
CN101267670B - An initialization setup method for secret key survival counter between different access systems - Google Patents


Info

Publication number: CN101267670B
Authority: CN (China)
Prior art keywords: counter, nas, count, key, network
Legal status: Expired - Fee Related
Application number: CN200810066802A
Other languages: Chinese (zh)
Other versions: CN101267670A (en)
Inventors: 张旭武, 甘露
Current Assignee: Xuzhou Naili Macromolecule Technology Co Ltd
Original Assignee: ZTE Corp
Priority date: 2008-04-15
Filing date: 2008-04-15
Publication date: 2008-09-17 (application, CN101267670A); 2012-09-05 (grant, CN101267670B)

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

An initialization setting method for key lifetime counters between different access systems: when a user equipment moves from an evolved terrestrial radio access network to a terrestrial radio access network and needs to perform cell reselection, the following steps are performed. When the user equipment decides to reselect to the UMTS network, it adds at least 1 to the most significant bits of the counter COUNT-NAS and uses the result as the initial value of the counter START, and then sends a cell reselection request to the target serving UMTS network. Here the counter START is the lifetime counter of the integrity key IK and the ciphering key CK of the terrestrial radio access network, and the counter COUNT-NAS is the counter recording the number of NAS signaling messages that have been protected by the non-access stratum integrity protection key K_NAS-int and confidentiality protection key K_NAS-enc of the evolved terrestrial radio access network. The invention avoids the security vulnerability whereby the key lifetime is extended when the UE moves between UTRAN and EUTRAN and initiates cell reselection.

Figure 200810066802

Description

Initialization setting method for key lifetime counters between different access systems
Technical field
The present invention relates to the field of mobile communications, and in particular to a method for initializing key lifetime counters between different access systems.
Background technology
The 3GPP (3rd Generation Partnership Project) Evolved Packet System (EPS) consists of the Evolved UMTS Terrestrial Radio Access Network (EUTRAN) and the EPS core network (Evolved Packet Core, EPC).
The EPC includes the Mobility Management Entity (MME), which is responsible for mobility management, non-access stratum signaling processing and other control-plane tasks such as management of the user security context. The MME stores the EUTRAN root key K_ASME (Key Access Security Management Entity) together with the non-access stratum integrity protection key K_NAS-int (Key Non Access Stratum integrity) and confidentiality protection key K_NAS-enc (Key Non Access Stratum encryption) derived from K_ASME. The UE (User Equipment) stores the same three keys. The UE and the MME also maintain a counter COUNT-NAS, which records the number of NAS (Network Access Server) signaling messages that have been protected by K_NAS-int and K_NAS-enc. The value of COUNT-NAS has two roles: it is an input parameter for NAS-layer integrity and confidentiality protection, and it strictly limits the lifetime of K_ASME. When COUNT-NAS reaches the threshold set by the operator, the UE and the network side trigger a new Authentication and Key Agreement (AKA) procedure to produce a new K_ASME, and all EPS counters are reset to 0 at the same time. When a connection is established, the UE and the MME use the value START-NAS to record the most significant bits of COUNT-NAS. The UE uses START-NAS to initialize COUNT-NAS, that is, the value of START-NAS becomes the value of the most significant bits of COUNT-NAS (MSB, Most Significant Bits; the exact number of bits is defined by the standard). When the connection is released, the UE updates START-NAS with the value of the most significant bits of COUNT-NAS.
In the 3GPP UMTS (Universal Mobile Telecommunications System) system, the entity responsible for managing the mobility context and/or the user security context is the SGSN (Serving GPRS Support Node). The SGSN also authenticates the UE and generates the keys IK (Integrity Key) and CK (Ciphering Key). The access system of 3GPP UMTS is UTRAN (UMTS Terrestrial Radio Access Network).
The UE generates IK and CK at the same time. In the PS domain, the UE uses the counter START to record the number of signaling messages protected by the keys IK and CK; when the value of START reaches the configured threshold, the UE and the SGSN trigger a new AKA to produce new IK and CK, and START is reset to 0. In UMTS, therefore, the counter START is the lifetime counter of the keys IK and CK and strictly limits their lifetime. When a connection is established, the UE and the RNC (Radio Network Controller) or SGSN use the value of START to initialize the most significant bits of the counters COUNT-I and COUNT-C; when the connection is released, the UE updates START with the value of the most significant bits of COUNT-I and COUNT-C. Here COUNT-I is the counter recording the number of NAS signaling messages protected by the integrity key IK of the evolved terrestrial radio access network, and COUNT-C is the counter recording the number of NAS signaling messages protected by the ciphering key CK of the evolved terrestrial radio access network.
When the UE moves from UTRAN to EUTRAN, the UE and the MME derive K_ASME from IK and CK and use COUNT-NAS as the lifetime counter of K_ASME; IK and CK are called the parent keys of K_ASME, and K_ASME is called the child key of CK and IK. When the UE moves from EUTRAN to UTRAN, the UE and the SGSN/RNC derive the keys IK and CK from K_ASME and use START to limit the lifetime of CK and IK; K_ASME is called the parent key of IK and CK, and IK and CK are the child keys of K_ASME.
Because there is no mandatory requirement to rerun AKA and refresh the keys when the UE performs cell reselection (TAU, Tracking Area Update) between UTRAN and EUTRAN, the child key derived from the parent key may remain in use for some time.
In the prior art, during cell reselection between UTRAN and EUTRAN the UE's counters are not carried over and accumulated; instead the counter initial value is simply set to 0. After the TAU, the lifetime of the key therefore does not include the lifetime of its parent key, which is a security vulnerability that extends the key lifetime.
Summary of the invention
The present invention provides an initialization setting method for key lifetime counters between different access systems, in order to avoid the security vulnerability whereby the key lifetime is extended when a UE moving between UTRAN and EUTRAN initiates cell reselection.
To solve the above technical problem, the present invention provides an initialization setting method for key lifetime counters between different access systems, characterized in that when a user equipment moves from the evolved terrestrial radio access network to the terrestrial radio access network and needs to perform cell reselection, the following steps are performed:
When the user equipment decides to reselect to the UMTS network, it adds at least 1 to the most significant bits of the counter COUNT-NAS and uses the result as the initial value of the counter START; then it sends a cell reselection request to the target serving UMTS network;
where the counter START is the lifetime counter of the integrity key IK and the ciphering key CK of the terrestrial radio access network, and the counter COUNT-NAS is the counter recording the number of NAS signaling messages protected by the non-access stratum integrity protection key K_NAS-int and confidentiality protection key K_NAS-enc of the evolved terrestrial radio access network.
Further, the method may have the following feature:
The user equipment first adds at least 1 to the most significant bits of the counter COUNT-NAS and assigns the result to the counter START-NAS, then initializes the value of the counter START to the value of START-NAS; where START-NAS is the counter used to record the most significant bits of COUNT-NAS.
Further, the method may have the following feature:
The user equipment first adds 2 to the most significant bits of the counter COUNT-NAS and assigns the result to the counter START-NAS, then initializes the value of the counter START to the value of START-NAS, that is, START = START-NAS = MSB(COUNT-NAS) + 2; where START-NAS is the counter used to record the most significant bits of COUNT-NAS, and MSB denotes the most significant bits.
Further, the method may have the following feature:
After receiving the cell reselection request sent by the user equipment, the UMTS network sends a context request to the source mobility management entity; after receiving it, the source mobility management entity sends a context response to the UMTS network; the UMTS network then sends a cell reselection confirmation to the user equipment, notifying it that the network has accepted the cell reselection request; the user equipment sends a cell reselection complete message to the target mobility management entity, confirming that cell reselection is complete.
Further, the method may have the following feature:
During the RRC connection that the user equipment initiates after cell reselection is complete, the user equipment and the UMTS network use the START value to initialize the counters COUNT-I and COUNT-C; where COUNT-I is the counter recording the number of NAS signaling messages protected by the integrity key IK of the evolved terrestrial radio access network, and COUNT-C is the counter recording the number of NAS signaling messages protected by the ciphering key CK of the evolved terrestrial radio access network.
Because the method carries START and START-NAS over from one another and uses them to initialize the related counters, it overcomes the prior-art security defect that the key lifetime is extended when the UE performs TAU between UTRAN and EUTRAN.
Description of drawings
Fig. 1 is the signaling flow of the UE counter initialization setting method when the UE moves from UTRAN to EUTRAN and performs TAU, according to an embodiment of the present invention;
Fig. 2 is the signaling flow of the counter initialization setting method when the UE moves from EUTRAN to UTRAN and performs TAU, according to another embodiment of the present invention.
Embodiments
The idea of the present invention is: when the UE moves between different access systems and needs to perform cell reselection, it uses the START value of the source access system to initialize the START value in the target system, and when a connection is established in the target system it uses that START value to initialize the counters of the target system.
The aim is to provide a counter initialization method for use after the UE performs TAU between UTRAN and EUTRAN, such that the lifetime of the child key continues the lifetime of its parent key before the TAU and, after the TAU succeeds, the child key's lifetime keeps accumulating, so that the lifetime of the child key is not extended.
The technical scheme of the invention is described in detail below with reference to the drawings and embodiments.
First embodiment
This embodiment is the counter initialization setting method used when a UE in idle state moves from UTRAN to EUTRAN and needs to perform cell reselection. Its signaling flow is shown in Fig. 1 and comprises the following steps:
Step 101: The UE initializes START-NAS so that START-NAS = START, and then uses START-NAS to initialize COUNT-NAS;
When initializing COUNT-NAS, the value of START-NAS becomes the value of the most significant bits of COUNT-NAS, expressed by the formula MSB(COUNT-NAS) = START-NAS; the remaining bits of COUNT-NAS are 0.
In this step the UE also needs to derive K_ASME, K_NAS-int and K_NAS-enc from IK and CK, because these keys are needed to integrity-protect the subsequent TAU request.
Step 102: The UE sends a TAU request to the target MME and sends START-NAS to the target MME at the same time;
Step 103: The target MME sends a context request to the source SGSN, requesting that the source SGSN transfer user information such as IK and CK;
Step 104: The source SGSN sends a context response to the target MME, passing CK, IK and other user-related information to the target MME;
Step 105: The target MME uses START-NAS to initialize COUNT-NAS;
Here the target MME also derives K_ASME, K_NAS-int and K_NAS-enc from IK and CK, for protecting subsequent messages.
Step 106: The target MME notifies the UE that the TAU is accepted;
Step 107: The UE sends a TAU complete message, confirming that the TAU is complete.
Second embodiment
This embodiment is the counter initialization setting method used when a UE in idle state moves from EUTRAN to UTRAN and needs to perform TAU. As shown in Fig. 2, it comprises the following steps:
Step 201: When the UE decides to reselect to the UMTS network, it uses the value of COUNT-NAS to initialize START-NAS and sets START from START-NAS: the value of the most significant bits of COUNT-NAS (also called the high-order effective value) plus 2 (any other integer not less than 1 may be added instead) is assigned to START-NAS, which can be expressed as START-NAS = MSB(COUNT-NAS) + 2; START is initialized at the same time, START = START-NAS.
Step 202: The UE sends a TAU request to the target SGSN;
Step 203: The target SGSN sends a context request to the source MME;
Step 204: The source MME sends a context response to the target SGSN;
Step 205: The target SGSN sends a cell reselection confirmation to the UE, notifying the UE that the network has accepted the TAU;
Step 206: The UE sends a TAU complete acknowledgement message.
During cell reselection, the SGSN does not initialize START; after the UE initiates an RRC connection, the UE and the SGSN use the START value to initialize COUNT-I and COUNT-C.
As the above description shows, because the method carries START and START-NAS over from one another and uses them to initialize the related counters, it overcomes the prior-art security defect that the key lifetime is extended when the UE performs TAU between UTRAN and EUTRAN.
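To make the counter arithmetic of the two embodiments concrete, the following Python model is added here; it is an illustration, not code from the patent or from ZTE. It assumes a 20-bit START/START-NAS/MSB part with 12 low-order bits beneath it (the text leaves the widths to the standard) and compares the prior-art reset to 0 with the claimed START = MSB(COUNT-NAS) + k, k >= 1, initialization, showing that only the latter keeps the total number of protected messages of one key lineage within a single system's threshold.

```python
# Constructed model of the counter carry-over the patent describes; not the
# patent's or ZTE's code. Bit widths are assumptions (the text leaves them
# to the standard): START / START-NAS / MSB(COUNT) are 20 bits, and each
# COUNT value carries 12 further low-order bits below them.
LOW_BITS = 12
MSB_BITS = 20
MSB_MASK = (1 << MSB_BITS) - 1


def msb(count: int) -> int:
    """Most significant bits of a COUNT value (the part START records)."""
    return (count >> LOW_BITS) & MSB_MASK


def count_from_start(start: int) -> int:
    """Initialise a COUNT from a START value: MSB(COUNT) = START, low bits 0."""
    return (start & MSB_MASK) << LOW_BITS


class KeyLifetime:
    """A key in one access system together with its lifetime counter.

    `count` stands for COUNT-NAS (EUTRAN) or COUNT-I / COUNT-C (UTRAN);
    `threshold` is the operator-set limit on the MSB part at which a new
    AKA is triggered and the counter is reset to 0.
    """

    def __init__(self, start: int, threshold: int) -> None:
        self.threshold = threshold
        self.count = count_from_start(start)
        self.rekeys = 0

    @property
    def start(self) -> int:
        """Value written back to START (or START-NAS) on connection release."""
        return msb(self.count)

    def protect(self, n_messages: int) -> int:
        """Protect n messages, rerunning AKA whenever the threshold is hit.

        Returns the counter value afterwards (0 right after a rekey).
        """
        for _ in range(n_messages):
            self.count += 1
            if msb(self.count) >= self.threshold:
                self.rekeys += 1
                self.count = 0
        return self.count


def reselect_utran_to_eutran(start: int) -> int:
    """First embodiment: START-NAS = START, then MSB(COUNT-NAS) = START-NAS."""
    return start


def reselect_eutran_to_utran(count_nas: int, increment: int = 2) -> int:
    """Second embodiment / claim 1: START = START-NAS = MSB(COUNT-NAS) + k, k >= 1."""
    if increment < 1:
        raise ValueError("the method adds at least 1 to MSB(COUNT-NAS)")
    return msb(count_nas) + increment


def prior_art_reselect() -> int:
    """Prior art: the counter initial value is simply set to 0 after the TAU."""
    return 0


def messages_before_rekey(start: int, threshold: int) -> int:
    """How many more messages a key initialised at START may protect before AKA."""
    return max(0, threshold - start) << LOW_BITS


def compare_lifetimes(used_in_eutran: int, threshold: int) -> dict:
    """Total messages one key lineage protects across the EUTRAN -> UTRAN move.

    `used_in_eutran` is the COUNT-NAS value reached under K_ASME before the
    UE reselects to UMTS; the child keys IK/CK then continue under START.
    """
    prior = messages_before_rekey(prior_art_reselect(), threshold)
    claimed = messages_before_rekey(reselect_eutran_to_utran(used_in_eutran), threshold)
    return {
        "single_system_limit": threshold << LOW_BITS,
        "prior_art_total": used_in_eutran + prior,
        "invention_total": used_in_eutran + claimed,
    }
```

With a threshold of 16 and 40965 messages already protected in EUTRAN, the prior-art reset allows 106501 messages in total for the key lineage, while the claimed initialization caps it at 57349, below the single-system limit of 65536.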
The above are merely embodiments of the present invention and do not limit it; a person skilled in the art can make various changes and variations to the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of the claims of the present invention.

Claims (5)

1. A method for initializing a key lifetime counter between different access systems, characterized in that when a user equipment moves from an evolved terrestrial radio access network to a terrestrial radio access network and needs to perform cell reselection, the following steps are performed: when the user equipment decides to reselect to the UMTS network, it adds at least 1 to the most significant bits of the counter COUNT-NAS and uses the result as the initial value of the counter START; then it sends a cell reselection request to the target serving UMTS network; wherein the counter START is the lifetime counter of the integrity key IK and the ciphering key CK of the terrestrial radio access network, and the counter COUNT-NAS is the counter recording the number of NAS signaling messages protected by the non-access stratum integrity protection key K_NAS-int and confidentiality protection key K_NAS-enc of the evolved terrestrial radio access network.
2. The initialization setting method of claim 1, characterized in that the user equipment first adds at least 1 to the most significant bits of the counter COUNT-NAS and assigns the result to the counter START-NAS, then initializes the value of the counter START to the value of START-NAS; wherein START-NAS is the counter used to record the most significant bits of COUNT-NAS.
3. The initialization setting method of claim 1 or 2, characterized in that the user equipment first adds 2 to the most significant bits of the counter COUNT-NAS and assigns the result to the counter START-NAS; then initializes the value of the counter START to the value of START-NAS, that is, START = START-NAS = MSB(COUNT-NAS) + 2; wherein START-NAS is the counter used to record the most significant bits of COUNT-NAS, and MSB denotes the most significant bits.
4. The initialization setting method of claim 1 or 2, characterized in that after the target serving UMTS network receives the cell reselection request sent by the user equipment, it sends a context request to the source mobility management unit; after receiving it, the source mobility management unit sends a context response to the target serving UMTS network; the target serving UMTS network then sends a cell reselection confirmation to the user equipment, notifying it that the network has accepted the cell reselection request; the user equipment sends a cell reselection complete message to the target mobility management unit, confirming that cell reselection is complete.
5. The initialization setting method of claim 1 or 2, characterized in that during the RRC connection that the user equipment initiates after cell reselection is complete, the user equipment and the target serving UMTS network use the START value to initialize the counters COUNT-I and COUNT-C, wherein COUNT-I is the counter recording the number of NAS signaling messages protected by the integrity key IK of the evolved terrestrial radio access network, and COUNT-C is the counter recording the number of NAS signaling messages protected by the ciphering key CK of the evolved terrestrial radio access network.
Application CN200810066802A (priority date 2008-04-15, filing date 2008-04-15), "An initialization setup method for secret key survival counter between different access systems", granted as CN101267670B (en); status: Expired - Fee Related.


Publications (2)

Publication Number Publication Date
CN101267670A CN101267670A (en) 2008-09-17
CN101267670B true CN101267670B (en) 2012-09-05


Legal Events

Date Code Title Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01 Grant of patent or utility model (patent grant)
TR01 Transfer of patent right; effective date of registration: 20180103; patentee before: ZTE Corporation, 518057 Nanshan District high-tech Industrial Park, South Road of Science and Technology, Guangdong, ZTE building, legal department; patentee after: XUZHOU NAILI MACROMOLECULE TECHNOLOGY CO., LTD., 221000 east of Qingshan Road, Jiawang District, Xuzhou, Jiangsu
CF01 Termination of patent right due to non-payment of annual fee; granted publication date: 20120905; termination date: 20180415