CN101001252A - Registration method and consultation method and device of user safety algorithmic - Google Patents


Info

Publication number
CN101001252A
Authority
CN
China
Prior art keywords
mme
upe
algorithm
user
registration
Prior art date
Legal status
Pending
Application number
CN 200610091966
Other languages
Chinese (zh)
Inventor
王珊珊
郭小龙
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

This invention provides a registration method and a negotiation method and device for a user-plane security algorithm. The method includes: the UPE initiates registration to the MME and loads registration information, including its security algorithms, onto the MME; the MME then negotiates with the UE to determine the security algorithm. Under this scheme the UPE reports the security algorithm capabilities it supports through registration, so that user-plane security algorithm negotiation is completed in the control-plane network element and the division of network element functions is more reasonable. When the UE and the UPE have no commonly supported security algorithm, the MME can decide whether the UE attach procedure proceeds before the user-plane routing configuration process, which reduces the number of signaling interactions and lightens the operating burden on the system. Negotiating the user-plane security algorithm between the new UPE and the UE during UPE relocation speeds up user-plane connection setup.

Description

A registration method, and a negotiation method and device for a user-plane security algorithm
Technical field
The present invention relates to the technical field of algorithm negotiation in network communication, and in particular to a registration method and to a negotiation method and device for a user-plane security algorithm.
Background art
As shown in Figure 1, an existing General Packet Radio Service/Universal Mobile Telecommunications System (GPRS/UMTS) network structure is divided into two parts: the radio side and the core network.
On the radio side, GPRS comprises the base transceiver station (BTS) and the base station controller (BSC), and UMTS comprises the radio network controller (RNC) and the base station (NodeB); together they implement all radio-related functions.
The core network handles all voice calls and data connections in the GPRS/UMTS system and also implements switching and routing towards external networks. It can be divided into the circuit-switched (CS) domain and the packet-switched (PS) domain, which support voice services and data services respectively.
The core network CS domain comprises nodes such as the Mobile Switching Center Server (MSC-Server), the Media Gateway (MGW) and the Gateway MSC Server (GMSC-Server). The MSC-Server carries the control-plane data of the CS domain and implements functions such as mobility management, call control, and authentication and encryption; the GMSC-Server implements the control-plane functions of GMSC call control and mobility control; the MGW carries user-plane data.
The core network PS domain comprises the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The GGSN is mainly responsible for interfacing with external networks and also carries user-plane data. The position of the SGSN in the PS domain is similar to that of the MSC Server in the CS domain; its core functions are routing and forwarding, mobility management, session management and storage of user information.
On the core network side, the HLR is a device shared by the CS and PS domains and stores user subscription information.
In addition to the above network structure, the 3rd Generation Partnership Project (3GPP) has proposed a new network architecture.
The network architecture proposed by 3GPP comprises System Architecture Evolution (SAE) and Long Term Evolution (LTE) of the access network. The evolved access network is called E-UTRAN, and the structure of the evolved packet core (EPC) is as shown in Figure 1.
Figure 2 shows the architecture of the evolved packet core (EPC). The EPC comprises three logical functional entities: MME, UPE and Inter AS Anchor. The MME is responsible for control-plane mobility management, including management of user context and mobility state, allocation of temporary user identities, security functions and so on; the UPE is responsible for initiating paging for downlink data in idle state and for managing and storing IP bearer parameters and routing information within the network; the Inter AS Anchor serves as the user-plane anchor between different access systems.
In GPRS and UMTS mobile communication systems, the same network entity performs encryption/integrity protection for both the signaling plane and the user plane, for example the SGSN in the GPRS system and the RNC in the UMTS system.
In the evolved network, by contrast, the RNC no longer exists, so the encryption and integrity protection of the user's non-access-stratum signaling move up into the core network logical functional entity MME, while encryption of user-plane data is placed in the logical functional entity UPE.
When the MME and UPE reside in the same physical entity, the algorithms, encryption keys and integrity keys used for control-plane and user-plane encryption and integrity protection are all shared, so negotiation and control can be completed with a single unified signaling procedure.
When the MME and UPE are separated, that is, when they do not reside in the same physical entity, encryption and integrity protection of the control plane and of the user plane need to be controlled separately.
Figure 3 is a schematic diagram of the negotiation of user-plane encryption and integrity protection algorithms in the existing evolved network.
Step 11: when the UE initiates a service setup request or a registration request to the MME, it also reports to the MME the encryption and integrity protection algorithm capabilities it supports for control-plane and user-plane data; the control-plane algorithm negotiation is completed by the MME, and the user-plane algorithm negotiation is completed through IP bearer setup.
Step 12: through interaction between the MME and the UPE, the MME notifies the UPE of the encryption and integrity protection algorithm capabilities supported by the UE in the IP bearer setup request.
Step 13: the UPE takes the intersection with the encryption and integrity protection algorithm capabilities it supports itself, completing the negotiation of encryption and integrity protection algorithms.
Step 14: after the negotiation is complete, the UPE notifies the UE of the negotiation result through the authentication procedure initiated towards the UE.
Step 15: user-plane data between the UE and the UPE is protected with the negotiated encryption and integrity protection algorithms.
In a network structure where they are separated, the MME and UPE each have specific functions: the MME is responsible for mobility-management-related processing and control-plane signaling processing; the UPE is responsible for service data processing.
Because user-plane algorithm negotiation belongs to control-plane signaling processing, it is more appropriate for the MME to carry it out; in the prior art, however, the MME cannot obtain from the UPE the information about UPE-supported security algorithms that the negotiation requires.
Having the UPE carry out control-plane signaling processing conflicts with the functions assigned to the UPE and makes the UPE work beyond its area of responsibility, which is detrimental to the operation of the system as a whole.
Summary of the invention
The purpose of the invention is to provide a registration method and a negotiation method and device for a user-plane security algorithm.
The purpose of the invention is achieved through the following technical solutions:
A method for registering a user plane entity with a mobility management entity, comprising:
The user plane entity (UPE) initiates registration to the mobility management entity (MME), and the registration information carried by the UPE is loaded into the MME.
The registration comprises:
the UPE initiates registration to the MME and sends registration information to the MME;
the MME receives and records the registration information from the UPE;
the MME sends a registration response to the UPE, confirming that registration succeeded.
The operation in which the UPE initiates registration to the MME comprises:
registration actively initiated by the UPE to the MME at power-on;
or,
registration initiated by the UPE to the MME after it receives a registration request from the MME;
or,
registration initiated by the UPE to the MME after a configuration modification;
or,
registration initiated by the UPE to the MME after congestion is relieved.
The registration information comprises: encryption algorithm information, integrity protection algorithm information, UPE version information and/or the current load state of the UPE.
A negotiation method for a user-plane security algorithm, comprising:
A. the UPE initiates registration to the MME and loads registration information, including security algorithms, onto the MME;
B. the MME negotiates with the UE and determines the security algorithm.
Step B comprises:
B1. the UE initiates registration to the MME and sends registration information, including security algorithm negotiation information, to the MME;
B2. the MME negotiates between the security algorithms supported by the UPE and the security algorithms supported by the UE, and selects a security algorithm supported by both the UPE and the UE as the result of the negotiation;
B3. the MME notifies the UPE and the UE respectively of the security algorithm negotiation result.
In step B, the security algorithm negotiation between the UE and the MME is carried out in the attach procedure initiated by the UE to the MME, or in the UPE relocation procedure.
When security algorithm negotiation is carried out in the attach procedure, the negotiation result is delivered to the UE in the authentication procedure; or,
the negotiation result is delivered to the UE in the user-plane routing configuration process.
UPE relocation is performed and the security algorithm negotiated when the context is stored at the UPE; or,
UPE relocation is performed and the security algorithm negotiated when the context is stored at the MME.
When UPE relocation and security algorithm negotiation are performed with the context stored at the UPE, the MME carries the security parameters it selected and the address information of the old UPE in the message requesting the new UPE to perform relocation; the MME carries the security parameters it selected in the update confirmation message sent to the UE.
When UPE relocation and security algorithm negotiation are performed with the context stored at the MME, the Activate Context Request message sent by the MME contains the security parameters selected by the MME and the UPE-related context; the MME carries the security parameters it selected in the update confirmation message sent to the UE.
In step B3, the MME notifies the UPE to set up the IP bearer and feeds the security algorithm negotiation result back to the UPE.
A user-plane security algorithm negotiation device, arranged in the mobility management entity (MME) and comprising:
a registration processing unit, used to carry out registration with the UPE and obtain the security algorithm information of the UPE;
a security algorithm negotiation unit, used to negotiate with the UE according to the security algorithm information of the UPE and determine the security algorithm.
The security algorithm negotiation unit comprises:
a UE information acquisition unit, used to obtain the security algorithm information of the UE through registration with the UE;
an attach negotiation unit, used to negotiate and determine the security algorithm in the attach procedure initiated by the UE to the MME;
a relocation negotiation unit, used to negotiate and determine the security algorithm in the UPE relocation procedure.
As the technical solution provided by the invention shows, the UPE actively reports the security algorithm capabilities it supports to the MME during registration, and user-plane security algorithm negotiation is completed in the control-plane network element MME, so the division of network element functions is more reasonable. When the UE and the UPE have no commonly supported user-plane security algorithm, the MME can decide whether the UE attach procedure proceeds before the user-plane routing configuration process, which reduces the number of signaling interactions and lightens the operating burden on the system. In the UPE relocation procedure, user-plane data security algorithm negotiation is carried out between the new UPE and the UE, which speeds up user-plane connection setup.
Description of drawings
Figure 1 shows the existing GPRS/UMTS network structure;
Figure 2 shows the architecture of the evolved packet core network in 3GPP;
Figure 3 is a schematic diagram of the prior-art negotiation of user-plane encryption and integrity protection algorithms;
Figure 4 is an overall schematic diagram of the negotiation in Embodiment 1 of the invention;
Figure 5 is a schematic diagram of the UPE registering with the MME in Embodiment 2 of the invention;
Figure 6 is a schematic diagram of the UPE actively initiating registration to the MME at power-on in Embodiment 3 of the invention;
Figure 7 is a schematic diagram of the UPE initiating registration to the MME at the MME's request in Embodiment 4 of the invention;
Figure 8 is a schematic diagram of the UPE initiating re-registration to the MME after a configuration modification in Embodiment 5 of the invention;
Figure 9 is a schematic diagram of the UPE initiating re-registration to the MME after returning from a congested state to the normal state in Embodiment 6 of the invention;
Figure 10 is a schematic diagram of the UE and MME carrying out user security algorithm negotiation in Embodiment 7 of the invention;
Figure 11 is a schematic diagram of the attach procedure in which the negotiation result is delivered during authentication in Embodiment 8 of the invention;
Figure 12 is a schematic diagram of the attach procedure in which the negotiation result is delivered during user-plane routing configuration in Embodiment 9 of the invention;
Figure 13 is a schematic diagram of security algorithm negotiation during UPE relocation when the context is stored at the UPE in Embodiment 10 of the invention;
Figure 14 is a schematic diagram of security algorithm negotiation during UPE relocation when the context is stored at the MME in Embodiment 11 of the invention;
Figure 15 is a schematic diagram of the device of Embodiment 12 of the invention.
Embodiment
The core of the invention is that the mobility management entity (MME) obtains the security algorithm information supported by the user plane entity (UPE) and by the user equipment (UE) respectively; the MME negotiates and determines the security algorithm according to the security algorithm information supported by the UPE and by the UE, so that the security algorithm negotiation is completed in the MME.
More specifically, where the MME and UPE are deployed on different physical devices of the SAE network, the invention has the UPE register with the MME so that the MME records the encryption algorithm capability and integrity protection algorithm capability supported by that UPE; when the UE initiates a service connection request, the MME determines an encryption algorithm and an integrity protection algorithm supported by both the UE and the UPE for the subsequent secure transmission of user-plane data, and the MME notifies the UE of the negotiation result.
The invention is described in detail below with reference to the drawings of its specific embodiments.
As shown in Figure 4, Embodiment 1 of the invention is divided overall into: step 41, the user plane entity UPE initiates registration to the mobility management entity MME, and the registration information carried by the UPE is loaded into the MME; step 42, after the UPE has registered, the UE and the MME negotiate and determine the security algorithm.
Figure 5 is a schematic diagram of the UPE registering with the MME in Embodiment 2 of the invention.
As shown in Figure 5, for a network architecture in which the MME and UPE are separate, Embodiment 2 registers the UPE with the MME for the negotiation of user-plane encryption and integrity protection algorithms. Overall, the registration process comprises:
Step 51: the UPE initiates registration to the MME, registering with the MME parameters such as the UPE's version information, the UPE's current load state, the encryption and integrity protection algorithms the UPE supports, and a description of the cause for starting registration;
Step 52: the MME receives and records the registration information of the UPE;
Step 53: the MME sends a registration confirmation message to the UPE, confirming that the UPE registered successfully.
The specific registration steps the UPE carries out towards the MME differ under different conditions; UPE registration with the MME in each of several situations is described in detail below.
Figure 6 is a schematic diagram of the UPE actively initiating registration to the MME at power-on in Embodiment 3 of the invention.
Step 61: the UPE powers on or restarts;
Step 62: after powering on or restarting successfully, the UPE initiates registration to the MME, registering with the MME parameters such as the UPE's version information, the UPE's current load state, the supported encryption and integrity protection algorithms, and a description of the cause for starting registration;
Step 63: the MME receives and records the registration information of this UPE;
Step 64: the MME sends a registration confirmation message to the UPE, confirming that the UPE registered successfully.
Figure 7 is a schematic diagram of the UPE initiating registration to the MME at the MME's request in Embodiment 4 of the invention.
Step 71: the MME actively sends registration request information to the UPE, requesting the UPE to register with the MME; the request information contains a parameter describing the cause that triggered the re-registration request;
Step 72: after receiving the re-registration request information, the UPE initiates registration to the MME, registering with the MME parameters such as the UPE's version information, the UPE's current load state, the supported encryption and integrity protection algorithms, and a description of the cause for starting registration;
Step 73: the MME receives and records the registration information of this UPE;
Step 74: the MME sends a registration confirmation message to the UPE, confirming that the UPE registered successfully.
Figure 8 is a schematic diagram of the UPE initiating re-registration to the MME after a configuration modification in Embodiment 5 of the invention.
Step 81: the UPE's configuration is modified;
Step 82: after the configuration modification is complete, the UPE initiates a re-registration request to the MME; the re-registration request contains parameters such as the UPE's version information, the UPE's current load state, the supported encryption and integrity protection algorithms, and a description of the cause of the re-registration;
Step 83: the MME receives and records the information from the UPE, and this UPE information replaces the original UPE information in the MME;
Step 84: the MME sends a re-registration response message to the UPE, confirming that the UPE re-registered successfully.
Figure 9 is a schematic diagram of the UPE initiating re-registration to the MME after returning from a congested state to the normal state in Embodiment 6 of the invention.
Step 91: after leaving the congested state, the UPE again provides user-plane data processing service;
Step 92: the UPE initiates the re-registration process to the MME, including parameters such as the UPE's version information, the UPE's current load state, the supported encryption and integrity protection algorithms, and a description of the cause of the re-registration;
Step 93: the MME replaces its stored registration information for the UPE with the newly received UPE registration information;
Step 94: the MME sends a re-registration confirmation message to the UPE, confirming that the UPE re-registered successfully.
Figures 5 to 9 show the first process of the invention, in which the UPE initiates registration to the MME; through the UPE's registration with the MME, the MME comes to possess certain encryption algorithm capabilities and integrity protection algorithm capabilities.
After this registration process is complete, the invention begins its second process: the MME obtains the security algorithm information of the UE, carries out user-plane security algorithm negotiation, and determines the user's encryption and integrity protection algorithms.
Figure 10 is a schematic diagram of the UE and MME carrying out user security algorithm negotiation in Embodiment 7 of the invention.
As shown in Figure 10, the main steps of the negotiation between the UE and the MME are as follows:
Step 101: the UE initiates a registration request or service request to the MME; the request carries the encryption algorithm capability and integrity protection algorithm capability supported by this UE;
Step 102: the MME compares the encryption algorithm capability and integrity protection algorithm capability it holds with those supported by the UE and selects algorithms supported by both the MME and the UE, for the secure transmission of control-plane data in subsequent interaction between the UE and the MME;
Step 103: after determining the selected algorithms, the MME sends the UPE the encryption and integrity protection algorithms finally determined for the user plane;
Step 104: after determining the selected algorithms, the MME sends the UE the encryption and integrity protection algorithms finally determined for the user plane.
After the MME has determined the algorithms, it notifies the UPE and the UE of the selected algorithms in no particular order; that is, steps 103 and 104 may be carried out in either order.
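The registration and negotiation flow described above (UPE registration, then steps 101 to 104), as an added Python example that is not part of the patent text. It also covers the no-common-algorithm case that the attach embodiments on this page handle by rejecting the attach. The class, field and message names, the algorithm identifiers (`ENC-A`, `INT-A`, ...), the operator preference order and the least-loaded UPE selection are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UpeRegistration:
    """Registration information a UPE loads onto the MME (field names constructed)."""
    upe_id: str
    version: str
    load: int             # current load state; the 0-100 scale is an assumption
    enc_algs: frozenset   # encryption algorithms the UPE supports
    int_algs: frozenset   # integrity protection algorithms the UPE supports
    cause: str            # reason the registration was started


class Mme:
    def __init__(self, enc_preference, int_preference):
        # Assumption: an operator-set preference order decides between several
        # common algorithms. The page only requires that the chosen algorithm
        # is supported by both the UPE and the UE.
        self.enc_preference = list(enc_preference)
        self.int_preference = list(int_preference)
        self.upes = {}

    def register_upe(self, reg):
        """Record the UPE's registration information and confirm it.

        A later registration from the same UPE (after a configuration change
        or after congestion clears) replaces the stored record.
        """
        self.upes[reg.upe_id] = reg
        return ("REGISTER_ACK", reg.upe_id)

    @staticmethod
    def _pick(preference, ue_algs, upe_algs):
        common = set(ue_algs) & set(upe_algs)
        return next((alg for alg in preference if alg in common), None)

    def attach(self, ue_id, ue_enc_algs, ue_int_algs):
        """Negotiate user-plane algorithms for an attaching UE.

        Returns the messages the MME would send, as (destination, name, payload).
        """
        if not self.upes:
            return [("UE", "ATTACH_REJECT", {"ue": ue_id, "cause": "no UPE registered"})]
        # Assumption: the MME selects the least-loaded registered UPE.
        upe = min(self.upes.values(), key=lambda r: (r.load, r.upe_id))
        enc = self._pick(self.enc_preference, ue_enc_algs, upe.enc_algs)
        integ = self._pick(self.int_preference, ue_int_algs, upe.int_algs)
        if enc is None or integ is None:
            # No common algorithm: reject before user-plane routing
            # configuration, so no bearer signaling reaches the UPE.
            return [("UE", "ATTACH_REJECT",
                     {"ue": ue_id, "cause": "no common user-plane security algorithm"})]
        result = {"ue": ue_id, "upe": upe.upe_id, "enc": enc, "int": integ}
        # The order of the two notifications is not significant.
        return [("UPE", "IP_BEARER_SETUP_REQUEST", result),
                ("UE", "ATTACH_ACCEPT", result)]


def demo():
    """Run three attaches against constructed sample registrations."""
    mme = Mme(enc_preference=["ENC-B", "ENC-A"], int_preference=["INT-B", "INT-A"])
    mme.register_upe(UpeRegistration(
        "upe-1", "v1", 40, frozenset({"ENC-A"}), frozenset({"INT-A"}), "power-on"))
    first = mme.attach("ue-1", {"ENC-A", "ENC-B"}, {"INT-A", "INT-B"})

    # The UPE re-registers after a configuration change with a wider algorithm set.
    mme.register_upe(UpeRegistration(
        "upe-1", "v2", 40, frozenset({"ENC-A", "ENC-B"}),
        frozenset({"INT-A", "INT-B"}), "config-change"))
    second = mme.attach("ue-1", {"ENC-A", "ENC-B"}, {"INT-A", "INT-B"})

    # A UE whose encryption algorithms do not overlap with the UPE's.
    third = mme.attach("ue-2", {"ENC-C"}, {"INT-A"})
    return first, second, third


if __name__ == "__main__":
    for messages in demo():
        print(messages)
```

Because the negotiation runs against the MME's stored registration record, the second attach picks up the re-registered algorithm set without any extra exchange with the UPE.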
The security algorithm negotiation between the UE and the MME shown in Figure 10 can be carried out in the attach procedure initiated by the UE to the MME, and can also be carried out in the UPE relocation procedure.
When the security algorithm negotiation between the UE and the MME is carried out in the attach procedure initiated by the UE to the MME, the negotiation result can be delivered to the UE in the authentication procedure, or delivered to the UE in the user-plane routing configuration process.
Security algorithm negotiation in the attach procedure initiated by the UE to the MME
Figure 11 is a schematic diagram of the attach procedure in which the negotiation result is delivered during authentication in Embodiment 8 of the invention.
As shown in Figure 11, the method of Embodiment 8 for carrying out security algorithm negotiation in the attach procedure comprises:
Step 111: the UE discovers the System Architecture Evolution (SAE) / evolved access network (LTE) access system and performs access system and network selection;
Step 112: the UE sends an attach request to the MME. The attach request contains the UE's previous registration information, such as the UE's temporary ID, and also the security algorithm capabilities supported by the UE; the security algorithm capability information is contained in an information element;
Step 113: if the attach request contains the UE's previous registration information, the MME uses this information to retrieve the UE's information (for example the permanent user ID) from the previous MME;
Step 114: the previous MME sends this user's information to the new MME;
Step 115: if the MME does not have this UE's authentication parameters, the MME needs to obtain them from the HSS;
Step 116: the MME selects a UPE for setting up the user data bearer with this UE; because the MME has stored the security algorithm capabilities reported by each UPE at registration, the MME carries out the negotiation of user-plane data encryption and integrity protection algorithms between the UE and the UPE;
Step 117: the MME performs access authentication of the UE, carrying in the authentication request the control-plane and user-plane encryption and integrity algorithm negotiation results and the uplink tunnel information (such as the UPE ID);
Step 118: if the MME finds through negotiation that no commonly supported user-plane security algorithm exists, it replies to the UE with an attach failure message that carries the failure cause;
Step 119: if authentication of the UE succeeds, the MME registers with the HSS to indicate that this MME is currently serving the UE;
Step 1110: the HSS deletes the information related to this UE in the old MME;
Step 1111: the HSS sends a registration success message to the MME;
Step 1112: user-plane routing configuration is carried out among the UE, MME, UPE and IASA. This process includes the MME notifying the UPE to set up the IP bearer (the IP bearer setup request), during which the MME feeds the user-plane security algorithm negotiation result back to the UPE;
Step 1113: the MME provides the evolved access network (Evolved RAN) with the QoS configuration parameters for the default IP access bearer;
Step 1114: the MME accepts this UE's attach request and allocates a temporary ID and an IP address for the UE;
Step 1115: the UE sends an attach confirmation message to the MME, and the attach procedure ends.
Figure 12 is a schematic diagram of the attach procedure in which the negotiation result is delivered during user-plane routing configuration in Embodiment 9 of the invention.
As shown in Figure 12, the method of Embodiment 9 for carrying out security algorithm negotiation in the attach procedure comprises:
Step 121: the UE discovers the SAE/LTE access system and performs access system and network selection;
Step 122: the UE sends an attach request to the MME, containing the UE's previous registration information (for example the temporary ID) and the security algorithm capabilities supported by the UE;
Step 123: if the attach request contains the UE's previous registration information, the MME uses this information to retrieve the UE's information (for example the permanent user ID) from the previous MME;
Step 124: the previous MME sends this user's information to the new MME;
Step 125: if the MME has this UE's authentication parameters, the MME performs access authentication of the UE; if not, the MME needs to obtain the UE's authentication parameters from the HSS and then authenticate the UE;
During authentication, the MME carries out the negotiation of control-plane encryption and integrity algorithms and returns the negotiation result to the UE;
Step 126: the MME registers with the HSS to indicate that this MME is currently serving the UE;
Step 127: the HSS deletes the information related to this UE in the old MME;
Step 128: the HSS sends a registration success message to the MME;
Step 129: the MME selects a UPE for setting up the user data bearer with this UE; because the MME has stored the security algorithm capabilities reported by each UPE at registration, the MME carries out the negotiation of user-plane data encryption and integrity protection algorithms between the UE and the UPE;
Step 1210: if the MME finds at this point that no user-plane security algorithm is supported by both the UE and the UPE, it directly notifies the UE that the attach is rejected and carries the failure cause;
Step 1211: user-plane routing configuration is carried out among the UE, MME, UPE and IASA. This process includes the MME notifying the UPE to set up the IP bearer (the IP bearer setup request), during which the uplink tunnel information (such as the UPE ID) and the user-plane security algorithm negotiation result are fed back to the UPE;
Step 1212: the MME provides the Evolved RAN with the QoS configuration parameters for the default IP access bearer;
Step 1213: the MME accepts this UE's attach request and allocates a temporary ID and an IP address for the UE, at the same time notifying the UE of the user-plane security algorithm negotiation result;
Step 1214: the UE sends an attach confirmation message to the MME, and the attach procedure ends.
Besides the attach procedure initiated by the UE to the MME, the security algorithm negotiation between the UE and the MME can also be carried out in the UPE relocation procedure.
The secure algorithm negotiation that in the UPE repositioning process, carries out
Realize that in the UPE repositioning process secure algorithm negotiation comprises the secure algorithm negotiation that the secure algorithm negotiation that carries out or context carry out when being kept at MME when context is kept at UPE.
Figure 13 shows that the embodiment of the invention ten when context is kept at UPE, UPE carries out the schematic diagram of secure algorithm negotiation in repositioning process, and its concrete steps comprise:
Step 131, since UE be in mobile status, might enter among other UPE, so UE need carry out tracking area update (TAU);
Step 132, carry out the reorientation (relocation) that TAU may trigger UPE, move to another UPE pond service area as UE, MME selects the UPE of more suitable UPE as UE.
In this process, MME also may change, and wherein changing needs to carry out context (Context) information exchanging process between MME and the former MME.
The said process according to the present invention; MME preserves the security parameter (as cryptographic algorithm and the protection algorithm integrallty of supporting) that UPE supports; the ability that MME reports according to UE again or be kept at the security capabilities (as cryptographic algorithm and the protection algorithm integrallty of supporting) of the UE among the MME, the security parameter (as cryptographic algorithm and the protection algorithm integrallty of supporting) of therefrom selecting UPE and UE all to support as context.
Step 133: if the service-related context is stored at the UPE, the MME requests the selected new UPE to perform relocation by sending a RELOCATION REQUEST message, which contains the security parameters selected by the MME and the address information of the old UPE;
Step 134: the new UPE requests the context from the old UPE, and the context is transferred;
Step 135: the new UPE and the anchor point (Anchor) update the PDP context and set up the user plane from the new UPE to the Anchor;
Step 136: the new UPE returns a relocation response to the MME;
Step 137: TAU confirmation is performed; the MME notifies the UE of the uplink tunnel information of the new UPE (such as the UPE ID) and the selected security parameters (such as the encryption and integrity protection algorithms), so that when the UE initiates uplink data it encrypts using the specified algorithm;
Step 138: the MME notifies the old UPE to delete the PDP context;
Step 139: the tunnel between the old UPE and the Anchor is released.
Figure 14 is a schematic diagram of embodiment eleven of the invention, in which security algorithm negotiation is carried out during UPE relocation when the context is stored at the MME. The specific steps are:
Step 141: because the UE is mobile and may move into the area of another UPE, the UE needs to perform a tracking area update;
Step 142: the TAU may trigger UPE relocation; for example, when the UE moves to the service area of another UPE pool, the MME selects a more suitable UPE as the UPE of the UE;
Step 143: if the PDP context is stored at the MME, the MME requests the selected new UPE to perform relocation by sending an Activate Context Request message, which contains the security parameters selected by the MME and the UPE-related context;
Step 144: the new UPE sends a PDP context update message to the Anchor to update the context of the Anchor (the address information of the Anchor is recorded by the MME and was sent to the new UPE in the previous step);
Step 145: the new UPE responds to the MME;
Step 146: TAU confirmation is performed; the MME notifies the UE of the uplink tunnel information of the new UPE and the selected security parameters (such as the encryption and integrity protection algorithms), so that when the UE initiates uplink data it encrypts using the specified algorithm;
Steps 147 and 148: the MME notifies the old UPE to delete the tunnel from the UPE to the Anchor.
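The MME-side selection and the two relocation variants described above (context stored at the UPE, Figure 13; context stored at the MME, Figure 14), as an added Python example that is not code from the patent. The algorithm labels, the preference order used to pick among several common algorithms, the addresses and the dictionary field names are assumptions made for illustration; the patent text specifies none of them.

```python
from dataclasses import dataclass, field

# Constructed algorithm labels and MME preference order (most preferred first).
# The patent text names no concrete algorithms and no tie-break rule.
PREFERENCE = {"enc": ["ENC-2", "ENC-1"], "int": ["INT-2", "INT-1"]}


class NoCommonAlgorithm(Exception):
    """The UE and the candidate UPE share no algorithm of a required kind."""


@dataclass
class Mme:
    upe_caps: dict = field(default_factory=dict)  # UPE id -> {"enc": set, "int": set}
    upe_addr: dict = field(default_factory=dict)  # UPE id -> address
    ue_caps: dict = field(default_factory=dict)   # UE id -> {"enc": set, "int": set}

    def register_upe(self, upe_id, address, enc, integ):
        """UPE registration: record the algorithms the UPE reports."""
        self.upe_caps[upe_id] = {"enc": set(enc), "int": set(integ)}
        self.upe_addr[upe_id] = address
        return {"msg": "Registration Response", "upe_id": upe_id}

    def store_ue_caps(self, ue_id, enc, integ):
        """Capabilities reported by the UE, or kept in the MME as context."""
        self.ue_caps[ue_id] = {"enc": set(enc), "int": set(integ)}

    def negotiate(self, ue_id, upe_id):
        """Pick one algorithm per kind that both the UE and the UPE support."""
        if upe_id not in self.upe_caps:
            raise KeyError(f"UPE {upe_id} has not registered with this MME")
        selected = {}
        for kind in ("enc", "int"):
            common = self.ue_caps[ue_id][kind] & self.upe_caps[upe_id][kind]
            choice = next((a for a in PREFERENCE[kind] if a in common), None)
            if choice is None:
                raise NoCommonAlgorithm(f"{kind}: UE {ue_id} / UPE {upe_id}")
            selected[kind] = choice
        return selected

    def relocate(self, ue_id, old_upe, new_upe, context_at, pdp_context=None):
        """Build the MME's two outgoing messages for a UPE relocation.

        Negotiation runs first, so a mismatch fails before any message is
        sent to the new UPE.
        """
        params = self.negotiate(ue_id, new_upe)
        if context_at == "UPE":    # Figure 13, step 133
            to_upe = {"msg": "RELOCATION REQUEST", "security_params": params,
                      "old_upe_address": self.upe_addr[old_upe]}
        elif context_at == "MME":  # Figure 14, step 143
            to_upe = {"msg": "Activate Context Request",
                      "security_params": params, "context": pdp_context}
        else:
            raise ValueError("context_at must be 'UPE' or 'MME'")
        # Steps 137 / 146: the TAU confirmation carries the same parameters to the UE.
        to_ue = {"msg": "TAU Confirm", "uplink_tunnel": {"upe_id": new_upe},
                 "security_params": params}
        return to_upe, to_ue


def demo():
    """Constructed registrations: two usable UPEs and one with no shared cipher."""
    mme = Mme()
    mme.register_upe("upe-old", "192.0.2.1", ["ENC-1", "ENC-2"], ["INT-1", "INT-2"])
    mme.register_upe("upe-new", "192.0.2.2", ["ENC-1"], ["INT-1", "INT-2"])
    mme.register_upe("upe-legacy", "192.0.2.3", ["ENC-0"], ["INT-1"])
    mme.store_ue_caps("ue-1", ["ENC-1", "ENC-2"], ["INT-2"])
    return mme
```

Relocating `ue-1` to `upe-legacy` raises `NoCommonAlgorithm` inside `negotiate`, before either relocation message is built.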
Figure 15 is a schematic diagram of the device of embodiment twelve of the invention.
As shown in the figure, a user-plane security algorithm negotiation device is arranged in the mobility management entity (MME) and comprises:
a registration processing unit, configured to register with the UPE and obtain the security algorithm information of the UPE;
a security algorithm negotiation unit, configured to negotiate with the UE according to the security algorithm information of the UPE and determine the security algorithm.
The security algorithm negotiation unit comprises:
a UE information acquisition unit, configured to obtain the security algorithm information of the UE by registering with the UE;
an attach negotiation unit, configured to negotiate and determine the security algorithm in the attach procedure that the UE initiates to the MME;
a relocation negotiation unit, configured to negotiate and determine the security algorithm in the UPE relocation procedure.
In the user-plane security algorithm negotiation device of embodiment twelve of the invention, the registration processing unit registers with the UPE, so that after registration the MME has obtained the security algorithms that the UPE supports. The security algorithm negotiation unit of the device negotiates with the UE according to the security algorithms supported by the UPE. In the negotiation, registration with the UE is first performed through the UE registration processing unit, so that the security algorithms supported by the UE are loaded onto the MME; an algorithm supported by both the UE and the UPE is then selected through negotiation as the user security algorithm.
The above is only a preferred embodiment of the invention, but the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (14)

1. A method for registering a user plane entity with a mobility management entity, characterized by comprising:
a user plane entity (UPE) initiates registration with a mobility management entity (MME), and the registration information carried by the UPE is loaded into the MME.
2. The method for registering a user plane entity with a mobility management entity according to claim 1, characterized in that the registration comprises:
the UPE initiates registration with the MME and sends the registration information to the MME;
the MME receives and records the registration information from the UPE;
the MME sends a registration response to the UPE, confirming that registration succeeded.
3. The method for registering a user plane entity with a mobility management entity according to claim 2, characterized in that the UPE initiating registration with the MME comprises:
registration that the UPE actively initiates with the MME on power-up;
or,
registration that the UPE initiates with the MME after receiving a registration request from the MME;
or,
registration that the UPE initiates with the MME after a configuration modification;
or,
registration that the UPE initiates with the MME after congestion is relieved.
4. The method for registering a user plane entity with a mobility management entity according to any one of claims 1-3, characterized in that the registration information comprises: encryption algorithm information, integrity protection algorithm information, UPE version information and/or the current load status of the UPE.
5. A method for negotiating a user-plane security algorithm, characterized by comprising:
A. the UPE initiates registration with the MME and loads registration information that includes security algorithms onto the MME;
B. the MME negotiates with the UE and determines the security algorithm.
6. The method for negotiating a user-plane security algorithm according to claim 5, characterized in that step B comprises:
B1. the UE initiates registration with the MME and sends registration information that includes security algorithm negotiation information to the MME;
B2. the MME negotiates over the security algorithms supported by the UPE and the security algorithms supported by the UE, and selects a security algorithm supported by both the UPE and the UE as the result of the security algorithm negotiation;
B3. the MME notifies the UPE and the UE, respectively, of the security algorithm negotiation result.
7. The method for negotiating a user-plane security algorithm according to claim 6, characterized in that, in step B, the security algorithm negotiation between the UE and the MME is carried out in the attach procedure that the UE initiates to the MME, or in the UPE relocation procedure.
8. The method for negotiating a user-plane security algorithm according to claim 7, characterized in that, when the security algorithm negotiation is carried out in the attach procedure, the security algorithm negotiation result is delivered to the UE at the same time during the authentication procedure;
or,
the security algorithm negotiation result is delivered to the UE during the user-plane routing configuration procedure.
9. The method for negotiating a user-plane security algorithm according to claim 7, characterized in that UPE relocation is performed and the security algorithm is negotiated when the context is stored at the UPE;
or,
UPE relocation is performed and the security algorithm is negotiated when the context is stored at the MME.
10. The method for negotiating a user-plane security algorithm according to claim 9, characterized in that, when UPE relocation is performed and the security algorithm is negotiated with the context stored at the UPE, the MME carries the security parameters selected by the MME and the address information of the old UPE in the message requesting the new UPE to perform relocation; and the MME carries the security parameters selected by the MME in the update confirmation message sent to the UE.
11. The method for negotiating a user-plane security algorithm according to claim 9, characterized in that, when UPE relocation is performed and the security algorithm is negotiated with the context stored at the MME, the Activate Context Request message sent by the MME contains the security parameters selected by the MME and the UPE-related context; and the MME carries the security parameters selected by the MME in the update confirmation message sent to the UE.
12. The method for negotiating a user-plane security algorithm according to claim 6, characterized in that, in step B3, the MME notifies the UPE to set up the IP bearer and feeds the security algorithm negotiation result back to the UPE.
13. A user-plane security algorithm negotiation device, characterized in that the device is arranged in the mobility management entity (MME) and comprises:
a registration processing unit, configured to register with the UPE and obtain the security algorithm information of the UPE;
a security algorithm negotiation unit, configured to negotiate with the UE according to the security algorithm information of the UPE and determine the security algorithm.
14. The user-plane security algorithm negotiation device according to claim 13, characterized in that the security algorithm negotiation unit comprises:
a UE information acquisition unit, configured to obtain the security algorithm information of the UE by registering with the UE;
an attach negotiation unit, configured to negotiate and determine the security algorithm in the attach procedure that the UE initiates to the MME;
a relocation negotiation unit, configured to negotiate and determine the security algorithm in the UPE relocation procedure.
CN 200610091966 2006-06-25 2006-06-25 Registration method and consultation method and device of user safety algorithmic Pending CN101001252A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610091966 CN101001252A (en) 2006-06-25 2006-06-25 Registration method and consultation method and device of user safety algorithmic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610091966 CN101001252A (en) 2006-06-25 2006-06-25 Registration method and consultation method and device of user safety algorithmic

Publications (1)

Publication Number Publication Date
CN101001252A true CN101001252A (en) 2007-07-18

Family

ID=38693060

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610091966 Pending CN101001252A (en) 2006-06-25 2006-06-25 Registration method and consultation method and device of user safety algorithmic

Country Status (1)

Country Link
CN (1) CN101001252A (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009149666A1 (en) * 2008-06-13 2009-12-17 华为技术有限公司 Method, device and system for negotiating algorithm
WO2011035733A1 (en) * 2009-09-28 2011-03-31 华为技术有限公司 Method, device and system for data transmission
CN101336000B (en) * 2008-08-06 2011-11-30 中兴通讯股份有限公司 Protocol configuration option transmission method, system and user equipment
WO2012055114A1 (en) * 2010-10-29 2012-05-03 Nokia Siemens Networks Oy Security of user plane traffic between relay node and radio access network
CN101155424B (en) * 2007-09-28 2012-07-04 中兴通讯股份有限公司 Method for not executing user face encryption
US8219064B2 (en) 2007-09-03 2012-07-10 Huawei Technologies Co., Ltd. Method, system, and apparatus for preventing bidding down attacks during motion of user equipment
CN102571721A (en) * 2010-12-31 2012-07-11 北京大唐高鸿数据网络技术有限公司 Identifying method for access equipment
CN101534506B (en) * 2008-03-14 2012-09-05 中兴通讯股份有限公司 Method for indicating base station security information
CN101505474B (en) * 2008-02-04 2013-01-02 华为技术有限公司 Network side processing method in subscriber handover process, network element equipment and network system
CN101128061B (en) * 2007-09-27 2013-02-27 中兴通讯股份有限公司 Method and system for mobile management unit, evolving base station and identifying whether UI is encrypted
CN101686233B (en) * 2008-09-24 2013-04-03 电信科学技术研究院 Method, system and device for processing mismatching of user equipment (UE) and network security algorithm
WO2013091543A1 (en) * 2011-12-22 2013-06-27 华为技术有限公司 Security communication method, device and system for low cost terminal
CN104618089A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Negotiation processing method for security algorithm, control network element and system
WO2015117489A1 (en) * 2014-07-31 2015-08-13 中兴通讯股份有限公司 Method, device and system for selecting security algorithm
WO2015165149A1 (en) * 2014-04-30 2015-11-05 中兴通讯股份有限公司 Configuration method, prose key management functional entity, terminal, system, and storage medium
CN105813106A (en) * 2014-12-31 2016-07-27 ***通信集团公司 Method and device for determining type of voice service
WO2017197589A1 (en) * 2016-05-17 2017-11-23 华为技术有限公司 User plane resource management method, user plane network element, and control plane network element
CN107567018A (en) * 2016-07-01 2018-01-09 中兴通讯股份有限公司 Message treatment method and device, terminal, message handling system
WO2018041000A1 (en) * 2016-08-31 2018-03-08 中兴通讯股份有限公司 Upf management method, device, and system
WO2018137334A1 (en) * 2017-01-24 2018-08-02 华为技术有限公司 Method for negotiating security protection and network element
CN108476211A (en) * 2015-11-02 2018-08-31 瑞典爱立信有限公司 Wireless communication
WO2018201506A1 (en) * 2017-05-05 2018-11-08 华为技术有限公司 Communication method and related device
CN109218325A (en) * 2017-08-11 2019-01-15 华为技术有限公司 Data completeness protection method and device
WO2020052414A1 (en) * 2018-09-10 2020-03-19 华为技术有限公司 Data protection method, device and system
CN110933669A (en) * 2019-11-21 2020-03-27 北京长焜科技有限公司 Method for quickly registering cross-RAT user
CN113381966A (en) * 2020-03-09 2021-09-10 维沃移动通信有限公司 Information reporting method, information receiving method, terminal and network side equipment
WO2023151585A1 (en) * 2022-02-11 2023-08-17 维沃移动通信有限公司 Terminal target surface capability reporting and acquiring methods, terminal, and network device

Cited By (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8219064B2 (en) 2007-09-03 2012-07-10 Huawei Technologies Co., Ltd. Method, system, and apparatus for preventing bidding down attacks during motion of user equipment
CN103220674B (en) * 2007-09-03 2015-09-09 华为技术有限公司 A kind of method, system and device of preventing degraded attack when terminal moving
CN103220674A (en) * 2007-09-03 2013-07-24 华为技术有限公司 Method and system for preventing quality degradation attack during terminal movement and device
CN101128061B (en) * 2007-09-27 2013-02-27 中兴通讯股份有限公司 Method and system for mobile management unit, evolving base station and identifying whether UI is encrypted
CN101155424B (en) * 2007-09-28 2012-07-04 中兴通讯股份有限公司 Method for not executing user face encryption
CN101505474B (en) * 2008-02-04 2013-01-02 华为技术有限公司 Network side processing method in subscriber handover process, network element equipment and network system
CN101534506B (en) * 2008-03-14 2012-09-05 中兴通讯股份有限公司 Method for indicating base station security information
WO2009149666A1 (en) * 2008-06-13 2009-12-17 华为技术有限公司 Method, device and system for negotiating algorithm
CN101605324B (en) * 2008-06-13 2011-06-01 华为技术有限公司 Method, device and system for negotiating algorithm
CN101336000B (en) * 2008-08-06 2011-11-30 中兴通讯股份有限公司 Protocol configuration option transmission method, system and user equipment
CN101686233B (en) * 2008-09-24 2013-04-03 电信科学技术研究院 Method, system and device for processing mismatching of user equipment (UE) and network security algorithm
US9232404B2 (en) 2009-09-28 2016-01-05 Huawei Technologies Co., Ltd. Method, apparatus, and system for data transmission
WO2011035733A1 (en) * 2009-09-28 2011-03-31 华为技术有限公司 Method, device and system for data transmission
WO2012055114A1 (en) * 2010-10-29 2012-05-03 Nokia Siemens Networks Oy Security of user plane traffic between relay node and radio access network
US9226158B2 (en) 2010-10-29 2015-12-29 Nokia Solutions And Networks Oy Security of user plane traffic between relay node and radio access network
CN102571721A (en) * 2010-12-31 2012-07-11 北京大唐高鸿数据网络技术有限公司 Identifying method for access equipment
WO2013091543A1 (en) * 2011-12-22 2013-06-27 华为技术有限公司 Security communication method, device and system for low cost terminal
CN104618089B (en) * 2013-11-04 2019-05-10 华为技术有限公司 Negotiation processing method, control network element and the system of security algorithm
CN104618089A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Negotiation processing method for security algorithm, control network element and system
US10028136B2 (en) 2013-11-04 2018-07-17 Huawei Technologies Co., Ltd. Negotiation processing method for security algorithm, control network element, and control system
WO2015165149A1 (en) * 2014-04-30 2015-11-05 中兴通讯股份有限公司 Configuration method, prose key management functional entity, terminal, system, and storage medium
US10382953B2 (en) 2014-04-30 2019-08-13 Zte Corporation Configuration method, ProSe key management functional entity, terminal, system, and storage medium
WO2015117489A1 (en) * 2014-07-31 2015-08-13 中兴通讯股份有限公司 Method, device and system for selecting security algorithm
CN105323231B (en) * 2014-07-31 2019-04-23 中兴通讯股份有限公司 Security algorithm selection method, apparatus and system
CN105323231A (en) * 2014-07-31 2016-02-10 中兴通讯股份有限公司 Security algorithm selection method, security algorithm selection device and security algorithm selection system
CN105813106A (en) * 2014-12-31 2016-07-27 ***通信集团公司 Method and device for determining type of voice service
CN108476211A (en) * 2015-11-02 2018-08-31 瑞典爱立信有限公司 Wireless communication
US11374941B2 (en) 2015-11-02 2022-06-28 Telefonaktiebolaget Lm Ericsson (Publ) Wireless communications
US10880779B2 (en) 2016-05-17 2020-12-29 Huawei Technologies Co., Ltd. User plane resource management method, user plane network element, and control plane network element
CN109155994A (en) * 2016-05-17 2019-01-04 华为技术有限公司 A kind of user face method for managing resource, user's veil member and control plane network element
US11425604B2 (en) 2016-05-17 2022-08-23 Huawei Technologies Co., Ltd. User plane resource management method, user plane network element, and control plane network element
WO2017197589A1 (en) * 2016-05-17 2017-11-23 华为技术有限公司 User plane resource management method, user plane network element, and control plane network element
CN107567018A (en) * 2016-07-01 2018-01-09 中兴通讯股份有限公司 Message treatment method and device, terminal, message handling system
WO2018041000A1 (en) * 2016-08-31 2018-03-08 中兴通讯股份有限公司 Upf management method, device, and system
US10856141B2 (en) 2017-01-24 2020-12-01 Huawei Technologies Co., Ltd. Security protection negotiation method and network element
WO2018137334A1 (en) * 2017-01-24 2018-08-02 华为技术有限公司 Method for negotiating security protection and network element
US10798579B2 (en) 2017-05-05 2020-10-06 Huawei Technologies Co., Ltd Communication method and related apparatus
US11272360B2 (en) 2017-05-05 2022-03-08 Huawei Technologies Co., Ltd. Communication method and related apparatus
US10798578B2 (en) 2017-05-05 2020-10-06 Huawei Technologies Co., Ltd. Communication method and related apparatus
CN109219965A (en) * 2017-05-05 2019-01-15 华为技术有限公司 A kind of communication means and relevant apparatus
WO2018201506A1 (en) * 2017-05-05 2018-11-08 华为技术有限公司 Communication method and related device
CN109219965B (en) * 2017-05-05 2021-02-12 华为技术有限公司 Communication method and related device
CN109218325A (en) * 2017-08-11 2019-01-15 华为技术有限公司 Data completeness protection method and device
US11025645B2 (en) 2017-08-11 2021-06-01 Huawei Technologies Co., Ltd. Data integrity protection method and apparatus
US11818139B2 (en) 2017-08-11 2023-11-14 Huawei Technologies Co., Ltd. Data integrity protection method and apparatus
WO2020052414A1 (en) * 2018-09-10 2020-03-19 华为技术有限公司 Data protection method, device and system
CN110933669A (en) * 2019-11-21 2020-03-27 北京长焜科技有限公司 Method for quickly registering cross-RAT user
CN113381966A (en) * 2020-03-09 2021-09-10 维沃移动通信有限公司 Information reporting method, information receiving method, terminal and network side equipment
CN113381966B (en) * 2020-03-09 2023-09-26 维沃移动通信有限公司 Information reporting method, information receiving method, terminal and network side equipment
WO2023151585A1 (en) * 2022-02-11 2023-08-17 维沃移动通信有限公司 Terminal target surface capability reporting and acquiring methods, terminal, and network device

Similar Documents

Publication Publication Date Title
CN101001252A (en) Registration method and consultation method and device of user safety algorithmic
US11665668B2 (en) Offset of international mobile subscriber identity
US11832341B2 (en) Group communication service request
US11963133B2 (en) Core paging handling
EP3755060A1 (en) Closed access group overload and congestion control
US11778564B2 (en) Monitoring paging in inactive state
US11129215B2 (en) Location based selection of localized proxy application server
CN103428787B (en) A kind of base station switch method and device
CN101677470B (en) Processing method, device and system of service request
CN102714615B (en) Node fault processing method, system and related device
CN101072092B (en) Method for realizing control plane and user plane key synchronization
US11317374B2 (en) RAN paging handling
CN101330425B (en) Method for establishing tunnel from SGSN to service gateway
CN101384015B (en) Distributed telecommunication apparatus and service processing method for distributed telecommunication apparatus
CN103428668A (en) Tracking area updating method and device
US20220248370A1 (en) Signaling Delivery in a Wireless Network
CN101610554A (en) Switching, location area updating, the method and system of setting up ISR, equipment between network
CN103152769A (en) Traffic offload method, traffic offload function entities and core network equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070718