CN102065429B - Method for safely switching user terminal in wireless metropolitan area network - Google Patents
Publication number: CN102065429B (application number CN201010608898.2A)
Authority: CN (China)
Prior art keywords: user terminal, target, base station, access gateway, identifier
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to the technical field of wireless metropolitan area networks, and in particular to a method for securely handing over a user terminal in a wireless metropolitan area network. The method comprises the following steps: a target base station forwards handover request information to a target access gateway; the target base station receives first join-user-terminal request information, configures a first controlled port for the user terminal, and sets the first controlled port to the closed state; the target access gateway completes the session key negotiation process with the user terminal through the target base station; the target access gateway obtains a session key and sends second join-user-terminal request information to the target base station; and the target base station sets the first controlled port to the open state. With this method, a user terminal in a wireless metropolitan area network can be handed over securely and quickly from one base station to another base station under a different access gateway.
Description
Technical field
The present invention relates to the technical field of wireless metropolitan area networks (WMANs), and in particular to a method for securely handing over a user terminal in a WMAN.
Background technology
IEEE 802.16 wireless metropolitan area networks have attracted wide attention as an important development direction for future wireless access technology. However, security problems have always constrained their further promotion and development. IEEE 802.16d defines an authentication protocol based on the RSA public key algorithm and digital certificates, which allows the base station to authenticate the user terminal. The main defect of IEEE 802.16d is that it provides only one-way authentication of the user terminal by the base station and no authentication of the base station by the user terminal, so a forged base station can easily deceive a user terminal. In addition, both the authorization key (AK) and the session key (TEK) are generated by the base station alone; under such one-way authentication it is difficult for the user terminal to trust the quality of the session key TEK. IEEE 802.16e enhanced IEEE 802.16d by introducing the Extensible Authentication Protocol (EAP), but it still provides only one-way authentication of the user terminal by the base station.
The patent with application number 200810027930.0, "A secure access method for a wireless metropolitan area network" (WMAN-SA for short), provides a secure access method for a WMAN in which mutual authentication between the user terminal and the base station replaces the original one-way authentication during the authentication and authorization process, so that an attacker can no longer impersonate a legitimate base station to gain the trust of a user terminal, and the possibility of a man-in-the-middle attack is avoided. In the key negotiation process the key is generated jointly by the user terminal and the base station rather than assigned by the base station, which guarantees the quality of the key and strengthens the security of the WMAN. The improved protocol therefore satisfies the functional and performance requirements of the original WMAN while being more secure.
With the development of mobile computing services, the demand for user handover grows daily. When WMAN-SA is deployed at scale, handover of a user terminal between different base stations is managed by access gateways. However, WMAN-SA only defines functions such as identity authentication, key management, data encryption, data authentication and replay protection; it does not include a concrete scheme by which access gateways manage user handover.
Summary of the invention
To address the problems of the prior art described above, the invention provides a method for securely handing over a user terminal in a WMAN, solving the technical problem of allowing a user terminal in a WMAN to be handed over securely and quickly from one base station to another base station under a different access gateway.
To achieve this object of the invention, the technical solution adopted is as follows:
A method for securely handing over a user terminal in a WMAN, the method comprising:
the target base station receives handover request information sent by the user terminal and forwards the handover request information to the target access gateway;
the target access gateway returns handover response information to the target base station, and the target base station forwards the handover response information to the user terminal;
the target access gateway sends first join-user-terminal request information to the target base station;
the target base station receives the first join-user-terminal request information, configures for the user terminal a first controlled port used for secure transmission, sets the first controlled port to the closed state, and returns first join-user-terminal response information to the target access gateway;
the target access gateway completes the session key negotiation process with the user terminal through the target base station;
the target access gateway sends second join-user-terminal request information to the target base station;
the target base station receives the second join-user-terminal request information, sets the first controlled port to the open state, and returns second join-user-terminal response information to the target access gateway.
In a preferred embodiment, the method further comprises a delete-user-information step, which specifically comprises:
the current access gateway sends delete-user-terminal request information to the current base station;
the current base station receives the delete-user-terminal request information, closes the second controlled port associated with the user terminal, deletes the user terminal information, and returns delete-user-terminal response information; the second controlled port is the port that the current base station configured for the user terminal for secure transmission.
In a further preferred embodiment, the delete-user-information step is performed before the target access gateway sends the first join-user-terminal request information to the target base station.
In a further preferred embodiment, the delete-user-information step is performed after the target base station returns the second join-user-terminal response information to the target access gateway.
In a further preferred embodiment, the target base station establishes a trust relationship with the target access gateway through the base station secure access protocol, and the current base station establishes a trust relationship with the current access gateway through the base station secure access protocol.
In a further preferred embodiment, the concrete method by which the target base station forwards the user terminal's handover request information to the target access gateway and the target access gateway controls the user terminal's joining of the target base station comprises:
the target base station receives the handover request information sent by the user terminal and forwards it to the target access gateway; the handover request information comprises the current base station identifier, the current access gateway identifier and the user terminal identifier;
the target access gateway returns handover response information to the target base station, and the target base station forwards it to the user terminal; the handover response information comprises the current base station identifier, the current access gateway identifier, the user terminal identifier and the handover request result;
the target access gateway sends first join-user-terminal request information to the target base station; the first join-user-terminal request information comprises the target base station identifier, the user terminal identifier and a controlled port state flag, with the controlled port state flag set to "forwarding of non-management messages not allowed"; the controlled port state flag indicates whether forwarding of non-management messages is allowed;
the target base station receives the first join-user-terminal request information, configures for the user terminal a first controlled port used for secure transmission, sets the first controlled port to the closed state, and returns first join-user-terminal response information to the target access gateway; the first join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result;
the target access gateway completes the session key negotiation process with the user terminal through the target base station and obtains a session key;
the target access gateway sends second join-user-terminal request information to the target base station; the second join-user-terminal request information comprises the target base station identifier, the user terminal identifier and the controlled port state flag, with the controlled port state flag set to "forwarding of non-management messages allowed";
the target base station receives the second join-user-terminal request information, sets the first controlled port to the open state, and returns second join-user-terminal response information to the target access gateway; the second join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result.
In a further preferred embodiment, the concrete method by which the current base station deletes the user terminal information comprises:
the current access gateway sends delete-user-terminal request information to the current base station; the delete-user-terminal request information comprises the current base station identifier and the user terminal identifier;
the current base station receives the delete-user-terminal request information, closes the second controlled port associated with the user terminal according to the user terminal identifier, deletes the user terminal information, and returns delete-user-terminal response information; the second controlled port is the port that the current base station configured for the user terminal for secure transmission, and the delete-user-terminal response information comprises the current base station identifier, the user terminal identifier and the deletion result.
In a further preferred embodiment, the target base station identifier is the unique identifier of the target base station, namely its MAC address; the current base station identifier is the unique identifier of the current base station, namely its MAC address; and the user terminal identifier is the unique identifier of the user terminal, namely its MAC address.
The invention makes it possible, in a WMAN, for a user terminal to be handed over securely and quickly from one base station to another base station under a different access gateway.
Description of drawings
Fig. 1 is the network topology diagram of the invention, in which a user terminal is handed over from the current base station to the target base station;
Fig. 2 is the message flow chart of the invention;
Fig. 3 is the flow chart of an embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and specific embodiments.
The solution of the invention is as follows. The system comprises a current access gateway, a current base station, a target access gateway, a target base station and a user terminal. Access based on the WMAN-SA protocol is completed by the access gateway, the user terminal and the authentication server; the base station is responsible only for forwarding messages and is managed by the access gateway. When the user terminal is handed over from the current base station to the target base station, the current access gateway instructs the current base station to delete the user terminal; the target access gateway instructs the target base station to add the user terminal and close the corresponding controlled port; the user terminal and the target access gateway carry out session key negotiation; and the target access gateway then instructs the target base station to open the controlled port corresponding to the user terminal, completing the handover.
Fig. 3 shows the flow chart of an embodiment of the invention.
Step S101: the target base station receives handover request information sent by the user terminal and forwards it to the target access gateway of the target base station. The handover request information comprises the current access gateway identifier, the current base station identifier and the user terminal identifier; the current base station is the base station the user terminal was successfully attached to when the roaming message was sent, and the current access gateway is the access gateway to which the current base station is connected. Proceed to step S102;
Step S102: the target access gateway returns handover response information to the target base station, and the target base station forwards it to the user terminal. The handover response information comprises the current access gateway identifier, the current base station identifier, the user terminal identifier and the handover request result. Proceed to step S103;
Step S103: the current access gateway sends delete-user-terminal request information to the current base station; the delete-user-terminal request information comprises the current base station identifier and the user terminal identifier. Proceed to step S104;
Step S104: the current base station receives the delete-user-terminal request information, closes the second controlled port associated with the user terminal according to the user terminal identifier, deletes the user terminal information, and returns delete-user-terminal response information. The second controlled port is the port the current base station configured for the user terminal for secure transmission; the delete-user-terminal response information comprises the current base station identifier, the user terminal identifier and the deletion result. Proceed to step S105;
Step S105: the target access gateway sends first join-user-terminal request information to the target base station. The first join-user-terminal request information comprises the target base station identifier, the user terminal identifier and a controlled port state flag, with the flag set to "forwarding of non-management messages not allowed"; the controlled port state flag indicates whether forwarding of non-management messages is allowed. Proceed to step S106;
Step S106: the target base station receives the first join-user-terminal request information, configures for the user terminal a first controlled port used for secure transmission, sets the first controlled port to the closed state, and returns first join-user-terminal response information to the target access gateway. The first join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result. Proceed to step S107;
Step S107: the target access gateway completes the session key negotiation process with the user terminal through the target base station. Proceed to step S108;
Step S108: the target access gateway sends second join-user-terminal request information to the target base station. The second join-user-terminal request information comprises the target base station identifier, the user terminal identifier and the controlled port state flag, with the flag set to "forwarding of non-management messages allowed". Proceed to step S109;
Step S109: the target base station receives the second join-user-terminal request information, sets the first controlled port to the open state, and returns second join-user-terminal response information to the target access gateway. The second join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result.
While the controlled port is closed, only management-type messages (such as WMAN-SA messages) can be forwarded; once the controlled port is opened, both management-type messages and non-management-type messages (such as audio and video service traffic) can be forwarded.
Steps S103 to S104 can be performed before steps S105 to S109, which gives a hard handover, or after steps S105 to S109, which gives a soft handover.
As shown in Fig. 1, the embodiment of the invention addresses the scenario in which a user terminal is handed over between several base stations managed by different gateways. The target base station therefore establishes a trust relationship with the target access gateway through the base station secure access protocol, the current base station establishes a trust relationship with the current access gateway through the base station secure access protocol, and both the target access gateway and the current access gateway are connected to the authentication server and authenticate through it.
For the base station secure access protocol mentioned above, reference may be made to the Chinese patent application CN200910039197.9, "A secure access method for a base station of a mobile communication system".
The terminal security protocol between the user terminal and the base station may follow the patent with application number 200810027930.0, "A secure access method for a wireless metropolitan area network" (WMAN-SA for short), or adopt the IEEE 802.16d standard protocol.
Because the base station and the access gateway have established a trust relationship through the base station secure access protocol, and the user terminal's access to the current base station used the terminal security protocol, the user terminal's handover is secure and reliable without repeating authentication, thereby achieving a fast and secure handover.
Fig. 2 shows the message flow chart of the invention.
1. The user terminal sends a handover request message to the target base station; the message comprises the user terminal identifier, the current base station identifier and the current access gateway identifier;
2. After receiving the handover request message, the target base station forwards it to the target access gateway;
3. The target access gateway sends a handover response message to the target base station; the message comprises the user terminal identifier, the current base station identifier, the current access gateway identifier and the handover request result (success or failure);
4. After receiving the handover response message, the target base station forwards it to the user terminal;
5. The current access gateway sends a delete-user-terminal request message to the current base station; the message comprises the current base station identifier and the user terminal identifier;
6. After receiving the delete-user-terminal request message, the current base station closes the controlled port according to the user terminal identifier, deletes the user terminal's related information, and sends a delete-user-terminal response message; the message comprises the current base station identifier, the user terminal identifier and the user terminal deletion result (success or failure);
7. The target access gateway sends a first join-user-terminal request message to the target base station; the message comprises the target base station identifier, the user terminal identifier and the controlled port state flag (here the flag is "closed", meaning only management-type messages can be forwarded);
8. After receiving the first join-user-terminal request message, the target base station sends a first join-user-terminal response message; the message comprises the target base station identifier, the user terminal identifier and the user terminal join result (success or failure);
9. The user terminal and the target access gateway carry out session key negotiation and obtain a session key, with the target base station forwarding the messages between the user terminal and the target access gateway;
10. The target access gateway sends a second join-user-terminal request message to the target base station; the message comprises the target base station identifier, the user terminal identifier and the controlled port state flag (here the flag is "open", meaning both management-type and non-management-type messages can be forwarded);
11. After receiving the second join-user-terminal request message, the target base station opens the controlled port corresponding to the user terminal and sends a second join-user-terminal response message; the message comprises the target base station identifier, the user terminal identifier and the user terminal join result (success or failure).
Steps 5 to 6 can be performed either before steps 7 to 11 or after them.
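As an added example that is not part of the patent, the following Python simulation models the message flow of steps S101 to S109 and messages 1 to 11 above, including the controlled-port rule (closed: management messages only; open: all messages) and both orderings of the delete step (hard and soft handover). The entity classes, message field names, sample MAC addresses and the hash-based stand-in for the WMAN-SA session key negotiation are assumptions of this example.

```python
"""Simulation of the handover message flow of steps S101-S109 / messages 1-11.

Added example, not the patent's own code. Entity classes, field names, the
sample MAC addresses and the hash-based key-agreement stand-in are assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import secrets

MGMT, DATA = "management", "non-management"   # message classes in the description


@dataclass
class BaseStation:
    bs_id: str                                  # base station identifier (MAC address)
    ports: dict = field(default_factory=dict)   # ut_id -> "closed" | "open"
    log: list = field(default_factory=list)     # (ut_id, kind, verdict) per forwarding decision

    def forward(self, ut_id, kind):
        """Controlled-port rule: closed -> management messages only; open -> all."""
        state = self.ports.get(ut_id)
        ok = state == "open" or (state == "closed" and kind == MGMT)
        self.log.append((ut_id, kind, "forwarded" if ok else "dropped"))
        return ok

    def join_user_terminal(self, req):
        """Join-user-terminal request: target BS id, UT id, controlled-port state flag."""
        if req["target_bs"] != self.bs_id:
            return {"target_bs": self.bs_id, "ut_id": req["ut_id"], "result": "failure"}
        self.ports[req["ut_id"]] = req["port_flag"]   # configure / open the controlled port
        return {"target_bs": self.bs_id, "ut_id": req["ut_id"], "result": "success"}

    def delete_user_terminal(self, req):
        """Delete-user-terminal request: current BS id, UT id."""
        known = req["current_bs"] == self.bs_id and req["ut_id"] in self.ports
        self.ports.pop(req["ut_id"], None)          # close the port and drop UT state
        return {"current_bs": self.bs_id, "ut_id": req["ut_id"],
                "result": "success" if known else "failure"}


@dataclass
class AccessGateway:
    ag_id: str
    managed: set = field(default_factory=set)   # base stations it has a trust relation with
    keys: dict = field(default_factory=dict)    # ut_id -> negotiated session key

    def handover_response(self, req, target_bs):
        # Assumption: the target AG only admits a handover through a BS it manages
        ok = target_bs in self.managed
        return {**req, "result": "success" if ok else "failure"}


def negotiate_session_key(ut_nonce, ag_nonce):
    """Stand-in for WMAN-SA key agreement: the key depends on both parties' nonces,
    so neither side dictates it alone. Not the real WMAN-SA construction."""
    return hashlib.sha256(b"wman-sa-sim" + ut_nonce + ag_nonce).digest()


def handover(ut_id, cur_bs, cur_ag, tgt_bs, tgt_ag, soft=False):
    """Run messages 1-11. Returns (port state at target, UT/AG keys match,
    current BS no longer knows the UT)."""
    # 1-2: handover request, relayed by the target BS to its AG
    ho_req = {"ut_id": ut_id, "current_bs": cur_bs.bs_id, "current_ag": cur_ag.ag_id}
    # 3-4: handover response, relayed back to the UT
    ho_rsp = tgt_ag.handover_response(ho_req, tgt_bs.bs_id)
    if ho_rsp["result"] != "success":
        return "none", False, ut_id not in cur_bs.ports

    def delete_step():                              # messages 5-6
        return cur_bs.delete_user_terminal({"current_bs": cur_bs.bs_id, "ut_id": ut_id})

    if not soft:                                    # hard handover: delete first
        delete_step()

    # 7-8: first join request, controlled port configured and closed
    tgt_bs.join_user_terminal({"target_bs": tgt_bs.bs_id, "ut_id": ut_id, "port_flag": "closed"})
    # 9: key agreement relayed by the target BS; only management traffic passes
    ut_nonce, ag_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    tgt_bs.forward(ut_id, MGMT)                     # key-agreement message: forwarded
    tgt_bs.forward(ut_id, DATA)                     # premature user data: dropped
    ut_key = negotiate_session_key(ut_nonce, ag_nonce)
    tgt_ag.keys[ut_id] = negotiate_session_key(ut_nonce, ag_nonce)
    # 10-11: second join request opens the controlled port
    tgt_bs.join_user_terminal({"target_bs": tgt_bs.bs_id, "ut_id": ut_id, "port_flag": "open"})
    tgt_bs.forward(ut_id, DATA)                     # user data now forwarded

    if soft:                                        # soft handover: delete last
        delete_step()
    return tgt_bs.ports[ut_id], ut_key == tgt_ag.keys[ut_id], ut_id not in cur_bs.ports


def build_scenario():
    """Constructed topology: UT attached to BS1 under AG1, moving to BS2 under AG2."""
    cur_bs, tgt_bs = BaseStation("00:11:22:33:44:01"), BaseStation("00:11:22:33:44:02")
    cur_ag = AccessGateway("ag-1", managed={cur_bs.bs_id})
    tgt_ag = AccessGateway("ag-2", managed={tgt_bs.bs_id})
    cur_bs.ports["00:aa:bb:cc:dd:ee"] = "open"      # UT currently has an open port at BS1
    return cur_bs, cur_ag, tgt_bs, tgt_ag


if __name__ == "__main__":
    cur_bs, cur_ag, tgt_bs, tgt_ag = build_scenario()
    print(handover("00:aa:bb:cc:dd:ee", cur_bs, cur_ag, tgt_bs, tgt_ag, soft=True))
    print(tgt_bs.log)
```

The forwarding log shows the point of the closed port: the key-agreement message passes while user data sent before the second join request is dropped.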
The above is only a preferred embodiment of the invention. It should be pointed out that a person of ordinary skill in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (8)
1. A method for securely handing over a user terminal in a wireless metropolitan area network, characterized in that the method comprises:
the target base station receives handover request information sent by the user terminal and forwards the handover request information to the target access gateway;
the target access gateway returns handover response information to the target base station, and the target base station forwards the handover response information to the user terminal;
the target access gateway sends first join-user-terminal request information to the target base station;
the target base station receives the first join-user-terminal request information, configures for the user terminal a first controlled port used for secure transmission, sets the first controlled port to the closed state, and returns first join-user-terminal response information to the target access gateway;
the target access gateway completes the session key negotiation process with the user terminal through the target base station;
the target access gateway sends second join-user-terminal request information to the target base station;
the target base station receives the second join-user-terminal request information, sets the first controlled port to the open state, and returns second join-user-terminal response information to the target access gateway.
2. The handover method according to claim 1, characterized in that the method further comprises a delete-user-information step, which specifically comprises:
the current access gateway sends delete-user-terminal request information to the current base station;
the current base station receives the delete-user-terminal request information, closes the second controlled port associated with the user terminal, deletes the user terminal information, and returns delete-user-terminal response information; the second controlled port is the port that the current base station configured for the user terminal for secure transmission.
3. The handover method according to claim 2, characterized in that the delete-user-information step is performed before the target access gateway sends the first join-user-terminal request information to the target base station.
4. The handover method according to claim 2, characterized in that the delete-user-information step is performed after the target base station returns the second join-user-terminal response information to the target access gateway.
5. The handover method according to any one of claims 2 to 4, characterized in that the target base station establishes a trust relationship with the target access gateway through the base station secure access protocol, and the current base station establishes a trust relationship with the current access gateway through the base station secure access protocol.
6. The handover method according to any one of claims 1 to 4, characterized in that the concrete method by which the target base station forwards the user terminal's handover request information to the target access gateway and the target access gateway controls the user terminal's joining of the target base station comprises:
the target base station receives the handover request information sent by the user terminal and forwards it to the target access gateway; the handover request information comprises the current base station identifier, the current access gateway identifier and the user terminal identifier;
the target access gateway returns handover response information to the target base station, and the target base station forwards it to the user terminal; the handover response information comprises the current base station identifier, the current access gateway identifier, the user terminal identifier and the handover request result;
the target access gateway sends first join-user-terminal request information to the target base station; the first join-user-terminal request information comprises the target base station identifier, the user terminal identifier and a controlled port state flag, with the controlled port state flag set to "forwarding of non-management messages not allowed"; the controlled port state flag indicates whether forwarding of non-management messages is allowed;
the target base station receives the first join-user-terminal request information, configures for the user terminal a first controlled port used for secure transmission, sets the first controlled port to the closed state, and returns first join-user-terminal response information to the target access gateway; the first join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result;
the target access gateway completes the session key negotiation process with the user terminal through the target base station and obtains a session key;
the target access gateway sends second join-user-terminal request information to the target base station; the second join-user-terminal request information comprises the target base station identifier, the user terminal identifier and the controlled port state flag, with the controlled port state flag set to "forwarding of non-management messages allowed";
the target base station receives the second join-user-terminal request information, sets the first controlled port to the open state, and returns second join-user-terminal response information to the target access gateway; the second join-user-terminal response information comprises the target base station identifier, the user terminal identifier and the user terminal join result.
7. The handover method according to claim 2, characterized in that the concrete method by which the current base station deletes the user terminal information comprises:
the current access gateway sends delete-user-terminal request information to the current base station; the delete-user-terminal request information comprises the current base station identifier and the user terminal identifier;
the current base station receives the delete-user-terminal request information, closes the second controlled port associated with the user terminal according to the user terminal identifier, deletes the user terminal information, and returns delete-user-terminal response information; the second controlled port is the port that the current base station configured for the user terminal for secure transmission, and the delete-user-terminal response information comprises the current base station identifier, the user terminal identifier and the deletion result.
8. The handover method according to claim 7, characterized in that the target base station identifier is the unique identifier of the target base station, namely its MAC address; the current base station identifier is the unique identifier of the current base station, namely its MAC address; and the user terminal identifier is the unique identifier of the user terminal, namely its MAC address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010608898.2A CN102065429B (en) | 2010-12-28 | 2010-12-28 | Method for safely switching user terminal in wireless metropolitan area network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102065429A CN102065429A (en) | 2011-05-18 |
CN102065429B true CN102065429B (en) | 2013-06-26 |
Family ID: 44000480
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018023544A1 (en) * | 2016-08-04 | 2018-02-08 | 华为技术有限公司 | Communication method, user equipment, base station, control plane network element, and communication system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1874601A (en) * | 2006-01-18 | 2006-12-06 | 华为技术有限公司 | Implementation method for switching between offices in system |
CN1997204A (en) * | 2006-01-04 | 2007-07-11 | 华为技术有限公司 | A method for switching among cells |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101766041B (en) * | 2007-07-27 | 2016-08-10 | 富士通株式会社 | Mobile communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130626; Termination date: 20201228 |