supported by the UE.
[42] A specific way of carrying it may be: since the Attach/TAU Request carries the temporary identity of the UE and information such as the UE Network Capability, the information about the key derivation algorithms supported by the UE can be carried in the UE's network capability information.
[43] Step 202: after receiving the Attach/TAU Request, the eNB forwards this message to the MME.
[44] Step 203: the MME decides to trigger the AKA (Authentication and Key Agreement) procedure.
[45] Step 204: during the AKA procedure, the MME sends an Authentication Data Request to the HSS; the Authentication Data Request carries information about the key derivation algorithms supported by the UE.
[46] The Authentication Information Request that the MME sends to the HSS contains a Requesting Node Type IE (Information Element). This IE is mainly used to indicate the type of node requesting the authentication vector, for example MME, SGSN or MME/SGSN. The IE can be extended, for example by adding 4 bits to represent the algorithms supported by the UE: 0001 indicates that algorithm 1 is supported, 0011 indicates algorithms 1 and 2, 0111 indicates algorithms 1, 2 and 3, and 1111 indicates that all four of algorithms 1, 2, 3 and 4 are supported.
[47] It should be particularly noted that algorithm 1, algorithm 2, algorithm 3 and algorithm 4 above stand for four different supportable algorithms and are given only as an example for ease of understanding; they do not limit the scope of application of the embodiments of the present invention. That is, some systems may not use the above algorithm types and names, but it cannot be concluded from this that the technical solutions in the embodiments of the present invention are not applicable to those systems.
[48] Step 205: the HSS selects one of the key derivation algorithms supported by the user equipment.
[49] Step 206: during the AKA procedure, the information about the algorithm selected in step 205 is sent to the MME in an Authentication Data Response message.
[50] Step 207: after receiving the Authentication Data Response sent by the HSS, the MME performs the subsequent AKA procedure with the UE.
[51] Step 208: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is established between the MME and the UE. The MME sends a NAS SMC message to the UE through the eNB; this message carries information about the key derivation algorithm selected by the HSS.
[52] Step 209: after receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over the RRC bearer; the UE obtains the information about the key derivation algorithm selected by the HSS from the NAS SMC message.
[53] It is worth mentioning that, because the eNB could tamper with the UE's algorithms, the algorithms supported by the UE have to be sent back from the network side to the UE for verification. One way to send them back is: in step 208, the MME places the UE-supported algorithms it received in step 202 into the NAS SMC message sent to the UE. Alternatively, in step 205 the HSS may use any 4 bits of the AMF (Authentication Management Field) in the AV (Authentication Vector) to represent the UE-supported algorithms received from the MME in step 204, and these are delivered to the UE through steps 206 and 207.
[54] The AMF above is the authentication management field contained in the AUTN (Authentication token) of the AV (Authentication Vector); it is included in the Authentication Data Response of step 206 and sent to the M
[55] In this embodiment, the UE reports the information about the key derivation algorithms it supports to the HSS, the HSS makes a selection among those algorithms and feeds it back to the UE, thereby establishing an algorithm negotiation mechanism between the UE and the HSS. This achieves flexible selection of the key derivation algorithm, and requires only small modifications to the prior-art uplink interface protocol between the MME and the HSS.
FIG. 3 shows the flow of the method for algorithm negotiation provided by Embodiment 2 of the present invention. The main difference from Embodiment 1 is the way in which the HSS, after selecting a key derivation algorithm, carries the information about the selected algorithm. The method specifically includes:
Steps 301, 302, 303 and 304 correspond to and are the same as steps 201, 202, 203 and 204 of Embodiment 1, and are not repeated here.
Step 305: after the HSS selects a key derivation algorithm supported by the UE, it carries the information about the selected algorithm in the AV. A specific way of carrying it may be: one or several bits of the AMF contained in the AUTN of the AV are used to represent the information about the selected algorithm.
At present the AMF has 16 bits. Bit 0 has already been specified as the separation bit; setting this bit indicates that the AV is an SAE AV. The remaining bits 1 to 7 are reserved for standardization, and bits 8 to 15 are for proprietary use. Therefore certain of bits 8 to 15 can be chosen to represent the key derivation algorithm, and the HSS indicates the information about the selected algorithm by setting these bits. An example follows:
FIG. 4 is a schematic diagram of one way in which the HSS sets the selected algorithm in the AV in step 305 of Embodiment 2 of the present invention, as follows: suppose the UE supports four key derivation algorithms A, B, C and D for the HSS to choose from, and has agreed with the HSS that they are represented by 00, 01, 10 and 11 respectively; after the HSS has chosen among the four algorithms, it records the selected algorithm in the AMF by setting bits. For example, if the HSS selects algorithm A, it may set bits 14 and 15 of the AMF to 0 and 0 respectively to indicate the selection result; if the HSS sets bits 14 and 15 to 0 and 1 respectively, this indicates that algorithm B has been selected.
It should be particularly pointed out that the HSS may also agree with the UE on other representations, depending on factors such as the number of algorithm types the UE has, or may choose one or several other bits of the AMF to carry the selection result.
Step 306: during the AKA procedure, the HSS sends the AV carrying the information about the selected algorithm to the MME in an Authentication Data Response message.
Step 307: during the subsequent AKA procedure, the MME and the eNB forward the AV to the UE, and the UE, through the A
[65] It should be particularly noted that FIG. 4, referred to in Embodiment 2 of the present invention, is one case in which the HSS indicates the selected algorithm by setting bits, and is given only as an example for ease of understanding. The types and names of the UE algorithms in FIG. 4, such as A, B, C, D, 00, 01, 10 and 11, do not limit the scope of application of the embodiments of the present invention. That is, some systems may not use the above algorithm types and names, but it cannot be concluded from this that the technical solutions in the embodiments of the present invention are not applicable to those systems.
[66] It is worth mentioning that, because the eNB could tamper with the UE's algorithms, the algorithms supported by the UE have to be sent back from the network side to the UE for verification. The way of sending them back is roughly the same as in Embodiment 1 and is not repeated here.
[67] In this embodiment, the HSS represents the information about the selected algorithm with certain bits of the AMF and carries it in the AUTN sent to the user equipment, which makes full use of existing resources and achieves flexible selection of the key derivation algorithm. At the same time, by having the HSS inform the UE of the selected algorithm by setting bits in the AMF, the method requires only small modifications to the downlink protocol.
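The two encodings described in Embodiments 1 and 2 (the 4-bit UE capability field added to the Requesting Node Type IE, and the 2-bit selection recorded in AMF bits 14 and 15) and the replay check of paragraphs [53] and [66] can be written out end to end. The following is an added example and not code from the patent: the algorithm names A to D, the 0b0001-style bitmap, and the AMF bit numbering (bit 0 taken as the most significant bit, as in the 3GPP convention) are assumptions made for illustration.

```python
"""Capability bitmap (Embodiment 1, step 204), AMF encoding (Embodiment 2,
step 305) and the UE-side replay check. Constructed example, not the
patent's own code."""

# Placeholder algorithm names: the patent only says "algorithm 1..4" / "A..D".
ALGORITHM_NAMES = {1: "A", 2: "B", 3: "C", 4: "D"}
SELECTION_CODE = {"A": 0b00, "B": 0b01, "C": 0b10, "D": 0b11}   # agreed UE/HSS codes


def encode_ue_capability(supported):
    """Pack the supported algorithm numbers (1..4) into the 4-bit field the
    patent proposes for the Requesting Node Type IE. Bit (i-1) set means
    algorithm i is supported, which reproduces the page's examples:
    {1} -> 0b0001, {1,2} -> 0b0011, {1,2,3} -> 0b0111, {1,2,3,4} -> 0b1111."""
    field = 0
    for alg in supported:
        if not 1 <= alg <= 4:
            raise ValueError(f"algorithm number out of range: {alg}")
        field |= 1 << (alg - 1)
    return field


def decode_ue_capability(field):
    """Inverse of encode_ue_capability; rejects anything wider than 4 bits."""
    if not 0 <= field <= 0xF:
        raise ValueError("capability field must fit in 4 bits")
    return {i + 1 for i in range(4) if (field >> i) & 1}


# AMF handling. The AMF is 16 bits numbered 0..15 on the page, bit 0 being the
# separation bit. This example assumes the 3GPP numbering in which bit 0 is the
# most significant bit, so page bit n is bit (15 - n) counted from the LSB end.
AMF_SEPARATION_BIT = 0
AMF_SELECTION_BITS = (14, 15)   # two of the proprietary bits 8..15, as on the page


def _mask(page_bit):
    return 1 << (15 - page_bit)


def hss_set_selected_algorithm(amf, algorithm):
    """Record the chosen algorithm in AMF bits 14 (high bit of the 2-bit code)
    and 15 (low bit); every other AMF bit is left as it was."""
    code = SELECTION_CODE[algorithm]
    hi, lo = AMF_SELECTION_BITS
    amf &= ~(_mask(hi) | _mask(lo)) & 0xFFFF
    if code & 0b10:
        amf |= _mask(hi)
    if code & 0b01:
        amf |= _mask(lo)
    return amf


def ue_read_selected_algorithm(amf):
    """UE side: recover the algorithm name from AMF bits 14 and 15 of AUTN."""
    hi, lo = AMF_SELECTION_BITS
    code = (1 if amf & _mask(hi) else 0) << 1 | (1 if amf & _mask(lo) else 0)
    return next(name for name, c in SELECTION_CODE.items() if c == code)


def ue_capability_echo_ok(sent_field, echoed_field):
    """Replay check from paragraphs [53]/[66]: the UE compares the capability
    field the network echoes back (in NAS SMC, or in 4 AMF bits) with the one
    it sent. A mismatch means the list was altered on the way, so the UE must
    not accept the negotiated algorithm."""
    return sent_field == echoed_field


def run_negotiation(ue_supported, hss_choice, tampered_field=None):
    """End-to-end walk: UE encodes -> HSS records its choice in the AMF -> UE
    decodes the choice and checks the echoed capability. `tampered_field`
    simulates a capability list altered between UE and HSS."""
    sent = encode_ue_capability(ue_supported)
    received = sent if tampered_field is None else tampered_field
    if hss_choice not in {ALGORITHM_NAMES[n] for n in decode_ue_capability(received)}:
        raise ValueError("HSS must pick an algorithm the UE reported")
    amf = _mask(AMF_SEPARATION_BIT)              # SAE AV: separation bit set
    amf = hss_set_selected_algorithm(amf, hss_choice)
    chosen = ue_read_selected_algorithm(amf)
    return chosen, ue_capability_echo_ok(sent, received)


if __name__ == "__main__":
    print(run_negotiation({1, 2, 3}, "B"))                          # ('B', True)
    print(run_negotiation({1, 2, 3}, "B", tampered_field=0b0011))   # ('B', False)
```

The second call shows why the replay matters: the UE sent 0111, the network echoes 0011, and although the HSS's choice B is still one the UE supports, the UE can tell that algorithm 3 was removed from its list on the way and can reject the result.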
[68] FIG. 5 shows the flow of the method for algorithm negotiation provided by Embodiment 3 of the present invention. The main difference from Embodiment 1 is that the MME decides which key derivation algorithm is selected. The method specifically includes:
[69] Steps 501 and 502 correspond to and are the same as steps 201 and 202 of Embodiment 1, and are not repeated here.
[70] Step 503: the MME decides to perform AKA and, according to the algorithms supported by the UE and the HSS and its local policy, selects an algorithm that both the UE and the HSS support.
[71] It should be noted that the MME may learn the algorithms supported by the HSS in the following ways: they are configured on the MME in advance, or the HSS reports its supported algorithms to the MME in a separately added message before step 503.
[72] The local policy above may be: the MME selects the algorithm with the highest security from among the algorithms supported by both the UE and the HSS.
[73] Step 504: the MME sends to the HSS an Authentication Data Request carrying the algorithm selected in step 503.
[74] Step 505: the HSS derives KASME from CK and IK according to the algorithm selected by the MME, and sends an Authentication Data Response message to the MME.
[75] The Authentication Data Response may carry the KASME derived by the HSS.
[76] Step 506: after receiving the Authentication Data Response sent by the HSS, the MME performs the subsequent AKA procedure with the UE.
Step 507: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is established between the MME and the UE. The MME sends a NAS SMC message to the UE through the eNB; this message carries information about the selected key derivation algorithm.
[78] Step 508: after receiving the NAS SMC message from the MME, the eNB establishes an RRC (Radio Resource Control) bearer with the UE and forwards the NAS SMC message to the UE over the RRC bearer; the UE obtains the information about the selected key derivation algorithm from the NAS SMC message.
[79] It is worth mentioning that, because the eNB could tamper with the UE's algorithms, in step 507 the MME has to send the algorithms supported by the UE back from the network side to the UE for verification. The way of sending them back is roughly the same as the way the MME sends back the UE-supported algorithms in Embodiment 1, and is not repeated here.
[80] In this embodiment, the MME selects the algorithm for deriving the key KASME between the UE and the HSS according to the key derivation algorithms supported by the UE and the HSS, thereby establishing an algorithm negotiation mechanism between the UE and the HSS and achieving flexible selection of the key derivation algorithm.
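The MME-side selection of steps 503 to 505 (the local policy of paragraph [72], the two ways of learning the HSS's list in paragraph [71], and the HSS deriving KASME with the algorithm named in the Authentication Data Request) can be modelled as follows; the target MME of Embodiment 4 applies the same rule in step 613. This is an added example and not code from the patent: the two stand-in derivation functions, their names, the strength ranking, and the sample CK/IK values are all constructed for illustration, since the patent names no concrete algorithm.

```python
"""MME-side selection with a local policy (Embodiment 3, steps 503-505; the
target MME of Embodiment 4, step 613, applies the same rule). Constructed
example, not the patent's own code."""
import hashlib
import hmac

# Stand-in key derivation functions. The patent names no concrete KDF; these
# two are placeholders chosen only so that a mismatch between the ends is
# observable in the derived key.
def _kdf_hmac_sha1(ck, ik, context):
    return hmac.new(ck + ik, context, hashlib.sha1).digest()

def _kdf_hmac_sha256(ck, ik, context):
    return hmac.new(ck + ik, context, hashlib.sha256).digest()

KDF_TABLE = {"kdf-1": _kdf_hmac_sha1, "kdf-2": _kdf_hmac_sha256}

# Local policy (assumption): a strength ranking, later entries being stronger.
# Paragraph [72] says the MME picks the most secure common algorithm.
LOCAL_POLICY_RANK = ["kdf-1", "kdf-2"]


def mme_select_kdf(ue_supported, hss_supported, policy_rank=LOCAL_POLICY_RANK):
    """Return the strongest algorithm supported by both UE and HSS that the
    local policy knows, or None when there is no common algorithm."""
    common = set(ue_supported) & set(hss_supported)
    candidates = [a for a in policy_rank if a in common]
    return candidates[-1] if candidates else None


def hss_known_algorithms(forwarded=None, preconfigured=()):
    """Paragraphs [71]/[98]: use the HSS list received in a message when one was
    received, otherwise the list pre-configured on the MME."""
    return set(forwarded) if forwarded is not None else set(preconfigured)


def hss_derive_kasme(ck, ik, serving_network_id, selected_kdf):
    """Step 505: the HSS derives KASME from CK and IK with the algorithm named
    in the Authentication Data Request. An unknown name is a protocol error."""
    try:
        kdf = KDF_TABLE[selected_kdf]
    except KeyError:
        raise ValueError(f"HSS does not support {selected_kdf!r}") from None
    return kdf(ck, ik, serving_network_id)


def run_embodiment3(ue_supported, hss_supported, ck, ik, serving_network_id):
    """Steps 503-508 in miniature: the MME selects, names the choice to the HSS
    in the Authentication Data Request and to the UE in NAS SMC, and both ends
    derive KASME with the same named function. Returns (chosen, keys_match)."""
    chosen = mme_select_kdf(ue_supported, hss_supported)
    if chosen is None:
        return None, False
    auth_data_request = {"requesting_node_type": "MME", "selected_kdf": chosen}
    kasme_hss = hss_derive_kasme(ck, ik, serving_network_id,
                                 auth_data_request["selected_kdf"])
    nas_smc = {"selected_kdf": chosen,
               "ue_capability_echo": sorted(ue_supported)}   # replay for [79]
    kasme_ue = KDF_TABLE[nas_smc["selected_kdf"]](ck, ik, serving_network_id)
    return chosen, hmac.compare_digest(kasme_hss, kasme_ue)


# Constructed sample inputs: 128-bit CK and IK and a serving network identity.
SAMPLE_CK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_IK = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SAMPLE_SN_ID = b"example-sn-id"

if __name__ == "__main__":
    print(run_embodiment3({"kdf-1", "kdf-2"}, {"kdf-1", "kdf-2"},
                          SAMPLE_CK, SAMPLE_IK, SAMPLE_SN_ID))   # ('kdf-2', True)
    print(run_embodiment3({"kdf-1"}, {"kdf-2"},
                          SAMPLE_CK, SAMPLE_IK, SAMPLE_SN_ID))   # (None, False)
```

The no-common-algorithm case is returned explicitly rather than silently falling back to a default, because a silent default would let the two ends derive KASME with different functions, which is exactly the situation the negotiation exists to prevent.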
[81] FIG. 6 shows the flow of the method for algorithm negotiation provided by Embodiment 4 of the present invention, which mainly concerns the method of algorithm negotiation between the UE and the HSS in the scenario of handover between EPS networks. The method specifically includes:
[82] Step 601: the source eNB in the network where the UE is currently located decides to perform handover.
[83] Step 602: the source eNB sends Handover Required to the source MME.
[84] Step 603: the source MME sends a Forward Relocation Request to the target MME in the handover target network, carrying information about the UE's key derivation algorithms.
[85] The Forward Relocation Request contains the UE's security capabilities, and the UE's security capabilities may include the key derivation algorithms supported by the UE.
[86] Optionally, the source MME may notify the target MME of the algorithms supported by the HSS in this message.
[87] Steps 604-610 complete the subsequent handover procedure, as follows:
[88] Step 604: the target MME sends a handover request to the target eNB.
[89] Step 605: the target eNB sends a handover request acknowledgement to the target MME.
[90] Step 606: the target MME sends a forward relocation response to the source MME.
[91] Step 607: the source MME sends a handover command to the source eNB.
[92] Step 608: the source eNB sends the handover command to the UE.
[93] Step 609: the UE sends a handover confirmation to the target eNB.
[94] Step 610: the target eNB sends a handover notification to the target MME.
[95] Step 611: after the handover succeeds, the UE sends a TAU (Tracking Area Update) request to the target eNB.
[96] Step 612: the target eNB forwards the TAU request to the target MME.
[97] Step 613: the target MME decides to perform the AKA authentication procedure, and selects an algorithm from the algorithms supported by the UE and the HSS according to its local policy.
[98] Since the target MME already learned the algorithms supported by the UE in step 603, if the target MME also obtained the algorithms supported by the HSS in step 603, it can select an algorithm supported by both the UE and the HSS according to its local policy. If in step 603 the target MME did not obtain the HSS-supported algorithms from the source MME, the target MME may learn the algorithms supported by the HSS as follows: they are configured on the target MME in advance, or the HSS reports its supported algorithms to the target MME in a separately added message before step 613.
[99] Step 614: the target MME sends an Authentication Data Request to the HSS. This Authentication Data Request also contains the algorithm selected by the target MME; that is, the target MME uses this message to inform the HSS of the algorithm selected in step 613.
[100] Step 615: the HSS derives KASME from CK and IK according to the algorithm selected by the target MME, and sends an Authentication Data Response message to the target MME.
[101] Step 616: the subsequent AKA authentication procedure is performed between the target MME and the UE.
[102] Step 617: after the AKA procedure succeeds, a NAS (Non-Access Stratum) SMC (Security Mode Command) procedure is established between the target MME and the UE. The target MME sends a NAS SMC message to the UE through the target eNB; this message carries information about the selected key derivation algorithm.
[103] Step 618: after receiving the NAS SMC message from the target MME, the target eNB establishes an RRC bearer with the UE and forwards the NAS SMC message to the UE over the RRC bearer; the UE obtains the information about the selected key derivation algorithm from the NAS SMC message.
[104] It is worth mentioning that, because the eNB could tamper with the UE's algorithms, in step 617 the target MME has to send the algorithms supported by the UE back from the network side to the UE for verification. The way of sending them back is roughly the same as the way the MME sends back the UE-supported algorithms in Embodiment 1, and is not repeated here.
[105] In this embodiment, by having the MME participate in algorithm selection, the problem of algorithm negotiation between the UE and the HSS in the scenario of handover between EPS networks is solved.
[106] 本发明实施例 5所提供的算法协商的方法流程主要涉及 EPS到 2G/3G网络切换场 景下 UE和 HSS之间的密钥推演算法协商方法。 [106] The algorithm negotiation method provided by Embodiment 5 of the present invention mainly relates to a key deduction algorithm negotiation method between a UE and an HSS in an EPS to 2G/3G network handover scenario.
[107] 在 2G/3G系统中, 有可能运营商没有来得及升级 HLR (Home Location Register 位置归属寄存器) 至具备 HSS的功能, 所以釆用 IWF(Interworking Function 网络互通功能单元)来实现 HLR与 EPS系统的互通, 即 IWF与 HLR联合起来起到 H SS的作用。 此吋, UE和 HSS之间密钥推演算法协商要在 UE和代表 HSS部分功能 的 IWF之间进行, 由 IWF实现 CK/IK到 KASME的推演。 网络架构如图 7所示。 具 体算法协商方法包括: [107] In the 2G/3G system, it is possible that the operator has no time to upgrade the HLR (Home Location Register) to the HSS function, so the IWF (Interworking Function Interworking Function Unit) is used to implement the HLR and EPS system. Interworking, that is, the IWF and the HLR are combined to function as H SS. In this case, the key derivation algorithm negotiation between the UE and the HSS is performed between the UE and the IWF representing the HSS part function, and the IWF implements the derivation of CK/IK to KASME. The network architecture is shown in Figure 7. Specific algorithm negotiation methods include:
[108] IWF、 UE分别上报自己支持的算法给 MME, 上报方法同实施例 3中 HSS和 UE向 MME上报算法的过程大致对应相同, 主要区别在于用 IWF代替 HSS执行算法协 商功能。 然后 MME根据本地策略决定一种 UE和 IWF之间的算法, 并将此算法告 知给 UE和 IWF, 其告知过程与实施例 3中 MME在选择算法后告知 UE和 HSS的方 式对应相同。 [108] The IWF and the UE respectively report the algorithms supported by the UE to the MME, and the reporting method is similar to the process in which the HSS and the UE report the algorithm to the MME in Embodiment 3, and the main difference is that the IWF is used instead of the HSS to perform the algorithm negotiation function. Then, the MME determines an algorithm between the UE and the IWF according to the local policy, and notifies the UE to the UE and the IWF, and the notification process is the same as the method in which the MME in the third embodiment informs the UE and the HSS after selecting the algorithm.
[109] 本实施例为避免 eNB篡改 UE的算法, MME可以将 UE支持的算法从网络侧回传 给 UE进行验证。 回传的方法与实施例 1中 MME回传 UE支持的算法的方法大致相 同, 在此不再赞述。 In this embodiment, in order to avoid the eNB tampering with the UE, the MME may return the algorithm supported by the UE from the network side to the UE for verification. The method of the backhaul is substantially the same as the method in which the MME returns the algorithm supported by the UE in Embodiment 1, and is not mentioned here.
[110] This embodiment solves the problem of negotiating the key derivation algorithm between the UE and the HSS in the handover scenario from EPS to a 2G/3G network.
[111] Those of ordinary skill in the art will understand that all or part of the steps in the above embodiments may be implemented by hardware under the control of program instructions, and that the program may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc.
[112] It will also be understood that, although the above description presents the method steps sequentially for ease of understanding, the order of these steps is not strictly limited.
[113] Figure 10 is a schematic diagram of a network-side device provided by an embodiment of the present invention. The network-side device includes a transceiver unit 1001 and a selection unit 1002. The transceiver unit 1001 is configured to obtain information about the algorithms that the user equipment can support for deriving the key KASME; the selection unit 1002 is configured to select an algorithm according to the information about the algorithms that the user equipment and the home subscriber server HSS can support, and to use the selected algorithm as the algorithm for deriving the key KASME between the user equipment and the HSS.
[114] The network-side device may be an HSS or an MME.
[115] When the network-side device is an HSS, the transceiver unit 1001 is further configured to send the algorithm selected by the selection unit 1002 to the UE.
[116] When the network-side device is an MME, the transceiver unit 1001 is further configured to obtain information about the algorithms supported by the HSS, and to send the algorithm selected by the selection unit 1002 to the UE and to the HSS respectively.
[117] The following describes an embodiment of a mobile communication system according to an embodiment of the present invention. The system can implement the steps described in the method embodiments above. It will be understood that the system in the embodiment of the present invention may also contain many other entities that implement communication functions; techniques that may be disclosed in other prior art belong to standardized techniques in the communications field, and their details are not repeated in this embodiment. To present the implementation of the embodiment of the present invention, only the main parts of the system are pointed out here. Referring to Figure 8, the system 80 includes a user equipment 81 and a network-side device HSS 82 communicating with it, where:
[118] The user equipment 81 includes a transceiver unit 811, configured to send information about the algorithms that the user equipment can support to the network-side device HSS 82, and to receive the information about the selected algorithm sent by the HSS 82 after it selects the algorithm.
[119] The network-side device HSS 82 includes a transceiver unit 821 and a selection unit 822. The transceiver unit 821 is configured to obtain information about the algorithms that the user equipment 81 can support, and to send information about the algorithm selected by the selection unit 822 to the user equipment 81; the selection unit 822 is configured to select an algorithm according to the information about the algorithms that the user equipment 81 can support. The selection unit 822 may further be configured to set the information about the selected algorithm into the authentication vector AV by setting bits.
[120] The transceiver unit 821 may obtain the information about the algorithms that the user equipment can support from the authentication data request message sent by the MME, and send the information about the algorithm selected by the selection unit 822 to the MME in the authentication data response message.
[121] Figure 9 is a schematic diagram of another system 90 provided by an embodiment of the present invention. The system 90 includes a user equipment 91 and a network-side device MME 92 communicating with it, where:
[122] The user equipment 91 includes a transceiver unit 911, configured to send information about the algorithms that the user equipment can support to the network-side device MME 92, and to receive the information about the selected algorithm sent by the MME 92 after it selects the algorithm.
[123] The network-side device MME 92 includes a transceiver unit 921 and a selection unit 922. The transceiver unit 921 is configured to obtain information about the algorithms that the user equipment 91 and the HSS can support, and to send information about the algorithm selected by the selection unit 922 to the HSS and to the user equipment 91; the selection unit 922 is configured to select an algorithm according to the information about the algorithms that the user equipment 91 can support.
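As an added illustration (not code from the patent), the following Python model covers both the IWF embodiment of [107]-[109] and the two systems of Figures 8 and 9: the selection unit picks the first entry of a local policy order that both the UE and the HSS (or IWF) support, the HSS-selects variant places the choice in the AV, and the MME-selects variant echoes the UE's reported list back so the UE can detect that an intermediate node altered it. Algorithm names, the policy order and the AV fields are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed algorithm identifiers and MME local policy order (preferred first);
# the patent does not name concrete KASME derivation algorithms.
MME_LOCAL_POLICY = ["KDF-A", "KDF-B", "KDF-C"]


def select_algorithm(ue_algs: List[str], net_algs: List[str],
                     policy: List[str] = MME_LOCAL_POLICY) -> str:
    """Selection unit (1002/822/922): first policy entry supported by both the UE
    and the network-side key holder (HSS, or the IWF standing in for it)."""
    common = set(ue_algs) & set(net_algs)
    for alg in policy:
        if alg in common:
            return alg
    raise ValueError("no common KASME derivation algorithm")


def mme_negotiate(ue_reported: List[str], net_algs: List[str]) -> Dict:
    """MME-selects variant (system 90): choose an algorithm and echo the UE list
    exactly as received, so the UE can check it was not modified on the way.
    The echo only has value if the reply itself is integrity protected."""
    return {"selected": select_algorithm(ue_reported, net_algs),
            "ue_algs_echo": list(ue_reported)}


def ue_verify(reply: Dict, ue_sent: List[str]) -> bool:
    """UE side of [109]: the echoed list must equal what the UE actually sent."""
    return sorted(reply["ue_algs_echo"]) == sorted(ue_sent)


def hss_select_into_av(ue_algs: List[str], hss_algs: List[str]) -> Dict:
    """HSS-selects variant (system 80): the HSS chooses and sets the choice in the
    authentication vector returned in the authentication data response."""
    av = {"RAND": b"\x00" * 16, "AUTN": b"\x00" * 16}  # constructed dummy AV fields
    av["selected_alg"] = select_algorithm(ue_algs, hss_algs)
    return av


def run(ue_algs: List[str], net_algs: List[str], removed=()) -> Tuple[str, bool]:
    """One MME-selects negotiation. `removed` models entries an intermediate node
    dropped from the UE's list in transit; the echo check is meant to expose it."""
    as_received = [a for a in ue_algs if a not in removed]
    reply = mme_negotiate(as_received, net_algs)
    return reply["selected"], ue_verify(reply, ue_algs)


if __name__ == "__main__":
    print(run(["KDF-A", "KDF-C"], ["KDF-A", "KDF-B", "KDF-C"]))            # ('KDF-A', True)
    print(run(["KDF-A", "KDF-C"], ["KDF-A", "KDF-B", "KDF-C"], {"KDF-A"}))  # ('KDF-C', False)
```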
[124] It will be understood that the structures shown in the drawings are merely schematic and represent logical structures; units shown as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network units.
[125] The drawings and the related description only illustrate the principles of the present invention and are not intended to limit its scope of protection. For example, the message names in the embodiments of the present invention may vary from network to network, and some messages may be omitted. Therefore, any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention are included in the scope of protection of the present invention.
[126] Although the present invention has been illustrated and described with reference to certain preferred embodiments thereof, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the present invention.
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810067758.1 | 2008-06-13 | ||
| CN200810067758 | 2008-06-13 | ||
| CN200810160852.1 | 2008-09-12 | ||
| CN2008101608521A CN101605324B (en) | 2008-06-13 | 2008-09-12 | Method, device and system for negotiating algorithm |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2009149666A1 true WO2009149666A1 (en) | 2009-12-17 |
Family
ID=41416382
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2009/072237 Ceased WO2009149666A1 (en) | 2008-06-13 | 2009-06-11 | Method, device and system for negotiating algorithm |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101605324B (en) |
| WO (1) | WO2009149666A1 (en) |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101605324B (en) | 2011-06-01 |
| CN101605324A (en) | 2009-12-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09761291; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 09761291; Country of ref document: EP; Kind code of ref document: A1 |