
WO2007033548A1 - A method and device for obtaining the security association information during the mobile terminal handoff procedure - Google Patents


Info

Publication number
WO2007033548A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile terminal
access network
security association
network gateway
base station
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2006/001513
Other languages
French (fr)
Chinese (zh)
Inventor
Changhong Shan
Zhibin Lin
Shujun Dang
Yongmao Li
Jun Zhang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by Huawei Technologies Co Ltd
Publication of WO2007033548A1
Anticipated expiration
Ceased (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method and apparatus for obtaining security association information, or a user-plane communication encryption key, during the handover of a mobile terminal.
  • BACKGROUND OF THE INVENTION In a mobile communication system, a mobile terminal moves and therefore often switches from one base station to another. When the mobile terminal switches to a new base station, in order to reduce the delay of communication between the mobile terminal and the new base station, the new base station needs to obtain the security parameter information, including the security association information, that the mobile terminal was using for its communication services on the original serving base station.
  • The security association information is the SA (Security Association) context information, that is, the content of the SA context, and in particular the TEK (Traffic Encryption Key), as used between the MSS and the BS.
  • MSS: Mobile Subscriber Station, the mobile terminal (also called the mobile subscription station).
  • BS: Base Station.
  • The SA here means the whole content of the SA context, which comprises the SAID (Security Association Identity), the SA Type (Security Association Type), the SA Service Type (Security Association Service Type), the Cryptographic Suite, and the parameters of the TEK pair.
  • SAID: Security Association Identity.
  • SA Type: Security Association Type.
  • SA Service Type: Security Association Service Type.
  • Cryptographic Suite (crypto tuple): the data encryption algorithm and mode, the data authentication algorithm and mode, and the communication encryption key encryption algorithm and mode (the algorithm used to encrypt the TEK itself).
  • Parameters of the TEK pair (the communication encryption keys): the TEK, KEY-Lifetime (remaining lifetime of the communication encryption key), Key-Sequence-Number (serial number of the communication encryption key), CBC-IV (initial vector used with the communication encryption key in CBC mode), PN (sequence number of the packets sent), RxPN (sequence number of the packets received), and the Associated GKEK Sequence Number (sequence number of the group key encryption key, for multicast).
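The SA context listed above is the unit that changes hands during handover. The Python below is an added example, not code from the patent or from Huawei: it models that context with the fields the page names, encodes the SA-list message (MSS identifier, target BS identifier, SA list) that the serving BS or the authenticator/ASN-GW sends, and performs the target-BS step of replacing every SAID while checking that nothing else in the context changed. The JSON message layout, the function names and the sample key and counter values are assumptions of the example.

```python
"""Added example (not from the patent): the SA context carried from the
serving BS via the authenticator / ASN-GW to the target BS, and the target-BS
step of re-allocating SAIDs. Field names follow the SA context described on
the page; the JSON layout and sample values are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, asdict, replace
from typing import Iterator, Optional
import json


@dataclass(frozen=True)
class TekPair:
    """One TEK together with the parameters the page lists for the TEK pair."""
    tek: bytes                     # traffic encryption key
    key_lifetime: int              # KEY-Lifetime, remaining seconds
    key_sequence_number: int       # Key-Sequence-Number
    cbc_iv: bytes                  # CBC-IV
    pn: int                        # PN: next packet number to send
    rx_pn: int                     # RxPN: last packet number received
    gkek_sequence_number: Optional[int] = None   # multicast SAs only


@dataclass(frozen=True)
class CryptoSuite:
    data_encryption: str           # algorithm and mode, e.g. "AES-CCM-128"
    data_authentication: str       # data authentication algorithm and mode
    tek_encryption: str            # algorithm that wraps the TEK itself


@dataclass(frozen=True)
class SAContext:
    said: int
    sa_type: str                   # primary / static / dynamic
    sa_service_type: str           # unicast / multicast
    suite: CryptoSuite
    teks: tuple[TekPair, TekPair]  # the TEK pair: current key and its successor


def _to_wire(sa: SAContext) -> dict:
    d = asdict(sa)
    for t in d["teks"]:
        t["tek"], t["cbc_iv"] = t["tek"].hex(), t["cbc_iv"].hex()
    d["teks"] = list(d["teks"])
    return d


def _from_wire(d: dict) -> SAContext:
    teks = tuple(TekPair(**{**t, "tek": bytes.fromhex(t["tek"]),
                            "cbc_iv": bytes.fromhex(t["cbc_iv"])}) for t in d["teks"])
    return SAContext(d["said"], d["sa_type"], d["sa_service_type"],
                     CryptoSuite(**d["suite"]), teks)


def encode_sa_list(mss_id: str, t_bsid: str, sa_list: list[SAContext]) -> bytes:
    """SA-list message (MSS ID, T-BSID, SA list) as carried in the handover
    request / SA response messages. The layout is an assumption of this example."""
    return json.dumps({"mss_id": mss_id, "t_bsid": t_bsid,
                       "sa_list": [_to_wire(s) for s in sa_list]}).encode()


def decode_sa_list(msg: bytes) -> tuple[str, str, list[SAContext]]:
    d = json.loads(msg)
    return d["mss_id"], d["t_bsid"], [_from_wire(s) for s in d["sa_list"]]


def install_on_target_bs(sa_list: list[SAContext], said_allocator: Iterator[int]
                         ) -> tuple[list[SAContext], dict[int, int]]:
    """Target-BS step: give every SA a locally unique SAID and keep all other
    fields. Returns the new list and the old->new SAID mapping that the target
    BS pushes to the MSS during ranging."""
    mapping, installed = {}, []
    for sa in sa_list:
        new_said = next(said_allocator)
        mapping[sa.said] = new_said
        installed.append(replace(sa, said=new_said))
    return installed, mapping


def context_preserved(original: list[SAContext], installed: list[SAContext],
                      mapping: dict[int, int]) -> bool:
    """True iff only the SAIDs changed. TEKs, lifetimes, IVs and the PN/RxPN
    counters must carry over unchanged: the same TEK stays in use at the target
    BS, and in AES-CCM the PN forms part of the nonce, so a reset PN would reuse
    nonces under that key."""
    if len(original) != len(installed):
        return False
    return all(mapping[o.said] == n.said and replace(o, said=n.said) == n
               for o, n in zip(original, installed))


# Constructed sample SA held by the serving BS (illustrative values only).
SAMPLE_SUITE = CryptoSuite("AES-CCM-128", "AES-CCM-MAC", "AES-KEYWRAP-128")


def sample_sa(said: int) -> SAContext:
    return SAContext(said, "primary", "unicast", SAMPLE_SUITE, (
        TekPair(bytes.fromhex("00112233445566778899aabbccddeeff"), 3600, 0, bytes(16), 1000, 980),
        TekPair(bytes.fromhex("ffeeddccbbaa99887766554433221100"), 7200, 1, bytes(16), 0, 0)))


def handover_demo() -> dict[int, int]:
    """Serving BS encodes the SA list; the target BS decodes it, re-allocates
    SAIDs and verifies nothing else changed. Returns the SAID mapping."""
    wire = encode_sa_list("mss-1", "bs-target", [sample_sa(0x10), sample_sa(0x11)])
    _, _, received = decode_sa_list(wire)
    installed, mapping = install_on_target_bs(received, iter(range(0x20, 0x30)))
    assert context_preserved(received, installed, mapping)
    return mapping


if __name__ == "__main__":
    print(handover_demo())
```

The `context_preserved` check is the practitioner's guard for this step: the page has the target BS change only the SAID, so any other field that differs after transfer (in particular a PN that restarted from zero) indicates a broken transfer rather than a legitimate update.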
  • The security association used by a base station, such as its encryption key, can be obtained from an Authenticator or from an Access Service Network Gateway (ASN-GW).
  • The authenticator or the access network gateway may reside on a different physical network element from the BS.
  • The authenticator or the access network gateway and the BS are both within one ASN (Access Service Network), but they are not necessarily on the same physical network element.
  • The problem to be faced is therefore: after the MSS switches between different BSs, how can the target base station obtain, through the authenticator or the access network gateway, the security association information (the communication encryption key and the encryption algorithms and modes) used for communication between the MSS and the target base station? At present there is no solution to this problem. Summary of the invention
  • An object of the present invention is to provide a method and apparatus for obtaining security association information during the handover of a mobile terminal, so that the SA context list (that is, the security association information) held on the original BS can be taken over by the target BS in the communication system.
  • The present invention provides a method for obtaining security association information during the handover of a mobile terminal, including: while the mobile terminal performs handover in a communication system, the target base station acquires the same security association information that the mobile terminal used with the original base station, and uses it as the security association information between the target base station and the mobile terminal.
  • The security association information includes a security association, the negotiated encryption algorithm and mode, and/or the communication encryption key and its parameter information.
  • The method includes:
  • the authenticator or the access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or
  • the target base station requests the security association information of the mobile terminal from the authenticator or the access network gateway, and the authenticator or the access network gateway, having acquired the required security association information from the original base station, sends it to the target base station according to the request.
  • The original base station reports the security association information of the mobile terminal to the authenticator or the access network gateway in the handover request/indication message.
  • Alternatively, the method includes:
  • the authenticator or the access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports it to the authenticator or the access network gateway according to the request;
  • the authenticator or the access network gateway then directly delivers the security association information of the mobile terminal to the target base station; or
  • the authenticator or the access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports it to the authenticator or the access network gateway according to the request;
  • the target base station requests the security association information of the mobile terminal from the authenticator or the access network gateway, which sends it to the target base station according to the request.
  • Where the target base station belongs to a different authenticator or access network gateway, the method includes:
  • the target authenticator or access network gateway requests the security association information of the mobile terminal from the original authenticator or the original serving access network gateway, either directly or through a network entity in the target network;
  • the original authenticator or the original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
  • the target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or
  • the target authenticator or access network gateway requests the security association information of the mobile terminal from the original authenticator or the original serving access network gateway, either directly or through a network entity in the target network;
  • the original authenticator or the original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
  • the target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, which sends it to the target base station according to the request.
  • Alternatively, the method includes:
  • the target authenticator or access network gateway requests the security association information of the mobile terminal from the original authenticator or the original serving access network gateway, either directly or after a network entity in the target network has identified the original authenticator or the original serving access network gateway;
  • the original authenticator or the original serving access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports it to the original authenticator or the original serving access network gateway according to the request;
  • the original authenticator or the original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
  • the target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or
  • the target authenticator or access network gateway requests the security association information of the mobile terminal from the original authenticator or the original serving access network gateway, either directly or after a network entity in the target network has identified the original authenticator or the original serving access network gateway; the original authenticator or the original serving access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports it to the original authenticator or the original serving access network gateway according to the request;
  • the original authenticator or the original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
  • the target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, which sends it to the target base station according to the request.
  • The method of the present invention further includes: the target base station obtains the security association information from the handover preparation/confirmation message, or it initiates the request for the security association information of the mobile terminal when triggered by the Ranging Request message (the request to adjust transmission parameters and power) sent by the terminal.
  • The mobile communication system includes a WiMAX (Worldwide Interoperability for Microwave Access) system.
  • The security association information in the system includes: a security association identifier, a security association type, a security association service type, a cryptographic suite, and/or communication encryption key pair information. The cryptographic suite includes a data encryption algorithm and mode, a data authentication algorithm and mode, and/or a communication encryption key encryption algorithm and mode.
  • The communication encryption key pair information includes the communication encryption key, the remaining lifetime of the communication encryption key, the communication encryption key serial number, the initial vector of the communication encryption key in CBC mode, the sent packet sequence number, the received packet number, and/or the multicast key encryption key serial number used under multicast.
  • The present invention also provides an apparatus for obtaining security association information during the handover of a mobile terminal that implements the foregoing method, including:
  • a security association list sending module, configured to provide the security association list to the target base station;
  • a security association information obtaining module, which acquires the security association information of the mobile terminal from the original base station;
  • a security association information transmission module, which transmits the security association information of the mobile terminal acquired by the obtaining module to the target base station.
  • The security association list sending module is located on the original serving base station; the security association information obtaining module is located on the target base station and/or on the authenticator or the access network gateway; and the security association information transmission module is located on the authenticator or the access network gateway.
  • The authenticator or the access network gateway includes the original authenticator or the original serving access network gateway to which the original base station of the mobile terminal belongs, and/or the target authenticator or access network gateway to which the target base station belongs.
  • The present invention provides a method for obtaining security association information during the handover of a mobile terminal, so that after the mobile terminal switches base station, the target base station can still use the same security association list as the original base station. That is, during the handover of the mobile terminal, the target base station acquires the same security association list that the mobile terminal used with the original base station and uses it as the security association between the target base station and the mobile terminal, and a corresponding implementation process is provided. The present invention therefore provides a feasible implementation for acquiring the security association during the handover of a mobile terminal.
  • FIG. 2 is the first flow chart of the method of the present invention.
  • FIG. 3 is the second flow chart of the method of the present invention.
  • FIG. 4 is the third flow chart of the method of the present invention.
  • FIG. 5 is the fourth flow chart of the method of the present invention.
  • FIG. 6 is a schematic diagram of the structure of the apparatus of the present invention.
  • Mode for Carrying Out the Invention The core of the present invention is a method for obtaining a security association during the handover of a mobile terminal, so that after the mobile terminal switches base station, the target base station still uses the same security association as the original base station. That is, during the handover of the mobile terminal, the target base station acquires the same security association that the mobile terminal used with the original base station and uses it as the security association between the target base station and the mobile terminal.
  • The security associations described herein include the security association information and/or the communication encryption keys mentioned above.
  • The handover of a mobile terminal between base stations in the communication system generally falls into two main situations: 1. the mobile terminal switches between BSs within the range of the same authenticator or access network gateway; 2. the mobile terminal switches between BSs belonging to different authenticators or access network gateways.
  • For the authenticator or the access network gateway to obtain the security association that the mobile terminal holds on the original base station, there are likewise two main implementation forms: 1. the original base station actively reports the security association of the mobile terminal to the authenticator or the access network gateway; 2. the original base station sends the security association of the mobile terminal to the authenticator or the access network gateway only after receiving a request message from it.
  • The access network gateway includes, but is not limited to, the original serving access network gateway, the target access network gateway, the access network gateway where the authenticator is located, and/or the access network gateway where the foreign agent is located, and so on. Combining the situations above gives four combinations; the four specific embodiments below describe each of them in detail, together with the handover request and the conventional processing after the handover.
  • Embodiment 1 As shown in FIG. 2, when the mobile terminal hands over between BSs within the range of the same authenticator or access network gateway in the communication system, and the original base station actively reports the security association to the corresponding authenticator or access network gateway, the method of the present invention includes the following steps:
  • Step 21 The mobile terminal sends a handover request/indication message to the original base station.
  • Step 22 The original base station sends a handover request/indication message to the authenticator or the access network gateway. The message includes the mobile terminal identity (MSS ID), the target base station identifier (T-BSID), and all the security association information related to the mobile terminal.
  • MSS ID: mobile terminal identity.
  • T-BSID: target base station identifier.
  • Step 23 A handover preparation message exchange takes place between the authenticator or the access network gateway and the target base station, so as to prepare for the handover.
  • Step 24 After the handover preparation is completed, the authenticator or the access network gateway replies with a response message to the serving base station (that is, the original base station).
  • Step 25 After the handover preparation is completed, the target base station sends a message requesting the security association of the mobile terminal to the authenticator or the access network gateway; the message must include the identifier of the mobile terminal (MSS ID).
  • The security association information of the mobile terminal may be sent after the target base station requests it from the authenticator or the access network gateway, or the authenticator or the access network gateway may deliver it to the target base station directly, without a request from the target base station.
  • Step 26 The authenticator or the access network gateway sends the security association information to the target base station according to the request; the message includes the mobile terminal identifier (MSS ID) and the corresponding security association list.
  • Step 27 After receiving the SA list sent by the authenticator or the access network gateway, the target base station first allocates a new SA identity (SAID) to each SA in the SA list, replacing the old SAID.
  • Step 28 The Ranging process starts, in which the target base station sends all the updated SAIDs associated with the MSS to the MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.
  • Step 29 The session continues with the subsequent session process.
  • Alternatively, after step 24 is performed, step 25 is performed only once the target base station has received the Ranging Request (the request to adjust the uplink and downlink parameters and power) sent by the mobile terminal; in that case the Ranging process of step 28 is replaced by the target base station sending a Ranging Response message to the mobile terminal.
  • Embodiment 2 As shown in FIG. 3, when the mobile terminal hands over between BSs within the range of the same authenticator or access network gateway, and the original base station reports the security association only on request from the authenticator or the access network gateway, the method includes:
  • Step 31 The mobile terminal sends a handover request/indication message to the original base station.
  • Step 32 The original base station sends a handover request/indication message to the authenticator or the access network gateway; the message includes the mobile terminal identity (MSS ID) and the target base station identifier (T-BSID).
  • Step 33 Handover preparation is performed between the authenticator or the access network gateway and the target base station.
  • Step 34 The authenticator or the access network gateway replies to the serving base station with a response message.
  • Step 35 The target base station sends a message requesting the security association of the mobile terminal to the authenticator or the access network gateway; the message includes the identifier of the mobile terminal (MSS ID).
  • The authenticator or the access network gateway may request the security association of the mobile terminal from the original base station after the target base station has requested it from the authenticator or the access network gateway, or it may request it from the original base station directly, without a request from the target base station.
  • Step 36 The authenticator or the access network gateway sends an SA request message to the original base station, specifying the identifier of the mobile terminal, so as to obtain the corresponding SA information.
  • Step 37 The original base station reports the SA message of the mobile terminal to the authenticator or the access network gateway according to the request; the identifier of the mobile terminal is also specified in the message.
  • Step 38 The authenticator or the access network gateway sends the SA message to the target base station according to the request; the message includes the mobile terminal identifier (MSS ID) and the corresponding security association list, in which the security association information of the mobile terminal is recorded.
  • Step 39 After receiving the SA list sent by the authenticator or the access network gateway, the target base station first allocates a new SA identity (SAID) to each SA in the SA list, replacing the old SAID.
  • Step 310 The Ranging process starts, in which the target base station sends all the updated SAIDs associated with the MSS to the MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.
  • Step 311 The subsequent session process continues.
  • Alternatively, after step 34 is performed, step 35 is performed only once the target base station has received the Ranging Request message sent by the mobile terminal; in that case, following step 38, the target base station sends a Ranging Response message to the mobile terminal in place of the Ranging process of step 310.
  • Embodiment 3 As shown in FIG. 4, when the mobile terminal hands over between BSs belonging to different authenticators or access network gateways, and the original base station actively reports the security association to its authenticator or access network gateway, the method includes:
  • Step 41 The mobile terminal sends a handover request/indication message to the original base station.
  • Step 42 The original base station sends a handover request/indication message to the original authenticator or the original serving access network gateway. The message includes the mobile terminal identity (MSS ID), the target base station identifier (T-BSID), and all the security association information related to the mobile terminal.
  • Step 43 Handover preparation is performed between the original authenticator or the original serving access network gateway and the target base station.
  • Step 44 The original authenticator or the original serving access network gateway replies to the serving base station with a response message.
  • Step 45 The target base station sends a message requesting the security association of the mobile terminal to the target authenticator or access network gateway; the message includes the identifier of the mobile terminal (MSS ID).
  • The request message may need to pass through a network entity in the target network, such as a network management device, which locates the corresponding original device from the records it holds.
  • This step is optional. Either the target base station requests the security association from the target authenticator or access network gateway, which then requests the original authenticator or the original serving access network gateway to deliver the security association of the mobile terminal; or the target authenticator or access network gateway requests the original authenticator or the original serving access network gateway to deliver the security association of the mobile terminal without any request from the target base station. When the second implementation is selected, this step is omitted.
  • Step 46 The target authenticator or access network gateway sends an SA request message to the original authenticator or the original serving access network gateway according to the request; the message carries the identifier of the mobile terminal (MSS ID) in order to request the corresponding security association list from the original authenticator or the original serving access network gateway.
  • Step 47 After receiving the request message, the original authenticator or the original serving access network gateway reports the security association message of the mobile terminal to the target authenticator or access network gateway; the message includes the identifier of the mobile terminal (MSS ID) and the corresponding security association list, in which the security association information of the mobile terminal is recorded.
  • Step 48 The target authenticator or access network gateway sends the security association message of the mobile terminal to the target base station; the message includes the identity of the mobile terminal (MSS ID) and the corresponding security association list.
  • Step 49 After receiving the SA list sent by the target authenticator or access network gateway, the target base station first allocates a new SA identity (SAID) to each SA in the SA list, replacing the old SAID.
  • Step 410 The Ranging process starts, in which the target base station sends all the updated SAIDs associated with the MSS to the MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.
  • Step 411 The session continues.
  • Alternatively, after step 44 is performed, step 45 is performed only once the target base station has received the Ranging Request message sent by the mobile terminal; in that case, following step 48, the target base station sends a Ranging Response message to the mobile terminal in place of the Ranging process of step 410.
  • Embodiment 4 As shown in FIG. 5, when the mobile terminal hands over between BSs belonging to different authenticators or access network gateways, and the original base station reports the security association of the mobile terminal to the authenticator or the access network gateway only on request (passive reporting), the method includes:
  • Step 51 The mobile terminal sends a handover request/indication message to the original base station.
  • Step 52 The original base station sends a handover request/indication message to the authenticator or the access network gateway. The message includes the mobile terminal identity (MSS ID), the target base station identifier (T-BSID), and related information of the mobile terminal.
  • Step 53 Handover preparation is performed between the authenticator or the access network gateway and the target base station.
  • Step 54 The authenticator or the access network gateway replies to the serving base station with a response message.
  • Step 55 The target base station sends a message requesting the security association of the mobile terminal to the target authenticator or access network gateway; the message includes the identifier of the mobile terminal (MSS ID).
  • The request message may need to pass through a network entity in the target network, such as a network management device, which locates the corresponding original device from the records it holds.
  • Step 55 is optional. Either the target base station requests the security association from the target authenticator or access network gateway, which then requests it from the original authenticator or the original serving access network gateway; or the target authenticator or access network gateway requests the original authenticator or the original serving access network gateway to send the security association of the mobile terminal without any request from the target base station. When the second implementation is selected, this step is omitted.
  • Step 56 The target authenticator or access network gateway sends an SA request message to the original authenticator or the original serving access network gateway according to the request; the message includes the identifier of the mobile terminal (MSS ID) and indicates the corresponding security association list that is requested.
  • Step 57 The original authenticator or the original serving access network gateway sends an SA request message to the original base station, indicating the identifier of the mobile terminal.
  • Step 58 The original base station reports the SA message of the mobile terminal to the original authenticator or the original serving access network gateway according to the request; the identifier of the mobile terminal is indicated in the message.
  • Step 59 The original authenticator or the original serving access network gateway reports the security association message of the mobile terminal to the target authenticator or access network gateway; the message includes the mobile terminal identifier (MSS ID) and the corresponding security association list.
  • Step 510 The target authenticator or access network gateway sends the security association message of the mobile terminal to the target base station; the message includes the identity of the mobile terminal (MSS ID) and the corresponding security association list.
  • Step 511 After receiving the security association list sent by the target authenticator or access network gateway, the target base station first allocates a new security association identifier (SAID) to each SA in the security association list, replacing the old SAID.
  • Step 512 The Ranging process starts, in which the target base station sends all the updated SAIDs associated with the MSS to the MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.
  • Step 513 The session continues.
  • Alternatively, after step 54 is performed, step 55 is performed only once the target base station has received the Ranging Request message sent by the mobile terminal; in that case, once the target base station has received the security association list, it sends a Ranging Response message to the mobile terminal in place of the Ranging process of step 512.
  • the present invention also provides a device for obtaining a security association in a handover process of a mobile terminal that implements the foregoing method, as shown in FIG. 6, including a security association acquisition module and a security association transmission module, where:
  • Security association acquisition module obtaining a security association of the mobile terminal from the original base station
  • the security association information obtaining module receives the security association information of the mobile terminal sent by the security association information sending module of the original serving base station of the mobile terminal, and the security alliance information sending module is configured to be used in the original service of the mobile terminal.
  • the base station is responsible for providing the security association information to the target base station, that is, the corresponding security association list of the mobile terminal.
  • the security association transmission module transmitting the security association of the mobile terminal acquired by the security association acquisition module to the target base station;
  • the security association information transmission module sends the corresponding security association information to the security association information receiving module set in the target base station, and the security association information receiving module receives the security association information of the mobile terminal in the target base station.
  • the security association obtaining module is configured on a original authenticator or an original serving access network gateway of the mobile terminal in the communication system, or a target authenticator or an access network gateway; the security alliance transmission module The original authenticator or the original serving access network gateway and/or the target authenticator or the access network gateway to which the original base station belongs to the mobile terminal set in the communication system.
  • the device according to the present invention may be specifically configured in an authenticator or an access network gateway, where the access network gateway includes: a primary service access network gateway, a target access network gateway, and an authentication Access network gateway where the device is located and ' And the access network gateway where the foreign agent is located; the authenticator includes: the original authenticator to which the original base station of the mobile terminal belongs and/or the target authenticator to which the target base station belongs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method and device for obtaining security association (SA) information during the handover procedure of a mobile terminal enable the target base station to use the same SA list, recording the SA information, as the one used by the original base station after the mobile terminal has handed over between base stations. That is, during the handover procedure of the mobile terminal, the target base station obtains the same SA list as the one used between the mobile terminal and the original base station, and uses it as the SA list between the mobile terminal and the target base station. A feasible implementation for obtaining the SA list during the handover procedure of the mobile terminal is thereby provided.

Description

Method and device for obtaining security association information during a mobile terminal handover procedure

Technical field

The present invention relates to the field of communications technology, and in particular to a method and device for obtaining security association information or a user-plane communication encryption key during handover of a mobile terminal.

Background of the invention

In a mobile communication system, the mobility of a mobile terminal means that it frequently hands over from one base station to another. After the mobile terminal has handed over to another base station, in order to reduce the delay of communication between the mobile terminal and the new base station, the new base station needs to obtain some of the security parameter information that the mobile terminal needed in order to carry out communication services on the original serving base station, including the security association information.

In IEEE 802.16, the security association information is the security association context information. The content of the SA (Security Association) context, in particular the TEK (Traffic Encryption Key), is used for encrypting user-plane and/or network-management data between the MSS (Mobile Subscriber Station, i.e. the mobile terminal) and the BS (Base Station).

It should be noted that the SA is in fact everything contained in the SA context: the SAID (Security Association Identifier), the SA Type, the SA Service Type, the Cryptographic Suite and the parameters of the TEK (Traffic Encryption Key) pair. The cryptographic suite comprises the data encryption algorithm and mode, the data authentication algorithm and mode, and the TEK encryption algorithm and mode. The parameters of the TEK pair comprise: the TEK, the KEY-Lifetime (remaining lifetime of the TEK), the Key-Sequence-Number (TEK sequence number), the CBC-IV (initialization vector of the TEK in CBC mode), the PN (transmitted packet number), the RxPN (received packet number) and the Associated GKEK Sequence Number (sequence number of the group key encryption key used for multicast).

In a WiMAX (Worldwide Interoperability for Microwave Access) network, security associations such as the encryption keys of a base station can be obtained by relay through an Authenticator or an access service network gateway (ASN-GW). The authenticator or access network gateway may reside on a physical network element different from that of the BS, and there may be multiple BSs under one authenticator or access network gateway; that is, the authenticator or access network gateway is not located on the same physical network element as the BS. For example, in the WiMAX network working group, as shown in FIG. 1, although the authenticator or access network gateway and the BS are both inside one ASN (Access Service Network), they may not be on the same physical network element.

In the above situation, the problem to be faced is: after an MSS hands over between different BSs, how does it obtain, through the authenticator or access network gateway, the security association information, such as the communication encryption key and the encryption algorithm and mode, needed for communication with the target base station? At present there is no method that solves this problem.

Summary of the invention

The object of the present invention is to provide a method and device for obtaining security association information during a mobile terminal handover procedure, so that in a communication system the SA context list (i.e. the security association information) held on the original BS can be carried over and continue to be used.

The object of the invention is achieved by the following technical solutions:

The present invention provides a method for obtaining security association information during a mobile terminal handover procedure, comprising: during the handover of a mobile terminal in a communication system, the target base station obtains the same security association information as that between the mobile terminal and the original base station, and uses it as the security association information between the target base station and the mobile terminal.

The security association information comprises the security association, the negotiated encryption algorithm and mode, and/or the communication encryption key and its parameter information.

In the present invention, when the mobile terminal hands over between base stations within the range of the same authenticator or access network gateway in the communication system, and the original base station has already proactively reported the security association information to the authenticator or access network gateway, the method comprises:

the authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or,

the target base station requests the security association information of the mobile terminal from the authenticator or access network gateway; the authenticator or access network gateway obtains the required security association information from the original base station and then, in accordance with the request, delivers the security association information to the target base station.

The original base station reports the security association information of the mobile terminal to the authenticator or access network gateway in a handover request/indication message.

In the present invention, when the mobile terminal hands over between base stations within the range of the same authenticator or access network gateway, and the original base station reports the security association information to the authenticator or access network gateway passively, the method comprises:

A. The authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the authenticator or access network gateway in accordance with the request;

B. The authenticator or access network gateway directly delivers the security association information of the mobile terminal to the target base station; or,

C. The authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the authenticator or access network gateway in accordance with the request;

D. The target base station requests the security association information of the mobile terminal from the authenticator or access network gateway, and the authenticator or access network gateway delivers the security association information to the target base station in accordance with the request.

In the present invention, when the mobile terminal hands over between base stations within the range of different authenticators or access networks in the communication system, and the original base station has already proactively reported the security association information to the original authenticator or original serving access network gateway, the method comprises:

E. The target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or original serving access network gateway and then requests the security association information of the mobile terminal from the original authenticator or access network gateway; the original authenticator or original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;

F. The target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or,

G. The target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or access network gateway and then requests the security association information of the mobile terminal from the original authenticator or access network gateway; the original authenticator or original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;

H. The target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, and the target authenticator or access network gateway delivers the security association information to the target base station in accordance with the request.

In the present invention, when the mobile terminal hands over between base stations within the range of different authenticators or access networks in the communication system, and the original base station reports the security association information passively to the original authenticator or original serving access network gateway, the method comprises:

I. The target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or original serving access network gateway and then requests the security association information of the mobile terminal from the original authenticator or original serving access network gateway;

J. The original authenticator or original serving access network gateway requests the security association information of the mobile terminal from the original base station; the original base station reports the security association information of the mobile terminal to the original authenticator or original serving access network gateway in accordance with the request;

K. The original authenticator or original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;

L. The target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or,

M. The target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or original serving access network gateway and then requests the security association information of the mobile terminal from the original authenticator or original serving access network gateway;

N. The original authenticator or original serving access network gateway requests the security association information of the mobile terminal from the original base station; the original base station reports the security association information of the mobile terminal to the original authenticator or original serving access network gateway in accordance with the request;

O. The original authenticator or original serving access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;

P. The target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, and the target authenticator or access network gateway delivers the security association information to the target base station in accordance with the request.

The method of the present invention further comprises:

the target base station obtains the security association information from the handover preparation/confirmation message, or initiates the request for obtaining the security association information of the mobile terminal when triggered by the parameter and power adjustment (Ranging) request message sent by the terminal.

The mobile communication system comprises a Worldwide Interoperability for Microwave Access (WiMAX) system, and in that system the security association information comprises: a security association identifier, a security association type, a security association service type, a cryptographic suite and/or communication encryption key pair information. The cryptographic suite comprises the data encryption algorithm and mode, the data authentication algorithm and mode, and/or the communication encryption key encryption algorithm and mode. The communication encryption key pair information comprises the communication encryption key, the remaining lifetime of the communication encryption key, the communication encryption key sequence number, the communication encryption key, the initialization vector of the communication encryption key in CBC mode, the packet sequence number, the received packet number, and/or the multicast key encryption key sequence number used for multicast.

The present invention also provides a device for obtaining security association information during a mobile terminal handover procedure that implements the above method, comprising:

a security association list sending module, responsible for providing the security association list to the target base station;

a security association information obtaining module, which obtains the security association information of the mobile terminal from the original base station;

a security association information transmission module, which transmits the security association information of the mobile terminal obtained by the security association information obtaining module to the target base station.

The security association list sending module is arranged on the original serving base station; the security association information obtaining module is arranged on the target base station and/or on the authenticator or access network gateway; the security association information transmission module is arranged on the authenticator or access network gateway.

The authenticator or access network gateway comprises the original authenticator or original serving access network gateway to which the original base station of the mobile terminal belongs and/or the target authenticator or access network gateway to which the target base station belongs.

As can be seen from the technical solution provided above, the present invention proposes a method for obtaining security association information during a mobile terminal handover procedure, so that after the mobile terminal has handed over between base stations, the target base station can still use the same security association list as the original base station. That is, during the handover of the mobile terminal, the target base station obtains the same security association list as that between the mobile terminal and the original base station and uses it as the security association between the target base station and the mobile terminal, and a corresponding implementation procedure is provided. The present invention therefore provides a feasible implementation for obtaining the security association during a mobile terminal handover procedure.

Brief description of the drawings

FIG. 1 is a schematic diagram of the network structure of a WiMAX system;

FIG. 2 is flowchart 1 of the method according to the present invention;

FIG. 3 is flowchart 2 of the method according to the present invention;

FIG. 4 is flowchart 3 of the method according to the present invention;

FIG. 5 is flowchart 4 of the method according to the present invention;

FIG. 6 is a schematic structural diagram of the device according to the present invention.

Mode for carrying out the invention

The core of the present invention is a method for obtaining the security association during a mobile terminal handover procedure, so that after the mobile terminal has handed over between base stations, the target base station still uses the same security association as the original base station. That is, during the handover of the mobile terminal, the target base station obtains the same security association as that between the mobile terminal and the original base station and uses it as the security association between the target base station and the mobile terminal. The security association referred to here comprises the security association information and/or the communication encryption key mentioned above.

The handover of a mobile terminal between base stations in a communication system generally falls into the following two main cases:

1. the mobile terminal hands over between BSs within the range of the same authenticator or access network in the communication system;

2. the mobile terminal hands over between BSs within the range of different authenticators or access networks in the communication system.

When the authenticator or access network gateway obtains the security association of the mobile terminal held on the original base station, there are two main forms of implementation:

1. the original base station proactively reports the security association of the mobile terminal to the authenticator or access network gateway;

2. after receiving a report request message from the authenticator or access network gateway, the original base station passively reports the security association of the mobile terminal to the authenticator or access network gateway.

In the present invention, the access network gateway includes, but is not limited to, the original serving access network gateway, the target access network gateway, the access network gateway where the authenticator is located and/or the access network gateway where the foreign agent is located, and so on.

The above cases give four combinations, which are described in detail below as four specific embodiments, together with the handover request and the normal processing after the handover.

Embodiment 1

As shown in FIG. 2, when the mobile terminal hands over between BSs within the range of the same authenticator or access network in the communication system, and the original base station has already proactively reported the security association to the corresponding authenticator or access network gateway, the method of the present invention comprises the following steps:

步骤 21、 移动终端向原基站发送切换请求 /指示消息。 ·  Step 21: The mobile terminal sends a handover request/instruction message to the original base station. ·

步骤 22、 原基站向鉴权器或接入网网关发送切换请求 /指示消息, 在消息中要包含 移动终端标识 (MSS) , 目标基站标识符 (T- BSID) 和与此移动终端相关的所有的安全 联盟的列表, 其中包含着移动终端的安全联盟信息, 通过该步骤可以将基站中的安全联 盟上报给鉴权器或接入网网关。  Step 22: The original base station sends a handover request/indication message to the authenticator or the access network gateway, where the message includes a mobile terminal identity (MSS), a target base station identifier (T-BSID), and all related to the mobile terminal. A list of security associations, including the security association information of the mobile terminal, by which the security association in the base station can be reported to the authenticator or the access network gateway.

步骤 23、鉴权器或接入网网关和目标基站之间进行切换准备消息的交互, 从而做一 些切换时的准备工作。  Step 23: Perform an exchange preparation message exchange between the authenticator or the access network gateway and the target base station, so as to prepare for some handover.

步骤 24、切换准备工作完成后, 所述鉴权器或接入网网关需要给服务基站(即原基 站) 回复一个响应消息。  Step 24: After the handover preparation is completed, the authenticator or the access network gateway needs to reply a response message to the serving base station (ie, the original base station).

步骤 25、切换准备工作完成后, 目标基站则需要向鉴权器或接入网网关发送请求该 移动终端安全联盟的消息, 所述的消息中需要包含移动终端的标识 (即 MSSID) 。  Step 25: After the handover preparation is completed, the target base station needs to send a message requesting the mobile terminal security association to the authenticator or the access network gateway, where the message needs to include the identifier of the mobile terminal (ie, MSSID).

这一步骤不是本发明实现过程中必须的,具体可以经目标基站向鉴权器或接入网网 关请求后再下发该移动终端的安全联盟信息;也可以不经目标基站向鉴 器或接入网网 关请求, 直接下发该移动终端的安全联盟信息, 当选择第二种实现方案时, 则该步骤可 以省去。  This step is not required in the implementation process of the present invention. Specifically, the security base station information of the mobile terminal may be sent after the target base station requests the authenticator or the access network gateway, or may be connected to the authenticator without the target base station. The access gateway requests the security association information of the mobile terminal directly. When the second implementation scheme is selected, the step can be omitted.

步骤 26、鉴权器或接入网网关根据请求将所述安全联盟信息下发给目标基站, 消息 中要包含移动终端的标识 (MSS) 和相应的安全联盟列表。  Step 26: The authenticator or the access network gateway sends the security association information to the target base station according to the request, and the message includes a mobile terminal identifier (MSS) and a corresponding security association list.

步骤 27、 目标基站收到从鉴权器或接入网网关上发过来的安全联盟列表之后, 首先 给安全联盟列表中的 SA分配新的安全联盟标识符 (SAID) , 以替换掉旧的 SAID。  Step 27: After receiving the SA list sent from the authenticator or the access network gateway, the target base station first allocates a new SA identity (SAID) to the SA in the SA list to replace the old SAID. .

步骤 28、 之后, 便开始相应的 Ranging (参数和功率调节) 过程。 在这个过程中, 目标基站将把所有的与某个 MSS相关联的更新的 SAID更新到 MSS, 使得 MSS侧的 SAID和目 标基站上的保持一致。  After step 28, the corresponding Ranging (parameter and power adjustment) process begins. In this process, the target base station will update all updated SAIDs associated with an MSS to the MSS so that the SAID on the MSS side is consistent with that on the target base station.

Step 29: The session continues with the subsequent session procedure.

In the above procedure, step 25 may alternatively be executed after step 24, once the target base station has received a Ranging Request message (a request for adjusting uplink and downlink parameters and power) from the mobile terminal; in that case, in the subsequent step 28, the target base station instead sends a Ranging Response message to the mobile terminal.

Embodiment 2

As shown in FIG. 3, when the mobile terminal hands over between BSs within the range belonging to the same authenticator or access network in the communication system, and the original base station reports the security association of the mobile terminal passively, that is, only after receiving a report request from the authenticator or access network gateway, the method includes:

Step 31: The mobile terminal sends a handover request/indication message to the original base station.

Step 32: The original base station sends a handover request/indication message to the authenticator or access network gateway; the message carries the mobile terminal identifier (MSS) and the target base station identifier (T-BSID).

Step 33: The authenticator or access network gateway and the target base station carry out the handover preparation work.

Step 34: The authenticator or access network gateway replies to the serving base station with a response message.

Step 35: The target base station sends a message to the authenticator or access network gateway requesting the security association of the mobile terminal; the message carries the identifier of the mobile terminal (MSS).

Likewise, this step is not mandatory. The target base station may first send its request to the authenticator or access network gateway, after which the security association of the mobile terminal is requested from the original base station; alternatively, the security association of the mobile terminal may be requested from the original base station directly, without any request from the target base station to the authenticator or access network gateway. When the second scheme is chosen, this step can be omitted.

Step 36: The authenticator or access network gateway sends a security association request message to the original base station; the message specifies the identifier of the mobile terminal so that the corresponding security association information can be retrieved.

Step 37: In response to the request, the original base station reports the security association message of the mobile terminal to the authenticator or access network gateway; this message likewise specifies the identifier of the mobile terminal.

Step 38: In response to the request, the authenticator or access network gateway delivers the security association message to the target base station; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list, which records the security association information of the mobile terminal.

Step 39: After receiving the security association list from the authenticator or access network gateway, the target base station first assigns a new security association identifier (SAID) to each SA in the list, replacing the old SAID.

Step 310: The Ranging procedure begins. During this procedure the target base station pushes all updated SAIDs associated with a given MSS to that MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.

Step 311: The subsequent session procedure continues.

Likewise, in the above procedure, step 35 may be executed after step 34, once the target base station has received the Ranging Request message from the mobile terminal; in that case, in the subsequent step 38, the target base station instead sends a Ranging Response message to the mobile terminal.

Embodiment 3

As shown in FIG. 4, when the mobile terminal hands over between BSs within the ranges belonging to different authenticators or access networks in the communication system, and the original base station has already actively reported the security association to the authenticator or access network gateway, the method of the present invention includes the following steps:

Step 41: The mobile terminal sends a handover request/indication message to the original base station.

Step 42: The original base station sends a handover request/indication message to the authenticator or access network gateway; the message carries the mobile terminal identifier (MSS), the target base station identifier (T-BSID) and a list of all security associations related to this mobile terminal, so that the security association information is reported.

Step 43: The original authenticator or original serving access network gateway and the target base station carry out the handover preparation work.

Step 44: The original authenticator or original serving access network gateway replies to the serving base station with a response message.

Step 45: The target base station sends a message to the target authenticator or access network gateway requesting the security association of the mobile terminal; the message carries the identifier of the mobile terminal (MSS).

This request message may need to pass through a network entity in the target network, such as a network management device, which locates the corresponding original authenticator according to the record information it holds.

Likewise, this step may be performed by having the target base station send a request to the target authenticator or access network gateway, after which the target authenticator or access network gateway asks the original authenticator or original serving access network gateway to deliver the security association of the mobile terminal; alternatively, without any request from the target base station to the target authenticator or access network gateway, the target authenticator or access network gateway asks the original authenticator or original serving access network gateway to deliver the security association of the mobile terminal. When the second scheme is chosen, this step can be omitted.

Step 46: In response to the request, the target authenticator or access network gateway sends the security association request message to the original authenticator or original serving access network gateway; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list, so as to request the corresponding security association information from the original authenticator or original serving access network gateway.

Step 47: After receiving the request message, the original authenticator or original serving access network gateway reports the security association message of the mobile terminal to the target authenticator or access network gateway; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list, which records the security association information of the mobile terminal.

Step 48: The target authenticator or access network gateway delivers the security association message of the mobile terminal to the target base station; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list.

Step 49: After receiving the security association list from the target authenticator or access network gateway, the target base station first assigns a new security association identifier (SAID) to each SA in the list, replacing the old SAID.

Step 410: The Ranging procedure then begins. During this procedure the target base station pushes all updated SAIDs associated with a given MSS to that MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.

Step 411: The session continues.

Likewise, in the above procedure, step 45 may be executed after step 44, once the target base station has received the Ranging Request message from the mobile terminal; in that case, in the subsequent step 48, the target base station instead sends a Ranging Response message to the mobile terminal.

Embodiment 4

As shown in FIG. 5, when the mobile terminal hands over within the ranges belonging to different authenticators or access networks in the communication system, and the original base station reports the security association of the mobile terminal passively, that is, only after receiving a report request from the authenticator or access network gateway, the method includes:

Step 51: The mobile terminal sends a handover request/indication message to the original base station.

Step 52: The original base station sends a handover request/indication message to the authenticator or access network gateway; the message carries the mobile terminal identifier (MSS), the target base station identifier (T-BSID) and a list of all security associations related to this mobile terminal, so as to actively report the corresponding security association information to the authenticator or access network gateway.

Step 53: The authenticator or access network gateway and the target base station carry out the handover preparation work.

Step 54: The authenticator or access network gateway replies to the serving base station with a response message.

Step 55: The target base station sends a message to the target authenticator or access network gateway requesting the security association of the mobile terminal; the message carries the identifier of the mobile terminal (MSS).

Likewise, this request message may need to pass through a network entity in the target network, such as a network management device, which locates the corresponding original authenticator according to the record information it holds.

Step 55 is optional. The target base station may first send a request to the target authenticator or access network gateway, after which the target authenticator or access network gateway asks the original authenticator or original serving access network gateway to deliver the security association of the mobile terminal; alternatively, without any request from the target base station to the target authenticator or access network gateway, the target authenticator or access network gateway asks the original authenticator or original serving access network gateway to deliver the security association of the mobile terminal. When the second scheme is chosen, this step can be omitted.

Step 56: In response to the request, the target authenticator or access network gateway sends the security association request message to the original authenticator or original serving access network gateway; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list.

Step 57: The original authenticator or original serving access network gateway sends a security association request message to the original base station; the message specifies the identifier of the mobile terminal.

Step 58: In response to the request, the original base station reports the security association message of the mobile terminal to the original authenticator or original serving access network gateway; the message specifies the identifier of the mobile terminal.

Step 59: The original authenticator or original serving access network gateway reports the security association message of the mobile terminal to the target authenticator or access network gateway; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list.

Step 510: The target authenticator or access network gateway delivers the security association message of the mobile terminal to the target base station; the message carries the identifier of the mobile terminal (MSS) and the corresponding security association list.

Step 511: After receiving the security association list from the authenticator or access network gateway, the target base station first assigns a new security association identifier (SAID) to each SA in the list, replacing the old SAID.

Step 512: The Ranging procedure then begins. During this procedure the target base station pushes all updated SAIDs associated with a given MSS to that MSS, so that the SAIDs on the MSS side are consistent with those on the target base station.

Step 513: The session continues.

Likewise, in the above procedure, step 55 may be executed after step 54, once the target base station has received the Ranging Request message from the mobile terminal; in that case, in the subsequent step 58, the target base station instead sends a Ranging Response message to the mobile terminal.

The present invention also provides a device for obtaining the security association during mobile terminal handover that implements the above method. As shown in FIG. 6, it includes a security association acquisition module and a security association transmission module, where:

Security association acquisition module: obtains the security association of the mobile terminal from the original base station.

The security association information acquisition module receives the security association information of the mobile terminal sent by a security association information sending module provided on the original serving base station of the mobile terminal. The security association information sending module is provided in the original serving base station of the mobile terminal and is responsible for providing the security association information, that is, the security association list corresponding to the mobile terminal, to the target base station.

Security association transmission module: transmits the security association of the mobile terminal obtained by the security association acquisition module to the target base station.

The security association information transmission module sends the corresponding security association information to a security association information receiving module provided in the target base station; in the target base station, the security association information of the mobile terminal is obtained through this receiving module.

The security association acquisition module is provided on the original authenticator or original serving access network gateway of the mobile terminal in the communication system, or on the target authenticator or access network gateway; the security association transmission module is provided on the original authenticator or original serving access network gateway to which the original base station of the mobile terminal belongs and/or on the target authenticator or access network gateway to which the target base station belongs.

That is, the device of the present invention may be provided in an authenticator or an access network gateway, where the access network gateway includes the original serving access network gateway, the target access network gateway, the access network gateway where the authenticator is located and/or the access network gateway where the foreign agent is located, and the authenticator includes the original authenticator to which the original base station of the mobile terminal belongs and/or the target authenticator to which the target base station belongs.
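As an added illustration that is not part of the patent, the following Python simulation walks through the flow of the four embodiments and the device above: the original base station reports the SA list (actively with the handover request, or passively on demand), the authenticator or access network gateway relays it (across two authenticators in embodiments 3 and 4), and the target base station assigns fresh SAIDs and pushes them to the MSS during Ranging. The entity classes, SA fields and the "MSS-1"/"BS-A" sample values are my own constructions; the consistency check at the end shows why step 27 must reassign SAIDs rather than reuse the ones from the original base station.

```python
# Added example, not part of the patent: a small simulation of the handover
# flow above. Entity names, SA fields and sample values are my own assumptions.
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class SecurityAssociation:
    """One entry of an SA list, using the fields named in claim 10."""
    said: int            # security association identifier
    sa_type: str         # e.g. "primary" / "static"
    service_type: str    # e.g. "unicast" / "multicast"
    crypto_suite: str    # data encryption / data auth / key encryption
    tek_seq: int         # communication encryption key sequence number
    tek_lifetime: int    # remaining key lifetime in seconds


class BaseStation:
    def __init__(self, bsid, first_said):
        self.bsid = bsid
        self._saids = itertools.count(first_said)   # SAID pool of this BS
        self.sa_table = {}                          # mss_id -> [SA, ...]

    def report_sa_list(self, mss_id):
        """Original BS: steps 22/42 (active) or 37/58 (on request)."""
        return list(self.sa_table.get(mss_id, []))

    def install_sa_list(self, mss_id, sa_list):
        """Target BS: steps 27/39/49/511, allocate new SAIDs, keep keys."""
        new_list = [replace(sa, said=next(self._saids)) for sa in sa_list]
        self.sa_table[mss_id] = new_list
        return new_list


class Authenticator:
    """Authenticator / access network gateway holding reported SA lists."""
    def __init__(self, name):
        self.name = name
        self.sa_cache = {}

    def handover_request(self, mss_id, t_bsid, sa_list=None):
        """Steps 22/32/42/52: sa_list is present only for an active report."""
        if sa_list is not None:
            self.sa_cache[mss_id] = list(sa_list)

    def get_sa_list(self, mss_id, original_bs):
        """Steps 26/36-38: use the reported list or pull it from the original BS."""
        if mss_id not in self.sa_cache:
            self.sa_cache[mss_id] = original_bs.report_sa_list(mss_id)
        return list(self.sa_cache[mss_id])


@dataclass
class MobileTerminal:
    mss_id: str
    sa_list: list

    def ranging_response(self, new_list):
        """Steps 28/310/410/512: adopt the SAIDs allocated by the target BS."""
        self.sa_list = list(new_list)


def handover(mss, original_bs, original_auth, target_bs, target_auth, active):
    """Run one handover; return the SA list installed on the target BS."""
    reported = original_bs.report_sa_list(mss.mss_id) if active else None
    original_auth.handover_request(mss.mss_id, target_bs.bsid, reported)
    if target_auth is not original_auth:   # embodiments 3/4: steps 46-47, 56-59
        target_auth.sa_cache[mss.mss_id] = original_auth.get_sa_list(
            mss.mss_id, original_bs)
    sa_list = target_auth.get_sa_list(mss.mss_id, original_bs)
    new_list = target_bs.install_sa_list(mss.mss_id, sa_list)
    mss.ranging_response(new_list)
    return new_list


def sa_state_consistent(mss, target_bs, original_bs):
    """MSS and target BS agree on SAIDs, key material is unchanged from the
    original BS, and no SAID is used twice on the target BS."""
    new = target_bs.sa_table.get(mss.mss_id, [])
    old = original_bs.sa_table.get(mss.mss_id, [])
    if [sa.said for sa in mss.sa_list] != [sa.said for sa in new]:
        return False
    if [replace(sa, said=0) for sa in new] != [replace(sa, said=0) for sa in old]:
        return False
    in_use = [sa.said for lst in target_bs.sa_table.values() for sa in lst]
    return len(in_use) == len(set(in_use))


def build_demo(active, cross_authenticator):
    """Constructed scenario: MSS-1 with two SAs hands over from BS-A to BS-B."""
    orig_bs = BaseStation("BS-A", first_said=0x10)
    tgt_bs = BaseStation("BS-B", first_said=0x10)   # same SAID pool as BS-A
    auth_a = Authenticator("ASN-GW-A")
    auth_b = Authenticator("ASN-GW-B") if cross_authenticator else auth_a
    suite = "AES-CCM/HMAC-SHA1/AES-KeyWrap"          # constructed label
    sas = [SecurityAssociation(0x10, "primary", "unicast", suite, 3, 3600),
           SecurityAssociation(0x11, "static", "multicast", suite, 1, 600)]
    orig_bs.sa_table["MSS-1"] = sas
    mss = MobileTerminal("MSS-1", list(sas))
    # MSS-0 is already served by BS-B and occupies SAIDs 0x10/0x11, which is
    # exactly why the target BS must allocate new SAIDs in step 27.
    tgt_bs.install_sa_list("MSS-0", [replace(sa, said=0) for sa in sas])
    handover(mss, orig_bs, auth_a, tgt_bs, auth_b, active)
    return mss, tgt_bs, orig_bs
```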

The above is only a preferred embodiment of the present invention; the scope of protection of the present invention is not limited thereto, and any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims

1. A method for obtaining security association information during mobile terminal handover, characterized in that it includes: during the handover of a mobile terminal in a communication system, the target base station obtains the same security association information that the mobile terminal has with the original base station, as the security association information between the target base station and the mobile terminal.

2. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that the security association information includes the security association, the negotiated encryption algorithm and mode, and/or the communication encryption key and parameter information.

3. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that, when the mobile terminal hands over between base stations within the range belonging to the same authenticator or access network gateway in the communication system, and the original base station has already actively reported the security association information to the authenticator or access network gateway, the method includes:
the authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station; or,
the target base station requests the security association information of the mobile terminal from the authenticator or access network gateway, and the authenticator or access network gateway delivers the security association information to the target base station according to the request.

4. The method for obtaining security association information during mobile terminal handover according to claim 3, characterized in that the original base station sends the security association information of the mobile terminal to the target base station via the handover request/indication information.

5. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that the method further includes:
for a normal handover procedure, the original serving base station actively sends the security association information corresponding to the mobile terminal to the target base station, the security association information being sent to the target base station directly or relayed through the authenticator or access network gateway;
or,
for an abnormal handover procedure, the target base station requests the security association information of the mobile terminal from the original serving base station, and the original serving base station sends the corresponding security association information to the target base station according to the request, the security association information being sent to the target base station directly or relayed through the authenticator or access network gateway.

6. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that, when the mobile terminal hands over between base stations within the range belonging to the same authenticator or access network gateway, and the original base station reports the security association information to the authenticator or access network gateway passively, the method includes:
A. the authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the authenticator or access network gateway according to the request;
B. the authenticator or access network gateway directly delivers the security association information of the mobile terminal to the target base station;
or,
C. the authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the authenticator or access network gateway according to the request;
D. the target base station requests the security association information of the mobile terminal from the authenticator or access network gateway, and the authenticator or access network gateway delivers the security association information to the target base station according to the request.

7. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that, when the mobile terminal hands over between base stations within the ranges belonging to different authenticators or access network gateways in the communication system, and the original base station has already actively reported the security association information to the authenticator or access network gateway, the method includes:
E. the target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or access network gateway and then requests the security association information of the mobile terminal from it, and the original authenticator or access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
F. the target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station;
or,
G. the target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or access network gateway and then requests the security association information of the mobile terminal from it, and the original authenticator or access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
H. the target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, and the target authenticator or access network gateway delivers the security association information to the target base station according to the request.

8. The method for obtaining security association information during mobile terminal handover according to claim 1, characterized in that, when the mobile terminal hands over between base stations within the ranges belonging to different authenticators or access network gateways in the communication system, and the original base station reports the security association information to the authenticator or access network gateway passively, the method includes:
I. the target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or access network gateway and then requests the security association information of the mobile terminal from it;
J. the original authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the original authenticator or access network gateway according to the request;
K. the original authenticator or access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
L. the target authenticator or access network gateway directly delivers the security association information corresponding to the mobile terminal to the target base station;
or,
M. the target authenticator or access network gateway, directly or via a network entity in the target network, identifies the original authenticator or access network gateway and then requests the security association information of the mobile terminal from it;
N. the original authenticator or access network gateway requests the security association information of the mobile terminal from the original base station, and the original base station reports the security association information of the mobile terminal to the original authenticator or access network gateway according to the request;
O. the original authenticator or access network gateway reports the security association information of the mobile terminal to the target authenticator or access network gateway;
P. the target base station requests the security association information of the mobile terminal from the target authenticator or access network gateway, and the target authenticator or access network gateway delivers the security association information to the target base station according to the request.

9. The method for obtaining security association information during mobile terminal handover according to any one of claims 1 to 8, characterized in that the method further includes:
the target base station initiates the request to obtain the security association information of the mobile terminal when triggered by the handover preparation message sent by the authenticator or access network gateway, or by the parameter and power adjustment request message sent by the authenticator or access network gateway.

10. The method for obtaining security association information during mobile terminal handover according to any one of claims 1 to 8, characterized in that the mobile communication system includes a Worldwide Interoperability for Microwave Access (WiMAX) system, and in that system the security association information includes:
a security association identifier, a security association type, a security association service type, a cryptographic suite and/or communication encryption key pair information, where the cryptographic suite includes the data encryption algorithm and mode, the data authentication algorithm and mode and/or the communication encryption key encryption algorithm and mode, and the communication encryption key pair information includes the communication encryption key, the remaining lifetime of the communication encryption key, the communication encryption key sequence number, the communication encryption key, the initialization vector of the communication encryption key in CBC mode, the packet sequence number, the received packet number and/or the group key encryption key sequence number under multicast.

11. The method for obtaining security association information during mobile terminal handover according to any one of claims 1 to 8, characterized in that the access network gateway includes:
the original serving access network gateway, the target access network gateway, the access network gateway where the authenticator is located and/or the access network gateway where the foreign agent is located.

12. A device for obtaining security association information during mobile terminal handover, characterized in that it includes:
a security association information acquisition module, which obtains the security association information of the mobile terminal from the original base station;
a security association information transmission module, which transmits the security association information of the mobile terminal obtained by the security association information acquisition module to the target base station.

13. The device for obtaining security association information during mobile terminal handover according to claim 12, characterized in that the device is provided on an authenticator or an access network gateway.

14. The device for obtaining security association information during mobile terminal handover according to claim 13, characterized in that:
the access network gateway includes the original serving access network gateway, the target access network gateway, the access network gateway where the authenticator is located and/or the access network gateway where the foreign agent is located;
the authenticator includes the original authenticator to which the original base station of the mobile terminal belongs and/or the target authenticator to which the target base station belongs.
15、根据权利要求 12所述的移动终端切换过程中获得安全联盟信息的装置, 其特征 在于,所述的安全联盟信息获取模块接收设置于移动终端的原服务基站上的安全联盟信 息发送模块发来的移动终端的安全联盟信息。  The apparatus for obtaining the security association information in the handover process of the mobile terminal according to claim 12, wherein the security association information acquisition module receives the security association information sending module set on the original serving base station of the mobile terminal. Security alliance information from the mobile terminal. 16、根据权利要求 12所述的移动终端切换过程中获得安全联盟信息的装置,其特征 在于,所述的安全联盟信息传输模块将相应的安全联盟信息发送给目标基站中设置的安 全联盟信息接收模块, 在目标基站中, 通过所述的安全联盟信息接收模块接收获得移动 终端的安全联盟信息。  The apparatus for obtaining the security association information in the handover process of the mobile terminal according to claim 12, wherein the security association information transmission module sends the corresponding security association information to the security alliance information received in the target base station. The module, in the target base station, receives the security association information of the mobile terminal by using the security association information receiving module.
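The following Python model, added here as an illustration and not code from the patent or from any Huawei product, walks through the transfer the claims describe: the security association (SA) record of claim 10 is held by the original base station, fetched by the original authenticator or access network gateway (claim 15, steps J/N), reported to the target authenticator (steps K/O), and delivered to the target base station either pushed (step L) or pulled on the target base station's own request (step P, triggered as in claim 9). The entity and field names, the sample SA values and the remaining-lifetime filter are assumptions made for this example; the filter is the check a practitioner would add so that a key whose lifetime is already exhausted is never moved to the new cell, and the original base station only ever reports the one terminal's SAs, never its whole table.

```python
"""SA context transfer during handover, modelled on claims 8-10 and 12-16.
Entity names, field layout, sample values and the lifetime filter are illustrative
assumptions added for this example, not the patent's own."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class TekContext:
    """Traffic encryption key (TEK) pair information enumerated in claim 10."""
    tek: bytes                    # traffic encryption key
    remaining_lifetime_s: int     # remaining lifetime of the TEK, seconds
    key_sequence_number: int      # TEK sequence number
    cbc_iv: bytes                 # initialisation vector of the TEK in CBC mode
    packet_number: int            # packet number (transmit side)
    rx_packet_number: int         # received packet number
    gkek_sequence_number: Optional[int] = None   # group KEK sequence number, multicast only


@dataclass(frozen=True)
class SecurityAssociation:
    """One SA record as enumerated in claim 10."""
    said: int                                  # security association identifier
    sa_type: str                               # e.g. primary / static / dynamic
    sa_service_type: str                       # e.g. unicast / multicast
    cryptographic_suite: tuple[str, str, str]  # data enc, data auth, TEK enc (alg+mode)
    teks: tuple[TekContext, ...]


def live_teks(sa: SecurityAssociation) -> SecurityAssociation:
    """Added caveat, not a claimed step: drop TEKs whose lifetime is exhausted so
    the target BS never inherits a key it could keep using past expiry."""
    return replace(sa, teks=tuple(t for t in sa.teks if t.remaining_lifetime_s > 0))


class BaseStation:
    """Per-terminal SA store; the same class acts as original or target BS."""
    def __init__(self, bs_id: str) -> None:
        self.bs_id = bs_id
        self.sa_by_ms: dict[str, tuple[SecurityAssociation, ...]] = {}

    def report_sa_info(self, ms_id: str) -> tuple[SecurityAssociation, ...]:
        """Steps J/N: report only the requested terminal's SAs, never the whole table."""
        return self.sa_by_ms[ms_id]

    def receive_sa_info(self, ms_id: str, sas: tuple[SecurityAssociation, ...]) -> None:
        """Claim 16: SA information receiving module on the target BS."""
        if not sas or any(not sa.teks for sa in sas):
            raise ValueError(f"no usable SA context for {ms_id}")
        self.sa_by_ms[ms_id] = sas

    def request_sa_info(self, ms_id: str, authenticator: Authenticator) -> None:
        """Step P / claim 9: the target BS, once triggered (e.g. by a handover
        preparation message), requests the SA information itself."""
        authenticator.deliver_sa_info(ms_id, self)


class Authenticator:
    """Authenticator or access network gateway hosting the SA information
    obtaining and transmission modules of claims 12-13."""
    def __init__(self) -> None:
        self.serving_bs: dict[str, BaseStation] = {}                    # ms_id -> serving BS
        self.obtained: dict[str, tuple[SecurityAssociation, ...]] = {}

    def obtain_sa_info(self, ms_id: str) -> tuple[SecurityAssociation, ...]:
        """Claim 15 / steps J,N: obtaining module pulls the SAs from the original BS."""
        sas = tuple(live_teks(sa) for sa in self.serving_bs[ms_id].report_sa_info(ms_id))
        self.obtained[ms_id] = sas
        return sas

    def fetch_from_original(self, ms_id: str, original: Authenticator) -> None:
        """Steps I/M and K/O: target authenticator asks the original one, which reports back."""
        self.obtained[ms_id] = original.obtain_sa_info(ms_id)

    def deliver_sa_info(self, ms_id: str, target_bs: BaseStation) -> None:
        """Claim 16 / step L (push) or P (pull): transmission module hands the SAs over."""
        target_bs.receive_sa_info(ms_id, self.obtained[ms_id])
        self.serving_bs[ms_id] = target_bs


def handover(ms_id: str, original: Authenticator, target: Authenticator,
             target_bs: BaseStation, pull: bool) -> tuple[SecurityAssociation, ...]:
    """Run claim 8's push variant (I, J, K, L) or pull variant (M, N, O, P)."""
    target.fetch_from_original(ms_id, original)
    if pull:
        target_bs.request_sa_info(ms_id, target)
    else:
        target.deliver_sa_info(ms_id, target_bs)
    return target_bs.sa_by_ms[ms_id]


def build_network() -> tuple[Authenticator, Authenticator, BaseStation]:
    """Constructed sample: MS-1 is served by BS-A under AUTH-1 and holds one
    unicast SA with an active TEK and one whose lifetime has run out."""
    sa = SecurityAssociation(
        said=0x0101, sa_type="primary", sa_service_type="unicast",
        cryptographic_suite=("AES-CCM", "AES-CCM-ICV", "AES-ECB"),
        teks=(TekContext(bytes.fromhex("00112233445566778899aabbccddeeff"), 1800, 2, bytes(16), 1500, 1490),
              TekContext(bytes.fromhex("ffeeddccbbaa99887766554433221100"), 0, 1, bytes(16), 4000, 3990)))
    bs_a, bs_b = BaseStation("BS-A"), BaseStation("BS-B")
    bs_a.sa_by_ms["MS-1"] = (sa,)
    auth_1, auth_2 = Authenticator(), Authenticator()
    auth_1.serving_bs["MS-1"] = bs_a
    return auth_1, auth_2, bs_b


def demo(pull: bool = False) -> tuple[SecurityAssociation, ...]:
    """Hand MS-1 over from BS-A/AUTH-1 to BS-B/AUTH-2 and return what BS-B now holds."""
    original, target, target_bs = build_network()
    return handover("MS-1", original, target, target_bs, pull)
```

Running `demo(pull=False)` and `demo(pull=True)` gives the same result: BS-B ends up holding MS-1's SA 0x0101 with only the live TEK (sequence number 2), while the expired one is filtered at the original authenticator before it ever crosses to the target side. A handover for a terminal the original authenticator does not serve raises `KeyError` before anything is cached, which is the behaviour to keep: an unknown terminal must not cause the target side to fabricate or accept an empty context.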
PCT/CN2006/001513 2005-09-19 2006-06-30 A method and device for obtaining the security association information during the mobile terminal handoff procedure Ceased WO2007033548A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510103479.2 2005-09-19
CN200510103479 2005-09-19

Publications (1)

Publication Number Publication Date
WO2007033548A1 (en) 2007-03-29

Family

ID=37888535

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001513 Ceased WO2007033548A1 (en) 2005-09-19 2006-06-30 A method and device for obtaining the security association information during the mobile terminal handoff procedure

Country Status (1)

Country Link
WO (1) WO2007033548A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102196511A (en) * 2010-03-15 2011-09-21 中国移动通信集团公司 Method, system and device for optimizing cell parameters

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1321049A (en) * 2000-02-09 2001-11-07 朗迅科技公司 Enhanced safety of hand-over in radio communicaltion
CN1337134A (en) * 1999-01-08 2002-02-20 艾利森电话股份有限公司 Reuse of security associations for improving hand-over performance
CN1630404A (en) * 2003-12-18 2005-06-22 中国电子科技集团公司第三十研究所 Method for managing, distributing, and transferring keys when switching users in a digital cellular mobile communication system
CN1630405A (en) * 2003-12-18 2005-06-22 中国电子科技集团公司第三十研究所 Two-way Authentication Method for User Handover in Digital Cellular Mobile Communication System

Similar Documents

Publication Publication Date Title
US7236477B2 (en) Method for performing authenticated handover in a wireless local area network
KR100813295B1 (en) Method for security association negotiation with Extensible Authentication Protocol in wireless portable internet system
US8549293B2 (en) Method of establishing fast security association for handover between heterogeneous radio access networks
US7984298B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
TWI393414B (en) Secure session keys context
EP1713289B1 (en) A method for establishing security association between the roaming subscriber and the server of the visited network
WO2019019736A1 (en) Security implementation method, and related apparatus and system
KR20090004896A (en) System and method for optimizing authentication procedure in handover between access systems
WO2009043278A1 (en) A method, system and device for negotiating about safety ability while a terminal is moving
TW200910826A (en) A method and apparatus for new key derivation upon handoff in wireless networks
CN101309503A (en) Wireless handover method, base station and terminal
WO2020248624A1 (en) Communication method, network device, user equipment and access network device
US12156028B2 (en) Wireless network switching method and device
WO2007121669A1 (en) Method and device and system for establishing wireless connection
WO2011120249A1 (en) Multicast key negotiation method suitable for group calling system and a system thereof
WO2009152656A1 (en) Generating method and system for key identity identifier at the time when user device transfers
WO2011015060A1 (en) Extensible authentication protocol authentication method, base station and authentication server thereof
WO2009012052A1 (en) Fast transitioning resource negotiation
WO2016023198A1 (en) Switching method and switching system between heterogeneous networks
CA3190801A1 (en) Key management method and communication apparatus
CN115396887A (en) Rapid and safe switching authentication method, device and system for high-speed mobile terminal
CN100488281C (en) Method for acquring authentication cryptographic key context from object base station
JP5043928B2 (en) Method and apparatus for processing keys used for encryption and integrity
WO2011072513A1 (en) Method and system for establishing security connection between switch equipments
WO2010133073A1 (en) Method for obtaining certificate state information and system for managing certificate state

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06753075

Country of ref document: EP

Kind code of ref document: A1