CN101001252A - Registration method, negotiation method and device for a user plane security algorithm - Google Patents
- Publication number: CN101001252A (application CN200610091966A)
- Authority: CN (China)
- Prior art keywords: mme, upe, negotiation, security algorithm, registration
- Prior art date
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
- Classification: Mobile Radio Communication Systems
Abstract
This invention provides a registration method, and a negotiation method and device, for a user plane security algorithm. In the method, the UPE initiates registration to the MME and loads registration information, including the security algorithms it supports, into the MME; the MME then negotiates with the UE to determine a security algorithm. Because the UPE reports its supported security algorithm capability through registration, user plane security algorithm negotiation is completed in the control plane network element, which divides network element functions more reasonably. When the UE and the UPE have no commonly supported security algorithm, the MME can decide whether to complete the UE attach procedure before the user plane route configuration procedure, reducing the number of signalling interactions and the operating load of the system. A fresh user plane security algorithm negotiation between the UPE and the UE during UPE relocation speeds up user plane connection establishment.
Description
Technical Field
The present invention relates to the technical field of algorithm negotiation in network communication, and in particular, to a registration method and a negotiation method and apparatus for a user plane security algorithm.
Background
As shown in Fig. 1, a general packet radio service/universal mobile telecommunications system (GPRS/UMTS) network is divided into two parts: the radio side and the core network.
On the radio side, GPRS comprises base stations (BTS) and base station controllers (BSC), and UMTS comprises radio network controllers (RNC) and base stations (NodeB); together these perform all radio-service-related functions.
The core network handles all voice calls and data connections within the GPRS/UMTS system and implements switching and routing towards external networks. It is divided into a circuit switched (CS) domain and a packet switched (PS) domain, which support voice services and data services respectively.
The core network CS domain comprises nodes such as the mobile switching center server (MSC-Server), the media gateway (MGW) and the gateway mobile switching center server (GMSC-Server). The MSC-Server transports CS domain control plane data and implements mobility management, call control, authentication and ciphering; the GMSC-Server implements the GMSC control plane functions of call control and mobility control; and the MGW transports user plane data.
The core network PS domain comprises the serving GPRS support node (SGSN) and the gateway GPRS support node (GGSN). The GGSN is mainly responsible for interfacing with external networks and also transports user plane data. The SGSN occupies a position in the PS domain similar to that of the MSC-Server in the CS domain; its core functions are routing and forwarding, mobility management, session management and storage of user information.
On the core network side, the HLR is shared by the CS and PS domains and stores the user's subscription information.
In addition to the above architecture, the third generation partnership project (3GPP) has introduced a new network architecture.
The architecture proposed by 3GPP comprises the System Architecture Evolution (SAE) and the Long Term Evolution (LTE) of the access network, referred to as E-UTRAN.
Fig. 2 shows the architecture of the evolved packet core (EPC). The EPC comprises three logical function entities: the MME, the UPE and the Inter AS Anchor. The MME is responsible for control plane mobility management, including user context and mobility state management, allocation of temporary user identities and security functions; the UPE is responsible for initiating paging for downlink data in idle state and for managing and storing IP bearer parameters and in-network routing information; and the Inter AS Anchor serves as the user plane anchor point between different access systems.
In GPRS and UMTS, the same network entity performs ciphering/integrity protection for both the signalling plane and the user plane: the SGSN in GPRS and the RNC in UMTS.
In the evolved network, by contrast, the RNC no longer exists: ciphering and integrity protection of the user's non-access stratum signalling move to the core network logical entity MME, while ciphering of user plane data is performed in the logical entity UPE.
When the MME and the UPE are in the same physical entity, the ciphering and integrity protection algorithms, the ciphering key and the integrity key of the control plane and the user plane are all shared, so negotiation and control can be completed in a single unified signalling flow.
When the MME and the UPE are separated, that is, not in the same physical entity, ciphering and integrity protection of the control plane and of the user plane must be controlled separately.
Fig. 3 is a schematic diagram of the negotiation of the user plane ciphering algorithm and integrity protection algorithm in the existing evolved network.
Step 11: when initiating a service establishment request or a registration request to the MME, the UE simultaneously reports the control plane and user plane ciphering and integrity protection algorithm capabilities it supports; control plane algorithm negotiation is completed by the MME, while user plane algorithm negotiation is completed during IP bearer establishment.
Step 12: through interaction between the MME and the UPE, the MME informs the UPE of the ciphering and integrity protection algorithm capabilities supported by the UE in an IP bearer establishment request.
Step 13: the UPE takes the intersection with the ciphering and integrity protection algorithm capabilities it supports itself, completing the negotiation of the ciphering and integrity protection algorithms.
Step 14: after negotiation is complete, the negotiation result is delivered to the UE through the authentication procedure, via the UPE.
Step 15: user plane data between the UE and the UPE is protected with the negotiated ciphering and integrity protection algorithms.
In a separated network structure the MME and the UPE have distinct functions: the MME handles mobility management and control plane signalling, and the UPE handles service data.
Because user plane algorithm negotiation is control plane signalling processing, it is more appropriate for the MME to perform it; but in the prior art the MME cannot obtain from the UPE the security algorithm information it would need for that negotiation.
In the prior art, therefore, the UPE performs control plane signalling processing, which conflicts with the role assigned to the UPE in the functional split: the UPE operates outside its function range, which is detrimental to the overall operation of the system.
Disclosure of Invention
The invention aims to provide a registration method, and a negotiation method and device, for a user plane security algorithm.
The purpose of the invention is achieved by the following technical scheme:
A method for a user plane entity to register with a mobility management entity comprises the following step:
the user plane entity UPE initiates registration to the mobility management entity MME and loads the registration information it carries into the MME.
The registration comprises:
the UPE initiates registration to the MME and sends registration information to the MME;
the MME receives and records registration information from the UPE;
and the MME sends a registration response to the UPE and confirms that the registration is successful.
The UPE initiates registration to the MME in any of the following ways:
the UPE actively initiates registration to the MME when it is powered on;
or,
the UPE initiates registration to the MME after receiving a registration request from the MME;
or,
the UPE initiates registration to the MME after its configuration is modified;
or,
the UPE initiates registration to the MME after congestion is released.
The registration information includes ciphering algorithm information, integrity protection algorithm information, UPE version information and/or the UPE's current load status.
A negotiation method for a user plane security algorithm comprises the following steps:
A. the UPE initiates registration to the MME and loads registration information, including security algorithm information, into the MME;
B. the MME negotiates with the UE to determine a security algorithm.
Step B comprises:
b1. the UE initiates registration to the MME and sends registration information, including security algorithm negotiation information, to the MME;
b2. the MME compares the security algorithms supported by the UPE with those supported by the UE and selects a security algorithm supported by both as the negotiation result;
b3. the MME informs the UPE and the UE of the negotiation result.
In step B, the security algorithm negotiation between the UE and the MME is carried out either in the attach procedure initiated by the UE to the MME or in the UPE relocation procedure.
When the negotiation is carried out in the attach procedure, the negotiation result is issued to the UE either in the authentication procedure or in the user plane route configuration procedure.
UPE relocation and security algorithm negotiation are performed either when the context is stored in the UPE or when the context is stored in the MME.
When the context is stored in the UPE, the MME carries the security parameters it selected and the address information of the old UPE in the message requesting the new UPE to perform relocation, and carries the selected security parameters in the update confirmation message sent to the UE.
When the context is stored in the MME, the Activate Context Request message sent by the MME carries the security parameters selected by the MME and the UPE-related context, and the MME carries the selected security parameters in the update confirmation message sent to the UE.
In step b3, the MME instructs the UPE to establish an IP bearer and feeds back the security algorithm negotiation result to the UPE in that request.
A user plane security algorithm negotiation device, located in a mobility management entity (MME), comprises:
a registration processing unit, which processes registration from the UPE and acquires the UPE's security algorithm information;
a security algorithm negotiation unit, which negotiates with the UE according to the UPE's security algorithm information and determines a security algorithm.
The security algorithm negotiation unit comprises:
a UE information acquisition unit, which acquires the UE's security algorithm information when the UE registers;
an attach negotiation unit, which negotiates and determines a security algorithm in the attach procedure initiated by the UE to the MME;
a relocation negotiation unit, which negotiates and determines a security algorithm in the UPE relocation procedure.
In the technical scheme provided by the invention, the UPE actively reports the security algorithm capability it supports to the MME during registration, so user plane security algorithm negotiation is completed in the control plane network element MME and the division of network element functions is more reasonable. When the UE and the UPE share no user plane security algorithm, the MME can decide whether to perform the UE attach procedure before the user plane route configuration procedure, reducing the number of signalling interactions and the operating load of the system. A new user plane data security algorithm negotiation between the UPE and the UE during UPE relocation speeds up user plane connection establishment.
Drawings
Fig. 1 is a diagram of a conventional GPRS/UMTS network architecture;
Fig. 2 is a diagram of the evolved packet core network architecture in 3GPP;
Fig. 3 is a diagram of the negotiation of the user plane ciphering algorithm and integrity protection algorithm in the prior art;
Fig. 4 is a diagram of the overall negotiation in the first embodiment of the present invention;
Fig. 5 is a schematic diagram of registration of a UPE with an MME in the second embodiment of the present invention;
Fig. 6 is a schematic diagram of a UPE actively initiating registration to an MME when powered on, in the third embodiment of the present invention;
Fig. 7 is a schematic diagram of a UPE initiating registration to an MME at the request of the MME, in the fourth embodiment of the present invention;
Fig. 8 is a schematic diagram of a UPE initiating re-registration to an MME after a configuration modification, in the fifth embodiment of the present invention;
Fig. 9 is a schematic diagram of a UPE initiating re-registration to an MME after recovering from a congested state to a normal state, in the sixth embodiment of the present invention;
Fig. 10 is a schematic diagram of user plane security algorithm negotiation between a UE and an MME, in the seventh embodiment of the present invention;
Fig. 11 is a schematic diagram of an attach procedure in which the negotiation result is issued during the authentication procedure, in the eighth embodiment of the present invention;
Fig. 12 is a schematic diagram of an attach procedure in which the negotiation result is issued during the user plane route configuration procedure, in the ninth embodiment of the present invention;
Fig. 13 is a schematic diagram of security algorithm negotiation during UPE relocation when the context is stored in the UPE, in the tenth embodiment of the present invention;
Fig. 14 is a schematic diagram of security algorithm negotiation during UPE relocation when the context is stored in the MME, in the eleventh embodiment of the present invention;
Fig. 15 is a schematic diagram of the device of the twelfth embodiment of the present invention.
Detailed Description
The core of the invention is that the mobility management entity MME acquires the security algorithm information supported by the user plane entity UPE and by the user equipment UE respectively, and then determines a security algorithm by negotiating over the two sets of supported algorithms, so that security algorithm negotiation is completed in the MME.
Specifically, when the MME and the UPE are deployed in different physical devices of the SAE network, the invention has the UPE register with the MME so that the MME records the ciphering algorithm and integrity protection algorithm capabilities supported by the UPE. When the UE initiates a service connection request, the MME determines a ciphering algorithm and an integrity protection algorithm supported by both the UE and the UPE for subsequent secure transmission of user plane data, and the MME notifies the UE of the negotiation result.
The invention will be described in detail below with reference to the accompanying drawings, which illustrate specific embodiments of the invention.
As shown in Fig. 4, the embodiments of the present invention are divided overall into step 41, in which the user plane entity UPE initiates registration to the mobility management entity MME and the registration information carried by the UPE is loaded into the MME, and step 42, in which the UE and the MME with which the UPE has registered negotiate to determine a security algorithm.
Fig. 5 is a schematic diagram of registration of a UPE with an MME in the second embodiment of the present invention.
As shown in Fig. 5, for a network architecture in which the MME and the UPE are separated, the second embodiment first registers the UPE with the MME before the user plane ciphering and integrity protection algorithms are negotiated. The registration procedure generally comprises:
Step 51: the UPE initiates registration to the MME, registering parameters such as its version information, its current load state, the ciphering and integrity protection algorithms it supports, and the reason for starting the registration;
Step 52: the MME receives and records the UPE's registration information;
Step 53: the MME sends a registration confirmation message to the UPE, confirming that the registration succeeded.
The specific registration procedure differs according to the state the UPE is in; registration of the UPE to the MME in each of several cases is described in detail below.
Fig. 6 is a schematic diagram of a UPE actively initiating registration to an MME when powered on, in the third embodiment of the present invention.
Step 61: the UPE powers on or restarts;
Step 62: after successfully powering on or restarting, the UPE initiates registration to the MME, registering its version information, current load state, supported ciphering and integrity protection algorithms, the reason for starting registration and other parameters;
Step 63: the MME receives and records the UPE's registration information;
Step 64: the MME sends a registration confirmation message to the UPE, confirming that the registration succeeded.
Fig. 7 is a schematic diagram of a UPE initiating registration to an MME at the request of the MME, in the fourth embodiment of the present invention.
Step 71: the MME actively sends a registration request to the UPE asking it to register with the MME; the request carries a reason parameter explaining what triggered the re-registration request;
Step 72: on receiving the re-registration request, the UPE initiates registration to the MME, registering its version information, current load state, supported ciphering and integrity protection algorithms, the reason for starting registration and other parameters;
Step 73: the MME receives and records the UPE's registration information;
Step 74: the MME sends a registration confirmation message to the UPE, confirming that the registration succeeded.
Fig. 8 is a schematic diagram of a UPE initiating re-registration to an MME after a configuration modification, in the fifth embodiment of the present invention.
Step 81: the UPE's configuration is modified;
Step 82: after the configuration modification is complete, the UPE sends a re-registration request to the MME carrying its version information, current load state, supported ciphering and integrity protection algorithms, the reason for the re-registration and other parameters;
Step 83: the MME receives and records the information from the UPE, replacing the UPE information it previously held;
Step 84: the MME sends a re-registration response message to the UPE, confirming that the re-registration succeeded.
Fig. 9 is a schematic diagram of a UPE initiating re-registration to an MME after recovering from a congested state to a normal state, in the sixth embodiment of the present invention.
Step 91: once its congestion state is cleared, the UPE again provides user plane data processing service;
Step 92: the UPE initiates a re-registration procedure to the MME carrying its version information, current load state, supported ciphering and integrity protection algorithms, the reason for the re-registration and other parameters;
Step 93: the MME replaces the UPE registration information it previously held with the newly received information;
Step 94: the MME sends a re-registration confirmation message to the UPE, confirming that the re-registration succeeded.
Figs. 5 to 9 show the first procedure of the invention, in which the UPE initiates registration to the MME; through this registration the MME obtains the ciphering algorithm and integrity protection algorithm capabilities of the UPE.
After the registration procedure is complete, the second procedure of the invention begins: the MME acquires the UE's security algorithm information, performs user plane security algorithm negotiation, and determines the user's ciphering algorithm and integrity protection algorithm.
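The registration procedures of Figs. 5 to 9 amount to one MME-side operation: accept a registration record, replace any record already held for that UPE, and confirm. The following Python model is an added example, not code from the patent; the message field names, the 0..100 load scale, the sanity checks, the least-loaded UPE selection policy and the algorithm names ("enc-a", "int-a" and so on) are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class RegistrationReason(Enum):
    """Reason parameter carried in the registration (steps 51, 62, 72, 82, 92)."""
    POWER_ON = "power_on"                       # Fig. 6
    MME_REQUEST = "mme_request"                 # Fig. 7
    CONFIG_CHANGE = "config_change"             # Fig. 8
    CONGESTION_RELEASE = "congestion_release"   # Fig. 9


@dataclass(frozen=True)
class UpeRegistration:
    """Registration information a UPE loads into the MME. Field names and the
    0..100 load scale are assumptions; algorithm names are constructed placeholders."""
    upe_id: str
    version: str
    load: int
    cipher_algs: frozenset
    integrity_algs: frozenset
    reason: RegistrationReason


@dataclass(frozen=True)
class RegistrationResponse:
    """Registration confirmation returned by the MME (steps 53, 64, 74, 84, 94)."""
    upe_id: str
    accepted: bool
    cause: Optional[str] = None


class MmeUpeRegistry:
    """MME-side record of registered UPEs and their security algorithm capabilities."""

    def __init__(self) -> None:
        self._upes: Dict[str, UpeRegistration] = {}

    def handle_registration(self, reg: UpeRegistration) -> RegistrationResponse:
        # Refuse a registration the MME could never use for negotiation: a UPE that
        # advertises no algorithm would otherwise silently break every later attach.
        if not reg.cipher_algs or not reg.integrity_algs:
            return RegistrationResponse(reg.upe_id, False, "no_security_algorithms")
        if not 0 <= reg.load <= 100:
            return RegistrationResponse(reg.upe_id, False, "invalid_load_state")
        # First registration and re-registration are handled identically: the new
        # record replaces whatever the MME held for this UPE (steps 83 and 93).
        self._upes[reg.upe_id] = reg
        return RegistrationResponse(reg.upe_id, True)

    def request_registration(self, upe_id: str, reason: RegistrationReason) -> dict:
        """Message the MME sends to make a UPE (re-)register (step 71)."""
        return {"msg": "REGISTRATION_REQUEST", "upe_id": upe_id, "reason": reason.value}

    def get(self, upe_id: str) -> Optional[UpeRegistration]:
        return self._upes.get(upe_id)

    def select_upe(self, max_load: int = 90) -> Optional[UpeRegistration]:
        """Choose the least-loaded registered UPE under a load ceiling. The page only
        says the MME selects a UPE; this particular policy is an assumption."""
        usable = [u for u in self._upes.values() if u.load <= max_load]
        return min(usable, key=lambda u: u.load) if usable else None


def demo() -> MmeUpeRegistry:
    """Walk through Figs. 6 and 8 with constructed data: power-on registration,
    then a re-registration after a configuration change that drops one cipher."""
    mme = MmeUpeRegistry()
    first = UpeRegistration("upe-1", "1.0", 20,
                            frozenset({"enc-a", "enc-b"}), frozenset({"int-a"}),
                            RegistrationReason.POWER_ON)
    assert mme.handle_registration(first).accepted
    changed = UpeRegistration("upe-1", "1.1", 20,
                              frozenset({"enc-b"}), frozenset({"int-a"}),
                              RegistrationReason.CONFIG_CHANGE)
    assert mme.handle_registration(changed).accepted
    return mme


if __name__ == "__main__":
    print(demo().get("upe-1"))
```

The point of the replace-on-re-register rule is that after Fig. 8 the MME must negotiate against the UPE's new capability set, not the one it advertised at power-on; a registry that merged the two sets would let the MME select an algorithm the UPE no longer runs.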
Fig. 10 is a schematic diagram of user plane security algorithm negotiation between a UE and an MME in the seventh embodiment of the present invention.
As shown in Fig. 10, the main negotiation steps between the UE and the MME are:
Step 101: the UE initiates a registration request or a service request to the MME; the request carries the ciphering algorithm capability and integrity protection algorithm capability supported by the UE;
Step 102: the MME compares the capabilities supported by the UE against its own capabilities (for secure transmission of control plane data between the UE and the MME) and against the capabilities registered by the UPE (for the user plane), and selects algorithms supported on both ends;
Step 103: having determined the algorithms, the MME sends the finally selected user plane ciphering and integrity protection algorithms to the UPE;
Step 104: having determined the algorithms, the MME sends the finally selected user plane ciphering and integrity protection algorithms to the UE.
Once the MME has determined the algorithms, steps 103 and 104 may be performed in either order: notifying the UPE and notifying the UE are independent.
As shown in Fig. 10, the security algorithm negotiation between the UE and the MME can be carried out in the attach procedure initiated by the UE to the MME, or in the UPE relocation procedure.
When the negotiation is carried out in the attach procedure initiated by the UE to the MME, the negotiation result can be issued to the UE either in the authentication procedure or in the user plane route configuration procedure.
Security algorithm negotiation during UE-initiated attach to MME
Fig. 11 is a schematic diagram of an attach procedure in which the negotiation result is issued during the authentication procedure, according to the eighth embodiment of the present invention.
As shown in Fig. 11, the eighth embodiment implements security algorithm negotiation in the attach procedure as follows:
Step 111: the UE discovers an evolved system architecture (SAE)/evolved access network (LTE) access system and performs the access system and network selection procedure;
Step 112: the UE sends an attach request to the MME; the request carries the UE's previous registration information (such as its temporary ID) and the security algorithm capability supported by the UE, the latter in an information element;
Step 113: if the attach request carries previous registration information, the MME uses it to retrieve the UE information (such as the permanent user ID) from the previous MME;
Step 114: the previous MME sends the user's information to the new MME;
Step 115: if the MME does not hold authentication parameters for the UE, it obtains them from the HSS;
Step 116: the MME selects a UPE for establishing the user data bearer with the UE; because the MME stores the security algorithm capability reported by each UPE at registration, the MME performs the negotiation of the user plane ciphering and integrity protection algorithms between the UE and that UPE;
Step 117: the MME performs access authentication of the UE and carries the negotiation results of the control plane and user plane ciphering and integrity algorithms, together with uplink tunnel information (such as the UPE ID), in the authentication request;
Step 118: if the negotiation shows that there is no commonly supported user plane security algorithm, the MME instead replies to the UE with an attach failure message carrying the failure cause;
Step 119: if the UE is authenticated successfully, the MME registers with the HSS to indicate that it is now serving the UE;
Step 1110: the HSS deletes the UE-related information held in the old MME;
Step 1111: the HSS sends a registration success message to the MME;
Step 1112: the user plane route between the UE, MME, UPE and IASA is configured; this includes the MME sending the UPE an IP bearer establishment request, in which the MME feeds back the user plane security algorithm negotiation result to the UPE;
Step 1113: the MME provides the QoS configuration parameters of the default IP access bearer to the evolved access network (Evolved RAN);
Step 1114: the MME accepts the UE's attach request and allocates a temporary ID and an IP address to the UE;
Step 1115: the UE sends an attach confirm message to the MME, ending the attach procedure.
Fig. 12 is a schematic diagram of an attach procedure in which the negotiation result is issued during the user plane route configuration procedure, according to the ninth embodiment of the present invention.
As shown in Fig. 12, the ninth embodiment implements security algorithm negotiation in the attach procedure as follows:
Step 121: the UE discovers an SAE/LTE access system and performs the access system and network selection procedure;
Step 122: the UE sends an attach request to the MME; the request carries the UE's previous registration information (such as its temporary ID) and the security algorithm capability supported by the UE;
Step 123: if the attach request carries previous registration information, the MME uses it to retrieve the UE information (such as the permanent user ID) from the previous MME;
Step 124: the previous MME sends the user's information to the new MME;
Step 125: if the MME holds authentication parameters for the UE, it performs access authentication of the UE; otherwise it first obtains the authentication parameters from the HSS and then authenticates the UE;
during this authentication, the MME negotiates the control plane ciphering and integrity algorithms and returns that result to the UE;
Step 126: the MME registers with the HSS to indicate that it is now serving the UE;
Step 127: the HSS deletes the UE-related information held in the old MME;
Step 128: the HSS sends a registration success message to the MME;
Step 129: the MME selects a UPE for establishing the user data bearer with the UE; because the MME stores the security algorithm capability reported by each UPE at registration, the MME performs the negotiation of the user plane ciphering and integrity protection algorithms between the UE and that UPE;
Step 1210: if the MME finds that there is no user plane security algorithm supported by both the UE and the UPE, it directly notifies the UE of attach rejection, carrying the failure cause;
Step 1211: the user plane route between the UE, MME, UPE and IASA is configured; this includes the MME sending the UPE an IP bearer establishment request, in which it feeds back uplink tunnel information (such as the UPE ID) and the user plane security algorithm negotiation result to the UPE;
Step 1212: the MME provides the QoS configuration parameters of the default IP access bearer to the Evolved RAN;
Step 1213: the MME accepts the UE's attach request, allocates a temporary ID and an IP address to the UE, and notifies the UE of the user plane security algorithm negotiation result;
Step 1214: the UE sends an attach confirm message to the MME, ending the attach procedure.
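The two attach variants (Figs. 11 and 12) differ only in where the MME performs the UE/UPE intersection and where it delivers the result. The following Python model is an added example, not code from the patent: it builds the ordered list of MME messages for both variants, including the reject-with-cause path of steps 118 and 1210. Message names, the "deliver_in" switch, the MME preference lists and the algorithm names are constructed for illustration; the preference order being owned by the MME is a design choice made here, not something the page specifies.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# MME-side preference order, strongest first (constructed placeholder names).
# The MME, not the UE, owns this order so the ordering of the UE's capability
# IE cannot steer the selection towards the weakest common algorithm.
CIPHER_PREFERENCE: Sequence[str] = ("enc-a", "enc-b")
INTEGRITY_PREFERENCE: Sequence[str] = ("int-a", "int-b")


@dataclass(frozen=True)
class Capabilities:
    """Security algorithm capability as reported by a UE in the attach request,
    or as registered by a UPE and stored in the MME."""
    cipher_algs: frozenset
    integrity_algs: frozenset


@dataclass(frozen=True)
class UserPlaneSelection:
    cipher: str
    integrity: str


def pick(preference: Sequence[str], ue_algs: frozenset, upe_algs: frozenset) -> Optional[str]:
    """First algorithm in MME preference order that both the UE and the UPE support."""
    common = ue_algs & upe_algs
    return next((alg for alg in preference if alg in common), None)


def negotiate_user_plane(ue: Capabilities, upe: Capabilities) -> Optional[UserPlaneSelection]:
    """Steps 116 and 129: the MME intersects UE and UPE capabilities.
    Returns None when no common algorithm exists; the attach is then rejected."""
    cipher = pick(CIPHER_PREFERENCE, ue.cipher_algs, upe.cipher_algs)
    integrity = pick(INTEGRITY_PREFERENCE, ue.integrity_algs, upe.integrity_algs)
    if cipher is None or integrity is None:
        return None
    return UserPlaneSelection(cipher, integrity)


def attach(ue_id: str, ue: Capabilities, upe_id: str, upe: Capabilities,
           deliver_in: str = "authentication") -> List[dict]:
    """Ordered MME messages for one attach.
    deliver_in="authentication" follows Fig. 11: intersection first, result in the
    authentication request, reject before any authentication signalling.
    deliver_in="route_config" follows Fig. 12: control plane authentication first,
    user plane result delivered with the attach accept."""
    if deliver_in not in ("authentication", "route_config"):
        raise ValueError(deliver_in)
    msgs: List[dict] = []
    if deliver_in == "route_config":
        # Step 125: authentication carries only the control plane result here.
        msgs.append({"to": ue_id, "msg": "AUTHENTICATION_REQUEST", "plane": "control"})
    sel = negotiate_user_plane(ue, upe)
    if sel is None:
        # Steps 118 / 1210: no common user plane algorithm, attach fails with a cause.
        msgs.append({"to": ue_id, "msg": "ATTACH_REJECT",
                     "cause": "no_common_user_plane_security_algorithm"})
        return msgs
    if deliver_in == "authentication":
        # Step 117: both planes' results plus uplink tunnel info in the auth request.
        msgs.append({"to": ue_id, "msg": "AUTHENTICATION_REQUEST", "plane": "control+user",
                     "uplink_tunnel": {"upe_id": upe_id}, "user_plane_security": sel})
    # Steps 1112 / 1211: IP bearer setup towards the UPE carries the result.
    msgs.append({"to": upe_id, "msg": "IP_BEARER_SETUP_REQUEST", "ue_id": ue_id,
                 "user_plane_security": sel})
    accept = {"to": ue_id, "msg": "ATTACH_ACCEPT"}
    if deliver_in == "route_config":
        # Step 1213: the result reaches the UE with the attach accept instead.
        accept["user_plane_security"] = sel
    msgs.append(accept)
    return msgs


if __name__ == "__main__":
    ue = Capabilities(frozenset({"enc-b"}), frozenset({"int-b"}))   # constructed
    upe = Capabilities(frozenset({"enc-a", "enc-b"}), frozenset({"int-a", "int-b"}))
    for m in attach("ue-1", ue, "upe-1", upe):
        print(m)
```

Comparing the two reject paths shows the signalling saving the page claims: with the Fig. 11 ordering a UE that shares no user plane algorithm with the selected UPE receives a single reject, whereas with the Fig. 12 ordering the MME has already run authentication before it discovers the mismatch.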
Besides the attach procedure initiated by the UE to the MME, the security algorithm negotiation between the UE and the MME can also be carried out in the UPE relocation procedure.
Security algorithm negotiation during UPE relocation
Security algorithm negotiation in the UPE relocation procedure covers two cases: the context is stored in the UPE, or the context is stored in the MME.
Fig. 13 is a schematic diagram of security algorithm negotiation during UPE relocation when the context is stored in the UPE, according to the tenth embodiment of the present invention; the specific steps are:
Step 131: because the UE is mobile and may move into the service area of another UPE, the UE performs a Tracking Area Update (TAU);
Step 132: UPE relocation is performed, possibly triggered by the TAU; if the UE has moved into another UPE pool service area, the MME selects a more suitable UPE for the UE.
In this process the MME may also be replaced, in which case a context information exchange procedure is performed between the new MME and the old MME.
By the registration procedure described above, the MME stores the security parameters supported by the UPE (its ciphering and integrity protection algorithms); from the UE's security capability, either reported by the UE or held as context in the MME, it selects security parameters supported by both the UPE and the UE.
Step 133: if the service-related context is stored in the UPE, the MME requests the selected new UPE to perform relocation by sending a relocation request message, which carries the security parameters selected by the MME and the address information of the old UPE;
Step 134: the new UPE requests the context from the old UPE and the context is transferred;
Step 135: the PDP context is updated between the new UPE and the Anchor, and the user plane from the new UPE to the Anchor is established;
Step 136: the new UPE returns a relocation response to the MME;
Step 137: TAU confirmation is performed; the MME informs the UE of the new UPE's uplink tunnel information (such as the UPE ID) and of the selected security parameters (ciphering and integrity protection algorithms), so that any uplink data the UE sends is ciphered with the prescribed algorithm;
Step 138: the MME instructs the old UPE to delete the PDP context;
Step 139: the tunnel between the old UPE and the Anchor is released.
Fig. 14 is a schematic diagram illustrating security algorithm negotiation performed by a UPE in a relocation process when context information is stored in an MME according to an eleventh embodiment of the present invention, which includes the specific steps of:
step 141, since the UE is in a mobile state and may enter other UPEs, the UE needs to perform tracking area update;
step 142, the TAU may trigger UPE relocation, if the UE moves to another UPE pool service area, the MME selects a more appropriate UPE as the UPE of the UE;
step 143, if the PDP context is stored in the MME, the MME requests the selected new UPE to perform the relocation process and sends an Activate Context Request message, which includes the security parameters selected by the MME and the context associated with the UPE;
step 144, the new UPE sends a PDP context update message to the Anchor, and updates the context to the Anchor (the address information of the Anchor is saved and recorded by the MME and is sent to the new UPE in the previous step);
step 145, the new UPE responds to the MME;
step 146, performing TAU confirmation, wherein the MME notifies the UE of the new UPE uplink tunnel information and the selected security parameters (e.g. ciphering algorithm and integrity protection algorithm), so that if the UE initiates uplink data, ciphering is performed using a prescribed algorithm;
step 147 and step 148, the MME notifies the old UPE to delete the tunnel from the UPE to the Anchor.
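The following Python model illustrates the MME-side logic described in the attach procedure (steps 129 to 1214) and in the two relocation cases of Figs. 13 and 14: UPEs load their algorithm capability into the MME at registration, the MME picks an algorithm pair supported by both the UE and the selected UPE, rejects the attach with a cause before any user plane route is configured when no common algorithm exists, and re-selects against the new UPE's capability on relocation. This is an added example, not code from the patent; the algorithm names, message field names and the operator preference lists are constructed assumptions. It goes slightly beyond the text in one respect: selection is ordered by an MME-held preference list rather than by the order the UE or UPE announces, so a reordered capability list cannot steer the choice toward a weaker algorithm.

```python
"""Model of the MME-side user plane security algorithm negotiation. Added
example, not code from the patent: algorithm names, message field names and
the operator preference lists are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed algorithm identifiers, strongest first (assumption). Selection is
# driven by these MME-held lists, not by the order a UE or UPE announces, so a
# reordered or truncated capability list cannot steer the MME to a weaker choice.
CIPHER_PREFERENCE = ["AES-CTR", "SNOW3G", "NULL"]
INTEGRITY_PREFERENCE = ["AES-CMAC", "SNOW3G-MAC"]


@dataclass
class UpeRegistration:
    """Registration information a UPE loads into the MME (cf. claim 4)."""
    upe_id: str
    ciphering: List[str]
    integrity: List[str]
    version: str = "v1"
    load_percent: int = 0


@dataclass
class NegotiationResult:
    upe_id: str
    ciphering: str
    integrity: str


class Mme:
    def __init__(self) -> None:
        self.upes: Dict[str, UpeRegistration] = {}                       # filled by UPE registration
        self.ue_capability: Dict[str, Tuple[List[str], List[str]]] = {}  # UE security context
        self.bearers: Dict[str, NegotiationResult] = {}                  # current UPE and algorithms per UE

    def register_upe(self, reg: UpeRegistration) -> dict:
        """Record the UPE's registration information and confirm success (claims 1-2)."""
        self.upes[reg.upe_id] = reg
        return {"registration": "ok", "upe_id": reg.upe_id}

    def register_ue(self, ue_id: str, ciphering: List[str], integrity: List[str]) -> None:
        """Step b1: the UE's security capability is stored as context in the MME."""
        self.ue_capability[ue_id] = (list(ciphering), list(integrity))

    def _select(self, ue_id: str, upe_id: str) -> Optional[Tuple[str, str]]:
        """Step b2: first algorithm in MME preference order that both sides support."""
        upe = self.upes.get(upe_id)
        if upe is None or ue_id not in self.ue_capability:
            return None
        ue_ciph, ue_integ = self.ue_capability[ue_id]
        cipher = next((a for a in CIPHER_PREFERENCE if a in ue_ciph and a in upe.ciphering), None)
        integ = next((a for a in INTEGRITY_PREFERENCE if a in ue_integ and a in upe.integrity), None)
        return None if cipher is None or integ is None else (cipher, integ)

    def attach(self, ue_id: str, upe_id: str) -> dict:
        """Steps 129 to 1213: negotiate before any user plane route is configured."""
        selected = self._select(ue_id, upe_id)
        if selected is None:
            # Step 1210: reject immediately and carry the failure cause.
            return {"result": "attach_reject", "cause": "no common user plane security algorithm"}
        res = NegotiationResult(upe_id, *selected)
        self.bearers[ue_id] = res
        algs = {"ciphering": res.ciphering, "integrity": res.integrity}
        # Step 1211 informs the UPE and step 1213 informs the UE of the same result.
        return {"result": "attach_accept", "to_upe": {"upe_id": upe_id, **algs},
                "to_ue": {"uplink_tunnel": upe_id, **algs}}

    def relocate(self, ue_id: str, new_upe_id: str) -> dict:
        """Steps 133 to 139 / 143 to 148: re-select against the new UPE's capability."""
        old = self.bearers.get(ue_id)
        if old is None:
            return {"result": "relocation_reject", "cause": "UE not attached"}
        selected = self._select(ue_id, new_upe_id)
        if selected is None:
            # Keep the existing bearer rather than move to a UPE the UE cannot protect traffic with.
            return {"result": "relocation_reject", "kept_upe": old.upe_id,
                    "cause": "no common user plane security algorithm"}
        new = NegotiationResult(new_upe_id, *selected)
        self.bearers[ue_id] = new
        algs = {"ciphering": new.ciphering, "integrity": new.integrity}
        return {"result": "tau_confirm",
                "relocation_request": {"new_upe": new_upe_id, "old_upe": old.upe_id, **algs},
                "delete_context_at": old.upe_id,                 # steps 138 / 147
                "to_ue": {"uplink_tunnel": new_upe_id, **algs}}  # steps 137 / 146


def demo() -> dict:
    """Constructed scenario: three UPEs with different capability and two UEs."""
    mme = Mme()
    mme.register_upe(UpeRegistration("UPE-A", ["AES-CTR", "SNOW3G"], ["AES-CMAC"]))
    mme.register_upe(UpeRegistration("UPE-B", ["SNOW3G"], ["SNOW3G-MAC"]))
    mme.register_upe(UpeRegistration("UPE-C", ["ZUC"], ["AES-CMAC"]))  # no cipher in common with ue1
    # ue1 announces its weakest cipher first; the MME preference list still decides.
    mme.register_ue("ue1", ["NULL", "SNOW3G", "AES-CTR"], ["AES-CMAC", "SNOW3G-MAC"])
    mme.register_ue("ue2", ["AES-CTR"], ["AES-CMAC"])
    return {
        "attach_ue1": mme.attach("ue1", "UPE-A"),       # AES-CTR / AES-CMAC selected
        "attach_ue2": mme.attach("ue2", "UPE-B"),       # rejected: no common algorithm
        "relocate_ok": mme.relocate("ue1", "UPE-B"),    # SNOW3G / SNOW3G-MAC selected
        "relocate_fail": mme.relocate("ue1", "UPE-C"),  # rejected, ue1 stays on UPE-B
    }


if __name__ == "__main__":
    for name, msg in demo().items():
        print(name, msg)
```

The `demo()` scenario exercises both failure modes the page singles out: an attach that is rejected before route configuration because the UE and the chosen UPE share no algorithm, and a relocation that is refused, leaving the UE on its current UPE, for the same reason.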
Fig. 15 is a schematic view of an apparatus according to a twelfth embodiment of the present invention.
As shown in the figure, an apparatus for negotiating a user plane security algorithm is disposed in a mobility management entity MME, and includes:
the registration processing unit is used for registering with the UPE and acquiring the security algorithm information of the UPE;
and the safety algorithm negotiation unit is used for negotiating with the UE according to the safety algorithm information of the UPE and determining a safety algorithm.
The security algorithm negotiation unit includes:
the UE information acquisition unit is used for acquiring the security algorithm information of the UE by registering with the UE;
an attachment negotiation unit, configured to negotiate and determine a security algorithm in an attachment process initiated by the UE to the MME;
and the relocation negotiation unit is used for negotiating and determining a security algorithm in the relocation process of the UPE.
The user plane security algorithm negotiation device of the twelfth embodiment of the invention registers with the UPE through the registration processing unit, and after registration the MME holds the security algorithms supported by the UPE; the security algorithm negotiation unit of the device negotiates with the UE according to the security algorithms supported by the UPE, registers with the UE through the UE information acquisition unit during the negotiation, loads the security algorithms supported by the UE into the MME, and selects through negotiation an algorithm supported by both the UE and the UPE as the user plane security algorithm.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (14)
1. A method for registering a user plane entity with a mobility management entity is characterized by comprising the following steps:
and the user plane entity UPE initiates registration to the mobility management entity MME and loads the registration information carried by the UPE into the MME.
2. The method of claim 1, wherein the registering comprises:
the UPE initiates registration to the MME and sends registration information to the MME;
the MME receives and records registration information from the UPE;
and the MME sends a registration response to the UPE and confirms that the registration is successful.
3. The method of claim 2, wherein the user plane entity UPE initiating registration to the MME comprises:
the UPE actively initiates registration to the MME when it is powered on;
or,
the UPE initiates registration to the MME after receiving a registration request from the MME;
or,
the UPE initiates registration to the MME after its configuration is modified;
or,
the UPE initiates registration to the MME after congestion is released.
4. A method for a user plane entity to register with a mobility management entity according to any of claims 1-3, wherein the registration information comprises: encryption algorithm information, integrity protection algorithm information, UPE version information, and/or the UPE current load status.
5. A negotiation method of a user plane security algorithm is characterized by comprising the following steps:
A. the UPE initiates registration to the MME and loads registration information including a security algorithm to the MME;
B. and the MME and the UE negotiate to determine a security algorithm.
6. The negotiation method of user plane security algorithm according to claim 5, wherein said step B comprises:
b1, UE initiates registration to MME, and sends the registration information including the negotiation information of the security algorithm to MME;
b2, the MME negotiates the security algorithm supported by the UPE and the security algorithm supported by the UE, and selects the security algorithm supported by the UPE and the UE as the negotiation result of the security algorithm;
b3, MME informs UPE and UE of the negotiation result of the security algorithm.
7. The negotiation method of user plane security algorithm of claim 6, wherein in step B, the security algorithm negotiation between the UE and the MME is implemented in an attach procedure initiated by the UE to the MME, or in a relocation procedure of the UPE.
8. The negotiation method of user plane security algorithm of claim 7, wherein the security algorithm negotiation result is issued to the UE simultaneously in the authentication process when the security algorithm negotiation is performed in the attachment process;
or,
and issuing a security algorithm negotiation result to the UE in the process of user plane route configuration.
9. The negotiation method of user plane security algorithm according to claim 7, characterized in that the UPE relocation and the security algorithm negotiation are performed when the context is saved in the UPE;
or,
the UPE relocation and the security algorithm negotiation are performed when the context is saved in the MME.
10. The negotiation method of a user plane security algorithm according to claim 9, wherein, in the UPE relocation and security algorithm negotiation when the context is stored in the UPE, the MME carries the security parameters selected by the MME and the address information of the old UPE in the message requesting the new UPE to perform relocation; and the MME carries the security parameters selected by the MME in the update confirmation message sent to the UE.
11. The negotiation method of a user plane security algorithm according to claim 9, wherein, in the UPE relocation and security algorithm negotiation when the context is stored in the MME, the Activate Context Request message sent by the MME includes the security parameters selected by the MME and the context related to the UPE; and the MME carries the security parameters selected by the MME in the update confirmation message sent to the UE.
12. The negotiation method of user plane security algorithm of claim 6, wherein in step B3, the MME notifies the UPE to establish an IP bearer, and feeds back the security algorithm negotiation result to the UPE.
13. A user plane security algorithm negotiation device is arranged in a Mobility Management Entity (MME) and comprises:
the registration processing unit is used for registering with the UPE and acquiring the security algorithm information of the UPE;
and the safety algorithm negotiation unit is used for negotiating with the UE according to the safety algorithm information of the UPE and determining a safety algorithm.
14. The apparatus of claim 13, wherein the security algorithm negotiation unit comprises:
the UE information acquisition unit is used for acquiring the security algorithm information of the UE by registering with the UE;
an attachment negotiation unit, configured to negotiate and determine a security algorithm in an attachment process initiated by the UE to the MME;
and the relocation negotiation unit is used for negotiating and determining a security algorithm in the relocation process of the UPE.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610091966 CN101001252A (en) | 2006-06-25 | 2006-06-25 | Registration method and consultation method and device of user safety algorithmic |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101001252A true CN101001252A (en) | 2007-07-18 |
Family
ID=38693060
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200610091966 Pending CN101001252A (en) | 2006-06-25 | 2006-06-25 | Registration method and consultation method and device of user safety algorithmic |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101001252A (en) |
Events
2006-06-25: application CN 200610091966 filed (publication CN101001252A), status Pending
Cited By (50)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8219064B2 (en) | 2007-09-03 | 2012-07-10 | Huawei Technologies Co., Ltd. | Method, system, and apparatus for preventing bidding down attacks during motion of user equipment |
CN103220674B (en) * | 2007-09-03 | 2015-09-09 | 华为技术有限公司 | A kind of method, system and device of preventing degraded attack when terminal moving |
CN103220674A (en) * | 2007-09-03 | 2013-07-24 | 华为技术有限公司 | Method and system for preventing quality degradation attack during terminal movement and device |
CN101128061B (en) * | 2007-09-27 | 2013-02-27 | 中兴通讯股份有限公司 | Mobility management unit, evolved base station, method and system for determining whether user plane is encrypted |
CN101155424B (en) * | 2007-09-28 | 2012-07-04 | 中兴通讯股份有限公司 | Method for not executing user face encryption |
CN101505474B (en) * | 2008-02-04 | 2013-01-02 | 华为技术有限公司 | Network side processing method in subscriber handover process, network element equipment and network system |
CN101534506B (en) * | 2008-03-14 | 2012-09-05 | 中兴通讯股份有限公司 | Method for indicating base station security information |
WO2009149666A1 (en) * | 2008-06-13 | 2009-12-17 | 华为技术有限公司 | Method, device and system for negotiating algorithm |
CN101605324B (en) * | 2008-06-13 | 2011-06-01 | 华为技术有限公司 | Method, device and system for negotiating algorithm |
CN101336000B (en) * | 2008-08-06 | 2011-11-30 | 中兴通讯股份有限公司 | Protocol configuration option transmission method, system and user equipment |
CN101686233B (en) * | 2008-09-24 | 2013-04-03 | 电信科学技术研究院 | Method, system and device for processing mismatching of user equipment (UE) and network security algorithm |
US9232404B2 (en) | 2009-09-28 | 2016-01-05 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for data transmission |
WO2011035733A1 (en) * | 2009-09-28 | 2011-03-31 | 华为技术有限公司 | Method, device and system for data transmission |
WO2012055114A1 (en) * | 2010-10-29 | 2012-05-03 | Nokia Siemens Networks Oy | Security of user plane traffic between relay node and radio access network |
US9226158B2 (en) | 2010-10-29 | 2015-12-29 | Nokia Solutions And Networks Oy | Security of user plane traffic between relay node and radio access network |
CN102571721A (en) * | 2010-12-31 | 2012-07-11 | 北京大唐高鸿数据网络技术有限公司 | Identifying method for access equipment |
WO2013091543A1 (en) * | 2011-12-22 | 2013-06-27 | 华为技术有限公司 | Security communication method, device and system for low cost terminal |
CN104618089B (en) * | 2013-11-04 | 2019-05-10 | 华为技术有限公司 | Negotiation processing method, control network element and the system of security algorithm |
CN104618089A (en) * | 2013-11-04 | 2015-05-13 | 华为技术有限公司 | Negotiation processing method for security algorithm, control network element and system |
US10028136B2 (en) | 2013-11-04 | 2018-07-17 | Huawei Technologies Co., Ltd. | Negotiation processing method for security algorithm, control network element, and control system |
WO2015165149A1 (en) * | 2014-04-30 | 2015-11-05 | 中兴通讯股份有限公司 | Configuration method, prose key management functional entity, terminal, system, and storage medium |
US10382953B2 (en) | 2014-04-30 | 2019-08-13 | Zte Corporation | Configuration method, ProSe key management functional entity, terminal, system, and storage medium |
WO2015117489A1 (en) * | 2014-07-31 | 2015-08-13 | 中兴通讯股份有限公司 | Method, device and system for selecting security algorithm |
CN105323231B (en) * | 2014-07-31 | 2019-04-23 | 中兴通讯股份有限公司 | Security algorithm selection method, device and system |
CN105323231A (en) * | 2014-07-31 | 2016-02-10 | 中兴通讯股份有限公司 | Security algorithm selection method, security algorithm selection device and security algorithm selection system |
CN105813106A (en) * | 2014-12-31 | 2016-07-27 | 中国移动通信集团公司 | Method and device for determining type of voice service |
CN108476211A (en) * | 2015-11-02 | 2018-08-31 | 瑞典爱立信有限公司 | Wireless communication |
US11374941B2 (en) | 2015-11-02 | 2022-06-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Wireless communications |
US10880779B2 (en) | 2016-05-17 | 2020-12-29 | Huawei Technologies Co., Ltd. | User plane resource management method, user plane network element, and control plane network element |
CN109155994A (en) * | 2016-05-17 | 2019-01-04 | 华为技术有限公司 | A kind of user face method for managing resource, user's veil member and control plane network element |
US11425604B2 (en) | 2016-05-17 | 2022-08-23 | Huawei Technologies Co., Ltd. | User plane resource management method, user plane network element, and control plane network element |
WO2017197589A1 (en) * | 2016-05-17 | 2017-11-23 | 华为技术有限公司 | User plane resource management method, user plane network element, and control plane network element |
CN107567018A (en) * | 2016-07-01 | 2018-01-09 | 中兴通讯股份有限公司 | Message treatment method and device, terminal, message handling system |
WO2018041000A1 (en) * | 2016-08-31 | 2018-03-08 | 中兴通讯股份有限公司 | Upf management method, device, and system |
US10856141B2 (en) | 2017-01-24 | 2020-12-01 | Huawei Technologies Co., Ltd. | Security protection negotiation method and network element |
WO2018137334A1 (en) * | 2017-01-24 | 2018-08-02 | 华为技术有限公司 | Method for negotiating security protection and network element |
US10798579B2 (en) | 2017-05-05 | 2020-10-06 | Huawei Technologies Co., Ltd | Communication method and related apparatus |
CN109219965A (en) * | 2017-05-05 | 2019-01-15 | 华为技术有限公司 | A kind of communication means and relevant apparatus |
US10798578B2 (en) | 2017-05-05 | 2020-10-06 | Huawei Technologies Co., Ltd. | Communication method and related apparatus |
US11272360B2 (en) | 2017-05-05 | 2022-03-08 | Huawei Technologies Co., Ltd. | Communication method and related apparatus |
WO2018201506A1 (en) * | 2017-05-05 | 2018-11-08 | 华为技术有限公司 | Communication method and related device |
CN109219965B (en) * | 2017-05-05 | 2021-02-12 | 华为技术有限公司 | Communication method and related device |
US11025645B2 (en) | 2017-08-11 | 2021-06-01 | Huawei Technologies Co., Ltd. | Data integrity protection method and apparatus |
CN109218325A (en) * | 2017-08-11 | 2019-01-15 | 华为技术有限公司 | Data completeness protection method and device |
US11818139B2 (en) | 2017-08-11 | 2023-11-14 | Huawei Technologies Co., Ltd. | Data integrity protection method and apparatus |
WO2020052414A1 (en) * | 2018-09-10 | 2020-03-19 | 华为技术有限公司 | Data protection method, device and system |
CN110933669A (en) * | 2019-11-21 | 2020-03-27 | 北京长焜科技有限公司 | Method for quickly registering cross-RAT user |
CN113381966A (en) * | 2020-03-09 | 2021-09-10 | 维沃移动通信有限公司 | Information reporting method, information receiving method, terminal and network side equipment |
CN113381966B (en) * | 2020-03-09 | 2023-09-26 | 维沃移动通信有限公司 | Information reporting method, information receiving method, terminal and network side equipment |
WO2023151585A1 (en) * | 2022-02-11 | 2023-08-17 | 维沃移动通信有限公司 | Terminal target surface capability reporting and acquiring methods, terminal, and network device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | C12 | Rejection of a patent application after its publication | |
 | RJ01 | Rejection of invention patent application after publication | Open date: 20070718 |