WO2015113197A1 - Apparatus and method for encrypting data - Google Patents

Apparatus and method for encrypting data

Publication number
WO2015113197A1
WO2015113197A1 PCT/CN2014/071651 CN2014071651W WO2015113197A1 WO 2015113197 A1 WO2015113197 A1 WO 2015113197A1 CN 2014071651 W CN2014071651 W CN 2014071651W WO 2015113197 A1 WO2015113197 A1 WO 2015113197A1
Authority
WO
WIPO (PCT)
Prior art keywords
handover
ncc
mme
request message
enb
Prior art date
Application number
PCT/CN2014/071651
Other languages
English (en)
Chinese (zh)
Inventor
张丽佳
张冬梅
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to CN201480000843.XA (patent CN105103577B)
Priority to PCT/CN2014/071651 (patent WO2015113197A1)
Publication of WO2015113197A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W36/00 Hand-off or reselection arrangements
    • H04W36/24 Reselection being triggered by specific parameters

Definitions

  • the present invention relates to the field of wireless communications, and in particular, to an apparatus and method for encrypting data.
  • Background
  • When a user equipment (UE) performs a specific service, such as an MTC (Machine Type Communication) service, it consumes a large amount of network resources. To prevent the UE performing the specific service from impacting the normal network, an evolved Node B (eNB) redirects the UE performing the specific service from the normal network to the specific network, and encrypts the data communicated between the eNB and the UE.
  • a method for encrypting data is provided, which may be: when a UE is attached to a common network, the first MME (Mobility Management Entity) of the common network learns from the subscription information of the UE that the UE needs to be normal.
  • the first MME sends a handover trigger message to the eNB, where the message includes the cause value of the handover (the core network triggered handover); the eNB sends a handover required message to the first MME, and the first MME calculates the first NCC and the first NH, where the first NCC is obtained according to the current second NCC, and the first NH is obtained according to the current second NH.
  • the first MME sends a forward relocation request message to the second MME of the specific network, where the forward relocation request message carries the first NCC and the first NH; the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB, where the handover request message carries the first NCC and the first NH; the eNB receives the handover request message sent by the second MME, calculates the updated key KeNB* according to the first NCC and the first NH, and encrypts the data communicated between the eNB and the UE according to the KeNB*.
  • the prior art has at least the following problems:
  • the handover procedure is performed, and the eNB does not send a handover command message to the UE.
  • the UE cannot obtain the first NCC according to the handover command message, and can not calculate the updated key KeNB*, so that the KeNB on the eNB side and the KeNB on the UE side are not synchronized.
  • the present invention provides an apparatus and method for encrypting data.
  • the technical solution is as follows:
  • the present invention provides an apparatus for encrypting data, the apparatus comprising:
  • a first receiving module configured to receive a handover trigger message sent by the first mobility management entity MME, where the handover trigger message carries an identifier of the user equipment UE;
  • a second receiving module configured to receive a handover request message sent by the second MME
  • a maintaining module configured to keep the key KeNB shared between the evolved base station eNB and the UE unchanged;
  • an encryption module configured to encrypt the data communicated between the eNB and the UE according to the KeNB.
  • the device further includes: a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core network triggered switch;
  • a first sending module configured to send a handover required message to the first MME, where the handover request message carries the handover reason, so that the first MME sends a forward relocation request message to the second MME, where The forward relocation request message carries the handover reason, so that the second MME sends the handover request message to the eNB.
  • the handover request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is Obtained by the MME according to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the handover request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the forward relocation request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the forward relocation request message carries a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • the holding module includes:
  • a determining unit configured to determine, according to the handover trigger message or the handover request message, that the handover reason is a core network triggered handover;
  • the present invention provides an apparatus for encrypting data, the apparatus comprising:
  • a second sending module configured to send a handover trigger message to the evolved base station eNB, where the handover trigger message carries an identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity according to the handover trigger message.
  • a third receiving module configured to receive the handover required message sent by the eNB
  • the acquiring module is configured to obtain a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC, and the second NH is the current NH;
  • a third sending module configured to send a forward relocation request message to the second mobility management entity MME, where the forward relocation request message carries a handover reason, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB.
  • the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries the second NCC and the second NH.
  • the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the forward relocation request message carries the second NCC and the second NH.
  • the device further includes: a first carrying module, configured to set a next hop indication NHI of the forward relocation request message to a preset identifier, and carry the second NCC and the second NH, or
  • the present invention provides a method of encrypting data, the method comprising:
  • the key KeNB shared between the evolved base station eNB and the UE is kept unchanged, and data communicated between the eNB and the UE is encrypted according to the KeNB.
  • the method further includes:
  • the handover request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME according to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or,
  • the handover request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the forward relocation request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the forward relocation request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the key KeNB shared by the eNodeB eNB and the UE is unchanged, and includes:
  • the present invention provides a method for encrypting data, where the method includes: sending a handover trigger message to an evolved base station eNB, where the handover trigger message carries the identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message;
  • the second NCC is the current NCC
  • the second NH is the current NH
  • the handover request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries the second NCC and the second NH.
  • the forward relocation request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the forward relocation request message carries the second NCC and the second NH.
  • the method before the sending the relocation request message to the second mobility management entity (MME), the method further includes:
  • the present invention provides an apparatus for encrypting data, the apparatus comprising: a first memory and a first processor, a method for performing encrypted data according to any of the preceding claims.
  • the present invention provides an apparatus for encrypting data, the apparatus comprising: a second memory and a second processor, a method for performing encrypted data according to any of the claims of the fourth aspect.
  • the eNB receives the handover trigger message sent by the first MME, and receives the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network; the eNB acquires the current KeNB shared with the UE, and uses the KeNB as the key KeNB* updated after the MME handover, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • FIG. 1 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for encrypting data according to Embodiment 3 of the present invention.
  • FIG. 4 is a flowchart of a method for encrypting data according to Embodiment 4 of the present invention.
  • FIG. 5 is a flowchart of a method for encrypting data according to Embodiment 5 of the present invention.
  • FIG. 6 is a flowchart of a method for encrypting data according to Embodiment 6 of the present invention.
  • FIG. 7 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 7 of the present invention.
  • FIG. 8 is a schematic structural diagram of an apparatus for encrypting data according to Embodiment 8 of the present invention.
  • Detailed description
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the apparatus includes: a first receiving module 101, configured to receive a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of a user equipment UE;
  • the first MME obtains the identifier of the UE, and sends a handover trigger message to the first receiving module 101, when the first MME needs to switch from the first MME of the common network to the second MME of the specific network.
  • the handover trigger message carries the identity of the UE.
  • the eNB receives the handover trigger message sent by the first MME.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identity of the UE is the MME UE S1AP (Access Point) ID (identity identification number), that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • the UE initiates an attach procedure to the normal network, and establishes a PDN (Public Data Network) connection with the S-GW (Serving Gateway) or the P-GW (PDN Gateway) on the network side.
  • the second receiving module 102 is configured to receive a handover request message sent by the second MME.
  • the second MME sends a handover request message to the second receiving module 102, and the second receiving module 102 receives the handover request message sent by the second MME, in order to redirect the UE from the first MME to the second MME.
  • the second receiving module 102 when receiving the handover request message sent by the second MME, the second receiving module 102 sends a handover confirmation message to the second MME.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • the maintaining module 103 is configured to keep the key KeNB shared between the evolved base station eNB and the UE unchanged;
  • the holding module 103 includes:
  • a determining unit configured to determine, according to the handover trigger message or the handover request message, that the handover reason is a core network triggered handover;
  • because the handover trigger message is sent by the first MME, the determining unit may determine, according to the handover trigger message sent by the first MME, that the handover reason is a handover triggered by the core network.
  • the handover request message carries the handover cause, and the determining unit may determine, according to the handover reason, that the handover cause is a handover triggered by the core network.
  • the handover triggered by the core network only switches the MME to which the UE is attached, and the cell and the base station where the UE is located do not change.
  • the holding unit is used to keep the KeNB unchanged.
  • the holding unit acquires the KeNB shared between the current eNB and the UE, and uses the KeNB as the key KeNB* after the MME is switched.
  • the encryption module 104 is configured to encrypt data communicated between the eNB and the UE according to the KeNB or the KeNB*.
  • the encryption module 104 calculates the first key and the second key according to the KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key.
  • the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • the device further includes:
  • a determining module configured to determine, according to the handover trigger message, that the handover reason is a core network triggered handover;
  • the first sending module is configured to send a handover required message to the first MME, where the handover request message carries a handover reason, so that the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason So that the second MME sends the handover request message to the eNB.
  • the determining module determines, according to the handover trigger message, that the handover reason is a handover triggered by the core network, and the first sending module sends a handover required message to the first MME.
  • the handover requires the message to carry the handover reason;
  • the first MME receives the handover required message sent by the first sending module, and sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason;
  • the reason for the handover carried in the forward relocation request message is used to notify the second MME to switch to the core network triggered handover.
  • the forward relocation request message may also carry Kasme and KSI (Key Set Identifier), and the Kasme and KSI are used to derive the non-access stratum NAS key.
  • the handover request message may not carry any {NCC, NH} pair information; the handover request message may also carry a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or the handover request message carries the second next hop chain counter NCC and the second next hop NH, where the second NCC is the current NCC and the second NH is the current NH.
  • the first MME obtains the second NCC and the second NH when receiving the handover required message; if the first MME calculates the first NCC and the first NH according to the second NCC and the second NH, the handover request message carries the first NCC and the first NH; if the first MME does not calculate the first NCC and the first NH according to the second NCC and the second NH, the handover request message carries the second NCC and the second NH.
  • the handover request message may further carry a handover reason.
  • the forward relocation request message carries the first NCC and the first NH.
  • the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH.
  • the second NCC is the current NCC, and the second NH is the current NH; or the forward relocation request message carries the second NCC and the second NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the second MME sends a forward relocation response message to the first MME.
  • the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH according to the second NH, and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME, and acquires the first {NCC, NH} pair.
  • the eNB receives the handover trigger message sent by the first MME, and receives the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network; the eNB acquires the current KeNB shared with the UE, and uses the KeNB as the key KeNB* updated after the MME handover, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the device includes: The second sending module 201 is configured to send a handover trigger message to the evolved base station eNB, where the handover trigger message carries the identifier of the user equipment UE, so that the eNB sends a handover requirement message according to the handover trigger message;
  • the first MME obtains the identifier of the UE when the UE needs to switch from the first MME of the common network to the second MME of the specific network, and the second sending module 201 sends a handover trigger message to the first receiving.
  • the handover trigger message carries an identifier of the UE.
  • the eNB receives the handover trigger message sent by the first MME.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • the UE initiates an attach procedure to the normal network, and establishes a PDN connection with the S-GW or P-GW on the network side.
  • the third receiving module 202 is configured to receive the handover required message sent by the eNB;
  • the eNB sends a handover required message to the third receiving module 202 according to the handover trigger message, and the third receiving module 202 receives the handover required message sent by the eNB.
  • An acquiring module configured to obtain a second next hop chain counter NCC and a second next hop NH, where the second NCC is the current NCC, and the second NH is the current NH;
  • the third sending module 203 is configured to send a forward relocation request message to the second mobility management entity MME, where the forward relocation request message carries a handover reason, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB.
  • the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries a second NCC and a second NH.
  • the handover request message may further carry a handover reason.
  • the third receiving module 202 receives the handover required message sent by the eNB, confirms according to the handover reason in the handover required message that the handover is triggered by the core network, acquires the second {NCC, NH} pair, and calculates the first {NCC, NH} pair according to the second {NCC, NH} pair, that is, the second NCC is incremented by one to obtain the first NCC, and the first NH is calculated according to the second NH.
  • the second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair, and includes the first NCC and the first NH.
  • the second NCC is the current NCC; the second NH is the current NH.
  • the first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason and the first {NCC, NH} pair, or the forward relocation request message carries the handover reason and the second {NCC, NH} pair.
  • the second MME receives the forward relocation request message sent by the first MME, and sends a handover request message to the eNB.
  • the reason for the handover carried in the forward relocation request message is used to notify the second MME to switch to the core network triggered handover.
  • the forward relocation request message may also carry Kasme and KSI, and the Kasme and KSI are used to derive the non-access stratum NAS key.
  • the second MME receives the forward relocation request message sent by the first MME, and determines that the handover is triggered by the core network according to the handover reason in the forward relocation request message, and the handover request message sent by the second MME to the eNB does not carry any {NCC, NH} pair information; or, if the forward relocation request message carries the first {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines, according to the handover reason in the forward relocation request message, that the handover is triggered by the core network, and acquires the first {NCC, NH} pair from the forward relocation request message, where the second MME sends the handover request message to the eNB.
  • the second MME is any MME other than the first MME.
  • the second MME is not specifically limited.
  • the second MME is a specific MME.
  • the eNB receives the handover request message sent by the second MME, and sends a handover confirmation message to the second MME; the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • the eNB determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network, acquires the KeNB shared between the current eNB and the UE, and uses the KeNB as the key KeNB* after the MME handover; the eNB calculates the first key and the second key according to the KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • the second MME sends a forward relocation response message to the first MME.
  • the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH according to the second NH, and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME, and acquires the first {NCC, NH} pair.
  • the device further includes:
  • a first carrying module configured to set a next hop indication NHI of the forward relocation request message to a preset identifier, and carry a second NCC and a second NH, or
  • a second carrying module configured to set the next hop indication NHI_old of the old Evolved Packet System (EPS) security context of the forward relocation request message to a preset identifier, and carry the second NCC and the second NH.
  • the eNB receives the handover trigger message sent by the first MME, and receives the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network; the eNB acquires the current KeNB shared with the UE, and uses the KeNB as the key KeNB* updated after the MME handover, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 301: Receive a handover trigger message sent by a first MME, where the handover trigger message carries an identifier of the UE;
  • Step 302 Receive a handover request message sent by the second MME.
  • Step 303 Keep the key KeNB shared between the eNB and the UE unchanged, and encrypt the data communicated between the eNB and the UE according to the KeNB.
  • the eNB receives the handover trigger message sent by the first MME, and receives the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network; the eNB acquires the current KeNB shared with the UE, and uses the KeNB as the key KeNB* updated after the MME handover, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Example 4
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 401: A first MME sends a handover trigger message to an eNB, where the handover trigger message carries an identifier of the UE;
  • when the first MME learns that the UE needs to be handed over from the first MME of the common network to the second MME of the specific network, the first MME acquires the identifier of the UE, and sends a handover trigger message to the eNB, where the handover trigger message carries the identifier of the UE.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • step 401 the UE initiates an attach procedure to the normal network and establishes a PDN connection with the S-GW or the P-GW on the network side.
  • Step 402 The eNB receives a handover trigger message sent by the first MME, and determines, according to the handover trigger message, that the handover reason is a handover triggered by the core network.
  • the eNB may determine, according to the handover trigger message sent by the first MME, that the handover reason is a handover triggered by the core network. In a handover triggered by the core network, only the MME to which the UE is attached is switched, and the cell and the base station where the UE is located do not change.
  • Step 403 The eNB sends a handover required message to the first MME, where the handover required message carries the handover reason;
  • Step 404 The first MME receives a handover required message sent by the eNB, and calculates a first NCC and a first NH according to the handover required message.
  • the first MME receives the handover required message sent by the eNB, confirms, according to the handover required message, that the handover reason is a handover triggered by the core network, acquires a second {NCC, NH} pair, and calculates the first {NCC, NH} pair according to the second {NCC, NH} pair, that is, the second NCC is incremented by one to obtain the first NCC, and the first NH is calculated based on the second NH.
  • the second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and includes the first NCC and the first NH.
  • the second NCC is the current NCC; the second NH is the current NH.
  • Step 405 The first MME sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason and the first {NCC, NH} pair;
  • the handover reason carried in the forward relocation request message is used to notify the second MME that the handover is a handover triggered by the core network.
  • the forward relocation request message may further carry a Kasme and a KSI (Key Set Identifier), where the Kasme and the KSI are used to derive a non-access stratum NAS key.
  • the second MME is any MME other than the first MME.
  • the second MME is not specifically limited.
  • the second MME is a specific MME.
  • Step 406 The second MME receives the forward relocation request message sent by the first MME, and sends a handover request message to the eNB.
  • the second MME receives the forward relocation request message sent by the first MME, and determines, according to the handover reason in the forward relocation request message, that the handover is triggered by the core network, and the second MME sends the handover request message to the eNB.
  • the second MME receives the forward relocation request message sent by the first MME, determines, according to the handover reason in the forward relocation request message, that the handover is triggered by the core network, obtains the first {NCC, NH} pair from the forward relocation request message, and carries the first {NCC, NH} pair in the handover request message sent by the second MME to the eNB.
  • the handover request message may further carry a handover reason.
  • Step 407 The eNB receives the handover request message sent by the second MME, and sends a handover confirmation message to the second MME.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • Step 408 The eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts data communicated between the eNB and the UE according to the KeNB or KeNB*.
  • the eNB determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE, and uses the KeNB as the key KeNB* after the MME is switched;
  • the eNB calculates the first key and the second key according to the KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key. It should be noted that, if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
  • Step 409 The second MME sends a forward relocation response message to the first MME.
  • the second MME sends a path change message to the eNB.
  • the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME, and acquires the first {NCC, NH} pair.
  • The eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network. The eNB acquires the KeNB currently shared with the UE and uses the KeNB as the key KeNB* updated after the handover of the MME, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 501: Send a handover trigger message to an eNB, where the handover trigger message carries an identifier of the UE, so that the eNB sends a handover required message to the first MME according to the handover trigger message;
  • Step 502 Receive the handover required message sent by the eNB, and obtain a second NCC and a second NH, where the second NCC is the current NCC, and the second NH is the current NH;
  • Step 503 Send a forward relocation request message to the second MME, where the forward relocation request message carries a handover reason, so that the second MME sends a handover request message to the eNB, and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
  • The eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network. The eNB acquires the KeNB currently shared with the UE and uses the KeNB as the key KeNB* updated after the handover of the MME, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide a method of encrypting data.
  • the method includes: Step 601: The first MME sends a handover trigger message to the eNB, where the handover trigger message carries the identifier of the UE.
  • when the first MME learns that the UE needs to be handed over from the first MME of the common network to the second MME of the specific network, the first MME acquires the identifier of the UE and sends a handover trigger message to the eNB, where the handover trigger message carries the identifier of the UE.
  • the identifier of the UE is any identifier that can identify the UE.
  • the identifier of the UE is not specifically limited.
  • the identifier of the UE is the MME UE S1AP ID, that is, the identifier with which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier with which the eNB uniquely identifies the UE on the S1 interface.
  • the first MME is an MME to which the UE is currently attached.
  • Before step 601, the UE initiates an attach procedure to the normal network, and establishes a PDN connection with the S-GW or the P-GW on the network side.
  • Step 602 The eNB receives a handover trigger message sent by the first MME, and determines, according to the handover trigger message, that the handover cause is a handover triggered by the core network.
  • the eNB may determine, according to the handover trigger message sent by the first MME, that the handover reason is a handover triggered by the core network. In a handover triggered by the core network, only the MME to which the UE is attached is switched, and the cell and the base station where the UE is located do not change.
  • Step 603 The eNB sends a handover required message to the first MME, where the handover required message carries the handover reason;
  • the reason for the handover is used to indicate that the MME to which the UE is attached is to be switched, and the reason for the handover may be any indication message.
  • the reason for the handover is not specifically limited.
  • the reason for the handover may be a handover reason (core network triggered handover).
  • Step 604 The first MME receives the handover required message sent by the eNB, and sends a forward relocation request message to the second MME according to the handover required message.
  • the first MME receives the handover required message sent by the eNB, determines, according to the handover reason in the handover required message, that the handover is triggered by the core network, and sends a forward relocation request message to the second MME, where the forward relocation request message carries the handover reason and the second {NCC, NH} pair;
  • the second {NCC, NH} pair is the current {NCC, NH} pair, or the old {NCC, NH} pair, and includes the second NCC and the second NH; the second NCC is the current NCC, and the second NH is the current NH.
  • the handover reason carried in the forward relocation request message is used to notify the second MME that the handover is a handover triggered by the core network.
  • the forward relocation request message may further carry Kasme and KSI, and the Kasme and KSI are used to derive a non-access stratum NAS key.
  • the second MME is any MME other than the first MME.
  • the second MME is not specifically limited.
  • the second MME is a specific MME.
  • Step 605 The second MME receives the forward relocation request message sent by the first MME, and sends a handover request message to the eNB.
  • the second MME receives the forward relocation request message sent by the first MME, determines, according to the handover reason in the forward relocation request message, that the handover is triggered by the core network, and sends the handover request message to the eNB, where the handover request message does not carry the information of the {NCC, NH} pair; or the second MME receives the forward relocation request message sent by the first MME, determines, according to the handover reason in the forward relocation request message, that the handover is triggered by the core network, obtains the second {NCC, NH} pair from the forward relocation request message, and carries the second {NCC, NH} pair in the handover request message sent by the second MME to the eNB.
  • the handover request message may further carry a handover reason.
  • the NHI (Next Hop Indicator) of the forward relocation request message is set to a preset identifier, and the message carries the second NCC and the second NH; or the NHI_old (Next Hop Indicator for Old EPS (Evolved Packet System) Security Context, the next hop indication of the old EPS security context) of the forward relocation request message is set to a preset identifier, and the message carries the second NCC and the second NH.
  • the preset identifier is any identifier that can identify the NHI or the NHI_old.
  • the preset identifier is not specifically limited, for example, the preset identifier is 1.
  • Step 606 The eNB receives the handover request message sent by the second MME, and sends a handover confirmation message to the second MME.
  • the handover confirmation message is used to notify the second MME that the handover can be performed.
  • Step 607 The eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts data communicated between the eNB and the UE according to the KeNB or KeNB*.
  • the eNB determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network, acquires the KeNB currently shared between the eNB and the UE, and uses the KeNB as the key KeNB* after the MME is switched; the eNB calculates the first key and the second key according to the KeNB*, and performs encryption and integrity protection on the data communicated between the eNB and the UE by using the first key and the second key.
  • the eNB ignores the second {NCC, NH} pair and keeps the KeNB unchanged.
  • Step 608 The second MME sends a forward relocation response message to the first MME.
  • the second MME calculates a first {NCC, NH} pair according to the second {NCC, NH} pair, and sends a path change message to the eNB, where the path change message carries the first {NCC, NH} pair.
  • the eNB receives the path change message sent by the second MME, and acquires the first {NCC, NH} pair.
  • the second MME increments the second NCC by one to obtain the first NCC, and calculates the first NH according to the second NH. The second {NCC, NH} pair is the current {NCC, NH} pair and includes the second NCC and the second NH; the first {NCC, NH} pair is a fresh {NCC, NH} pair and includes the first NCC and the first NH.
  • The eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network. The eNB acquires the KeNB currently shared with the UE and uses the KeNB as the key KeNB* updated after the handover of the MME, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
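The following Python example is added here and is not part of the patent text. It models the {NCC, NH} update performed by an MME (step 404, and the second MME after step 608) and the eNB's choice of KeNB* (steps 408 and 607), and compares the resulting keys with those of a UE that keeps its KeNB. Assumptions: the KDF layout and FC constants follow 3GPP TS 33.401 Annex A, which this page does not spell out; the reason labels, sample keys, PCI/EARFCN-DL values, algorithm identifiers and the mapping of the first key to ciphering and the second key to integrity are constructed for illustration.

```python
import hashlib
import hmac

# KDF constants as in 3GPP TS 33.401 Annex A (assumed; the page gives no formulas).
FC_NH, FC_KENB_STAR, FC_ALG_KEY = 0x12, 0x13, 0x15
RRC_ENC_ALG, RRC_INT_ALG = 0x03, 0x04       # algorithm type distinguishers
CN_TRIGGERED = "core-network-triggered"     # hypothetical label for the handover reason
RADIO_TRIGGERED = "radio-triggered"         # hypothetical label for an ordinary handover


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (2-byte lengths)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def first_pair(kasme: bytes, second_ncc: int, second_nh: bytes):
    """MME side: derive the fresh (first) pair from the current (second) pair."""
    first_ncc = (second_ncc + 1) % 8         # NCC is a 3-bit counter in TS 33.401
    first_nh = kdf(kasme, FC_NH, second_nh)  # first NH calculated from the second NH
    return first_ncc, first_nh


def enb_kenb_star(kenb, reason, pair, pci=b"\x00\x2a", earfcn_dl=b"\x0b\xb8"):
    """eNB side: choose the key used after the handover."""
    if reason == CN_TRIGGERED:
        return kenb                          # ignore the pair: KeNB* = KeNB
    _ncc, nh = pair                          # contrast case: derive KeNB* from the NH
    return kdf(nh, FC_KENB_STAR, pci, earfcn_dl)


def as_keys(kenb_star: bytes, enc_alg: int = 2, int_alg: int = 2):
    """First key (ciphering) and second key (integrity), truncated to 128 bits."""
    k_enc = kdf(kenb_star, FC_ALG_KEY, bytes([RRC_ENC_ALG]), bytes([enc_alg]))[-16:]
    k_int = kdf(kenb_star, FC_ALG_KEY, bytes([RRC_INT_ALG]), bytes([int_alg]))[-16:]
    return k_enc, k_int


def keys_in_sync(reason_at_enb: str) -> bool:
    """Run one MME change and report whether eNB and UE hold the same keys."""
    kasme = bytes(range(32))                        # constructed sample K_ASME
    kenb = hashlib.sha256(b"sample KeNB").digest()  # constructed sample KeNB
    second = (1, kdf(kasme, FC_NH, kenb))           # current {NCC, NH} pair
    fresh = first_pair(kasme, *second)              # carried in the handover request
    enb_keys = as_keys(enb_kenb_star(kenb, reason_at_enb, fresh))
    ue_keys = as_keys(kenb)                         # cell unchanged, UE keeps its KeNB
    return enb_keys == ue_keys


if __name__ == "__main__":
    print("core-network-triggered:", keys_in_sync(CN_TRIGGERED))
    print("treated as an ordinary handover:", keys_in_sync(RADIO_TRIGGERED))
```

If the eNB applied the fresh NH instead of ignoring it, its ciphering and integrity keys would diverge from the UE's, which is the desynchronization the embodiments avoid by keeping the KeNB unchanged.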
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the apparatus includes: a first memory 701 and a first processor 702 for performing the following method of encrypting data:
  • the key KeNB shared between the evolved base station eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB.
  • the method further includes:
  • the handover request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the handover request message carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • the forward relocation request message carries a first next hop chain counter NCC and a first next hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME according to the second NH, the second NCC is the current NCC, and the second NH is the current NH; or
  • the forward relocation request carries a second next hop chain counter NCC and a second next hop NH, the second NCC is the current NCC, and the second NH is the current NH.
  • keeping the key KeNB shared between the evolved base station eNB and the UE unchanged includes:
  • determining, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network, and keeping the KeNB unchanged.
  • The eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network. The eNB acquires the KeNB currently shared with the UE and uses the KeNB as the key KeNB* updated after the handover of the MME, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
  • Embodiments of the present invention provide an apparatus for encrypting data.
  • the apparatus includes: a second memory 801 and a second processor 802 for performing the following method of encrypting data:
  • sending a handover trigger message to the evolved base station eNB, where the handover trigger message carries the identifier of the user equipment UE, so that the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message;
  • the second NCC is the current NCC
  • the second NH is the current NH
  • the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC, and the first NH is calculated by the first MME according to the second NH; or
  • the handover request message carries a second NCC and a second NH.
  • the forward relocation request message carries the first NCC and the first NH, and the first NCC is obtained by the first MME according to the second NCC, and the first NH is calculated by the first MME according to the second NH;
  • the forward relocation request message carries the second NCC and the second NH.
  • the method further includes:
  • the next hop indication NHI_old of the old evolved packet system EPS security context of the forward relocation request message is set to a preset identifier, and carries the second NCC and the second NH.
  • The eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, and determines, according to the handover trigger message or the handover request message, that the handover reason is a handover triggered by the core network. The eNB acquires the KeNB currently shared with the UE and uses the KeNB as the key KeNB* updated after the handover of the MME, that is, the KeNB between the eNB and the UE is kept unchanged, and the data communicated between the eNB and the UE is encrypted according to the KeNB or KeNB*, which ensures that the KeNB on the eNB side is synchronized with the KeNB on the UE side.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention belongs to the field of wireless communications. Disclosed are an apparatus and a method for encrypting data. The method comprises: receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying an identifier of a user equipment (UE); receiving a handover request message sent by a second MME; and keeping a key KeNB shared between an evolved NodeB (eNB) and the UE unchanged, and encrypting data communicated between the eNB and the UE according to the KeNB. The apparatus comprises a first receiving module, a second receiving module, a keeping module and an encryption module. In the present invention, it is determined according to the handover trigger message or the handover request message that a handover is triggered by the core network, and the eNB acquires the KeNB currently shared with the UE and keeps the KeNB between the eNB and the UE unchanged, thereby ensuring synchronization of the KeNB on the eNB side and the UE side.
PCT/CN2014/071651 2014-01-28 2014-01-28 Apparatus and method for encrypting data WO2015113197A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201480000843.XA CN105103577B (zh) 2014-01-28 2014-01-28 Apparatus and method for encrypting data
PCT/CN2014/071651 WO2015113197A1 (fr) 2014-01-28 2014-01-28 Apparatus and method for encrypting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/071651 WO2015113197A1 (fr) 2014-01-28 2014-01-28 Apparatus and method for encrypting data

Publications (1)

Publication Number Publication Date
WO2015113197A1 true WO2015113197A1 (fr) 2015-08-06

Family

ID=53756094

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/071651 WO2015113197A1 (fr) 2014-01-28 2014-01-28 Apparatus and method for encrypting data

Country Status (2)

Country Link
CN (1) CN105103577B (fr)
WO (1) WO2015113197A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10455414B2 (en) 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
US10820193B2 (en) 2017-03-17 2020-10-27 Telefonaktiebolaget Lm Ericsson (Publ) Network node for use in a communication network, a communication device and methods of operating the same
US11019488B1 (en) 2017-11-20 2021-05-25 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
US11096045B2 (en) 2017-01-30 2021-08-17 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during idle mode

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111031486B (zh) * 2018-10-10 2021-05-11 电信科学技术研究院有限公司 Location service key distribution method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
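CN101291536A (zh) * 2008-05-30 2008-10-22 中兴通讯股份有限公司 Handover method for load rebalancing of a mobility management entity
CN101500271A (zh) * 2008-02-01 2009-08-05 华为技术有限公司 Method and device for implementing load balancing of core network equipment
CN101552983A (zh) * 2008-04-01 2009-10-07 华为技术有限公司 Key generation method, key generation apparatus, mobility management entity and user equipment
CN103139771A (zh) * 2011-11-25 2013-06-05 中兴通讯股份有限公司 Method and *** for key generation during handover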

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101400059B (zh) * 2007-09-28 2010-12-08 华为技术有限公司 Method and device for key update in active state
CN101325483B (zh) * 2008-07-28 2011-06-15 中国电信股份有限公司 Symmetric key update method and symmetric key update apparatus

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10455414B2 (en) 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
US11096045B2 (en) 2017-01-30 2021-08-17 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during idle mode
US11432141B2 (en) 2017-01-30 2022-08-30 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during connected mode
US11743718B2 (en) 2017-01-30 2023-08-29 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during connected mode
US11924630B2 (en) 2017-01-30 2024-03-05 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during idle mode
US10820193B2 (en) 2017-03-17 2020-10-27 Telefonaktiebolaget Lm Ericsson (Publ) Network node for use in a communication network, a communication device and methods of operating the same
US11019488B1 (en) 2017-11-20 2021-05-25 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
US11388592B2 (en) 2017-11-20 2022-07-12 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover

Also Published As

Publication number Publication date
CN105103577A (zh) 2015-11-25
CN105103577B (zh) 2019-05-24

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480000843.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14880624

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14880624

Country of ref document: EP

Kind code of ref document: A1