
WO2012116599A1 - Security tunnel establishing method and enb - Google Patents

Security tunnel establishing method and eNB

Info

Publication number: WO2012116599A1 (also cited as WO 2012116599 A1; PCT application CN 2012071242 W)
Authority: WO, WIPO (PCT)
Prior art keywords: base station, shared key, home, core network, network device
Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: PCT/CN2012/071242
Other languages: French (fr), Chinese (zh)
Inventors: 刘晓寒, 陈璟, 周铮
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Publication of WO2012116599A1
Anticipated expiration
Current legal status: Ceased

Classifications

    • H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication) / H04L 63/00 (Network architectures or network communication protocols for network security):
    • H04L 63/02, 63/0272: separating internal from external traffic, e.g. firewalls; virtual private networks
    • H04L 63/04, 63/0428, 63/045: confidential data exchange among entities communicating through data packet networks, with the data content protected (e.g. by encrypting or encapsulating the payload), the sending and receiving entities applying hybrid encryption (a combination of symmetric and asymmetric encryption)
    • H04L 63/16, 63/164: implementing security features at a particular protocol layer; at the network layer
    • H (Electricity) / H04 (Electric communication technique) / H04W (Wireless communication networks) / H04W 12/00 (Security arrangements; authentication; protecting privacy or anonymity):
    • H04W 12/03: protecting confidentiality, e.g. by encryption
    • H04W 12/04, 12/041: key management, e.g. using generic bootstrapping architecture [GBA]; key generation or derivation
    • H04W 12/043, 12/0431: key management using a trusted network node as an anchor; key distribution or pre-distribution; key agreement
    • H04W 12/06, 12/062: authentication; pre-authentication
    • H04W 12/069: authentication using certificates or pre-shared keys

Definitions

  • This application claims priority to Chinese patent application No. 201110049584.8, filed with the Chinese Patent Office on March 1, 2011 and entitled "Secure Tunnel Establishment Method and Base Station", the entire contents of which are incorporated herein by reference.
  • The present invention relates to the field of wireless communication technologies, and in particular to a secure tunnel establishment method and a base station.
  • BACKGROUND OF THE INVENTION
  • In a scenario where many home base stations (Home NodeB / Home evolved NodeB, hereinafter H(e)NB) are deployed in an enterprise network or a campus network, handovers between H(e)NBs occur frequently.
  • The prior art therefore establishes a direct interface between H(e)NBs to support mobility enhancement between H(e)NBs without passing through the security gateway (Security Gateway, hereinafter SeGW).
  • Between macro base stations (eNBs), an IPsec tunnel can be established by means of certificate authentication to ensure the security of the direct interface between the eNBs.
  • Embodiments of the present invention provide a method for establishing a secure tunnel, and a base station, so that an Internet Protocol Security (hereinafter IPsec) tunnel can be established between a home base station and another home base station, or between a home base station and a macro base station, by using a shared key or a certificate, to ensure the security of the interface between the home base station and the other home base station, or between the home base station and the macro base station.
  • In the method for establishing a secure tunnel provided by an embodiment of the invention, the first base station obtains a root certificate for verifying the certificate of the second base station, or a shared key between the second base station and the first base station; when the first base station is a home base station, the second base station is a home base station or a macro base station; or, when the first base station is a macro base station, the second base station is a home base station;
  • the first base station then establishes an Internet Protocol security tunnel with the second base station by using the shared key or the root certificate for verifying the second base station's certificate, to ensure the security of the interface between the first base station and the second base station.
  • An embodiment of the invention further provides a first base station, including:
  • an obtaining module, configured to obtain a root certificate for verifying the certificate of the second base station, or a shared key between the second base station and the first base station;
  • an establishing module, configured to establish an Internet Protocol security tunnel with the second base station by using the shared key or the root certificate for verifying the second base station's certificate, to ensure the security of the interface between the first base station and the second base station.
  • In this way the first base station can obtain a root certificate for verifying the second base station's certificate, or a shared key between the second base station and itself, and can therefore establish an IPsec tunnel with the second base station through that shared key or root certificate, so that the security of the interface between the first base station and the second base station is ensured.
  • FIG. 1 is a flowchart of an embodiment of a method for establishing a secure tunnel according to the present invention.
  • FIG. 2 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • FIG. 3 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention
  • FIG. 4 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • FIG. 5 is a flowchart of an embodiment of a shared key update method according to the present invention.
  • FIG. 6 is a flowchart of another embodiment of a shared key update method according to the present invention.
  • FIG. 7 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • FIG. 8 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • FIG. 9 is a schematic structural diagram of an embodiment of a first base station according to the present invention.
  • FIG. 10 is a schematic structural diagram of another embodiment of a first base station according to the present invention.
  • FIG. 11 is a schematic structural diagram of another embodiment of a first base station according to the present invention.
  • FIG. 12 is a schematic structural diagram of another embodiment of a first base station according to the present invention.
  • FIG. 1 is a flowchart of an embodiment of a method for establishing a secure tunnel according to the present invention. As shown in FIG. 1, the method for establishing a secure tunnel may include:
  • Step 101: The first base station obtains a root certificate (Root Certificate) for verifying the certificate of the second base station, or a shared key (Shared Key) between the second base station and the first base station.
  • When the first base station is a home base station, the second base station may be a home base station or a macro base station; or, when the first base station is a macro base station, the second base station may be a home base station. That is, at least one of the first base station and the second base station is a home base station.
  • The macro base station may be an eNB or another type of macro base station; the home base station may be a HeNB or an HNB, which is not limited in this embodiment.
  • Step 102: The first base station establishes an IPsec tunnel with the second base station by using the shared key or the root certificate for verifying the second base station's certificate, to ensure the security of the interface between the first base station and the second base station.
  • Specifically, the first base station obtaining the root certificate or the shared key may be: the first base station receives, from a core network device, the root certificate for verifying the second base station's certificate, or the shared key generated by the core network device for the second base station and the first base station.
  • Further, the first base station may receive from the core network device an updated shared key generated by the core network device for the second base station and the first base station; or the first base station may request the core network device to update the shared key, and then receive the updated shared key generated by the core network device in response to that request.
  • In either case the IPsec tunnel is set up through Internet Key Exchange (IKE) negotiation, in which the shared key, or the certificate verified against the root certificate, authenticates the two base stations to each other.
  • When the core network device is a mobility management entity (MME) or a HeNB gateway (HeNB GW), the first base station may receive the shared key generated by the MME or the HeNB GW for the second base station and the first base station directly from the MME or the HeNB GW; or,
  • before receiving the root certificate or the shared key from the core network device, the first base station may send a base station configuration transfer (eNB Configuration Transfer) message to the MME or the HeNB GW. Receiving the root certificate or the shared key then means: the first base station receives a mobility management entity configuration transfer (MME Configuration Transfer) message sent by the MME or the HeNB GW, which carries the root certificate for verifying the second base station's certificate, or the shared key generated by the MME or the HeNB GW for the first base station and the second base station.
  • That MME Configuration Transfer message is sent as follows: after receiving the eNB Configuration Transfer message, the MME or the HeNB GW determines from the source node identifier and the target node identifier in it that the source node and/or the target node is a home evolved base station; the MME or the HeNB GW then sends the root certificate, or the shared key it generated for the first base station and the second base station, to the second base station, and sends it to the first base station after receiving the eNB Configuration Transfer message returned by the second base station.
  • When the core network device is an HNB gateway (HNB GW), the first base station may receive the shared key generated by the HNB GW for the second base station and the first base station directly from the HNB GW; or,
  • after the first base station has registered with the HNB GW, if the first base station detects the second base station and the second base station is registered with the HNB GW, the first base station may request the Internet Protocol (IP) address of the second base station from the HNB GW. Receiving the shared key then means: the first base station receives a response message from the HNB GW carrying the IP address of the second base station and the shared key generated in advance by the HNB GW for the first base station and the second base station.
  • Alternatively, the first base station may register with the HNB GW and send it the information of the neighbouring home base stations it has detected, where those neighbouring home base stations include the second base station. Receiving the shared key then means: the first base station receives from the HNB GW the information of the neighbouring home base stations available on the HNB GW, together with the shared keys generated by the HNB GW for the first base station and each of those neighbouring home base stations.
  • Further, the first base station may receive, through the home base station configuration transfer procedure, updated neighbouring home base station information sent by the HNB GW, together with the shared keys generated by the HNB GW for the first base station and the updated neighbouring home base stations.
  • For the root certificate, the first base station may send a home base station registration request message to the HNB GW before receiving the root certificate from the core network device. Receiving the root certificate then means: the first base station receives a home base station registration accept message from the HNB GW, which carries the root certificate for verifying the second base station's certificate.
  • When the core network device is a home base station management system (H(e)NB Management System, hereinafter H(e)MS), the first base station may first establish an IPsec tunnel with the security gateway before receiving the root certificate or the shared key from the core network device. Receiving them then means: after the H(e)MS has successfully verified the location of the first base station, the first base station receives, through the home base station provisioning procedure, the root certificate for verifying the second base station's certificate, or the shared keys generated by the H(e)MS for the first base station and its neighbouring home base stations, where those neighbouring home base stations include the second base station.
  • Alternatively, the first base station may send an eNB Configuration Transfer message to the MME or the HeNB GW carrying the Diffie-Hellman (DH) group number and the DH value of the first base station, so that the MME or the HeNB GW carries that DH group number and DH value in a first MME Configuration Transfer message sent to the second base station. The first base station then receives a second MME Configuration Transfer message from the MME or the HeNB GW carrying the DH group number and the DH value selected by the second base station; the MME or the HeNB GW sends this second message after receiving, from the second base station, an eNB Configuration Transfer message that carries the DH group number and DH value selected by the second base station.
  • In this case the shared key between the second base station and the first base station is not generated by the core network device: the first base station generates the shared key itself from the DH group number and DH value selected by the second base station, so the MME or the HeNB GW only relays DH values.
  • Thus the first base station can obtain a root certificate for verifying the second base station's certificate, or a shared key between the second base station and itself, and can therefore establish an IPsec tunnel with the second base station through that shared key or root certificate, so that the security of the interface between the first base station and the second base station is ensured.
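The relayed DH exchange described above, written out as an added example that is not code from the patent or from any Huawei implementation: a `ConfigTransfer` dataclass stands in for the eNB Configuration Transfer and MME Configuration Transfer messages (its field names are assumptions, not 3GPP IE names), the DH group is IKE group 14 (the 2048-bit MODP group of RFC 3526), and the pair key is derived from the DH result with an HMAC-SHA-256 extract-then-expand step whose salt and info labels are also assumptions. The core network relay only ever handles public values, and each base station rejects the degenerate public values 0, 1 and p-1 as well as a group it does not support.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# IKE group 14: the 2048-bit MODP group of RFC 3526, generator 2 (the only group offered here).
MODP_GROUPS = {
    14: (int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16), 2),
}

@dataclass
class ConfigTransfer:
    # Constructed model of the eNB Configuration Transfer / MME Configuration Transfer messages
    # carrying the DH information; the field names are assumptions, not 3GPP IE names.
    source: str
    target: str
    dh_group: int
    dh_value: int

def valid_public_value(y: int, p: int) -> bool:
    # 0, 1 and p-1 (and anything out of range) would pin the shared secret to a predictable value.
    return 1 < y < p - 1

def derive_pair_key(z: int, group: int, initiator: str, responder: str) -> bytes:
    # HMAC-based extract-then-expand over the DH result; the salt and info labels are assumptions.
    p = MODP_GROUPS[group][0]
    z_bytes = z.to_bytes((p.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"henb-direct-interface-salt", z_bytes, hashlib.sha256).digest()
    info = f"group{group}|{initiator}|{responder}".encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

class BaseStation:
    """HeNB (or macro eNB) side: keeps its private exponent and never sends it anywhere."""

    def __init__(self, node_id: str, supported_groups: Tuple[int, ...] = (14,)):
        self.node_id = node_id
        self.supported_groups = supported_groups
        self.pending: dict = {}       # peer id -> (group, private exponent) while an exchange is open
        self.shared_keys: dict = {}   # peer id -> derived pair key

    def _keypair(self, group: int) -> Tuple[int, int]:
        p, g = MODP_GROUPS[group]
        x = secrets.randbelow(p - 2) + 1   # private exponent in [1, p-2]
        return x, pow(g, x, p)

    def initiate(self, peer: str) -> ConfigTransfer:
        # First base station: its DH group number and DH value go into an eNB Configuration Transfer.
        group = self.supported_groups[0]
        x, y = self._keypair(group)
        self.pending[peer] = (group, x)
        return ConfigTransfer(self.node_id, peer, group, y)

    def respond(self, msg: ConfigTransfer) -> Optional[ConfigTransfer]:
        # Second base station: accept the group only if supported, validate the peer's value,
        # compute the key, and return its own selected group number and DH value for relaying back.
        if msg.dh_group not in self.supported_groups:
            return None
        p, _ = MODP_GROUPS[msg.dh_group]
        if not valid_public_value(msg.dh_value, p):
            return None
        x, y = self._keypair(msg.dh_group)
        self.shared_keys[msg.source] = derive_pair_key(pow(msg.dh_value, x, p), msg.dh_group, msg.source, self.node_id)
        return ConfigTransfer(self.node_id, msg.source, msg.dh_group, y)

    def complete(self, msg: ConfigTransfer) -> bool:
        # First base station: derive the same key from the second base station's selected group and value.
        group, x = self.pending.pop(msg.source, (None, None))
        if group is None or msg.dh_group != group:
            return False
        p, _ = MODP_GROUPS[group]
        if not valid_public_value(msg.dh_value, p):
            return False
        self.shared_keys[msg.source] = derive_pair_key(pow(msg.dh_value, x, p), group, self.node_id, msg.source)
        return True

class CoreNetworkRelay:
    """MME or HeNB GW role: copies the DH information from an eNB Configuration Transfer into an
    MME Configuration Transfer toward the target; it only ever sees public values."""

    def __init__(self):
        self.observed = []   # what a compromised MME/HeNB GW would learn: public DH values only

    def relay(self, msg: ConfigTransfer) -> ConfigTransfer:
        self.observed.append(msg.dh_value)
        return ConfigTransfer(msg.source, msg.target, msg.dh_group, msg.dh_value)

def run_exchange(first: BaseStation, second: BaseStation, core: CoreNetworkRelay) -> bool:
    first_mme_ct = core.relay(first.initiate(second.node_id))   # eNB CT -> first MME CT
    reply = second.respond(first_mme_ct)
    if reply is None:
        return False
    return first.complete(core.relay(reply))                     # eNB CT -> second MME CT
```

`run_exchange(BaseStation("HeNB1"), BaseStation("HeNB2"), CoreNetworkRelay())` returns `True` and leaves both stations holding the same 32-byte key. The relay here is deliberately not authenticated: nothing stops a relay that lies about which node sent which value, so in a deployment the eNB/MME Configuration Transfer messages themselves must travel over the existing S1 protection, which is what the patent's "first establish an IPsec tunnel with the security gateway" step provides for the H(e)MS case.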
  • FIG. 2 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention. This embodiment takes the first base station being HeNB1, the second base station being HeNB2, and the core network device being an MME or a HeNB GW as an example.
  • The MME or the HeNB GW needs a shared key generation and distribution function, and can complete the distribution of the shared key by means of the Configuration Transfer function. The configuration transfer function is a function for requesting and transmitting configuration information (for example IP addresses) between two base stations through the core network. Here, the MME or the HeNB GW distributes the shared key to HeNB1 and HeNB2, which are establishing a direct interface, through the mobility management entity configuration transfer (MME Configuration Transfer) message.
  • As shown in FIG. 2, the method for establishing a secure tunnel may include:
  • Step 201: When HeNB1 wants to establish a direct interface with HeNB2, HeNB1 sends an eNB Configuration Transfer message to the MME or the HeNB GW to request the IP address of the peer HeNB2.
  • Step 202: After determining that the source node and/or the target node of the eNB Configuration Transfer message is a HeNB, the MME or the HeNB GW generates a shared key for HeNB1 and HeNB2. Specifically, the MME or the HeNB GW may make this determination from the source node identifier and the target node identifier in the eNB Configuration Transfer message. In this embodiment the source node of the message is HeNB1 and the target node is HeNB2, so both the source node and the target node are HeNBs.
  • Step 203: The MME or the HeNB GW sends an MME Configuration Transfer message to HeNB2 carrying the shared key generated by the MME or the HeNB GW for HeNB1 and HeNB2.
  • Step 204: HeNB2 sends an eNB Configuration Transfer message to the MME or the HeNB GW carrying the IP address of HeNB2.
  • Step 205: The MME or the HeNB GW sends an MME Configuration Transfer message to HeNB1 carrying the shared key generated by the MME or the HeNB GW for HeNB1 and HeNB2, and the IP address of HeNB2.
  • Step 206: HeNB1 and HeNB2 perform IKE negotiation using the shared key and establish an IPsec tunnel between them, ensuring the security of the direct interface between HeNB1 and HeNB2.
  • The shared key needs to be updated in the following cases:
  • the MME or the HeNB GW sets a shared key period; after that period expires, the MME or the HeNB GW generates a new shared key and sends the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message;
  • a shared key period is set on HeNB1 or HeNB2; after that period expires, HeNB1 or HeNB2 may request the MME or the HeNB GW to update the shared key through a dedicated message or an eNB Configuration Transfer message, and after the MME or the HeNB GW generates a new shared key it may send the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message;
  • when HeNB1 initiates IKE negotiation with HeNB2 and finds that HeNB1 or HeNB2 has no usable shared key, HeNB1 may request the MME or the HeNB GW to update the shared key through a dedicated message or an eNB Configuration Transfer message, and after the MME or the HeNB GW generates a new shared key it may send the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message.
  • In this embodiment HeNB1 obtains the shared key generated by the MME or the HeNB GW for HeNB1 and HeNB2, and can establish an IPsec tunnel with HeNB2 through that shared key, so that the security of the direct interface between HeNB1 and HeNB2 is ensured.
  • FIG. 3 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention. This embodiment takes the first base station being HNB1, the second base station being HNB2, and the core network device being an HNB GW as an example.
  • The HNB GW needs a shared key generation and distribution function, and can complete the distribution of the shared key through the HNB Configuration Transfer function. The home base station configuration transfer function provides a way for an HNB to obtain the IP address of a neighbouring HNB, and the HNB can establish a direct interface with that neighbouring HNB by using the IP address sent by the HNB GW.
  • The HNB GW can distribute the shared key it generated to the corresponding neighbouring HNBs through the HNB Application Protocol (HNBAP) HNB Registration Accept message, the HNB Configuration Transfer Response message, or the HNB Configuration Transfer Request message.
  • As shown in FIG. 3, the method for establishing a secure tunnel may include:
  • Step 301: HNB1 enters operating mode and has registered with the HNB GW.
  • Step 302: HNB2 enters operating mode, performs neighbour detection, and obtains its neighbouring HNBs; the neighbouring HNBs of HNB2 include HNB1.
  • Step 303: HNB2 registers with the HNB GW, sending the IP address of HNB2 and the information of the neighbouring HNBs detected by HNB2 to the HNB GW.
  • Step 305: The HNB GW sends HNB2 the information about the neighbouring HNBs available on the HNB GW, together with the shared keys generated by the HNB GW for HNB2 and each neighbouring HNB of HNB2.
  • Step 306: HNB1 detects HNB2.
  • Step 307: HNB1 sends an HNB Configuration Transfer Request message to the HNB GW to request the IP address of HNB2.
  • Step 308: The HNB GW sends an HNB Configuration Transfer Response message to HNB1 carrying the IP address of HNB2 and the shared key generated in advance by the HNB GW for HNB1 and HNB2.
  • If the HNB GW has already generated a shared key for HNB1 and HNB2, it may carry that key directly in the HNB Configuration Transfer Response message. If it has not generated one before sending the response, the HNB GW needs to generate a shared key for HNB1 and HNB2 first and then send it to HNB1 in the HNB Configuration Transfer Response message.
  • Step 309: At some point the HNB GW finds that the neighbouring HNB information under its control has been updated but not yet delivered to HNB1, and the HNB GW generates shared keys for HNB1 and the updated neighbouring HNBs.
  • The HNB GW then initiates the home base station configuration transfer procedure to provide the updated neighbouring HNB information to HNB1, together with the shared keys generated by the HNB GW for HNB1 and the updated neighbouring HNBs. Alternatively, HNB1 may provide the HNB GW with the updated neighbouring HNB information.
  • HNB1 and HNB2 can then establish an IPsec tunnel through the shared key distributed by the HNB GW to ensure the security of the direct interface between HNB1 and HNB2.
  • Not all of steps 301 to 312 need to be performed; only some of them may be performed. For example, it may be enough to perform steps 302, 303, 304, 305 and 309 (and a further step), after which two adjacent HNBs have obtained a shared key.
  • The shared key needs to be updated in the following cases:
  • the HNB GW sets a shared key period; after that period expires, the HNB GW generates a new shared key and sends the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Request message;
  • HNB1 or HNB2 may request the HNB GW to update the shared key through a dedicated message or an HNB Configuration Transfer Request message; after the HNB GW generates a new shared key, it may send the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Response message;
  • when HNB1 initiates IKE negotiation with HNB2 and finds that HNB1 or HNB2 has no usable shared key, HNB1 may request the HNB GW to update the shared key through a dedicated message or an HNB Configuration Transfer Request message, and after the HNB GW generates a new shared key it may send the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Response message.
  • In this embodiment HNB1 obtains the shared key generated by the HNB GW for HNB1 and HNB2 and can establish an IPsec tunnel with HNB2 through that shared key, so that the security of the direct interface between HNB1 and HNB2 is ensured.
  • a base station is an H(e)NB
  • a core network device is an H(e)MS.
  • the H(e)MS has a shared key generation and distribution function, and the H(e)MS may be in a home base station provision (H(e)NB Provision) flow, and the H(e)MS may be H(e)
  • the NB generates a shared key with the neighboring area H(e)NB of the H(e)NB, and then supplies the shared key to the H(e)NB along with the neighbor list.
  • the method for establishing a secure tunnel may include:
  • Step 401 An IPSec tunnel is established between the H(e)NB and the security gateway.
  • Step 402 The H(e)MS performs location verification on the H(e)NB. After the location verification succeeds, the H(e)MS sends configuration parameters to the H(e)NB through the home base station provisioning process, where the configuration parameter includes H ( e) information of the neighboring cell H(e)NB of the NB, and the shared key generated by the H(e)NB in advance for the H(e)NB and the neighboring zone H(e)NB of the H(e)NB.
  • the configuration parameter includes H ( e) information of the neighboring cell H(e)NB of the NB, and the shared key generated by the H(e)NB in advance for the H(e)NB and the neighboring zone H(e)NB of the H(e)NB.
  • the H(e)MS may directly carry the shared key in the The configuration parameter is sent to the H(e)NB; if the shared key is not generated for the H(e)NB on the H(e)MS before the configuration parameter is sent, the H(e)MS needs to send the configuration parameters before A shared key is generated for the H(e)NB, and the shared key is carried in the configuration parameter and sent to the H(e)NB.
  • Subsequently, the H(e)NB may request the H(e)MS to update the shared key through a dedicated message; or, after the shared key period set by the H(e)MS expires or the H(e)MS finds that the neighboring cells of the H(e)NB have been updated, the H(e)MS may actively send the updated shared key to the H(e)NB through the home base station provisioning flow or a dedicated message.
  • FIG. 5 is a flowchart of an embodiment of a shared key update method according to the present invention. As shown in FIG. 5, the shared key update method may include:
  • Step 501 The H(e)NB finds that the shared key period set by the H(e)NB has expired, or that the neighboring cells of the H(e)NB have been updated, or the H(e)NB initiates IKE negotiation with a neighboring H(e)NB and finds that the H(e)NB or the neighboring H(e)NB has no shared key available.
  • Step 502 The H(e)NB requests the H(e)MS to update the shared key.
  • Step 503 The H(e)MS generates an updated shared key for the H(e)NB and the neighboring area H(e)NB of the H(e)NB.
  • Step 504 The H(e)MS sends the updated shared key to the H(e)NB through the home base station provisioning process or a dedicated message.
  • FIG. 6 is a flowchart of another embodiment of a shared key update method according to the present invention. As shown in FIG. 6, the shared key update method may include:
  • Step 601 The H(e)MS finds that the shared key period set by the H(e)MS expires or the H(e)MS finds that the neighboring area of the H(e)NB is updated.
  • Step 602 The H(e)MS generates an updated shared key for the H(e)NB and the neighboring area H(e)NB of the H(e)NB.
  • Step 603 The H(e)MS sends the updated shared key to the H(e)NB through the home base station provisioning process or a dedicated message.
  • In this embodiment, the H(e)NB can obtain the shared key generated by the H(e)MS for the H(e)NB and its neighboring H(e)NBs, and can then establish an IPsec tunnel with a neighboring H(e)NB using the shared key, so that the security of the direct interface between the H(e)NB and its neighboring H(e)NBs can be guaranteed.
  • FIG. 7 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • In this embodiment, the first base station is HeNB1, the second base station is HeNB2, and the core network device is an MME or HeNB GW, as an example.
  • Step 701 When HeNB1 wants to establish a direct interface with HeNB2, HeNB1 sends a base station configuration forwarding message to the MME or the HeNB GW to request the IP address of the peer HeNB2.
  • HeNB1 may also carry its DH (Diffie-Hellman) group number and DH value in the base station configuration forwarding message.
  • Step 702 The MME or the HeNB GW sends a mobility management entity configuration forwarding message to HeNB2, where the mobility management entity configuration forwarding message carries the DH group number and the DH value sent by HeNB1.
  • Step 703 HeNB2 sends a base station configuration forwarding message to the MME or the HeNB GW, where the base station configuration forwarding message carries the IP address of HeNB2 and the DH group number and DH value selected by HeNB2.
  • Step 704 The MME or the HeNB GW sends a mobility management entity configuration forwarding message to HeNB1, where the mobility management entity configuration forwarding message carries the DH group number and DH value selected by HeNB2, and the IP address of HeNB2.
  • Step 705 HeNB1 and HeNB2 each generate the shared key according to the DH group number and the DH value selected by HeNB2, and establish an IPSec tunnel using the shared key to ensure the security of the direct interface between HeNB1 and HeNB2.
  • the HeNB1 and the HeNB2 can generate a shared key according to the selected DH group number and the DH value, and the IPSec tunnel can be established through the shared key, so that the security of the direct interface between the HeNB1 and the HeNB2 can be ensured.
  • FIG. 8 is a flowchart of another embodiment of a method for establishing a secure tunnel according to the present invention.
  • In this embodiment, the first base station is HeNB1, the second base station is HeNB2, and the core network device is an MME or HeNB GW, as an example.
  • Step 801 When HeNB1 wants to establish a direct interface with HeNB2, HeNB1 sends a base station configuration forwarding message to the MME or the HeNB GW to request the IP address of the peer HeNB2.
  • Step 802 After the MME or the HeNB GW determines that the source node and/or the target node of the base station configuration forwarding message is an HeNB, the MME or the HeNB GW sends a mobility management entity configuration forwarding message to HeNB2, where the mobility management entity configuration forwarding message carries a root certificate that can be used to verify the HeNB1 certificate.
  • The MME or the HeNB GW may determine that the source node and/or the target node of the base station configuration forwarding message is an HeNB from the source node identifier and the destination node identifier carried in the message.
  • In this embodiment, the source node of the base station configuration forwarding message is HeNB1 and the target node is HeNB2, so both the source node and the target node of the message are HeNBs.
  • Step 803 HeNB2 sends a base station configuration forwarding message to the MME or the HeNB GW, where the base station configuration forwarding message carries the IP address of HeNB2.
  • Step 804 The MME or the HeNB GW sends a mobility management entity configuration forwarding message to HeNB1, where the mobility management entity configuration forwarding message carries a root certificate that can be used to verify the HeNB2 certificate, and the IP address of HeNB2.
  • Step 805 HeNB1 and HeNB2 establish an IPSec tunnel through certificate authentication to ensure the security of the direct interface between HeNB1 and HeNB2.
  • In this embodiment, HeNB1 and HeNB2 can each obtain from the MME or the HeNB GW the root certificate that can be used to verify the peer certificate, so that HeNB1 and HeNB2 can establish an IPsec tunnel through certificate authentication, thereby ensuring the security of the direct interface between HeNB1 and HeNB2.
  • FIG. 9 is a schematic structural diagram of an embodiment of a first base station according to the present invention.
  • the first base station in this embodiment may implement the process of the embodiment shown in FIG. 1 of the present invention.
  • the first base station may include:
  • The obtaining module 901 is configured to obtain a root certificate for verifying the second base station certificate, or a shared key between the second base station and the first base station; specifically, the obtaining module 901 may receive, from the core network device, the root certificate for verifying the second base station certificate or the shared key generated by the core network device for the second base station and the first base station.
  • The establishing module 902 is configured to establish an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, to ensure the security of the direct interface between the first base station and the second base station.
  • When the first base station is a home base station, the second base station may be a home base station or a macro base station; or, when the first base station is a macro base station, the second base station may be a home base station; that is, at least one of the first base station and the second base station is a home base station.
  • the macro base station may be an eNB or another type of macro base station; the home base station may be an HeNB or an HNB, which is not limited in this embodiment.
  • In this embodiment, the obtaining module 901 can obtain a root certificate for verifying the second base station certificate or a shared key between the second base station and the first base station, so that the establishing module 902 can establish an IPsec tunnel with the second base station using the shared key or that root certificate, and the security of the interface between the first base station and the second base station can be ensured.
  • FIG. 10 is a schematic structural diagram of another embodiment of the first base station according to the present invention.
  • The first base station in this embodiment may implement the processes of the embodiments shown in FIG. 1 and FIG. 4 of the present invention.
  • The first base station shown in FIG. 10 may further include: a receiving module 903; or, a receiving module 903 and a requesting module 904; or, a negotiating module 905, a requesting module 904, and a receiving module 903.
  • The receiving module 903 is configured to receive, after the shared key period set by the core network device expires, the updated shared key that the core network device generates for the second base station and the first base station and sends to the first base station.
  • The requesting module 904 is configured to request the core network device to update the shared key after the shared key period set by the first base station expires; in this case, the receiving module 903 may further receive the updated shared key generated by the core network device according to the request of the first base station.
  • the negotiation module 905 is configured to initiate IKE negotiation to the second base station.
  • When the negotiation module 905 initiates the Internet key exchange negotiation and finds that the first base station or the second base station has no shared key available, the requesting module 904 may also request the core network device to update the shared key, and the receiving module 903 may then receive the updated shared key generated by the core network device according to the request of the first base station.
  • In this embodiment, the first base station may establish an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, so that the security of the interface between the first base station and the second base station can be ensured.
  • FIG. 11 is a schematic structural diagram of another embodiment of the first base station according to the present invention.
  • the first base station in this embodiment can implement the flow of the embodiment shown in FIG. 1, FIG. 2, FIG. 7 and FIG. 8 of the present invention.
  • The difference from the first base station shown in FIG. 10 is that the first base station shown in FIG. 11 may further include a sending module 906, configured to send a base station configuration forwarding message to the mobility management entity or the home evolved base station gateway;
  • the obtaining module 901 may then receive the mobility management entity configuration forwarding message sent by the mobility management entity or the home evolved base station gateway, where the mobility management entity configuration forwarding message carries the root certificate for verifying the second base station certificate, or the shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station.
  • This mobility management entity configuration forwarding message is sent to the first base station by the mobility management entity or the home evolved base station gateway after it receives the base station configuration forwarding message, determines from the source node identifier and the destination node identifier in that message that its source node and/or target node is a home evolved base station, sends the root certificate for verifying the first base station certificate (or the shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station) to the second base station, and receives the base station configuration forwarding message sent by the second base station.
  • The sending module 906 may further send a base station configuration forwarding message to the mobility management entity or the home evolved base station gateway, where the base station configuration forwarding message carries the DH group number and the DH value of the first base station, so that the mobility management entity or the home evolved base station gateway sends the DH group number and the DH value of the first base station to the second base station in a first mobility management entity configuration forwarding message.
  • The receiving module 903 can also receive a second mobility management entity configuration forwarding message sent by the mobility management entity or the home evolved base station gateway, which carries the DH group number and the DH value selected by the second base station; the second mobility management entity configuration forwarding message is sent to the first base station by the mobility management entity or the home evolved base station gateway after it receives the base station configuration forwarding message, sent by the second base station, that carries the DH group number and the DH value selected by the second base station.
  • the obtaining module 901 can generate a shared key according to the DH group number and the DH value selected by the second base station.
  • the first base station may establish an IPsec tunnel with the second base station by using a shared key or a root certificate for verifying the second base station certificate, so that the security of the interface between the first base station and the second base station can be ensured.
  • FIG. 12 is a schematic structural diagram of another embodiment of the first base station according to the present invention.
  • The first base station in this embodiment may implement the processes of the embodiments shown in FIG. 1 and FIG. 3 of the present invention as an HNB, or as part of an HNB.
  • the difference from the first base station shown in FIG. 11 is that, in an implementation manner of the embodiment shown in FIG. 12, the first base station may further include:
  • a registration module 907, configured to register with the home base station gateway;
  • a detecting module 908, configured to detect, after the registration module 907 has registered with the home base station gateway, that the second base station has registered with the home base station gateway;
  • the requesting module 904 may then request the IP address of the second base station from the home base station gateway, and the obtaining module 901 may receive a response message sent by the home base station gateway, where the response message carries the IP address of the second base station and the shared key generated in advance by the home base station gateway for the first base station and the second base station.
  • In addition, the sending module 906 may send information about the neighboring home base stations detected by the first base station to the home base station gateway, where the neighboring home base stations of the first base station include the second base station;
  • the obtaining module 901 may then receive, from the home base station gateway, information about the neighboring home base stations available on the home base station gateway, and the shared key generated by the home base station gateway for the first base station and the neighboring home base stations of the first base station.
  • In this embodiment, the first base station may establish an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, so that the security of the interface between the first base station and the second base station can be ensured.
  • The modules of the apparatus in the embodiments may be distributed in the apparatus as described in the embodiments, or may be located, with corresponding changes, in one or more apparatuses different from those of the embodiments.
  • the modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
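The shared key distribution and update flows of FIG. 4, FIG. 5 and FIG. 6 above (Steps 401-402, 501-504 and 601-603) are modelled in the following added example. It is not code from the patent or from the applicant; the class names (HeMS, HeNB, KeyRecord), the simulated clock and the key period values are constructed for illustration, and delivery to the H(e)NBs is an in-process call standing in for the provisioning flow or dedicated message.

```python
"""Shared key distribution and update as described for FIG. 4, FIG. 5 and
FIG. 6: an H(e)MS generates one pre-shared key per pair of neighbouring
H(e)NBs, delivers it in the provisioning configuration, and refreshes it
when its own period expires, when the neighbour list changes, or when an
H(e)NB asks (key period expired on the H(e)NB side, or no key at IKE start).
Added example, not code from the patent; all names (HeMS, HeNB, KeyRecord)
and the clock/period values are constructed for illustration."""
import os
from dataclasses import dataclass


@dataclass
class KeyRecord:
    key: bytes
    issued_at: float   # simulated clock, seconds
    period: float      # validity period set by whoever holds the record

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.period


def pair(a: str, b: str) -> frozenset:
    """One shared key per unordered pair of base stations."""
    return frozenset((a, b))


class HeNB:
    """Home base station with its own key period (Step 501, first trigger)."""

    def __init__(self, name: str, hems: "HeMS", local_period: float):
        self.name, self.hems, self.local_period = name, hems, local_period
        self.keys: dict[str, KeyRecord] = {}
        hems.attach(self)

    def install_key(self, peer: str, key: bytes, now: float) -> None:
        self.keys[peer] = KeyRecord(key, now, self.local_period)

    def receive_config(self, cfg: dict, now: float) -> None:
        """Step 402: configuration parameters = neighbour list + shared keys."""
        for peer, key in cfg["shared_keys"].items():
            self.install_key(peer, key, now)

    def ike_psk(self, peer: str, now: float) -> bytes:
        """PSK handed to IKE.  A missing or expired key triggers the Step 502
        update request; Steps 503-504 deliver the new key before IKE proceeds."""
        rec = self.keys.get(peer)
        if rec is None or rec.expired(now):
            self.hems.handle_update_request(self.name, peer, now)
        return self.keys[peer].key


class HeMS:
    """Core network device with the shared key generation/distribution function."""

    def __init__(self, key_period: float):
        self.key_period = key_period
        self.keys: dict[frozenset, KeyRecord] = {}
        self.nodes: dict[str, HeNB] = {}

    def attach(self, node: HeNB) -> None:
        self.nodes[node.name] = node

    def generate_shared_key(self, a: str, b: str, now: float) -> bytes:
        key = os.urandom(32)                       # fresh PSK for this pair
        self.keys[pair(a, b)] = KeyRecord(key, now, self.key_period)
        return key

    def current_key(self, a: str, b: str, now: float) -> bytes:
        """Reuse a live key for the pair, otherwise generate before sending."""
        rec = self.keys.get(pair(a, b))
        if rec is None or rec.expired(now):
            return self.generate_shared_key(a, b, now)
        return rec.key

    def provision(self, hnb: str, neighbours: set[str], now: float) -> dict:
        """Step 402 (after location verification), also the neighbour-list
        update trigger of Step 601: neighbour list plus one key per neighbour."""
        cfg = {"neighbours": sorted(neighbours),
               "shared_keys": {nb: self.current_key(hnb, nb, now) for nb in neighbours}}
        if hnb in self.nodes:
            self.nodes[hnb].receive_config(cfg, now)
        return cfg

    def handle_update_request(self, hnb: str, peer: str, now: float) -> bytes:
        """Steps 502-504: generate an updated key and deliver it to both ends."""
        key = self.generate_shared_key(hnb, peer, now)
        for name, other in ((hnb, peer), (peer, hnb)):
            if name in self.nodes:
                self.nodes[name].install_key(other, key, now)
        return key

    def periodic_check(self, now: float) -> list[frozenset]:
        """Steps 601-603: expiry of the H(e)MS-side period triggers a push."""
        refreshed = []
        for p, rec in list(self.keys.items()):
            if rec.expired(now):
                self.handle_update_request(*sorted(p), now)
                refreshed.append(p)
        return refreshed


def demo() -> dict:
    hems = HeMS(key_period=3600)
    nb1, nb2 = HeNB("HeNB1", hems, 7200), HeNB("HeNB2", hems, 7200)
    hems.provision("HeNB1", {"HeNB2", "HeNB3"}, now=0)
    hems.provision("HeNB2", {"HeNB1"}, now=10)       # live pair key is reused
    first = nb1.ike_psk("HeNB2", now=20)
    same_on_both = first == nb2.keys["HeNB1"].key
    refreshed = hems.periodic_check(now=4000)        # FIG. 6 trigger
    second = nb1.ike_psk("HeNB2", now=4001)
    third = nb1.ike_psk("HeNB4", now=4002)           # FIG. 5: no key for this peer
    return {"same_on_both": same_on_both, "rotated": second != first,
            "refreshed_pairs": len(refreshed),
            "peer_got_update": nb2.keys["HeNB1"].key == second,
            "new_peer_keyed": hems.keys[pair("HeNB1", "HeNB4")].key == third}
```

The point the model makes visible is that the key for a pair is owned by the H(e)MS, not by either H(e)NB: provisioning HeNB2 reuses the key already issued to HeNB1 for that pair, and any update path (period expiry on either side, neighbour change, or no key when IKE starts) ends with the same new key installed on both ends, otherwise the IKE PSK authentication between them would fail.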
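The FIG. 7 exchange (Steps 701-705, DH group number and DH value relayed by the MME or HeNB GW in configuration forwarding messages) and the FIG. 8 Step 802 check (security material attached only when the source and/or target node identifier denotes an HeNB) are modelled together in the following added example, which is not code from the patent or the applicant. The DH groups are small constructed toys, the node identifier convention (names starting with "HeNB"), the IP addresses and the root certificate bytes are all constructed stand-ins.

```python
"""Model of the FIG. 7 exchange (DH parameters relayed by the MME / HeNB GW
inside configuration forwarding messages, Steps 701-705) and of the FIG. 8
Step 802 check that security material is only attached when the source
and/or target node of the forwarded message is an HeNB.  Added example, not
code from the patent; DH groups, node identifiers, IP addresses and the root
certificate bytes are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed toy DH groups keyed by "group number".  They are NOT secure;
# real deployments use the IANA-registered IKE groups (e.g. RFC 3526 MODP).
DH_GROUPS = {1: (2**521 - 1, 3), 2: (2**127 - 1, 3)}
ROOT_CERT_PLACEHOLDER = b"ROOT-CERT-PLACEHOLDER"   # stands in for the operator CA


def is_henb(node_id: str) -> bool:
    """Constructed convention: HeNB identifiers start with 'HeNB'.  The MME
    decides the node type from the source/target identifiers it receives."""
    return node_id.startswith("HeNB")


class CoreNetwork:
    """MME or HeNB GW: relays a base station configuration forwarding message
    as a mobility management entity configuration forwarding message."""

    def __init__(self):
        self.log = []

    def forward(self, msg: dict) -> dict:
        out = {"from": msg["source"], "to": msg["target"]}
        for k in ("dh_group", "dh_value", "ip"):    # copy negotiation payload
            if k in msg:
                out[k] = msg[k]
        # Steps 802 / 804: root certificate only when an HeNB is involved.
        if is_henb(msg["source"]) or is_henb(msg["target"]):
            out["root_cert"] = ROOT_CERT_PLACEHOLDER
        self.log.append(out)
        return out


class HeNB:
    def __init__(self, name: str, ip: str, supported_groups: list[int]):
        self.name, self.ip, self.supported = name, ip, supported_groups
        self.group = self.priv = self.peer_pub = self.peer_ip = None

    def _keypair(self, group: int) -> int:
        p, g = DH_GROUPS[group]
        self.group = group
        self.priv = secrets.randbelow(p - 3) + 2        # 2 <= x <= p-2
        return pow(g, self.priv, p)

    def initiate(self, peer: str) -> dict:
        """Step 701: ask the core network for the peer's IP, offering a group."""
        return {"source": self.name, "target": peer, "dh_group": self.supported[0],
                "dh_value": self._keypair(self.supported[0])}

    def respond(self, msg: dict) -> dict:
        """Step 703: accept the offered group (or refuse), return own IP and value."""
        if msg["dh_group"] not in self.supported:
            raise ValueError(f"{self.name}: unsupported DH group {msg['dh_group']}")
        self.peer_pub = msg["dh_value"]
        return {"source": self.name, "target": msg["from"], "ip": self.ip,
                "dh_group": msg["dh_group"], "dh_value": self._keypair(msg["dh_group"])}

    def complete(self, msg: dict) -> None:
        """Step 704 at the initiator: learn the peer IP and peer DH value."""
        self.peer_pub, self.peer_ip = msg["dh_value"], msg["ip"]

    def shared_key(self, peer: str) -> bytes:
        """Step 705: DH secret -> 32-byte IKE PSK bound to both identities;
        identities are sorted so both ends derive the same key."""
        p, _ = DH_GROUPS[self.group]
        z = pow(self.peer_pub, self.priv, p).to_bytes((p.bit_length() + 7) // 8, "big")
        label = "|".join(sorted((self.name, peer))).encode()
        return hmac.new(label, z, hashlib.sha256).digest()


def run_exchange(a: HeNB, b: HeNB, core: CoreNetwork) -> tuple[bytes, bytes, dict]:
    m702 = core.forward(a.initiate(b.name))      # Step 701 -> Step 702
    m704 = core.forward(b.respond(m702))         # Step 703 -> Step 704
    a.complete(m704)
    return a.shared_key(b.name), b.shared_key(a.name), m704


def demo() -> dict:
    core = CoreNetwork()
    k1, k2, m704 = run_exchange(HeNB("HeNB1", "10.0.0.1", [1, 2]),
                                HeNB("HeNB2", "10.0.0.2", [1]), core)
    try:                                         # HeNB2 only supports group 1
        run_exchange(HeNB("HeNB1", "10.0.0.1", [2]), HeNB("HeNB2", "10.0.0.2", [1]), core)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    macro = core.forward({"source": "eNB1", "target": "eNB2"})   # no HeNB involved
    return {"keys_match": k1 == k2, "key_len": len(k1), "peer_ip": m704["ip"],
            "root_cert_to_henb": "root_cert" in m704,
            "root_cert_to_macro": "root_cert" in macro,
            "mismatch_rejected": mismatch_rejected}
```

Two design points follow from the exchange as the page describes it. First, the DH values are relayed rather than signed, so their authenticity rests entirely on the core network device and on the protected path to it; that is the trust assumption behind FIG. 7 and the reason the certificate variant of FIG. 8 exists. Second, the derived key is bound to both node identities before it is used as an IKE PSK, so a key negotiated for one pair cannot be replayed as the PSK of another pair even if the same DH values were reused.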

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided are a security tunnel establishing method and an eNB. The security tunnel establishing method includes: a first eNB obtains a root certificate for authenticating the certificate of a second eNB or a shared key between the same and the first eNB; when the first eNB is an H(e)NB, the second eNB is an H(e)NB or macro eNB; or, when the first eNB is a macro eNB, the second eNB is an H(e)NB; the first eNB establishes an Internet protocol security tunnel with the second eNB using the shared key or the root certificate for authenticating the certificate of the second eNB, so as to guarantee the security of an interface between the first eNB and the second eNB. In the embodiments of the present invention, the first eNB can establish an IPsec tunnel with the second eNB using the obtained root certificate for authenticating the certificate of the second eNB or the shared key between the second eNB and the first eNB, thus the security of the interface between the first eNB and the second eNB can be guaranteed.

Description

Secure Tunnel Establishment Method and Base Station

This application claims priority to Chinese Patent Application No. 201110049584.8, filed with the Chinese Patent Office on March 1, 2011 and entitled "Secure Tunnel Establishment Method and Base Station", which is incorporated herein by reference in its entirety.

TECHNICAL FIELD
The present invention relates to the field of wireless communication technologies, and in particular to a secure tunnel establishment method and a base station.

BACKGROUND
In scenarios where many home base stations (Home NodeB/Home evolved NodeB; hereinafter H(e)NB) are deployed, such as enterprise networks and campus networks, handovers between H(e)NBs occur frequently. To ensure service continuity, improve the success rate of handover between H(e)NBs and reduce handover delay, the prior art establishes a direct interface between H(e)NBs to support mobility enhancement between H(e)NBs, without going through the security gateway (Security Gateway; hereinafter SeGW).

In an existing macro network, for the direct interface between base stations (evolved NodeB; hereinafter eNB), the eNBs can establish an IPSec tunnel by means of certificate authentication to ensure the security of the direct interface between the eNBs.

However, for the direct interface between H(e)NBs, or the interface between an eNB and an H(e)NB, the security of the interface cannot be ensured in the above manner.

SUMMARY OF THE INVENTION
Embodiments of the present invention provide a secure tunnel establishment method and a base station, so that an Internet Protocol Security (Internet Protocol Security; hereinafter IPsec) tunnel can be established between two home base stations, or between a home base station and a macro base station, by means of a shared key or a certificate, thereby ensuring the security of the interface between the two home base stations, or between the home base station and the macro base station.

An embodiment of the present invention provides a secure tunnel establishment method, including:

a first base station obtains a root certificate for verifying a certificate of a second base station, or a shared key between the second base station and the first base station; when the first base station is a home base station, the second base station is a home base station or a macro base station; or, when the first base station is a macro base station, the second base station is a home base station;

the first base station establishes an Internet Protocol security tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, so as to ensure the security of the interface between the first base station and the second base station.

An embodiment of the present invention further provides a first base station, including:

an obtaining module, configured to obtain a root certificate for verifying the second base station certificate or a shared key between the second base station and the first base station;

an establishing module, configured to establish an Internet Protocol security tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, so as to ensure the security of the interface between the first base station and the second base station.

According to the embodiments of the present invention, the first base station can obtain the root certificate for verifying the second base station certificate or the shared key between the second base station and the first base station, so that the first base station can establish an IPsec tunnel with the second base station using the shared key or the root certificate, and the security of the interface between the first base station and the second base station can be ensured.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.

FIG. 1 is a flowchart of an embodiment of a secure tunnel establishment method according to the present invention;

FIG. 2 is a flowchart of another embodiment of a secure tunnel establishment method according to the present invention;

FIG. 3 is a flowchart of another embodiment of a secure tunnel establishment method according to the present invention;

FIG. 4 is a flowchart of another embodiment of a secure tunnel establishment method according to the present invention;

FIG. 5 is a flowchart of an embodiment of a shared key update method according to the present invention;

FIG. 6 is a flowchart of another embodiment of a shared key update method according to the present invention;

FIG. 7 is a flowchart of another embodiment of a secure tunnel establishment method according to the present invention;

FIG. 8 is a flowchart of another embodiment of a secure tunnel establishment method according to the present invention;

FIG. 9 is a schematic structural diagram of an embodiment of a first base station according to the present invention;

FIG. 10 is a schematic structural diagram of another embodiment of a first base station according to the present invention;

FIG. 11 is a schematic structural diagram of another embodiment of a first base station according to the present invention;

FIG. 12 is a schematic structural diagram of another embodiment of a first base station according to the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

FIG. 1 is a flowchart of an embodiment of a secure tunnel establishment method according to the present invention. As shown in FIG. 1, the secure tunnel establishment method may include:

Step 101: The first base station obtains a root certificate (Root Certificate) for verifying the second base station certificate, or a shared key (Shared Key) between the second base station and the first base station.

In this embodiment, when the first base station is a home base station, the second base station may be a home base station or a macro base station; or, when the first base station is a macro base station, the second base station may be a home base station; that is, at least one of the first base station and the second base station is a home base station. The macro base station may be an eNB or another type of macro base station, and the home base station may be an HeNB or an HNB, which is not limited in this embodiment.

Step 102: The first base station establishes an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the second base station certificate, so as to ensure the security of the interface between the first base station and the second base station.

In an implementation of this embodiment, the first base station obtaining the root certificate for verifying the second base station certificate or the shared key between the second base station and the first base station may be: the first base station receives, from the core network device, the root certificate for verifying the second base station certificate, or the shared key generated by the core network device for the second base station and the first base station.

In this implementation, after the shared key period set by the core network device expires, the first base station may receive the updated shared key generated by the core network device for the second base station and the first base station; or, after the shared key period set by the first base station expires, the first base station may request the core network device to update the shared key, and then receive the updated shared key generated by the core network device according to the request of the first base station; or, when the first base station initiates Internet Key Exchange (Internet Key Exchange; hereinafter IKE) negotiation with the second base station and finds that the first base station or the second base station has no shared key available, the first base station may request the core network device to update the shared key, and then receive the updated shared key generated by the core network device according to the request of the first base station.

In this implementation, when the core network device is a mobility management entity (Mobility Management Entity; hereinafter MME) or a home evolved base station gateway (HeNB Gateway; hereinafter HeNB GW), the first base station may receive the shared key generated by the MME or HeNB GW for the second base station and the first base station; or,

before the first base station receives the root certificate for verifying the second base station certificate or the shared key generated by the core network device for the second base station and the first base station, the first base station may further send a base station configuration forwarding message to the MME or HeNB GW; in this case, the first base station receiving the root certificate for verifying the second base station certificate or the shared key generated by the core network device for the second base station and the first base station may be: the first base station receives a mobility management entity configuration forwarding message sent by the MME or HeNB GW, where the mobility management entity configuration forwarding message carries the root certificate for verifying the second base station certificate, or the shared key generated by the MME or HeNB GW for the first base station and the second base station; this mobility management entity configuration forwarding message is sent to the first base station by the MME or HeNB GW after it receives the base station configuration forwarding message, determines from the source node identifier and the destination node identifier in that message that its source node and/or target node is a home evolved base station, sends the root certificate for verifying the first base station certificate (or the shared key generated by the MME or HeNB GW for the first base station and the second base station) to the second base station, and receives the base station configuration forwarding message sent by the second base station.

In this implementation, when the core network device is a Home Node B Gateway (HNB Gateway, hereinafter HNB GW), the first base station may receive, from the HNB GW, the shared key generated by the HNB GW for the second base station and the first base station; or,

Before the first base station receives from the core network device the shared key generated by that device for the second base station and the first base station, and after the first base station has registered with the HNB GW, if the first base station detects that the second base station has registered with the same HNB GW, the first base station may request the Internet Protocol (hereinafter IP) address of the second base station from the HNB GW. In that case, the first base station receiving the shared key from the core network device may be: the first base station receives a response message sent by the HNB GW, which carries the IP address of the second base station and the shared key generated in advance by the HNB GW for the first base station and the second base station. Alternatively, before the first base station receives the shared key from the core network device, the first base station may register with the HNB GW and send to the HNB GW the information about the neighbouring home base stations it has detected, where the neighbouring home base stations of the first base station include the second base station. In that case, the first base station receiving the shared key from the core network device may be: the first base station receives, from the HNB GW, the information about the neighbouring home base stations available on that HNB GW, together with the shared keys generated by the HNB GW for the first base station and its neighbouring home base stations.

In this implementation, after the HNB GW finds that the information about the neighbouring home base stations it controls has not been updated to the first base station, and that it holds no shared key between the first base station and the updated neighbouring home base stations, the first base station may receive, through the home base station configuration transfer procedure initiated by the HNB GW, the updated neighbouring home base station information together with the shared keys generated by the HNB GW for the first base station and the updated neighbouring home base stations.

In this implementation, when the core network device is an HNB GW, before the first base station receives from the core network device the root certificate for verifying the second base station's certificate, the first base station may send a home base station registration request message to the HNB GW. In that case, the first base station receiving the root certificate from the core network device may be: the first base station receives a home base station registration accept message sent by the HNB GW, which carries the root certificate for verifying the second base station's certificate.

In this implementation, when the core network device is a Home (evolved) Node B Management System (H(e)NB Management System, hereinafter H(e)MS), before the first base station receives from the core network device the root certificate for verifying the second base station's certificate or the shared key generated by the core network device for the second base station and the first base station, the first base station may first establish an IPsec tunnel with the security gateway. In that case, the first base station receiving the root certificate or the shared key from the core network device may be: after the H(e)MS has successfully verified the location of the first base station, the first base station receives, through the home base station provisioning procedure, the root certificate for verifying the second base station's certificate or the shared keys generated by the H(e)MS for the first base station and its neighbouring home base stations, where the neighbouring home base stations of the first base station include the second base station.

In another implementation of this embodiment, before the first base station obtains the shared key between the second base station and the first base station, the first base station may send a base station configuration transfer message to the MME or HeNB GW carrying the first base station's Diffie-Hellman (hereinafter DH) group number and DH value, so that the MME or HeNB GW carries the first base station's DH group number and DH value in a first mobility management entity configuration transfer message sent to the second base station. The first base station may then receive a second mobility management entity configuration transfer message sent by the MME or HeNB GW, carrying the DH group number and DH value selected by the second base station; the MME or HeNB GW sends this second message to the first base station after receiving from the second base station a base station configuration transfer message carrying the DH group number and DH value selected by the second base station. In that case, the first base station obtaining the shared key between the second base station and the first base station may be: the first base station generates the shared key from the DH group number and DH value selected by the second base station.

In the above embodiment, the first base station can obtain the root certificate for verifying the second base station's certificate, or the shared key between the second base station and the first base station, and can then establish an IPsec tunnel with the second base station using that shared key or root certificate, thereby securing the interface between the first base station and the second base station.

FIG. 2 is a flowchart of another embodiment of the secure tunnel establishing method of the present invention. This embodiment takes the first base station being HeNB1, the second base station being HeNB2, and the core network device being an MME or HeNB GW as an example. In this embodiment the MME or HeNB GW must have a shared key generation and distribution function; the MME or HeNB GW can distribute the shared key through the Configuration Transfer function. The Configuration Transfer function requests and conveys configuration information (for example, IP addresses) between two base stations through the core network. The MME or HeNB GW can distribute the shared key to HeNB1 and HeNB2, which are establishing a direct interface, through MME Configuration Transfer messages.

As shown in FIG. 2, the secure tunnel establishing method may include:

Step 201: When HeNB1 wishes to establish a direct interface with HeNB2, HeNB1 sends an eNB Configuration Transfer message to the MME or HeNB GW to request the IP address of the peer HeNB2.

Step 202: After the MME or HeNB GW determines that the source node and/or destination node of the eNB Configuration Transfer message is an HeNB, the MME or HeNB GW generates a shared key for HeNB1 and HeNB2. Specifically, the MME or HeNB GW can determine from the source node identifier and destination node identifier carried in the eNB Configuration Transfer message whether its source node and/or destination node is an HeNB. In this embodiment the source node of the message is HeNB1 and the destination node is HeNB2, so both the source node and the destination node are HeNBs.

Step 203: The MME or HeNB GW sends an MME Configuration Transfer message to HeNB2 carrying the shared key generated by the MME or HeNB GW for HeNB1 and HeNB2.

Step 204: HeNB2 sends an eNB Configuration Transfer message to the MME or HeNB GW carrying the IP address of HeNB2.

Step 205: The MME or HeNB GW sends an MME Configuration Transfer message to HeNB1 carrying the shared key generated by the MME or HeNB GW for HeNB1 and HeNB2, together with the IP address of HeNB2.

Step 206: HeNB1 and HeNB2 perform IKE negotiation using the above shared key and establish an IPSec tunnel between HeNB1 and HeNB2, securing the direct interface between them.

In this embodiment, the shared key needs to be updated in the following cases:

(1) The MME or HeNB GW sets a shared key period. After the shared key period set by the MME or HeNB GW expires, the MME or HeNB GW generates a new shared key and sends the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message;

(2) A shared key period is set on HeNB1 or HeNB2. After the shared key period set on HeNB1 or HeNB2 expires, HeNB1 or HeNB2 may request a shared key update from the MME or HeNB GW through a dedicated message or an eNB Configuration Transfer message; after the MME or HeNB GW generates a new shared key, it may send the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message;

(3) When HeNB1 initiates IKE negotiation with HeNB2 and finds that HeNB1 or HeNB2 has no usable shared key, HeNB1 may request a shared key update from the MME or HeNB GW through a dedicated message or an eNB Configuration Transfer message; after the MME or HeNB GW generates a new shared key, it may send the updated shared key to HeNB1 and HeNB2 through a dedicated message or an MME Configuration Transfer message.

In the above embodiment, HeNB1 can obtain the shared key generated by the MME or HeNB GW for HeNB1 and HeNB2, and can then establish an IPsec tunnel with HeNB2 using that shared key, thereby securing the direct interface between HeNB1 and HeNB2.
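The FIG. 2 flow and the three key update cases above, modelled as an added Python example; this is not code from the patent or from any vendor implementation. Message kinds, the `HeNB` identifier prefix used to recognise home eNBs, the tick-based key period, the IP address `10.0.0.2` and the HMAC-based stand-in for the IKE pre-shared-key authentication in step 206 are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

HENB_PREFIX = "HeNB"  # constructed convention: node identifiers of home eNBs start with this


@dataclass
class Message:
    kind: str  # "eNB Configuration Transfer", "MME Configuration Transfer" or "dedicated"
    src: str
    dst: str
    payload: dict = field(default_factory=dict)


class CoreNode:
    """MME / HeNB GW role of FIG. 2: generates shared keys and distributes them via Configuration Transfer."""

    def __init__(self, key_period):
        self.key_period = key_period  # shared key lifetime in ticks (constructed time unit)
        self.keys = {}                # frozenset({a, b}) -> (key bytes, expiry tick)
        self.now = 0

    @staticmethod
    def is_henb(node_id):
        return node_id.startswith(HENB_PREFIX)

    def key_for(self, a, b):
        """Return a usable key for the pair; generate a fresh one if none exists or the old one expired.
        This single rule covers update case (1) (core-side period) and case (3) (no usable key)."""
        pair = frozenset((a, b))
        entry = self.keys.get(pair)
        if entry is None or entry[1] <= self.now:
            entry = (secrets.token_bytes(32), self.now + self.key_period)
            self.keys[pair] = entry
        return entry[0]

    def handle_enb_config_transfer(self, msg):
        """Steps 202-205: relay the request as an MME Configuration Transfer, attaching the shared key
        only when the source and/or destination node identifier marks a home eNB."""
        out = Message("MME Configuration Transfer", msg.src, msg.dst, dict(msg.payload))
        if self.is_henb(msg.src) or self.is_henb(msg.dst):
            out.payload["shared_key"] = self.key_for(msg.src, msg.dst)
        return out

    def expire_and_rekey(self):
        """Update case (1): once the core-side period has expired, push new keys to both peers."""
        pushed = []
        for pair, (_, expiry) in list(self.keys.items()):
            if expiry <= self.now:
                a, b = sorted(pair)
                key = self.key_for(a, b)  # generates the replacement key
                pushed.append(Message("dedicated", "core", a, {"shared_key": key}))
                pushed.append(Message("dedicated", "core", b, {"shared_key": key}))
        return pushed


def ike_psk_tag(key, nonce_i, nonce_r):
    """Stand-in for step 206: a PSK-based IKE authentication tag over both nonces.
    Only peers holding the same distributed key produce the same tag."""
    return hmac.new(key, b"IKE-PSK|" + nonce_i + b"|" + nonce_r, hashlib.sha256).digest()


def run_fig2_flow(core, henb1="HeNB1", henb2="HeNB2", henb2_ip="10.0.0.2"):
    # Step 201: HeNB1 asks for HeNB2's IP address via eNB Configuration Transfer.
    m201 = Message("eNB Configuration Transfer", henb1, henb2, {"request": "ip"})
    # Steps 202-203: the core node sees an HeNB endpoint, generates the key and forwards it to HeNB2.
    m203 = core.handle_enb_config_transfer(m201)
    henb2_key = m203.payload["shared_key"]
    # Step 204: HeNB2 answers with its IP address.
    m204 = Message("eNB Configuration Transfer", henb2, henb1, {"ip": henb2_ip})
    # Step 205: the core node forwards to HeNB1 with the same key plus HeNB2's IP address.
    m205 = core.handle_enb_config_transfer(m204)
    henb1_key = m205.payload["shared_key"]
    # Step 206: both HeNBs authenticate the IKE exchange with the shared key as pre-shared secret.
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    authenticated = hmac.compare_digest(
        ike_psk_tag(henb1_key, nonce_i, nonce_r), ike_psk_tag(henb2_key, nonce_i, nonce_r)
    )
    return {
        "henb1_key": henb1_key,
        "henb2_key": henb2_key,
        "peer_ip": m205.payload["ip"],
        "authenticated": authenticated,
    }
```

The point worth noticing from a defender's seat is the branch in `handle_enb_config_transfer`: a macro eNB pair that exchanges Configuration Transfer messages through the same core node gets no key attached, exactly because the source/destination identifiers are inspected first (step 202). The same `CoreNode` logic also describes the HNB GW and H(e)MS embodiments, which differ only in the carrier messages.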

FIG. 3 is a flowchart of another embodiment of the secure tunnel establishing method of the present invention. This embodiment takes the first base station being HNB1, the second base station being HNB2, and the core network device being an HNB GW as an example. In this embodiment the HNB GW must have a shared key generation and distribution function; the HNB GW can distribute the shared key through the HNB Configuration Transfer function. The HNB Configuration Transfer function provides a way for an HNB to obtain the IP address of a neighbouring HNB, and the HNB can use the IP address sent by the HNB GW to establish a direct interface with the neighbouring HNB. The HNB GW can therefore distribute the shared keys it generates to the relevant neighbouring HNBs in the HNB Application Protocol Registration Accept (hereinafter HNBAP Registration Accept) message, the HNB Configuration Transfer Response message or the HNB Configuration Transfer Request message that it sends to the HNB.

As shown in FIG. 3, the secure tunnel establishing method may include:

Step 301: HNB1 enters operating mode and has already registered with the HNB GW.

Step 302: HNB2 enters operating mode, performs neighbour detection and obtains its neighbouring HNBs.

The neighbouring HNBs of HNB2 include HNB1.

Step 303: HNB2 registers with the HNB GW and sends the IP address of HNB2, together with the information about the neighbouring HNBs detected by HNB2, to the HNB GW.

Step 304: The HNB GW stores the IP address of HNB2 and the neighbouring HNB information detected by HNB2, and then generates shared keys for HNB2 and the neighbouring HNBs of HNB2.

Step 305: The HNB GW sends HNB2 the information about the neighbouring HNBs available on the HNB GW, and at the same time sends HNB2 the shared keys generated by the HNB GW for HNB2 and the neighbouring HNBs of HNB2.

Step 306: HNB1 detects HNB2.

Step 307: HNB1 sends an HNB Configuration Transfer Request message to the HNB GW to request the IP address of HNB2.

Step 308: The HNB GW sends an HNB Configuration Transfer Response message to HNB1 carrying the IP address of HNB2 and the shared key generated in advance by the HNB GW for HNB1 and HNB2.

Specifically, if the HNB GW already holds a shared key that it generated for HNB1 and HNB2 before sending the HNB Configuration Transfer Response message, the HNB GW can directly carry that shared key in the HNB Configuration Transfer Response message sent to HNB1; if the HNB GW has not yet generated a shared key for HNB1 and HNB2 before sending the HNB Configuration Transfer Response message, it must first generate a shared key for HNB1 and HNB2 and then carry it in the HNB Configuration Transfer Response message sent to HNB1.

Step 309: If at some point in time the HNB GW finds that the information about the neighbouring HNBs it controls has not been updated to HNB1, and the HNB GW holds no shared key between HNB1 and the updated neighbouring HNBs, the HNB GW generates shared keys for HNB1 and the updated neighbouring HNBs.

Step 310: The HNB GW initiates the HNB Configuration Transfer procedure to provide HNB1 with the updated neighbouring HNB information, and at the same time sends HNB1 the shared keys generated by the HNB GW for HNB1 and the updated neighbouring HNBs.

Step 311: Optionally, HNB1 may provide the HNB GW with updated neighbouring HNB information.

In this embodiment, HNB1 and HNB2 can subsequently establish an IPSec tunnel using the shared key distributed by the HNB GW, securing the direct interface between HNB1 and HNB2.

It should be noted that, for a given HNB, steps 301 to 312 above need not all be performed; only some of them may be performed. For example, only steps 302, 303, 304, 305, 309, 310 and 311 may be performed, or only steps 301, 306, 307, 308, 309, 310 and 311. Whether all of the steps or only some of them are performed, two neighbouring HNBs can obtain a shared key.

In this embodiment, the shared key needs to be updated in the following cases:

(1) The HNB GW sets a shared key period. After the shared key period set by the HNB GW expires, the HNB GW generates a new shared key and sends the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Request message;

(2) A shared key period is set on HNB1 or HNB2. After the shared key period set on HNB1 or HNB2 expires, HNB1 or HNB2 may request a shared key update from the HNB GW through a dedicated message or an HNB Configuration Transfer Request message; after the HNB GW generates a new shared key, it may send the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Response message;

(3) When HNB1 initiates IKE negotiation with HNB2 and finds that HNB1 or HNB2 has no usable shared key, HNB1 may request a shared key update from the HNB GW through a dedicated message or an HNB Configuration Transfer Request message; after the HNB GW generates a new shared key, it may send the updated shared key to HNB1 and HNB2 through a dedicated message or an HNB Configuration Transfer Response message.

In the above embodiment, HNB1 can obtain the shared key generated by the HNB GW for HNB1 and HNB2, and can then establish an IPsec tunnel with HNB2 using that shared key, thereby securing the direct interface between HNB1 and HNB2.

FIG. 4 is a flowchart of another embodiment of the secure tunnel establishing method of the present invention. This embodiment takes the base station being an H(e)NB and the core network device being an H(e)MS as an example. In this embodiment the H(e)MS has a shared key generation and distribution function: during the H(e)NB Provision procedure, the H(e)MS can generate shared keys for the H(e)NB and its neighbouring H(e)NBs, and then provide the shared keys to the H(e)NB together with the neighbour list.

As shown in FIG. 4, the secure tunnel establishing method may include:

Step 401: An IPSec tunnel is established between the H(e)NB and the security gateway.

Step 402: The H(e)MS performs location verification on the H(e)NB. After the location verification succeeds, the H(e)MS sends configuration parameters to the H(e)NB through the home base station provisioning procedure; the configuration parameters include the information about the neighbouring H(e)NBs of the H(e)NB, together with the shared keys generated in advance by the H(e)MS for the H(e)NB and its neighbouring H(e)NBs.

Specifically, if the H(e)MS already holds shared keys that it generated for the H(e)NB before sending the configuration parameters, the H(e)MS can directly carry those shared keys in the configuration parameters sent to the H(e)NB; if the H(e)MS has not yet generated shared keys for the H(e)NB before sending the configuration parameters, it must first generate the shared keys for the H(e)NB and then carry them in the configuration parameters sent to the H(e)NB.

In this embodiment, after the shared key period set on the H(e)NB expires or the neighbour list of the H(e)NB is updated, or when the H(e)NB initiates IKE negotiation with a neighbouring H(e)NB and finds that the H(e)NB or the neighbouring H(e)NB has no usable shared key, the H(e)NB may request a shared key update from the H(e)MS through a dedicated message. Alternatively, after the shared key period set on the H(e)MS expires or the H(e)MS finds that the neighbour list of the H(e)NB has been updated, the H(e)MS may proactively send the updated shared key to the H(e)NB through the home base station provisioning procedure or a dedicated message.

FIG. 5 is a flowchart of an embodiment of the shared key update method of the present invention. As shown in FIG. 5, the shared key update method may include:

Step 501: The H(e)NB finds that the shared key period set on the H(e)NB has expired or that the neighbour list of the H(e)NB has been updated, or the H(e)NB initiates IKE negotiation with a neighbouring H(e)NB and finds that the H(e)NB or the neighbouring H(e)NB has no usable shared key.

Step 502: The H(e)NB requests a shared key update from the H(e)MS.

Step 503: The H(e)MS generates updated shared keys for the H(e)NB and the neighbouring H(e)NBs of the H(e)NB.

Step 504: The H(e)MS sends the updated shared key to the H(e)NB through the home base station provisioning procedure or a dedicated message.

FIG. 6 is a flowchart of another embodiment of the shared key update method of the present invention. As shown in FIG. 6, the shared key update method may include:

Step 601: The H(e)MS finds that the shared key period set on the H(e)MS has expired, or the H(e)MS finds that the neighbour list of the H(e)NB has been updated.

Step 602: The H(e)MS generates updated shared keys for the H(e)NB and the neighbouring H(e)NBs of the H(e)NB.

Step 603: The H(e)MS sends the updated shared key to the H(e)NB through the home base station provisioning procedure or a dedicated message.

In the above embodiments, the H(e)NB can obtain the shared keys generated by the H(e)MS for the H(e)NB and its neighbouring H(e)NBs, and can then establish IPsec tunnels with the neighbouring H(e)NBs using those shared keys, thereby securing the direct interfaces between the H(e)NB and its neighbouring H(e)NBs.

FIG. 7 is a flowchart of another embodiment of the secure tunnel establishing method of the present invention. This embodiment takes the first base station being HeNB1, the second base station being HeNB2, and the core network device being an MME or HeNB GW as an example.

Step 701: When HeNB1 wishes to establish a direct interface with HeNB2, HeNB1 sends an eNB Configuration Transfer message to the MME or HeNB GW to request the IP address of the peer HeNB2.

In this embodiment, in order to negotiate a shared key between HeNB1 and HeNB2, HeNB1 may also carry a DH group number and DH value in the eNB Configuration Transfer message.

Step 702: The MME or HeNB GW sends an MME Configuration Transfer message to HeNB2 carrying the DH group number and DH value sent by HeNB1.

Step 703: HeNB2 sends an eNB Configuration Transfer message to the MME or HeNB GW carrying the IP address of HeNB2, together with the DH group number and DH value selected by HeNB2.

Step 704: The MME or HeNB GW sends an MME Configuration Transfer message to HeNB1 carrying the DH group number and DH value selected by HeNB2, together with the IP address of HeNB2.

Step 705: HeNB1 and HeNB2 generate a shared key from the DH group number and DH value selected by HeNB2, and establish an IPSec tunnel using that shared key, securing the direct interface between HeNB1 and HeNB2.

In the above embodiment, HeNB1 and HeNB2 can generate a shared key from the selected DH group number and DH value, and can then establish an IPSec tunnel using that shared key, thereby securing the direct interface between HeNB1 and HeNB2.
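The FIG. 7 exchange, where the core node only relays DH group numbers and public values and the two HeNBs derive the key themselves, as an added Python example that is not part of the patent. The `DH_GROUPS` table (Mersenne primes 2^127-1 and 2^521-1 with generator 3), the SHA-256 key derivation in `derive_shared_key`, the message dictionaries and the IP address `10.0.0.2` are all constructed for the demonstration; a deployment would use the standard IKE MODP groups and the IKE key derivation. The example also covers the failure mode the text leaves implicit: when HeNB2 selects a group that HeNB1 did not offer, neither side can derive a key from the values exchanged so far and the negotiation has to be repeated.

```python
import hashlib
import secrets

# Constructed toy group table: group number -> (prime p, generator g).  Not a deployable group set.
DH_GROUPS = {1: (2**127 - 1, 3), 2: (2**521 - 1, 3)}


def derive_shared_key(shared_secret, p):
    """Assumed KDF: hash the DH shared secret into a 256-bit pre-shared key for IKE."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(nbytes, "big")).digest()


class HeNB:
    def __init__(self, name, supported_groups):
        self.name = name
        self.supported = list(supported_groups)
        self.private = {}  # group number -> private exponent; never leaves the node

    def dh_value(self, group_no):
        """Public DH value g^x mod p for the given group, creating x on first use."""
        p, g = DH_GROUPS[group_no]
        x = self.private.setdefault(group_no, secrets.randbelow(p - 2) + 1)
        return pow(g, x, p)

    def offer(self):
        """Step 701: HeNB1 puts its preferred DH group number and DH value in the eNB Configuration Transfer."""
        group_no = self.supported[0]
        return {"dh_group": group_no, "dh_value": self.dh_value(group_no)}

    def select(self, offer):
        """Step 703: HeNB2 selects a group (the offered one when it supports it) and returns its own value."""
        group_no = offer["dh_group"] if offer["dh_group"] in self.supported else self.supported[0]
        return {"dh_group": group_no, "dh_value": self.dh_value(group_no)}

    def shared_key(self, peer_msg):
        """Step 705: derive the key from the peer's group and value.  Returns None when this node holds
        no private exponent for that group, which signals that the negotiation must be repeated."""
        group_no = peer_msg["dh_group"]
        if group_no not in self.private:
            return None
        p, _ = DH_GROUPS[group_no]
        value = peer_msg["dh_value"]
        if not 1 < value < p - 1:  # reject degenerate public values before using them
            raise ValueError("invalid DH value from peer")
        return derive_shared_key(pow(value, self.private[group_no], p), p)


def mme_relay(src, dst, payload):
    """MME / HeNB GW role in steps 702 and 704: forwards the DH fields unchanged inside an
    MME Configuration Transfer.  It sees group numbers and public values, never a private exponent."""
    return {"kind": "MME Configuration Transfer", "src": src, "dst": dst, **payload}


def run_fig7_flow(henb1_groups=(1, 2), henb2_groups=(1, 2), henb2_ip="10.0.0.2"):
    henb1, henb2 = HeNB("HeNB1", henb1_groups), HeNB("HeNB2", henb2_groups)
    m701 = henb1.offer()                              # eNB Configuration Transfer to the core
    m702 = mme_relay("HeNB1", "HeNB2", m701)          # step 702
    m703 = henb2.select(m702)                         # eNB Configuration Transfer back to the core
    m703["ip"] = henb2_ip
    m704 = mme_relay("HeNB2", "HeNB1", m703)          # step 704
    key1 = henb1.shared_key(m704)                     # step 705 at HeNB1
    key2 = henb2.shared_key(m702)                     # step 705 at HeNB2
    return key1, key2, m704["dh_group"]
```

`run_fig7_flow()` returns the two derived keys and the group HeNB2 selected; with overlapping group lists the keys match, with disjoint lists both sides return `None`. Compared with the FIG. 2 design, the relay here never holds the tunnel key, so a compromised MME or HeNB GW learns only the public values, which is the security property that motivates the DH variant.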

FIG. 8 is a flowchart of another embodiment of the secure tunnel establishing method of the present invention. This embodiment is described taking HeNB1 as the first base station, HeNB2 as the second base station, and an MME or HeNB GW as the core network device.

Step 801: When HeNB1 wishes to establish a direct interface with HeNB2, HeNB1 sends a base station configuration transfer message to the MME or HeNB GW to request the IP address of the peer HeNB2.

Step 802: After the MME or HeNB GW determines that the source node and/or target node of the base station configuration transfer message is a HeNB, the MME or HeNB GW sends a mobility management entity configuration transfer message to HeNB2, carrying a root certificate that can be used to verify the certificate of HeNB1.

Specifically, the MME or HeNB GW may determine from the source node identifier and target node identifier in the base station configuration transfer message that the source node and/or target node of the message is a HeNB. In this embodiment, the source node of the base station configuration transfer message is HeNB1 and the target node is HeNB2, so both the source node and the target node of the message are HeNBs.

Step 803: HeNB2 sends a base station configuration transfer message to the MME or HeNB GW, carrying the IP address of HeNB2.

Step 804: The MME or HeNB GW sends a mobility management entity configuration transfer message to HeNB1, carrying a root certificate that can be used to verify the certificate of HeNB2, and the IP address of HeNB2.

Step 805: HeNB1 and HeNB2 establish an IPsec tunnel by certificate-based authentication, so that the security of the direct interface between HeNB1 and HeNB2 is ensured.

In the above embodiment, HeNB1 and HeNB2 can obtain, from the MME or HeNB GW, a root certificate that can be used to verify the peer's certificate, so that HeNB1 and HeNB2 can establish an IPsec tunnel by certificate-based authentication, thereby ensuring the security of the direct interface between HeNB1 and HeNB2.

A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.

FIG. 9 is a schematic structural diagram of an embodiment of the first base station of the present invention. The first base station in this embodiment can implement the process of the embodiment shown in FIG. 1. As shown in FIG. 9, the first base station may include:

An obtaining module 901, configured to obtain a root certificate for verifying the certificate of the second base station, or a shared key between the second base station and the first base station. Specifically, the obtaining module 901 may receive, from a core network device, a root certificate for verifying the certificate of the second base station, or a shared key generated by the core network device for the second base station and the first base station.

An establishing module 902, configured to establish an IPsec tunnel with the second base station using the above shared key or the above root certificate for verifying the certificate of the second base station, so that the security of the direct interface between the first base station and the second base station is ensured.

In this embodiment, when the first base station is a home base station, the second base station may be a home base station or a macro base station; or, when the first base station is a macro base station, the second base station may be a home base station. In other words, it is sufficient that at least one of the first base station and the second base station is a home base station. The macro base station may be an eNB or another type of macro base station, and the home base station may be a HeNB or an HNB; this embodiment does not limit this.

In the above embodiment, the obtaining module 901 can obtain a root certificate for verifying the certificate of the second base station, or a shared key between the second base station and the first base station, so that the establishing module 902 can establish an IPsec tunnel with the second base station using that shared key or that root certificate, thereby ensuring the security of the interface between the first base station and the second base station.

FIG. 10 is a schematic structural diagram of another embodiment of the first base station of the present invention. The first base station in this embodiment can implement the processes of the embodiments shown in FIG. 1 and FIG. 4. Compared with the first base station shown in FIG. 9, the difference is that the first base station shown in FIG. 10 may further include: a receiving module 903; or a receiving module 903 and a requesting module 904; or a negotiating module 905, a requesting module 904 and a receiving module 903.

The receiving module 903 is configured to receive, after the shared key period set by the core network device expires, an updated shared key generated by the core network device for the second base station and the first base station and sent by the core network device.

The requesting module 904 is configured to request the core network device to update the shared key after the shared key period set by the first base station expires; in this case the receiving module 903 may further receive the updated shared key that the core network device generates at the request of the first base station and sends.

The negotiating module 905 is configured to initiate IKE negotiation with the second base station. In this case, when the negotiating module 905 initiates the Internet Key Exchange negotiation and finds that the first base station or the second base station has no available shared key, the requesting module 904 may further request the core network device to update the shared key, and the receiving module 903 may further receive the updated shared key that the core network device generates at the request of the first base station and sends.

The above first base station can establish an IPsec tunnel with the second base station using the above shared key or the root certificate for verifying the certificate of the second base station, thereby ensuring the security of the interface between the first base station and the second base station.

FIG. 11 is a schematic structural diagram of another embodiment of the first base station of the present invention. The first base station in this embodiment can implement the processes of the embodiments shown in FIG. 1, FIG. 2, FIG. 7 and FIG. 8. Compared with the first base station shown in FIG. 10, the difference is that the first base station shown in FIG. 11 may further include: a sending module 906, configured to send a base station configuration transfer message to the mobility management entity or the home evolved base station gateway.

In this embodiment, the obtaining module 901 may receive a mobility management entity configuration transfer message sent by the mobility management entity or the home evolved base station gateway, which carries the above root certificate for verifying the certificate of the second base station, or a shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station.

The mobility management entity configuration transfer message is sent as follows: after receiving the base station configuration transfer message, the mobility management entity or home evolved base station gateway determines, from the source node identifier and target node identifier in that message, that its source node and/or target node is a home evolved base station; it then sends the root certificate for verifying the certificate of the first base station, or the shared key it generated for the first base station and the second base station, to the second base station, and, after receiving the base station configuration transfer message sent by the second base station, sends the mobility management entity configuration transfer message to the first base station.

In this embodiment, the sending module 906 may further send a base station configuration transfer message to the mobility management entity or home evolved base station gateway, carrying the DH group number and DH value of the first base station, so that the mobility management entity or home evolved base station gateway carries the DH group number and DH value of the first base station in a first mobility management entity configuration transfer message sent to the second base station. In this case, the receiving module 903 may further receive a second mobility management entity configuration transfer message sent by the mobility management entity or home evolved base station gateway, carrying the DH group number and DH value selected by the second base station; the second mobility management entity configuration transfer message is sent to the first base station after the mobility management entity or home evolved base station gateway receives the base station configuration transfer message, sent by the second base station, that carries the DH group number and DH value selected by the second base station.

In this embodiment, the obtaining module 901 may generate the shared key from the DH group number and DH value selected by the second base station.

The above first base station can establish an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the certificate of the second base station, thereby ensuring the security of the interface between the first base station and the second base station.

FIG. 12 is a schematic structural diagram of another embodiment of the first base station of the present invention. The first base station in this embodiment may act as an HNB, or as part of an HNB, to implement the processes of the embodiments shown in FIG. 1 and FIG. 3. Compared with the first base station shown in FIG. 11, the difference is that, in one implementation of the embodiment shown in FIG. 12, the first base station may further include:

A registration module 907, configured to register with the home base station gateway;

A detecting module 908, configured to detect, after the registration module 907 has registered with the home base station gateway, that the second base station has registered with the home base station gateway.

In this case, the requesting module 904 may further request the IP address of the second base station from the home base station gateway, and the obtaining module 901 may receive a response message sent by the home base station gateway, carrying the IP address of the second base station and a shared key generated in advance by the home base station gateway for the first base station and the second base station.

In another implementation of this embodiment, the sending module 906 may further send to the home base station gateway information about the neighbouring home base stations detected by the first base station, where the neighbouring home base stations of the first base station include the second base station; in this case, the obtaining module 901 may receive, from the home base station gateway, information about the neighbouring home base stations available on the home base station gateway, together with the shared keys generated by the home base station gateway for the first base station and its neighbouring home base stations.

The above first base station can establish an IPsec tunnel with the second base station using the shared key or the root certificate for verifying the certificate of the second base station, thereby ensuring the security of the interface between the first base station and the second base station.

A person skilled in the art will understand that the drawings are merely schematic diagrams of a preferred embodiment, and that the modules or processes in the drawings are not necessarily required to implement the present invention.

A person skilled in the art will understand that the modules of the apparatus in the embodiments may be distributed in the apparatus of the embodiment as described, or may be located, with corresponding changes, in one or more apparatuses different from that of this embodiment. The modules of the above embodiments may be combined into one module or further split into multiple sub-modules.

Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A secure tunnel establishing method, comprising:

a first base station obtaining a root certificate for verifying a certificate of a second base station, or a shared key between the second base station and the first base station, wherein when the first base station is a home base station the second base station is a home base station or a macro base station, and when the first base station is a macro base station the second base station is a home base station; and

the first base station establishing an Internet Protocol security tunnel with the second base station using the shared key or the root certificate for verifying the certificate of the second base station, so as to ensure the security of an interface between the first base station and the second base station.

2. The method according to claim 1, wherein the first base station obtaining a root certificate for verifying a certificate of a second base station, or a shared key between the second base station and the first base station, comprises:

the first base station receiving, from a core network device, a root certificate for verifying the certificate of the second base station, or a shared key generated by the core network device for the second base station and the first base station.
3. The method according to claim 2, wherein after the first base station receives the shared key generated by the core network device for the second base station and the first base station, the method further comprises:

after the shared key period set by the core network device expires, the first base station receiving an updated shared key generated by the core network device for the second base station and the first base station and sent by the core network device.

4. The method according to claim 2, wherein after the first base station receives the shared key generated by the core network device for the second base station and the first base station, the method further comprises:

after the shared key period set by the first base station expires, the first base station requesting the core network device to update the shared key, and receiving an updated shared key generated by the core network device at the request of the first base station; or

when the first base station initiates an Internet Key Exchange negotiation with the second base station and finds that the first base station or the second base station has no available shared key, the first base station requesting the core network device to update the shared key, and receiving an updated shared key generated by the core network device at the request of the first base station.
5. The method according to claim 2 or 4, wherein the core network device comprises a mobility management entity or a home evolved base station gateway;

before the first base station receives, from the core network device, the root certificate for verifying the certificate of the second base station, or the shared key generated by the core network device for the second base station and the first base station, the method further comprises:

the first base station sending a base station configuration transfer message to the mobility management entity or the home evolved base station gateway; and

the first base station receiving, from the core network device, the root certificate for verifying the certificate of the second base station, or the shared key generated by the core network device for the second base station and the first base station, comprises:

the first base station receiving a mobility management entity configuration transfer message sent by the mobility management entity or the home evolved base station gateway, the mobility management entity configuration transfer message carrying the root certificate for verifying the certificate of the second base station, or the shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station;

wherein the mobility management entity configuration transfer message is sent to the first base station after the mobility management entity or the home evolved base station gateway, having received the base station configuration transfer message, determines from the source node identifier and target node identifier in the base station configuration transfer message that the source node and/or target node of the base station configuration transfer message is a home evolved base station, sends the root certificate for verifying the certificate of the first base station, or the shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station, to the second base station, and receives the base station configuration transfer message sent by the second base station.
6. The method according to claim 2 or 4, wherein the core network device comprises a home base station gateway;

before the first base station receives the shared key generated by the core network device for the second base station and the first base station, the method further comprises:

after registering with the home base station gateway, the first base station detecting that the second base station has registered with the home base station gateway; and

the first base station requesting the Internet Protocol address of the second base station from the home base station gateway; and

the first base station receiving the shared key generated by the core network device for the second base station and the first base station comprises:

the first base station receiving a response message sent by the home base station gateway, the response message carrying the Internet Protocol address of the second base station and the shared key generated by the home base station gateway for the first base station and the second base station.
7. The method according to claim 2 or 4, wherein the core network device comprises a home base station gateway;

before the first base station receives the shared key generated by the core network device for the second base station and the first base station, the method further comprises:

the first base station registering with the home base station gateway and sending to the home base station gateway information about the neighbouring home base stations detected by the first base station, the neighbouring home base stations of the first base station including the second base station; and

the first base station receiving the shared key generated by the core network device for the second base station and the first base station comprises:

the first base station receiving, from the home base station gateway, information about the neighbouring home base stations available on the home base station gateway, and the shared keys generated by the home base station gateway for the first base station and the neighbouring home base stations of the first base station.
8. The method according to claim 2 or 4, wherein the core network device comprises a home base station gateway; and

the first base station receiving the shared key generated by the core network device for the second base station and the first base station comprises:

after the home base station gateway finds that the information about the neighbouring home base stations controlled by the home base station gateway has not been updated to the first base station, and that the home base station gateway holds no shared key between the first base station and the updated neighbouring home base stations, the first base station receiving, through a home base station configuration transfer procedure, the updated neighbouring home base station information sent by the home base station gateway, and the shared keys generated by the home base station gateway for the first base station and the updated neighbouring home base stations.
9. The method according to claim 1, wherein before the first base station obtains the shared key between the second base station and the first base station, the method further comprises:

the first base station sending a base station configuration transfer message to a mobility management entity or a home evolved base station gateway, the base station configuration transfer message carrying a Diffie-Hellman (DH) group number and DH value of the first base station, so that the mobility management entity or the home evolved base station gateway carries the DH group number and DH value of the first base station in a first mobility management entity configuration transfer message sent to the second base station; and

the first base station receiving a second mobility management entity configuration transfer message sent by the mobility management entity or the home evolved base station gateway, the second mobility management entity configuration transfer message carrying a DH group number and DH value selected by the second base station, wherein the second mobility management entity configuration transfer message is sent to the first base station after the mobility management entity or the home evolved base station gateway receives the base station configuration transfer message, sent by the second base station, that carries the DH group number and DH value selected by the second base station; and

the first base station obtaining the shared key between the second base station and the first base station comprises:

the first base station generating the shared key from the DH group number and DH value selected by the second home evolved base station.

10. A first base station, comprising:

an obtaining module, configured to obtain a root certificate for verifying a certificate of a second base station, or a shared key between the second base station and the first base station; and

an establishing module, configured to establish an Internet Protocol security tunnel with the second base station using the shared key or the root certificate for verifying the certificate of the second base station, so as to ensure the security of an interface between the first base station and the second base station.

11. The base station according to claim 10, wherein the obtaining module is specifically configured to receive, from a core network device, a root certificate for verifying the certificate of the second base station, or a shared key generated by the core network device for the second base station and the first base station.
12、 根据权利要求 11所述的基站, 其特征在于, 还包括:  The base station according to claim 11, further comprising: 接收模块, 用于在所述核心网设备设置的共享密钥周期到期之后, 接 收所述核心网设备发送的所述核心网设备为所述第二基站与所述第一基站 生成的更新后的共享密钥。  a receiving module, configured to receive, after the expiration of the shared key period set by the core network device, the core network device that is sent by the core network device to be updated by the second base station and the first base station Shared key. 13、 根据权利要求 12所述的基站, 其特征在于, 还包括:  The base station according to claim 12, further comprising: 请求模块, 用于在所述第一基站设置的共享密钥周期到期之后, 向所 述核心网设备请求更新共享密钥;  a requesting module, configured to request, after the expiration of the shared key period set by the first base station, an update shared key to the core network device; 所述接收模块, 还用于接收所述核心网设备发送的所述核心网设备根 据所述第一基站的请求生成的更新后的共享密钥。  The receiving module is further configured to receive, by the core network device, the updated shared key generated by the core network device according to the request of the first base station. 14、 根据权利要求 13所述的基站, 其特征在于, 还包括:  The base station according to claim 13, further comprising: 协商模块, 用于向所述第二基站发起因特网密钥交换协商;  a negotiation module, configured to initiate an Internet key exchange negotiation to the second base station; 所述请求模块, 还用于在所述协商模块在发起因特网密钥交换协商时, 如果所述协商模块发现所述第一基站或所述第二基站没有可用的共享密 钥, 则向所述核心网设备请求更新共享密钥。  The requesting module is further configured to: when the negotiation module initiates an Internet key exchange negotiation, if the negotiation module finds that the first base station or the second base station does not have a shared key available, The core network device requests to update the shared key. 
15、 根据权利要求 14所述的基站, 其特征在于, 还包括:  The base station according to claim 14, further comprising: 发送模块, 用于向移动性管理实体或家庭演进基站网关发送基站配置 转发消息;  a sending module, configured to send a base station configuration forwarding message to the mobility management entity or the home evolved base station gateway; 所述获得模块, 具体用于接收所述移动性管理实体或所述家庭演进基 站网关发送的移动性管理实体配置转发消息, 所述移动性管理实体配置转 发消息中携带所述用于验证第二基站证书的根证书, 或者所述移动性管理 实体或所述家庭演进基站网关为所述第一基站和所述第二基站生成的共享 密钥。  The obtaining module is configured to receive a mobility management entity configured to send a forwarding message by the mobility management entity or the home eNodeB gateway, where the mobility management entity configures the forwarding message to carry the verification a root certificate of the base station certificate, or a shared key generated by the mobility management entity or the home evolved base station gateway for the first base station and the second base station. 16、 根据权利要求 15所述的基站, 其特征在于, 还包括: 注册模块, 用于注册到家庭基站网关; The base station according to claim 15, further comprising: a registration module, configured to register to the home base station gateway; 检测模块, 用于在所述注册模块注册到所述家庭基站网关之后, 检测 到所述第二基站注册到所述家庭基站网关;  a detecting module, configured to detect, after the registration module is registered to the home base station gateway, that the second base station is registered to the home base station gateway; 所述请求模块, 还用于向所述家庭基站网关请求所述第二基站的因特 网协议地址;  The requesting module is further configured to request, by the home base station gateway, an Internet protocol address of the second base station; 所述获得模块, 具体用于接收所述家庭基站网关发送的响应消息, 所 述响应消息携带所述第二基站的因特网协议地址和所述家庭基站网关预先 为所述第一基站与所述第二基站生成的共享密钥。  The obtaining module is specifically configured to receive a response message sent by the home base station gateway, where the response message carries an Internet Protocol address of the second base station, and the home base station gateway is configured as the first base station and the first The shared key generated by the second base station. 
17、 根据权利要求 15所述的基站, 其特征在于,  17. The base station according to claim 15, wherein: 所述发送模块, 还用于向所述家庭基站网关发送所述第一基站检测到 的邻区家庭基站的信息, 所述第一基站的邻区家庭基站包括所述第二基站; 所述获得模块, 具体用于接收所述家庭基站网关发送的所述家庭基站 网关上可用的邻区家庭基站的信息, 以及所述家庭基站网关为所述第一基 站与所述第一基站的邻区家庭基站生成的共享密钥。  The sending module is further configured to send information about the neighboring home base station detected by the first base station to the home base station gateway, where the neighboring cell home base station of the first base station includes the second base station; The module is specifically configured to receive information about a neighboring home base station available on the home base station gateway sent by the home base station gateway, and the home base station gateway is a neighboring cell family of the first base station and the first base station The shared key generated by the base station. 18、 根据权利要求 15所述的基站, 其特征在于,  18. The base station according to claim 15, wherein: 所述发送模块, 还用于向移动性管理实体或家庭演进基站网关发送基 站配置转发消息, 所述基站配置转发消息携带所述第一基站的迪非-赫尔曼 ( DH )组号和 DH值, 以便所述移动性管理实体或家庭演进基站网关将所 述第一基站的 DH组号和 DH值携带在第一移动性管理实体配置转发消息中 发送给所述第二基站;  The sending module is further configured to send a base station configuration forwarding message to the mobility management entity or the home evolved base station gateway, where the base station configuration forwarding message carries the Difei-Hermann (DH) group number and the DH of the first base station. 
a value, such that the mobility management entity or the home eNodeB gateway carries the DH group number and the DH value of the first base station in the first mobility management entity configuration forwarding message, and sends the message to the second base station; 所述接收模块, 还用于接收所述移动性管理实体或所述家庭演进基站 网关发送的第二移动性管理实体配置转发消息, 所述第二移动性管理实体 配置转发消息携带所述第二基站选择的 DH组号和 DH值,所述第二移动性 管理实体配置转发消息是所述移动性管理实体或所述家庭演进基站网关接 收到所述第二基站发送的携带所述第二基站选择的 DH组号和 DH值的基站 配置转发消息之后发送给所述第一基站的;  The receiving module is further configured to receive a second mobility management entity configured to send a forwarding message sent by the mobility management entity or the home eNodeB gateway, where the second mobility management entity configures a forwarding message to carry the second a DH group number and a DH value selected by the base station, where the second mobility management entity configures the forwarding message to be that the mobility management entity or the home evolved base station gateway receives the second base station and sends the second base station The selected DH group number and the DH value of the base station configuration forwarding message are sent to the first base station; 所述获得模块,具体用于根据所述第二基站选择的 DH组号和 DH值生 成所述共享密钥。 The obtaining module is specifically configured to generate a DH group number and a DH value according to the second base station Into the shared key.
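The relayed Diffie-Hellman procedure of claims 9 and 18, worked through as an added example that is not part of the patent and not Huawei code: two simulated base stations send their DH group number and DH value to an MME / HeNB GW stand-in, which forwards them as MME Configuration Transfer messages; each side validates the peer value, derives the shared key and then uses it as the IKEv2 shared-secret authenticator (RFC 7296 section 2.15). The group is RFC 3526 group 14, which the code re-validates as a safe prime before use. The KDF (a PRF over g^xy keyed with an identity-and-group context, the shape IKEv2 uses for SKEYSEED), the identity strings, the relay's message log and the "signed octets" are assumptions for the example, not definitions from the patent.

```python
"""Added example (not the patent's code): two base stations agree on an IPsec
pre-shared key by relaying Diffie-Hellman values through an MME or HeNB GW in
eNB / MME Configuration Transfer messages (claims 9 and 18), then use the key
as the IKEv2 shared-secret authenticator (RFC 7296 s2.15)."""
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2, transcribed here; validate_group()
# re-checks that it is a safe prime so a transcription error cannot pass silently.
MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
DH_GROUPS = {14: (int("".join(MODP_2048_HEX.split()), 16), 2)}  # group number -> (p, g)

def is_probable_prime(n: int, rounds: int = 12) -> bool:
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_group(group: int) -> bool:
    """Usable MODP group: p = 2q + 1 is a safe prime and g generates the order-q subgroup."""
    p, g = DH_GROUPS[group]
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and pow(g, q, p) == 1

def derive_psk(shared_secret: int, id_a: str, id_b: str, group: int) -> bytes:
    """Assumed KDF: prf(context, g^xy) with g^xy fixed-width, bound to both identities and the group."""
    p, _ = DH_GROUPS[group]
    gxy = shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")
    context = f"X2 IKE PSK|{'|'.join(sorted((id_a, id_b)))}|{group}".encode()
    return hmac.new(context, gxy, "sha256").digest()

def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """RFC 7296 s2.15: AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)."""
    pad_key = hmac.new(psk, b"Key Pad for IKEv2", "sha256").digest()
    return hmac.new(pad_key, signed_octets, "sha256").digest()

class Relay:
    """MME or HeNB GW: re-sends an eNB Configuration Transfer as an MME Configuration Transfer."""
    def __init__(self):
        self.stations, self.log = {}, []
    def enb_configuration_transfer(self, src: str, dst: str, group: int, value: int):
        self.log += [("eNB Configuration Transfer", src, dst), ("MME Configuration Transfer", src, dst)]
        self.stations[dst].mme_configuration_transfer(src, group, value)

class BaseStation:
    def __init__(self, enb_id: str, relay: Relay):
        self.enb_id, self.relay, self.psk, self.pending = enb_id, relay, {}, {}  # psk: peer -> key
        relay.stations[enb_id] = self
    def _keypair(self, group: int):
        p, g = DH_GROUPS[group]
        priv = 2 + secrets.randbelow((p - 1) // 2 - 3)
        return priv, pow(g, priv, p)
    def initiate(self, peer_id: str, group: int = 14):
        """First base station: announce its DH group number and value through the relay."""
        priv, pub = self._keypair(group)
        self.pending[peer_id] = (group, priv)
        self.relay.enb_configuration_transfer(self.enb_id, peer_id, group, pub)
    def mme_configuration_transfer(self, peer_id: str, group: int, peer_value: int):
        """Validate the peer's value, derive the shared key, and reply if this side did not initiate."""
        p, _ = DH_GROUPS[group]
        # Reject 0, 1, p-1 and anything outside the order-q subgroup (small-subgroup confinement).
        if not 2 <= peer_value <= p - 2 or pow(peer_value, (p - 1) // 2, p) != 1:
            raise ValueError(f"{self.enb_id}: DH value from {peer_id} rejected")
        reply = None
        if peer_id in self.pending:
            pending_group, priv = self.pending.pop(peer_id)
            if pending_group != group:
                raise ValueError(f"{self.enb_id}: {peer_id} answered with a different DH group")
        else:  # second base station: accept the proposed group and select its own value
            priv, reply = self._keypair(group)
        self.psk[peer_id] = derive_psk(pow(peer_value, priv, p), self.enb_id, peer_id, group)
        if reply is not None:
            self.relay.enb_configuration_transfer(self.enb_id, peer_id, group, reply)

def run_exchange() -> dict:
    """Run the procedure end to end and return what can be checked."""
    relay = Relay()
    enb1, enb2 = BaseStation("eNB-1", relay), BaseStation("eNB-2", relay)
    enb1.initiate("eNB-2", group=14)
    psk1, psk2 = enb1.psk["eNB-2"], enb2.psk["eNB-1"]
    signed_octets = b"constructed stand-in for IKE_SA_INIT request | Nr | prf(SK_pi, IDi')"
    auth = ikev2_psk_auth(psk1, signed_octets)  # eNB-1's AUTH payload, checked by eNB-2
    return {"keys_match": psk1 == psk2,
            "auth_verified": hmac.compare_digest(auth, ikev2_psk_auth(psk2, signed_octets)),
            "messages": [m[0] for m in relay.log]}
```

The relay only ever sees public values, so it cannot compute the key; what the scheme does rely on is that the S1 signalling path between each base station and the MME or HeNB GW is already authenticated, since a dishonest relay could substitute values. Two checks matter in practice and are easy to omit: rejecting peer values outside the prime-order subgroup, and refusing a reply that names a different DH group than the one proposed. Claim 14's "no usable shared key" case corresponds here to a missing `psk` entry for the peer at IKE time, which is the point at which a real implementation would ask the core network device for a fresh key.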
PCT/CN2012/071242 2011-03-01 2012-02-17 Security tunnel establishing method and enb Ceased WO2012116599A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110049584.8A CN102655641B (en) 2011-03-01 2011-03-01 Secure tunnel method for building up and base station
CN201110049584.8 2011-03-01

Publications (1)

Publication Number Publication Date
WO2012116599A1 true WO2012116599A1 (en) 2012-09-07

Family

ID=46731158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/071242 Ceased WO2012116599A1 (en) 2011-03-01 2012-02-17 Security tunnel establishing method and enb

Country Status (2)

Country Link
CN (1) CN102655641B (en)
WO (1) WO2012116599A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MX342101B (en) * 2013-01-30 2016-09-13 Ericsson Telefon Ab L M Security key generation for dual connectivity.
CN104429109B (en) * 2013-07-11 2018-11-16 华为技术有限公司 A communication method and device
US10142323B2 (en) * 2016-04-11 2018-11-27 Huawei Technologies Co., Ltd. Activation of mobile devices in enterprise mobile management
CN112565302A (en) * 2020-12-29 2021-03-26 北京中电飞华通信有限公司 Communication method, system and equipment based on security gateway

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1801705A (en) * 2005-01-07 2006-07-12 华为技术有限公司 Pre-authentication method
CN101257723A (en) * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Key generation method, device and system
CN101309503A (en) * 2007-05-17 2008-11-19 华为技术有限公司 Wireless handover method, base station and terminal
CN101437223A (en) * 2007-11-16 2009-05-20 华为技术有限公司 Access method, system and apparatus for household base station
CN101540999A (en) * 2008-03-19 2009-09-23 华为技术有限公司 Method and equipment for establishing safe data tunnel

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1909520A1 (en) * 2006-10-02 2008-04-09 Matsushita Electric Industrial Co., Ltd. Transmission and reception of system information upon changing connectivity or point of attachment in a mobile communication system

Also Published As

Publication number Publication date
CN102655641B (en) 2015-09-30
CN102655641A (en) 2012-09-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12752279; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12752279; Country of ref document: EP; Kind code of ref document: A1)