CN101552983A - Key generating method, key generating device, mobile management entity and user equipment - Google Patents

Publication number
CN101552983A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008101032131A
Other languages
Chinese (zh)
Inventor
何承东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2008101032131A
Publication of CN101552983A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key generation method, a key generating device, a mobility management entity and user equipment. The key generation method comprises the following steps: a target MME receives a prepare handover request message sent by a source SGSN, the message carrying an encryption key, an integrity protection key and a target eNB identifier; the target MME generates a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier, and sends to the target eNB a prepare handover notification message carrying the temporary eNB key. The invention increases the independence of the RRC signaling keys and UP signaling keys used by different eNBs, and thereby improves the security of messages between the eNB and the UE.

Description

Key generation method, key generating device, mobility management entity and user equipment
Technical field
The present invention relates to wireless communication technology, and in particular to a key generation method, a key generating device, a mobility management entity and user equipment.
Background technology
In the existing 3rd Generation Partnership Project (hereinafter: 3GPP) architecture, a wireless network is divided into two parts: the radio access network and the core network. Fig. 1 is a schematic diagram of the architecture of a prior-art 3GPP wireless network. There are three kinds of radio access network for the user equipment (User Equipment, hereinafter: UE) 101.
The first is the Global System for Mobile Communication (hereinafter: GSM) Edge Radio Access Network (GSM Edge Radio Access Network, hereinafter: GERAN). GERAN is a second-generation (hereinafter: 2G) radio access network comprising a base transceiver station (Base Transceiver Station, hereinafter: BTS) 111 and a base station controller (Base Station Controller, hereinafter: BSC) 112.
The second is the Universal Terrestrial Radio Access Network (hereinafter: UTRAN). UTRAN is a third-generation (hereinafter: 3G) radio access network comprising a base station (NodeB) 113 and a radio network controller (Radio Network Controller, hereinafter: RNC) 114. The core network corresponding to the 2G and 3G radio access networks is the packet-switched (hereinafter: PS) domain, which comprises a serving General Packet Radio Service (hereinafter: GPRS) support node (Serving GPRS Support Node, hereinafter: SGSN) 121 and a gateway GPRS support node (Gateway GPRS Support Node, hereinafter: GGSN) 122.
The third is the evolved Universal Terrestrial Radio Access Network (hereinafter: EUTRAN), which serves as the Long Term Evolution (hereinafter: LTE) access network in the future evolution of 3GPP. The EUTRAN comprises an evolved base station (evolved NodeB, hereinafter: eNB) 115. The core network corresponding to the LTE access network is also called the System Architecture Evolution (hereinafter: SAE) core network. It comprises a mobility management entity (Mobility Management Entity, hereinafter: MME) 123, a home subscriber server (Home Subscriber Server, hereinafter: HSS) 124, an SAE gateway (hereinafter: SAE GW) 125 and a public data network gateway (Public Data Network, hereinafter: PDN GW) 126. The PDN GW 126 exchanges information with the GGSN 122 through the PDN 127.
In the future evolved 3GPP network, the security-related network entities are the eNB and the MME. The main security function of the eNB is to protect radio resource control (Radio Resource Control, hereinafter: RRC) signaling and user plane (UP) signaling; the main security function of the MME is to protect non-access signaling (Non-Access Signaling, hereinafter: NAS). Specifically, to secure communication in the future evolved network, the UE and the eNB share the same RRC signaling keys and the same UP signaling encryption key K_UP_enc, which are used to encrypt RRC signaling and UP signaling respectively, so as to secure the RRC signaling and UP signaling between the UE and the eNB. The RRC signaling keys comprise the RRC signaling encryption key K_RRC_enc and the RRC signaling integrity protection key K_RRC_int. In addition, the UE and the MME share the same NAS keys, comprising the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int, which are used to encrypt the NAS signaling between the UE and the MME and secure NAS between them. When the UE hands over from a 2G or 3G radio access network to the LTE access network, it must run a key agreement procedure with the MME and the eNB so that it shares the same NAS keys with the MME, and the same RRC signaling keys and UP signaling encryption key with the eNB.
Fig. 2 is a flow chart of key generation through key agreement in the prior art. It comprises the following steps:
Step 201, when the UE accesses the wireless network, it initiates a registration request to the authentication center (Authentication Center, hereinafter: AuC) and negotiates a shared key K with the AuC; the AuC sends the shared key K to the HSS;
Step 202, the UE and the HSS jointly generate, by negotiation, the encryption key CK and the integrity protection key IK from the shared key K, and the HSS sends the encryption key CK and the integrity protection key IK to the MME;
Step 203, the UE and the MME jointly generate, by negotiation, the root key Kasme from the encryption key CK and the integrity protection key IK, and generate the NAS keys and the eNB key KeNB from the root key Kasme; the eNB key KeNB is sent to the target eNB. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int;
Step 204, the UE and the target eNB jointly generate, by negotiation, the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB.
In the course of making the present invention, the inventor found the following. When the UE performs a network handover, the prior-art key generation process generates the eNB key KeNB used by different eNBs from the same root key Kasme. The eNB keys KeNB used by different eNBs are therefore identical, and so the RRC signaling encryption key K_RRC_enc, RRC signaling integrity protection key K_RRC_int and UP signaling encryption key K_UP_enc that the UE and each eNB generate from this eNB key KeNB are identical as well. Consequently, if an attacker cracks the eNB key KeNB used on one of the eNBs or on the UE, and thereby obtains the RRC signaling keys and UP signaling key generated from it, the attacker can compromise not only the messages between the UE and the eNB whose KeNB was cracked, but also the messages between the UE and other eNBs. The prior art cannot effectively prevent the compromise of messages between the UE and those other eNBs.
Summary of the invention
The technical problem addressed by the embodiments of the invention is to generate, during a network handover of the UE, different temporary eNB keys K*eNB for different eNBs, so that different eNBs generate different eNB keys KeNB from their respective temporary eNB keys K*eNB and in turn generate different RRC signaling keys and UP signaling keys. This increases the independence of the RRC signaling keys and UP signaling keys of different eNBs, and thereby improves information security between the eNB and the UE.
To solve the above technical problem, a key generation method provided by a first aspect of the embodiments of the invention comprises:
a target MME receives a prepare handover request message sent by a source SGSN, the prepare handover request message carrying an encryption key, an integrity protection key and a target eNB identifier;
the target MME generates a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier, and sends a prepare handover notification message to the target eNB, the prepare handover notification message carrying the temporary eNB key.
With the above key generation method embodiment provided by the invention, when the UE hands over from a source 2G or 3G access network to the LTE access network, the source SGSN can send the target eNB identifier to the target MME, and the target MME generates a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier and sends it to the target eNB. Because what the target MME sends to the target eNB is a temporary eNB key bound to the target eNB identifier, different eNBs use different temporary eNB keys, which increases the independence of the keys of different eNBs. Even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling keys of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
A key generating device provided by a second aspect of the embodiments of the invention comprises:
a receiver module, used to receive a target eNB identifier;
a temporary eNB key generation module, used to generate a temporary eNB key from an encryption key, an integrity protection key and the target eNB identifier.
The key generating device provided by the embodiments of the invention can receive a target eNB identifier and generate, from the encryption key, the integrity protection key and the target eNB identifier, a temporary eNB key bound to the target eNB identifier. As a result, during a network handover of the UE, different eNBs use different temporary eNB keys. Even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling keys of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
A mobility management entity provided by a third aspect of the embodiments of the invention comprises:
a receiver module, used to receive a prepare handover request message and to obtain the encryption key, the integrity protection key and the target eNB identifier from the prepare handover request message;
a temporary eNB key generation module, used to generate a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier;
a sending module, used to send a prepare handover notification message carrying the temporary eNB key.
The mobility management entity provided by the embodiments of the invention can receive an encryption key, an integrity protection key and a target eNB identifier, and generate a temporary eNB key bound to the target eNB identifier. As a result, during a network handover of the UE, different temporary eNB keys are distributed to different eNBs. Even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling keys of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
User equipment provided by a fourth aspect of the embodiments of the invention comprises:
a receiver module, used to receive a target eNB identifier;
a temporary eNB key generation module, used to generate a temporary eNB key from an encryption key, an integrity protection key and the target eNB identifier;
an eNB key generation module, used to generate an eNB key from the temporary eNB key;
an RRC and UP signaling key generation module, used to generate an RRC signaling encryption key, an RRC signaling integrity protection key and a UP signaling encryption key from the eNB key.
The UE provided by the embodiments of the invention can, during a network handover, generate RRC and UP signaling keys bound to the target eNB identifier, so that the user equipment exchanges messages with each eNB using RRC and UP signaling encrypted with different RRC and UP signaling keys. This effectively increases the independence of the keys used for messages between the UE and different eNBs, and improves the security of service messages between the UE and the eNB.
Description of drawings
Fig. 1 is a schematic diagram of the architecture of a prior-art 3GPP wireless network;
Fig. 2 is a flow chart of key generation in the prior art;
Fig. 3 is a flow chart of embodiment one of the key generation method of the present invention;
Fig. 4 is a flow chart of embodiment two of the key generation method of the present invention;
Fig. 5 is a flow chart of embodiment three of the key generation method of the present invention;
Fig. 6 is a flow chart of embodiment four of the key generation method of the present invention;
Fig. 7 is a flow chart of embodiment five of the key generation method of the present invention;
Fig. 8 is a structural diagram of embodiment one of the key generating device of the present invention;
Fig. 9 is a structural diagram of embodiment two of the key generating device of the present invention;
Fig. 10 is a structural diagram of embodiment three of the key generating device of the present invention;
Fig. 11 is a structural diagram of embodiment four of the key generating device of the present invention;
Fig. 12 is a structural diagram of embodiment five of the key generating device of the present invention;
Fig. 13 is a structural diagram of embodiment six of the key generating device of the present invention;
Fig. 14 is a structural diagram of embodiment seven of the key generating device of the present invention.
Embodiment
In the embodiments of the invention, when the UE hands over from a source 2G or 3G access network to the LTE access network, the source SGSN can send the target eNB identifier to the target MME, and the target MME generates a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier and sends it to the target eNB. Because what the target MME sends to the target eNB is a temporary eNB key bound to the target eNB identifier, different eNBs use different temporary eNB keys, which increases the independence of the keys of different eNBs. Even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling keys of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
Fig. 3 is a flow chart of embodiment one of the key generation method of the present invention. It comprises the following steps:
Step 301, the source SGSN receives a handover request message sent by a communication entity in the source 2G or 3G access network, the handover request message carrying the target eNB identifier;
Step 302, the source SGSN sends a prepare handover request message to the target MME, the prepare handover request message carrying the encryption key, the integrity protection key and the target eNB identifier;
Step 303, the target MME generates a temporary eNB key from the encryption key, the integrity protection key and the target eNB identifier, and sends a prepare handover notification message to the target eNB, the prepare handover notification message carrying the temporary eNB key.
Fig. 4 is a flow chart of embodiment two of the key generation method of the present invention. It comprises the following steps:
Step 401, when handing over from the source 2G or 3G access network to the LTE access network, the UE sends a measurement report indicating the signal strength of each cell at its location to a communication entity in the source 2G or 3G access network, for example a BTS or a NodeB.
Step 402, based on the measurement report sent by the UE, the communication entity in the source 2G or 3G access network decides to perform a network handover for the UE, and obtains from the measurement report the identifier of the target eNB in the LTE access network to which the UE requests handover.
Step 403, the communication entity in the source 2G or 3G access network sends a handover request message carrying the target eNB identifier to the source SGSN.
Step 404, the source SGSN sends a prepare handover request message to the target MME, the prepare handover request message carrying the encryption key CK, the integrity protection key IK and the target eNB identifier.
Step 405, the target MME generates the root key Kasme from the encryption key CK, the integrity protection key IK and the target eNB identifier.
Specifically, the root key Kasme can be generated by a function f1(IK, CK, target eNB identifier) of IK, CK and the target eNB identifier, or by a function that additionally takes other parameters (for example the identifier of the cell to which the UE requests handover, the UE user identifier, a constant, etc.), for example: Kasme=f1(IK, CK, target eNB identifier, other parameters).
Step 406, the target MME generates the temporary eNB key K*eNB and the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary eNB key K*eNB and the NAS keys can each be generated by a function of the root key Kasme, for example: K*eNB=f2(Kasme, other parameters), K_NAS_enc=h1(Kasme, other parameters), K_NAS_int=h2(Kasme, other parameters).
Step 407, the target MME sends a prepare handover notification message carrying the temporary key K*eNB to the target eNB.
Step 408, the target eNB returns a prepare handover response message to the target MME.
Step 409, the target eNB generates the eNB key KeNB from the temporary eNB key K*eNB carried in the prepare handover notification message.
Specifically, the target eNB can generate the eNB key KeNB by a function of the temporary eNB key K*eNB, for example: KeNB=g1(K*eNB, other parameters).
Step 410, the target eNB generates the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB.
Specifically, the target eNB can generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc=g2(KeNB, other parameters), K_RRC_int=g3(KeNB, other parameters), K_UP_enc=g4(KeNB, other parameters).
Note that there is no required ordering between steps 409-410 and step 408: steps 409-410 may also be performed at the same time as step 408 or before step 408.
Step 411, the target MME sends a prepare handover response message to the source SGSN.
Step 412, the source SGSN sends a handover response message to the corresponding communication entity in the source 2G or 3G access network.
Step 413, the corresponding communication entity in the source 2G or 3G access network sends a handover command message to the UE, notifying the UE to hand over to the target eNB. The handover command message may carry the target eNB identifier directly.
Step 414, after receiving the handover command message sent by the communication entity in the source 2G or 3G access network, the UE obtains the target eNB identifier from the handover command message, and obtains the encryption key CK and the integrity protection key IK that it generated by negotiation with the HSS.
Step 415, as configured in advance, the UE uses the same manner as the target MME to generate, from the encryption key CK, the integrity protection key IK and the target eNB identifier, the same root key Kasme that the target MME generated. For example: Kasme=f1(IK, CK, target eNB identifier, other parameters).
Step 416, the UE uses the same manner as the target eNB to generate, from the root key Kasme, the same temporary eNB key K*eNB and NAS keys that the target MME generated. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary eNB key K*eNB and the NAS keys can each be generated by a function of the root key Kasme, for example: K*eNB=f2(Kasme, other parameters), K_NAS_enc=h1(Kasme, other parameters), K_NAS_int=h2(Kasme, other parameters).
Step 417, the UE uses the same manner as the target eNB to generate, from the temporary eNB key K*eNB, the same eNB key KeNB that the target eNB generated.
Specifically, the target eNB can generate the eNB key KeNB by a function of the temporary eNB key K*eNB, for example: KeNB=g1(K*eNB, other parameters).
Step 418, the UE uses the same manner as the target eNB to generate, from the eNB key KeNB, the same RRC signaling encryption key K_RRC_enc, RRC signaling integrity protection key K_RRC_int and UP signaling encryption key K_UP_enc that the target eNB generated.
Specifically, the UE can generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc=g2(KeNB, other parameters), K_RRC_int=g3(KeNB, other parameters), K_UP_enc=g4(KeNB, other parameters).
After that, the UE can hand over from the source 2G or 3G access network to the LTE access network. During the handover, the NAS exchanged between the UE and the target MME is encrypted with the NAS keys negotiated with the target MME, and the RRC signaling and UP signaling exchanged between the UE and the target eNB are encrypted with the RRC signaling keys and UP signaling key negotiated with the target eNB, which ensures the security of the messages.
In addition, in step 414 of the above embodiment, the UE can also obtain the target eNB identifier in other ways. For example: in step 408, the target eNB encapsulates its own target eNB identifier in an RRC message, for example in the "UE" information element of a Physical Channel Reconfiguration message or of an RRC connection reconfiguration message, and carries this RRC message in the "Target RNC to source RNC transparent container" information element of the prepare handover response message sent to the target MME; after receiving the prepare handover response message, the target MME transparently forwards it to the source SGSN, that is, the prepare handover response message in step 411 carries the RRC message; the source SGSN then transparently forwards the RRC message to the communication entity in the source 2G or 3G access network in the handover response message of step 412; the communication entity in the source 2G or 3G access network transparently forwards the RRC message to the UE in the handover command message of step 413; in step 414, the UE obtains the target eNB identifier from the RRC message embedded in the handover command message. Alternatively, the target MME can carry the target eNB identifier in the prepare handover response message it sends to the source SGSN in step 411, and the source SGSN passes the target eNB identifier to the communication entity in the source 2G or 3G access network in the handover response message of step 412; the communication entity in the source 2G or 3G access network transparently forwards the target eNB identifier to the UE in the handover command message of step 413; in step 414, the UE obtains the target eNB identifier from the handover command message.
Fig. 5 is a flow chart of embodiment three of the key generation method of the present invention. It comprises the following steps:
Step 501, when handing over from the source 2G or 3G access network to the LTE access network, the UE sends a measurement report indicating the signal strength of each cell at its location to a communication entity in the source 2G or 3G access network, for example a BTS or a NodeB.
Step 502, based on the measurement report sent by the UE, the communication entity in the source 2G or 3G access network decides to perform a network handover for the UE, and obtains from the measurement report the identifier of the target eNB in the LTE access network to which the UE requests handover.
Step 503, the communication entity in the source 2G or 3G access network sends a handover request message carrying the target eNB identifier to the source SGSN.
Step 504, the source SGSN sends a prepare handover request message to the target MME, the prepare handover request message carrying the encryption key CK, the integrity protection key IK and the target eNB identifier.
Step 505, the target MME generates the root key Kasme from the encryption key CK and the integrity protection key IK.
Specifically, the root key Kasme can be generated by a function f1(IK, CK) of IK and CK, or by a function that additionally takes other parameters (for example the identifier of the cell to which the UE requests handover, the UE user identifier, a constant, etc.), for example: Kasme=f1(IK, CK, other parameters).
Step 506, the target MME generates the temporary root key K*asme and the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary root key K*asme and the NAS keys can each be generated by a function of the root key Kasme, for example: K*asme=f2(Kasme, other parameters), K_NAS_enc=h1(Kasme, other parameters), K_NAS_int=h2(Kasme, other parameters).
Step 507, the target MME generates the temporary eNB key K*eNB from the temporary root key K*asme and the target eNB identifier.
Specifically, the temporary eNB key K*eNB can be generated by a function of the temporary root key K*asme and the target eNB identifier, for example: K*eNB=f3(K*asme, target eNB identifier, other parameters).
Step 508, the target MME sends a prepare handover notification message carrying the temporary key K*eNB to the target eNB.
Step 509, the target eNB returns a prepare handover response message to the target MME.
Step 510, the target eNB generates the eNB key from the temporary eNB key K*eNB carried in the prepare handover notification message.
Specifically, the target eNB can generate the eNB key by a function of the temporary eNB key K*eNB, for example: KeNB=g1(K*eNB, other parameters).
Step 511, the target eNB generates the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB.
Specifically, the target eNB can generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc=g2(KeNB, other parameters), K_RRC_int=g3(KeNB, other parameters), K_UP_enc=g4(KeNB, other parameters).
Note that there is no required ordering between steps 510-511 and step 509: steps 510-511 may also be performed at the same time as step 509 or before step 509.
Step 512, the target MME sends a prepare handover response message to the source SGSN.
Step 513, the source SGSN sends a handover response message to the corresponding communication entity in the source 2G or 3G access network.
Step 514, the corresponding communication entity in the source 2G or 3G access network sends a handover command message to the UE, notifying the UE to hand over to the target eNB. The handover command message may carry the target eNB identifier directly.
Step 515, after receiving the handover command message sent by the communication entity in the source 2G or 3G access network, the UE obtains the encryption key CK and the integrity protection key IK that it generated by negotiation with the HSS and, as configured in advance, uses the same manner as the target MME to generate, from the encryption key CK and the integrity protection key IK, the same root key Kasme that the target MME generated. For example: Kasme=f1(IK, CK, other parameters).
Step 516, the UE uses the same manner as the target MME to generate, from the root key Kasme, the same temporary root key K*asme and NAS keys that the target MME generated. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary root key K*asme and the NAS keys can each be generated by a function of the root key Kasme, for example: K*asme=f2(Kasme, other parameters), K_NAS_enc=h1(Kasme, other parameters), K_NAS_int=h2(Kasme, other parameters).
Step 517, the UE uses the same manner as the target eNB to generate, from the temporary root key K*asme and the target eNB identifier, the same temporary eNB key K*eNB that the target MME generated.
Specifically, the temporary eNB key K*eNB can be generated by a function of the temporary root key K*asme and the target eNB identifier, for example: K*eNB=f3(K*asme, target eNB identifier, other parameters).
In addition to obtaining it directly from the handover command message in step 514, the UE can also obtain the target eNB identifier in other ways. For example: in step 509, the target eNB encapsulates its own target eNB identifier in an RRC message, for example in the "UE" information element of a Physical Channel Reconfiguration message or of an RRC connection reconfiguration message, and carries this RRC message in the "Target RNC to source RNC transparent container" information element of the prepare handover response message sent to the target MME; after receiving the prepare handover response message, the target MME transparently forwards it to the source SGSN, that is, the prepare handover response message in step 512 carries the RRC message; the source SGSN then transparently forwards the RRC message to the communication entity in the source 2G or 3G access network in the handover response message of step 513; the communication entity in the source 2G or 3G access network transparently forwards the RRC message to the UE in the handover command message of step 514; in step 515, the UE obtains the target eNB identifier from the RRC message embedded in the handover command message. Alternatively, the target MME can carry the target eNB identifier in the prepare handover response message it sends to the source SGSN in step 512, and the source SGSN passes the target eNB identifier to the communication entity in the source 2G or 3G access network in the handover response message of step 513; the communication entity in the source 2G or 3G access network transparently forwards the target eNB identifier to the UE in the handover command message of step 514; in step 515, the UE obtains the target eNB identifier from the handover command message.
Step 518, the UE uses the same manner as the target eNB to generate, from the temporary eNB key K*eNB, the same eNB key KeNB that the target eNB generated.
Specifically, the target eNB can generate the eNB key KeNB by a function of the temporary eNB key K*eNB, for example: KeNB=g1(K*eNB, other parameters).
Step 519, the UE uses the same manner as the target eNB to generate, from the eNB key KeNB, the same RRC signaling encryption key K_RRC_enc, RRC signaling integrity protection key K_RRC_int and UP signaling encryption key K_UP_enc that the target eNB generated.
Specifically, the UE can generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc=g2(KeNB, other parameters), K_RRC_int=g3(KeNB, other parameters), K_UP_enc=g4(KeNB, other parameters).
After that, the UE can hand over from the source 2G or 3G access network to the LTE access network. During the handover, the NAS exchanged between the UE and the target MME is encrypted with the NAS keys negotiated with the target MME, and the RRC signaling and UP signaling exchanged between the UE and the target eNB are encrypted with the RRC signaling keys and UP signaling key negotiated with the target eNB, which ensures the security of the messages.
Figure 6 is a flowchart of embodiment four of the key generation method of the present invention, which comprises the following steps:
Step 601: when handing over from the source 2G or 3G access network to the LTE access network, the UE sends to a communication entity in the source 2G or 3G access network (for example a BTS or NodeB) a measurement report indicating the signal strength of each cell at its location.
Step 602: the communication entity in the source 2G or 3G access network decides, on the basis of the measurement report sent by the UE, to perform a network handover for the UE, and obtains from the measurement report the target eNB identifier of the LTE access network to which the UE requests to hand over.
Step 603: the communication entity in the source 2G or 3G access network sends a handover request message carrying the target eNB identifier to the source SGSN.
Step 604: the source SGSN sends a prepare handover request message to the target MME; this message carries the encryption key CK, the integrity protection key IK and the target eNB identifier.
Step 605: the target MME generates the root key Kasme from the encryption key CK and the integrity protection key IK.
Specifically, the root key Kasme may be generated by a function f1(IK, CK) of IK and CK, or by a function that further takes other parameters (for example the identifier of the cell to which the UE requests to hand over, the UE user identifier, or a constant), for example: Kasme = f1(IK, CK, other parameters).
Step 606: the target MME generates the temporary root key K*asme from the root key Kasme and the target eNB identifier, and generates the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary root key K*asme may be generated by a function of the root key Kasme and the target eNB identifier, and the NAS keys by functions of the root key Kasme, for example: K*asme = f2(Kasme, target eNB identifier, other parameters), K_NAS_enc = h1(Kasme, other parameters), K_NAS_int = h2(Kasme, other parameters).
Step 607: the target MME generates the temporary eNB key K*eNB from the temporary root key K*asme.
Specifically, the temporary eNB key K*eNB may be generated by a function of the temporary root key K*asme, for example: K*eNB = f3(K*asme, other parameters).
Step 608: the target MME sends to the target eNB a prepare handover notification message carrying the temporary key K*eNB.
Step 609: the target eNB returns a prepare handover response message to the target MME.
Step 610: the target eNB generates the eNB key from the temporary eNB key K*eNB carried in the prepare handover notification message.
Specifically, the target eNB may generate the eNB key by a function of the temporary eNB key K*eNB, for example: KeNB = g1(K*eNB, other parameters).
Step 611: the target eNB generates the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB.
Specifically, the target eNB may generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc = g2(KeNB, other parameters), K_RRC_int = g3(KeNB, other parameters), K_UP_enc = g4(KeNB, other parameters).
It should be noted that there is no restriction on the order in time between steps 610-611 and step 609: steps 610-611 may also be performed at the same time as step 609 or before step 609.
Step 612: the target MME sends a prepare handover response message to the source SGSN.
Step 613: the source SGSN sends a handover response message to the communication entity in the corresponding source 2G or 3G access network.
Step 614: the communication entity in the corresponding source 2G or 3G access network sends a handover command message to the UE, notifying the UE to hand over to the target eNB. This handover command message may directly carry the target eNB identifier.
Step 615: after receiving the handover command message sent by the communication entity in the source 2G or 3G access network, the UE obtains the encryption key CK and the integrity protection key IK generated by agreement with the HSS and, according to a preset configuration and in the same way as the target MME, generates from the encryption key CK and the integrity protection key IK the same root key Kasme as the one generated by the target MME. For example: Kasme = f1(IK, CK, other parameters).
Step 616: the UE, in the same way as the target MME, generates from the root key Kasme and the target eNB identifier the same temporary root key K*asme as the one generated by the target MME, and generates the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary root key K*asme may be generated by a function of the root key Kasme and the target eNB identifier, and the NAS keys by functions of the root key Kasme, for example: K*asme = f2(Kasme, target eNB identifier, other parameters), K_NAS_enc = h1(Kasme, other parameters), K_NAS_int = h2(Kasme, other parameters).
In addition, the UE may also obtain the target eNB identifier from the handover command message in step 614 in other ways. For example, in step 609 the target eNB encapsulates its own target eNB identifier in an RRC message, for example a Physical Channel Reconfiguration message or the "UE" information element of an RRC Connection Reconfiguration message, and this RRC message is then carried in the "Target RNC to source RNC transparent container" information element of the prepare handover response message and sent to the target MME. After receiving the prepare handover response message, the target MME transparently forwards it to the source SGSN, that is, the prepare handover response message in step 612 carries the RRC message; the source SGSN then transparently forwards the RRC message to the communication entity in the source 2G or 3G access network in the handover response message of step 613; the communication entity in the source 2G or 3G access network transparently forwards the RRC message to the UE in the handover command message of step 614; in step 615, the UE obtains the target eNB identifier from the RRC message embedded in the handover command message. Alternatively, the target MME may carry the target eNB identifier in the prepare handover response message that it sends to the source SGSN in step 612; the source SGSN then passes the target eNB identifier to the communication entity in the source 2G or 3G access network in the handover response message of step 613; the communication entity in the source 2G or 3G access network transparently forwards the target eNB identifier to the UE in the handover command message of step 614; in step 615, the UE obtains the target eNB identifier from the handover command message.
Step 617: the UE, in the same way as the target MME, generates from the temporary root key K*asme the same temporary eNB key K*eNB as the one generated by the target MME.
Specifically, the temporary eNB key K*eNB may be generated by a function of the temporary root key K*asme and the target eNB identifier, for example: K*eNB = f3(K*asme, other parameters).
Step 618: the UE, in the same way as the target eNB, generates from the temporary eNB key K*eNB the same eNB key KeNB as the one generated by the target eNB.
Specifically, the target eNB may generate the eNB key KeNB by a function of the temporary eNB key K*eNB, for example: KeNB = g1(K*eNB, other parameters).
Step 619: the UE, in the same way as the target eNB, generates from the eNB key KeNB the same RRC signaling encryption key K_RRC_enc, RRC signaling integrity protection key K_RRC_int and UP signaling encryption key K_UP_enc as those generated by the target eNB.
Specifically, the UE may generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc = g2(KeNB, other parameters), K_RRC_int = g3(KeNB, other parameters), K_UP_enc = g4(KeNB, other parameters).
Afterwards, the UE can hand over from the source 2G or 3G access network to the LTE access network. During the handover, the NAS exchange between the UE and the target MME is encrypted with the NAS keys the two have generated by agreement, and the RRC signaling and UP signaling exchanged between the UE and the target eNB are encrypted with the RRC signaling keys and the UP signaling key the two have generated by agreement, which ensures the security of the messages.
Figure 7 is a flowchart of embodiment five of the key generation method of the present invention, which comprises the following steps:
Step 701: when handing over from the source 2G or 3G access network to the LTE access network, the UE sends to a communication entity in the source 2G or 3G access network (for example a BTS or NodeB) a measurement report indicating the signal strength of each cell at its location.
Step 702: the communication entity in the source 2G or 3G access network decides, on the basis of the measurement report sent by the UE, to perform a network handover for the UE, and obtains from the measurement report the target eNB identifier of the LTE access network to which the UE requests to hand over.
Step 703: the communication entity in the source 2G or 3G access network sends a handover request message carrying the target eNB identifier to the source SGSN.
Step 704: the source SGSN sends a prepare handover request message to the target MME; this message carries the encryption key CK, the integrity protection key IK and the target eNB identifier.
Step 705: the target MME generates the root key Kasme from the encryption key CK and the integrity protection key IK.
Specifically, the root key Kasme may be generated by a function f1(IK, CK) of IK and CK, or by a function that further takes other parameters (for example the identifier of the cell to which the UE requests to hand over, the UE user identifier, or a constant), for example: Kasme = f1(IK, CK, other parameters).
Step 706: the target MME generates the temporary eNB key K*eNB from the root key Kasme and the target eNB identifier, and generates the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
Specifically, the temporary eNB key K*eNB may be generated by a function of the root key Kasme and the target eNB identifier, and the NAS keys by functions of the root key Kasme, for example: K*eNB = f2(Kasme, target eNB identifier, other parameters), K_NAS_enc = h1(Kasme, other parameters), K_NAS_int = h2(Kasme, other parameters).
Step 707: the target MME sends to the target eNB a prepare handover notification message carrying the temporary key K*eNB.
Step 708: the target eNB returns a prepare handover response message to the target MME.
Step 709: the target eNB generates the eNB key from the temporary eNB key K*eNB carried in the prepare handover notification message.
Specifically, the target eNB may generate the eNB key by a function of the temporary eNB key K*eNB, for example: KeNB = g1(K*eNB, other parameters).
Step 710: the target eNB generates the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB.
Specifically, the target eNB may generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc = g2(KeNB, other parameters), K_RRC_int = g3(KeNB, other parameters), K_UP_enc = g4(KeNB, other parameters).
It should be noted that there is no restriction on the order in time between steps 709-710 and step 708: steps 709-710 may also be performed at the same time as step 708 or before step 708.
Step 711: the target MME sends a prepare handover response message to the source SGSN.
Step 712: the source SGSN sends a handover response message to the communication entity in the corresponding source 2G or 3G access network.
Step 713: the communication entity in the corresponding source 2G or 3G access network sends a handover command message to the UE, notifying the UE to hand over to the target eNB. This handover command message may directly carry the target eNB identifier.
Step 714: after receiving the handover command message sent by the communication entity in the source 2G or 3G access network, the UE obtains the encryption key CK and the integrity protection key IK generated by agreement with the HSS and, according to a preset configuration and in the same way as the target MME, generates from the encryption key CK and the integrity protection key IK the same root key Kasme as the one generated by the target MME. For example: Kasme = f1(IK, CK, other parameters).
Step 715: the UE, in the same way as the target eNB, generates from the root key Kasme and the target eNB identifier the same temporary eNB key K*eNB as the one generated by the target MME, and generates the NAS keys from the root key Kasme. The NAS keys comprise the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int.
For example: K*eNB = f2(Kasme, target eNB identifier, other parameters), K_NAS_enc = h1(Kasme, other parameters), K_NAS_int = h2(Kasme, other parameters).
The UE may also obtain the target eNB identifier from the handover command message in step 714 in other ways. For example, in step 708 the target eNB encapsulates its own target eNB identifier in an RRC message, for example a Physical Channel Reconfiguration message or the "UE" information element of an RRC Connection Reconfiguration message, and this RRC message is then carried in the "Target RNC to source RNC transparent container" information element of the prepare handover response message and sent to the target MME. After receiving the prepare handover response message, the target MME transparently forwards it to the source SGSN, that is, the prepare handover response message in step 711 carries the RRC message; the source SGSN then transparently forwards the RRC message to the communication entity in the source 2G or 3G access network in the handover response message of step 712; the communication entity in the source 2G or 3G access network transparently forwards the RRC message to the UE in the handover command message of step 713; in step 714, the UE obtains the target eNB identifier from the RRC message embedded in the handover command message. Alternatively, the target MME may carry the target eNB identifier in the prepare handover response message that it sends to the source SGSN in step 711; the source SGSN then passes the target eNB identifier to the communication entity in the source 2G or 3G access network in the handover response message of step 712; the communication entity in the source 2G or 3G access network transparently forwards the target eNB identifier to the UE in the handover command message of step 713; in step 714, the UE obtains the target eNB identifier from the handover command message.
Step 716: the UE, in the same way as the target eNB, generates from the temporary eNB key K*eNB the same eNB key KeNB as the one generated by the target eNB.
Specifically, the target eNB may generate the eNB key KeNB by a function of the temporary eNB key K*eNB, for example: KeNB = g1(K*eNB, other parameters).
Step 717: the UE, in the same way as the target eNB, generates from the eNB key KeNB the same RRC signaling encryption key K_RRC_enc, RRC signaling integrity protection key K_RRC_int and UP signaling encryption key K_UP_enc as those generated by the target eNB.
Specifically, the UE may generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc by functions of the eNB key KeNB, for example: K_RRC_enc = g2(KeNB, other parameters), K_RRC_int = g3(KeNB, other parameters), K_UP_enc = g4(KeNB, other parameters).
Afterwards, the UE can hand over from the source 2G or 3G access network to the LTE access network. During the handover, the NAS exchange between the UE and the target MME is encrypted with the NAS keys the two have generated by agreement, and the RRC signaling and UP signaling exchanged between the UE and the target eNB are encrypted with the RRC signaling keys and the UP signaling key the two have generated by agreement, which ensures the security of the messages.
Figure 8 is a schematic structural diagram of embodiment one of the key generating device of the present invention. The key generating device of this embodiment comprises a receiver module 801 and a temporary eNB key generation module 802. The receiver module 801 is configured to receive the target eNB identifier; the temporary eNB key generation module 802 is configured to generate the temporary eNB key K*eNB from the target eNB identifier received by the receiver module 801 and from the encryption key CK and integrity protection key IK that are either received by the receiver module 801 or generated in advance.
The key generating device provided by the embodiment of the invention receives the target eNB identifier and generates, from the encryption key, the integrity protection key and the target eNB identifier, a temporary eNB key that is related to the target eNB identifier. As a result, when the UE performs a network handover, different eNBs use different temporary eNB keys; even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling key of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
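
The key separation described above can be checked with a short simulation. This is an added example, not code from the patent: the patent leaves f1 to f3, g1 to g4, h1 and h2 unspecified, so HMAC-SHA-256 with a function label, the CK||IK key concatenation, the `bind` variant names, and the sample CK, IK and eNB identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Assumed stand-in for the patent's unspecified functions:
    HMAC-SHA-256 over a function label plus length-prefixed parameters."""
    msg = label.encode()
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_nas_and_k_star_enb(ck: bytes, ik: bytes, enb_id: bytes, bind: str):
    """Run by the target MME and, identically, by the UE.

    bind selects where the target eNB identifier enters the chain:
      "at_k_star_enb"  : K*eNB = f3(K*asme, eNB ID)       (step 517 variant)
      "at_k_star_asme" : K*asme = f2(Kasme, eNB ID)       (embodiment four)
      "direct"         : K*eNB = f2(Kasme, eNB ID)        (embodiment five)
    """
    if not enb_id:
        # Without an identifier every eNB would receive the same K*eNB.
        raise ValueError("target eNB identifier is required")
    kasme = kdf(ck + ik, "f1")                     # Kasme = f1(IK, CK)
    nas = {"K_NAS_enc": kdf(kasme, "h1"),          # NAS keys come from Kasme
           "K_NAS_int": kdf(kasme, "h2")}          # only, not from the eNB ID
    if bind == "at_k_star_enb":
        k_star_asme = kdf(kasme, "f2")             # temporary root key from Kasme
        k_star_enb = kdf(k_star_asme, "f3", enb_id)
    elif bind == "at_k_star_asme":
        k_star_asme = kdf(kasme, "f2", enb_id)
        k_star_enb = kdf(k_star_asme, "f3")
    elif bind == "direct":
        k_star_enb = kdf(kasme, "f2", enb_id)
    else:
        raise ValueError("unknown binding variant: " + bind)
    return nas, k_star_enb


def enb_derive(k_star_enb: bytes) -> dict:
    """Run by the target eNB on the K*eNB it receives from the MME."""
    kenb = kdf(k_star_enb, "g1")                   # KeNB = g1(K*eNB)
    return {"K_RRC_enc": kdf(kenb, "g2"),
            "K_RRC_int": kdf(kenb, "g3"),
            "K_UP_enc": kdf(kenb, "g4")}


def ue_derive(ck: bytes, ik: bytes, enb_id: bytes, bind: str):
    """The UE runs the whole chain locally; no key is sent to it."""
    nas, k_star_enb = derive_nas_and_k_star_enb(ck, ik, enb_id, bind)
    return nas, enb_derive(k_star_enb)


# Constructed sample values, for illustration only.
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))

if __name__ == "__main__":
    for variant in ("at_k_star_enb", "at_k_star_asme", "direct"):
        _, k_a = derive_nas_and_k_star_enb(SAMPLE_CK, SAMPLE_IK, b"eNB-A", variant)
        _, k_b = derive_nas_and_k_star_enb(SAMPLE_CK, SAMPLE_IK, b"eNB-B", variant)
        _, ue_keys = ue_derive(SAMPLE_CK, SAMPLE_IK, b"eNB-A", variant)
        print(variant,
              "| eNB-A and eNB-B keys differ:", k_a != k_b,
              "| UE matches eNB-A:", ue_keys == enb_derive(k_a))
```

In all three variants the RRC and UP keys depend on the target eNB identifier, while the NAS keys do not, because they are derived from Kasme alone and are shared with the MME rather than with any eNB.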
In the key generating device embodiment shown in Figure 8, the temporary eNB key generation module 802 may comprise a first root key generation unit 901 and a first temporary eNB key generation unit 902. The first root key generation unit 901 is configured to generate the first root key Kasme from the encryption key CK and the integrity protection key IK received by the receiver module 801 and from the target eNB identifier; the first temporary eNB key generation unit 902 is configured to generate the temporary eNB key from the first root key Kasme generated by the first root key generation unit 901. Figure 9 is a schematic structural diagram of embodiment two of the key generating device of the present invention.
In addition, in the key generating device embodiment shown in Figure 8, the temporary eNB key generation module 802 may also comprise a second root key generation unit 1001, a first temporary root key generation unit 1002 and a second temporary eNB key generation unit 1003. The second root key generation unit 1001 is configured to generate the second root key Kasme from the encryption key CK and the integrity protection key IK received by the receiver module 801; the first temporary root key generation unit 1002 is configured to generate the first temporary root key K*asme from the second root key Kasme generated by the second root key generation unit 1001; the second temporary eNB key generation unit 1003 is configured to generate the temporary eNB key K*eNB from the first temporary root key K*asme generated by the first temporary root key generation unit 1002 and from the target eNB identifier. Figure 10 is a schematic structural diagram of embodiment three of the key generating device of the present invention.
In another embodiment of the present invention, the temporary eNB key generation module 802 of the key generating device embodiment shown in Figure 8 may also comprise the second root key generation unit 1001, a second temporary root key generation unit 1101 and a third temporary eNB key generation unit 1102. The second root key generation unit 1001 is configured to generate the second root key Kasme from the encryption key CK and the integrity protection key IK received by the receiver module 801; the second temporary root key generation unit 1101 is configured to generate the second temporary root key K*asme from the second root key Kasme generated by the second root key generation unit 1001 and from the target eNB identifier; the third temporary eNB key generation unit 1102 is configured to generate the temporary eNB key K*eNB from the second temporary root key K*asme generated by the second temporary root key generation unit 1101. Figure 11 is a schematic structural diagram of embodiment four of the key generating device of the present invention.
Figure 12 is a schematic structural diagram of embodiment five of the key generating device of the present invention. In this embodiment, the temporary eNB key generation module 802 of the key generating device embodiment shown in Figure 8 may also comprise the second root key generation unit 1001 and a fourth temporary eNB key generation unit 1201. The second root key generation unit 1001 is configured to generate the second root key Kasme from the encryption key CK and the integrity protection key IK received by the receiver module 801; the fourth temporary eNB key generation unit 1201 is configured to generate the temporary eNB key K*eNB from the second root key Kasme generated by the second root key generation unit 1001 and from the target eNB identifier.
Further, any one of the key generating devices shown in Figures 8 to 12 may also comprise a sending module 1301, configured to send the prepare handover notification message carrying the temporary eNB key K*eNB generated by the temporary eNB key generation module 802. Correspondingly, the receiver module 801 of the embodiment shown in Figure 8 is also configured to receive the encryption key CK and the integrity protection key IK; specifically, it is configured to receive the prepare handover request message and to obtain the encryption key CK, the integrity protection key IK and the target eNB identifier from this message. Figure 13 is a schematic structural diagram of embodiment six of the key generating device of the present invention.
In addition, as another key generating device of the present invention, any one of the key generating device embodiments shown in Figures 8 to 12 may also comprise an eNB key generation module 1401 and an RRC and UP signaling key generation module 1402. The eNB key generation module 1401 is configured to generate the eNB key KeNB from the temporary eNB key K*eNB generated by the temporary eNB key generation module 802; the RRC and UP signaling key generation module 1402 is configured to generate the RRC signaling encryption key K_RRC_enc, the RRC signaling integrity protection key K_RRC_int and the UP signaling encryption key K_UP_enc from the eNB key KeNB generated by the eNB key generation module 1401. The receiver module 801 does not need to receive the encryption key CK and the integrity protection key IK; the temporary eNB key generation module 802 generates the temporary eNB key K*eNB from the target eNB identifier and from the encryption key CK and integrity protection key IK generated in advance. Figure 14 is a schematic structural diagram of embodiment seven of the key generating device of the present invention. On the basis of this embodiment seven, the key generating device of the present invention may further comprise a NAS key generation module 1302, configured to generate the NAS keys, comprising the NAS encryption key K_NAS_enc and the NAS integrity protection key K_NAS_int, from the first root key or the second root key Kasme generated by the temporary eNB key generation module 802.
The embodiment of the invention also provides an MME, which may comprise the key generating device of any one of the embodiments shown in Figures 8 to 13. This MME can receive the encryption key, the integrity protection key and the target eNB identifier sent in the prepare handover request message, and generate a temporary eNB key related to the target eNB identifier. As a result, when the UE performs a network handover, different temporary eNB keys are distributed to different eNBs; even if the temporary eNB key of one target eNB is cracked, the security of the RRC signaling keys and UP signaling key of other target eNBs is not endangered, which improves the security of service messages between the eNB and the UE.
The embodiment of the invention also provides a UE, which may comprise the key generating device of any one of the embodiments shown in Figures 8 to 12 and Figure 14. During a network handover, this UE can generate RRC and UP signaling keys related to the target eNB identifier, so that the user equipment exchanges messages with each eNB using RRC and UP signaling encrypted with different RRC and UP signaling keys. This effectively improves the independence of the keys that the UE uses to transmit messages with different eNBs, and improves the security of service messages between the UE and the eNB.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the essence of the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product; this computer software product is stored in a storage medium and includes a number of instructions for causing a terminal device (which may be a mobile phone, a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may still be modified or replaced by equivalents, and that such modification or equivalent replacement does not depart from the spirit and scope of the technical solution of the present invention.

Claims (24)

1, a kind of key generation method is characterized in that, comprising:
The preparation handoff request message that target MME reception sources SGSN sends carries encryption key, integrity protection key and target eNB sign in this preparation handoff request message;
Described target MME generates interim eNB key according to described encryption key, described integrity protection key and described target eNB sign, and sends the preparation handoff notification message to described target eNB, carries described interim eNB key in this preparation handoff notification message.
2, key generation method according to claim 1 is characterized in that, described target MME also comprises after described target eNB sends the preparation handoff notification message:
Described target eNB generates the eNB key according to the described interim eNB key that carries in the described preparation handoff notification message, and generates RRC signaling encryption key, RRC signaling integrity protection key and UP signaling encryption key according to described eNB key.
3, key generation method according to claim 1 is characterized in that, described target MME generates interim eNB key according to described encryption key, described integrity protection key and described target eNB sign and comprises:
Described target MME generates root key according to described encryption key, described integrity protection key and described target eNB sign; Generate described interim eNB key according to described root key.
4, key generation method according to claim 3 is characterized in that, also comprises:
The switching command message that communication entity sends in subscriber equipment reception sources 2G or the 3G Access Network;
Described subscriber equipment generates root key according to described encryption key, described integrity protection key and described target eNB sign;
Described subscriber equipment generates NAS key and interim eNB key according to described root key;
Described subscriber equipment generates the eNB key according to described interim eNB key, and generates RRC signaling encryption key, RRC signaling integrity protection key and UP signaling encryption key according to described eNB key.
5, key generation method according to claim 1 is characterized in that, described target MME generates interim eNB key according to described encryption key, described integrity protection key and described target eNB sign and comprises:
Described target MME generates root key according to described encryption key and described integrity protection key; Generate the temporary root key according to described root key; Generate interim eNB key according to described temporary root key and described target eNB sign.
6, key generation method according to claim 5 is characterized in that, also comprises:
The switching command message that communication entity sends in subscriber equipment reception sources 2G or the 3G Access Network;
Described subscriber equipment generates root key according to described encryption key, described integrity protection key;
Described subscriber equipment generates NAS key and temporary root key according to described root key;
Described subscriber equipment generates interim eNB key according to described temporary root key and described target eNB sign;
Described subscriber equipment generates the eNB key according to described interim eNB key, and generates RRC signaling encryption key, RRC signaling integrity protection key and UP signaling encryption key according to described eNB key.
7. The key generation method according to claim 1, characterized in that the target MME generating the interim eNB key according to the encryption key, the integrity protection key and the target eNB sign comprises:
The target MME generates a root key according to the encryption key and the integrity protection key; generates a temporary root key according to the root key and the target eNB sign; and generates an interim eNB key according to the temporary root key.
8. The key generation method according to claim 7, characterized in that it further comprises:
The subscriber equipment receives a switching command message sent by a communication entity in the source 2G or 3G access network;
The subscriber equipment generates a root key according to the encryption key and the integrity protection key;
The subscriber equipment generates a NAS key according to the root key, and generates a temporary root key according to the root key and the target eNB sign;
The subscriber equipment generates an interim eNB key according to the temporary root key;
The subscriber equipment generates an eNB key according to the interim eNB key, and generates an RRC signaling encryption key, an RRC signaling integrity protection key and a UP signaling encryption key according to the eNB key.
9. The key generation method according to claim 1, characterized in that the target MME generating the interim eNB key according to the encryption key, the integrity protection key and the target eNB sign comprises:
The target MME generates a root key according to the encryption key and the integrity protection key; and generates an interim eNB key according to the root key and the target eNB sign.
10. The key generation method according to claim 9, characterized in that it further comprises:
The subscriber equipment receives a switching command message sent by a communication entity in the source 2G or 3G access network;
The subscriber equipment generates a root key according to the encryption key and the integrity protection key;
The subscriber equipment generates a NAS key according to the root key, and generates an interim eNB key according to the root key and the target eNB sign;
The subscriber equipment generates an eNB key according to the interim eNB key, and generates an RRC signaling encryption key, an RRC signaling integrity protection key and a UP signaling encryption key according to the eNB key.
11. The key generation method according to claim 3, 5, 7 or 9, characterized in that it further comprises: the target MME generates a NAS key according to the root key.
12. The key generation method according to claim 4, 6, 8 or 10, characterized in that it further comprises:
The subscriber equipment obtains the target eNB sign from the switching command message.
13. The key generation method according to claim 12, characterized in that the subscriber equipment obtaining the target eNB sign from the switching command message comprises:
The subscriber equipment obtains the target eNB sign from an RRC message carried in the switching command message.
14. The key generation method according to claim 13, characterized in that the subscriber equipment obtaining the target eNB sign from the RRC message carried in the switching command message comprises:
The target eNB carries the target eNB sign in an RRC message, and carries this RRC message in a preparation switching response message sent to the target MME;
The target MME sends the RRC message, through the source SGSN, to the communication entity in the source 2G or 3G access network;
The communication entity in the source 2G or 3G access network sends the RRC message to the subscriber equipment in the switching command message.
15. A key generating device, characterized in that it comprises:
A receiver module, configured to receive a target eNB sign;
An interim eNB key production module, configured to generate an interim eNB key according to an encryption key, an integrity protection key and the target eNB sign.
16. The key generating device according to claim 15, characterized in that the interim eNB key production module comprises:
A first root key generation unit, configured to generate a first root key according to the encryption key, the integrity protection key and the target eNB sign;
A first interim eNB key generation unit, configured to generate the interim eNB key according to the first root key.
17. The key generating device according to claim 15, characterized in that the interim eNB key production module comprises:
A second root key generation unit, configured to generate a second root key according to the encryption key and the integrity protection key;
A first temporary root key generation unit, configured to generate a first temporary root key according to the second root key;
A second interim eNB key generation unit, configured to generate the interim eNB key according to the first temporary root key and the target eNB sign.
18. The key generating device according to claim 15, characterized in that the interim eNB key production module comprises:
A second root key generation unit, configured to generate a second root key according to the encryption key and the integrity protection key;
A second temporary root key generation unit, configured to generate a second temporary root key according to the second root key and the target eNB sign;
A third interim eNB key generation unit, configured to generate the interim eNB key according to the second temporary root key.
19. The key generating device according to claim 15, characterized in that the interim eNB key production module comprises:
A second root key generation unit, configured to generate a second root key according to the encryption key and the integrity protection key;
A fourth interim eNB key generation unit, configured to generate the interim eNB key according to the second root key and the target eNB sign.
20. The key generating device according to any one of claims 15 to 19, characterized in that the receiver module is further configured to receive the encryption key and the integrity protection key.
21. The key generating device according to claim 20, characterized in that it further comprises:
A sending module, configured to send a preparation handoff notification message carrying the interim eNB key;
The receiver module is configured to receive a preparation handoff request message, and to obtain the encryption key, the integrity protection key and the target eNB sign from this preparation handoff request message.
22. The key generating device according to any one of claims 15 to 19, characterized in that it further comprises:
An eNB key production module, configured to generate an eNB key according to the interim eNB key;
An RRC and UP signaling key production module, configured to generate an RRC signaling encryption key, an RRC signaling integrity protection key and a UP signaling encryption key according to the eNB key.
23. A mobile management entity, characterized in that it comprises the key generating device of claim 21.
24. A subscriber equipment, characterized in that it comprises the key generating device of claim 22.
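The four derivation orders of claims 16 to 19 (mirrored on the method side by claims 5 to 10), followed by the claim 22 chain down to the RRC and UP keys, as an added example that is not code from the patent. The claims name no key derivation function, so HMAC-SHA-256, the `CK || IK` concatenation, the label strings and the sample CK, IK and eNB sign values are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: str, *inputs: bytes) -> bytes:
    """Assumed KDF (the claims name none): HMAC-SHA-256 over label + length-prefixed inputs."""
    msg = label.encode()
    for item in inputs:
        msg += len(item).to_bytes(2, "big") + item
    return hmac.new(key, msg, hashlib.sha256).digest()

def interim_enb_key(ck: bytes, ik: bytes, enb_sign: bytes, claim: int) -> bytes:
    """Interim eNB key; `claim` picks the point where the target eNB sign is mixed in."""
    if claim == 16:  # eNB sign enters the (first) root key itself
        return kdf(kdf(ck + ik, "root", enb_sign), "interim-enb")
    root = kdf(ck + ik, "root")  # claims 17-19: root key from CK and IK only
    if claim == 17:  # root -> temporary root -> interim (+ eNB sign)
        return kdf(kdf(root, "temp-root"), "interim-enb", enb_sign)
    if claim == 18:  # root -> temporary root (+ eNB sign) -> interim
        return kdf(kdf(root, "temp-root", enb_sign), "interim-enb")
    if claim == 19:  # root -> interim (+ eNB sign), no temporary root key
        return kdf(root, "interim-enb", enb_sign)
    raise ValueError("claim must be 16, 17, 18 or 19")

def as_keys(interim: bytes) -> dict:
    """Claim 22: interim eNB key -> eNB key -> RRC and UP signaling keys."""
    enb_key = kdf(interim, "enb")
    return {name: kdf(enb_key, name) for name in ("rrc-enc", "rrc-int", "up-enc")}

def handover_check(ck: bytes, ik: bytes, claim: int) -> bool:
    """Network and UE sides must agree; two target eNBs must share no key."""
    network = as_keys(interim_enb_key(ck, ik, b"eNB-A", claim))
    ue = as_keys(interim_enb_key(ck, ik, b"eNB-A", claim))
    other = as_keys(interim_enb_key(ck, ik, b"eNB-B", claim))
    return network == ue and not set(network.values()) & set(other.values())

# Constructed sample inputs: 128-bit CK and IK, made-up eNB signs.
CK, IK = bytes(range(16)), bytes(range(16, 32))

if __name__ == "__main__":
    for claim in (16, 17, 18, 19):
        print(claim, handover_check(CK, IK, claim),
              as_keys(interim_enb_key(CK, IK, b"eNB-A", claim))["rrc-enc"].hex()[:16])
```

In every variant the target eNB sign is an input somewhere above the eNB key, so changing the target eNB changes all three signaling keys while CK and IK stay the same.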
CNA2008101032131A 2008-04-01 2008-04-01 Key generating method, key generating device, mobile management entity and user equipment Pending CN101552983A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008101032131A CN101552983A (en) 2008-04-01 2008-04-01 Key generating method, key generating device, mobile management entity and user equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008101032131A CN101552983A (en) 2008-04-01 2008-04-01 Key generating method, key generating device, mobile management entity and user equipment

Publications (1)

Publication Number Publication Date
CN101552983A true CN101552983A (en) 2009-10-07

Family

ID=41156902

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101032131A Pending CN101552983A (en) 2008-04-01 2008-04-01 Key generating method, key generating device, mobile management entity and user equipment

Country Status (1)

Country Link
CN (1) CN101552983A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011147153A1 (en) * 2010-05-27 2011-12-01 中兴通讯股份有限公司 Method and system for enabling access stratum (as) security algorithm synchronization
CN102711100A (en) * 2012-04-24 2012-10-03 中国联合网络通信集团有限公司 Voice encryption and decryption processing method as well as base station and network system
WO2013163815A1 (en) * 2012-05-04 2013-11-07 华为技术有限公司 Secure processing method and system during network switching
WO2014040518A1 (en) * 2012-09-13 2014-03-20 电信科学技术研究院 Key isolation method and device
WO2015113197A1 (en) * 2014-01-28 2015-08-06 华为技术有限公司 Apparatus and method for encrypting data
CN104852891A (en) * 2014-02-19 2015-08-19 华为技术有限公司 Secret key generation method, equipment and system
WO2016049888A1 (en) * 2014-09-30 2016-04-07 华为技术有限公司 Private network handover method, and private network type notification method and device
CN103069916B (en) * 2010-08-16 2016-06-15 株式会社Ntt都科摩 Method of mobile communication, mobile communication system and wireless base station
WO2018049864A1 (en) * 2016-09-13 2018-03-22 华为技术有限公司 Network switching protection method, related device and system
CN108551768A (en) * 2018-02-09 2018-09-18 北京小米移动软件有限公司 Terminal is established to the methods, devices and systems of connection with core net to be accessed

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011147153A1 (en) * 2010-05-27 2011-12-01 中兴通讯股份有限公司 Method and system for enabling access stratum (as) security algorithm synchronization
CN103069916B (en) * 2010-08-16 2016-06-15 株式会社Ntt都科摩 Method of mobile communication, mobile communication system and wireless base station
CN102711100B (en) * 2012-04-24 2015-04-15 中国联合网络通信集团有限公司 Voice encryption and decryption processing method as well as base station and network system
CN102711100A (en) * 2012-04-24 2012-10-03 中国联合网络通信集团有限公司 Voice encryption and decryption processing method as well as base station and network system
WO2013163815A1 (en) * 2012-05-04 2013-11-07 华为技术有限公司 Secure processing method and system during network switching
US9681339B2 (en) 2012-05-04 2017-06-13 Huawei Technologies Co., Ltd. Security processing method and system in network handover process
CN103686708A (en) * 2012-09-13 2014-03-26 电信科学技术研究院 Key isolation method and device
WO2014040518A1 (en) * 2012-09-13 2014-03-20 电信科学技术研究院 Key isolation method and device
US9473933B2 (en) 2012-09-13 2016-10-18 China Academy Of Telecommunications Technology Key isolation method and device
CN103686708B (en) * 2012-09-13 2018-01-19 电信科学技术研究院 A kind of secret key insulating method and equipment
WO2015113197A1 (en) * 2014-01-28 2015-08-06 华为技术有限公司 Apparatus and method for encrypting data
CN105103577A (en) * 2014-01-28 2015-11-25 华为技术有限公司 Apparatus and method for encrypting data
CN105103577B (en) * 2014-01-28 2019-05-24 华为技术有限公司 A kind of device and method of encryption data
CN104852891B (en) * 2014-02-19 2018-07-20 华为技术有限公司 A kind of method, equipment and system that key generates
CN104852891A (en) * 2014-02-19 2015-08-19 华为技术有限公司 Secret key generation method, equipment and system
CN105993194A (en) * 2014-09-30 2016-10-05 华为技术有限公司 Private network handover method, and private network type notification method and device
WO2016049888A1 (en) * 2014-09-30 2016-04-07 华为技术有限公司 Private network handover method, and private network type notification method and device
CN105993194B (en) * 2014-09-30 2019-12-06 华为技术有限公司 private network switching method, private network type notification method and device
US10701605B2 (en) 2014-09-30 2020-06-30 Huawei Technologies Co., Ltd. Dedicated network handover method, dedicated network type notification method, and device
WO2018049864A1 (en) * 2016-09-13 2018-03-22 华为技术有限公司 Network switching protection method, related device and system
US10959091B2 (en) 2016-09-13 2021-03-23 Huawei Technologies Co., Ltd. Network handover protection method, related device, and system
CN108551768A (en) * 2018-02-09 2018-09-18 北京小米移动软件有限公司 Terminal is established to the methods, devices and systems of connection with core net to be accessed

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091007