CN107294723A - Method and device for generating message integrity authentication information, method and device for verifying it, and verification system
Publication number: CN107294723A
Application number: CN201610200593.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 余媛芳, 杜忠达, 戴谦, 陆婷
Original assignee: ZTE Corp
Current assignee: ZTE Corp
Prior art keywords: information, terminal, base station, authentication code, request message
Application filed by ZTE Corp
Priority to CN201610200593.5A
Priority to PCT/CN2017/077726 (WO2017167102A1)
Publication of CN107294723A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236 Such mechanisms using cryptographic hash functions
    • H04L 9/3242 Such mechanisms involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received data contents, e.g. message integrity
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity

Abstract

The invention provides a method and device for generating message integrity authentication information, a method and device for verifying it, and a verification system. The generation method comprises: a terminal generates first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message is sent; the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following: a key, bearer information, message direction and a count value; the terminal sends the request message to a base station, the request message carrying the second integrity authentication code information and part or all of the resume identification information. The invention solves the security problem of connection resume processing between a terminal and the network in the related art, realizes integrity authentication of the connection resume processing between the terminal and the network, and improves security.

Description

Method and device for generating message integrity authentication information, method and device for verifying it, and verification system
Technical field
The present invention relates to the field of communications, and in particular to a method and device for generating message integrity authentication information, a method and device for verifying it, and a verification system.
Background technology
Machine-to-Machine (M2M) communication is an important topic in current research on fifth-generation mobile communication technology (5G) and an important application field of future wireless communication. Within M2M, for terminals characterized by low cost, low power consumption, low mobility and low throughput, the Narrow Band Internet of Things (NB-IoT) research sub-topic was proposed: providing low-throughput wireless communication services to low-cost NB-IoT terminals (User Equipment, UE) in a 200 kHz band.
To reduce signalling overhead and the power consumption of NB-IoT terminals, current research has introduced a small-data transmission mode based on user-plane optimization: the terminal and the network establish a complete connection and transmit data over a DRB; after the data transfer finishes, a suspend procedure preserves the bearer context, AS security context and so on in the terminal and on the network side; when data is sent again later, both sides restore the previously preserved context through a resume procedure and continue transmitting data over the DRB. Compared with existing LTE processing, this mode saves signalling overhead significantly.
When the terminal has uplink data to send and holds a stored access bearer context, it can trigger the resume procedure for the air interface and the network-side bearers. When the network side has downlink data to send, it first pages the terminal, which then triggers the resume procedure for the air interface and the network-side bearers.
In the course of research, the inventors found that in the small-data transmission scheme for user-plane optimization, the connection resume processing between the terminal and the network may be maliciously tampered with, so effective security measures must be considered to ensure the security of the connection resume processing.
No effective solution has yet been proposed for the security problem of connection resume processing between the terminal and the network in the related art.
Summary of the invention
The invention provides a method and device for generating message integrity authentication information, a method and device for verifying it, and a verification system, so as to at least solve the security problem of connection resume processing between a terminal and the network in the related art.
According to one aspect of the invention, a method for generating message integrity authentication information is provided, comprising: a terminal UE generates first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message is sent, wherein the resume identification information is used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered; the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value; the terminal sends the request message to a base station, wherein the request message carries the second integrity authentication code information and part or all of the resume identification information.
Optionally, the resume identification information includes at least one of: a terminal identity, a global cell identity, a physical cell identity, a base station identity, and a numerical value of predetermined bit length.
Optionally, the terminal identity is a numerical value with a length between 16 and 24 bits.
Optionally, the global cell identity includes at least one of: the global cell identity of the cell in which the terminal was located when it suspended the context information, and the global cell identity of the cell storing the terminal's context information.
Optionally, the physical cell identity includes at least one of: the physical cell identity of the cell in which the terminal was located when it suspended the context information, and the physical cell identity of the cell storing the terminal's context information.
Optionally, the base station identity includes at least one of: the identity of the base station serving the terminal when it suspended the context information, and the identity of the base station storing the terminal's context information.
Optionally, the numerical value of predetermined bit length includes at least one of: a numerical value of fixed bit length, and a numerical value with a length between 16 and 44 bits.
According to another aspect of the invention, a method for verifying message integrity authentication information is provided, comprising: a base station receives a request message sent by a terminal UE, wherein the request message carries second integrity authentication code information and part or all of resume identification information, the resume identification information being used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered; the base station generates third integrity authentication code information based on at least the following information: the resume identification information, and the identification information of the cell in which the request message is received; the base station generates fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value; the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information, and if so, determines that the integrity protection of the request message is verified successfully.
Optionally, the resume identification information includes at least one of: a terminal identity, a global cell identity, a physical cell identity, a base station identity, and a numerical value of predetermined bit length.
Optionally, the terminal identity is a numerical value with a length between 16 and 24 bits.
Optionally, the global cell identity includes at least one of: the global cell identity of the cell in which the terminal was located when it suspended the context information, and the global cell identity of the cell storing the terminal's context information.
Optionally, the physical cell identity includes at least one of: the physical cell identity of the cell in which the terminal was located when it suspended the context information, and the physical cell identity of the cell storing the terminal's context information.
Optionally, the base station identity includes at least one of: the identity of the base station serving the terminal when it suspended the context information, and the identity of the base station storing the terminal's context information.
Optionally, the numerical value of predetermined bit length includes at least one of: a numerical value of fixed bit length, and a numerical value with a length between 16 and 44 bits.
According to a further aspect of the invention, a device for generating message integrity authentication information is provided, located in a terminal and comprising: a first generation module, configured to generate first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message is sent, wherein the resume identification information is used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered; a second generation module, configured to generate second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value; and a sending module, configured to send the request message to a base station, wherein the request message carries the second integrity authentication code information and part or all of the resume identification information.
According to a further aspect of the invention, a device for verifying message integrity authentication information is also provided, located in a base station and comprising: a receiving module, configured to receive a request message sent by a terminal UE, wherein the request message carries second integrity authentication code information and part or all of resume identification information, the resume identification information being used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered; a third generation module, configured to generate third integrity authentication code information based on at least the following information: the resume identification information, and the identification information of the cell in which the request message is received; a fourth generation module, configured to generate fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value; and a verification module, configured to verify whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information and, if so, to determine that the integrity protection of the request message is verified successfully.
According to yet another aspect of the invention, a system for verifying message integrity authentication information is provided, comprising a terminal and a base station, wherein the terminal includes the above device for generating message integrity authentication information and the base station includes the above device for verifying message integrity authentication information.
By means of the invention, the terminal generates first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message is sent, wherein the resume identification information is used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered; the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value; and the terminal sends the request message to the base station, the request message carrying the second integrity authentication code information and part or all of the resume identification information. This solves the security problem of connection resume processing between the terminal and the network in the related art, realizes integrity authentication of the connection resume processing between the terminal and the network, and improves security.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the method for generating message integrity authentication information according to an embodiment of the invention;
Fig. 2 is a structural block diagram of the device for generating message integrity authentication information according to an embodiment of the invention;
Fig. 3 is a flow chart of the method for verifying message integrity authentication information according to an embodiment of the invention;
Fig. 4 is a structural block diagram of the device for verifying message integrity authentication information according to an embodiment of the invention;
Fig. 5 is a structural block diagram of the system for verifying message integrity authentication information according to an embodiment of the invention.
Embodiments
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments in this application and the features in the embodiments may be combined with one another.
It should be noted that the terms "first", "second" and so on in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a specific order or sequence.
In the course of research, the inventors found that the small-data transmission scheme for user-plane optimization has the following problem:
Before the terminal triggers the resume procedure, the various pieces of context information required for the user-plane optimization mode have already been stored in the terminal, the base station and the associated core network elements. These context pieces must be identified effectively so that the terminal and the base station can use a consistent identifier to look up and restore the correct context information; this identifier is referred to here as the resume identity, ResumeID. The resume identity is carried to the base station in the connection resume request message sent by the terminal. Because the connection resume request message is sent on the signalling radio bearer SRB0, which has no security protection, effective security measures must be considered so that the terminal's connection resume request cannot be maliciously tampered with.
In view of the above, the present embodiment provides a method for generating message integrity authentication information. Fig. 1 is a flow chart of the method according to an embodiment of the invention; as shown in Fig. 1, the flow comprises the following steps:
Step S102: the terminal generates first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message containing the resume identification information is sent, wherein the resume identification information is used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered;
Step S104: the terminal generates second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value;
Step S106: the terminal sends the request message to the base station, wherein the request message carries the second integrity authentication code information and part or all of the resume identification information.
Through the above steps, the terminal uses the resume identification information that identifies the context information, together with the identification information of the cell in which the request message is sent, to generate the first integrity authentication code information, then generates the second integrity authentication code information from the first, and carries the second integrity authentication code information in the request message it sends, so that integrity authentication can be carried out with the base station. This solves the security problem of connection resume processing between the terminal and the network in the related art, realizes integrity authentication of the connection resume processing between the terminal and the network, and improves security.
Optionally, the resume identification information may include at least one of: a terminal identity, a global cell identity, a physical cell identity, a base station identity, and a numerical value of predetermined bit length. Each of these types of resume identification information is elaborated below.
As a preferred embodiment, if the terminal determines that the cell identity in the resume identification information issued by the base station in the initial procedure is the same as the identity of the cell in which the terminal is currently initiating the request message, the cell identity part of the resume identification information need not be carried in the request message, which saves uplink resources; correspondingly, if the resume identification information received by the base station contains no cell identity part, the base station assumes it matches the current cell and thereby reconstructs the complete resume identification information.
If the resume identification information includes a terminal identity, the terminal identity may be a numerical value with a length between 16 and 24 bits.
If the resume identification information includes a global cell identity, the global cell identity may include at least one of: the global cell identity of the cell in which the terminal was located when it suspended the context information, and the global cell identity of the cell storing the terminal's context information.
If the resume identification information includes a physical cell identity, the physical cell identity may include at least one of: the physical cell identity of the cell in which the terminal was located when it suspended the context information, and the physical cell identity of the cell storing the terminal's context information.
If the resume identification information includes a base station identity, the base station identity may include at least one of: the identity of the base station serving the terminal when it suspended the context information, and the identity of the base station storing the terminal's context information.
If the resume identification information includes a numerical value of predetermined bit length, that numerical value may be a numerical value of fixed bit length or a numerical value with a length between 16 and 44 bits, and may contain the terminal identity, the cell identity, and so on.
From the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better embodiment. Based on this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, may in essence be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the method described in each embodiment of the invention.
Corresponding to the above method for sending message integrity authentication information, the present embodiment also provides a device for sending message integrity authentication information, which is used to implement the above embodiments and preferred embodiments; what has already been explained is not repeated. As used below, the term "module" may be a combination of software and/or hardware that realizes a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a structural block diagram of the device for generating message integrity authentication information according to an embodiment of the invention; the device is located in the terminal. As shown in Fig. 2, the device comprises:
A first generation module 22, configured to generate first integrity authentication code information based on at least the following information: resume identification information, and the identification information of the cell in which the request message is sent; a second generation module 24, connected to the first generation module 22 and configured to generate second integrity authentication code information based on at least the first integrity authentication code information generated by the first generation module 22 and at least one of the following information: a key, bearer information, message direction and a count value; and a sending module 26, connected to the second generation module 24 and configured to send the request message to the base station, wherein the request message carries the second integrity authentication code information and part or all of the resume identification information.
The present embodiment also provides a method for verifying message integrity authentication information. Fig. 3 is a flow chart of the method according to an embodiment of the invention; as shown in Fig. 3, the method comprises:
Step S302: the base station receives the request message sent by the terminal, wherein the request message carries second integrity authentication code information and part or all of resume identification information, the resume identification information being used to identify the context information required for the user-plane optimization mode that was stored before the resume procedure is triggered;
Step S304: the base station generates third integrity authentication code information based on at least the following information: the resume identification information, and the identification information of the cell in which the request message is received;
Step S306: the base station generates fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following information: a key, bearer information, message direction and a count value;
Step S308: the base station verifies whether the generated fourth integrity authentication code information is consistent with the second integrity authentication code information; if so, it determines that the integrity protection of the request message is verified successfully.
Through the above steps, the base station uses the resume identification information that identifies the context information, together with the identification information of the cell in which the request message is received, to generate the third integrity authentication code information, then generates the fourth integrity authentication code information from the third, and performs integrity authentication against the second integrity authentication code information carried in the request message received from the terminal. This solves the security problem of connection resume processing between the terminal and the network in the related art, realizes integrity authentication of the connection resume processing between the terminal and the network, and improves security.
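The two-stage generation (steps S102 to S106) and verification (steps S302 to S308) described above, including the optional omission of the cell identity part of the resume identification, as an added Python example that is not part of the patent or of ZTE's code; the hash and MAC functions, the field widths, the request layout and all sample values are assumptions, since the patent text does not fix them.

```python
"""Two-stage integrity code for a connection resume request, modelled on the
scheme this patent describes (steps S102-S106 on the terminal, S302-S308 on the
base station). Added example; not ZTE's implementation or 3GPP-specified code.

Assumptions not fixed by the patent text: the first code is SHA-256 over the
resume ID and the serving cell identity; the second code is HMAC-SHA-256 under
the stored integrity key over the first code, bearer, direction and COUNT,
truncated to 32 bits; field widths and the request layout are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

UPLINK = 0  # message direction value for terminal -> base station (constructed)


@dataclass(frozen=True)
class ResumeID:
    """Resume identification: terminal identity plus the identity of the cell
    in which the context was suspended (the patent's 'cell identity part')."""
    terminal_id: int  # 16..24 bits per the patent; carried in 3 bytes here
    cell_id: int      # global cell identity, carried in 4 bytes here

    def to_bytes(self) -> bytes:
        return self.terminal_id.to_bytes(3, "big") + self.cell_id.to_bytes(4, "big")


@dataclass(frozen=True)
class ResumeRequest:
    """Connection resume request as sent on SRB0: part or all of the resume ID
    plus the second integrity code. cell_id is None when the terminal omitted
    the cell identity part because it matched the cell it transmitted in."""
    terminal_id: int
    cell_id: Optional[int]
    mac: bytes


def first_code(resume_id: ResumeID, serving_cell_id: int) -> bytes:
    """First (terminal) / third (base station) integrity code: binds the resume
    ID to the cell the request is sent in / received in."""
    data = resume_id.to_bytes() + serving_cell_id.to_bytes(4, "big")
    return hashlib.sha256(data).digest()


def second_code(key: bytes, code: bytes, bearer: int, direction: int, count: int) -> bytes:
    """Second (terminal) / fourth (base station) integrity code over the
    previous code, bearer information, message direction and COUNT."""
    msg = code + bytes([bearer, direction]) + count.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def terminal_build_request(key: bytes, resume_id: ResumeID, serving_cell_id: int,
                           bearer: int, count: int) -> ResumeRequest:
    """Steps S102-S106: compute both codes, then omit the cell identity part of
    the resume ID when it equals the current cell, saving uplink bits."""
    mac = second_code(key, first_code(resume_id, serving_cell_id), bearer, UPLINK, count)
    cell_part = None if resume_id.cell_id == serving_cell_id else resume_id.cell_id
    return ResumeRequest(resume_id.terminal_id, cell_part, mac)


def base_station_verify(key: bytes, req: ResumeRequest, receiving_cell_id: int,
                        bearer: int, count: int) -> bool:
    """Steps S302-S308: rebuild the full resume ID (a missing cell identity part
    means 'the current cell'), recompute the codes and compare in constant time.
    key/bearer/count come from the stored context looked up by the resume ID."""
    cell_id = receiving_cell_id if req.cell_id is None else req.cell_id
    code3 = first_code(ResumeID(req.terminal_id, cell_id), receiving_cell_id)
    code4 = second_code(key, code3, bearer, UPLINK, count)
    return hmac.compare_digest(code4, req.mac)


def demo() -> dict:
    """Walks through the accept and reject cases; all values are constructed."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    home_cell, other_cell = 0x0A1B2C3, 0x0FFFFFF
    suspended = ResumeID(terminal_id=0x00ABCD, cell_id=home_cell)
    bearer, count = 1, 7
    same = terminal_build_request(key, suspended, home_cell, bearer, count)
    moved = terminal_build_request(key, suspended, other_cell, bearer, count)
    altered = ResumeRequest(0x00ABCE, same.cell_id, same.mac)  # terminal ID changed in transit
    return {
        "same_cell_omits_cell_id": same.cell_id is None,
        "same_cell_accepted": base_station_verify(key, same, home_cell, bearer, count),
        "moved_carries_cell_id": moved.cell_id == home_cell,
        "moved_accepted": base_station_verify(key, moved, other_cell, bearer, count),
        "same_request_in_other_cell": base_station_verify(key, same, other_cell, bearer, count),
        "altered_terminal_id": base_station_verify(key, altered, home_cell, bearer, count),
        "stale_count": base_station_verify(key, same, home_cell, bearer, count + 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s}: {result}")
```

The last three cases show why the cell identity and COUNT are bound into the codes: a request that is valid in one cell fails verification when it arrives in another, and a changed resume identity or a reused count value is rejected without any further context lookup.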
Optionally, the resume identification information may include at least one of: a terminal identity, a global cell identity, a physical cell identity, a base station identity, and a numerical value of predetermined bit length. Each of these types of resume identification information is elaborated below.
As a preferred embodiment, if the terminal determines that the cell identity in the resume identification information issued by the base station in the initial procedure is the same as the identity of the cell in which the terminal is currently initiating the request message, the cell identity part of the resume identification information need not be carried in the request message, which saves uplink resources; correspondingly, if the resume identification information received by the base station contains no cell identity part, the base station assumes it matches the current cell and thereby reconstructs the complete resume identification information.
If the resume identification information includes a terminal identity, the terminal identity may be a numerical value with a length between 16 and 24 bits.
If the resume identification information includes a global cell identity, the global cell identity may include at least one of: the global cell identity of the cell in which the terminal was located when it suspended the context information, and the global cell identity of the cell storing the terminal's context information.
If the resume identification information includes a physical cell identity, the physical cell identity may include at least one of: the physical cell identity of the cell in which the terminal was located when it suspended the context information, and the physical cell identity of the cell storing the terminal's context information.
If the resume identification information includes a base station identity, the base station identity may include at least one of: the identity of the base station serving the terminal when it suspended the context information, and the identity of the base station storing the terminal's context information.
If the resume identification information includes a numerical value of predetermined bit length, that numerical value may be a numerical value of fixed bit length or a numerical value with a length between 16 and 44 bits, and may contain the terminal identity, the cell identity, and so on.
Corresponding to the verification method of above-mentioned message integrity authentication information, message integrity is additionally provided in the present embodiment The checking device of authentication information, the device is located at base station, and Fig. 4 is message integrity certification letter according to embodiments of the present invention The structured flowchart of the checking device of breath, as shown in figure 4, the checking device of the message integrity authentication information includes:
Receiving module 42, the request message sent for receiving terminal, wherein, carry second in the request message Integrated authentication code information, and recover the part or all of of identification information, the recovery identification information, which is used to identify, to be triggered Contextual information needed for the user plane optimal way stored before recovery flow;3rd generation module 44, at least 3rd integrated authentication code information is generated based on following information:The recovery identification information that receiving module 42 is received, Yi Jijie Receive the identification information of the cell of the request message;4th generation module 46, is connected with the 3rd generation module 44, is used for The 3rd integrated authentication code at least one the information and following information at least generated based on the 3rd generation module 44, it is raw Into the 4th integrated authentication code information:Key, carrying information, message direction and count value;Authentication module 48, It is connected with the 4th generation module 46, the 4th integrated authentication code information for verifying the generation of the 4th generation module 46 Whether second integrated authentication code information received with receiving module 42 is consistent, if it is, determining the request The integrity protection of message is proved to be successful.
, can be with for the latter it should be noted that above-mentioned modules can be by software or hardware to realize It is accomplished by the following way, but not limited to this:Above-mentioned module is respectively positioned in same processor;Or, above-mentioned module point Wei Yu not be in multiple processors.
In the present embodiment, a kind of terminal, including the first hardware processor are additionally provided, it is complete for performing above-mentioned message The function of modules in the generating means of whole property authentication information.
In the present embodiment, a kind of base station, including the second hardware processor are additionally provided, it is complete for performing above-mentioned message Property authentication information checking device in modules function.
In the present embodiment, a kind of checking system of message integrity authentication information is additionally provided, Fig. 5 is according to the present invention The structured flowchart of the checking system of the message integrity authentication information of embodiment, as shown in figure 5, the system includes:Terminal 20 and base station 40, wherein, the terminal 20 includes the generating means of message integrity authentication information as shown in Figure 2; The base station 40 includes the checking device of message integrity authentication information as shown in Figure 4.
The following description, with reference to preferred embodiments, combines the above embodiment with its preferred implementations.
Embodiment 1
This embodiment provides a method by which a terminal generates and sends message integrity authentication code information, including:
The terminal constructs first integrity authentication code information based on the following information: the resume identification information, and the identity of the cell in which the request message containing part or all of the resume identification information is sent.
The terminal generates second integrity authentication code information based on the following information: the first integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT. The definitions of the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT are as given in the 3GPP specifications.
The terminal sends the request message carrying part or all of the resume identification information and the second integrity authentication code information to the base station.
Optionally, the resume identification information includes at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
Optionally, if the cell in which the terminal sends the resume request message is the same as the cell in the resume identification information, and the resume identification information includes cell identity information, the terminal may refrain from sending the cell identity information in the resume identification information. The cell identity information may be at least one of: a global cell identity, a physical cell identity, or a base station identifier.
Optionally, the terminal identifier is a numerical value of 16 to 24 bits in length.
Optionally, the global cell identity includes at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
Optionally, the physical cell identity includes at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
Optionally, the base station identifier includes at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
Optionally, the numerical value of the predetermined bit length includes at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
Embodiment 2
This embodiment provides a method by which a base station generates and verifies message integrity authentication code information, including:
The base station generates third integrity authentication code information based on at least the following information: the resume identification information, and the identity of the cell receiving the request message containing part or all of the resume identification information.
The base station generates fourth integrity authentication code information based on the following information: the third integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
The base station verifies whether the fourth integrity authentication code information it generated matches the second integrity authentication code information received in the request message; if so, it determines that integrity protection of the request message is verified successfully.
Optionally, the resume identification information includes at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
Optionally, if the resume identification information received by the base station contains no cell identity information, the base station assumes that the cell identity in the resume identification information is the same as the cell in which the request message was received, and constructs the complete resume identification information using the cell identity information of the current cell. The cell identity information may be at least one of: a global cell identity, a physical cell identity, or a base station identifier.
Optionally, the terminal identifier is a numerical value of 16 to 24 bits in length.
Optionally, the global cell identity includes at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
Optionally, the physical cell identity includes at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
Optionally, the base station identifier includes at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
Optionally, the numerical value of the predetermined bit length includes at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
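The terminal-side generation of Embodiment 1 and the base-station-side verification of Embodiment 2, as an added Python example that is not part of the patent. It assumes HMAC-SHA256 truncated to 32 bits in place of the 3GPP integrity algorithm, a plain byte concatenation for the first/third code information (the page fixes no encoding), a 24-bit terminal identifier with a 16-bit cell identity, and constructed values for the key, cell identities and COUNT.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed demo parameters. A real integrity key is derived per 3GPP and is
# never a fixed constant; BEARER and DIRECTION take the values 3GPP defines.
DEMO_KEY = bytes(range(16))
BEARER_SRB1 = 1        # carrying information BEARER (signalling radio bearer 1)
DIR_UPLINK = 0         # message direction DIRECTION, 0 = uplink
MAC_LEN = 4            # 32-bit MAC-I, the length 3GPP integrity algorithms emit


def integrity_code(key: bytes, message: bytes, bearer: int,
                   direction: int, count: int) -> bytes:
    """Stand-in for a 3GPP EIA integrity function (assumption: HMAC-SHA256
    truncated to 32 bits replaces EIA1/EIA2/EIA3). The inputs are the ones the
    page names: KEY, BEARER, DIRECTION, COUNT and the message to protect."""
    header = struct.pack(">IBB", count & 0xFFFFFFFF, bearer & 0x1F, direction & 1)
    return hmac.new(key, header + message, hashlib.sha256).digest()[:MAC_LEN]


@dataclass(frozen=True)
class ResumeId:
    """Resume identification information: a terminal identifier plus the
    identity of the cell that stored the suspended context."""
    terminal_id: int          # 16 to 24 bits, as the page specifies
    stored_cell_id: int       # global cell identity of the storing cell

    def encode(self) -> bytes:
        # 24-bit terminal id (zero-padded to 4 bytes) followed by a 16-bit cell id
        return struct.pack(">IH", self.terminal_id & 0xFFFFFF,
                           self.stored_cell_id & 0xFFFF)


def first_code_info(resume_id: ResumeId, cell_id: int) -> bytes:
    """'First integrity authentication code information' on the terminal, and
    the 'third' on the base station: the resume id bound to the identity of
    the cell in which the request is sent or received. Assumption: plain
    concatenation; the page does not fix an encoding."""
    return resume_id.encode() + struct.pack(">H", cell_id & 0xFFFF)


@dataclass(frozen=True)
class ResumeRequest:
    """What goes over the air: part or all of the resume id, plus the MAC."""
    terminal_id: int
    stored_cell_id: Optional[int]   # None = cell part omitted (same as current cell)
    count: int                      # assumption: COUNT is known on both sides
    mac: bytes


def terminal_build_request(resume_id: ResumeId, current_cell_id: int,
                           count: int, key: bytes = DEMO_KEY) -> ResumeRequest:
    """Embodiment 1 (steps S102 to S106) on the terminal."""
    info = first_code_info(resume_id, current_cell_id)
    mac = integrity_code(key, info, BEARER_SRB1, DIR_UPLINK, count)   # second code
    # Omit the cell part when it equals the current cell, to save uplink resources.
    carried = None if resume_id.stored_cell_id == current_cell_id else resume_id.stored_cell_id
    return ResumeRequest(resume_id.terminal_id, carried, count, mac)


def base_station_verify(request: ResumeRequest, receiving_cell_id: int,
                        key: bytes = DEMO_KEY) -> bool:
    """Embodiment 2 (steps S302 to S306) on the base station."""
    # A missing cell part means "same as the cell the request arrived in".
    stored = receiving_cell_id if request.stored_cell_id is None else request.stored_cell_id
    info = first_code_info(ResumeId(request.terminal_id, stored), receiving_cell_id)  # third code
    expected = integrity_code(key, info, BEARER_SRB1, DIR_UPLINK, request.count)       # fourth code
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(expected, request.mac)


if __name__ == "__main__":
    rid = ResumeId(terminal_id=0x00ABCD, stored_cell_id=0x1234)
    same_cell = terminal_build_request(rid, current_cell_id=0x1234, count=7)
    print("cell part omitted:", same_cell.stored_cell_id is None)            # True
    print("verified in cell 0x1234:", base_station_verify(same_cell, 0x1234))  # True
    # The same request arriving in another cell fails: the receiving cell's
    # identity is bound into the MAC, so the omission is not a free pass.
    print("verified in cell 0x9999:", base_station_verify(same_cell, 0x9999))  # False
```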
Embodiment 3
This embodiment provides a method for processing resumption of the connection between a terminal and the network, including the following steps:
Step 1: the base station receives a request message sent by the terminal that carries resume identification information and second integrity authentication code information; the request message requests that the base station resume the connection between the terminal and the network.
The base station generates third message integrity authentication code information based on the following information: the resume identification information, and the identity of the cell receiving the request message containing the resume identification information.
The base station generates fourth integrity authentication code information based on the following information: the third integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
The base station verifies whether the fourth integrity authentication code information it generated matches the second integrity authentication code information received in the request message; if so, it determines that integrity protection of the request message is verified successfully.
Step 2: the base station resumes the connection with the terminal according to the resume identification information.
Optionally, before step 1, the base station may, but need not, send all or part of the resume identification information to the terminal. For example, the base station may send all or part of the resume identification information to the terminal when suspending the context information.
Optionally, before step 1, the base station may, but need not, allocate to the terminal the resources needed to send the request message.
Optionally, the request message may include, but is not limited to, one of: a resume request message, or a message carrying resume identification information.
Optionally, the message carrying resume identification information may include, but is not limited to, at least one of: a Radio Resource Control (RRC) connection request message, or an RRC connection re-establishment request message.
Optionally, the resume identification information may include, but is not limited to, at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
Optionally, the terminal identifier is a numerical value of 16 to 24 bits in length.
Optionally, the global cell identity may include, but is not limited to, at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
Optionally, the physical cell identity may include, but is not limited to, at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
Optionally, the base station identifier may include, but is not limited to, at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
Optionally, the numerical value of the predetermined bit length may include, but is not limited to, at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
Embodiment 4
This embodiment provides a method for processing resumption of the connection between a terminal and the network, including:
The terminal sends a request message carrying resume identification information and second message integrity authentication code information to the base station, where the request message requests that the base station resume the connection between the terminal and the network.
The second integrity authentication code information is generated based on the following information: the first integrity authentication code information, the key KEY, the bearer information BEARER, the message direction DIRECTION and the count value COUNT.
The first integrity authentication code information is constructed based on the following information: the resume identification information, and the identity of the cell in which the request message containing the resume identification information is sent.
Optionally, before the terminal sends the request message carrying the resume identification information to the base station, the terminal may receive the resume identification information allocated by the base station.
Optionally, the terminal may receive the resume identification information allocated by the base station when suspending the context information in the following ways: the terminal receives the resume identification information allocated by the base station through a connection suspend message when suspending the context information; and/or the terminal receives the resume identification information allocated by the base station through a connection release message when suspending the context information.
Optionally, the request message may include, but is not limited to, one of: a resume request message, or a message carrying resume identification information.
Optionally, the message carrying resume identification information may include, but is not limited to, at least one of: a Radio Resource Control (RRC) connection request message, or an RRC connection re-establishment request message.
Optionally, the resume identification information may include, but is not limited to, at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
Optionally, the terminal identifier is a numerical value of 16 to 24 bits in length.
Optionally, the global cell identity may include, but is not limited to, at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
Optionally, the physical cell identity may include, but is not limited to, at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
Optionally, the base station identifier may include, but is not limited to, at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
Optionally, the numerical value of the predetermined bit length may include, but is not limited to, at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
Embodiments of the invention also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
Step S102: the terminal generates first integrity authentication code information based on the following information: the resume identification information, and the identity of the cell in which the request message containing the resume identification information is sent, where the resume identification information identifies the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
Step S104: the terminal generates second integrity authentication code information based on the following information: the first integrity authentication code information, a key, bearer information, a message direction and a count value;
Step S106: the terminal sends the request message carrying the second integrity authentication code information to the base station.
Optionally, the storage medium is also configured to store program code for performing the following steps:
Step S302: the base station generates third integrity authentication code information based on at least the following information: the resume identification information, and the identity of the cell receiving the request message containing the resume identification information, where the resume identification information identifies the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
Step S304: the base station generates fourth integrity authentication code information based on the following information: the third integrity authentication code information, a key, bearer information, a message direction and a count value;
Step S306: the base station verifies whether the fourth integrity authentication code information it generated matches the second integrity authentication code information received from the terminal in the request message, and if so, determines that integrity protection of the request message is verified successfully.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Obviously, those skilled in the art should understand that the modules or steps of the invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; alternatively, they may each be fabricated as an individual integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
The foregoing describes only preferred embodiments of the invention and is not intended to limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (17)

1. A method for generating message integrity authentication information, comprising:
a terminal (UE) generating first integrity authentication code information based on at least the following information: resume identification information, and the identity of the cell in which a request message is sent, where the resume identification information identifies the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
the terminal generating second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, a message direction and a count value;
the terminal sending the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the resume identification information.
2. The method according to claim 1, wherein the resume identification information comprises at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
3. The method according to claim 2, wherein the terminal identifier is a numerical value of 16 to 24 bits in length.
4. The method according to claim 2, wherein the global cell identity comprises at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
5. The method according to claim 2, wherein the physical cell identity comprises at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
6. The method according to claim 2, wherein the base station identifier comprises at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
7. The method according to claim 2, wherein the numerical value of the predetermined bit length comprises at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
8. A method for verifying message integrity authentication information, comprising:
a base station receiving a request message sent by a terminal (UE), where the request message carries second integrity authentication code information and part or all of resume identification information, the resume identification information identifying the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
the base station generating third integrity authentication code information based on at least the following information: the resume identification information, and the identity of the cell receiving the request message;
the base station generating fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following information: a key, bearer information, a message direction and a count value;
the base station verifying whether the fourth integrity authentication code information it generated matches the second integrity authentication code information, and if so, determining that integrity protection of the request message is verified successfully.
9. The method according to claim 8, wherein the resume identification information comprises at least one of: a terminal identifier, a global cell identity, a physical cell identity, a base station identifier, or a numerical value of a predetermined bit length.
10. The method according to claim 9, wherein the terminal identifier is a numerical value of 16 to 24 bits in length.
11. The method according to claim 9, wherein the global cell identity comprises at least one of: the global cell identity of the cell in which the terminal was located when it suspended its context information, or the global cell identity of the cell that stores the terminal context information.
12. The method according to claim 9, wherein the physical cell identity comprises at least one of: the physical cell identity of the cell in which the terminal was located when it suspended its context information, or the physical cell identity of the cell that stores the terminal context information.
13. The method according to claim 9, wherein the base station identifier comprises at least one of: the identifier of the base station serving the terminal when it suspended its context information, or the identifier of the base station that stores the terminal context information.
14. The method according to claim 9, wherein the numerical value of the predetermined bit length comprises at least one of: a numerical value of fixed bit length, or a numerical value of 16 to 44 bits in length.
15. A device for generating message integrity authentication information, located at a terminal (UE), comprising:
a first generation module, configured to generate first integrity authentication code information based on at least the following information: resume identification information, and the identity of the cell in which a request message is sent, where the resume identification information identifies the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
a second generation module, configured to generate second integrity authentication code information based on at least the first integrity authentication code information and at least one of the following information: a key, bearer information, a message direction and a count value;
a sending module, configured to send the request message to a base station, where the request message carries the second integrity authentication code information and part or all of the resume identification information.
16. A device for verifying message integrity authentication information, located at a base station, comprising:
a receiving module, configured to receive a request message sent by a terminal (UE), where the request message carries second integrity authentication code information and part or all of resume identification information, the resume identification information identifying the context information, required by the user plane optimization mode, that was stored before the resume procedure is triggered;
a third generation module, configured to generate third integrity authentication code information based on at least the following information: the resume identification information, and the identity of the cell receiving the request message;
a fourth generation module, configured to generate fourth integrity authentication code information based on at least the third integrity authentication code information and at least one of the following information: a key, bearer information, a message direction and a count value;
a verification module, configured to verify whether the generated fourth integrity authentication code information matches the second integrity authentication code information, and if so, to determine that integrity protection of the request message is verified successfully.
17. A system for verifying message integrity authentication information, comprising a terminal (UE) and a base station, wherein:
the terminal comprises the device for generating message integrity authentication information according to claim 15;
the base station comprises the device for verifying message integrity authentication information according to claim 16.
CN201610200593.5A 2016-03-31 2016-03-31 The generation of message integrity authentication information and verification method, device and checking system Pending CN107294723A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610200593.5A CN107294723A (en) 2016-03-31 2016-03-31 The generation of message integrity authentication information and verification method, device and checking system
PCT/CN2017/077726 WO2017167102A1 (en) 2016-03-31 2017-03-22 Methods for generating and verifying message integrity authentication information, device, and verification system
Publications (1)

Publication Number Publication Date
CN107294723A true CN107294723A (en) 2017-10-24

Family

ID=59962564

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610200593.5A Pending CN107294723A (en) 2016-03-31 2016-03-31 The generation of message integrity authentication information and verification method, device and checking system

Country Status (2)

Country Link
CN (1) CN107294723A (en)
WO (1) WO2017167102A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019096265A1 (en) * 2017-11-16 2019-05-23 华为技术有限公司 Method and device for requesting connection recovery
CN109803259A (en) * 2017-11-16 2019-05-24 华为技术有限公司 A kind of request restores the method and device of connection
CN110149630A (en) * 2018-02-11 2019-08-20 华为技术有限公司 A kind of negotiation of security algorithm, sending method and device
WO2019178755A1 (en) * 2018-03-20 2019-09-26 Oppo广东移动通信有限公司 Method for integrity validation, network device, ue, and computer storage medium
WO2019191974A1 (en) * 2018-04-04 2019-10-10 Zte Corporation Techniques to manage integrity protection
WO2021196167A1 (en) * 2020-04-03 2021-10-07 Oppo广东移动通信有限公司 Information processing method and apparatus, device and storage medium
CN113950121A (en) * 2020-07-15 2022-01-18 大唐移动通信设备有限公司 Context recovery method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100488281C (en) * 2005-08-24 2009-05-13 华为技术有限公司 Method for acquring authentication cryptographic key context from object base station
CN101931898B (en) * 2009-06-26 2014-03-05 华为技术有限公司 Method, device and system for transmitting user plane data
CN102594555B (en) * 2011-01-17 2015-04-29 华为技术有限公司 Security protection method for data, entity on network side and communication terminal
CN102685741B (en) * 2011-03-09 2014-12-03 华为终端有限公司 Access authentication processing method and system, terminal as well as network equipment

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11627623B2 (en) 2017-11-16 2023-04-11 Huawei Technologies Co., Ltd. Connection resume request method and apparatus
CN109803259A (en) * 2017-11-16 2019-05-24 华为技术有限公司 A kind of request restores the method and device of connection
CN109803258A (en) * 2017-11-16 2019-05-24 华为技术有限公司 A kind of request restores the method and device of connection
WO2019096265A1 (en) * 2017-11-16 2019-05-23 华为技术有限公司 Method and device for requesting connection recovery
CN109803258B (en) * 2017-11-16 2021-10-19 华为技术有限公司 Method and device for requesting to recover connection
CN110149630A (en) * 2018-02-11 2019-08-20 华为技术有限公司 Security algorithm negotiation and sending method and device
WO2019178755A1 (en) * 2018-03-20 2019-09-26 Oppo广东移动通信有限公司 Method for integrity validation, network device, ue, and computer storage medium
WO2019191974A1 (en) * 2018-04-04 2019-10-10 Zte Corporation Techniques to manage integrity protection
US11770467B2 (en) 2018-04-04 2023-09-26 Zte Corporation Techniques to manage integrity protection
US11711455B2 (en) 2018-04-04 2023-07-25 Zte Corporation Techniques to manage integrity protection
WO2021196167A1 (en) * 2020-04-03 2021-10-07 Oppo广东移动通信有限公司 Information processing method and apparatus, device and storage medium
CN113950121B (en) * 2020-07-15 2023-03-31 大唐移动通信设备有限公司 Context recovery method and device
CN113950121A (en) * 2020-07-15 2022-01-18 大唐移动通信设备有限公司 Context recovery method and device

Also Published As

Publication number Publication date
WO2017167102A1 (en) 2017-10-05

Similar Documents

Publication Publication Date Title
CN107294723A (en) The generation of message integrity authentication information and verification method, device and checking system
CN108271125B (en) Data transmitting method, data receiving method and device
CN112203336B (en) Wireless access control method, device and system
CN108605225B (en) Safety processing method and related equipment
KR102419048B1 (en) Method and system for transmitting temporary identifiers
CN107846270B (en) Transmission strategy configuration method and device, and information transmission method and device
CN107396455A (en) Connection processing method and device
CN103841547B (en) Downlink data transmission method, apparatus and system
CN111447678A (en) Communication method and communication device
JP6697075B2 (en) Method for data transmission in vehicle-to-vehicle / road-to-vehicle communication system
CN110891324B (en) RRC connection method, device and system
CN107241815A (en) Device and method for handling a radio resource control link recovery procedure
CN110167192B (en) Bluetooth connection management method and device, electronic equipment and non-transient storage medium
CN107872290A (en) Method for identifying a UE, network side equipment, UE and system
CN110418432A (en) Device and method for handling radio resource control reestablishment
CN107046734A (en) Transmission method and device for data carried over NAS
CN104936306B (en) MTC device group small data secure transmission connection establishment method, HSS and system
CN103813308B (en) Uplink data transmission method, apparatus and system
CN108702303B (en) Method and equipment for carrying out security configuration on radio bearer
CN110087338B (en) Method and equipment for authenticating narrowband Internet of things
CN103281693A (en) Wireless communication authentication method, network translation equipment and terminal
CN114302506B (en) Protocol stack unit based on artificial intelligence AI, data processing method and device
CN112438058B (en) System message updating method, device and storage medium
WO2017036107A1 (en) Differentiated network access method for user equipment, base station and computer storage medium
CN112788795B (en) Connection recovery method and device

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171024