CN104796887B - Method and apparatus for secure information interaction - Google Patents

Method and apparatus for secure information interaction

Info

Publication number: CN104796887B
Authority: CN (China)
Prior art keywords: message, pgw, terminal, mme, information
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201510176852.0A
Other languages: Chinese (zh)
Other versions: CN104796887A (en)
Inventor: 苏丽芳
Current assignee: Datang Mobile Communications Equipment Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Datang Mobile Communications Equipment Co Ltd
Priority application: CN201510176852.0A
Publications: CN104796887A (application), CN104796887B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Abstract

The present invention relates to the field of communications and discloses a method and apparatus for secure information interaction. The scheme is as follows: a terminal triggers an attach procedure; during attach, on receiving a specified message sent by the MME, the terminal performs security interaction message negotiation with the PGW via the MME using NAS messages; after determining that the negotiation succeeded, the terminal establishes a secure channel between itself and the PGW; and after further determining that the attach succeeded, the terminal exchanges information with the PGW through that secure channel. Because the terminal first negotiates security information with the PGW and only then continues the information exchange, the security of the transmitted information is enhanced and the forwarding efficiency of information in transit is improved.

Description

Method and device for secure information interaction
Technical Field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for secure information interaction.
Background
A terminal attaches under Long Term Evolution (LTE) and then sends data packets through the LTE network. In some industrial applications data security has to be considered: data must be transmitted encrypted over the air interface, between the base station and the Evolved Packet Core (EPC), and inside the EPC. This approach, however, still carries some risk and is not suitable for scenarios with a high security level.
Specifically, the terminal powers on and attaches; once attachment is complete, a default bearer is established between the terminal and the network side, and all service data is then forwarded over that default bearer, as shown in the bearer connection diagram of fig. 1.
During Non-Access Stratum (NAS) attachment there is a mutual authentication procedure between the network and the terminal. The flow is as follows: first, the Mobility Management Entity (MME) sends an authentication data request message to the Home Subscriber Server (HSS), and the HSS returns an authentication data response message to the MME. The MME then initiates authentication towards the terminal: it sends an authentication request message to the terminal, and the terminal returns an authentication response message to the MME; at this point mutual authentication between the network side and the terminal side is considered complete. After authentication passes, the MME runs the Security Mode Control (SMC) procedure: the MME sends a NAS security mode command to the terminal, which starts NAS security, and the terminal replies with a NAS security mode complete message, at which point the SMC procedure is considered complete. The keys on the terminal and network sides are secure because they are computed in the HSS and in the Universal Subscriber Identity Module (USIM), as shown in figs. 2 to 4.
In the Access Stratum (AS) security procedure, the MME delivers to the base station, during attach, the key the base station will use, while the terminal computes its own copy of that key. The key delivered by the MME to the base station is transmitted in plaintext, which is insecure. (In deployed networks the S1-MME signalling that carries this key is expected to be protected by IPsec under 3GPP network domain security, so the exposure described here assumes that protection is absent.) The base station then sends an AS security mode command to the terminal, and the terminal replies with an AS security mode complete message, as shown in figs. 5 and 6.
In the prior art, however, encryption and decryption of a message between the terminal and the network are performed twice: first the air-interface encryption and decryption between the terminal and the base station, then the encryption and decryption on the S1-U interface between the base station and the Serving Gateway (SGW). One data transmission therefore costs two encryption/decryption passes, which reduces data-forwarding efficiency. Second, the security negotiation between the terminal and the network takes place in cleartext, which is a security risk for industries that require a higher security level. For example, the root key needed for air-interface encryption is brought to the base station by the MME in the Initial Context Setup Request message during attach, and that message is transmitted in cleartext, so air-interface encryption carries a latent hazard; and transmission between the base station and the core network relies on IP Security (IPsec), whose negotiation likewise takes place before the two devices have any secure channel, so the link known as the "last mile" carries a latent hazard as well.
Disclosure of Invention
The embodiments of the invention provide a method and an apparatus for secure information interaction, which solve the problems of insecure data transmission and low data transmission efficiency in the prior art.
The embodiment of the invention provides the following specific technical scheme:
a method of secure information interaction, comprising:
the terminal triggers an attach procedure and, during the attach procedure, on receiving a specified message sent by the Mobility Management Entity (MME), performs security interaction message negotiation with the PDN gateway (PGW) via the MME using a Non-Access Stratum (NAS) message;
after determining that the negotiation succeeded, the terminal establishes a secure channel between itself and the PGW;
and after further determining that the attach succeeded, the terminal exchanges information with the PGW through the secure channel.
This enhances the security of the information exchange and improves data-forwarding efficiency.
Preferably, performing security interaction message negotiation with the PGW via the MME using a NAS message on receiving the specified message sent by the MME during the attach procedure includes:
during the attach procedure, the terminal sends an attach request message carrying identification information to the MME through the base station and, on receiving an EPS session management (ESM) message sent by the MME on the basis of that attach request, performs security interaction message negotiation with the PGW via the MME using a NAS message; or
during the attach procedure, the terminal sends an attach request message to the MME through the base station and, on receiving an attach accept message sent by the MME through the base station and returning an attach complete message to the MME, performs security interaction message negotiation with the PGW via the MME using a NAS message.
Preferably, performing security interaction message negotiation with the PGW via the MME using a NAS message includes:
negotiating at least one of a communication key and a communication algorithm with the PGW via the MME using a NAS message, the communication key and/or communication algorithm being used for encrypting and decrypting information in the subsequent information exchange.
Preferably, the method further includes:
when the terminal receives a message, decrypting it on the basis of the communication key and/or the communication algorithm.
Preferably, performing security interaction message negotiation with the PGW via the MME using a NAS message includes:
the terminal sends a security interaction request message to the MME in the Generic message container information element of the NAS layer, the MME forwards the security interaction request message to the Serving Gateway (SGW), and the SGW forwards it to the PGW.
Preferably, after the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message and before it determines that the negotiation succeeded, the method further includes:
when the terminal receives a security interaction response message sent by the PGW, judging that the terminal and the PGW have negotiated successfully; the security interaction response message is sent by the PGW to the SGW, forwarded by the SGW to the MME, and finally sent by the MME to the terminal in the Generic message container information element of the NAS layer.
Preferably, the secure channel includes a first tunnel, a second tunnel and a third tunnel; the first tunnel lies between the terminal and the base station, the second between the base station and the SGW, and the third between the SGW and the PGW.
Preferably, the terminal exchanging information with the PGW through the secure channel after determining that the attach succeeded includes:
after determining that the attach succeeded, the terminal sends first information to the base station through the first tunnel, the base station forwards it to the SGW through the second tunnel, and the SGW forwards it to the PGW through the third tunnel;
and the terminal receives second information sent by the PGW, where, when the PGW determines that the second information needs to be sent, it sends it to the SGW through the third tunnel, the SGW forwards it to the base station through the second tunnel, and the base station forwards it to the terminal through the first tunnel.
Preferably, before the terminal sends the first information to the base station, the method further includes: the terminal encrypts the first information on the basis of the communication key and/or the communication algorithm;
and before the terminal receives the second information sent by the PGW, the method further includes: when the PGW determines that the second information needs to be sent, it encrypts the second information on the basis of the communication key and/or the communication algorithm.
An apparatus for secure information interaction, comprising:
a negotiation unit, configured to trigger an attach procedure by the terminal and, during the attach procedure, on receiving a specified message sent by the mobility management entity (MME), perform security interaction message negotiation with the PDN gateway (PGW) via the MME using a non-access stratum (NAS) message;
an establishing unit, configured to establish a secure channel between the terminal and the PGW after the negotiation is determined to have succeeded;
and a communication unit, configured to exchange information with the PGW through the secure channel after the terminal further determines that the attach succeeded.
This enhances the security of the information exchange and improves data-forwarding efficiency.
Preferably, for performing security interaction message negotiation with the PGW via the MME using a NAS message on receiving the specified message sent by the MME during the attach procedure, the negotiation unit is configured to:
during the attach procedure, send an attach request message carrying identification information from the terminal to the MME through the base station and, on receiving an EPS session management (ESM) message sent by the MME on the basis of that attach request, perform security interaction message negotiation with the PGW via the MME using a NAS message; or
during the attach procedure, send an attach request message from the terminal to the MME through the base station and, on receiving an attach accept message sent by the MME through the base station and returning an attach complete message to the MME, perform security interaction message negotiation with the PGW via the MME using a NAS message.
Preferably, for performing security interaction message negotiation with the PGW via the MME using a NAS message, the negotiation unit is configured to:
negotiate at least one of a communication key and a communication algorithm with the PGW via the MME using a NAS message, the communication key and/or communication algorithm being used for encrypting and decrypting information in the subsequent information exchange.
Preferably, the negotiation unit is further configured to:
decrypt a message received by the terminal on the basis of the communication key and/or the communication algorithm.
Preferably, for performing security interaction message negotiation with the PGW via the MME using a NAS message, the negotiation unit is configured to:
send a security interaction request message from the terminal to the MME in the Generic message container information element of the NAS layer, the MME forwarding the security interaction request message to the Serving Gateway (SGW) and the SGW forwarding it to the PGW.
Preferably, after the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message and before it determines that the negotiation succeeded, the negotiation unit is further configured to:
judge, when the terminal receives a security interaction response message sent by the PGW, that the terminal and the PGW have negotiated successfully; the security interaction response message is sent by the PGW to the SGW, forwarded by the SGW to the MME, and finally sent by the MME to the terminal in the Generic message container information element of the NAS layer.
Preferably, the secure channel includes a first tunnel, a second tunnel and a third tunnel; the first tunnel lies between the terminal and the base station, the second between the base station and the SGW, and the third between the SGW and the PGW.
Preferably, for the terminal exchanging information with the PGW through the secure channel after determining that the attach succeeded, the communication unit is configured to:
after the terminal determines that the attach succeeded, send first information to the base station through the first tunnel, the base station forwarding it to the SGW through the second tunnel and the SGW forwarding it to the PGW through the third tunnel;
and receive second information sent by the PGW, where, when the PGW determines that the second information needs to be sent, it sends it to the SGW through the third tunnel, the SGW forwards it to the base station through the second tunnel, and the base station forwards it to the terminal through the first tunnel.
Drawings
Figs. 1 to 6 are flow charts of information interaction between a terminal and the network side in the prior art;
FIG. 7 is a flowchart illustrating an overview of security information interaction in an embodiment of the present invention;
FIG. 8 is a first flowchart illustrating security information interaction according to an embodiment of the present invention;
FIG. 9 is a second flowchart illustrating security information interaction according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a device for secure information interaction according to an embodiment of the present invention.
Detailed Description
To avoid the potential safety hazards in the information exchange between the terminal and the network side, and the low data-forwarding efficiency caused by encrypting and decrypting information several times during that exchange, in the embodiments of the invention the terminal triggers an attach procedure; during attach, on receiving a specified message sent by the MME, the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message; after determining that the negotiation succeeded, the terminal establishes a secure channel between itself and the PGW; and after further determining that the attach succeeded, the terminal exchanges information with the PGW through that secure channel.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Referring to fig. 7, in the embodiment of the present invention, an overview flow of information security interaction is as follows:
Step 700: the terminal triggers an attach procedure and, during the attach procedure, on receiving a specified message sent by the MME, performs security interaction message negotiation with the PDN gateway (PGW) via the MME using a NAS message.
In the embodiments of the invention, security interaction message negotiation over NAS messages may be carried out in the following two ways, among others:
First way: during the attach procedure, the terminal sends an attach request message carrying identification information to the MME through the base station and, on receiving an ESM message issued by the MME on the basis of that attach request, performs security interaction message negotiation with the PGW via the MME using a NAS message.
For example, the attach request carries the ESM information transfer flag, which tells the MME that the terminal has ESM information to send once NAS security is active; here it is set to 1.
Second way: during the attach procedure, the terminal sends an attach request message to the MME through the base station and, on receiving the attach accept message sent by the MME through the base station, performs security interaction message negotiation with the PGW via the MME using a NAS message.
Specifically, the negotiation between the terminal and the PGW proceeds as follows: the terminal sends a security interaction request message to the MME in the Generic message container information element of the NAS layer, the MME forwards the security interaction request message to the SGW, and the SGW forwards it to the PGW. When the terminal receives the security interaction response message sent by the PGW, it judges that it and the PGW have negotiated successfully; the security interaction response message is sent by the PGW to the SGW, forwarded by the SGW to the MME, and finally sent by the MME to the terminal in the Generic message container of the NAS layer.
Further, what is negotiated with the PGW through the NAS message is at least one of a communication key and a communication algorithm, which are used for encrypting and decrypting information in the subsequent information exchange.
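As an added illustration of how a security interaction message can ride in the Generic message container described above (this is example code, not code from the patent or from Datang), the following Python encodes and decodes the UPLINK/DOWNLINK GENERIC NAS TRANSPORT message that carries that container, and models an MME that reads only the container type to pick a next hop and relays the container bytes untouched. The protocol discriminator, security header type, message type and container type values are those of 3GPP TS 24.301 as recalled by the author of this example and should be checked against the specification; the container type 0x7F used for the security interaction request is an assumption (the specification reserves that range), and the optional Additional information IE and the outer security-protected NAS wrapper applied after the SMC procedure are deliberately left out.

```python
import struct

# Values from 3GPP TS 24.301 as recalled for this example; verify against the spec.
PD_EMM = 0x07               # protocol discriminator: EPS mobility management
SHT_PLAIN = 0x00            # security header type: plain NAS message
MT_DL_GENERIC = 0x68        # DOWNLINK GENERIC NAS TRANSPORT message type
MT_UL_GENERIC = 0x69        # UPLINK GENERIC NAS TRANSPORT message type
CT_LPP = 0x01               # Generic message container type: LPP message
CT_LCS = 0x02               # Generic message container type: location services
CT_SEC_INTERACTION = 0x7F   # ASSUMED for this example: a reserved type value
                            # reused for the security interaction request/response


def encode_generic_nas_transport(uplink: bool, container_type: int, container: bytes) -> bytes:
    """Build a plain (unprotected) GENERIC NAS TRANSPORT message.

    Layout: [SHT|PD] [message type] [container type] [2-byte length] [container].
    The optional Additional information IE (IEI 0x65) is not emitted."""
    if not 1 <= len(container) <= 0xFFFF:
        raise ValueError("container must be 1..65535 octets")
    if not 0 <= container_type <= 0xFF:
        raise ValueError("container type is one octet")
    message_type = MT_UL_GENERIC if uplink else MT_DL_GENERIC
    header = bytes([(SHT_PLAIN << 4) | PD_EMM, message_type, container_type])
    return header + struct.pack(">H", len(container)) + container


def decode_generic_nas_transport(msg: bytes) -> dict:
    """Parse the message, checking every length before trusting it."""
    if len(msg) < 5:
        raise ValueError("message too short for a generic NAS transport header")
    sht, pd = msg[0] >> 4, msg[0] & 0x0F
    if pd != PD_EMM or sht != SHT_PLAIN:
        raise ValueError("not a plain EMM message (security-protected wrapper not handled here)")
    if msg[1] not in (MT_UL_GENERIC, MT_DL_GENERIC):
        raise ValueError("not a generic NAS transport message")
    (length,) = struct.unpack(">H", msg[3:5])
    if length < 1 or len(msg) < 5 + length:
        raise ValueError("container length field does not match message size")
    return {
        "uplink": msg[1] == MT_UL_GENERIC,
        "container_type": msg[2],
        "container": msg[5:5 + length],
        "trailing": msg[5 + length:],   # would hold optional IEs such as Additional information
    }


def mme_route(msg: bytes) -> tuple:
    """MME behaviour in steps 802-803: look only at the container type to pick a
    next hop; the container bytes are never interpreted here and are relayed as-is."""
    parsed = decode_generic_nas_transport(msg)
    if not parsed["uplink"]:
        raise ValueError("MME expects an UPLINK message from the terminal")
    if parsed["container_type"] == CT_SEC_INTERACTION:
        return "SGW", parsed["container"]           # onward to the PGW over S11 / S5-S8
    if parsed["container_type"] in (CT_LPP, CT_LCS):
        return "location-server", parsed["container"]
    raise ValueError(f"unknown container type 0x{parsed['container_type']:02x}")
```

The decoder rejects a length field that overruns the message before slicing, which is the check a forwarding node must make even though it never looks inside the container: a malformed length is the classic way to make a pass-through element misparse the bytes that follow.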
Step 710: after determining that the negotiation succeeded, the terminal establishes a secure channel between itself and the PGW.
This secure channel includes a first tunnel, a second tunnel and a third tunnel: the first tunnel lies between the terminal and the base station, the second between the base station and the SGW, and the third between the SGW and the PGW.
Step 720: after further determining that the attach succeeded, the terminal exchanges information with the PGW through the secure channel.
After further determining that the attach succeeded, the terminal sends first information to the base station through the first tunnel, the base station forwards it to the SGW through the second tunnel, and the SGW forwards it to the PGW through the third tunnel; the terminal then receives second information returned by the PGW, which the PGW issues to the SGW through the third tunnel on the basis of the received first information, the SGW forwards to the base station through the second tunnel, and the base station forwards to the terminal through the first tunnel.
For convenience, the channel between the terminal and the base station is called the first tunnel, the S1-U tunnel between the base station and the SGW the second tunnel, and the S5/S8 tunnel between the SGW and the PGW the third tunnel.
Further, when the terminal and the PGW exchange information, the terminal encrypts the first information on the basis of the communication key and/or the communication algorithm before sending it, and when the first information reaches the PGW the PGW decrypts it on the basis of the same key and/or algorithm; likewise, once the PGW determines that second information needs to be sent, the PGW encrypts the second information on the basis of the communication key and/or the communication algorithm before sending it, and when the second information reaches the terminal the terminal decrypts it. The base station and the SGW in between only forward the ciphertext, so each packet is encrypted and decrypted exactly once.
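The following Python simulation, added here as an example and not taken from the patent, plays steps 700 to 720 end to end: a terminal and a PGW negotiate a communication algorithm and derive communication keys while the MME and SGW merely relay the container bytes, and the negotiated keys are then used for a single encryption at the terminal and a single decryption at the PGW (and the reverse for downlink), with the eNB and SGW forwarding only ciphertext. The patent does not specify the key-agreement mechanism, so this example assumes a pre-shared secret held by the terminal (USIM) and the PGW combined with fresh nonces and HKDF; the HMAC-SHA256 counter-mode cipher is a stdlib-only stand-in for a real algorithm such as AES-GCM; the JSON message format, the IMSI, the algorithm names and the payloads are constructed. It also shows the check a practitioner would add on top of the patent's flow: the PGW's response carries a MAC over the request as the PGW received it, so an on-path node that rewrites the offer to force the weaker algorithm is detected by the terminal.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the patent fixes no key-agreement method, so a
# pre-shared secret (assumed held by the USIM and the PGW) plus fresh nonces
# derives the "communication key". The IMSI and the names are made up.
PSK = hashlib.sha256(b"example PSK for IMSI 001010123456789").digest()
UE_ALGS = ["hctr-sha256", "null"]   # terminal's preference, strongest first
PGW_ALGS = ["hctr-sha256", "null"]  # "null" = integrity only, like EEA0


def hkdf(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 extract-and-expand (RFC 5869), one 32-byte output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive(n_ue: bytes, n_pgw: bytes, alg: str) -> dict:
    """Separate encryption and MAC keys, each bound to the negotiated algorithm."""
    return {k: hkdf(PSK, n_ue + n_pgw, f"{k}|{alg}".encode()) for k in ("enc", "mac")}


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in cipher."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(keys: dict, alg: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the single protection step at the terminal or the PGW."""
    nonce = secrets.token_bytes(12)
    body = plaintext if alg == "null" else xor_stream(keys["enc"], nonce, plaintext)
    tag = hmac.new(keys["mac"], alg.encode() + nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def unseal(keys: dict, alg: str, blob: bytes) -> bytes:
    nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(keys["mac"], alg.encode() + nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return body if alg == "null" else xor_stream(keys["enc"], nonce, body)


def forward(hops: list, payload: bytes) -> tuple:
    """MME/SGW and eNB/SGW hops record only the length and relay bytes unchanged."""
    return payload, [(hop, len(payload)) for hop in hops]


class Terminal:
    def __init__(self):
        self.n_ue = secrets.token_bytes(16)
        self.alg = self.keys = None

    def request(self) -> bytes:
        # Security interaction request: the body of the Generic message container.
        return json.dumps({"algs": UE_ALGS, "n_ue": self.n_ue.hex()}).encode()

    def complete(self, sent_req: bytes, resp: bytes) -> None:
        """Derive keys and check the PGW's transcript MAC against what we really sent."""
        r = json.loads(resp)
        n_pgw = bytes.fromhex(r["n_pgw"])
        keys = derive(self.n_ue, n_pgw, r["alg"])
        want = hmac.new(keys["mac"], sent_req + r["alg"].encode() + n_pgw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, r["mac"]):
            raise ValueError("transcript mismatch: request altered in transit (downgrade?)")
        self.alg, self.keys = r["alg"], keys


class PGW:
    def respond(self, req: bytes) -> bytes:
        """Pick the first acceptable offered algorithm; MAC the request as received."""
        r = json.loads(req)
        alg = next(a for a in r["algs"] if a in PGW_ALGS)
        n_pgw = secrets.token_bytes(16)
        self.alg, self.keys = alg, derive(bytes.fromhex(r["n_ue"]), n_pgw, alg)
        mac = hmac.new(self.keys["mac"], req + alg.encode() + n_pgw, hashlib.sha256).hexdigest()
        return json.dumps({"alg": alg, "n_pgw": n_pgw.hex(), "mac": mac}).encode()


def run(downgrade: bool = False) -> dict:
    """Negotiate via MME/SGW, then send one protected message each way;
    downgrade=True models an on-path MME rewriting the offer to 'null' only."""
    ue, pgw = Terminal(), PGW()
    req = ue.request()
    delivered, _ = forward(["eNB", "MME", "SGW"], req)
    if downgrade:
        delivered = json.dumps({**json.loads(delivered), "algs": ["null"]}).encode()
    resp, _ = forward(["SGW", "MME", "eNB"], pgw.respond(delivered))
    try:
        ue.complete(req, resp)
    except ValueError as err:
        return {"ok": False, "error": str(err)}
    up, _ = forward(["eNB(S1-U)", "SGW(S5/S8)"], seal(ue.keys, ue.alg, b"uplink payload"))
    down, _ = forward(["SGW", "eNB"], seal(pgw.keys, pgw.alg, b"downlink payload"))
    return {"ok": True, "alg": ue.alg,
            "uplink": unseal(pgw.keys, pgw.alg, up),    # one decryption, at the PGW
            "downlink": unseal(ue.keys, ue.alg, down),  # one decryption, at the UE
            "opaque_on_path": b"uplink payload" not in up}
```

Calling `run()` returns the decrypted payloads and `"alg": "hctr-sha256"`; `run(downgrade=True)` returns `"ok": False` because the terminal's recomputed transcript MAC no longer matches. Binding the algorithm name into both the key derivation and the MAC is what makes the negotiation resistant to a forwarding node that the patent's flow otherwise trusts to pass the container through unmodified.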
The above embodiments are further described in detail with reference to two specific application scenarios.
Referring to fig. 8, after the attachment is completed, a specific procedure for the terminal to perform secure interaction message negotiation with the PGW is as follows:
step 800: the terminal sends an attach request to the MME through the base station.
When the terminal receives the attach accept (i.e., the NAS-layer SMC procedure has completed) issued by the MME, it performs security interaction message negotiation with the PGW via the MME using NAS messages, specifically by carrying out steps 801 to 808.
Step 801: the terminal sends a security interaction message to the base station.
Step 802: the base station forwards the security interaction message to the MME.
Step 803: the MME forwards the security interaction message to the SGW.
Step 804: the SGW forwards the security interaction message to the PGW.
During steps 801 to 804 the MME and the SGW do not parse the security interaction message; they forward it unchanged until it reaches the PGW, and the PGW parses it.
Step 805: the PGW sends a security interaction response message to the SGW.
Step 806: the SGW forwards the security interaction response message to the MME.
Step 807: the MME forwards the security interaction response message to the base station.
Step 808: the base station forwards the security interaction response message to the terminal.
During steps 805 to 808 the MME and the SGW do not parse the security interaction response message; they forward it unchanged until it reaches the terminal, and the terminal parses it.
Receipt of the security interaction response message by the terminal indicates that the negotiation succeeded; the terminal then starts sending data packets, specifically by carrying out steps 809 to 811.
Step 809: the terminal sends a data message to the base station.
Preferably, the terminal encrypts the data message before sending it.
Step 810: the base station forwards the data message to the SGW through the S1-U tunnel.
Step 811: the SGW forwards the data message to the PGW through the S5/S8 tunnel.
During steps 809 to 811 the base station and the SGW do not parse the received data packet; they forward it until it reaches the PGW, after which step 812 is carried out.
Step 812: the PGW decrypts the data message.
Step 813: the PGW sends a data message to the SGW.
Step 814: the SGW sends the data message to the base station.
Step 815: the base station sends the data message to the terminal.
During steps 813 to 815 the base station and the SGW do not parse the received data packet; they forward it until it reaches the terminal, after which step 816 is carried out.
Step 816: the terminal decrypts and parses the data message.
Referring to fig. 9, the specific procedure by which the terminal performs security interaction message negotiation with the PGW during the attach procedure is as follows:
Step 900: the terminal sends an attach request to the MME through the base station.
Here the attach request carries the transfer indication; in general, the ESM information transfer flag is set to 1.
Step 901: the authentication and Security Mode Control (SMC) procedures are carried out between the terminal and the MME.
Step 902: the MME sends an ESM information request message to the terminal.
Step 903: the terminal sends the MME an ESM information response message carrying the security interaction message.
Step 904: the MME sends the SGW a create session request message carrying the security interaction message.
Step 905: the SGW forwards the create session request message carrying the security interaction message to the PGW.
During steps 903 to 905 the MME and the SGW do not parse the received message; they forward it unchanged until it reaches the PGW, and the PGW parses the received message carrying the security interaction message.
Step 906: the PGW sends the SGW a create session response message carrying the security interaction response message.
Step 907: the SGW forwards the create session response message carrying the security interaction response message to the MME.
Step 908: the MME sends the base station an attach accept message carrying the security interaction response message.
Step 909: the base station forwards the attach accept message carrying the security interaction response message to the terminal.
During steps 906 to 909 the base station, the MME and the SGW do not parse the received message carrying the security interaction response message; they forward it unchanged until it reaches the terminal, and the terminal parses it.
When the terminal receives the attach accept message carrying the security interaction response message, this indicates both that the negotiation between the terminal and the PGW succeeded and that the terminal's attach succeeded; the terminal then starts sending data packets, specifically by carrying out steps 910 to 912.
Step 910: the terminal sends a data message to the base station.
Preferably, the terminal encrypts the data message before sending it.
Step 911: the base station forwards the data message to the SGW through the S1-U tunnel.
Step 912: the SGW forwards the data message to the PGW through the S5/S8 tunnel.
During steps 910 to 912 the base station and the SGW do not parse the received data packet; they forward it until it reaches the PGW, after which step 913 is carried out.
Step 913: the PGW decrypts the data message.
Step 914: the PGW sends a data message to the SGW.
Step 915: the SGW sends the data message to the base station.
Step 916: the base station sends the data message to the terminal.
During steps 914 to 916 the base station and the SGW do not parse the received data packet; they forward it until it reaches the terminal, after which step 917 is carried out.
Step 917: the terminal decrypts the data message.
Based on the above embodiment, referring to fig. 10, in an embodiment of the present invention, an apparatus for secure information interaction includes: negotiation unit 1000, establishment unit 1001 and communication unit 1002
An apparatus for secure information interaction, comprising:
a negotiation unit 1000, configured to trigger an attach procedure by a terminal, and perform security interaction message negotiation with a packet data gateway PGW through a non-access stratum NAS message via a mobility management entity MME when receiving a specified message sent by the MME during an attach procedure;
an establishing unit 1001, configured to establish, after determining that the negotiation is successful, a secure channel between the local and the PGW by the terminal;
the communication unit 1002 is configured to perform information interaction with the PGW through the secure channel after the terminal further determines that the attachment is successful.
Therefore, the safety of information interaction is enhanced, and the efficiency of data forwarding is improved.
Preferably, when the specified message sent by the MME is received during the attach procedure, the negotiation unit 1000 performs the security interaction message negotiation with the PGW via the MME using a NAS message in one of the following ways:
during the attach procedure, the terminal sends an attach request message carrying identification information to the MME through the base station, and when it receives an evolved packet system session management (ESM) message issued by the MME in response to that attach request, the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message; or,
during the attach procedure, the terminal sends an attach request message to the MME through the base station, and once it has received an attach success message sent by the MME through the base station and has replied to the MME with an attach complete message, the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message.
Preferably, when the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message, the negotiation unit 1000 is further configured to:
negotiate at least one of a communication key and a communication algorithm with the PGW via the MME using the NAS message, where the communication key and/or communication algorithm is used to encrypt and decrypt information in the subsequent information interaction.
Preferably, the negotiation unit 1000 is further configured to:
decrypt a received message, on the terminal, based on the negotiated communication key and/or communication algorithm.
Preferably, when the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message, the negotiation unit 1000 is further configured to:
send a security interaction request message from the terminal to the MME in the general message container cell (information element) of the NAS layer; the MME forwards the security interaction request message to the serving gateway (SGW), and the SGW forwards it to the PGW.
Preferably, after the terminal has performed the security interaction message negotiation with the PGW via the MME using a NAS message, and before the negotiation is determined to be successful, the negotiation unit 1000 is further configured to:
determine that the negotiation between the terminal and the PGW has succeeded when the terminal receives a security interaction response message from the PGW; the security interaction response message is sent by the PGW to the SGW, forwarded by the SGW to the MME, and finally delivered to the terminal by the MME in the general message container cell (information element) of the NAS layer.
Preferably, the secure channel consists of a first tunnel, a second tunnel and a third tunnel: the first tunnel lies between the terminal and the base station, the second tunnel between the base station and the SGW, and the third tunnel between the SGW and the PGW.
Preferably, when the terminal performs information interaction with the PGW through the secure channel after determining that the attachment has succeeded, the communication unit 1002 is further configured to:
send first information from the terminal to the base station through the first tunnel once the attachment is determined to be successful; the base station forwards the first information to the SGW through the second tunnel, and the SGW forwards it to the PGW through the third tunnel;
receive, at the terminal, second information sent by the PGW; when the PGW determines that the second information needs to be sent, it sends the second information to the SGW through the third tunnel, the SGW forwards it to the base station through the second tunnel, and the base station forwards it to the terminal through the first tunnel.
Preferably, before the terminal sends the first information to the base station, the communication unit 1002 is further configured to encrypt the first information based on the communication key and/or communication algorithm;
and before the terminal receives the second information, the PGW, having determined that the second information needs to be sent, encrypts it based on the communication key and/or communication algorithm.
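The negotiation and forwarding behaviour described above (the request/response relayed through the MME and SGW, the key/algorithm negotiation, and the data path of steps 910-917 in which the base station and SGW forward packets without parsing them) can be simulated end to end. The following is an added example and not code from the patent or its assignee; everything it fixes is an assumption: the terminal and PGW are assumed to share a long-term secret from which per-session keys are derived, the algorithm identifier `hmac-sha256-ctr` is constructed, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the unnamed "communication algorithm". The `Terminal`, `PGW`, `relay` and `run_exchange` names are likewise invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed identifier: the patent does not name the negotiated algorithm.
ALGORITHMS = ("hmac-sha256-ctr",)


def derive_keys(long_term_secret, ue_nonce, pgw_nonce, algorithm):
    """HKDF-style extract/expand (RFC 5869 pattern) binding both nonces and the
    chosen algorithm into separate encryption and MAC keys. The shared
    long-term secret is an assumption of this example, not of the patent."""
    prk = hmac.new(ue_nonce + pgw_nonce, long_term_secret, hashlib.sha256).digest()
    info = algorithm.encode()
    enc_key = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, enc_key + info + b"\x02", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, packet):
    """Verifies the tag in constant time before decrypting; rejects tampering."""
    nonce, ct, tag = packet[:12], packet[12:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Terminal:
    def __init__(self, long_term_secret):
        self.secret, self.nonce, self.keys = long_term_secret, secrets.token_bytes(16), None

    def security_interaction_request(self):
        # Payload carried in the NAS generic message container; the MME relays it.
        return {"type": "SECURITY_INTERACTION_REQUEST",
                "algorithms": list(ALGORITHMS), "ue_nonce": self.nonce}

    def handle_response(self, response):
        # The negotiation counts as successful only once a valid response arrives.
        if response.get("type") != "SECURITY_INTERACTION_RESPONSE" \
                or response.get("algorithm") not in ALGORITHMS:
            return False
        self.keys = derive_keys(self.secret, self.nonce,
                                response["pgw_nonce"], response["algorithm"])
        return True


class PGW:
    def __init__(self, long_term_secret):
        self.secret, self.keys = long_term_secret, None

    def handle_request(self, request):
        common = [a for a in request["algorithms"] if a in ALGORITHMS]
        if not common:
            raise ValueError("no common communication algorithm")
        pgw_nonce = secrets.token_bytes(16)
        self.keys = derive_keys(self.secret, request["ue_nonce"], pgw_nonce, common[0])
        return {"type": "SECURITY_INTERACTION_RESPONSE",
                "algorithm": common[0], "pgw_nonce": pgw_nonce}


def relay(node, message):
    """MME/SGW on the control path and base station/SGW on the user-plane
    tunnels only pass the message on; the protected payload is never parsed."""
    return message


def run_exchange(uplink=b"uplink user data", downlink=b"downlink user data"):
    secret = secrets.token_bytes(32)          # constructed shared long-term secret
    ue, pgw = Terminal(secret), PGW(secret)
    # Negotiation: terminal -> MME -> SGW -> PGW, response back along the same path.
    response = pgw.handle_request(relay("SGW", relay("MME", ue.security_interaction_request())))
    if not ue.handle_response(relay("MME", relay("SGW", response))):
        raise RuntimeError("security interaction negotiation failed")
    # Data path (steps 910-917): sender encrypts, base station and SGW forward
    # the opaque packet through the tunnels, receiver decrypts.
    up_pkt = relay("SGW", relay("eNB", encrypt(*ue.keys, uplink)))
    down_pkt = relay("eNB", relay("SGW", encrypt(*pgw.keys, downlink)))
    return decrypt(*pgw.keys, up_pkt), decrypt(*ue.keys, down_pkt)
```

Because the tag is checked before any decryption, a packet modified by any intermediate node is rejected by the receiver with a `ValueError`, which is the property that lets the base station and SGW stay out of the parsing path without weakening the end-to-end channel.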
In summary, the embodiments of the present invention provide a method and an apparatus for security information interaction. The scheme is as follows: the terminal triggers an attach procedure; during that procedure, when it receives a designated message from the MME, the terminal performs security interaction message negotiation with the PGW via the MME using a NAS message; after determining that the negotiation has succeeded, the terminal establishes a secure channel between itself and the PGW; and after further determining that the attachment has succeeded, the terminal performs information interaction with the PGW through that secure channel. Because the subsequent information interaction takes place only after the terminal and the PGW have completed the security negotiation, the security of information transmission is enhanced and the forwarding efficiency of information during transmission is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (14)

1. A method of secure information interaction, the method comprising:
a terminal triggers an attachment process, in the attachment process, when receiving a designated message sent by a Mobile Management Entity (MME), sending a security interaction request message to the MME through a general message container cell in a non-access stratum (NAS) layer, forwarding the security interaction request message to a Serving Gateway (SGW) through the MME, and forwarding the security interaction request message to a Packet Gateway (PGW) through the SGW to carry out security interaction message negotiation;
after the negotiation is determined to be successful, the terminal establishes a secure channel between the local and the PGW;
and the terminal further performs information interaction with the PGW through the secure channel after determining that the attachment is successful.
2. The method of claim 1, wherein in an attach procedure, when receiving a specific message sent by a Mobility Management Entity (MME), performing security interaction message negotiation with a packet data gateway (PGW) through a non-access stratum (NAS) message via the MME, the method comprising:
in the attachment process, the terminal sends an attachment request message carrying identification information to the MME through the base station, and when receiving an evolved packet system session management (ESM) message sent by the MME based on the attachment request message, the terminal performs secure interaction message negotiation with the PGW through the MME through the NAS message; or,
in the attachment process, the terminal sends an attachment request message to the MME through the base station, and when an attachment success message sent by the MME through the base station is received and an attachment completion message is replied to the MME, the terminal carries out security interaction message negotiation with the PGW through the MME through the NAS message.
3. The method of claim 1, wherein the terminal performs the security interaction message negotiation with the packet data gateway (PGW) through the MME through the NAS message, and the method comprises the following steps:
negotiating at least one of a communication key and/or a communication algorithm with the PGW through an MME through NAS message, wherein the communication key and/or the communication algorithm are used for realizing information encryption and decryption in a subsequent information interaction process.
4. The method of claim 3, further comprising:
and when the terminal receives the message, the terminal decrypts the message based on the communication key and/or the communication algorithm.
5. The method of claim 1, wherein after the terminal performs the security interaction message negotiation with the packet data gateway (PGW) through the MME through the NAS message and before the negotiation is determined to be successful, the method further comprises:
when the terminal receives a safety interaction response message sent by the PGW, judging that the terminal and the PGW can negotiate successfully; the safety interaction response message is sent to the SGW by the PGW, then forwarded to the MME by the SGW, and finally sent to the terminal by the MME through a general message container cell in the NAS layer.
6. The method of any of claims 1-5, wherein the secure channel comprises: a first tunnel, a second tunnel, and a third tunnel; the first tunnel is located between a terminal and a base station, the second tunnel is located between the base station and an SGW, and the third tunnel is located between the SGW and a PGW.
7. The method of claim 6, wherein the terminal further performs information interaction with the PGW through the secure tunnel after determining that the attachment is successful, comprising:
the terminal further sends the first information to the base station through the first tunnel after determining that the attachment is successful, the base station forwards the first information to the SGW through the second tunnel, and finally the SGW forwards the first information to the PGW through the third tunnel;
and the terminal receives second information sent by the PGW, where the second information is sent to the SGW through the third tunnel when the PGW determines that the second information needs to be sent, and then the second information is forwarded to the base station through the second tunnel by the SGW, and finally the second information is forwarded to the terminal through the first tunnel by the base station.
8. An apparatus for secure information interaction, the apparatus comprising:
a negotiation unit, configured to trigger an attach procedure by a terminal, send, in an attach process, a security interaction request message to a mobility management entity MME through a general message container cell in a non-access stratum NAS layer when receiving a specified message sent by the MME, forward, by the MME, the security interaction request message to a serving gateway SGW, and forward, by the SGW, the security interaction request message to a PGW, to perform a security interaction message negotiation;
the establishing unit is used for establishing a secure channel between the local and the PGW by the terminal after the negotiation is determined to be successful;
and the communication unit is used for carrying out information interaction with the PGW through the secure channel after the terminal further determines that the attachment is successful.
9. The apparatus of claim 8, wherein in an attach procedure, when receiving a specific message sent by a mobility management entity MME, and performing security interworking message negotiation with a packet data gateway PGW through a non-access stratum NAS message via the MME, the negotiating unit is configured to:
in the attachment process, the terminal sends an attachment request message carrying identification information to the MME through the base station, and when receiving an evolved packet system session management (ESM) message sent by the MME based on the attachment request message, the terminal performs secure interaction message negotiation with the PGW through the MME through the NAS message; or,
in the attachment process, the terminal sends an attachment request message to the MME through the base station, and when an attachment success message sent by the MME through the base station is received and an attachment completion message is replied to the MME, the terminal carries out security interaction message negotiation with the PGW through the MME through the NAS message.
10. The apparatus of claim 8, wherein the terminal performs security interworking message negotiation with the packet data gateway (PGW) through the MME through the NAS message, and the negotiation unit is configured to:
negotiating at least one of a communication key and/or a communication algorithm with the PGW through an MME through NAS message, wherein the communication key and/or the communication algorithm are used for realizing information encryption and decryption in a subsequent information interaction process.
11. The apparatus of claim 10, wherein the negotiation unit is further to:
and when the terminal receives the message, the terminal decrypts the message based on the communication key and/or the communication algorithm.
12. The apparatus of claim 8, wherein after the terminal performs the security interaction message negotiation with the packet data gateway (PGW) through the MME through the NAS message and before the negotiation is determined to be successful, the negotiation unit is further configured to:
when the terminal receives a safety interaction response message sent by the PGW, judging that the terminal and the PGW can negotiate successfully; the safety interaction response message is sent to the SGW by the PGW, then forwarded to the MME by the SGW, and finally sent to the terminal by the MME through a general message container cell in the NAS layer.
13. The apparatus of any one of claims 8-12, wherein the secure channel comprises: a first tunnel, a second tunnel, and a third tunnel; the first tunnel is located between a terminal and a base station, the second tunnel is located between the base station and an SGW, and the third tunnel is located between the SGW and a PGW.
14. The apparatus of claim 13, wherein the terminal further performs information interaction with the PGW through the secure tunnel after determining that the attachment is successful, and the communication unit is configured to:
the terminal further sends the first information to the base station through the first tunnel after determining that the attachment is successful, the base station forwards the first information to the SGW through the second tunnel, and finally the SGW forwards the first information to the PGW through the third tunnel;
and the terminal receives second information sent by the PGW, where the second information is sent to the SGW through the third tunnel when the PGW determines that the second information needs to be sent, and then the second information is forwarded to the base station through the second tunnel by the SGW, and finally the second information is forwarded to the terminal through the first tunnel by the base station.
CN201510176852.0A 2015-04-14 2015-04-14 A kind of method and apparatus of security information interaction Active CN104796887B (en)

Publications (2)

Publication Number Publication Date
CN104796887A CN104796887A (en) 2015-07-22
CN104796887B true CN104796887B (en) 2018-08-21
Country Status (1)

Country Link
CN (1) CN104796887B (en)
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant