WO2011098048A1 - Radio node accessing network method, system and relay node - Google Patents
- Publication number
- WO2011098048A1 (PCT/CN2011/070948)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- relay node
- certificate
- base station
- donor base
- mobility management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a wireless node access method, system, and relay node.
Background of the invention
- a relay node (Relay Node, RN for short) is introduced in the Long Term Evolution - Advanced (LTE-A).
- LTE-A Long Term Evolution - Advanced
- the RN is used to improve the throughput at the edge of a communication cell and to facilitate temporary network deployment by operators or users.
- the RN can be deployed in hotspots or blind spots in rural areas, cities, indoors, and the like.
- the RN, when it accesses the network, is treated like an additional User Equipment (UE); therefore, when the RN enters the network, a certificate-based authentication method cannot be implemented.
- RAN Radio Access Network
- UE User Equipment
- the purpose of the embodiments of the present invention is to provide a wireless node access method, system, and relay node, so as to implement a certificate-based authentication method when the RN enters the network.
- the embodiment of the invention provides a wireless node network access method, including:
- the embodiment of the invention further provides a relay node, including:
- a sending module configured to send, in the process of establishing a radio resource control connection between the relay node and the donor base station integrated with the home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node, so that the donor base station authenticates the relay node according to the certificate of the relay node;
- a receiving and authentication module configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
- a calculation module configured to calculate the basic key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving and authentication module, if the relay node and the donor base station are successfully authenticated;
- a bearer establishing module configured to perform authentication and key agreement with the mobility management entity based on the basic key K calculated by the calculation module, to perform non-access stratum security mode control with the mobility management entity, and to perform access stratum security mode control with the donor base station, so as to establish a radio bearer with the donor base station.
- the embodiment of the invention further provides a wireless node network access system, comprising: a mobility management entity, a donor base station integrated with a home subscriber server, and a relay node as described above,
- the donor base station integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the basic key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to perform access stratum security mode control with the relay node according to the access stratum key calculated from the basic key K;
- the mobility management entity is configured to obtain an authentication vector calculated by the donor base station integrated with the home subscriber server based on the basic key K, to perform authentication and key agreement with the relay node according to the authentication vector, and to perform non-access stratum security mode control with the relay node according to the non-access stratum key calculated from the basic key K.
- the embodiment of the invention further provides a wireless node network access method, including:
- the embodiment of the invention further provides a relay node, including:
- a sending module configured to send, through the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the home subscriber server in the process of establishing a radio resource control connection between the relay node and the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
- a receiving and authentication module configured to receive, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and to authenticate the home subscriber server according to the certificate of the home subscriber server;
- a calculation module configured to calculate the basic key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving and authentication module, if the relay node and the home subscriber server are successfully authenticated;
- a bearer establishing module configured to perform authentication and key agreement with the mobility management entity based on the basic key K calculated by the calculation module, to perform non-access stratum security mode control with the mobility management entity, and to perform access stratum security mode control with the donor base station, so as to establish a radio bearer with the donor base station.
- the embodiment of the invention further provides a wireless node network access system, comprising: a mobility management entity, a home subscriber server, a donor base station, and a relay node as described above,
- the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node; and to calculate the basic key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
- the mobility management entity is configured to acquire an authentication vector calculated by the home subscriber server based on the basic key K, to perform authentication and key agreement with the relay node according to the authentication vector, and to perform non-access stratum security mode control with the relay node according to the non-access stratum key calculated from the basic key K;
- the donor base station is configured to acquire an access stratum key calculated by the home subscriber server based on the basic key K, and to perform access stratum security mode control with the relay node according to the access stratum key.
- the embodiment of the invention further provides a wireless node network access method, including:
- the embodiment of the invention further provides a relay node, including:
- a connection establishing module configured to complete the establishment of a radio resource control connection between the relay node and the donor base station;
- a sending module configured to send an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the mobility management entity integrated with the home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node;
- a receiving and authentication module configured to receive, from the mobility management entity, a non-access stratum message carrying the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity, and to authenticate the mobility management entity according to the certificate of the mobility management entity;
- a calculation module configured to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity received by the receiving and authentication module, if the relay node and the mobility management entity are successfully authenticated;
- a bearer establishing module configured to perform non-access stratum security mode control with the mobility management entity based on the shared key calculated by the calculation module, and to perform access stratum security mode control with the donor base station, so as to establish a radio bearer with the donor base station.
- the embodiment of the invention further provides a wireless node network access system, comprising: a mobility management entity integrated with a home subscriber server, a donor base station, and a relay node as described above,
- the mobility management entity integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node; to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity; and to perform non-access stratum security mode control with the relay node according to the non-access stratum key calculated from the shared key;
- the donor base station is configured to acquire an access stratum key calculated by the mobility management entity integrated with the home subscriber server based on the shared key, and to perform access stratum security mode control with the relay node according to the access stratum key.
- the embodiment of the invention further provides a wireless node network access method, including:
- the authentication key AK is used as a temporary key KeNB shared by the relay node and the donor base station, and based on the temporary key KeNB, performs access layer security mode control with the donor base station.
- the embodiment of the invention further provides a relay node, including:
- a sending module configured to send, to the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node in the process of establishing a radio resource control connection and/or establishing a radio bearer between the relay node and the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
- a receiving and authentication module configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
- a calculation module configured to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving and authentication module, if the relay node and the donor base station are successfully authenticated;
- a bearer establishing module configured to use the authentication key AK calculated by the calculation module as a temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the donor base station based on the temporary key KeNB.
- the embodiment of the invention further provides a wireless node network access system, comprising: a donor base station and a relay node as described above,
- the donor base station is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
- and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, performing access stratum security mode control with the relay node according to the temporary key KeNB.
- the embodiment of the invention further provides a wireless node network access method, including:
- the key exchange security association initial negotiation response message, to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station,
- the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station;
- the embodiment of the invention further provides a relay node, including:
- a parameter exchange module configured to send an Internet Key Exchange Security Association Initial Negotiation Request message to the donor base station after completing the process of establishing a radio resource control connection and establishing a radio bearer between the relay node and the donor base station, and to receive the Internet Key Exchange Security Association Initial Negotiation Response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station;
- a first sending module configured to send an Internet Key Exchange Authentication Request message to the donor base station, where the Internet Key Exchange Authentication Request message carries information requesting the certificate of the donor base station; and a receiving and authentication module configured to receive, from the donor base station, an Internet Key Exchange Authentication Response message carrying the certificate of the donor base station, and to authenticate the donor base station according to the certificate of the donor base station, where the Internet Key Exchange Authentication Response message further carries information requesting the certificate of the relay node;
- an embodiment of the present invention further provides a wireless node network access system, including: a donor base station and a relay node as described above,
- the donor base station is configured to receive the Internet Key Exchange Security Association Initial Negotiation Request message sent by the relay node and to return the Internet Key Exchange Security Association Initial Negotiation Response message to the relay node, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, the Diffie-Hellman parameters being used to negotiate a security association between the relay node and the donor base station; to receive the Internet Key Exchange Authentication Request message sent by the relay node, where the Internet Key Exchange Authentication Request message carries information requesting the certificate of the donor base station; to return to the relay node the Internet Key Exchange Authentication Response message carrying the certificate of the donor base station, where the Internet Key Exchange Authentication Response message further carries information requesting the certificate of the relay node; and to receive the Internet Key Exchange Authentication Response message sent by the relay node carrying the certificate of the relay node, and authenticate the relay node according to the certificate of the relay node.
- the wireless node network access method, system, and relay node carry a certificate in the messages exchanged between the relay node and the donor base station, the home subscriber server, or the mobility management entity, and the key negotiated in that exchange is used to establish a radio bearer between the relay node and the donor base station, thereby implementing a certificate-based authentication method for relay node network access and making network-side relay node access more secure.
- FIG. 1 is a schematic flowchart diagram of a first embodiment of a wireless node network access method according to the present invention
- FIG. 2 is a signaling flowchart of a second embodiment of a wireless node network access method according to the present invention.
- FIG. 3 is a signaling flowchart of a third embodiment of a wireless node network access method according to the present invention.
- FIG. 4 is a schematic structural diagram of a first embodiment of a relay node according to the present invention
- FIG. 5 is a schematic structural diagram of a first embodiment of a wireless node network access system according to the present invention.
- FIG. 6 is a schematic flowchart of a fourth embodiment of a wireless node network access method according to the present invention
- FIG. 7 is a signaling flowchart of a fifth embodiment of a wireless node network access method according to the present invention.
- FIG. 8 is a schematic structural diagram of a second embodiment of a relay node according to the present invention.
- FIG. 9 is a schematic structural diagram of a second embodiment of a wireless node network access system according to the present invention.
- FIG. 10 is a schematic flowchart diagram of a sixth embodiment of a wireless node network access method according to the present invention.
- FIG. 11 is a signaling flowchart of a seventh embodiment of a wireless node network access method according to the present invention.
- FIG. 12 is a schematic structural diagram of a third embodiment of a relay node according to the present invention.
- FIG. 13 is a schematic structural diagram of a third embodiment of a wireless node network access system according to the present invention.
- FIG. 14 is a schematic flowchart of an eighth embodiment of a wireless node network access method according to the present invention.
- FIG. 15 is a signaling flowchart of a ninth embodiment of a wireless node network access method according to the present invention.
- FIG. 16 is a signaling flowchart of a tenth embodiment of a wireless node network access method according to the present invention.
- FIG. 17 is a signaling flowchart of an eleventh embodiment of a wireless node network access method according to the present invention.
- FIG. 18 is a schematic structural diagram of a fourth embodiment of a relay node according to the present invention.
- FIG. 19 is a schematic structural diagram of a fourth embodiment of a wireless node network access system according to the present invention.
- FIG. 20 is a schematic flowchart diagram of a twelfth embodiment of a wireless node network access method according to the present invention.
- FIG. 21 is a schematic structural diagram of a fifth embodiment of a relay node according to the present invention.
- FIG. 22 is a schematic structural diagram of a fifth embodiment of a wireless node network access system according to the present invention.
Mode for carrying out the invention
- FIG. 1 is a schematic flowchart diagram of a first embodiment of a wireless node network access method according to the present invention. As shown in Figure 1, the following steps are included: Step 101: In the process of establishing a Radio Resource Control (RRC) connection between a relay node (RN) and a donor base station (Donor Node B, DeNB for short) integrated with a Home Subscriber Server (HSS), the RN's certificate and the RN's Diffie-Hellman (DH) parameter are sent to the DeNB, so that the DeNB authenticates the RN according to the RN's certificate.
- RRC Radio Resource Control
- DH Diffie-Hellman
- Step 102: The RN receives the DeNB's certificate and the DH parameter of the DeNB sent by the DeNB, and authenticates the DeNB according to the certificate of the DeNB.
- the RN and the DeNB each send their own certificate to the peer to implement certificate-based authentication between the RN and the DeNB.
- Step 103: If the RN and the DeNB are successfully authenticated, calculate the basic key K according to the DH parameter of the RN and the DH parameter of the DeNB.
- the basic key K is similar to the basic key carried in the Universal Subscriber Identity Module (USIM) of the UE when the UE enters legacy LTE.
- K = KDF(K_DH), where K_DH is the Diffie-Hellman value obtained from the two exchanged DH parameters and KDF is the key derivation function;
- the DeNB also calculates the basic key K according to the DH parameter of the RN and the DH parameter of the DeNB, that is, the same algorithm is used to generate the basic key K on the DeNB side.
- Step 104: Perform authentication and key agreement (AKA) with the Mobility Management Entity (MME) based on the basic key K, perform Non-Access Stratum (NAS) Security Mode Control (SMC) with the MME, and perform Access Stratum (AS) SMC with the DeNB to establish a radio bearer between the RN and the DeNB.
- AKA authentication and key agreement
- MME Mobility Management Entity
- AS Access Stratum
- the AKA process between the RN and the MME is performed based on the basic key K; the NAS SMC process is then performed with the non-access stratum key derived from K, and AS SMC is performed between the RN and the DeNB with the access stratum key derived from K.
- these processes are the same as those used when a UE enters the network in legacy LTE, so the AKA, SMC and radio bearer establishment for the RN are not described in detail here.
- the wireless node network access method provided in this embodiment carries the certificates between the RN and the DeNB integrated with the HSS function during the RRC connection establishment process and performs authentication between the RN and the DeNB; from the DH parameters exchanged between the two it derives a basic key K that plays the role of the key carried in the USIM card when a UE enters the network, and finally completes the establishment of the radio bearer between the RN and the DeNB, thereby implementing a certificate-based authentication method when the RN enters the network and making network-side RN access more secure.
- FIG. 2 is a signaling flowchart of a second embodiment of a wireless node network access method according to the present invention.
- the DeNB and the HSS are integrated on the same entity.
- the RN uses air interface messages to carry the certificate and the key negotiation parameters, and negotiates the basic key K with the DeNB/HSS; the RN then performs mutual authentication with the MME through AKA, and the subsequent SMC process is identical to the existing SMC process used when a legacy UE enters the network.
- the method for accessing the wireless node includes the following steps:
- Step 201: The RN sends an RRC connection setup request message to the DeNB integrated with the HSS function, where the RRC connection setup request message carries information such as the certificate of the RN and the DH parameter of the RN, so that the DeNB authenticates the RN according to the certificate of the RN.
- the RRC Connection Setup Request message may also carry an Authentication (AUTH) parameter, which is used to prove that the secret associated with the entity's own ID is known, while protecting the previous and current data packets.
- AUTH Authentication
- Step 202: After receiving the RRC connection setup request message, the DeNB sends an RRC connection setup message to the RN, where the RRC connection setup message carries information such as the certificate of the DeNB and the DH parameter of the DeNB, so that the RN authenticates the DeNB according to the DeNB's certificate.
- the RRC connection setup message may also carry an AUTH parameter, which is used to prove that the secret associated with the entity's own ID is known, while protecting the previous and current data packets.
- the HSS integrated on the DeNB may also allocate an International Mobile Subscriber Identity (IMSI) to the RN; if assigned, the IMSI is sent to the RN along with the foregoing RRC connection setup message to uniquely identify the RN.
- IMSI International Mobile Subscriber Identity
- Step 203: The RN and the DeNB each calculate the basic key K locally according to the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of the foregoing steps 201 and 202.
- the basic key K is similar to the basic key K carried in the USIM card of the UE when the UE enters legacy LTE.
- Step 204: The RN sends an RRC connection setup complete message to the DeNB, where the RRC connection setup complete message carries a NAS attach request message.
- Step 205: The DeNB forwards the NAS attach request message of the RN to the MME.
- Step 206: The MME finds that the RN is attaching, initiates the AKA authentication process, and first sends an authentication data request message to the HSS.
- Step 207: The HSS sends the authentication vector calculated according to the basic key K to the MME; the authentication vector may include {RAND, XRES, KASME, AUTN}.
- Step 208: After obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES for authentication and the RAND required to calculate the key.
- Step 209: The MME receives the authentication response carrying the RES returned by the RN, and verifies the RES in the authentication response, thereby completing the AKA authentication between the RN and the MME.
- Step 210: Negotiate the NAS encryption algorithm between the RN and the MME by using the SMC procedure.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network.
- Step 211: The MME sends an initial context setup message for the RN to the DeNB, where the initial context setup message carries the AS key calculated in the AKA authentication process between the RN and the MME.
- Step 212: Negotiate the AS security algorithm between the DeNB and the RN by using the SMC procedure.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network.
- Step 213: Perform a radio bearer setup process between the RN and the DeNB, completing the RN network access authentication.
- the length of the RRC connection setup request message or the RRC connection setup message is limited; therefore, in step 201 and step 202, the certificate of the RN and/or the certificate of the DeNB may be replaced by a certificate identifier with a shorter bit length instead of the certificate itself.
- when the RRC connection setup request message or the RRC connection setup message carries a certificate identifier instead of the certificate itself, the entity receiving the message needs to interact with the Registration Authority (RA) / Certificate Authority (CA) to obtain the content of the certificate indicated by the certificate identifier, and then performs certificate-based authentication of the peer.
- the wireless node network access method provided in this embodiment describes the signaling procedure of the certificate authentication between the RN and the DeNB integrated with the HSS.
- the certificate of the RN is carried in the RRC connection setup request message and the certificate of the DeNB is carried in the RRC connection setup message, so that certificate-based authentication is performed between the RN and the DeNB; DH parameters are exchanged through the RRC connection setup request message and the RRC connection setup message between the RN and the DeNB, and from them a basic key K is calculated that is similar to the key carried by the USIM card when a UE enters the network; the key K is then used to complete the establishment of the radio bearer between the RN and the DeNB, thereby implementing a certificate-based authentication method for the RN to access the network and making network-side RN access more secure.
- FIG. 3 is a signaling flowchart of a third embodiment of a wireless node network access method according to the present invention.
- the DeNB and the HSS are integrated on the same entity; the RN carries the information required for key negotiation in the RRC connection setup request message, and the RN carries its AUTH parameter to the DeNB in the RRC connection setup complete message so that the DeNB can verify the previously transmitted RRC connection setup request message.
- the following steps are included:
- Step 301: The RN carries information such as the certificate of the RN and the DH parameter of the RN in the RRC connection setup request message sent to the DeNB integrated with the HSS function.
- Step 302: The DeNB calculates the basic key K according to the received DH parameter of the RN and the DH parameter of the local DeNB, calculates an AUTH parameter according to K, and sends an RRC connection setup message to the RN, where the RRC connection setup message carries the certificate of the DeNB, the DH parameter of the DeNB, and the AUTH parameter, so that the RN authenticates the DeNB according to the DeNB's certificate.
- the HSS integrated on the DeNB may also allocate an IMSI to the RN; if assigned, the IMSI is sent to the RN along with the aforementioned RRC connection setup message to uniquely identify the RN.
- Step 303: The RN sends an RRC connection setup complete message to the DeNB, where the RRC connection setup complete message carries the AUTH parameter of the RN, so that the DeNB verifies the RRC connection setup request message previously sent by the RN according to this value and, after that verification succeeds, authenticates the RN according to the RN's certificate.
- the RRC connection setup complete message also carries the NAS attach request message of the RN.
- Step 304: The RN calculates the basic key K locally according to the DH parameter of the RN and the DH parameter of the DeNB carried in the messages of the foregoing steps 301 to 303.
- the basic key K is similar to the basic key K carried in the USIM card of the UE when the UE enters the traditional LTE network.
- Step 305 The DeNB forwards the NAS attach request message of the RN to the MME.
- Step 306 The MME finds that the RN is attached, initiates the AKA authentication process, and first sends an authentication data request message to the HSS.
- Step 307 The HSS sends the authentication vector calculated according to the basic key K to the MME, and the authentication vector may include ⁇ RAND, XRES, KASME, AUTN ⁇ .
- Step 308 After obtaining the authentication vector, the MME sends an authentication request to the RN, and carries the AUTN and XRES for authentication and the RAND required to calculate the key.
- Step 309 The MME receives the authentication response carrying the RES returned by the RN, and verifies the RES in the authentication response to complete the AKA authentication between the RN and the MME.
- Step 310 Perform a negotiation of the NAS encryption algorithm between the RN and the MME by using the SMC.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network in the prior art.
- Step 311 The MME sends an initial context setup message of the RN to the DeNB, where the initial context setup message carries the AS key calculated in the AKA authentication process between the RN and the MME.
- Step 312 Perform negotiation of the AS confidentiality algorithm between the DeNB and the RN by using the SMC, where the SMC process is the same as the SMC process in the prior art when the UE enters the traditional LTE network.
- Step 313 Perform a radio bearer setup process between the RN and the DeNB, and complete the RN network access authentication.
- the RN certificate and/or the DeNB certificate may also be replaced by a certificate identifier with a shorter bit length instead of the certificate itself; in that case, the entity receiving the message needs to complete the interaction with the RA/CA to obtain the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
- the wireless node network access method provided in this embodiment describes the signaling process of the certificate authentication between the RN and the DeNB integrated with the HSS.
- the embodiment obtains the same beneficial effects as the second embodiment of the wireless node network access method.
- the certificate-based authentication method is implemented when the RN enters the network, so that the network-side RN is more secure.
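The exchange of steps 301 to 304 (a certificate in each direction, a DH parameter in each direction, an AUTH parameter computed from K, and K = KDF(K_DH) on both sides) modelled end to end in Python, as an added illustration that is not part of the patent and not code from any vendor's implementation. The toy RSA certificates, the Mersenne-prime DH group, the SHA-256 KDF and the form of the AUTH parameter (a signature over a K-keyed MAC of both RRC messages) are constructed assumptions; what the model makes explicit is the ordering of checks that the text leaves implicit: each side verifies the peer's certificate against the RA/CA before using the peer's DH parameter, and the AUTH parameter ties the certified identity to this particular exchange. The `impostor` flag shows the DeNB rejecting an RN whose certificate was issued by a CA it does not trust.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: p = 2**127 - 1 (a Mersenne prime) with g = 5.
# Constructed for an offline demo; far too small for real use.
P = 2**127 - 1
G = 5


def _digest_int(data: bytes, n: int) -> int:
    """Hash-then-sign helper: SHA-256 digest reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class ToyRSAKey:
    """Textbook RSA signing key built from two Mersenne primes (constructed).
    A real deployment would use a proper X.509 PKI; this only gives the demo
    distinct, verifiable certificate signatures without third-party packages."""

    def __init__(self, p: int, q: int):
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))

    def public(self) -> tuple:
        return (self.n, self.e)

    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data, self.n), self.d, self.n)


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def _cert_body(subject: str, pub: tuple) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca: ToyRSAKey, subject: str, key: ToyRSAKey) -> dict:
    """The RA/CA binds an identity to a public key: the 'certificate'."""
    return {"subject": subject, "pub": key.public(),
            "sig": ca.sign(_cert_body(subject, key.public()))}


def check_cert(ca_pub: tuple, cert: dict) -> bool:
    return verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["sig"])


def kdf(k_dh: int) -> bytes:
    """K = KDF(K_DH): the base key that plays the role of the USIM key (assumed KDF)."""
    return hashlib.sha256(b"RN-base-key|" + k_dh.to_bytes(16, "big")).digest()


class Party:
    """One endpoint of the exchange: the RN, or the DeNB integrated with the HSS."""

    def __init__(self, name: str, key: ToyRSAKey, cert: dict, ca_pub: tuple):
        self.name, self.key, self.cert, self.ca_pub = name, key, cert, ca_pub
        self.x = secrets.randbelow(P - 2) + 2      # private DH exponent
        self.dh = pow(G, self.x, P)                # DH parameter carried in RRC
        self.K = None

    def hello(self) -> dict:
        # Certificate + DH parameter, as carried in the RRC setup messages.
        return {"cert": self.cert, "dh": self.dh}

    def derive(self, peer: dict) -> bool:
        # Authenticate the peer's certificate before using its DH parameter.
        if not check_cert(self.ca_pub, peer["cert"]):
            return False
        self.K = kdf(pow(peer["dh"], self.x, P))
        return True

    def auth(self, transcript: bytes) -> int:
        # AUTH: signature over a K-keyed MAC of both messages, proving possession
        # of the certified private key and knowledge of K (assumed construction).
        return self.key.sign(hmac.new(self.K, transcript, "sha256").digest())

    def check_auth(self, peer_cert: dict, transcript: bytes, sig: int) -> bool:
        tag = hmac.new(self.K, transcript, "sha256").digest()
        return verify(peer_cert["pub"], tag, sig)


def _wire(msg: dict) -> bytes:
    return f"{msg['cert']['subject']}|{msg['dh']}".encode()


def run_exchange(impostor: bool = False) -> bool:
    """Steps 301-304 between an RN and a DeNB; True only if both sides
    authenticate each other and end with the same base key K."""
    ca = ToyRSAKey(2**89 - 1, 2**107 - 1)
    rn_key, denb_key = ToyRSAKey(2**61 - 1, 2**127 - 1), ToyRSAKey(2**31 - 1, 2**521 - 1)
    # An impostor RN presents a certificate issued by a CA the DeNB does not trust.
    issuer = ToyRSAKey(2**13 - 1, 2**17 - 1) if impostor else ca
    rn = Party("RN", rn_key, issue_cert(issuer, "RN-0001", rn_key), ca.public())
    denb = Party("DeNB", denb_key, issue_cert(ca, "DeNB-0001", denb_key), ca.public())

    req = rn.hello()                                  # step 301: RRC Connection Setup Request
    if not denb.derive(req):                          # step 302: DeNB verifies RN cert, derives K
        return False
    resp = denb.hello()
    transcript = _wire(req) + _wire(resp)
    resp_auth = denb.auth(transcript)                 # AUTH computed from K, sent in Setup
    if not rn.derive(resp) or not rn.check_auth(resp["cert"], transcript, resp_auth):
        return False                                  # RN authenticates DeNB (steps 302/304)
    req_auth = rn.auth(transcript)                    # step 303: RN's AUTH in Setup Complete
    if not denb.check_auth(req["cert"], transcript, req_auth):
        return False
    return rn.K == denb.K


if __name__ == "__main__":
    print("genuine RN accepted:", run_exchange())
    print("impostor RN accepted:", run_exchange(impostor=True))
```

The subject names `RN-0001` and `DeNB-0001` are constructed. Note that a failed certificate check aborts before any DH computation with the peer's parameter, which is the property the identifier-only variant (certificate identifier plus RA/CA lookup) has to preserve as well.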
- FIG. 4 is a schematic structural diagram of a first embodiment of a relay node according to the present invention.
- the relay node includes: a sending module 41, a receiving authentication module 42, a calculating module 43, and a bearer establishing module 44.
- the sending module 41 is configured to send, in the process of establishing a radio resource control connection between the relay node and the donor base station integrated with the home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station.
- the receiving authentication module 42 is configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station.
- the calculating module 43 is configured to calculate a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving authentication module 42 if the relay node and the donor base station are successfully authenticated.
- the bearer establishing module 44 is configured to perform authentication and key negotiation with the mobility management entity based on the base key K calculated by the calculating module 43, to perform non-access stratum security mode control with the mobility management entity and access layer security mode control with the donor base station, and to establish a radio bearer with the donor base station.
- the specific method for implementing the wireless node network access is described in the foregoing method embodiment.
- in the relay node provided in this embodiment, the message exchanged between the RN and the DeNB integrated with the HSS function carries the certificate, so that the certificate-based authentication method is adopted between the RN and the DeNB when the RN accesses the network, and the network-side RN is more secure.
- FIG. 5 is a schematic structural diagram of a first embodiment of a wireless node network access system according to the present invention. As shown in FIG. 5, the system includes: a mobility management entity 51, a donor base station 52 integrated with a home subscriber server, and a relay node 53.
- the relay node 53 is as described in the first embodiment of the foregoing relay node, and details are not described herein again.
- the donor base station 52 integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 53, to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node 53, to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, and to perform access layer security mode control with the relay node 53 according to the access layer key calculated from the base key K.
- the mobility management entity 51 is configured to acquire the authentication vector calculated by the donor base station 52 integrated with the home subscriber server based on the basic key K, to perform authentication and key negotiation with the relay node 53 according to the authentication vector, and to perform non-access stratum security mode control with the relay node 53 according to the non-access stratum key calculated from the basic key K.
- in the wireless node network access system provided in this embodiment (the specific method for implementing the wireless node network access refers to the foregoing method embodiment), the certificate is carried in the message exchanged between the RN and the DeNB integrated with the HSS function in the RRC connection establishment process to perform authentication between the RN and the DeNB, the DH parameters exchanged between the RN and the DeNB are used to calculate a basic key K similar to the one carried in the USIM card when the UE enters the network, and the establishment of the radio bearer between the RN and the DeNB is finally completed; thus the certificate-based authentication method is adopted when the RN accesses the network, and the network-side RN is more secure.
- FIG. 6 is a schematic flowchart diagram of a fourth embodiment of a wireless node network access method according to the present invention. As shown in FIG. 6, the method includes the following steps:
- Step 601 In the RRC connection establishment process between the RN and the DeNB, the DeNB sends the RN certificate and the DH parameter of the RN to the HSS, so that the HSS authenticates the RN according to the RN certificate.
- Step 602 The RN receives the HSS certificate sent by the HSS and the DH parameter of the HSS through the DeNB, and authenticates the HSS according to the HSS certificate.
- the RN and the HSS respectively send their own certificates to the peer to implement certificate-based authentication between the RN and the HSS.
- Step 603 If the RN and the HSS are successfully authenticated, the basic key K is calculated according to the DH parameter of the RN and the DH parameter of the HSS.
- the basic key K is similar to the basic key carried in the Universal Subscriber Identity Module (USIM) of the UE when the UE enters the traditional LTE network.
- K = KDF(K_DH), where K_DH is the shared secret produced by the DH exchange; in addition, the HSS also calculates the base key K according to the DH parameter of the RN and the DH parameter of the HSS, that is, the same algorithm is used to generate the base key K on the DeNB side.
- Step 604 Based on the base key K, perform AKA authentication with the MME, perform a NAS SMC with the MME, and perform an AS SMC with the DeNB to establish a radio bearer between the RN and the DeNB.
- in this step 604, the RN side generates the basic key K, performs the AKA process between the RN and the MME according to the authentication vector subsequently calculated from the basic key K, performs the NAS SMC process according to the non-access stratum key calculated from the basic key K, and performs the AS SMC process between the RN and the DeNB according to the access layer key calculated from the basic key K.
- this process is similar to the process of the UE entering the traditional LTE network, with the RN in the role of the UE in traditional LTE; the completion of the RN network access authentication and security mode establishment is therefore not described here.
- the wireless node network access method provided in this embodiment carries the certificates between the RN and the HSS in the RRC connection establishment process, performs authentication between the RN and the HSS, and, through the DH exchange between the RN and the HSS, calculates a basic key K similar to the one carried in the USIM card when the UE enters the network; this finally completes the establishment of the radio bearer between the RN and the DeNB, thereby implementing the certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 7 is a signaling flowchart of a fifth embodiment of a wireless node network access method according to the present invention.
- the HSS is an independent physical entity, rather than being located on the DeNB.
- the RN and the HSS still pass the certificate authentication, and negotiate the basic key K.
- the DeNB forwards the corresponding message between the RN and the HSS.
- the method for accessing the wireless node includes the following steps:
- Step 701 The RN sends an RRC connection setup request message to the DeNB, where the RRC connection setup request message carries information such as a certificate of the RN, a DH parameter of the RN, and an AUTH parameter.
- Step 702 The DeNB forwards the information of the RN, the DH parameter, and the AUTH parameter of the RN in the received RRC connection setup request message to the HSS, so that the HSS authenticates the RN according to the certificate of the RN.
- Step 703 The HSS sends a message carrying the certificate of the HSS, the DH parameter of the HSS, and the AUTH parameter to the DeNB.
- Step 704 After receiving the certificate of the HSS, the DH parameter of the HSS, and the AUTH parameter, the DeNB sends an RRC connection setup message to the RN, where the RRC connection setup message carries the HSS certificate, the DH parameter of the HSS, and the AUTH parameter, so that the RN authenticates the HSS according to the HSS certificate.
- the HSS may allocate an IMSI to the RN. If allocated, the DeNB also sends the IMSI to the RN in an RRC Connection Setup message to uniquely identify the RN.
- Step 705 The RN and the HSS respectively calculate the base key K locally according to the DH parameter of the RN and the DH parameter of the HSS carried in the messages of the above steps 501 to 504.
- the basic key K is similar to the basic key K carried in the USIM card of the UE when the UE enters the legacy LTE network.
- Step 706 The RN sends an RRC connection setup complete message to the DeNB, where the RRC connection setup complete message carries a NAS attach request message.
- Step 707 The DeNB forwards the NAS attach request message of the RN to the MME.
- Step 708 The MME finds that the RN is attached, starts the AKA authentication process, and first sends an authentication data request message to the HSS.
- Step 709 The HSS sends the authentication vector calculated according to the basic key K to the MME, and the authentication vector may include {RAND, XRES, KASME, AUTN}.
- Step 710 After obtaining the authentication vector, the MME sends an authentication request to the RN, and carries the AUTN and XRES for authentication and the RAND required to calculate the key.
- Step 711 The MME receives the authentication response carrying the RES returned by the RN, and verifies the RES in the authentication response to complete the AKA authentication between the RN and the MME.
- Step 712 Perform a negotiation of the NAS encryption algorithm between the RN and the MME by using the SMC.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network in the prior art.
- Step 713 The MME sends an initial context setup message of the RN to the DeNB, where the initial context setup message carries the AS key calculated in the AKA authentication process between the RN and the MME.
- Step 714 Perform negotiation of the AS confidentiality algorithm between the DeNB and the RN by using the SMC.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network in the prior art.
- Step 715 Perform a radio bearer setup process between the RN and the DeNB, and complete the RN network access authentication.
- the certificate of the RN and/or the certificate of the HSS may also be replaced by a certificate identifier having a shorter bit length instead of the certificate itself; in that case, the entity receiving the message needs to complete the interaction with the RA/CA to obtain the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
- this embodiment, in which the DeNB and the HSS are two separate entities, describes in detail the signaling process of the certificate authentication between the RN and the HSS: the certificate of the RN is carried in the RRC connection setup request message and the certificate of the HSS in the RRC connection setup message, certificate-based authentication is performed between the RN and the HSS, DH parameters are exchanged between the RN and the HSS in the RRC connection setup request message and the RRC connection setup message, a basic key K similar to the one carried in the USIM card when the UE enters the network is calculated, and the establishment of the radio bearer between the RN and the DeNB is finally completed, thereby implementing a certificate-based authentication method for the RN to access the network and making the network-side RN more secure.
- FIG. 8 is a schematic structural diagram of a second embodiment of a relay node according to the present invention.
- the relay node includes: a sending module 81, a receiving authentication module 82, a calculating module 83, and a bearer establishing module 84.
- the sending module 81 is configured to send, through the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the home subscriber server during the radio resource control connection establishment process between the relay node and the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node.
- the receiving authentication module 82 is configured to receive, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and to authenticate the home subscriber server according to the certificate of the home subscriber server.
- the calculating module 83 is configured to calculate a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving authentication module 82 if the relay node and the home subscriber server are successfully authenticated.
- the bearer establishing module 84 is configured to perform authentication and key agreement with the mobility management entity based on the base key K calculated by the calculating module 83, to perform non-access stratum security mode control with the mobility management entity and access layer security mode control with the donor base station, and to establish a radio bearer with the donor base station.
- the specific method for implementing the wireless node accessing network is as shown in the foregoing method embodiment.
- in the relay node provided in this embodiment, the message exchanged between the RN and the HSS carries the certificate to perform authentication between the RN and the HSS, the DH parameters exchanged between the RN and the HSS are used to calculate a basic key K similar to the one carried in the USIM card when the UE enters the network, and the establishment of the radio bearer between the RN and the DeNB is finally completed, thereby implementing the certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 9 is a schematic structural diagram of a second embodiment of a wireless node network access system according to the present invention. As shown in FIG. 9, the method includes: a mobility management entity 91, a home subscriber server 92, a donor base station 93, and a relay node 94.
- the relay node 94 is as described in the second embodiment of the foregoing relay node, and details are not described herein again.
- the home subscriber server 92 is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 94, to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node 94, and to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server.
- the mobility management entity 91 is configured to acquire the authentication vector calculated by the home subscriber server 92 based on the basic key K, and to perform authentication with the relay node 94 according to the authentication vector.
- the donor base station 93 is configured to acquire the access layer key calculated by the home subscriber server 92 based on the base key K, and to perform access layer security mode control with the relay node 94 according to the access layer key.
- the specific method for implementing the wireless node network access is described in the foregoing method embodiment.
- in the wireless node network access system provided in this embodiment, the message exchanged between the RN and the HSS carries the certificate to perform authentication between the RN and the HSS, the DH parameters exchanged between the RN and the HSS are used to calculate a basic key K similar to the one carried in the USIM card when the UE enters the network, and the establishment of the radio bearer between the RN and the DeNB is finally completed, thereby implementing the certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 10 is a schematic flowchart diagram of a sixth embodiment of a wireless node network access method according to the present invention.
- the HSS and the MME are integrated on the same entity. As shown in Figure 10, the following steps are included:
- Step 1001 Complete an RRC connection establishment between the RN and the DeNB.
- Step 1002 The RN sends an attach request message carrying the certificate of the RN and the DH parameter of the RN to the MME integrated with the HSS, so that the MME authenticates the RN according to the certificate of the RN.
- Step 1003 The RN receives the non-access stratum message that is sent by the MME and carries the certificate of the MME and the DH parameter of the MME, and authenticates the MME according to the certificate of the MME.
- Step 1004 If the RN and the MME are successfully authenticated, the shared key is calculated according to the DH parameter of the RN and the DH parameter of the MME.
- the MME calculates the shared key according to the DH parameter of the RN and the DH parameter of the MME.
- Step 1005 Based on the shared key, the RN performs NAS SMC with the MME, and performs AS SMC with the DeNB to establish a radio bearer between the RN and the DeNB.
- the RN completes the process of establishing the RN network access authentication and the security mode, similar to the UE in the traditional LTE, and is not described here.
- the wireless node network access method provided in this embodiment performs the authentication between the RN and the MME by carrying the certificate in the message exchanged between the RN and the MME integrated with the HSS, uses the DH parameters exchanged between the RN and the MME to calculate a shared key similar to the one carried in the USIM card when the UE enters the network, and finally establishes the radio bearer between the RN and the DeNB, thereby implementing the certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 11 is a signaling flowchart of a seventh embodiment of a wireless node network access method according to the present invention. This embodiment is a specific signaling procedure of the foregoing sixth embodiment, and the HSS and the MME are integrated on the same entity. As shown in Figure 11, the following steps are included:
- Step 1101 The RN initiates an RRC connection setup request message to the DeNB.
- Step 1102 The DeNB sends an RRC connection setup message to the RN.
- Step 1103 The RN returns an RRC connection setup complete message to the DeNB.
- Step 1104 The RN sends a NAS attach request message to the MME integrated with the HSS, where the NAS attach request message carries the certificate of the RN and the DH parameter of the RN.
- Step 1105 The MME sends an IMSI request message to the RN, where the IMSI request message carries the certificate of the MME, the DH parameter of the MME, and the AUTH parameter used for the authentication.
- the HSS integrated on the MME may also allocate an IMSI to the RN. If allocated, the IMSI is also carried in the foregoing IMSI request message and sent to the RN to uniquely identify the RN.
- Step 1106 After receiving the certificate of the MME, the RN completes the authentication of the MME, and then sends the AUTN parameter carried in the IMSI response message to the MME, so that the MME performs certificate authentication on the RN according to the certificate of the RN sent in step 1104.
- the subsequent security process is completed between the RN and the MME based on the shared key K1, and specifically includes two scenarios:
- Step 1108a The MME integrated with the HSS function calculates an authentication vector according to the basic key K, and the authentication vector may include {RAND, XRES, KASME, AUTN}.
- Step 1108b The MME integrated with the HSS function obtains an authentication vector including the root key KASME from the HSS, and the authentication vector may include {RAND, XRES, KASME, AUTN}.
- Step 1109 After obtaining the authentication vector, the MME sends an authentication request to the RN, and carries the AUTN and XRES for authentication and the RAND required to calculate the key.
- Step 1110 The MME receives the authentication response carrying the RES returned by the RN, and verifies the RES in the authentication response to complete the AKA authentication between the RN and the MME.
- Step 1111 Perform a negotiation of the NAS encryption algorithm between the RN and the MME by using the SMC.
- the SMC process is the same as the SMC process when the UE enters the traditional LTE network in the prior art.
- Step 1112 The MME sends an initial context setup message of the RN to the DeNB, where the initial context setup message carries the AS key calculated in the AKA authentication process between the RN and the MME.
- Step 1113 Perform negotiation of the AS confidentiality algorithm between the DeNB and the RN by using the SMC.
- the SMC process is the same as the SMC process in the traditional LTE when the UE enters the network.
- Step 1114 Perform a radio bearer setup process between the RN and the DeNB, and complete the RN network access authentication.
- the certificate of the RN and/or the certificate of the MME may also be replaced by a certificate identifier with a shorter bit length instead of the certificate itself; the entity receiving the message then needs to first complete the interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
- the wireless node network access method provided in this embodiment describes the signaling procedure of the certificate authentication between the RN and the MME integrated with the HSS; it is similar to the sixth embodiment of the wireless node network access method and likewise implements certificate-based authentication when the RN accesses the network.
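The AKA run that follows the certificate exchange (steps 1108 to 1110 here, and identically steps 306 to 309 and 708 to 711 of the third and fifth embodiments), as an added Python model that is not code from the patent or from any HSS/MME product: the HSS side derives {RAND, XRES, KASME, AUTN} from the base key K, the MME challenges the RN with RAND and AUTN, the RN checks the MAC and the sequence number inside AUTN before answering RES, and the MME compares RES with XRES. The HMAC-SHA-256 constructions standing in for the f1 to f5 functions of a real HSS, the 6-byte sequence number and the serving-network identity are assumptions; the wrong-key and replayed-vector cases are the two rejections a reviewer of this flow would want to see.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 stand-in for the f1..f5 functions of a real HSS (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hss_generate_av(K: bytes, sqn: int, sn_id: bytes) -> dict:
    """HSS side (step 1108a / 709): derive {RAND, XRES, KASME, AUTN} from K.
    AUTN = (SQN xor AK) || MAC: the sequence number is concealed by AK, and the
    MAC lets the RN verify that the challenge was built by a holder of K."""
    rand = secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _prf(K, b"f1", sqn_b, rand)[:8]
    ak = _prf(K, b"f5", rand)[:6]
    autn = _xor(sqn_b, ak) + mac
    ck, ik = _prf(K, b"f3", rand), _prf(K, b"f4", rand)
    kasme = _prf(ck + ik, b"kasme", sn_id, autn[:6])   # bound to the serving network
    return {"RAND": rand, "XRES": _prf(K, b"f2", rand)[:8], "KASME": kasme, "AUTN": autn}


def rn_authenticate(K: bytes, last_sqn: int, rand: bytes, autn: bytes, sn_id: bytes):
    """RN side (steps 1109/1110): check AUTN, then compute RES and KASME.
    Returns None when the MAC is wrong (challenge not built from our K) or the
    sequence number is not fresh (replayed authentication vector)."""
    ak = _prf(K, b"f5", rand)[:6]
    sqn_b = _xor(autn[:6], ak)
    if not hmac.compare_digest(_prf(K, b"f1", sqn_b, rand)[:8], autn[6:]):
        return None
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:
        return None
    ck, ik = _prf(K, b"f3", rand), _prf(K, b"f4", rand)
    return {"RES": _prf(K, b"f2", rand)[:8],
            "KASME": _prf(ck + ik, b"kasme", sn_id, autn[:6]),
            "SQN": sqn}


def mme_verify(av: dict, res: bytes) -> bool:
    """MME side (step 1110): constant-time comparison of RES with XRES."""
    return hmac.compare_digest(av["XRES"], res)


def run_aka(k_hss: bytes, k_rn: bytes, sqn: int = 1, last_sqn: int = 0) -> bool:
    """One AKA run; True only if the RN accepts AUTN, the MME accepts RES and
    both ends hold the same KASME, from which the NAS and AS keys are derived."""
    sn_id = b"MCC001MNC01"                            # constructed serving-network identity
    av = hss_generate_av(k_hss, sqn, sn_id)           # HSS -> MME (step 1108a)
    answer = rn_authenticate(k_rn, last_sqn, av["RAND"], av["AUTN"], sn_id)  # MME -> RN -> MME
    if answer is None:
        return False
    return mme_verify(av, answer["RES"]) and answer["KASME"] == av["KASME"]


if __name__ == "__main__":
    K = hashlib.sha256(b"constructed base key K").digest()
    print("genuine RN:", run_aka(K, K))
    print("RN with a different K:", run_aka(K, bytes(32)))
    print("replayed authentication vector:", run_aka(K, K, sqn=7, last_sqn=7))
```

Because K was agreed by the certificate-authenticated DH exchange rather than provisioned in a USIM, the RN side must keep the highest accepted sequence number per K; without that check a captured {RAND, AUTN} pair would be accepted again.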
- FIG. 12 is a schematic structural diagram of a third embodiment of a relay node according to the present invention.
- the relay node includes: a connection establishing module 121, a sending module 122, a receiving authentication module 123, a computing module 124, and a bearer establishing module 125.
- the connection establishing module 121 is configured to complete the establishment of the radio resource control connection between the relay node and the donor base station; the sending module 122 is configured to send a message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the mobility management entity integrated with the home subscriber server.
- the calculating module 124 is configured to calculate a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity.
- the bearer establishing module 125 is configured to perform non-access stratum security mode control with the mobility management entity and access layer security mode control with the donor base station based on the shared key calculated by the calculating module 124, and to establish a radio bearer with the donor base station.
- the specific method for implementing the wireless node network access is described in the foregoing method embodiment: the certificate is carried in the message exchanged between the RN and the MME integrated with the HSS to perform authentication between the RN and the MME, the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when the UE enters the network, and the radio bearer between the RN and the DeNB is finally established, thereby implementing a certificate-based authentication method when the RN accesses the network and making the network-side RN more secure.
- FIG. 13 is a schematic structural diagram of a third embodiment of a wireless node network access system according to the present invention. As shown in FIG. 13, the method includes: a mobility management entity 131 integrated with a home subscriber server, a donor base station 132, and a relay node 133.
- the relay node 133 is as described in the foregoing third embodiment of the relay node, and details are not described herein again.
- the mobility management entity 131 integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 133, to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node 133, to calculate a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity, and to perform non-access stratum security mode control with the relay node 133 according to the non-access stratum key calculated from the shared key; the donor base station 132 is configured to obtain the access layer key calculated by the mobility management entity integrated with the home subscriber server based on the shared key, and to perform access layer security mode control with the relay node 133 according to the access layer key.
- in the wireless node network access system provided in this embodiment (the specific method for implementing the wireless node network access is as described in the foregoing method embodiment), the certificate is carried in the message exchanged between the RN and the MME integrated with the HSS to perform authentication between the RN and the MME, the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when the UE enters the network, and the establishment of the radio bearer between the RN and the DeNB is finally completed, thereby implementing a certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 14 is a schematic flowchart diagram of an eighth embodiment of a wireless node network access method according to the present invention. As shown in Figure 14, the following steps are included:
- Step 1401 In the process of establishing an RRC connection and/or establishing a radio bearer between the RN and the DeNB, send the certificate of the RN and the DH parameter of the RN to the DeNB, so that the DeNB authenticates the RN according to the certificate of the RN.
- Step 1402 Receive a DeNB certificate sent by the DeNB and a DH parameter of the DeNB, and perform authentication on the DeNB according to the certificate of the DeNB.
- the RN and the DeNB respectively send their own certificates to the peer to implement certificate authentication between the RN and the DeNB.
- Step 1403 If the RN and the DeNB are successfully authenticated, calculate the authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB.
- the DeNB calculates the authentication key according to the DH parameter of the RN and the DH parameter of the DeNB.
- Step 1404 The authentication key AK is used as a temporary key KeNB shared by the RN and the DeNB, and based on the temporary key KeNB, performs AS SMC with the DeNB.
- in the wireless node network access method provided in this embodiment, the message exchanged between the RN and the DeNB carries the certificate to perform authentication between the RN and the DeNB, the DH parameters exchanged between the RN and the DeNB are used to calculate a temporary key KeNB similar to the one calculated when the UE enters the network, and the establishment of the radio bearer between the RN and the DeNB is finally completed, thereby implementing the certificate-based authentication method when the RN enters the network and making the network-side RN more secure.
- FIG. 15 is a signaling flowchart of a ninth embodiment of a wireless node network access method according to the present invention.
- the RN and the DeNB do not need to perform signaling interaction with the HSS to perform calculation of the basic key K, only need to pass certificate authentication between the RN and the DeNB, and perform calculation of the temporary key KeNB between the RN and the DeNB. And using the generated temporary key KeNB to protect the AS message between the RN and the DeNB.
- the following steps are included:
- Step 1501 The RN initiates an RRC connection setup request message to the DeNB to which the RN belongs, and the RRC connection setup request message carries information such as the certificate of the RN, a random number (nonce) 1, the DH parameter of the RN, and an AUTH parameter, so that the DeNB authenticates the RN according to the certificate of the RN.
- the purpose of the random number is to make the shared key obtained in the subsequent calculation different every time.
- the certificate of the RN may also be replaced by a certificate identifier with a shorter bit length instead of the certificate itself.
- in that case, in step 1501 the RN needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
- Step 1502 The DeNB returns an RRC connection setup message to the RN, where the RRC connection setup message carries information such as the certificate of the DeNB, a random number (nonce) 2, the DH parameter of the DeNB, and an AUTH parameter, so that the RN authenticates the DeNB according to the certificate of the DeNB.
- the certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length instead of the certificate itself.
- in that case, in step 1502 the DeNB needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then perform certificate-based authentication of the peer.
- Step 1503 The RN and the DeNB respectively calculate the authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of step 1501 and step 1502, use the authentication key AK as the temporary key KeNB, and calculate the encryption key and the integrity protection key of the AS signaling from the KeNB.
- Step 1504: The RN sends an RRC connection setup complete message to the DeNB to which it belongs, carrying a NAS attach request message.
- Step 1505: The DeNB to which the RN belongs forwards the NAS attach request message to the MME.
- Step 1506: The MME sends an initial context setup message for the RN to the DeNB.
- Step 1507: The AS SMC procedure is performed between the RN and the DeNB to which it belongs; the AS algorithm negotiation between the DeNB and the RN is completed and AS protection is activated.
- Step 1508: The radio bearer setup procedure is performed between the RN and the DeNB, completing the network access authentication of the RN.
- The wireless node network access method provided in this embodiment describes the signaling procedure of certificate authentication between the RN and the DeNB in detail. Similar to the eighth embodiment of the wireless node network access method, it implements certificate-based authentication when the RN accesses the network and makes the network-side RN more secure.
- FIG. 16 is a signaling flowchart of a tenth embodiment of the wireless node network access method according to the present invention. As shown in FIG. 16, the following steps are included:
- Step 1601: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
- Step 1602: The DeNB to which the RN belongs returns an RRC connection setup message to the RN, completing the connection establishment procedure of the random access channel.
- Step 1603: The RN sends an RRC connection setup complete message to the DeNB to which it belongs, carrying the NAS attach request message.
- Step 1604: The DeNB to which the RN belongs encapsulates the NAS attach request message in an S1-AP message and sends it to the MME.
- Step 1605: The MME sends the Serving Gateway (S-GW) address, the S1-TEID, the bearer QoS, the security context and the like to the DeNB to which the RN belongs, and activates them for all the eNBs.
- Step 1606: The DeNB to which the RN belongs sends the RRC radio bearer setup message to the RN, and the RN authenticates the DeNB.
- The RRC radio bearer setup message may also carry a random number (nonce), DH parameters and AUTH parameters.
- The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length than the certificate itself.
- In that case the method further includes Step 1606': the DeNB needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier; the peer is then authenticated based on the certificate content.
- Step 1607: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN. The RRC radio bearer setup complete message carries the certificate of the RN, the random number (nonce) 2, the DH parameter of the RN and the AUTH parameter, so that the DeNB authenticates the RN according to the certificate of the RN, and the establishment of the radio bearer is completed.
- The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length than the certificate itself.
- In that case the method further includes Step 1607: the RN needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier; the peer is then authenticated based on the certificate content.
- Step 1608: The RN and the DeNB each calculate the authentication key AK from the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of Step 1606 and Step 1607, use the authentication key AK as the temporary key KeNB, and derive the encryption key and the integrity protection key for AS signaling from KeNB.
- Step 1609: The AS SMC procedure is performed between the RN and the DeNB to which it belongs; the AS algorithm negotiation between the DeNB and the RN is completed and AS protection is activated.
- In this embodiment, the wireless node access method completes certificate-based authentication while the radio bearer is being established, and the air interface protocol needs to be modified accordingly.
- Alternatively, the certificate of the DeNB may be omitted from Step 1606 and carried instead in the downlink message from the DeNB to the RN during the interaction of Step 1609, thereby implementing authentication of the DeNB.
- If authentication between the RN and the DeNB fails, the DeNB is triggered to initiate an RRC connection release procedure, or to instruct the MME to initiate a detach procedure for the RN, thereby releasing the radio bearer connection between the RN and the DeNB.
- The wireless node network access method provided in this embodiment describes the signaling procedure of certificate authentication between the RN and the DeNB in detail. Similar to the eighth embodiment of the wireless node network access method, it implements certificate-based authentication when the RN enters the network and makes the network-side RN more secure.
- FIG. 17 is a signaling flowchart of an eleventh embodiment of the wireless node network access method according to the present invention. As shown in FIG. 17, the following steps are included:
- Step 1701: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
- Step 1702: The DeNB to which the RN belongs returns an RRC connection setup message to the RN, completing the random access channel connection establishment.
- Step 1703: The RN sends an RRC connection setup complete message to the DeNB to which it belongs.
- The RRC connection setup complete message carries the certificate of the RN, which the DeNB to which the RN belongs uses to authenticate the RN.
- The RRC connection setup complete message also carries a random number (nonce) 1, the DH parameter of the RN and an AUTH parameter, as well as the NAS attach request message.
- The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length than the certificate itself.
- In that case the method further includes Step 1703: the RN needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier; the peer is then authenticated based on the certificate content.
- Step 1704: The DeNB to which the RN belongs encapsulates the NAS attach request message in an S1-AP message and sends it to the MME.
- Step 1705: The MME sends the Serving Gateway (S-GW) address, the S1-TEID, the bearer QoS, the security context and the like to the DeNB to which the RN belongs in an S1-AP message, and activates the radio bearer and the S1 bearer for all activated Evolved Packet System (EPS) bearers.
- Step 1706: The DeNB to which the RN belongs sends the RRC radio bearer setup message to the RN, and the RN authenticates the DeNB.
- The RRC radio bearer setup message may also carry a random number (nonce), DH parameters and AUTH parameters.
- The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length than the certificate itself.
- In that case the method further includes Step 1706: the DeNB needs to complete the message interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier; the peer is then authenticated based on the certificate content.
- Step 1707: The RN and the DeNB each calculate the authentication key AK from the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of Step 1703 and Step 1706, use the authentication key AK as the temporary key KeNB, and derive the encryption key and the integrity protection key for AS signaling from KeNB.
- Through the interaction of the two messages in Step 1703 and Step 1706, certificate-based authentication when the RN enters the network is completed.
- Step 1708: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN, completing the establishment of the radio bearer between the RN and the DeNB.
- Step 1709: The AS SMC procedure is performed between the RN and the DeNB to which it belongs; the AS algorithm negotiation between the DeNB and the RN is completed and AS protection is activated.
- The wireless node network access method provided in this embodiment describes the signaling procedure of certificate authentication between the RN and the DeNB in detail. Similar to the eighth embodiment of the wireless node network access method, it implements certificate-based authentication when the RN enters the network and makes the network-side RN more secure.
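The ninth, tenth and eleventh embodiments above all run the same core exchange at different points of RRC setup: each side sends its certificate (or a shorter certificate identifier that the peer resolves through the RA/CA), a nonce, a DH parameter and an AUTH parameter; each side checks the peer's certificate against the CA and the AUTH parameter against the certified key; both then compute AK from the DH values and use it as KeNB, from which the AS encryption and integrity keys are derived; and on failure the DeNB releases the RRC connection. The following Python is an added example written for this page, not code from the patent or any 3GPP implementation. It models that exchange end to end with a constructed CA, RN and DeNB; the RSA signatures, the 127-bit DH group, the message layouts, the `RRC-enc`/`RRC-int` labels and the `rrc_connection_release` outcome are all assumptions for the demonstration, chosen for clarity rather than as deployment parameters.

```python
"""Toy model of the certificate-authenticated Diffie-Hellman exchange between RN and DeNB (Steps
1501-1503 and their FIG. 16/17 counterparts). Standard library only; RSA/DH sizes are demo choices."""
import hashlib, hmac, secrets

def is_probable_prime(n, rounds=12):  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=512):  # textbook RSA: returns (private (d, n), public (e, n))
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (pow(e, -1, phi), p * q), (e, p * q)

h_int = lambda data: int.from_bytes(hashlib.sha256(data).digest(), "big")
def rsa_sign(priv, data):  # RSA over SHA-256(data): enough for the demo, not a real padding scheme
    return pow(h_int(data), priv[0], priv[1])
def rsa_verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == h_int(data)

def cert_tbs(subject, pub):  # certificates: the CA signs (subject, public key); peers trust only the CA key
    return b"%s|%d|%d" % (subject, pub[0], pub[1])
def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "sig": rsa_sign(ca_priv, cert_tbs(subject, pub))}
def cert_id(cert):  # shorter identifier that may be sent in place of the certificate itself
    return hashlib.sha256(cert_tbs(cert["subject"], cert["pub"])).digest()

DH_P, DH_G = (1 << 127) - 1, 2  # toy group (2^127-1 is prime); a deployment uses a standard MODP group
def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)
def i2b(x):
    return x.to_bytes(16, "big")
def kdf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class AuthFailure(Exception): pass

def peer_authenticate(ca_pub, directory, cert_or_id, signed_data, auth):
    # resolve an identifier via the RA/CA directory, verify the CA signature, then verify AUTH
    cert = directory.get(cert_or_id) if isinstance(cert_or_id, bytes) else cert_or_id
    if cert is None or not rsa_verify(ca_pub, cert_tbs(cert["subject"], cert["pub"]), cert["sig"]):
        raise AuthFailure("certificate not issued by the trusted CA")
    if not rsa_verify(cert["pub"], signed_data, auth):
        raise AuthFailure("AUTH parameter does not verify under the certified key")

def setup_pki():  # constructed PKI: one CA, one RN, one DeNB, and an RA/CA lookup table
    ca_priv, ca_pub = rsa_keygen()
    (rn_priv, rn_pub), (denb_priv, denb_pub) = rsa_keygen(), rsa_keygen()
    rn_cert = issue_cert(ca_priv, b"RN-1", rn_pub)
    denb_cert = issue_cert(ca_priv, b"DeNB-1", denb_pub)
    directory = {cert_id(rn_cert): rn_cert, cert_id(denb_cert): denb_cert}
    return ca_pub, directory, (rn_priv, rn_cert), (denb_priv, denb_cert)

def as_keys(kenb):  # constructed labels; the real AS key derivation is the 3GPP KDF
    return {"KeNB": kenb, "K_RRCenc": kdf(kenb, b"RRC-enc"), "K_RRCint": kdf(kenb, b"RRC-int")}

def rn_access(pki, send_cert_id=False, tamper=False):
    ca_pub, directory, (rn_priv, rn_cert), (denb_priv, denb_cert) = pki
    a, dh_rn = dh_keypair()  # Step 1501: RN -> DeNB {cert_RN or its id, nonce1, g^a, AUTH_RN}
    nonce1 = secrets.token_bytes(16)
    msg1 = nonce1 + i2b(dh_rn)
    auth_rn = rsa_sign(rn_priv, b"RN" + msg1)
    try:
        peer_authenticate(ca_pub, directory, cert_id(rn_cert) if send_cert_id else rn_cert,
                          b"RN" + msg1, auth_rn)  # DeNB authenticates the RN
        b, dh_denb = dh_keypair()  # Step 1502: DeNB -> RN {cert_DeNB, nonce2, g^b, AUTH_DeNB}
        nonce2 = secrets.token_bytes(16)
        msg2 = nonce2 + i2b(dh_denb)
        auth_denb = rsa_sign(denb_priv, b"DeNB" + msg1 + msg2)  # AUTH_DeNB binds both messages
        if tamper:  # on-path substitution of the DeNB's DH value: the AUTH check below fails
            msg2 = nonce2 + i2b(pow(DH_G, 12345, DH_P))
        peer_authenticate(ca_pub, directory, denb_cert, b"DeNB" + msg1 + msg2, auth_denb)
    except AuthFailure as exc:  # failure: DeNB releases the RRC connection or has the MME detach the RN
        return {"outcome": "rrc_connection_release", "reason": str(exc)}
    # Step 1503: AK = KDF(nonce1||nonce2, g^ab) on each side, used as KeNB to derive the AS keys
    rn_keys = as_keys(kdf(nonce1 + nonce2, i2b(pow(dh_denb, a, DH_P))))
    denb_keys = as_keys(kdf(nonce1 + nonce2, i2b(pow(dh_rn, b, DH_P))))
    return {"outcome": "bearer_established", "rn_keys": rn_keys, "denb_keys": denb_keys}
```

`rn_access(setup_pki())` returns the established keys for both sides, `send_cert_id=True` exercises the certificate-identifier path through the RA/CA directory, and `tamper=True` shows why the AUTH parameter must cover the DH values: a substituted KE value is caught before any key is derived, and the outcome is the RRC connection release the text prescribes rather than a session keyed by an attacker's choice.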
- FIG. 18 is a schematic structural diagram of a fourth embodiment of a relay node according to the present invention.
- The relay node includes a sending module 181, a receiving authentication module 182, a calculation module 183 and a bearer establishing module 184.
- The sending module 181 is configured to send, during the radio resource control connection establishment and/or radio bearer establishment procedure between the relay node and the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station.
- The receiving authentication module 182 is configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station, and to authenticate the donor base station according to the certificate of the donor base station. The calculation module 183 is configured to calculate the authentication key AK from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving authentication module 182, if authentication between the relay node and the donor base station succeeds. The bearer establishing module 184 uses the authentication key AK calculated by the calculation module 183 as the temporary key KeNB shared by the relay node and the donor base station, and performs access layer security mode control with the donor base station based on the temporary key KeNB. In addition, the mobility management entity interacts with the relay node through the donor base station.
- The specific manner in which the relay node implements the wireless node network access method is as described in the foregoing method embodiments: the messages exchanged between the RN and the DeNB carry certificates, authentication is performed between the RN and the DeNB, a temporary key KeNB is calculated from the DH parameters exchanged between the RN and the DeNB in the same way as the temporary key KeNB calculated when a UE enters the network, and finally the radio bearer between the RN and the DeNB is established, thereby implementing certificate-based authentication when the RN accesses the network and making network access of the network-side RN more secure.
- FIG. 19 is a schematic structural diagram of a fourth embodiment of a wireless node network access system according to the present invention. As shown in FIG. 19, the system includes a mobility management entity 191, a donor base station 192 and a relay node 193.
- The relay node 193 is as described in the fourth embodiment of the relay node above, and details are not repeated here.
- The mobility management entity 191 interacts with the relay node 193 via the donor base station 192.
- The donor base station 192 is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 193, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node 193; to calculate the authentication key AK from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station and perform access layer security mode control with the relay node 193 according to the temporary key KeNB.
- The specific manner in which the system implements wireless node network access is as described in the foregoing method embodiments.
- The exchanged messages carry certificates, authentication is performed between the RN and the DeNB, the temporary key KeNB is calculated from the DH parameters exchanged between the RN and the DeNB in the same way as the KeNB calculated when a UE enters the network, and finally the radio bearer between the RN and the DeNB is established, thereby implementing certificate-based authentication when the RN accesses the network and making the network-side RN more secure.
- FIG. 20 is a schematic flowchart of a twelfth embodiment of a wireless node network access method according to the present invention.
- The authentication procedure in this embodiment is based on authentication with the USIM card in the RN, the RN behaving similarly to a secondary UE.
- The RN first completes the radio bearer establishment procedure based on the USIM card in it, establishes an IP connection on the user plane/signaling plane, and then starts the certificate-based authentication procedure of the IP-layer Internet Key Exchange protocol version 2 (IKEv2), establishing between the RN and the DeNB to which it belongs
- Step 2001: The RN sends an IKE Security Association Initial Negotiation (IKE_SA_INIT) request message to the DeNB; the IKE_SA_INIT request message carries the parameters {HDR, SAi1, KEi, Ni}.
- The message header HDR includes the Security Parameter Indexes (SPIs), a version number and the required flags.
- SAi1 carries the encryption algorithms supported by the initiator for establishing the IKE security association, KEi is the DH parameter of the initiator, and Ni is the nonce payload of the initiator.
- Step 2002: The DeNB replies to the RN with an IKE_SA_INIT response message; the IKE_SA_INIT response message carries the parameters {HDR, SAr1, KEr, Nr, [CERTREQ]}.
- The DeNB places the selected algorithms in SAr1.
- In this way the initiator and the responder negotiate the required encryption algorithm and authentication algorithm.
- By exchanging Ni/Nr and KEi/KEr, the DH exchange is completed, so that both parties can compute the shared key, which is used to protect subsequent data and to generate the keys required for the IPsec security association; [CERTREQ] is the certificate request.
- Step 2003: The RN sends an IKE_AUTH request message to the DeNB to which it belongs; the IKE_AUTH request message carries the parameters {HDR, SK, AUTH, SAi2, TSi, TSr, CFG_REQUEST}.
- HDR contains the SPIs, the version number and the required flags.
- SAi1 carries the encryption algorithms supported by the initiator for establishing the IKE security association.
- SK indicates that the message is protected; AUTH is used to prove possession of the secret associated with the ID and to integrity-protect both the previous and the current data packets.
- SAi2 carries the list of cryptographic algorithms for the IPsec security association.
- TSi/TSr represent the data flows protected by the IPsec security association.
- CFG_REQUEST is used by the RN to request from the DeNB to which it belongs a certificate for authentication.
- Step 2004: The DeNB to which the RN belongs sends an IKE_AUTH response message to the RN; the IKE_AUTH response message carries the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload, CFG_REQUEST}.
- Step 2005: The RN sends an IKE_AUTH response message to the DeNB to which it belongs; the IKE_AUTH response message carries the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload}, and the certificate of the RN is sent to the DeNB to which the RN belongs, so that the DeNB completes the authentication of the RN.
- The certificate of the RN and the certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length instead of the certificate itself; the entity receiving the message then first completes the interaction with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and afterwards authenticates the peer based on the certificate content.
- The certificate authentication procedure is also required, as described in the above steps. On the network-side node (DeNB/MME) performing the certificate authentication, if certificate authentication of the RN fails, the wireless connection/IPsec connection of the Un interface between the RN and the DeNB/MME should be released, or the MME initiates a Detach procedure for the RN. Only after the certificate of the RN is successfully authenticated can the RN act as a network node and activate the bearer function of the Un interface; otherwise no UE can access the network through the RN.
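Steps 2001 to 2005 exchange nonces and KE payloads in IKE_SA_INIT and then authenticate with certificates in IKE_AUTH. What the text leaves implicit is how the SK_* keys that protect IKE_AUTH are derived from Ni, Nr, the DH result and the SPIs, and exactly which octets the AUTH payload signs; both are fixed by RFC 7296 (sections 2.14 and 2.15). The Python below is an added example for this page, not code from the patent, and it does not implement the RN or DeNB. It carries out that derivation with HMAC-SHA-256 as the negotiated prf and integrity algorithm, computes the initiator and responder signed octets that a certificate's private key would sign, and shows the directional integrity check on SK-protected messages; the nonces, SPIs, message bytes, ID payload and the `g^ir` stand-in are constructed demo values, and the `NI`/`NR`/`G_IR` names and the `*_demo` helpers are this example's own.

```python
"""IKEv2 key material derivation (RFC 7296 section 2.14), the octets covered by the AUTH payload
(section 2.15) and the integrity check on SK-protected messages, with HMAC-SHA-256 as the negotiated
prf/integrity algorithm. All inputs below are constructed demo values."""
import hashlib, hmac

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    """prf+(K, S) = T1 | T2 | ... with T1 = prf(K, S | 0x01) and Tn = prf(K, T(n-1) | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out, n = out + t, n + 1
    return out[:length]

def derive_ike_keys(ni, nr, g_ir, spi_i, spi_r, prf_len=32, int_len=32, enc_len=32):
    """SKEYSEED = prf(Ni | Nr, g^ir); SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr =
    prf+(SKEYSEED, Ni | Nr | SPIi | SPIr). Key lengths follow the negotiated algorithms."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", prf_len), ("SK_ai", int_len), ("SK_ar", int_len), ("SK_ei", enc_len),
              ("SK_er", enc_len), ("SK_pi", prf_len), ("SK_pr", prf_len)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, n in layout:
        keys[name], pos = stream[pos:pos + n], pos + n
    return keys

def initiator_signed_octets(message1, nr, sk_pi, id_i_rest):
    """What the initiator (here the RN) signs with its certificate's private key to form AUTH:
    RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload). Including Nr ties it to this SA."""
    return message1 + nr + prf(sk_pi, id_i_rest)

def responder_signed_octets(message2, ni, sk_pr, id_r_rest):
    """Responder (DeNB) counterpart: RealMessage2 | NonceIData | prf(SK_pr, RestOfRespIDPayload)."""
    return message2 + ni + prf(sk_pr, id_r_rest)

def icv(sk_a, encrypted_payload):
    """AUTH_HMAC_SHA2_256_128-style integrity check value over the SK payload (truncated to 128 bits).
    The initiator uses SK_ai and the responder SK_ar, so each direction has its own key."""
    return prf(sk_a, encrypted_payload)[:16]

# constructed demo inputs: nonces, SPIs and a stand-in for the DH shared secret g^ir
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8
G_IR = hashlib.sha256(b"constructed g^ir, not a real DH output").digest()

def ike_sa_init_demo():
    """Both sides run the same derivation on the exchanged values and must obtain identical keys."""
    rn = derive_ike_keys(NI, NR, G_IR, SPI_I, SPI_R)
    denb = derive_ike_keys(NI, NR, G_IR, SPI_I, SPI_R)
    return rn, denb

def ike_auth_demo(replayed_nr=None):
    """Octets the RN would sign in IKE_AUTH. A different Nr (another IKE_SA_INIT run) changes them,
    so an AUTH value captured from one exchange does not fit a later one."""
    rn, _ = ike_sa_init_demo()
    message1 = b"HDR|SAi1|KEi|" + NI            # stand-in for the initiator's real IKE_SA_INIT bytes
    id_i = b"\x01\x00\x00\x00rn-1.example"      # ID type + reserved + ID data (constructed)
    return initiator_signed_octets(message1, replayed_nr or NR, rn["SK_pi"], id_i)
```

Two properties worth noticing when reading the derivation: every SK_* key depends on both nonces and both SPIs, so neither party can force key reuse across SAs, and the signed octets include the peer's nonce, which is why the certificate-based AUTH in Steps 2003 to 2005 cannot simply be replayed from an earlier session.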
- FIG. 21 is a schematic structural diagram of a fifth embodiment of a relay node according to the present invention.
- The relay node includes a parameter exchange module 2101, a first sending module 2102, a receiving authentication module 2103 and a second sending module 2104.
- The parameter exchange module 2101 is configured to send an Internet Key Exchange Security Association Initial Negotiation Request message to the donor base station after the radio resource control connection establishment and radio bearer establishment procedures between the relay node and the donor base station are completed, and to receive the Internet Key Exchange Security Association Initial Negotiation Response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station. The first sending module 2102 is configured to send an Internet Key Exchange Authentication Request message to the donor base station, where the Internet Key Exchange Authentication Request message carries information requesting the certificate of the donor base station. The receiving authentication module 2103 is configured to receive the Internet Key Exchange Authentication Response message returned by the donor base station, which carries the certificate of the donor base station, and to authenticate the donor base station according to the certificate of the donor base station; the Internet Key Exchange Authentication Response message further carries information
- The specific manner in which the relay node provided in this embodiment implements the wireless node network access method is described in the twelfth embodiment of the foregoing method.
- The twelfth embodiment implements certificate-based authentication when the RN accesses the network and makes the network-side RN more secure.
- FIG. 22 is a schematic structural diagram of a fifth embodiment of a wireless node network access system according to the present invention.
- The wireless node network access system includes a donor base station 2201 and a relay node 2202 as described in the fifth embodiment of the relay node above.
- The donor base station 2201 is configured to receive the Internet Key Exchange Security Association Initial Negotiation Request message sent by the relay node 2202, and to return the Internet Key Exchange Security Association Initial Negotiation Response message to the relay node 2202.
- The specific manner in which the wireless node network access system provided in this embodiment implements the wireless node network access method is described in the twelfth embodiment of the foregoing method; it implements certificate-based authentication when the RN accesses the network and makes the network-side RN more secure.
- The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Description
Wireless node network access method, system and relay node. This application claims priority to Chinese Patent Application No. 201010111422.8, filed with the Chinese Patent Office on February 12, 2010 and entitled "Wireless Node Network Access Method, System and Relay Node", the entire contents of which are incorporated herein by reference. Technical Field
The present invention relates to the field of communications technologies, and in particular to a wireless node network access method, system and relay node. Background of the Invention
A relay node (RN) is introduced in Long Term Evolution - Advanced (LTE-A). The RN is provided to improve throughput at the edge of a communication cell, to meet the need of operators or users for temporary network deployment, and to support group mobility. The RN may be deployed in hotspot areas or blind-spot areas in rural areas, cities, indoors and the like.
In an existing Radio Access Network (RAN), when an RN accesses the network it resembles an additional User Equipment (UE). Therefore, a certificate-based authentication method cannot be implemented when the RN enters the network. Summary of the Invention
The purpose of the embodiments of the present invention is to provide a wireless node network access method, system and relay node, so as to implement a certificate-based authentication method when the RN enters the network.
An embodiment of the present invention provides a wireless node network access method, including:
during a radio resource control connection establishment procedure between a relay node and a donor base station integrated with a home subscriber server, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
receiving the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
if the relay node and the donor base station are successfully authenticated, calculating a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
performing authentication and key agreement with a mobility management entity based on the base key K; performing non-access stratum security mode control with the mobility management entity, performing access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
An embodiment of the present invention further provides a relay node, including:
a sending module, configured to send, during a radio resource control connection establishment procedure between the relay node and a donor base station integrated with a home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
a receiving authentication module, configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
a calculation module, configured to calculate a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving authentication module, if the relay node and the donor base station are successfully authenticated;
a bearer establishing module, configured to perform authentication and key agreement with a mobility management entity based on the base key K calculated by the calculation module, to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and to establish a radio bearer with the donor base station.
An embodiment of the present invention further provides a wireless node network access system, including a mobility management entity, a donor base station integrated with a home subscriber server, and the relay node described above, where:
the donor base station integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, and to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node; to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station; and to perform access stratum security mode control with the relay node using the access stratum key calculated from the base key K;
the mobility management entity is configured to obtain the authentication vector calculated by the donor base station integrated with the home subscriber server based on the base key K, to perform authentication and key agreement with the relay node according to the authentication vector, and to perform non-access stratum security mode control with the relay node using the non-access stratum key calculated from the base key K.
An embodiment of the present invention further provides a wireless node network access method, including:
during a radio resource control connection establishment procedure between a relay node and a donor base station, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a home subscriber server through the donor base station, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
receiving, through the donor base station, the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server sent by the home subscriber server, and authenticating the home subscriber server according to the certificate of the home subscriber server;
if the relay node and the home subscriber server are successfully authenticated, calculating a base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
performing authentication and key agreement with a mobility management entity based on the base key K; performing non-access stratum security mode control with the mobility management entity, performing access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
本发明实施例还提供了一种中继节点, 包括: The embodiment of the invention further provides a relay node, including:
发送模块, 用于在中继节点与施主基站之间的无线资源控制连接建立过 程中, 通过所述施主基站向归属用户服务器发送所述中继节点的证书和所述 中继节点的迪菲-赫尔曼参数, 以使所述归属用户服务器根据所述中继节点的 证书对所述中继节点进行认证; a sending module, configured to send, by the donor base station, a certificate of the relay node to the home subscriber server and the foregoing, in a process of establishing a radio resource control connection between the relay node and the donor base station a Diffie-Hellman parameter of the relay node, so that the home subscriber server authenticates the relay node according to the certificate of the relay node;
接收认证模块, 用于通过所述施主基站接收所述归属用户服务器发送的 所述归属用户服务器的证书和所述归属用户服务器的迪菲-赫尔曼参数, 并根 据所述归属用户服务器的证书对所述归属用户服务器进行认证; Receiving an authentication module, configured to receive, by the donor base station, a certificate of the home subscriber server sent by the home subscriber server and a Diffie-Hellman parameter of the home subscriber server, and according to the certificate of the home subscriber server Authenticating the home subscriber server;
计算模块, 用于若所述中继节点和所述归属用户服务器认证成功, 则根 据所述中继节点的迪菲-赫尔曼参数和所述接收模块接收的所述归属用户服务 器的迪菲 -赫尔曼参数计算基础密钥 K; a calculation module, configured to: according to the Diffie-Hellman parameter of the relay node and the Diffy of the home subscriber server received by the receiving module, if the relay node and the home subscriber server are successfully authenticated - Herman parameter calculation base key K;
承载建立模块, 用于基于所述计算模块计算得到的所述基础密钥 K, 与 移动管理实体进行认证与密钥协商; 并用于与所述移动管理实体进行非接入 层安全模式控制, 与所述施主基站进行接入层安全模式控制, 建立与所述施 主基站之间的无线承载。 a bearer establishing module, configured to perform authentication and key negotiation with the mobility management entity based on the basic key K calculated by the computing module, and configured to perform non-access stratum security mode control with the mobility management entity, and The donor base station performs access layer security mode control to establish a radio bearer with the donor base station.
An embodiment of the present invention further provides a wireless node network access system, including a mobility management entity, a home subscriber server, a donor base station and the relay node described above, where:
the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, to send the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server to the relay node, and to calculate the base key K according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server;
the mobility management entity is configured to obtain the authentication vector calculated by the home subscriber server based on the base key K, to perform authentication and key agreement with the relay node according to the authentication vector, and to perform non-access stratum security mode control with the relay node using the non-access stratum key calculated from the base key K;
the donor base station is configured to obtain the access stratum key calculated by the home subscriber server based on the base key K, and to perform access stratum security mode control with the relay node according to the access stratum key.
An embodiment of the present invention further provides a wireless node network access method, including:
completing the establishment of a radio resource control connection between the relay node and the donor base station;
sending an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a mobility management entity integrated with a home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node;
receiving a non-access stratum message sent by the mobility management entity that carries the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity, and authenticating the mobility management entity according to the certificate of the mobility management entity;
if the relay node and the mobility management entity are successfully authenticated, calculating a shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity;
based on the shared key, performing non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and establishing a radio bearer with the donor base station.
An embodiment of the present invention further provides a relay node, including:
a connection establishment module, configured to complete the establishment of a radio resource control connection between the relay node and the donor base station;
a sending module, configured to send an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to a mobility management entity integrated with a home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive a non-access stratum message sent by the mobility management entity that carries the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity, and to authenticate the mobility management entity according to the certificate of the mobility management entity;
a calculation module, configured to calculate, if the relay node and the mobility management entity are successfully authenticated, the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity received by the receiving module;
a bearer establishment module, configured to perform, based on the shared key calculated by the calculation module, non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and to establish a radio bearer with the donor base station.
An embodiment of the present invention further provides a wireless node network access system, including a mobility management entity integrated with a home subscriber server, a donor base station and the relay node described above, where:
the mobility management entity integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node, to calculate the shared key according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity, and to perform non-access stratum security mode control with the relay node using the non-access stratum key calculated from the shared key;
the donor base station is configured to obtain the access stratum key calculated by the mobility management entity integrated with the home subscriber server based on the shared key, and to perform access stratum security mode control with the relay node according to the access stratum key.
An embodiment of the present invention further provides a wireless node network access method, including:
during radio resource control connection establishment and/or radio bearer establishment between the relay node and the donor base station, sending the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
receiving the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and authenticating the donor base station according to the certificate of the donor base station;
if the relay node and the donor base station are successfully authenticated, calculating an authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station;
using the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, and performing access stratum security mode control with the donor base station based on the temporary key KeNB.
An embodiment of the present invention further provides a relay node, including:
a sending module, configured to send, during radio resource control connection establishment and/or radio bearer establishment between the relay node and the donor base station, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node;
a receiving and authentication module, configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station;
a calculation module, configured to calculate, if the relay node and the donor base station are successfully authenticated, the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by the receiving module;
a bearer establishment module, configured to use the authentication key AK calculated by the calculation module as the temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the donor base station based on the temporary key KeNB.
An embodiment of the present invention further provides a wireless node network access system, including a donor base station and the relay node described above, where:
the donor base station is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node, to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node, to calculate the authentication key AK according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the relay node according to the temporary key KeNB.
An embodiment of the present invention further provides a wireless node network access method, including:
after radio resource control connection establishment and radio bearer establishment between the relay node and the donor base station have been completed, sending an Internet Key Exchange security association initial negotiation request message to the donor base station and receiving the Internet Key Exchange security association initial negotiation response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station;
sending an Internet Key Exchange authentication request message to the donor base station, where the Internet Key Exchange authentication request message carries information requesting the certificate of the donor base station;
receiving the Internet Key Exchange authentication response message carrying the certificate of the donor base station returned by the donor base station, and authenticating the donor base station according to the certificate of the donor base station, where the Internet Key Exchange authentication response message further carries information requesting the certificate of the relay node;
sending an Internet Key Exchange authentication response message carrying the certificate of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node.
An embodiment of the present invention further provides a relay node, including:
a parameter exchange module, configured to send, after radio resource control connection establishment and radio bearer establishment between the relay node and the donor base station have been completed, an Internet Key Exchange security association initial negotiation request message to the donor base station and to receive the Internet Key Exchange security association initial negotiation response message returned by the donor base station, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station;
a first sending module, configured to send an Internet Key Exchange authentication request message to the donor base station, where the Internet Key Exchange authentication request message carries information requesting the certificate of the donor base station;
a receiving and authentication module, configured to receive the Internet Key Exchange authentication response message carrying the certificate of the donor base station returned by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station, where the Internet Key Exchange authentication response message further carries information requesting the certificate of the relay node;
a second sending module, configured to send an Internet Key Exchange authentication response message carrying the certificate of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node.
An embodiment of the present invention further provides a wireless node network access system, including a donor base station and the relay node described above, where:
the donor base station is configured to receive the Internet Key Exchange security association initial negotiation request message sent by the relay node and to return the Internet Key Exchange security association initial negotiation response message to the relay node, so as to exchange the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, where the Diffie-Hellman parameters are used to negotiate a security association between the relay node and the donor base station; to receive the Internet Key Exchange authentication request message sent by the relay node, where the Internet Key Exchange authentication request message carries information requesting the certificate of the donor base station, and to return to the relay node the Internet Key Exchange authentication response message carrying the certificate of the donor base station, where the Internet Key Exchange authentication response message further carries information requesting the certificate of the relay node; and to receive the Internet Key Exchange authentication response message carrying the certificate of the relay node sent by the relay node, and to authenticate the relay node according to the certificate of the relay node.
It can be seen from the above technical solutions that the wireless node network access method, system and relay node of the embodiments of the present invention carry certificates in the messages exchanged between the relay node and the donor base station, home subscriber server or mobility management entity, perform authentication between the relay node and the donor base station, home subscriber server or mobility management entity, and use the DH parameters exchanged between the relay node and the donor base station, home subscriber server or mobility management entity to calculate a shared key analogous to the one used when a user equipment accesses the network, finally completing radio bearer establishment between the relay node and the donor base station. A certificate-based authentication method is thereby implemented when the relay node accesses the network, and network-side relay node access becomes more secure.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of the first embodiment of the wireless node network access method according to the present invention;
FIG. 2 is a signaling flowchart of the second embodiment of the wireless node network access method according to the present invention;
FIG. 3 is a signaling flowchart of the third embodiment of the wireless node network access method according to the present invention;
FIG. 4 is a schematic structural diagram of the first embodiment of the relay node according to the present invention;
FIG. 5 is a schematic structural diagram of the first embodiment of the wireless node network access system according to the present invention;
FIG. 6 is a schematic flowchart of the fourth embodiment of the wireless node network access method according to the present invention;
FIG. 7 is a signaling flowchart of the fifth embodiment of the wireless node network access method according to the present invention;
FIG. 8 is a schematic structural diagram of the second embodiment of the relay node according to the present invention;
FIG. 9 is a schematic structural diagram of the second embodiment of the wireless node network access system according to the present invention;
FIG. 10 is a schematic flowchart of the sixth embodiment of the wireless node network access method according to the present invention;
FIG. 11 is a signaling flowchart of the seventh embodiment of the wireless node network access method according to the present invention;
FIG. 12 is a schematic structural diagram of the third embodiment of the relay node according to the present invention;
FIG. 13 is a schematic structural diagram of the third embodiment of the wireless node network access system according to the present invention;
FIG. 14 is a schematic flowchart of the eighth embodiment of the wireless node network access method according to the present invention;
FIG. 15 is a signaling flowchart of the ninth embodiment of the wireless node network access method according to the present invention;
FIG. 16 is a signaling flowchart of the tenth embodiment of the wireless node network access method according to the present invention;
FIG. 17 is a signaling flowchart of the eleventh embodiment of the wireless node network access method according to the present invention;
FIG. 18 is a schematic structural diagram of the fourth embodiment of the relay node according to the present invention;
FIG. 19 is a schematic structural diagram of the fourth embodiment of the wireless node network access system according to the present invention;
FIG. 20 is a schematic flowchart of the twelfth embodiment of the wireless node network access method according to the present invention;
FIG. 21 is a schematic structural diagram of the fifth embodiment of the relay node according to the present invention;
FIG. 22 is a schematic structural diagram of the fifth embodiment of the wireless node network access system according to the present invention.
Mode for Carrying Out the Invention
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. It is obvious that the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a schematic flowchart of the first embodiment of the wireless node network access method according to the present invention. As shown in FIG. 1, the method includes the following steps:
Step 101: during radio resource control (RRC) connection establishment between a relay node (RN) and a donor base station (Donor evolved Node B, DeNB) integrated with a home subscriber server (HSS), the RN sends the RN's certificate and the RN's Diffie-Hellman (DH) parameter to the DeNB, so that the DeNB authenticates the RN according to the RN's certificate.
Step 102: the RN receives the DeNB's certificate and the DeNB's DH parameter sent by the DeNB, and authenticates the DeNB according to the DeNB's certificate.
In steps 101 and 102 above, the RN and the DeNB each send their own certificate to the peer, so that certificate-based authentication between the RN and the DeNB can be performed.
Step 103: if the RN and the DeNB are successfully authenticated, the base key K is calculated according to the RN's DH parameter and the DeNB's DH parameter.
This base key K is analogous to the base key K carried in the UE's Universal Subscriber Identity Module (USIM) when a UE accesses a conventional LTE network. In step 103, K = KDF(K_DH). In addition, the DeNB also calculates the base key K according to the RN's DH parameter and the DeNB's DH parameter, that is, the DeNB side generates the base key K with the same algorithm.
Step 104: based on the base key K, the RN performs authentication and key agreement (AKA) with the mobility management entity (MME), performs non-access stratum (NAS) security mode control (SMC) with the MME, performs access stratum (AS) SMC with the DeNB, and establishes a radio bearer between the RN and the DeNB.
In step 104, since both the RN side and the DeNB side integrated with the HSS have generated the base key K, the subsequent AKA procedure between the RN and the MME uses the authentication vector calculated from the base key K, the NAS SMC procedure uses the NAS key calculated from the base key K, and the AS SMC procedure between the RN and the DeNB uses the AS key calculated from the base key K. These procedures are analogous to those of a UE accessing a conventional LTE network: the RN completes network access authentication and security mode establishment in the same way as a UE in conventional LTE, which is not described again here.
In the wireless node network access method provided by this embodiment, certificates are carried in the messages exchanged between the RN and the DeNB integrated with the HSS function during RRC connection establishment, authentication between the RN and the DeNB is performed, and the DH parameters exchanged between the RN and the DeNB are used to calculate a base key K analogous to the one carried in the USIM card when a UE accesses the network. Radio bearer establishment between the RN and the DeNB is finally completed, thereby implementing a certificate-based authentication method when the RN accesses the network and making network-side RN access more secure.
FIG. 2 is a signaling flowchart of the second embodiment of the wireless node network access method according to the present invention. In this embodiment, the DeNB and the HSS are integrated in the same entity. During RRC connection establishment, the RN uses air interface messages to carry the certificate and the key agreement parameters, the base key K is negotiated between the RN and the DeNB/HSS, and the RN then performs mutual authentication with the MME using AKA based on this base key K; the subsequent SMC procedure is identical to the existing SMC procedure for a UE accessing a conventional LTE network. As shown in FIG. 2, the wireless node network access method includes the following steps:
Step 201: the RN sends an RRC Connection Setup Request message to the DeNB integrated with the HSS function; the RRC Connection Setup Request message carries the RN's certificate, the RN's DH parameter and other information, so that the DeNB authenticates the RN according to the RN's certificate.
The RRC Connection Setup Request message may also carry an authentication (AUTH) parameter, which is used to prove knowledge of the secret associated with the entity's own ID and to integrity-protect the previous and current packets.
Step 202: after receiving the RRC Connection Setup Request message, the DeNB sends an RRC Connection Setup message to the RN that sent the request; the RRC Connection Setup message carries the DeNB's certificate, the DeNB's DH parameter and other information, so that the RN authenticates the DeNB according to the DeNB's certificate.
The RRC Connection Setup message may also carry an AUTH parameter, which is used to prove knowledge of the secret associated with the entity's own ID and to integrity-protect the previous and current packets. In step 202, the HSS integrated in the DeNB may also allocate an International Mobile Subscriber Identity (IMSI) to the RN; if one is allocated, the IMSI is sent to the RN together with the RRC Connection Setup message and is used to uniquely identify the RN.
Step 203: the RN and the DeNB each locally calculate and generate the base key K according to the RN's DH parameter and the DeNB's DH parameter carried in the two messages of steps 201 and 202.
This base key K is analogous to the base key K carried in the UE's USIM card when a UE accesses a conventional LTE network.
Step 204: the RN sends an RRC Connection Setup Complete message to the DeNB; the RRC Connection Setup Complete message carries a NAS Attach Request message.
Step 205: the DeNB forwards the RN's NAS Attach Request message to the MME.
Step 206: the MME finds that the attaching entity is an RN, starts the AKA authentication procedure, and first sends an Authentication Data Request message to the HSS.
Step 207: the HSS sends the authentication vector calculated from the base key K to the MME; the authentication vector may include {RAND, XRES, KASME, AUTN}.
Step 208: after obtaining the authentication vector, the MME sends an Authentication Request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed to calculate the keys.
Step 209: the MME receives the Authentication Response carrying the RES returned by the RN after its calculation, and verifies the RES in the Authentication Response, thereby completing AKA authentication between the RN and the MME.
Step 210: the NAS encryption algorithm between the RN and the MME is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure for a UE accessing a conventional LTE network.
Step 211: the MME sends an Initial Context Setup message for the RN to the DeNB; the Initial Context Setup message carries the AS key calculated during the AKA authentication procedure between the RN and the MME.
Step 212: the AS confidentiality algorithm between the DeNB and the RN is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure for a UE accessing a conventional LTE network.
Step 213: The radio bearer setup procedure between the RN and the DeNB is performed, which completes the RN's network access authentication.
Because the length of the RRC Connection Setup Request message or the RRC Connection Setup message is limited, in steps 201 and 202 the certificate of the RN and/or the certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC Connection Setup Request message or the RRC Connection Setup message in the above authentication procedure carries a certificate identifier rather than the certificate itself, the entity receiving the message must first interact with the registration authority (Registration Association, RA) / certification authority (Certificate Association, CA) to obtain the content of the certificate indicated by the identifier, and only then authenticate the peer based on the certificate content.
The wireless node access method of this embodiment describes in detail the signaling flow of certificate authentication between the RN and a DeNB with an integrated HSS: the RN's certificate is carried in the RRC Connection Setup Request message and the DeNB's certificate in the RRC Connection Setup message, so that certificate-based authentication is performed between the RN and the DeNB; DH parameters are exchanged through the same RRC Connection Setup Request and RRC Connection Setup messages, and from them a base key K is computed that plays the role of the key held in the USIM card when a UE accesses the network; finally the radio bearer between the RN and the DeNB is established. This realizes a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 3 is a signaling flowchart of a third embodiment of the wireless node access method of the present invention. In this embodiment, the DeNB and the HSS are integrated on the same entity, the RN carries the information needed for key agreement in the RRC Connection Setup Request message, and the RN's AUTH parameter for the DeNB is carried in the RRC Connection Setup Complete message so as to authenticate the RRC Connection Setup Request message sent earlier. As shown in FIG. 3, the method comprises the following steps:
Step 301: The RN sends an RRC Connection Setup Request message to the DeNB with integrated HSS function; the message carries the RN's certificate, the RN's DH parameter and related information.
Step 302: The DeNB computes the base key K from the received DH parameter of the RN and its own local DH parameter, computes an AUTH parameter from K, and sends an RRC Connection Setup message to the RN. This message carries the DeNB's certificate, the DeNB's DH parameter and the AUTH parameter, so that the RN can authenticate the DeNB according to the DeNB's certificate.
In step 302, the HSS integrated on the DeNB may also allocate an IMSI to the RN; if one is allocated, the IMSI is sent to the RN in the same RRC Connection Setup message and uniquely identifies the RN. The base key K plays the role of the base key K held in the UE's USIM card when a UE accesses a legacy LTE network, with K = KDF(K_DH).
Step 303: The RN sends an RRC Connection Setup Complete message to the DeNB; this message carries the RN's AUTH parameter for the DeNB, so that the DeNB uses this value to authenticate the RRC Connection Setup Request message sent earlier by the RN and, once that authentication succeeds, authenticates the RN according to the RN's certificate. The RRC Connection Setup Complete message also carries the RN's NAS Attach Request message.
Step 304: The RN computes the base key K locally from the RN's DH parameter and the DeNB's DH parameter carried in the messages of steps 301 to 303 above.
This base key K plays the role of the base key K held in the UE's USIM card when a UE accesses a legacy LTE network.
Step 305: The DeNB forwards the RN's NAS Attach Request message to the MME.
Step 306: The MME determines that the attaching node is an RN and starts the AKA procedure by first sending an Authentication Data Request message to the HSS.
Step 307: The HSS sends the authentication vector it computed from the base key K to the MME; the vector may comprise {RAND, XRES, KASME, AUTN}.
Step 308: Having obtained the authentication vector, the MME sends an Authentication Request to the RN carrying the AUTN and XRES used for authentication and the RAND needed for key computation.
Step 309: The MME receives the Authentication Response carrying the RES computed by the RN and verifies the RES, which completes AKA between the RN and the MME.
Step 310: The NAS encryption algorithm between the RN and the MME is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a legacy LTE network.
Step 311: The MME sends the RN's Initial Context Setup message to the DeNB; this message carries the AS key computed during AKA between the RN and the MME.
Step 312: The AS encryption algorithm between the DeNB and the RN is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a legacy LTE network.
Step 313: The radio bearer setup procedure between the RN and the DeNB is performed, which completes the RN's network access authentication.
Because the length of the RRC Connection Setup Request message or the RRC Connection Setup message is limited, in steps 301 and 302 the RN certificate and/or the DeNB certificate may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC Connection Setup Request message or the RRC Connection Setup message in the above authentication procedure carries a certificate identifier rather than the certificate itself, the entity receiving the message must first interact with the RA/CA to obtain the certificate indicated by the identifier, and only then perform certificate-based authentication of the peer.
The wireless node access method of this embodiment describes in detail the signaling flow of certificate authentication between the RN and a DeNB with an integrated HSS. It obtains substantially the same benefits as the second embodiment of the wireless node access method: a certificate-based authentication method is realized for RN network access, and RN access on the network side is made more secure.
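The exchange of the second and third embodiments (steps 203-213 and 301-311), as an added example that is not part of the patent: both sides derive K = KDF(K_DH) from the exchanged DH parameters, the DeNB's AUTH in RRC Connection Setup and the RN's AUTH in RRC Connection Setup Complete are checked against the locally derived K, and the HSS role co-located with the DeNB issues the {RAND, XRES, KASME, AUTN} vector from K for AKA with the MME. The DH group, the HMAC-SHA256 constructions standing in for the KDF, AUTH, the authentication vector and the AS key derivation, and the assumption that certificate validation has already succeeded are choices of the example, not the patent; the MME here sends RAND and AUTN to the RN and keeps XRES for the comparison.

```python
"""Constructed walk-through of the RN access exchange: certificate and DH
parameter in RRC Connection Setup Request/Setup, AUTH in RRC Connection Setup
Complete, K = KDF(K_DH), then AKA driven from K. Standard library only."""
import hashlib
import hmac
import secrets

# DH group: the 1024-bit MODP prime of RFC 2409 group 2 with generator 2.
# The patent fixes no group, so this choice is an assumption of the example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def dh_keypair(private=None):
    """Return (private exponent x, public DH parameter g^x mod p)."""
    x = private if private is not None else secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def enc(n):
    """Fixed-width big-endian encoding so MAC transcripts are unambiguous."""
    return n.to_bytes(P_LEN, "big")


def base_key(k_dh):
    """K = KDF(K_DH). HMAC-SHA256 under a fixed label stands in for the KDF,
    which the patent leaves unspecified (assumption)."""
    return hmac.new(b"RN base key K", enc(k_dh), hashlib.sha256).digest()


def auth_param(k, role, rn_pub, denb_pub):
    """AUTH of steps 302/303: a MAC under K over both DH parameters (assumed
    construction), so each side proves it holds the same K and binds that K
    to exactly the RRC messages that were exchanged."""
    return hmac.new(k, role + enc(rn_pub) + enc(denb_pub), hashlib.sha256).digest()


def aka_prf(k, rand, label):
    """HMAC-SHA256 stands in for the 3GPP f-functions and KDF (assumption)."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()


def authentication_vector(k, rand=None):
    """HSS side, steps 207/307: {RAND, XRES, KASME, AUTN} derived from K."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    return {"RAND": rand,
            "XRES": aka_prf(k, rand, b"RES")[:8],
            "AUTN": aka_prf(k, rand, b"MAC")[:8],
            "KASME": aka_prf(k, rand, b"KASME")}


def rn_authentication_response(k, rand, autn):
    """RN side, steps 208/308: reject the challenge unless AUTN verifies under
    the RN's own K, then return RES."""
    if not hmac.compare_digest(aka_prf(k, rand, b"MAC")[:8], autn):
        raise ValueError("AUTN check failed: network not authenticated")
    return aka_prf(k, rand, b"RES")[:8]


def run_rn_access(rn_private=None, denb_private=None, rand=None):
    """Drive steps 301-311 with every entity's state held locally. Certificate
    validation is assumed to have succeeded; only the keying and the
    authentication checks are shown. Returns each entity's resulting keys."""
    # Step 301: RRC Connection Setup Request carries RN certificate + DH parameter.
    rn_x, rn_pub = dh_keypair(rn_private)
    # Step 302: DeNB derives K, computes AUTH and answers with RRC Connection
    # Setup (DeNB certificate, DeNB DH parameter, AUTH).
    denb_x, denb_pub = dh_keypair(denb_private)
    k_denb = base_key(pow(rn_pub, denb_x, P))
    auth_denb = auth_param(k_denb, b"DeNB", rn_pub, denb_pub)
    # Step 304: RN derives K locally and checks the DeNB's AUTH against it.
    k_rn = base_key(pow(denb_pub, rn_x, P))
    if not hmac.compare_digest(auth_param(k_rn, b"DeNB", rn_pub, denb_pub), auth_denb):
        raise ValueError("DeNB AUTH mismatch: RRC Connection Setup rejected")
    # Step 303: RRC Connection Setup Complete carries the RN's AUTH (and the NAS
    # Attach Request); the DeNB uses it to authenticate the earlier request.
    auth_rn = auth_param(k_rn, b"RN", rn_pub, denb_pub)
    if not hmac.compare_digest(auth_param(k_denb, b"RN", rn_pub, denb_pub), auth_rn):
        raise ValueError("RN AUTH mismatch: RRC Connection Setup Request rejected")
    # Steps 306-307: MME requests a vector from the HSS co-located with the DeNB.
    av = authentication_vector(k_denb, rand)
    # Steps 308-309: MME sends RAND and AUTN; the RN returns RES, which the MME
    # compares with the XRES it kept from the vector.
    res = rn_authentication_response(k_rn, av["RAND"], av["AUTN"])
    if not hmac.compare_digest(res, av["XRES"]):
        raise ValueError("RES mismatch: RN not authenticated")
    # Step 311: Initial Context Setup hands the DeNB an AS key derived from
    # KASME (derivation label is an assumption of the example).
    k_as = hmac.new(av["KASME"], b"AS key", hashlib.sha256).digest()
    return {"K_rn": k_rn, "K_denb": k_denb, "KASME": av["KASME"], "K_as": k_as}
```

The later embodiments differ only in which entity performs the HSS role (a stand-alone HSS behind the DeNB, or an HSS integrated with the MME), so the same derivation and checks apply there with the messages forwarded accordingly.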
FIG. 4 is a schematic structural diagram of a first embodiment of a relay node according to the present invention. As shown in FIG. 4, the relay node comprises a sending module 41, a receiving-and-authenticating module 42, a computing module 43 and a bearer setup module 44. The sending module 41 is configured to send, during radio resource control connection establishment between the relay node and a donor base station with an integrated home subscriber server, the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the donor base station, so that the donor base station authenticates the relay node according to the certificate of the relay node. The receiving-and-authenticating module 42 is configured to receive the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station sent by the donor base station, and to authenticate the donor base station according to the certificate of the donor base station. The computing module 43 is configured to compute the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station received by module 42, provided that the relay node and the donor base station have authenticated each other successfully. The bearer setup module 44 is configured to perform authentication and key agreement with the mobility management entity based on the base key K computed by the computing module 43, to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station, and to establish the radio bearer with the donor base station.
The relay node of this embodiment implements the wireless node access method described in the method embodiments above: during RRC connection establishment, the messages exchanged between the RN and a DeNB with integrated HSS function carry certificates, authentication is performed between the RN and the DeNB, and from the DH parameters exchanged between the RN and the DeNB a base key K is computed that plays the role of the key held in the USIM card when a UE accesses the network; finally the radio bearer between the RN and the DeNB is established. This realizes a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 5 is a schematic structural diagram of a first embodiment of a wireless node access system according to the present invention. As shown in FIG. 5, the system comprises a mobility management entity 51, a donor base station 52 with an integrated home subscriber server, and a relay node 53. The relay node 53 is as described in the first relay node embodiment above and is not described again here. The donor base station 52 with integrated home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 53, to send the certificate of the donor base station and the Diffie-Hellman parameter of the donor base station to the relay node 53, to compute the base key K from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the donor base station, and to perform access stratum security mode control with the relay node 53 using the access stratum key computed from the base key K. The mobility management entity 51 is configured to obtain the authentication vector computed by the donor base station 52 with integrated home subscriber server from the base key K, to perform authentication and key agreement with the relay node 53 according to that authentication vector, and to perform non-access stratum security mode control with the relay node 53 using the non-access stratum key computed from the base key K.
The wireless node access system of this embodiment implements the wireless node access method described in the method embodiments above: during RRC connection establishment, the messages exchanged between the RN and a DeNB with integrated HSS function carry certificates, authentication is performed between the RN and the DeNB, and from the DH parameters exchanged between the RN and the DeNB a base key K is computed that plays the role of the key held in the USIM card when a UE accesses the network; finally the radio bearer between the RN and the DeNB is established. This realizes a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 6 is a schematic flowchart of a fourth embodiment of the wireless node access method of the present invention. As shown in FIG. 6, the method comprises the following steps:
Step 601: During RRC connection establishment between the RN and the DeNB, the RN's certificate and the RN's DH parameter are sent to the HSS via the DeNB, so that the HSS authenticates the RN according to the RN's certificate.
Step 602: The RN receives, via the DeNB, the HSS's certificate and the HSS's DH parameter sent by the HSS, and authenticates the HSS according to the HSS's certificate.
In steps 601 and 602 above, the RN and the HSS each send their own certificate to the peer, so that certificate-based authentication between the RN and the HSS is realized.
Step 603: If the RN and the HSS have authenticated each other successfully, the base key K is computed from the RN's DH parameter and the HSS's DH parameter.
This base key K plays the role of the base key K held in the UE's Universal Subscriber Identity Module (USIM) when a UE accesses a legacy LTE network. In step 603, K = KDF(K_DH); in addition, the HSS also computes the base key K from the RN's DH parameter and the HSS's DH parameter, that is, the same algorithm is used on the DeNB side to generate the base key K.
Step 604: Based on the base key K, AKA is performed with the MME, NAS SMC is performed with the MME, AS SMC is performed with the DeNB, and the radio bearer between the RN and the DeNB is established.
In step 604, since the RN side now holds the base key K, the subsequent AKA procedure between the RN and the MME uses the authentication vector computed from K, the NAS SMC procedure uses the non-access stratum key computed from K, and the AS SMC procedure between the RN and the DeNB uses the access stratum key computed from K. These procedures resemble those of a UE accessing a legacy LTE network: the RN completes network access authentication and security mode establishment in the same way as a UE in legacy LTE, so the details are not repeated here.
The wireless node access method of this embodiment carries certificates in the messages exchanged between the RN and the HSS during RRC connection establishment, performs authentication between the RN and the HSS, and from the DH parameters exchanged between the RN and the HSS computes a base key K that plays the role of the key held in the USIM card when a UE accesses the network; finally the radio bearer between the RN and the DeNB is established. This realizes a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 7 is a signaling flowchart of a fifth embodiment of the wireless node access method of the present invention. In this embodiment, the HSS is a separate physical entity rather than being located on the DeNB; the RN and the HSS still authenticate each other by certificate and agree on the base key K, while the DeNB forwards the corresponding messages between the RN and the HSS. As shown in FIG. 7, the wireless node access method comprises the following steps:
Step 701: The RN sends an RRC Connection Setup Request message to the DeNB; the message carries the RN's certificate, the RN's DH parameter, an AUTH parameter and related information.
Step 702: The DeNB forwards the RN's certificate, the RN's DH parameter, the AUTH parameter and related information from the received RRC Connection Setup Request message to the HSS, so that the HSS authenticates the RN according to the RN's certificate.
Step 703: The HSS sends a message carrying the HSS's certificate, the HSS's DH parameter and an AUTH parameter to the DeNB.
Step 704: Having received the HSS's certificate, the HSS's DH parameter and the AUTH parameter, the DeNB sends an RRC Connection Setup message to the RN; the message carries the HSS's certificate, the HSS's DH parameter and the AUTH parameter, so that the RN can authenticate the HSS according to the HSS's certificate.
In this step, the HSS may allocate an IMSI to the RN; if one is allocated, the DeNB also places the IMSI in the RRC Connection Setup message sent to the RN, and it uniquely identifies the RN.
Step 705: The RN and the HSS each compute the base key K locally from the RN's DH parameter and the HSS's DH parameter carried in the messages of steps 501 to 504 above.
This base key K plays the role of the base key K held in the UE's USIM card when a UE accesses a legacy LTE network.
Step 706: The RN sends an RRC Connection Setup Complete message to the DeNB; this message carries a NAS Attach Request message.
Step 707: The DeNB forwards the RN's NAS Attach Request message to the MME.
Step 708: The MME determines that the attaching node is an RN and starts the AKA procedure by first sending an Authentication Data Request message to the HSS.
Step 709: The HSS sends the authentication vector it computed from the base key K to the MME; the vector may comprise {RAND, XRES, KASME, AUTN}.
Step 710: Having obtained the authentication vector, the MME sends an Authentication Request to the RN carrying the AUTN and XRES used for authentication and the RAND needed for key computation.
Step 711: The MME receives the Authentication Response carrying the RES computed by the RN and verifies the RES, which completes AKA between the RN and the MME.
Step 712: The NAS encryption algorithm between the RN and the MME is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a legacy LTE network.
Step 713: The MME sends the RN's Initial Context Setup message to the DeNB; this message carries the AS key computed during AKA between the RN and the MME.
Step 714: The AS encryption algorithm between the DeNB and the RN is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a legacy LTE network.
Step 715: The radio bearer setup procedure between the RN and the DeNB is performed, which completes the RN's network access authentication.
Because the length of the RRC Connection Setup Request message or the RRC Connection Setup message is limited, in steps 701 to 704 the RN's certificate and/or the HSS's certificate may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC Connection Setup Request message or the RRC Connection Setup message in the above authentication procedure carries a certificate identifier rather than the certificate itself, the entity receiving the message must first interact with the RA/CA to obtain the certificate indicated by the identifier, and only then perform certificate-based authentication of the peer.
In the wireless node access method of this embodiment, the DeNB and the HSS are two separate entities. The embodiment describes in detail the signaling flow of certificate authentication between the RN and the HSS: the RN's certificate is carried in the RRC Connection Setup Request message and the HSS's certificate in the RRC Connection Setup message, so that certificate-based authentication is performed between the RN and the HSS; DH parameters are exchanged between the RN and the HSS through the RRC Connection Setup Request and RRC Connection Setup messages, and from them a base key K is computed that plays the role of the key held in the USIM card when a UE accesses the network; finally the radio bearer between the RN and the DeNB is established. This realizes a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
图 8为本发明中继节点第二实施例的结构示意图。 如图 8所示, 该中继 节点包括: 发送模块 81、接收认证模块 82、 计算模块 83和承载建立模块 84。 其中, 发送模块 81 , 用于在中继节点与施主基站之间的无线资源控制连接建 立过程中, 通过所述施主基站向归属用户服务器发送所述中继节点的证书和 所述中继节点的迪菲-赫尔曼参数, 以使所述归属用户服务器根据所述中继节 点的证书对所述中继节点进行认证; 接收认证模块 82, 用于通过所述施主基 站接收所述归属用户服务器发送的所述归属用户服务器的证书和所述归属用 户服务器的迪菲-赫尔曼参数, 并根据所述归属用户服务器的证书对所述归属 用户服务器进行认证; 计算模块 83 , 用于若所述中继节点和所述归属用户服 务器认证成功, 则根据所述中继节点的迪菲-赫尔曼参数和所述接收模块 82 接收的所述归属用户服务器的迪菲 -赫尔曼参数计算基础密钥 K; 承载建立模 块 84, 用于基于所述计算模块 83计算得到的所述基础密钥 K, 与移动管理实 体进行认证与密钥协商; 并用于与所述移动管理实体进行非接入层安全模式 控制, 与所述施主基站进行接入层安全模式控制, 建立与所述施主基站之间 的无线承载。 FIG. 8 is a schematic structural diagram of a second embodiment of a relay node according to the present invention. As shown in FIG. 8, the relay node includes: a sending module 81, a receiving authentication module 82, a calculating module 83, and a bearer establishing module 84. The sending module 81 is configured to send, by the donor base station, the certificate of the relay node and the relay node to the home subscriber server during a radio resource control connection establishment process between the relay node and the donor base station. a Diffie-Hellman parameter, such that the home subscriber server authenticates the relay node according to the certificate of the relay node; and a receiving authentication module 82, configured to receive the home subscriber server by using the donor base station Transmitting the certificate of the home subscriber server and the Diffie-Hellman parameter of the home subscriber server, and authenticating the home subscriber server according to the certificate of the home subscriber server; The relay node and the home subscriber server are successfully authenticated, and then calculated according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server received by the receiving module 82. 
a base key K; a bearer establishing module 84, configured to calculate the base key K based on the calculation module 83, and mobility management Body authentication and key agreement; and a non-access stratum security mode control and the mobility management entity, a security mode control access layer and the donor base station, and establish a radio bearer between the donor base station.
本实施例提供的中继节点, 具体实现无线节点入网方法详见上述方法实 施例, 通过在 RRC连接建立过程中, 在 RN和 HSS之间交互的消息中携带证 书, 进行 RN和 HSS之间的认证, 并通过 RN和 HSS之间交换的 DH参数, 计算类似于 UE入网时 USIM卡中携带的基础密钥 K, 最终完成 RN与 DeNB 之间的无线承载建立,从而实现 RN入网时基于证书的认证方法,且使得网络 侧 RN入网更加安全。 For the relay node provided in this embodiment, the specific method for implementing the wireless node accessing network is as shown in the foregoing method embodiment. In the RRC connection establishment process, the message exchanged between the RN and the HSS carries the certificate, and the RN and the HSS are performed. Authentication, and through the DH parameters exchanged between the RN and the HSS, the calculation is similar to the basic key K carried in the USIM card when the UE enters the network, and finally completes the establishment of the radio bearer between the RN and the DeNB, thereby implementing the certificate based on the RN entering the network. The authentication method makes the network side RN more secure.
图 9为本发明无线节点入网系统第二实施例的结构示意图。 如图 9所示, 包括: 移动管理实体 91、 归属用户服务器 92、 施主基站 93和中继节点 94。 所述中继节点 94如上述中继节点第二实施例中所描述, 在此不再赘述。 所述 归属用户服务器 92 ,用于接收所述中继节点 94发送的所述中继节点的证书和 所述中继节点的迪菲-赫尔曼参数, 并发送所述归属用户服务器的证书和所述 归属用户服务器的迪菲-赫尔曼参数至所述中继节点 94; 根据所述中继节点的 迪菲-赫尔曼参数和所述归属用户服务器的迪菲-赫尔曼参数计算所述基础密 钥 K; 所述移动管理实体 91 , 用于获取所述归属用户服务器 92基于所述基础 密钥 K计算的认证矢量, 根据所述认证矢量, 与所述中继节点 94进行认证与 密钥协商; 并用于根据所述基础密钥 K计算的非接入层密钥, 与所述中继节 点 94进行非接入层安全模式控制; 所述施主基站 93 , 用于获取所述归属用户 服务器 92基于所述基础密钥 K计算的接入层密钥, 根据所述接入层密钥, 与 所述中继节点 94进行接入层安全模式控制。 FIG. 9 is a schematic structural diagram of a second embodiment of a wireless node network access system according to the present invention. As shown in FIG. 9, the method includes: a mobility management entity 91, a home subscriber server 92, a donor base station 93, and a relay node 94. The relay node 94 is as described in the second embodiment of the foregoing relay node, and details are not described herein again. The home subscriber server 92 is configured to receive a certificate of the relay node sent by the relay node 94 and a Diffie-Hellman parameter of the relay node, and send a certificate of the home subscriber server and Defi-Herman parameter of the home subscriber server to the relay node 94; calculating according to the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the home subscriber server The base management key 91 is configured to acquire an authentication vector calculated by the home subscriber server 92 based on the basic key K, and perform authentication with the relay node 94 according to the authentication vector. Negotiating with the key; and for non-access stratum key calculation according to the basic key K, performing non-access stratum security mode control with the relay node 94; the donor base station 93, configured to acquire the The home subscriber server 92 performs access layer security mode control with the relay node 94 based on the access layer key calculated based on the base key K.
The wireless node network access system provided in this embodiment implements the wireless node network access method; see the foregoing method embodiment for details. During the RRC connection establishment procedure, the messages exchanged between the RN and the HSS carry certificates, so that the RN and the HSS authenticate each other; the DH parameters exchanged between the RN and the HSS are then used to calculate a base key K similar to the one carried in the USIM card when a UE accesses the network, and finally the radio bearer between the RN and the DeNB is established. This implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 10 is a schematic flowchart of a sixth embodiment of a wireless node network access method according to the present invention. In this embodiment the HSS and the MME are integrated on the same entity. As shown in FIG. 10, the method includes the following steps:
Step 1001: Complete RRC connection establishment between the RN and the DeNB.
Step 1002: The RN sends an attach request message carrying the certificate of the RN and the DH parameter of the RN to the MME integrated with the HSS, so that the MME authenticates the RN according to the certificate of the RN.
Step 1003: The RN receives a non-access stratum message sent by the MME that carries the certificate of the MME and the DH parameter of the MME, and authenticates the MME according to the certificate of the MME.
Step 1004: If the RN and the MME authenticate each other successfully, the shared key is calculated from the DH parameter of the RN and the DH parameter of the MME. The MME likewise calculates the shared key from the DH parameter of the RN and the DH parameter of the MME.
Step 1005: Based on the shared key, the RN performs NAS SMC with the MME and AS SMC with the DeNB, establishing the radio bearer between the RN and the DeNB.
The NAS SMC procedure is performed with the non-access stratum key calculated from the shared key, and the AS SMC procedure between the RN and the DeNB is performed with the access stratum key calculated from the shared key. This is similar to the procedure by which a UE accesses a conventional LTE network: the RN completes RN network access authentication and security mode establishment in the same way as a UE in conventional LTE, and the details are not repeated here.
In the wireless node network access method provided in this embodiment, the messages exchanged between the RN and the MME integrated with the HSS carry certificates, so that the RN and the MME authenticate each other; the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network, and finally the radio bearer between the RN and the DeNB is established. This implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 11 is a signaling flowchart of a seventh embodiment of a wireless node network access method according to the present invention. This embodiment is the specific signaling flow of the sixth embodiment above, with the HSS and the MME integrated on the same entity. As shown in FIG. 11, the method includes the following steps:
Step 1101: The RN sends an RRC connection setup request message to the DeNB.
Step 1102: The DeNB sends an RRC connection setup message to the RN.
Step 1103: The RN replies to the DeNB with an RRC connection setup complete message.
Step 1104: The RN sends a NAS attach request message to the MME integrated with the HSS; the NAS attach request message carries the certificate of the RN and the DH parameter of the RN.
Step 1105: The MME sends an IMSI request message to the RN; the IMSI request message carries the certificate of the MME, the DH parameter of the MME and the AUTH parameter used for authentication.
In step 1105, the HSS integrated on the MME may also allocate an IMSI to the RN. If one is allocated, the IMSI is carried in the IMSI request message and sent to the RN together with the other parameters, and is used to uniquely identify the RN.
Step 1106: After receiving the certificate of the MME, the RN completes authentication of the MME, and then sends the AUTN parameter used for authentication to the MME in an IMSI response message, so that the MME performs certificate-based authentication of the RN according to the certificate of the RN sent in step 1104.
Step 1107: The two authenticating parties, the RN and the MME, each locally calculate the shared key K1 from the DH parameter of the RN and the DH parameter of the MME, where K1 = KDF(K_DH).
The subsequent security procedure between the RN and the MME is completed based on the shared key K1; two specific schemes are possible:
A) Use the shared key K1 as the base key K for AKA authentication:
Step 1108a: The MME integrated with the HSS function calculates an authentication vector from the base key K; the authentication vector may include {RAND, XRES, KASME, AUTN}.
B) Use the shared key K1 as the root key KASME:
Step 1108b: The MME integrated with the HSS function obtains from the HSS an authentication vector that includes the root key KASME; the authentication vector may include {RAND, XRES, KASME, AUTN}.
Step 1109: After obtaining the authentication vector, the MME sends an authentication request to the RN, carrying the AUTN and XRES used for authentication and the RAND needed for key calculation.
Step 1110: The MME receives the authentication response carrying the RES that the RN returns after its calculation, and verifies the RES in the authentication response to complete AKA authentication between the RN and the MME.
Step 1111: The NAS encryption algorithm between the RN and the MME is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a conventional LTE network.
Step 1112: The MME sends an initial context setup message for the RN to the DeNB; the initial context setup message carries the AS key calculated during the AKA authentication procedure between the RN and the MME.
Step 1113: The AS confidentiality algorithm between the DeNB and the RN is negotiated through SMC; this SMC procedure is the same as the prior-art SMC procedure used when a UE accesses a conventional LTE network.
Step 1114: The radio bearer establishment procedure between the RN and the DeNB is performed, at which point RN network access authentication is complete.
Because the length of the attach request message or the IMSI request message is limited, in steps 1104 and 1105 the certificate of the RN and/or the certificate of the MME may be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. In that case the entity receiving the message first has to complete an exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then performs certificate-based authentication of the peer.
The wireless node network access method provided in this embodiment describes in detail the signaling flow of certificate authentication between the RN and the MME integrated with the HSS. Like the sixth embodiment of the wireless node network access method above, it implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 12 is a schematic structural diagram of a third embodiment of a relay node according to the present invention. As shown in FIG. 12, the relay node includes a connection establishment module 121, a sending module 122, a receiving and authentication module 123, a calculation module 124 and a bearer establishment module 125. The connection establishment module 121 is configured to complete radio resource control connection establishment between the relay node and the donor base station. The sending module 122 is configured to send an attach request message carrying the certificate of the relay node and the Diffie-Hellman parameter of the relay node to the mobility management entity integrated with the home subscriber server, so that the mobility management entity authenticates the relay node according to the certificate of the relay node. The receiving and authentication module 123 is configured to receive a non-access stratum message sent by the mobility management entity that carries the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity, and to authenticate the mobility management entity according to the certificate of the mobility management entity. The calculation module 124 is configured to calculate the shared key from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity received by the receiving and authentication module 123, if the relay node and the mobility management entity authenticate each other successfully. The bearer establishment module 125 is configured to perform non-access stratum security mode control with the mobility management entity and access stratum security mode control with the donor base station based on the shared key calculated by the calculation module 124, establishing the radio bearer with the donor base station.
The relay node provided in this embodiment implements the wireless node network access method; see the foregoing method embodiment for details. The messages exchanged between the RN and the MME integrated with the HSS carry certificates, so that the RN and the MME authenticate each other; the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network, and finally the radio bearer between the RN and the DeNB is established. This implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 13 is a schematic structural diagram of a third embodiment of a wireless node network access system according to the present invention. As shown in FIG. 13, the system includes a mobility management entity 131 integrated with a home subscriber server, a donor base station 132 and a relay node 133. The relay node 133 is as described in the third embodiment of the relay node above and is not described again here. The mobility management entity 131 integrated with the home subscriber server is configured to receive the certificate of the relay node and the Diffie-Hellman parameter of the relay node sent by the relay node 133, to send the certificate of the mobility management entity and the Diffie-Hellman parameter of the mobility management entity to the relay node 133, to calculate the shared key from the Diffie-Hellman parameter of the relay node and the Diffie-Hellman parameter of the mobility management entity, and to perform non-access stratum security mode control with the relay node 133 using the non-access stratum key calculated from the shared key. The donor base station 132 is configured to obtain the access stratum key calculated by the mobility management entity integrated with the home subscriber server based on the shared key, and to perform access stratum security mode control with the relay node 133 according to that access stratum key.
The wireless node network access system provided in this embodiment implements the wireless node network access method; see the foregoing method embodiment for details. The messages exchanged between the RN and the MME integrated with the HSS carry certificates, so that the RN and the MME authenticate each other; the DH parameters exchanged between the RN and the MME are used to calculate a shared key similar to the one carried in the USIM card when a UE accesses the network, and finally the radio bearer between the RN and the DeNB is established. This implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 14 is a schematic flowchart of an eighth embodiment of a wireless node network access method according to the present invention. As shown in FIG. 14, the method includes the following steps:
Step 1401: During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, the certificate of the RN and the DH parameter of the RN are sent to the DeNB, so that the DeNB authenticates the RN according to the certificate of the RN.
Step 1402: The certificate of the DeNB and the DH parameter of the DeNB sent by the DeNB are received, and the DeNB is authenticated according to the certificate of the DeNB. In steps 1401 and 1402, the RN and the DeNB each send their own certificate to the peer, so that certificate authentication between the RN and the DeNB is achieved.
Step 1403: If the RN and the DeNB authenticate each other successfully, the authentication key AK is calculated from the DH parameter of the RN and the DH parameter of the DeNB.
The DeNB likewise calculates the authentication key AK from the DH parameter of the RN and the DH parameter of the DeNB.
Step 1404: The authentication key AK is used as the temporary key KeNB shared by the RN and the DeNB, and AS SMC is performed with the DeNB based on that temporary key KeNB.
In the wireless node network access method provided in this embodiment, the messages exchanged between the RN and the DeNB during RRC connection establishment and/or radio bearer establishment carry certificates, so that the RN and the DeNB authenticate each other; the DH parameters exchanged between the RN and the DeNB are used to calculate a temporary key KeNB similar to the one calculated when a UE accesses the network, and finally the radio bearer between the RN and the DeNB is established. This implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 15 is a signaling flowchart of a ninth embodiment of a wireless node network access method according to the present invention. In this embodiment, the RN and the DeNB do not need to exchange signaling with the HSS to calculate the base key K; only certificate authentication between the RN and the DeNB and calculation of the temporary key KeNB between the RN and the DeNB are required, and the generated temporary key KeNB is used to protect AS messages between the RN and the DeNB. As shown in FIG. 15, the method includes the following steps:
Step 1501: The RN sends an RRC connection setup request message to the DeNB to which it belongs; the RRC connection setup request message carries the certificate of the RN, a random number (nonce) 1, the DH parameter of the RN, the AUTH parameter and similar information, so that the DeNB authenticates the RN according to the certificate of the RN. The random number ensures that the shared key calculated subsequently is different every time.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC connection setup request message in step 1501 carries a certificate identifier instead of the certificate itself, the method further includes step 1501': the RN has to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Certificate-based authentication of the peer is then performed.
Step 1502: The DeNB replies to the RN with an RRC connection setup message; the RRC connection setup message carries the certificate of the DeNB, a random number (nonce) 2, the DH parameter of the DeNB, the AUTH parameter and similar information, so that the RN authenticates the DeNB according to the certificate of the DeNB.
The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC connection setup message in step 1502 carries a certificate identifier instead of the certificate itself, the method further includes step 1502': the DeNB has to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Certificate-based authentication of the peer is then performed.
Step 1503: The RN and the DeNB each locally calculate the authentication key AK from the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of steps 1501 and 1502, use that authentication key AK as the temporary key KeNB, and from it calculate the encryption key and integrity protection key for AS signaling and similar keys.
Here AK = KDF(K_DH).
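To make the key derivation of step 1107 (K1 = KDF(K_DH)) and of steps 1503 and 1504 (AK = KDF(K_DH), AK reused as KeNB, then the AS keys) concrete, the following Python model of the RN/DeNB exchange is added here; it is not code from the patent. The toy DH group, the use of HKDF-SHA256 as the KDF, the nonce ordering and the key labels are this example's assumptions, and certificate and AUTH handling is omitted.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (Mersenne prime 2**127 - 1, generator 3): far too small
# for real use; chosen only so the modular arithmetic runs instantly in pure Python.
P = (1 << 127) - 1
G = 3


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256, standing in for the unspecified KDF()."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One endpoint of the exchange: the RN (sends nonce 1) or the DeNB (sends nonce 2)."""

    def __init__(self, name: str, is_rn: bool):
        self.name = name
        self.is_rn = is_rn
        self.nonce = secrets.token_bytes(16)        # nonce 1 / nonce 2 in the flow
        self._priv = secrets.randbelow(P - 3) + 2   # private DH exponent, never sent
        self.dh_param = pow(G, self._priv, P)       # the "DH parameter" carried in the RRC message

    def message(self) -> dict:
        """Fields this party puts in its RRC message (certificate and AUTH omitted here)."""
        return {"name": self.name, "nonce": self.nonce, "dh": self.dh_param}

    def derive_keys(self, peer_msg: dict) -> dict:
        """Steps 1503/1504: K_DH -> AK = KDF(K_DH) -> KeNB -> AS signalling keys."""
        k_dh = pow(peer_msg["dh"], self._priv, P).to_bytes(16, "big")
        # nonce 1 always comes from the RN and nonce 2 from the DeNB, so both sides
        # concatenate them in the same order (this ordering is an assumption of the example).
        nonces = (self.nonce + peer_msg["nonce"]) if self.is_rn else (peer_msg["nonce"] + self.nonce)
        ak = hkdf_sha256(k_dh, salt=nonces, info=b"AK")   # AK = KDF(K_DH); the nonces keep it fresh
        kenb = ak                                           # AK reused as the temporary key KeNB
        return {
            "AK": ak,
            "KeNB": kenb,
            "K_RRCenc": hkdf_sha256(kenb, b"", b"RRC-enc"),  # AS encryption key
            "K_RRCint": hkdf_sha256(kenb, b"", b"RRC-int"),  # AS integrity protection key
        }


def as_smc_mac(keys: dict, command: bytes) -> bytes:
    """Integrity tag over an AS SMC command using K_RRCint (AS protection, step 1507)."""
    return hmac.new(keys["K_RRCint"], command, hashlib.sha256).digest()


def run_exchange():
    """Run one RN <-> DeNB exchange and return (rn_keys, denb_keys)."""
    rn = Party("RN", is_rn=True)
    denb = Party("DeNB", is_rn=False)
    msg_1501 = rn.message()     # RRC connection setup request: nonce 1, RN DH parameter
    msg_1502 = denb.message()   # RRC connection setup: nonce 2, DeNB DH parameter
    return rn.derive_keys(msg_1502), denb.derive_keys(msg_1501)


def keys_match(rn_keys: dict, denb_keys: dict) -> bool:
    """True when both sides derived identical AK, KeNB and AS keys."""
    return all(hmac.compare_digest(rn_keys[k], denb_keys[k]) for k in rn_keys)


if __name__ == "__main__":
    rn_keys, denb_keys = run_exchange()
    print("AS keys agree:", keys_match(rn_keys, denb_keys))
    cmd = b"AS SecurityModeCommand: EEA2/EIA2"   # constructed sample command
    print("SMC tag verifies:", hmac.compare_digest(as_smc_mac(denb_keys, cmd), as_smc_mac(rn_keys, cmd)))
```

Because the nonces enter the KDF, two runs with the same long-term material still yield different AK values, which is the freshness property step 1501 describes; a DH parameter altered in transit yields mismatched keys on the two sides, which is why the certificate-bound AUTH parameter must cover it.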
Step 1504: The RN sends an RRC connection setup complete message to the DeNB to which it belongs, carrying the NAS attach request message.
Step 1505: The DeNB to which the RN belongs forwards the NAS attach request message to the MME.
Step 1506: The MME sends an initial context setup message for the RN to the DeNB.
Step 1507: The AS SMC procedure is performed between the DeNB to which the RN belongs and the RN, completing negotiation of the AS algorithms between the DeNB and the RN and activating AS protection.
Step 1508: The radio bearer establishment procedure between the RN and the DeNB is performed, at which point RN network access authentication is complete.
This embodiment implements only certificate authentication and AS security protection between the RN and the DeNB to which it belongs; it does not address the NAS protection method.
The wireless node network access method provided in this embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB. Like the eighth embodiment of the wireless node network access method above, it implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 16 is a signaling flowchart of a tenth embodiment of a wireless node network access method according to the present invention. As shown in FIG. 16, the method includes the following steps:
Step 1601: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
Step 1602: The DeNB to which the RN belongs replies to the RN with an RRC connection setup message, completing the connection establishment procedure of the random access channel.
Step 1603: The RN sends an RRC connection setup complete message to the DeNB to which it belongs, carrying the NAS attach request message.
Step 1604: The DeNB to which the RN belongs encapsulates the NAS attach request message in an S1-AP message and passes it to the MME.
Step 1605: The MME sends the Serving Gateway (S-GW) address, the S1-TEID, the bearer quality of service (Bearer QoS), the security context and similar information to the DeNB to which the RN belongs in an S1-AP message, activating the radio bearers and S1 bearers for all active Evolved Packet System (EPS) bearers.
Step 1606: The DeNB to which the RN belongs sends its own DeNB certificate to the RN in an RRC radio bearer setup message, and the RN authenticates the DeNB; the RRC radio bearer setup message may also carry a random number (nonce) 1, the DH parameter of the DeNB and the AUTH parameter.
The certificate of the DeNB may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC radio bearer setup message in step 1606 carries a certificate identifier instead of the certificate itself, the method further includes step 1606': the DeNB has to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Certificate-based authentication of the peer is then performed.
Step 1607: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN; the RRC radio bearer setup complete message contains the certificate of the RN, a random number (nonce) 2, the DH parameter of the RN and the AUTH parameter, so that the DeNB authenticates the RN according to the certificate of the RN and radio bearer establishment is completed.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC radio bearer setup complete message in step 1607 carries a certificate identifier instead of the certificate itself, the method further includes step 1607': the RN has to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Certificate-based authentication of the peer is then performed.
Step 1608: The RN and the DeNB each locally calculate the authentication key AK from the DH parameter of the RN and the DH parameter of the DeNB carried in the two messages of steps 1606 and 1607, use that authentication key AK as the temporary key KeNB, and from it calculate the encryption key and integrity protection key for AS signaling and similar keys.
Step 1609: The AS SMC procedure is performed between the DeNB to which the RN belongs and the RN, completing negotiation of the AS algorithms between the DeNB and the RN and activating AS protection.
The wireless node network access method in this embodiment performs certificate-based authentication at the time of radio bearer establishment, which requires modifying the air interface protocol. Alternatively, the certificate authentication procedure may omit sending the certificate of the DeNB in step 1606 and instead carry it in the downlink message from the DeNB to the RN within the exchange of step 1609, thereby authenticating the DeNB.
In this embodiment, if authentication between the RN and the DeNB fails, the DeNB is triggered to initiate an RRC connection release procedure, or the DeNB is triggered to instruct the MME to initiate a detach procedure for the RN, thereby releasing the radio bearer connection between the RN and the DeNB.
The wireless node network access method provided in this embodiment describes in detail the signaling flow of certificate authentication between the RN and the DeNB. Like the eighth embodiment of the wireless node network access method above, it implements a certificate-based authentication method for RN network access and makes RN access on the network side more secure.
FIG. 17 is a signaling flowchart of an eleventh embodiment of a wireless node network access method according to the present invention. As shown in FIG. 17, the method includes the following steps:
Step 1701: The RN sends an RRC connection setup request message to the DeNB to which it belongs.
Step 1702: The DeNB to which the RN belongs replies to the RN with an RRC connection setup message, completing the connection establishment procedure of the random access channel.
Step 1703: The RN sends an RRC connection setup complete message to the DeNB to which it belongs; the RRC connection setup complete message carries the certificate of the RN, which the DeNB to which the RN belongs uses to authenticate the RN. The RRC connection setup complete message also carries a random number (nonce) 1, the DH parameter of the RN and the AUTH parameter, as well as the NAS attach request message.
The certificate of the RN may also be replaced by a certificate identifier with a shorter bit length rather than the certificate itself. When the RRC connection setup complete message in step 1703 carries a certificate identifier instead of the certificate itself, the method further includes step 1703': the RN has to complete a message exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier. Certificate-based authentication of the peer is then performed.
步骤 1704、 RN所属的 DeNB将该 NAS附着请求消息封装在 S1-AP消息 中传给 MME。 Step 1704: The DeNB to which the RN belongs encapsulates the NAS attach request message in an S1-AP message and transmits the message to the MME.
步骤 1705、 MME通过 S1-AP消息将服务网关 (Serving Gateway, 简称 S-GW )地址、 S1-TEID、 承载服务质量(Bear QoS )、 安全上下文等消息发给 RN所属的 DeNB,激活用于所有激活的演进分组系统( Evolved Packet System , 简称 EPS ) 的无线承载和 SI承载。 Step 1705: The MME sends a message such as a serving gateway (S-GW) address, an S1-TEID, a bearer QoS, a security context, and the like to the DeNB to which the RN belongs, by using an S1-AP message, and is activated for all The radio bearer and SI bearer of the activated Evolved Packet System (EPS).
步骤 1706、 RN所属的 DeNB将自己的 DeNB的证书通过 RRC无线承载 建立消息发给 RN, 由 RN对该 DeNB进行认证, 该 RRC无线承载建立消息 中还可以携带有随机数 ( nonce ) 2、 DeNB的 DH参数以及 AUTH参数。 Step 1706: The DeNB to which the RN belongs sends the RRC radio bearer setup message to the RN, and the RN authenticates the DeNB. The RRC radio bearer setup message may also carry a random number (nonce). DH parameters and AUTH parameters.
DeNB的证书也可以考虑用一个位长更短的证书标识来替代,而不是证书 本身。 当上述步骤 1706中 RRC无线承载建立消息中携带的是证书标识而不 是证书本身, 那么, 还包括: 步骤 1706,、 DeNB需要完成和 RA/CA的消息 交互, 来获得证书标识所指示的证书的内容。 然后, 进行对端的基于证书的 内容的认证。 The DeNB's certificate can also be considered instead of a certificate with a shorter bit length than the certificate itself. When the RRC radio bearer setup message carries the certificate identifier instead of the certificate itself, the method further includes: Step 1706: The DeNB needs to complete the message interaction with the RA/CA to obtain the certificate indicated by the certificate identifier. content. Then, the authentication of the peer-based certificate-based content is performed.
步骤 1707、 RN和 DeNB根据步骤 1703和步骤 1706中的两条消息里的 RN的 DH参数和 DeNB的 DH参数, 分别在本地计算生成认证密钥 AK, 并 以该认证密钥 AK作为临时密钥 KeNB, 计算 AS信令的加密密钥和完整性保 护密钥等。 Step 1707: The RN and the DeNB respectively calculate and generate an authentication key AK according to the DH parameter of the RN and the DH parameter of the DeNB in the two messages in step 1703 and step 1706, and The authentication key AK is used as the temporary key KeNB, and the encryption key and integrity protection key of the AS signaling are calculated.
通过步骤 1703和步骤 1706中的两条消息的交互,完成 RN入网时基于证 书的认证。 Through the interaction of the two messages in step 1703 and step 1706, the authentication based on the certificate when the RN enters the network is completed.
步骤 1708、 RN所属的 DeNB接收 RN发送的 RRC 无线承载建立完成消 息, 完成 RN和 DeNB之间的无线 载的建立。 Step 1708: The DeNB to which the RN belongs receives the RRC radio bearer setup complete message sent by the RN, and completes the establishment of the radio bearer between the RN and the DeNB.
步骤 1709、 RN所属的 DeNB和 RN之间进行 AS SMC过程, 完成 DeNB 与 RN之间的 AS算法的协商, 并激活 AS保护。 Step 1709: The AS SMC process is performed between the DeNB and the RN to which the RN belongs, and the AS algorithm negotiation between the DeNB and the RN is completed, and the AS protection is activated.
本实施例提供的无线节点入网方法, 详细描述了 RN和 DeNB之间的证 书认证的信令流程, 与上述无线节点入网方法第八实施例类似, 同样可以实 现 RN入网时基于证书的认证方法 , 且使得网络侧 RN入网更加安全。 The method for the network access of the wireless node provided in this embodiment describes the signaling procedure of the certificate authentication between the RN and the DeNB in detail. Similar to the eighth embodiment of the method for accessing the wireless node, the method for authenticating the certificate when the RN enters the network is also implemented. Moreover, the network side RN is more secure.
FIG. 18 is a schematic structural diagram of a fourth embodiment of a relay node according to the present invention. As shown in FIG. 18, the relay node includes a sending module 181, a receiving authentication module 182, a calculation module 183 and a bearer establishment module 184. The sending module 181 is configured to send, during radio resource control connection establishment and/or radio bearer establishment between the relay node and the donor base station, the relay node's certificate and the relay node's Diffie-Hellman parameter to the donor base station, so that the donor base station authenticates the relay node according to the relay node's certificate. The receiving authentication module 182 is configured to receive the donor base station's certificate and the donor base station's Diffie-Hellman parameter sent by the donor base station, and to authenticate the donor base station according to the donor base station's certificate. The calculation module 183 is configured, if the relay node and the donor base station are authenticated successfully, to calculate the authentication key AK from the relay node's Diffie-Hellman parameter and the donor base station's Diffie-Hellman parameter received by the receiving module 182. The bearer establishment module 184 is configured to use the authentication key AK calculated by the calculation module 183 as the temporary key KeNB shared by the relay node and the donor base station, and to perform access stratum security mode control with the donor base station based on the temporary key KeNB. In addition, the mobility management entity also exchanges information with the relay node through the donor base station.
For the relay node provided in this embodiment, the specific implementation of the wireless node network access method is described in the method embodiments above. During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, the messages exchanged between the RN and the DeNB carry certificates, authentication between the RN and the DeNB is performed, and from the DH parameters exchanged between the RN and the DeNB a temporary key KeNB is computed, analogous to the one computed when a UE accesses the network; radio bearer establishment between the RN and the DeNB is then completed. This implements certificate-based authentication when the RN accesses the network and makes RN access on the network side more secure.
FIG. 19 is a schematic structural diagram of a fourth embodiment of a wireless node network access system according to the present invention. As shown in FIG. 19, it includes a mobility management entity 191, a donor base station 192 and a relay node 193. The relay node 193 is as described in the fourth relay node embodiment above and is not described again here. The mobility management entity 191 exchanges information with the relay node 193 through the donor base station 192. The donor base station 192 is configured to receive the relay node's certificate and the relay node's Diffie-Hellman parameter sent by the relay node 193, and to send the donor base station's certificate and the donor base station's Diffie-Hellman parameter to the relay node 193; to calculate the authentication key AK from the relay node's Diffie-Hellman parameter and the donor base station's Diffie-Hellman parameter; and to use the authentication key AK as the temporary key KeNB shared by the relay node and the donor base station and perform access stratum security mode control with the relay node 193 according to the temporary key KeNB.
For the wireless node network access system provided in this embodiment, the specific implementation of the wireless node network access method is described in the method embodiments above. During RRC connection establishment and/or radio bearer establishment between the RN and the DeNB, the messages exchanged between the RN and the DeNB carry certificates, authentication between the RN and the DeNB is performed, and from the DH parameters exchanged between the RN and the DeNB a temporary key KeNB is computed, analogous to the one computed when a UE accesses the network; radio bearer establishment between the RN and the DeNB is then completed. This implements certificate-based authentication when the RN accesses the network and makes RN access on the network side more secure.
FIG. 20 is a schematic flowchart of a twelfth embodiment of the wireless node network access method of the present invention. The authentication procedure of this embodiment is based on authentication with a USIM card in the RN, the RN being similar to an attached UE. The RN first completes the radio bearer establishment procedure using its USIM card and establishes user-plane/signalling-plane IP connectivity, then starts a certificate-based authentication procedure using the IP-layer Internet Key Exchange protocol version 2 (IKEv2) to establish an IPSec connection between the RN and its attached DeNB, completing the RN network access procedure. As shown in FIG. 20, after the RN network access procedure is completed, the following steps are further included:
Step 2001: The RN sends an IKE Security Association initial negotiation (IKE_SA_INIT) request message to the DeNB, containing the parameters {HDR, SAi1, KEi, Ni}.
The message header HDR includes the Security Parameter Indexes (SPIs), the version number and the required flags; SAi1 contains the encryption algorithms the initiator supports for establishing the IKE security association; KEi is the initiator's DH parameter; Ni is the initiator's nonce payload.
Step 2002: The DeNB replies to the RN with an IKE_SA_INIT response message containing the parameters {HDR, SAr1, KEr, Nr, [CERTREQ]}.
The DeNB places the selected algorithm in SAr1. Through the IKE_SA_INIT request/response exchange, the initiator and the responder negotiate the required encryption and authentication algorithms, and by exchanging Ni/Nr and KEi/KEr they complete the DH exchange, so that both sides can compute a shared key; this key is used to protect the subsequent data and to generate the keys needed for the IPsec security association. [CERTREQ] is the certificate request indication.
Step 2003: The RN sends an IKE_AUTH request message to the DeNB to which it belongs, containing the parameters {HDR, SK, AUTH, SAi2, TSi, TSr, CFG_REQUEST}.
The parameters carried have the following meanings: HDR contains the SPIs, the version number and the required flags; SAi contains the encryption algorithms the initiator supports for establishing the IKE security association; SK indicates that the message is protected; AUTH proves knowledge of the secret associated with the ID and at the same time integrity-protects the previous and current packets; SAi2 carries the list of cryptographic algorithms for the IPsec security association; TSi/TSr indicate the traffic flows protected by the IPsec security association; CFG_REQUEST requests a certificate from the DeNB to which the RN is attached, for authentication.
Step 2004: The DeNB to which the RN belongs sends an IKE_AUTH response message to the RN, containing the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload, CFG_REQUEST}. It sends the certificate of the DeNB to which the RN belongs to the RN, so that the RN completes authentication of its DeNB, and requests the RN's certificate for authentication.
Step 2005: The RN sends an IKE_AUTH response message to the DeNB to which it belongs, containing the parameters {HDR, SK, AUTH, SAr2, TSi, TSr, [CERT], Config Payload}, which carries the RN's certificate to the DeNB to which the RN belongs, so that this DeNB completes authentication of the RN.
Likewise, because of message length limits, in steps 2004 and 2005 the RN's certificate and the DeNB's certificate may be replaced by a certificate identifier of shorter bit length rather than the certificate itself; the entity receiving the message then first completes an exchange with the RA/CA to obtain the content of the certificate indicated by the certificate identifier, and then authenticates the peer on the basis of the certificate content.
It should be noted that, to overcome the low security of a removable USIM card, after the RN has completed network access authentication with the USIM card and established the IPSec connection between the RN and its attached DeNB, the certificate authentication procedure described in the steps above still has to be performed. On the network-side node performing certificate authentication (DeNB/MME), if the RN's certificate authentication fails, the radio connection/IPSec connection over the Un interface between the RN and the DeNB/MME must be released, or the MME initiates a Detach procedure to deregister the RN. Only when the RN's certificate authentication succeeds may the RN act as a network node and activate the bearer function of the Un interface; otherwise no UE can access the network through the RN.
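The certificate-and-DH exchange of steps 1703 to 1707, together with the accept/reject rule just described (a failed certificate check releases the connection; only success activates the bearer function), as an added worked example that is not code from the patent. It assumes toy RSA over Mersenne primes in place of the RN, DeNB and RA/CA key pairs, a constructed DH group, HMAC-SHA256 in place of the 3GPP KDF, and that the AUTH parameter is a signature over the exchanged nonces and DH parameters; as in steps 2004/2005, the receiver of a certificate identifier resolves it through the RA/CA directory.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (Mersenne prime modulus, small generator); a deployment
# would use a standards-defined group. It only serves to demonstrate the flow.
DH_P = (1 << 127) - 1
DH_G = 3

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class ToyRSA:
    """Textbook RSA over fixed toy primes; signs the SHA-256 digest reduced mod n."""
    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self.public = (self.n, self.e)
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        return pow(_h(data) % self.n, self.d, self.n)

    @staticmethod
    def verify(public, data: bytes, sig: int) -> bool:
        n, e = public
        return pow(sig, e, n) == _h(data) % n

def _tbs(subject: str, public) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_cert(ca: ToyRSA, subject: str, public) -> dict:
    """The RA/CA binds a subject to its public key; 'id' is the short certificate identifier."""
    tbs = _tbs(subject, public)
    return {"subject": subject, "public": public, "sig": ca.sign(tbs),
            "id": hashlib.sha256(tbs).hexdigest()[:16]}

def verify_cert(cert: dict, ca_public) -> bool:
    return ToyRSA.verify(ca_public, _tbs(cert["subject"], cert["public"]), cert["sig"])

class Node:
    """An RN or DeNB: key pair, certificate published to the RA/CA directory, DH key, nonce."""
    def __init__(self, name: str, key: ToyRSA, ca: ToyRSA, directory: dict):
        self.name, self.key = name, key
        self.cert = issue_cert(ca, name, key.public)
        directory[self.cert["id"]] = self.cert
        self.dh_priv = secrets.randbelow(DH_P - 2) + 1
        self.dh_pub = pow(DH_G, self.dh_priv, DH_P)
        self.nonce = secrets.token_bytes(16)

    def message(self, transcript: bytes, by_id: bool) -> dict:
        """Certificate (or only its identifier), nonce, DH parameter and AUTH over the transcript."""
        msg = {"dh": self.dh_pub, "nonce": self.nonce, "transcript": transcript,
               "auth": self.key.sign(transcript)}
        msg["cert_id" if by_id else "cert"] = self.cert["id"] if by_id else self.cert
        return msg

def authenticate_peer(msg: dict, ca_public, directory: dict):
    """Receiver side of steps 1703/1706: resolve a certificate identifier through the RA/CA
    directory (steps 1703'/1706'), check the certificate against the CA, then check AUTH."""
    cert = msg.get("cert") or directory.get(msg.get("cert_id"))
    if cert is None or not verify_cert(cert, ca_public):
        return None
    if not ToyRSA.verify(cert["public"], msg["transcript"], msg["auth"]):
        return None
    return cert

def derive_as_keys(dh_priv: int, peer_dh_pub: int, nonce1: bytes, nonce2: bytes):
    """Step 1707: AK from the DH secret and both nonces, AK used as KeNB, AS keys from KeNB."""
    shared = pow(peer_dh_pub, dh_priv, DH_P).to_bytes(16, "big")
    kenb = hmac.new(nonce1 + nonce2, shared, hashlib.sha256).digest()  # AK == KeNB
    k_enc = hmac.new(kenb, b"AS-enc", hashlib.sha256).digest()[:16]   # simplified KDF
    k_int = hmac.new(kenb, b"AS-int", hashlib.sha256).digest()[:16]
    return kenb, k_enc, k_int

def run_access(rn: Node, denb: Node, ca_public, directory: dict, by_id: bool = False):
    """Whole exchange. Returns (rn_keys, denb_keys) on success, None when either certificate
    check fails: the Un connection is then released and no bearer function is activated."""
    m1 = rn.message(rn.nonce + str(rn.dh_pub).encode(), by_id)                # step 1703
    if authenticate_peer(m1, ca_public, directory) is None:
        return None
    t2 = m1["nonce"] + denb.nonce + str(m1["dh"]).encode() + str(denb.dh_pub).encode()
    m2 = denb.message(t2, by_id)                                              # step 1706
    if authenticate_peer(m2, ca_public, directory) is None:
        return None
    rn_keys = derive_as_keys(rn.dh_priv, m2["dh"], m1["nonce"], m2["nonce"])  # step 1707
    denb_keys = derive_as_keys(denb.dh_priv, m1["dh"], m1["nonce"], m2["nonce"])
    return rn_keys, denb_keys

def make_demo():
    """Constructed fixture: a CA, an RN and a DeNB it certified, and an RN certified by a rogue CA."""
    def m(k): return (1 << k) - 1  # Mersenne primes as toy RSA factors
    ca, rogue = ToyRSA(m(61), m(89)), ToyRSA(m(107), m(127))
    directory = {}
    rn = Node("RN", ToyRSA(m(521), m(607)), ca, directory)
    denb = Node("DeNB", ToyRSA(m(1279), m(2203)), ca, directory)
    rogue_rn = Node("RN", ToyRSA(m(2281), m(3217)), rogue, directory)
    return ca, directory, rn, denb, rogue_rn
```

`run_access(rn, denb, ca.public, directory, by_id=True)` exercises the identifier path; with `rogue_rn` in place of `rn` it returns None, the case in which the network side must release the Un connection.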
FIG. 21 is a schematic structural diagram of a fifth embodiment of a relay node according to the present invention. As shown in FIG. 21, the relay node includes a parameter exchange module 2101, a first sending module 2102, a receiving authentication module 2103 and a second sending module 2104. The parameter exchange module 2101 is configured, after radio resource control connection establishment and radio bearer establishment between the relay node and the donor base station have been completed, to send an Internet Key Exchange security association initial negotiation request message to the donor base station and to receive the Internet Key Exchange security association initial negotiation response message replied by the donor base station, so as to exchange the relay node's Diffie-Hellman parameter and the donor base station's Diffie-Hellman parameter, the Diffie-Hellman parameters being used to negotiate the security association between the relay node and the donor base station. The first sending module 2102 is configured to send an Internet Key Exchange authentication request message to the donor base station, which carries information requesting the donor base station's certificate. The receiving authentication module 2103 is configured to receive the Internet Key Exchange authentication response message returned by the donor base station carrying the donor base station's certificate, and to authenticate the donor base station according to that certificate; the Internet Key Exchange authentication response message also carries information requesting the relay node's certificate. The second sending module 2104 is configured to send an Internet Key Exchange authentication response message carrying the relay node's certificate to the donor base station, so that the donor base station authenticates the relay node according to the relay node's certificate.
For the relay node provided in this embodiment, the specific implementation of the wireless node network access method is described in the twelfth method embodiment above; it implements certificate-based authentication when the RN accesses the network and makes RN access on the network side more secure.
FIG. 22 is a schematic structural diagram of a fifth embodiment of a wireless node network access system according to the present invention. As shown in FIG. 22, the wireless node network access system includes a donor base station 2201 and a relay node 2202 as described in the fifth relay node embodiment above. The donor base station 2201 is configured to receive the Internet Key Exchange security association initial negotiation request message sent by the relay node 2202 and to return the Internet Key Exchange security association initial negotiation response message to the relay node 2202, so as to exchange the relay node 2202's Diffie-Hellman parameter and the donor base station 2201's Diffie-Hellman parameter, the Diffie-Hellman parameters being used to negotiate the security association between the relay node 2202 and the donor base station 2201; to receive the Internet Key Exchange authentication request message sent by the relay node 2202, which carries information requesting the donor base station 2201's certificate, and to return to the relay node 2202 the Internet Key Exchange authentication response message carrying the donor base station 2201's certificate, which also carries information requesting the relay node 2202's certificate; and to receive the Internet Key Exchange authentication response message sent by the relay node 2202 carrying the relay node 2202's certificate, and to authenticate the relay node 2202 according to that certificate.
For the wireless node network access system provided in this embodiment, the specific implementation of the wireless node network access method is described in the twelfth method embodiment above; it implements certificate-based authentication when the RN accesses the network and makes RN access on the network side more secure.
A person of ordinary skill in the art will understand that all or part of the procedures of the above method embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010111422.8A CN102158860B (en) | 2010-02-12 | 2010-02-12 | Radio node network-accessing method and system as well as relay node |
| CN201010111422.8 | 2010-02-12 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2011098048A1 (en) | 2011-08-18 |
Family
ID=44367290
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2011/070948 (WO2011098048A1, ceased) | Radio node accessing network method, system and relay node | 2010-02-12 | 2011-02-12 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102158860B (en) |
| WO (1) | WO2011098048A1 (en) |
Events
- 2010-02-12: CN application CN201010111422.8A, patent CN102158860B, not active (Expired - Fee Related)
- 2011-02-12: WO application PCT/CN2011/070948, publication WO2011098048A1, not active (Ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| CN102158860A (en) | 2011-08-17 |
| CN102158860B (en) | 2014-05-21 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11741919; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 11741919; Country of ref document: EP; Kind code of ref document: A1 |