WO2014075238A1

WO2014075238A1 - Security processing method for mobile communication, macro base station, micro base station and user equipment

Info

Publication number: WO2014075238A1
Application number: PCT/CN2012/084586
Authority: WO
Inventors: 彭炎; 刘菁
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2012-11-14
Filing date: 2012-11-14
Publication date: 2014-05-22
Anticipated expiration: 2015-05-14
Also published as: CN103959833B; CN103959833A

Abstract

Disclosed are a security processing method for mobile communication, a macro base station, a micro base station and a user equipment (UE). When the macro base station determines to perform a macro-micro CA or CoMP operation on the UE, the UE can securely communicate with the macro base station and the micro base station. The method comprises: the macro base station obtaining security algorithms supported by the UE and the micro base station; according to security algorithms supported by the UE, the micro base station and the macro base station, performing security algorithm negotiation to obtain a negotiated security algorithm; notifying the UE and the micro base station of the negotiated security algorithm; obtaining a security key used by an air interface of the UE; and the macro base station sending the security key to the micro base station, so that security protection processing can be performed on communication among the UE, the micro base station and the macro base station according to the negotiated security algorithm and the security key. The present invention applies to the communications field.

Description

移动通信的安全处理方法、宏基站、微基站和用户设备技术领域 Security processing method for mobile communication, macro base station, micro base station and user equipment

本发明涉及，尤其涉及一种移动通信的安全处理方法、宏基站、微基站和用户设备。 The present invention relates to a security processing method for a mobile communication, a macro base station, a micro base station, and a user equipment.

背景技术 Background technique

现有的长期演进 LTE ( Long Term Evolution ) 系统中，由于用户设备 UE ( User Equipment )和演进型网络基站 eNB ( evolved Node B )所支持的安全算法可能并不完全相同，为了保证 UE和 eNB之间空口的通信安全性，在 UE和 eNB进行通信前不但需要进行两者的安全算法协商，还需要进行空口安全密钥的派生。 In the existing Long Term Evolution (LTE) system, the security algorithms supported by the user equipment UE (User Equipment) and the evolved network base station eNB (evolved Node B) may not be identical, in order to ensure the UE and the eNB. For the communication security of the air interface, not only the security algorithm negotiation of the two needs to be performed before the communication between the UE and the eNB, but also the derivation of the air interface security key is required.

现有技术中， UE仅存在一个服务节点，并只需要与该节点完成安全算法的协商以及空口密钥的派生过程，就可以对空口进行安全保护。 In the prior art, only one service node exists in the UE, and only the negotiation of the security algorithm with the node and the derivation process of the air interface key are needed to secure the air interface.

在异构网 HetNet ( Heterogeneous Network )松耦合架构场景下，宏基站和基站进行载波聚合 CA ( Carrier Aggregation ) 通信的目的是为了进行网络容量的提升；宏基站和微基站进行多点协作 CoMP ( Coordinated Multi-Point )通信的目的是为了提升边缘用户的性能。无论是 CA还是 CoMP操作， UE都需要同时与宏基站和微基站保持通信，但是现有技术中没有合理的方案使得 UE 在 CA 还是 CoMP 操作时，同时与宏基站和微基站保持安全通信，所以这一问题亟待解决。 In the scenario of Heterogeneous Network (HetNet), the macro base station and the base station perform Carrier Aggregation (CA) communication for the purpose of improving the network capacity. The macro base station and the micro base station perform multi-point cooperation CoMP (Coordinated). Multi-Point) communication is designed to improve the performance of edge users. Regardless of whether it is a CA or a CoMP operation, the UE needs to maintain communication with the macro base station and the micro base station at the same time. However, there is no reasonable solution in the prior art to enable the UE to maintain secure communication with the macro base station and the micro base station simultaneously in the CA or CoMP operation, so This problem needs to be solved urgently.

发明内容 Summary of the invention

本发明的实施例提供一种移动通信的安全处理方法、宏基站、微基站和用户设备， UE、宏基站和微基站能够进行安全算法的协商和安全密钥的获取，进而使得在宏基站和微基站进行 CA 或 CoMP 操作时， UE能够安全的与宏基站和微基站进行通信。 Embodiments of the present invention provide a security processing method for a mobile communication, a macro base station, a micro base station, and a user equipment, where the UE, the macro base station, and the micro base station can perform security algorithm negotiation and security key acquisition, thereby enabling the macro base station and When the micro base station performs CA or CoMP operation, the UE can securely communicate with the macro base station and the micro base station.

为达到上述目的，本发明的实施例采用如下技术方案：第一方面，提供了一种移动通信的安全处理方法，该方法包括：宏基站获取用户设备 UE和微基站支持的安全算法； In order to achieve the above object, the embodiment of the present invention adopts the following technical solutions: A first aspect provides a security processing method for mobile communications, where the method includes: acquiring, by a macro base station, a security algorithm supported by a user equipment UE and a micro base station;

所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法； The macro base station performs security algorithm negotiation according to the security algorithm supported by the UE, the micro base station, and the macro base station, and obtains the negotiated security algorithm;

所述宏基站向所述 UE和微基站通知所述协商后的安全算法；所述宏基站获取所述 UE空口使用的安全密钥； And the macro base station notifies the UE and the micro base station of the negotiated security algorithm; the macro base station acquires a security key used by the UE air interface;

所述宏基站将所述安全密钥发送给所述微基站，以使得所述 Transmitting, by the macro base station, the security key to the micro base station, so that the

U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The communication between the U E, the micro base station and the macro base station can be subjected to security protection processing according to the negotiated security algorithm and the security key.

结合第一方面，在第一种可能的实现方式中，所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法的协商，得到协商后的安全算法包括： With reference to the first aspect, in a first possible implementation manner, the macro base station performs a security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, and the obtained security algorithm includes:

所述宏基站根据获取的 UE 和微基站支持的安全算法，以及所述宏基站支持的安全算法，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法。 Obtaining, by the macro base station, an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station according to the obtained security algorithm supported by the UE and the micro base station, and the security algorithm supported by the macro base station, and the security algorithm is Any security algorithm in the intersection is used as the negotiated security algorithm.

结合第一方面或第一种可能的实现方式，在第二种可能的实现方式中，所述宏基站获取 UE支持的安全算法包括： With reference to the first aspect or the first possible implementation manner, in a second possible implementation manner, the acquiring, by the macro base station, a security algorithm supported by the UE includes:

在所述 UE接入到宏基站时，获取所述 UE支持的安全算法；在所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法之前，还包括： Obtaining a security algorithm supported by the UE when the UE accesses the macro base station; performing security algorithm negotiation on the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain security after negotiation Before the algorithm, it also includes:

所述宏基站确定所述 UE 需要所述宏基站和微基站进行载波聚合 CA或多点协作 CoMP协作通信。 The macro base station determines that the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point cooperative CoMP cooperative communication.

结合第一方面或第一种可能的实现方式，在第三种可能的实现方式中，所述宏基站获取 UE支持的安全算法包括： With reference to the first aspect or the first possible implementation manner, in a third possible implementation manner, the acquiring, by the macro base station, the security algorithm supported by the UE includes:

在所述 UE接入到宏基站时，获取所述 UE支持的安全算法；在所述宏基站向所述 UE通知协商的安全算法之前，还包括：所述宏基站确定所述 UE 需要所述宏基站和微基站进行 CA 或 Before the UE accesses the macro base station, acquiring a security algorithm supported by the UE; before the macro base station notifying the UE of the negotiated security algorithm, the method further includes: the macro base station determining that the UE needs the Macro base station and micro base station perform CA or

CoMP协作通信。结合第一方面或第一种可能的实现方式至第三种可能的实现方式，在第四种可能的实现方式中，所述宏基站获取所述微基站支持的安全算法包括： CoMP collaborative communication. With reference to the first aspect or the first possible implementation manner to the third possible implementation manner, in a fourth possible implementation, the acquiring, by the macro base station, the security algorithm supported by the micro base station includes:

接收所述宏基站操作、管理与维护 OAM 发送的所述宏基站 OAM和基站 OAM协商后的安全算法； Receiving, by the macro base station, a security algorithm negotiated by the macro base station OAM and the base station OAM sent by the OAM;

或者， Or,

所述宏基站向所述宏基站 OAM 发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM从所述微基站 OAM获取所述微基站支持的安全算法，所述宏基站接收所述宏基站 OAM发送的所述微基站支持的安全算法； The macro base station sends a request for acquiring a security algorithm supported by the micro base station to the macro base station OAM, so that the macro base station OAM acquires a security algorithm supported by the micro base station from the micro base station OAM, where the macro base station receives the a security algorithm supported by the micro base station sent by the macro base station OAM;

或者， Or,

接收所述微基站发送的与所述宏基站进行接口建立的请求，所述接口建立请求中携带有所述微基站支持的安全算法； And receiving, by the micro base station, a request for establishing an interface with the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station;

或者， Or,

接收所述微基站发送的配置更新消息，所述配置更新消息中携带有所述微基站支持的安全算法。 Receiving a configuration update message sent by the micro base station, where the configuration update message carries a security algorithm supported by the micro base station.

结合第一方面或第一种可能的实现方式，在第五种可能的实现方式中，所述宏基站获取 UE支持的安全算法包括： With reference to the first aspect or the first possible implementation manner, in a fifth possible implementation, the acquiring, by the macro base station, the security algorithm supported by the UE includes:

在所述 UE接入到所述宏基站时，所述宏基站获取所述 UE支持的安全算法； When the UE accesses the macro base station, the macro base station acquires a security algorithm supported by the UE;

在所述宏基站获取所述微基站支持的安全算法之前，还包括：所述宏基站确定所述 UE 需要所述宏基站和微基站进行 CA 或 Before the macro base station acquires the security algorithm supported by the micro base station, the method further includes: the macro base station determining that the UE needs the macro base station and the micro base station to perform CA or

CoMP协作通信； CoMP collaborative communication;

所述宏基站获取所述微基站支持的安全算法包括： The security algorithm supported by the macro base station to obtain the micro base station includes:

所述宏基站向所述微基站发送请求信息，所述请求信 , 请求所述微基站将自身支持的安全算法发送给所述宏基站，并接收所述微基站发送的所述微基站支持的安全算法。 The macro base station sends request information to the micro base station, and the request message requests the micro base station to send a security algorithm supported by the micro base station to the macro base station, and receives the micro base station to send the micro base station to support Security algorithm.

结合第一方面或第一种可能的实现方式至第五种可能的实现方式，在第六种可能的实现方式中，所述宏基站获取所述 UE 空口使用的安全密钥包括： With reference to the first aspect or the first possible implementation manner to the fifth possible implementation manner, in a sixth possible implementation manner, the macro base station acquires the UE air interface The security keys used include:

所述宏基站接收移动管理实体发送的所述 UE 空口使用的共享根密钥，并根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥； Receiving, by the macro base station, a shared root key used by the UE air interface sent by the mobility management entity, and deriving an encryption and integrity protection key of the UE air interface according to the shared root key;

所述宏基站将所述安全密钥发送给所述微基站，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理包括： The macro base station sends the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be securely protected according to the negotiated security algorithm and the security key. Processing includes:

所述宏基站将所述共享根密钥发送给所述微基站，以使得所述微基站根据所述共享根密钥派生 UE空口的加密和完整性保护密钥，所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE空口的加密和完整性保护密钥进行安全保护处理。 Transmitting, by the macro base station, the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, the UE, the micro base station, and The communication between the macro base stations can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection keys of the UE air interface.

结合第一方面或第一种可能的实现方式至第五种可能的实现方式，在第七种可能的实现方式中，所述宏基站获取所述 UE 空口使用的安全密钥包括： With reference to the first aspect or the first possible implementation manner to the fifth possible implementation manner, in a seventh possible implementation manner, the acquiring, by the macro base station, the security key used by the UE air interface includes:

接收移动管理实体发送的所述 UE空口使用的共享根密钥；所述宏基站将所述安全密钥发送给所述微基站，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理包括： Receiving a shared root key used by the UE air interface sent by the mobility management entity; the macro base station transmitting the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can Performing security protection processing according to the negotiated security algorithm and the security key includes:

所述宏基站根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，并将所述加密和完整性保护密钥发送给所述微基站，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述微基站和 UE进行安全通信。 Determining, by the macro base station, an encryption and integrity protection key of the UE air interface according to the shared root key, and transmitting the encryption and integrity protection key to the micro base station, according to the encryption and integrity protection secret The key and the negotiated security algorithm perform secure communication with the micro base station and the UE.

第二方面，提供了一种移动通信的安全处理方法，该方法包括：所述微基站与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法； A second aspect provides a security processing method for mobile communications, where the method includes: the micro base station interacts with a macro base station to perform a security algorithm, so that the macro base station acquires a security algorithm supported by the micro base station;

所述微基站接收所述宏基站发送的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商后得到的； The micro base station receives the negotiated security algorithm sent by the macro base station, and the negotiated security algorithm is obtained by the macro base station according to the security algorithm supported by the UE, the micro base station, and the macro base station. of;

接收所述宏基站发送的 UE 空口使用的安全密钥，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 Receiving a security key used by the UE air interface sent by the macro base station, so that the The communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key.

结合第二方面，在第一种可能的实现方式中，所述微基站与宏基站进行安全算法的交互包括： With reference to the second aspect, in a first possible implementation manner, the interaction between the micro base station and the macro base station to perform a security algorithm includes:

所述微基站向微基站 OAM 发送所述微基站支持的安全算法，以使得所述宏基站 OAM与所述微基站 OAM协商所述宏基站和微基站都支持的安全算法，并将所述安全算法发送给所述宏基站； The micro base station sends a security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM and the micro base station OAM negotiate a security algorithm supported by the macro base station and the micro base station, and the security is supported. Sending an algorithm to the macro base station;

或者， Or,

所述微基站向微基站 OAM 发送所述微基站支持的安全算法，以使得所述宏基站 OAM从所述微基站 OAM获得所述微基站支持的安全算法，并将所述微基站支持的安全算法发送给所述宏基站；或者， The micro base station sends the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and supports the security supported by the micro base station. Sending an algorithm to the macro base station; or

所述微基站向所述宏基站发送接口建立请求，所述接口建立请求中携带有所述微基站支持的安全算法； The micro base station sends an interface establishment request to the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station;

或者， Or,

所述微基站向所述宏基站发送配置更新消息，所述配置更新消息中携带有所述微基站支持的安全算法； The micro base station sends a configuration update message to the macro base station, where the configuration update message carries a security algorithm supported by the micro base station;

或者， Or,

所述微基站接收所述宏基站发送的请求消息，所述请求消息请求所述微基站将自身支持的安全算法发送给所述宏基站，所述微基站向所述宏基站发送自身支持的安全算法。 Receiving, by the micro base station, a request message sent by the macro base station, the request message requesting the micro base station to send a security algorithm supported by the micro base station to the macro base station, where the micro base station sends the self-supported security to the macro base station. algorithm.

结合第二方面，在第二种可能的实现方式中，所述接收所述宏基站发送的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理包括： With reference to the second aspect, in a second possible implementation manner, the receiving, by the macro base station, a security key, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the security key for security protection processing include:

所述微基站接收所述宏基站发送的所述 UE 空口使用的共享根密钥，根据所述共享根密钥派生 UE空口的加密和完整性保护密钥 , 根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 UE进行安全通信；或者， Receiving, by the macro base station, a shared root key used by the UE air interface sent by the macro base station, and deriving an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and integrity protection secret Key and the negotiated security algorithm perform secure communication with the macro base station and the UE; or,

所述微基站接收所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 Receiving, by the micro base station, an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the The encryption and integrity protection keys of the UE air interface are processed for security protection.

第三方面，提供了一种移动通信的安全处理方法，该方法包括：用户设备 UE向宏基站发送所述 UE支持的安全算法； A third aspect provides a security processing method for mobile communications, where the method includes: the user equipment UE sends a security algorithm supported by the UE to a macro base station;

所述 UE 接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的； Receiving, by the UE, the negotiated security algorithm that is notified by the macro base station, where the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station;

所述 UE根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 And the UE communicates with the macro base station and the micro base station after the macro base station sends the security key to the micro base station according to the negotiated security algorithm and the security key used by the UE air interface.

第四方面，提供了一种宏基站，该宏基站包括：第一获取单元、协商单元、通知单元、第二获取单元、发送单元； A fourth aspect provides a macro base station, where the macro base station includes: a first acquiring unit, a negotiating unit, a notifying unit, a second acquiring unit, and a sending unit;

所述第一获取单元，用于获取用户设备 UE 和微基站支持的安全算法； The first acquiring unit is configured to acquire a security algorithm supported by the user equipment UE and the micro base station;

所述协商单元，用于根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法； The negotiating unit is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm;

所述通知单元，用于向所述 UE 和基站通知所述协商后的安全算法； The notifying unit is configured to notify the UE and the base station of the negotiated security algorithm;

所述第二获取单元，用于获取所述 UE空口使用的安全密钥；所述发送单元，用于将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The second acquiring unit is configured to acquire a security key used by the air interface of the UE, and the sending unit is configured to send the security key to the micro base station, so that the UE, the micro base station, and the asteroid base The communication between the stations can perform security protection processing according to the negotiated security algorithm and the security key.

结合第四方面，在第一种可能的实现方式中， In combination with the fourth aspect, in a first possible implementation manner,

所述协商单元，具体用于根据获取的 UE 和微基站支持的安全算法，以及所述宏基站支持的安全算法，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法。 The negotiating unit is specifically configured to obtain, according to the obtained security algorithm supported by the UE and the micro base station, and the security algorithm supported by the macro base station, an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station, and Any of the intersections of the security algorithms The full algorithm acts as the negotiated security algorithm.

结合第四方面或第一种可能的实现方式，在第二种可能的实现方式中， In combination with the fourth aspect or the first possible implementation manner, in a second possible implementation manner,

所述第一获取单元，具体用于在所述 UE 接入到宏基站时，获取所述 UE支持的安全算法； The first acquiring unit is specifically configured to: when the UE accesses the macro base station, obtain a security algorithm supported by the UE;

所述宏基站还包括：确定单元； The macro base station further includes: a determining unit;

所述确定单元，用于确定所述 UE 是否需要所述宏基站和微基站进行载波聚合 CA或多点协作 CoMP协作通信； The determining unit is configured to determine whether the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point cooperative CoMP cooperative communication;

所述协商单元，具体用于在所述确定单元确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。 The negotiating unit is specifically configured to: after the determining unit determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, perform security according to a security algorithm supported by the UE, the micro base station, and the macro base station. The algorithm negotiates to obtain the negotiated security algorithm.

结合第四方面或第一种可能的实现方式，在第三种可能的实现方式中， In combination with the fourth aspect or the first possible implementation manner, in a third possible implementation manner,

所述宏基站还包括确定单元； The macro base station further includes a determining unit;

所述确定单元，用于确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信； The determining unit is configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication;

所述通知单元，还用于在所述确定单元确定所述 UE 需要所述宏基站和鼓基站进行 CA或 CoMP协作通信后，向所述 UE通知协商后的安全算法。 The notifying unit is further configured to notify the UE of the negotiated security algorithm after the determining unit determines that the UE needs the macro base station and the drum base station to perform CA or CoMP cooperative communication.

结合第四方面或第一种可能的实现方式至第三种可能的实现方式，在第四种可能的实现方式中，所述第一获取单元具体用于：接收所述宏基站操作、管理与维护 OAM 发送的所述宏基站 OAM和基站 OAM协商后的安全算法； With reference to the fourth aspect or the first possible implementation manner to the third possible implementation manner, in a fourth possible implementation manner, the first acquiring unit is specifically configured to: receive, operate, and manage the macro base station Maintaining a security algorithm negotiated by the macro base station OAM and the base station OAM sent by the OAM;

或者， Or,

向所述宏基站 OAM 发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM从所述微基站 OAM获取所述微基站支持的安全算法，接收所述宏基站 OAM 发送的所述微基站支持的安全算法； Sending, to the macro base station OAM, a request for acquiring a security algorithm supported by the micro base station, so that the macro base station OAM obtains the micro base station support from the micro base station OAM a security algorithm, receiving a security algorithm supported by the micro base station sent by the macro base station OAM;

或者， Or,

结合第四方面或第一种可能的实现方式，在第五种可能的实现方式中， In combination with the fourth aspect or the first possible implementation manner, in a fifth possible implementation manner,

所述第一获取单元，还具体用于在所述确定单元确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述微基站发送请求信息，所述请求信息请求所述微基站将自身支持的安全算法发送给所述宏基站，并接收所述微基站发送的所述微基站支持的安全算法。 The first acquiring unit is further configured to: after the determining unit determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, send request information to the micro base station, where the request information is requested The micro base station sends a security algorithm supported by the micro base station to the macro base station, and receives a security algorithm supported by the micro base station sent by the micro base station.

结合第四方面或第一种可能的实现方式至第五种可能的实现方式，在第六种可能的实现方式中， With reference to the fourth aspect or the first possible implementation manner to the fifth possible implementation manner, in a sixth possible implementation manner,

所述第二获取单元，具体用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥，并根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥； The second acquiring unit is specifically configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity, and derive an encryption and integrity protection key of the UE air interface according to the shared root key;

所述发送单元，具体用于将所述共享根密钥发送给所述微基站，以使得所述微基站根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The sending unit is specifically configured to send the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, where the UE The communication between the micro base station and the macro base station can be performed according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface. Full protection processing.

结合第四方面或第一种可能的实现方式至第五种可能的实现方式，在第七种可能的实现方式中， With reference to the fourth aspect or the first possible implementation manner to the fifth possible implementation manner, in a seventh possible implementation manner,

所述第二获取单元，用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥，并根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥； The second obtaining unit is configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity, and derive an encryption and integrity protection key of the UE air interface according to the shared root key;

所述发送单元，具体用于将所述 UE 空口的加密和完整性保护密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The sending unit is specifically configured to send an encryption and integrity protection key of the UE air interface to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

第五方面，提供了一种微基站，所述微基站包括：交互单元、接收单元； A fifth aspect provides a micro base station, where the micro base station includes: an interaction unit and a receiving unit;

所述交互单元，用于与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法； The interaction unit is configured to perform a security algorithm interaction with the macro base station, so that the macro base station acquires a security algorithm supported by the micro base station;

所述接收单元，用于接收所述宏基站发送的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商后得到的； The receiving unit is configured to receive the negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is that the macro base station performs a security algorithm according to a security algorithm supported by the UE, the micro base station, and the macro base station. Obtained after consultation;

所述接收单元，还用于接收所述宏基站发送的 UE 空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The receiving unit is further configured to receive a security key used by the UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be according to the negotiated security algorithm and the The security key is processed for security protection.

结合第五方面，在第一种可能的实现方式中，所述交互单元，具体用于： With reference to the fifth aspect, in a first possible implementation manner, the interaction unit is specifically configured to:

向微基站 OAM 发送所述微基站支持的安全算法，以使得所述宏基站 OAM与所述微基站 OAM协商所述宏基站和微基站都支持的安全算法，并将所述安全算法发送给所述宏基站； Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM and the micro base station OAM negotiate a security algorithm supported by the macro base station and the micro base station, and send the security algorithm to the Macro base station

或者， Or,

向微基站 OAM 发送所述微基站支持的安全算法，以使得所述宏基站 OAM从所述微基站 OAM获得所述微基站支持的安全算法，并将所述微基站支持的安全算法发送给所述宏基站；或者， Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and sends the security algorithm supported by the micro base station to the Macro base station or,

向所述宏基站发送接口建立请求，所述接口建立请求中携带有所述微基站支持的安全算法； Sending an interface establishment request to the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station;

或者， Or,

向所述宏基站发送配置更新消息，所述配置更新消息中携带有所述微基站支持的安全算法； Sending a configuration update message to the macro base station, where the configuration update message carries a security algorithm supported by the micro base station;

或者， Or,

接收所述宏基站发送的请求消息，所述请求消息请求所述微基站将自身支持的安全算法发送给所述宏基站，向所述宏基站发送自身支持的安全算法。 And receiving a request message sent by the macro base station, where the request message requests the micro base station to send a security algorithm supported by itself to the macro base station, and send a self-supported security algorithm to the macro base station.

结合第五方面，在第二种可能的实现方式中， In combination with the fifth aspect, in a second possible implementation manner,

所述接收单元，具体用于接收所述宏基站发送的所述 UE 空口使用的共享根密钥； The receiving unit is specifically configured to receive a shared root key used by the UE air interface sent by the macro base station;

所述微基站还包括派生单元； The micro base station further includes a derivation unit;

所述派生单元，用于在所述接收单元接收到所述 UE 空口使用的共享根密钥之后，根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 UE进行安全通信； Deriving unit, configured to: after the receiving unit receives the shared root key used by the UE air interface, derive an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and An integrity protection key and the negotiated security algorithm perform secure communication with the macro base station and the UE;

或者， Or,

所述接收单元，具体用于接收所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The receiving unit is specifically configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

第六方面，提供了一种用户设备，所述用户设备包括：发送单元、接收单元和通信单元； A sixth aspect provides a user equipment, where the user equipment includes: a sending unit, a receiving unit, and a communication unit;

所述发送单元，用于向宏基站发送所述 UE支持的安全算法；所述接收单元，用于接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的；所述通信单元，用于根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 The sending unit is configured to send the security algorithm supported by the UE to the macro base station, where the receiving unit is configured to receive the negotiated security algorithm notified by the macro base station, where the negotiated security algorithm is the macro base The station obtains the negotiation according to the security algorithm supported by the UE, the micro base station, and the macro base station; The communication unit is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station and the micro The base station communicates.

第七方面，提供了一种宏基站，所述宏基站包括：收发器、处理器和存储器； According to a seventh aspect, a macro base station is provided, where the macro base station includes: a transceiver, a processor, and a memory;

所述存储器，用于存储所述宏基站支持的安全算法； The memory is configured to store a security algorithm supported by the macro base station;

所述收发器，用于接收用户设备 UE和微基站支持的安全算法；所述处理器，用于根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法； The transceiver is configured to receive a security algorithm supported by the user equipment UE and the micro base station, where the processor is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, and obtain the negotiated Security algorithm

所述收发器，还用于向所述 UE 和微基站发送所述协商后的安全算法； The transceiver is further configured to send the negotiated security algorithm to the UE and the micro base station;

所述收发器，还用于接收所述 UE空口使用的安全密钥；所述收发器，还用于将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The transceiver is further configured to receive a security key used by the air interface of the UE; the transceiver is further configured to send the security key to the micro base station, so that the UE, the micro base station, and the Acer base The communication between the stations can perform security protection processing according to the negotiated security algorithm and the security key.

结合第七方面，在第一种可能的实现方式中， In combination with the seventh aspect, in a first possible implementation manner,

所述处理器，具体用于根据所述 UE和微基站支持的安全算法，以及所述宏基站支持的安全算法，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法。 The processor is specifically configured to obtain, according to a security algorithm supported by the UE and the micro base station, and a security algorithm supported by the macro base station, an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station, and Any security algorithm in the intersection of the security algorithms is used as the negotiated security algorithm.

结合第七方面或第一种可能的实现方式，在第二种可能的实现方式中， In combination with the seventh aspect or the first possible implementation manner, in a second possible implementation manner,

所述收发器，具体用于在所述 UE 接入到宏基站时，接收所述 UE支持的安全算法； The transceiver is specifically configured to: when the UE accesses the macro base station, receive a security algorithm supported by the UE;

所述处理器，还用于确定所述 UE 是否需要所述宏基站和微基站进行载波聚合 CA或多点协作 CoMP协作通信； The processor is further configured to determine whether the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point cooperative CoMP cooperative communication;

所述处理器，具体用于在确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，根据根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。结合第七方面或第一种可能的实现方式，在第三种可能的实现方式中， The processor is specifically configured to: after determining that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, Get the negotiated security algorithm. In combination with the seventh aspect or the first possible implementation manner, in a third possible implementation manner,

所述收发器，具体用于在所述处理器确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述 UE发送协商后的安全算法。 The transceiver is specifically configured to: after the determining that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, send the negotiated security algorithm to the UE.

结合第七方面或第一种可能的实现方式至第三种可能的实现方式，在第四种可能的实现方式中，所述收发器具体用于： With reference to the seventh aspect or the first possible implementation to the third possible implementation, in a fourth possible implementation, the transceiver is specifically configured to:

或者， Or,

向所述宏基站 OAM 发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM从所述微基站 OAM获取所述微基站支持的安全算法，接收所述宏基站 OAM 发送的所述微基站支持的安全算法； Sending, to the macro base station OAM, a request for acquiring a security algorithm supported by the micro base station, so that the macro base station OAM acquires a security algorithm supported by the micro base station from the micro base station OAM, and receives the Security algorithm supported by the micro base station;

或者， Or,

结合第七方面或第一种可能的实现方式，在第五种可能的实现方式中， In combination with the seventh aspect or the first possible implementation manner, in a fifth possible implementation manner,

所述处理器，还用于确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信； The processor is further configured to determine that the UE needs the macro base station and the micro base station to enter CA or CoMP collaborative communication;

所述收发器，还具体用于在所述处理器确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述微基站发送请求信息，所述请求信息请求所述微基站将自身支持的安全算法发送给所述宏基站，并接收所述微基站发送的所述微基站支持的安全算法。 The transceiver is further configured to: after the processor determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, send request information to the micro base station, where the request information requests the The micro base station sends the security algorithm supported by the micro base station to the macro base station, and receives the security algorithm supported by the micro base station sent by the micro base station.

结合第七方面或第一种可能的实现方式至第五种可能的实现方式，在第六种可能的实现方式中， With reference to the seventh aspect or the first possible implementation manner to the fifth possible implementation manner, in a sixth possible implementation manner,

所述收发器，具体用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥； The transceiver is specifically configured to receive a shared root key used by the UE of the UE sent by the mobility management entity;

所述处理器，用于根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥； The processor, configured to derive an encryption and integrity protection key of the UE air interface according to the shared root key;

所述收发器，具体用于将所述共享根密钥发送给所述微基站，以使得所述微基站根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The transceiver is specifically configured to send the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, where the UE The communication between the micro base station and the macro base station can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

结合第七方面或第一种可能的实现方式至第五种可能的实现方式，在第七种可能的实现方式中， With reference to the seventh aspect or the first possible implementation manner to the fifth possible implementation manner, in a seventh possible implementation manner,

所述收发器，用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥； The transceiver is configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity;

所述处理器，还用于根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥； The processor is further configured to derive an encryption and integrity protection key of the UE air interface according to the shared root key;

所述收发器，具体用于将所述 UE 空口的加密和完整性保护密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The transceiver is specifically configured to send an encryption and integrity protection key of the UE air interface to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

第八方面，提供了一种微基站，所述微基站包括：收发器和存储器；所述存储器，用于存储所述微基站支持的安全算法；所述收发器，用于与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法； In an eighth aspect, a micro base station is provided, where the micro base station includes: a transceiver and a memory; The memory is configured to store a security algorithm supported by the micro base station; the transceiver is configured to perform a security algorithm interaction with a macro base station, so that the macro base station acquires a security algorithm supported by the micro base station;

所述收发器，还用于接收所述宏基站发送的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商后得到的； The transceiver is further configured to receive the negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is that the macro base station performs security according to a security algorithm supported by the UE, the micro base station, and the macro base station. Obtained after the algorithm is negotiated;

所述收发器，还用于接收所述宏基站发送的 UE 空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The transceiver is further configured to receive a security key used by the UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be according to the negotiated security algorithm and the The security key is processed for security protection.

结合第八方面，在第一种可能的实现方式中，所述收发器，具体用于： With reference to the eighth aspect, in a first possible implementation manner, the transceiver is specifically configured to:

或者， Or,

向微基站 OAM 发送所述微基站支持的安全算法，以使得所述宏基站 OAM从所述微基站 OAM获得所述微基站支持的安全算法，并将所述微基站支持的安全算法发送给所述宏基站； Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and sends the security algorithm supported by the micro base station to the Macro base station

或者， Or,

结合第八方面，在第二种可能的实现方式中，所述收发器，具体用于接收所述宏基站发送的所述 UE 空口使用的共享根密钥； In combination with the eighth aspect, in a second possible implementation manner, The transceiver is specifically configured to receive a shared root key used by the UE air interface sent by the macro base station;

所述微基站还包括：处理器； The micro base station further includes: a processor;

所述处理器，用于在所述收发器接收到所述 UE 空口使用的共享根密钥之后，根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 UE进行安全通信； The processor, after the transceiver receives the shared root key used by the UE air interface, deriving an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and An integrity protection key and the negotiated security algorithm perform secure communication with the macro base station and the UE;

或者， Or,

所述收发器，具体用于接收所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The transceiver is specifically configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

第九方面，提供了一种用户设备，所述用户设备包括：收发器、处理器和存储器； A ninth aspect provides a user equipment, where the user equipment includes: a transceiver, a processor, and a memory;

所述存储器，用于存储所述 UE支持的安全算法； The memory is configured to store a security algorithm supported by the UE;

所述收发器，用于接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的； The transceiver is configured to receive the negotiated security algorithm notified by the macro base station, where the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station. of;

所述处理器，用于根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 The processor is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station and the micro The base station communicates.

本发明实施例提供了一种移动通信的安全处理方法、宏基站、微基站和用户设备，所述宏基站获取 UE和微基站支持的安全算法；然后，根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法；所述宏基站向所述用户设备和微基站通知所述协商后的安全算法；所述宏基站获取所述 UE 空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE进行宏微 CA或 CoMP操作时， UE能够安全的与宏基站和微基站进行通信。 The embodiment of the present invention provides a security processing method for a mobile communication, a macro base station, a micro base station, and a user equipment, where the macro base station acquires a security algorithm supported by the UE and the micro base station; and then, according to the UE, the micro base station, and the macro base station Supporting the security algorithm, performing security algorithm negotiation, and obtaining the negotiated security algorithm; the macro base station notifying the user equipment and the micro base station of the negotiated security algorithm; and the macro base station acquiring the security of the UE air interface use Key, and transmitting the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be secured according to the negotiated security algorithm and the security key deal with. In this way, due to UE, macro base station and micro base The security algorithm negotiation and the acquisition of the security key can be performed between the three network entities. When the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely communicate with the macro base station and the micro base station.

附图说明 DRAWINGS

为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本发明的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。图 1 为本发明实施例提供的一种移动通信的安全处理方法流程示意图；图 2 为本发明实施例提供的另一种移动通信的安全处理方法流程示意图； In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any creative work. FIG. 1 is a schematic flowchart of a method for securely processing a mobile communication according to an embodiment of the present invention; FIG. 2 is a schematic flowchart of another method for securely processing mobile communications according to an embodiment of the present invention;

图 3 为本发明实施例提供的另一种移动通信的安全处理方法流程示意图； 3 is a schematic flowchart of another method for securely processing mobile communications according to an embodiment of the present invention;

图 4 为本发明实施例提供的一种移动通信的安全处理方法交互示意图； 4 is a schematic diagram of an interaction of a security processing method for mobile communication according to an embodiment of the present invention;

图 5 为本发明实施例提供的另一种移动通信的安全处理方法交互示意图；图 6 为本发明实施例提供的另一种移动通信的安全处理方法交互示意图；图 7为本发明实施例提供的一种宏基站的结构示意图；图 8为本发明实施例提供的另一种宏基站的结构示意图；图 9为本发明实施例提供的一种微基站的结构示意图；图 10为本发明实施例提供的一种用户设备的结构示意图；图 1 1为本发明实施例提供的另一种宏基站的结构示意图；图 12为本发明实施例提供的另一种微基站的结构示意图；图 13为本发明实施例提供的另一种用户设备的结构示意图。具体实施方式 FIG. 5 is a schematic diagram of another embodiment of a security processing method for mobile communication according to an embodiment of the present invention; FIG. 6 is a schematic diagram of another method for securely processing a mobile communication according to an embodiment of the present invention; FIG. FIG. 8 is a schematic structural diagram of another macro base station according to an embodiment of the present invention; FIG. 9 is a schematic structural diagram of a micro base station according to an embodiment of the present invention; FIG. 1 is a schematic structural diagram of another macro base station according to an embodiment of the present invention; FIG. 12 is a schematic structural diagram of another micro base station according to an embodiment of the present invention; Another schematic structural diagram of a user equipment provided by an embodiment of the present invention. detailed description

下面将结合本发明实施例中的附图，对本发明实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本发明一部分实施例，而不是全部的实施例。基于本发明中的实施例，本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例，都属于本发明保护的范围。 The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

本发明一实施例提供一种移动通信的安全处理方法，如图 1 所示，该方法的执行主体是宏基站，该方法具体可以包括： An embodiment of the present invention provides a method for securely processing a mobile communication. As shown in FIG. 1 , an execution entity of the method is a macro base station, and the method may specifically include:

101、宏基站获取用户设备 UE和微基站支持的安全算法。 101. The macro base station acquires a security algorithm supported by the user equipment UE and the micro base station.

所述安全算法为可以用于所述 UE与宏基站、 UE与微基站之间进行安全通信，对数据、信令进行加密 /解密和完整性保护操作的算法，例如可以包括加密和完整性保护算法，本发明实施例对此不做限定。 The security algorithm is an algorithm that can be used for secure communication between the UE and the macro base station, the UE and the micro base station, and performs encryption/decryption and integrity protection operations on data and signaling, and may include, for example, encryption and integrity protection. The algorithm is not limited in this embodiment of the present invention.

其中，通常 UE 接入宏基站时，可以通过非接入层 NAS ( Non Access Statum ) 信令将其所支持的安全算法发送给移动性管理实体 MME ( Mobility Management Entity ) , 然后 MME再通过 S I接口信令将收到的 UE支持的安全算法转发给所述宏基站。 Generally, when the UE accesses the macro base station, the security algorithm supported by the UE may be sent to the mobility management entity MME (Mobility Management Entity) through non-access stratum NAS (Non Access Statum) signaling, and then the MME passes through the SI interface. The signaling forwards the received security algorithm supported by the UE to the macro base station.

而所述宏基站获取所述微基站支持的安全算法可以有多种方式。 The macro base station may obtain multiple security modes supported by the micro base station.

例如，所述宏基站获取所述微基站支持的安全算法可以是：由所述宏基站操作、管理和维护 OAM ( Operation Administration and Maintenance ) 和所述微基站 0 AM 之间进行宏基站和微基站所支持安全算法的协商，在协商完成后，所述宏基站 OAM将所述协商后的安全算法发送给所述宏基站，同时，所述微基站 OAM也将所述协商后的安全算法发送给所述微基站，从而保证宏基站和微基站所支持安全算法的一致性。 For example, the macro base station acquiring the security algorithm supported by the micro base station may be: performing macro base station and micro base station between the OAM (Operation Administration and Maintenance) and the micro base station 0 AM by the macro base station. The negotiation of the supported security algorithm, after the negotiation is completed, the macro base station OAM sends the negotiated security algorithm to the macro base station, and the micro base station OAM also sends the negotiated security algorithm to the The micro base station ensures consistency of security algorithms supported by the macro base station and the micro base station.

可选的，所述宏基站获取所述微基站支持的安全算法还可以是：所述宏基站向所述宏基站 OAM 发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM与所述微基站 OAM进行交互后，从所述微基站 OAM中获取所述微基站支持的安全算法，然后所述宏基站 OAM将所述微基站支持的安全算法发送给所述宏基站。 Optionally, the acquiring, by the macro base station, the security algorithm supported by the micro base station may be: the macro base station sending, to the macro base station OAM, a request for acquiring a security algorithm supported by the micro base station, so that the macro base station OAM and the macro base station After the micro base station OAM interacts, Obtaining a security algorithm supported by the micro base station in the micro base station OAM, and then the macro base station OAM sends a security algorithm supported by the micro base station to the macro base station.

可选的，所述宏基站获取所述微基站支持的安全算法还可以是：在所述宏基站和微基站之间进行接口建立的过程中，所述微基站向宏基站发送接口连接建立的请求时，将所述微基站支持的安全算法携带在所述接口连接建立的请求中。其中，所述接口连接建立的请求可以是 X接口连接建立请求消息。 Optionally, the obtaining, by the macro base station, the security algorithm supported by the micro base station may be: in the process of establishing an interface between the macro base station and the micro base station, the micro base station sends an interface connection to the macro base station. When requested, the security algorithm supported by the micro base station is carried in the request for establishing the interface connection. The request for establishing the interface connection may be an X interface connection establishment request message.

当然，所述微基站与所述宏基站进行配置更新的过程中，也可以在所述微基站发送给所述宏基站的配置更新消息中携带所述微基站支持的安全算法。 Of course, in the process of the configuration update of the micro base station and the macro base station, the security algorithm supported by the micro base station may be carried in the configuration update message sent by the micro base station to the macro base station.

102、所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。 102. The macro base station performs security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm.

所述宏基站在获取所述 UE 支持的安全算法和所述微基站支持的安全算法之后，所述宏基站结合自身的安全算法，进行安全算法的协商，得到所述 UE、微基站和宏基站支持的安全算法的交集，将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法，从而将该协商后的安全算法作为所述 UE空口使用的安全算法。 After the macro base station acquires the security algorithm supported by the UE and the security algorithm supported by the micro base station, the macro base station performs a security algorithm negotiation according to its own security algorithm to obtain the UE, the micro base station, and the macro base station. An intersection of the security algorithms is used, and any security algorithm in the intersection of the security algorithms is used as the security algorithm after the negotiation, so that the negotiated security algorithm is used as the security algorithm used by the UE air interface.

如果 UE、微基站和宏基站支持的安全算法没有交集，则宏基站无法协商出 UE 空口使用的安全算法，此时，宏基站和基站不能同时为该 UE提供协作通信。 If the security algorithms supported by the UE, the micro base station, and the macro base station do not intersect, the macro base station cannot negotiate the security algorithm used by the UE air interface. At this time, the macro base station and the base station cannot simultaneously provide cooperative communication for the UE.

103、所述宏基站向所述 UE和微基站通知所述协商后的安全算法。 103. The macro base station notifies the UE and the micro base station of the negotiated security algorithm.

在所述宏基站进行安全算法的协商，并获得协商后的安全算法之后，所述宏基站具体的可以通过宏基站和微基站之间的接口，例如 X接口，将所述协商后的安全算法通知给所述微基站。所述宏基站具体可以通过宏基站和 UE 之间的接口，例如 Uu 接口，向所述 UE通知协商后的安全算法。 After the macro base station performs the negotiation of the security algorithm and obtains the negotiated security algorithm, the macro base station may specifically perform the negotiated security algorithm by using an interface between the macro base station and the micro base station, for example, an X interface. Notifying the micro base station. The macro base station may specifically notify the UE of the negotiated security algorithm by using an interface between the macro base station and the UE, for example, a Uu interface.

104、所述宏基站获取所述 UE空口使用的安全密钥。 104. The macro base station acquires a security key used by the UE air interface.

具体地， UE空口使用的安全密钥可以是：从 MME接收到的所述 UE空口使用的共享根密钥。 Specifically, the security key used by the UE air interface may be: The shared root key used by the UE air interface.

105、所述宏基站将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 105. The macro base station sends the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated security algorithm and the security key. Security protection processing.

若所述微基站从所述宏基站接收到的是所述 UE 空口使用的共享根密钥，所述微基站将进一步基于该共享根密钥派生 UE 空口使用的加密和完整性保护密钥。 If the micro base station receives the shared root key used by the UE air interface from the macro base station, the micro base station further derives an encryption and integrity protection key used by the UE air interface based on the shared root key.

本发明实施例提供一种移动通信的安全处理方法，所述宏基站获取 UE 和微基站支持的安全算法；然后，根据所述用户设备、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法；所述宏基站向所述 UE 和微基站通知所述协商后的安全算法；所述宏基站获取所述 UE 空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE 进行宏微 CA或 CoMP操作时， UE能够安全地与宏基站和微基站进行通信。 The embodiment of the present invention provides a security processing method for mobile communication, where the macro base station acquires a security algorithm supported by the UE and the micro base station; and then performs security algorithm negotiation according to the security algorithm supported by the user equipment, the micro base station, and the macro base station. Obtaining a security algorithm after the negotiation; the macro base station notifying the UE and the micro base station of the negotiated security algorithm; the macro base station acquiring a security key used by the UE air interface, and the security key is used And transmitting to the micro base station, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the security algorithm negotiation and the security key acquisition are performed between the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely cooperate with the UE. The macro base station and the micro base station communicate.

本发明实施例提供一种移动通信的安全处理方法，如图 2所示，该方法的执行主体是微基站，该方法具体可以包括： An embodiment of the present invention provides a method for securely processing a mobile communication. As shown in FIG. 2, the execution entity of the method is a micro base station, and the method may specifically include:

201、所述微基站与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法。 201. The micro base station and the macro base station perform a security algorithm interaction, so that the macro base station acquires a security algorithm supported by the micro base station.

所述微基站与所述宏基站进行安全算法的交互，可以是多种方式。 The micro base station interacts with the macro base station to perform a security algorithm, which may be in various manners.

例如，所述微基站与宏基站进行安全算法的交互可以是：所述微基站向微基站 0 A M发送所述微基站支持的安全算法，以使得所述宏基站 OAM与所述微基站 OAM协商所述宏基站和微基站都支持的安全算法，并将所述安全算法发送给所述宏基站。 For example, the interaction between the micro base station and the macro base station may be: the micro base station sends a security algorithm supported by the micro base station to the micro base station 0 AM, so that the macro base station OAM negotiates with the micro base station OAM. And a security algorithm supported by both the macro base station and the micro base station, and sending the security algorithm to the macro base station.

可选的，所述微基站与宏基站进行安全算法的交互可以是：所述微基站向微基站 OAM发送所述微基站支持的安全算法，以使得所述宏基站 OAM 从所述微基站 OAM 获得所述微基站支持的安全算法，并将所述微基站支持的安全算法发送给所述宏基站。 Optionally, the interaction between the micro base station and the macro base station to perform the security algorithm may be: The micro base station sends the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and the security algorithm supported by the micro base station Send to the macro base station.

可选的，所述微基站与宏基站进行安全算法的交互可以是：在所述宏基站和所述微基站之间进行接口建立的过程中，所述微基站向所述宏基站发送接口建立请求，所述接口建立请求中携带有所述微基站支持的安全算法。其中，所述接口连接建立的请求可以是 X 接口连接建立请求消息。 Optionally, the interaction between the micro base station and the macro base station to perform the security algorithm may be: in the process of establishing an interface between the macro base station and the micro base station, the micro base station sends an interface to the macro base station to establish an interface. The request, the interface establishment request carries a security algorithm supported by the micro base station. The request for establishing the interface connection may be an X interface connection establishment request message.

可选的，所述微基站与宏基站进行安全算法的交互可以是：在所述微基站与所述宏基站进行配置更新的过程中，也可以向所述宏基站发送配置更新消息，所述配置更新消息中携带有所述微基站支持的安全算法。 Optionally, the interaction between the micro base station and the macro base station to perform the security algorithm may be: in the process of performing configuration update of the micro base station and the macro base station, sending a configuration update message to the macro base station, where The configuration update message carries the security algorithm supported by the micro base station.

可选的，所述微基站与宏基站进行安全算法的交互可以是：在网络部署完成后，所述宏基站确定所述 UE 需要进行宏基站和微基站的 CA或 CoMP协作通信时，所述宏基站可以向所述微基站发送请求消息，所述请求消息请求所述微基站将自身支持的安全算法发送给所述宏基站。在所述微基站接收到所述请求消息后，向所述宏基站发送自身支持的安全算法。 Optionally, the interaction between the micro base station and the macro base station to perform the security algorithm may be: after the network deployment is complete, when the macro base station determines that the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station, The macro base station may send a request message to the micro base station, where the request message requests the micro base station to send a security algorithm supported by itself to the macro base station. After receiving the request message, the micro base station sends a security algorithm supported by itself to the macro base station.

202、所述微基站接收所述宏基站发送的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商后得到的。 202. The micro base station receives the negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is that the macro base station performs security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station. After getting it.

在所述宏基站获取所述微基站、 UE和自身支持的安全算法，并进行安全算法的协商之后，所述微基站接收所述宏基站发送的协商后的安全算法。此时，所述协商后的安全算法为所述 UE 空口使用的安全算法。 After the macro base station acquires the security algorithm supported by the micro base station, the UE, and the self, and performs the negotiation of the security algorithm, the micro base station receives the negotiated security algorithm sent by the macro base station. At this time, the negotiated security algorithm is a security algorithm used by the UE air interface.

203、接收所述宏基站发送的 UE空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 203. Receive a security key used by the UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be securely protected according to the negotiated security algorithm and the security key. deal with.

在所述宏基站接收到所述 UE 空口使用的共享根密钥后，所述宏基站可以向所述微基站发送所述 UE 空口使用的共享根密钥。所述微基站接收到所述共享根密钥后，根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 UE进行安全通信。 After the macro base station receives the shared root key used by the UE air interface, the macro base station may send the shared root key used by the UE air interface to the micro base station. After receiving the shared root key, the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and integrity protection key and the negotiated security The algorithm performs secure communication with the macro base station and the UE.

可选的，在所述微基站接收到所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥后，所述微基站根据所述加密和完整性保护密钥以及所述协商后的安全算法，与所述 UE、宏基站之间进行安全通信。 Optionally, after the micro base station receives the encryption and integrity protection key of the derived UE air interface sent by the macro base station, the micro base station according to the encryption and integrity protection key and the The security algorithm performs secure communication with the UE and the macro base station.

本发明实施例提供一种移动通信的安全处理方法，所述微基站与宏基站进行安全算法的交互；所述微基站接收所述宏基站发送的协商后的安全算法；然后，所述微基站接收所述宏基站发送的 UE 空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE 进行宏微 CA或 CoMP操作时，UE能够安全地与宏基站和微基站进行通信。 The embodiment of the present invention provides a security processing method for mobile communication, where the micro base station and the macro base station perform a security algorithm interaction; the micro base station receives the negotiated security algorithm sent by the macro base station; and then, the micro base station And receiving, by the macro base station, a security key used by the UE air interface, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the security algorithm negotiation and the security key acquisition are performed between the three network entities of the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely The macro base station and the micro base station communicate.

本发明实施例提供一种移动通信的安全处理方法，如图 3所示，该方法的执行主体是用户设备，该方法具体可以包括： An embodiment of the present invention provides a method for securely processing a mobile communication. As shown in FIG. 3, the execution subject of the method is a user equipment, and the method may specifically include:

301、用户设备 UE向宏基站发送所述 UE支持的安全算法。在所述 UE接入宏基站时，通过 NAS信令将其支持的安全算法发送给 MME ,然后 MME再通过 S 1接口信令将接收到的 UE支持的安全算法转发给所述宏基站。 301. User equipment The UE sends the security algorithm supported by the UE to the macro base station. When the UE accesses the macro base station, the security algorithm supported by the UE is sent to the MME through the NAS signaling, and then the MME forwards the received security algorithm supported by the UE to the macro base station through the S1 interface signaling.

302、所述 UE接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的。 302. The UE receives the negotiated security algorithm notified by the macro base station, where the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station.

在宏基站获取所述 UE 和微基站支持的安全算法后，所述宏基站对所述 UE、微基站和宏基站支持的安全算法进行协商，获得协商后的安全算法，将协商后的安全算法作为所述 UE 空口使用的安全算法，并将所述协商后的安全算法通知所述 UE和所述微基站。 After the macro base station acquires the security algorithm supported by the UE and the micro base station, the macro base station negotiates a security algorithm supported by the UE, the micro base station, and the macro base station, and obtains a negotiation. The security algorithm uses the negotiated security algorithm as a security algorithm used by the UE air interface, and notifies the UE and the micro base station of the negotiated security algorithm.

303、所述 UE根据所述协商后的安全算法和 UE空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 303. The UE performs, according to the negotiated security algorithm and a security key used by the UE air interface, after the macro base station sends the security key to the micro base station, and performs with the macro base station and the micro base station. Communication.

当 UE 接入网络侧，通过空口与微基站或宏基站进行通信时， UE可以根据 NAS层的共享根密钥派生出 Uu接口的共享根密钥 When the UE accesses the network side and communicates with the micro base station or the macro base station through the air interface, the UE may derive the shared root key of the Uu interface according to the shared root key of the NAS layer.

^Κ , 再根据该共享根密钥 ^^进一步派生出：安全密钥 ^K —_enC , 用于 ^Κ , and then further derived based on the shared root key ^^: security key ^K — _enC , used for

UE 和宏基站或微基站间的用户面数据进行加密处理；安全密钥 KRRC— ,用于 UE和宏基站或微基站间的控制面信令进行完整性保护；安全密钥 ^KS 用于 UE和宏基站或微基站间的控制面信令的加密处理。 The user plane data between the UE and the macro base station or the micro base station is encrypted; the security key KRRC_ is used for integrity protection of the control plane signaling between the UE and the macro base station or the micro base station; the security key ^K S is used for the UE Encryption processing of control plane signaling with a macro base station or a micro base station.

在所述 UE获得协商后的安全算法和所述 UE空口使用的安全密钥，并且所述宏基站将所述安全密钥发送给所述微基站后，所述 UE 与所述宏基站和微基站进行通信。其中，所述安全密钥可以是所述共享根密钥，也可以是由所述共享根密钥派生的加密和完整性保护密钥。 After the UE obtains the negotiated security algorithm and the security key used by the UE air interface, and the macro base station sends the security key to the micro base station, the UE and the macro base station and the micro The base station communicates. The security key may be the shared root key or an encryption and integrity protection key derived from the shared root key.

本发明实施例提供了一种移动通信的安全处理方法， UE向宏基站发送所述 UE支持的安全算法；所述 UE接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的；所述 UE 根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE 进行宏微 CA或 CoMP操作时， UE能够安全地与宏基站和微基站进行通信。 The embodiment of the present invention provides a security processing method for mobile communication, where the UE sends the security algorithm supported by the UE to the macro base station; the UE receives the negotiated security algorithm notified by the macro base station, and the security after the negotiation The algorithm is obtained by the macro base station according to the security algorithm supported by the UE, the micro base station, and the macro base station; the UE is based on the negotiated security algorithm and the security key used by the UE air interface, in the macro base. After transmitting the security key to the micro base station, the station communicates with the macro base station and the micro base station. In this way, since the security algorithm negotiation and the security key acquisition are performed between the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely cooperate with the UE. The macro base station and the micro base station communicate.

本发明又一实施例提供一种移动通信的安全处理方法，如图 4 所示，该方法具体可以包括： 401、所述宏基站获取所述微基站支持的安全算法。 A further embodiment of the present invention provides a method for securely processing a mobile communication. As shown in FIG. 4, the method may specifically include: 401. The macro base station acquires a security algorithm supported by the micro base station.

所述安全算法包括加密和完整性保护算法，用于所述 UE 与宏基站、微基站之间进行通信，对数据、信令进行加密 /解密和完整性保护操作。 The security algorithm includes an encryption and integrity protection algorithm for communicating between the UE and the macro base station and the micro base station, and performing encryption/decryption and integrity protection operations on data and signaling.

所述宏基站获取所述微基站支持的安全算法可以有多种方式。具体的，参见上一实施例中的所述宏基站获取所述微基站支持的安全算法的描述。 The macro base station may obtain multiple types of security algorithms supported by the micro base station. For details, refer to the description of the security algorithm supported by the micro base station in the macro base station in the previous embodiment.

402、在所述 UE接入到宏基站时，所述宏基站获取所述 UE支持的安全算法。 402. When the UE accesses the macro base station, the macro base station acquires a security algorithm supported by the UE.

在 UE接入宏基站时，所述 UE通过 NAS信令将其所支持的安全算法发送给 MME ,然后 MME再通过 S 1接口信令将收到的 UE支持的安全算法转发给所述宏基站。 When the UE accesses the macro base station, the UE sends the security algorithm supported by the UE to the MME through the NAS signaling, and then the MME forwards the received security algorithm supported by the UE to the macro base station through the S1 interface signaling. .

403、所述宏基站确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信。 403. The macro base station determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

CA 主要用于宏异频组网的场景，而 CoMP 主要用于宏同频组网的场景。例如：当所述宏基站因为信道质量变差或负载较大等原因，不能为所述 UE 提供高质量的网络服务时，宏基站和微基站可以通过 CA或 CoMP协作通信来提高所述 UE的网络服务质量。 The CA is mainly used in the scenario of macro-frequency networking, and CoMP is mainly used in the scenario of macro-frequency networking. For example, when the macro base station cannot provide high quality network services for the UE due to poor channel quality or heavy load, the macro base station and the micro base station may improve the UE by using CA or CoMP cooperative communication. Network service quality.

404、根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。 404. Perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm.

在宏基站获得 UE 和微基站支持的安全算法之后，所述宏基站结合自身的安全算法，进行安全算法的协商，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法，即所述 UE 空口使用的安全算法。 After the macro base station obtains the security algorithm supported by the UE and the micro base station, the macro base station performs a security algorithm negotiation according to its own security algorithm, and obtains an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station, and Any security algorithm in the intersection of the security algorithms is used as the negotiated security algorithm, that is, the security algorithm used by the UE air interface.

如果 UE、微基站和宏基站支持的安全算法没有交集，则宏基站无法协商出 UE 空口使用的安全算法，此时，宏基站和基站不能同时为所述 UE提供协作通信。 If the security algorithms supported by the UE, the micro base station, and the macro base station do not intersect, the macro base station cannot negotiate the security algorithm used by the UE air interface. At this time, the macro base station and the base station cannot simultaneously provide cooperative communication for the UE.

405、所述宏基站向所述 UE和微基站通知所述协商后的安全算法。 405. The macro base station notifies the UE and the micro base station of the negotiated security calculation. Law.

其中，宏基站通过宏基站和 UE之间的 Uu接口向 UE发送协商后的安全算法。具体的，所述宏基站可以向 UE发送 RRC连接重配置消息（ RRC Connection Reconfiguration ) , 其中，所述 RRC连接重配置消息中携带有协商后的安全算法的信息。 The macro base station sends the negotiated security algorithm to the UE through the Uu interface between the macro base station and the UE. Specifically, the macro eNB may send an RRC connection reconfiguration message (RRC Connection Reconfiguration) to the UE, where the RRC connection reconfiguration message carries the information of the negotiated security algorithm.

而所述宏基站向所述微基站发送协商后的安全算法，具体的，在宏微异频组网场景中，所述宏基站可以通过 X接口信令向所述微基站发送服务小区添加请求消息（ SCell Add Request ) , 其中，所述服务小区添加请求消息中携带有协商后的安全算法。 The macro base station sends the negotiated security algorithm to the micro base station. Specifically, in the macro-dipole-frequency networking scenario, the macro base station may send a serving cell add request to the micro base station by using X interface signaling. The message (SCell Add Request), where the serving cell add request message carries the negotiated security algorithm.

406、所述宏基站获取所述 UE空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 406. The macro base station acquires a security key used by the UE air interface, and sends the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be The negotiated security algorithm and the security key perform security protection processing.

UE 和宏基站或微基站间的用户面数据进行加密处理；安全密钥User plane data between the UE and the macro base station or the micro base station is encrypted; security key

KRRC— ,用于 UE和宏基站或微基站间的控制面信令进行完整性保护；安全密钥 ^KS 用于 UE和宏基站或微基站间的控制面信令的加密处理。所述宏基站可以通过 S 1接口信令从 MME 中获取 UE空口的共享根密钥^ ^，其中共享根密钥是 MME根据密钥派生的。宏基站接收到 UE 的 Uu接口的共享根密钥后，再根据该共享根密钥进一步派生出 UE空口的用户面数据、控制面信令加密 /解密和完整性保护操作的安全密钥 ^KUP— 、 ^KRRC-i ,和 ^KRRC—_enc 。 KRRC- is used for integrity protection of control plane signaling between the UE and the macro base station or the micro base station; the security key ^K S is used for encryption processing of control plane signaling between the UE and the macro base station or the micro base station. The macro base station may obtain the shared root key of the UE air interface from the MME through the S1 interface signaling, where the shared root key is derived by the MME according to the key. After receiving the shared root key of the Uu interface of the UE, the macro base station further derives the user plane data of the UE air interface, the security key ^K UP of the control plane signaling encryption/decryption and integrity protection operation according to the shared root key. -, ^K RRC-i, and ^{K RRC-} _enc.

而若基站与 MME不直接相连，在基站和 UE进行通信时，微基站和 UE之间的用户面数据和控制面信令的加密 /解密和完整性保护处理，需要的安全密钥可以是所述微基站派生的，当然也可以是微基站从宏基站中获取的。 If the base station and the MME are not directly connected, when the base station and the UE communicate, the user plane data and the control plane signaling encryption/decryption and integrity protection processing between the micro base station and the UE, the required security key may be Derived from the micro base station, of course, it may also be obtained by the micro base station from the macro base station.

具体的，若所述安全密钥是所述微基站自行派生的，那么所述微基站首先需要从所述宏基站获取共享根密钥然后所述微基站根据共享根密钥 ^进一步派生出：安全密钥用于 UE和微基站间的用户面数据进行加密处理；安全密钥^^ -_int , 用于 UE和微基站间的控制面信令进行完整性保护；安全密钥^^ 用于 UE和微基站间的控制面信令的加密处理。 Specifically, if the security key is derived by the micro base station, The micro base station first needs to obtain a shared root key from the macro base station, and then the micro base station further derives according to the shared root key: the security key is used for encrypting user plane data between the UE and the micro base station; ^^ - _int , used for integrity protection of control plane signaling between the UE and the micro base station; the security key ^^ is used for encryption processing of control plane signaling between the UE and the micro base station.

若所述微基站需要的安全密钥是微基站从宏基站中获取的，那么所述宏基站根据从 MME 获取到的共享根密钥 ^Κ 进一步派生出 UE和微基站间的安全密钥后，将派生出的 UE和微基站间的安全密钥发送给所述微基站。 If desired the micro base station is a micro base station security key acquired from the macro base station, then the macro base station acquired from the MME according to the root key shared ^Κ further derive security keys between the UE and the micro base station, Sending a security key between the derived UE and the micro base station to the micro base station.

进一步的，在微基站与 UE 只进行用户面的数据传输而不进行控制面信令的传输时，若微基站的安全密钥是由微基站根据共享根密钥 ^派生的，则所述微基站只派生用户面数据的安全密钥若所述微基站的安全密钥是接收宏基站根据共享根密钥 ^Κ 派生的安全密钥，则宏基站只向微基站转发宏基站派生的用户面数据的安全密钥。 Further, when the micro base station and the UE perform only user plane data transmission without control plane signaling, if the micro base station security key is derived by the micro base station according to the shared root key ^, the micro only the base station derives the security key of the user plane data security keys if the micro base station is a macro base station receives ^Κ derived security key, the macro base station forwarding user plane data only macro base station to a micro base station according to the derived root key shared Security key.

若微基站和 MME直接相连，在微基站和 UE进行通信时，则微基站密钥的获得不需要经过宏基站进行转发，具体安全密钥的获得过程与宏基站获得安全密钥的过程相同，本实施例在此不再赘述。 If the micro base station and the MME are directly connected, when the micro base station and the UE communicate, the acquisition of the micro base station key does not need to be forwarded by the macro base station, and the process of obtaining the specific security key is the same as the process of obtaining the security key by the macro base station. This embodiment is not described here.

可选的，所述移动通信的安全处理方法还可以如图 5 所示。其中，在宏基站获取微基站和 UE 支持的安全算法之后，所述宏基站首先进行宏基站、微基站和 UE 的安全算法的协商，将协商后的安全算法作为所述 UE 空口使用的安全算法；在所述宏基站获得了所述协商后的安全算法之后，所述宏基站首先将协商后的安全算法通过宏基站和微基站之间的 X接口通知给所述微基站。这样，在所述宏基站确定所述 UE需要进行宏基站和微基站的 CA或 CoMP协作通信之后，所述宏基站首先向所述 UE 通知所述协商后的安全算法，然后，获取所述 UE 空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理，至此，所述移动通信的安全处理方法结束。而详细的技术细节描述，可参考图 4所示方法的描述，本发明实施例对此不再赘述。 Optionally, the security processing method of the mobile communication may also be as shown in FIG. 5. After the macro base station acquires the security algorithm supported by the micro base station and the UE, the macro base station first performs the negotiation of the security algorithm of the macro base station, the micro base station, and the UE, and uses the negotiated security algorithm as the security algorithm used by the UE air interface. After the macro base station obtains the negotiated security algorithm, the macro base station first notifies the negotiated security algorithm to the micro base station through an X interface between the macro base station and the micro base station. In this way, after the macro base station determines that the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station, the macro base station first notifies the UE of the negotiated security algorithm, and then acquires the UE. a security key used by the air interface, and transmitting the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the security secret Key for security protection, to Thus, the secure processing method of the mobile communication ends. For a detailed description of the technical details, reference may be made to the description of the method shown in FIG. 4, which is not repeatedly described in the embodiment of the present invention.

在图 5 所示的方法中，宏基站在获取微基站和 UE 的安全算法之后，不论 UE是否需要进行宏基站和微基站的 CA或 CoMP协作通信，所述宏基站都将协商宏基站、微基站和 UE 的安全算法，将协商后的安全算法作为所述 UE 空口使用的安全算法，并将协商后的安全算法发送给微基站。一旦宏基站确定要对 UE 进行宏基站和微基站的 CA或 CoMP协作通信，宏基站可以直接将已经协商好的安全算法发送给 UE , 而不需要在 UE 需要进行宏基站和微基站的 CA 或 CoMP 协作通信时再花费时间进行安全算法的协商，使得 UE在短时间内获得了协商后的安全算法，从而可以快速的为 UE 提供高质量的网络服务。 In the method shown in FIG. 5, after the macro base station acquires the security algorithm of the micro base station and the UE, the macro base station negotiates the macro base station and the micro base station regardless of whether the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station. The security algorithm of the base station and the UE uses the negotiated security algorithm as the security algorithm used by the UE air interface, and sends the negotiated security algorithm to the micro base station. Once the macro base station determines that the CA or CoMP cooperative communication of the macro base station and the micro base station is to be performed on the UE, the macro base station may directly send the negotiated security algorithm to the UE, without requiring the CA of the macro base station and the micro base station to be performed in the UE or When CoMP cooperates, it takes time to negotiate the security algorithm, so that the UE obtains the negotiated security algorithm in a short time, so that the UE can be quickly provided with high-quality network services.

可选的，所述移动通信的安全处理方法还可以如图 6所示。其中，在 UE接入宏基站的时候，宏基站首先获得 UE支持的安全算法；而在所述宏基站确定所述 UE 需要进行宏基站和微基站的 CA 或 CoMP 协作通信后，所述宏基站向微基站发送请求信息，所述请求信息请求所述微基站将所述微基站支持的安全算法发送给所述宏基站；在所述宏基站获取所述微基站支持的安全算法之后，所述宏基站进行宏基站、微基站和 UE 安全算法的协商，将协商后的安全算法作为所述 UE 空口使用的安全算法；在所述宏基站获得协商的安全算法之后，所述宏基站首先将协商后的安全算法通知给所述微基站和 UE , 然后，获取所述 UE空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理，至此，移动通信的安全处理方法结束。而详细的技术细节描述，可参考图 4所示方法的描述，本发明实施例对此不再赘述。 Optionally, the security processing method of the mobile communication may also be as shown in FIG. 6. The macro base station first obtains a security algorithm supported by the UE when the UE accesses the macro base station, and the macro base station after the macro base station determines that the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station. Sending request information to the micro base station, the request information requesting the micro base station to send the security algorithm supported by the micro base station to the macro base station; after the macro base station acquires the security algorithm supported by the micro base station, The macro base station performs negotiation between the macro base station, the micro base station, and the UE security algorithm, and uses the negotiated security algorithm as a security algorithm used by the UE air interface; after the macro base station obtains the negotiated security algorithm, the macro base station first negotiates The security algorithm is notified to the micro base station and the UE, and then obtains a security key used by the UE air interface, and sends the security key to the micro base station, so that the UE, the micro base station, and the Acer base The communication between the stations can be performed according to the negotiated security algorithm and the security key, and thus, the mobile communication End security approach. For a detailed description of the technical details, reference may be made to the description of the method shown in FIG. 4, which is not described in detail in the embodiments of the present invention.

图 6所示的方法适用于在网络部署的时候，宏基站没有获得微基站支持的安全算法；这样在网络部署完成后，所述宏基站确定所述 UE需要进行宏基站和微基站的 CA或 CoMP协作通信时，所述宏基站才需要向所述微基站获取所述微基站支持的安全算法，进而宏基站进行安全算法的协商。 The method shown in FIG. 6 is applicable to the macro base station not obtaining the security algorithm supported by the micro base station when the network is deployed; after the network deployment is completed, the macro base station determines that the UE needs to perform the CA of the macro base station and the micro base station or The macro when the CoMP cooperatively communicates The base station needs to obtain the security algorithm supported by the micro base station from the micro base station, and then the macro base station performs the negotiation of the security algorithm.

所述宏基站与所述微基站获得协商后的安全算法，与获取所述 Obtaining the negotiated security algorithm between the macro base station and the micro base station, and acquiring the

UE空口使用的加密和完整性保护密钥可以是同时进行的，也可以是首先获得协商后的安全算法，然后，获得所述 UE 空口使用的加密和完整性保护密钥。 The encryption and integrity protection keys used by the UE air interface may be performed simultaneously, or the negotiated security algorithm may be obtained first, and then the encryption and integrity protection keys used by the UE air interface are obtained.

若微基站和 MME直接相连，则微基站也可以获取宏基站和 UE 支持的安全算法并协商 UE 空口使用的安全算法。从而，使得宏基站、微基站和 UE之间根据所述 UE空口使用的安全算法和所述安全密钥进行安全通信，具体获得宏基站和 UE 支持的安全算法并协商 UE空口使用的安全算法的过程与宏基站获取微基站和 UE支持的安全算法并协商 UE 空口使用的安全算法的方法过程相同，本发明实施例在此不再赘述。 If the micro base station and the MME are directly connected, the micro base station can also obtain the security algorithm supported by the macro base station and the UE and negotiate the security algorithm used by the UE air interface. Therefore, the security algorithm used by the macro base station, the micro base station, and the UE according to the air interface of the UE is securely communicated with the security key, and the security algorithm supported by the macro base station and the UE is specifically obtained, and the security algorithm used by the UE air interface is negotiated. The process is the same as the method in which the macro base station obtains the security algorithm supported by the micro base station and the UE and negotiates the security algorithm used by the UE air interface, and details are not described herein again.

本发明实施例提供了一种移动通信的安全处理方法，所述宏基站获取 UE 和微基站支持的安全算法；然后，根据所述用户设备、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法；将所述协商后的安全算法通知给所述 UE 和微基站；所述宏基站获取所述 UE 空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，这样在宏基站确定对 UE 进行宏微 CA或 CoMP操作时， UE能够安全的与宏基站和微基站进行通信。 The embodiment of the present invention provides a security processing method for mobile communication, where the macro base station acquires a security algorithm supported by the UE and the micro base station; and then performs a security algorithm according to the security algorithm supported by the user equipment, the micro base station, and the macro base station. Negotiating, obtaining a negotiated security algorithm; notifying the UE and the micro base station of the negotiated security algorithm; the macro base station acquiring a security key used by the UE air interface, and sending the security key to The micro base station is configured to enable communication between the UE, the micro base station, and the macro base station to perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the security algorithm negotiation and the security key acquisition can be performed between the three network entities of the UE, the macro base station, and the micro base station, the UE can be secure when the macro base station determines to perform macro-MAC or CoMP operation on the UE. Communicate with the macro base station and the micro base station.

本发明一实施例提供一种宏基站，如图 7 所示，该宏基站 70 包括：第一获取单元 71、协商单元 72、通知单元 73、第二获取单元 74、发送单元 75。 An embodiment of the present invention provides a macro base station. As shown in FIG. 7, the macro base station 70 includes: a first acquiring unit 71, a negotiating unit 72, a notifying unit 73, a second acquiring unit 74, and a sending unit 75.

所述第一获取单元 71 , 用于分别获取用户设备 UE和微基站支持的安全算法。所述安全算法为可以用于所述 UE与宏基站、 UE与微基站之间进行安全通信，对数据、信令进行加密 /解密和完整性保护操作的算法，例如可以包括加密和完整性保护算法，本发明实施例对此不做限定。 The first obtaining unit 71 is configured to separately acquire a security algorithm supported by the user equipment UE and the micro base station. The security algorithm is an algorithm that can be used for secure communication between the UE and the macro base station, the UE and the micro base station, and performs encryption/decryption and integrity protection operations on data and signaling, and may include, for example, encryption and integrity protection. The algorithm is not limited in this embodiment of the present invention.

其中，通常 UE接入宏基站时，可以通过 NAS信令将其所支持的安全算法发送给 MME , 然后 MME再通过 S 1 接口信令将收到的 UE支持的安全算法转发给所述宏基站。 When the UE accesses the macro base station, the security algorithm supported by the UE may be sent to the MME through NAS signaling, and then the MME forwards the received security algorithm supported by the UE to the macro base station through the S1 interface signaling. .

而所述第一获取单元 71 获取所述微基站支持的安全算法可以由多种方式。 The first obtaining unit 71 obtains the security algorithm supported by the micro base station in multiple manners.

例如，所述第一获取单元 71获取所述微基站支持的安全算法可以是：由所述宏基站 OAM和所述基站 OAM之间进行宏基站和基站所支持安全算法的协商，在协商完成后，所述宏基站 OAM将所述协商后的安全算法发送给所述第一获取单元 71 , 同时，所述微基站 OAM也将所述协商后的安全算法发送给所述微基站，从而保证宏基站和微基站所支持安全算法的一致性。 For example, the security algorithm supported by the first acquiring unit 71 to obtain the micro base station may be: performing negotiation between a macro base station OAM and the base station OAM on a security algorithm supported by the macro base station and the base station, after the negotiation is completed. The macro base station OAM sends the negotiated security algorithm to the first acquiring unit 71, and the micro base station OAM also sends the negotiated security algorithm to the micro base station, thereby ensuring the Acer base. The consistency of the security algorithms supported by the station and the micro base station.

可选的，所述第一获取单元 71获取所述微基站支持的安全算法还可以是：所述第一获取单元 71 向所述宏基站 OAM发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM 与所述微基站 OAM进行交互后，从所述微基站 OAM 中获取所述微基站支持的安全算法，然后所述宏基站 OAM将所述微基站支持的安全算法发送给所述第一获取单元 71。 Optionally, the acquiring, by the first acquiring unit 71, the security algorithm supported by the micro base station may be: the first acquiring unit 71 sends a request for acquiring a security algorithm supported by the micro base station to the macro base station OAM, so that After the macro base station OAM interacts with the micro base station OAM, the security algorithm supported by the micro base station is obtained from the micro base station OAM, and then the macro base station OAM sends the security algorithm supported by the micro base station to the The first obtaining unit 71 is described.

可选的，所述第一获取单元 71获取所述微基站支持的安全算法还可以是：在所述宏基站和微基站之间进行接口建立的过程中，所述微基站向宏基站发送接口连接建立的请求时，将所述微基站支持的安全算法携带在所述接口连接建立的请求中。所述第一获取单元 71从所述接口连接建立的请求中获取所述微基站支持的安全算法。其中，所述接口连接建立的请求可以是 X接口连接建立请求消息。 Optionally, the obtaining, by the first acquiring unit 71, the security algorithm supported by the micro base station may be: in the process of establishing an interface between the macro base station and the micro base station, the micro base station sends an interface to the macro base station. When the connection establishment request is received, the security algorithm supported by the micro base station is carried in the request for establishing the interface connection. The first obtaining unit 71 acquires a security algorithm supported by the micro base station from the request for establishing the interface connection. The request for establishing the interface connection may be an X interface connection establishment request message.

当然，所述微基站与所述宏基站进行配置更新的过程中，也可以在所述微基站发送给所述宏基站的配置更新消息中携带所述微基站支持的安全算法。所述第一获取单元 71从所述配置更新消息中获取所述微基站支持的安全算法。 The micro base station and the macro base station may perform the configuration update, and may also carry the micro base in a configuration update message sent by the micro base station to the macro base station. The security algorithm supported by the station. The first obtaining unit 71 acquires a security algorithm supported by the micro base station from the configuration update message.

所述协商单元 72 , 用于根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。 The negotiating unit 72 is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm.

在所述第一获取单元 71获取所述 UE支持的安全算法和所述微基站支持的安全算法之后，所述协商单元 72结合自身的安全算法，进行安全算法的协商，得到所述 UE、微基站和宏基站支持的安全算法的交集，将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法，从而将该协商后的安全算法作为所述 UE 空口使用的安全算法。 After the first obtaining unit 71 acquires the security algorithm supported by the UE and the security algorithm supported by the micro base station, the negotiating unit 72 performs a security algorithm negotiation according to its own security algorithm to obtain the UE and the micro An intersection of a security algorithm supported by the base station and the macro base station, and any security algorithm in the intersection of the security algorithm is used as the negotiated security algorithm, so that the negotiated security algorithm is used as a security algorithm for the UE air interface. .

故，所述协商单元 72 , 具体用于根据所述第一获取单元 71 获取的 UE 和微基站支持的安全算法，以及所述宏基站支持的安全算法，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法。 Therefore, the negotiating unit 72 is configured to obtain the UE, the micro base station, and the macro base station according to the security algorithm supported by the UE and the micro base station acquired by the first acquiring unit 71, and the security algorithm supported by the macro base station. An intersection of the supported security algorithms, and any security algorithm in the intersection of the security algorithms is used as the negotiated security algorithm.

如果 UE、微基站和宏基站支持的安全算法没有交集，则所述协商单元 72无法协商出 UE空口使用的安全算法，此时，宏基站和基站不能同时为该 UE提供协作通信。 If the security algorithms supported by the UE, the micro base station, and the macro base station do not intersect, the negotiation unit 72 cannot negotiate the security algorithm used by the UE air interface. At this time, the macro base station and the base station cannot simultaneously provide cooperative communication for the UE.

所述通知单元 73 , 用于向所述 UE和基站通知所述协商后的安全算法。 The notification unit 73 is configured to notify the UE and the base station of the negotiated security algorithm.

在所述协商单元 72进行安全算法的协商，并获得协商后的安全算法之后，所述通知单元 73具体的可以通过宏基站和微基站之间接口，例如 X接口，将所述协商后的安全算法发送给所述微基站。具体的，在宏微异频组网场景中，所述通知单元 73可以通过 X接口信令向所述微基站发送服务小区添加请求消息 ( SCell Add Request ) , 其中，所述服务小区添加请求消息中携带有协商后的安全算法。 After the negotiation unit 72 performs the negotiation of the security algorithm and obtains the negotiated security algorithm, the notification unit 73 may specifically perform the negotiated security through an interface between the macro base station and the micro base station, for example, an X interface. The algorithm is sent to the micro base station. Specifically, in the macro-differential network networking scenario, the notification unit 73 may send a serving cell add request message (SCell Add Request) to the micro base station by using X-interface signaling, where the serving cell adds a request message. It carries a negotiated security algorithm.

所述通知单元 73 具体可以通过宏基站和 UE 之间接口，例如 Uu接口，向所述 UE发送协商后的安全算法。具体的，所述通知单元 73 可以向 UE 发送 RRC 连接重配置消息（ RRC Connection Reconfiguration ) , 其中，所述 RRC连接重配置消息中携带有协商后的安全算法的信息。 The notification unit 73 may send the negotiated security algorithm to the UE through an interface between the macro base station and the UE, for example, a Uu interface. Specifically, the notification unit 73 may send an RRC connection reconfiguration message to the UE, where the RRC connection reconfiguration message carries the negotiation Information about the security algorithm.

所述第二获取单元 74 ,用于获取所述 UE空口使用的安全密钥。具体地， UE空口使用的安全密钥可以是：从 MME接收到的所述 UE 空口使用的共享根密钥，或者，也可以是，所述宏基站由所述共享根密钥进一步派生的 UE空口使用的加密和完整性保护密钥。 The second obtaining unit 74 is configured to obtain a security key used by the UE air interface. Specifically, the security key used by the UE air interface may be: a shared root key used by the UE air interface received from the MME, or may be, the macro base station further derived by the shared root key. The encryption and integrity protection keys used by the air interface.

所述发送单元 75 , 用于将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The sending unit 75 is configured to send the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the security secret The key is secured.

若所述发送单元 75向所述微基站发送的是所述 UE空口使用的共享根密钥，所述微基站将进一步基于该共享根密钥派生 UE 空口的加密和完整性保护密钥。 If the sending unit 75 sends to the micro base station a shared root key used by the UE air interface, the micro base station further derives an encryption and integrity protection key of the UE air interface based on the shared root key.

在网络部署的时候，所述第一获取单元 71 已经获取所述微基站支持的安全算法。 When the network is deployed, the first obtaining unit 71 has acquired the security algorithm supported by the micro base station.

所述第一获取单元 71 , 具体用于在所述 UE接入到宏基站时，获取所述 UE支持的安全算法。 The first acquiring unit 71 is specifically configured to acquire a security algorithm supported by the UE when the UE accesses the macro base station.

在 UE接入网络侧时，所述 UE通过 NAS信令将其所支持的安全算法发送给 MME ,然后 MME再通过 S 1接口信令将收到的 UE支持的安全算法转发给所述宏基站。 When the UE accesses the network side, the UE sends the security algorithm supported by the UE to the MME through the NAS signaling, and then the MME forwards the received security algorithm supported by the UE to the macro base station through the S1 interface signaling. .

如图 8所示，所述宏基站 70还包括：确定单元 76。 As shown in FIG. 8, the macro base station 70 further includes: a determining unit 76.

所述确定单元 76 , 用于确定所述 UE是否需要所述宏基站和微基站进行 CA或 CoMP协作通信。 The determining unit 76 is configured to determine whether the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

所述协商单元 73 , 具体用于在所述确定单元 76 确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，获得协商后的安全算法。可选的，所述第一获取单元 71在获取微基站和 UE的安全算法之后，不论 UE是否需要进行宏基站和微基站的 CA或 CoMP协作通信，所述协商单元 73都将协商宏基站、微基站和 UE的安全算法，将协商后的安全算法作为所述 UE 空口使用的安全算法，然后所述通知单元 74将协商后的安全算法发送给微基站。 The negotiating unit 73 is specifically configured to: after the determining unit 76 determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, according to a security algorithm supported by the UE, the micro base station, and the macro base station, Perform security algorithm negotiation to obtain the negotiated security algorithm. Optionally, after the acquiring, by the first acquiring unit 71, the security algorithm of the micro base station and the UE, the negotiation unit 73 will negotiate the macro base station, whether the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station. The security algorithm of the micro base station and the UE uses the negotiated security algorithm as the security algorithm used by the UE air interface, and then the notification unit 74 sends the negotiated security algorithm to the micro base station.

所述确定单元 76 , 用于确定所述 UE需要所述宏基站和微基站进行 CA或 CoMP协作通信。 The determining unit 76 is configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

一旦所述确定单元 76确定要对 UE进行宏基站和微基站的 CA 或 CoMP协作通信，所述通知单元 74可以直接将已经协商好的安全算法发送给 UE , 而不需要在 UE需要进行宏基站和微基站的协作通信时再花费时间进行安全算法的协商，使得 UE 在短时间内获得了协商后的安全算法，从而快速的为 UE提供了高质量的网络服务。 Once the determining unit 76 determines that CA or CoMP cooperative communication of the macro base station and the micro base station is to be performed on the UE, the notification unit 74 may directly send the already negotiated security algorithm to the UE without performing the macro base station in the UE. When the cooperative communication with the micro base station is performed, it takes time to negotiate the security algorithm, so that the UE obtains the negotiated security algorithm in a short time, thereby quickly providing the UE with high-quality network services.

故，所述通知单元 74 , 还用于在所述确定单元 76确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述 UE 通知协商后的安全算法。 Therefore, the notifying unit 74 is further configured to notify the UE of the negotiated security algorithm after the determining unit 76 determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

可选的，在网络部署的时候，所述第一获取单元 71没有获得微基站支持的安全算法；这样在网络部署完成后，所述确定单元 76确定所述 UE需要进行宏基站和微基站的 CA或 CoMP协作通信时，所述第一获取单元 71 才需要向所述微基站获取所述微基站支持的安全算法，进而所述协商单元 73进行安全算法的协商。 Optionally, when the network is deployed, the first acquiring unit 71 does not obtain the security algorithm supported by the micro base station; after the network deployment is complete, the determining unit 76 determines that the UE needs to perform the macro base station and the micro base station. When the CA or the CoMP is in cooperative communication, the first acquiring unit 71 needs to acquire the security algorithm supported by the micro base station from the micro base station, and the negotiating unit 73 performs the negotiation of the security algorithm.

所以，所述第一获取单元 71 , 还用于在所述确定单元 76 确定所述 UE需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述微基站发送请求信息，所述请求信息请求所述微基站将安全算法的上报，以使得所述微基站将自身支持的安全算法发送给所述宏基站，并接收所述微基站发送的所述微基站支持的安全算法。 Therefore, the first obtaining unit 71 is further configured to: after the determining unit 76 determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, send request information to the micro base station, where The request information requests the micro base station to report the security algorithm, so that the micro base station sends the security algorithm supported by the micro base station to the macro base station, and receives the security algorithm supported by the micro base station sent by the micro base station.

UE 和宏基站或微基站间的用户面数据进行加密处理；安全密钥 ^KRRc— ,用于 UE和宏基站或微基站间的控制面信令进行完整性保护；安全密钥 ^KS 用于 UE和宏基站或微基站间的控制面信令的加密处理。所述宏基站可以通过 S 1接口信令从 MME 中获取 UE空口的共享根密钥^ ^，其中共享根密钥是 MME根据密钥派生的。宏基站接收到 UE 的 Uu接口的共享根密钥后，再根据该共享根密钥进一步派生出 UE空口的用户面数据、控制面信令加密 /解密和完整性保护操作的安全密钥 ^KUP—、 ^KRRC-i ,和 ^KRRC—_enc。 User plane data between the UE and the macro base station or the micro base station is encrypted; security key ^K RRc — for integrity control of control plane signaling between the UE and the macro base station or the micro base station; the security key ^K S is used for encryption processing of control plane signaling between the UE and the macro base station or the micro base station. The macro base station may obtain the shared root key of the UE air interface from the MME through the S1 interface signaling, where the shared root key is derived by the MME according to the key. After receiving the shared root key of the Uu interface of the UE, the macro base station further derives the user plane data of the UE air interface, the security key ^K UP of the control plane signaling encryption/decryption and integrity protection operation according to the shared root key. —, ^K RRC-i , and ^K RRC— _enc .

具体的，若所述安全密钥是所述微基站自行派生的，那么所述第二获取单元 74 , 具体用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥，并根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥。 Specifically, if the security key is derived by the micro base station, the second obtaining unit 74 is specifically configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity, and according to The shared root key derives an encryption and integrity protection key for the UE air interface.

所述发送单元 75 , 具体用于将所述共享根密钥发送给所述微基站，以使得所述微基站根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The sending unit 75 is specifically configured to send the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, The communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

可选的，若所述微基站需要的安全密钥是微基站从宏基站中获取的，所述第二获取单元 74 , 用于接收移动管理实体发送的所述 UE 的空口使用的共享根密钥，并根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥。 Optionally, if the security key required by the micro base station is obtained by the micro base station from the macro base station, the second acquiring unit 74 is configured to receive the shared root density used by the air interface of the UE sent by the mobility management entity. a key, and deriving an encryption and integrity protection key of the UE air interface according to the shared root key.

所述发送单元 75 , 具体用于将所述 UE空口的加密和完整性保护密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The sending unit 75 is specifically configured to send the encryption and integrity protection key of the UE air interface to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiation. The security algorithm and the encryption and integrity protection keys of the UE air interface are subjected to security protection processing.

进一步的，在微基站只与 UE 进行数据的传输而不进行信令的传输时，若微基站的安全密钥是由微基站根据共享根密钥派生的，则所述微基站只派生用户面数据的安全密钥若所述微基站的安全密钥是接收所述第二获取单元 74根据共享根密钥派生的安全密钥，则所述发送单元 75只向微基站转发所述第二获取单元 74派生的用户面数据的安全密钥 ^Kup—。 Further, the micro base station only performs data transmission with the UE without signaling. During transmission, if the security key of the micro base station is derived by the micro base station according to the shared root key, the micro base station only derives the security key of the user plane data, if the security key of the micro base station is receiving the first two acquisition unit 74 according to the security key shared derived root key, the sending unit 75 is only forwarded to the second micro base station unit 74 acquires the security key ^K derived user plane data up-.

若微基站和 MME 直接相连，则微基站密钥的获得不需要经过所述发送单元 75进行转发，具体安全密钥的获得过程与宏基站获得安全密钥的过程相同，本实施例在此不再赘述。 If the micro base station and the MME are directly connected, the obtaining of the micro base station key does not need to be forwarded by the sending unit 75. The process of obtaining the specific security key is the same as the process of obtaining the security key by the macro base station, and this embodiment does not Let me repeat.

所述宏基站与所述微基站获得协商后的安全算法，与获取所述 UE空口使用的加密和完整性保护密钥可以是同时进行的，也可以是首先获得协商后的安全算法，然后，获得所述 UE 空口使用的加密和完整性保护密钥。 The macro base station and the micro base station obtain the negotiated security algorithm, and may obtain the encryption and integrity protection key used by the UE air interface at the same time, or may obtain the negotiated security algorithm first, and then, Obtain an encryption and integrity protection key used by the UE air interface.

本发明实施例提供了一种宏基站，所述第一获取单元获取 UE 和微基站支持的安全算法；然后，所述协商单元根据所述用户设备、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法；所述通知单元向所述用户设备和微基站通知所述协商后的安全算法；所述第二获取单元获取所述 UE 空口使用的安全密钥，所述发送单元将所述安全密钥发送给所述微基站，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，这样在宏基站确定对 UE进行宏微 CA或 CoMP操作时， UE能够安全的与宏基站和微基站进行通信。 The embodiment of the present invention provides a macro base station, where the first acquiring unit acquires a security algorithm supported by the UE and the micro base station; and then, the negotiating unit performs according to the security algorithm supported by the user equipment, the micro base station, and the macro base station. The security algorithm negotiates to obtain the negotiated security algorithm; the notification unit notifies the user equipment and the micro base station of the negotiated security algorithm; the second obtaining unit acquires the security key used by the UE air interface, Transmitting, by the sending unit, the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. . In this way, since the security algorithm negotiation and the security key acquisition can be performed between the three network entities of the UE, the macro base station, and the micro base station, the UE can be secure when the macro base station determines to perform macro-MAC or CoMP operations on the UE. Communicate with the macro base station and the micro base station.

本发明一实施例提供一种微基站，如图 9所示，所述微基站 90 包括：交互单元 91、接收单元 92。 An embodiment of the present invention provides a micro base station. As shown in FIG. 9, the micro base station 90 includes: an interaction unit 91 and a receiving unit 92.

所述交互单元 91 , 用于与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法。 The interaction unit 91 is configured to perform a security algorithm interaction with the macro base station, so that the macro base station acquires a security algorithm supported by the micro base station.

所述微基站与所述宏基站进行安全算法的交互，可以是多种方式。具体的，参见方法实施例中的所述微基站与所述宏基站进行安全算法的交互的描述。 The interaction between the micro base station and the macro base station by using a security algorithm may be in multiple manners. Specifically, refer to the micro base station in the method embodiment to perform security with the macro base station. A description of the interaction of the full algorithm.

所述接收单元 92 , 用于接收所述宏基站发送的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商后得到的。 The receiving unit 92 is configured to receive the negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is that the macro base station performs security according to a security algorithm supported by the UE, the micro base station, and the macro base station. Obtained after the algorithm is negotiated.

在所述宏基站获取所述微基站、 UE和自身支持的安全算法，并进行安全算法的协商之后，所述接收单元 92接收所述宏基站发送的协商后的安全算法。此时，所述协商后的安全算法为所述 UE 空口使用的安全算法。 After the macro base station acquires the security algorithm supported by the micro base station, the UE, and the self, and performs the negotiation of the security algorithm, the receiving unit 92 receives the negotiated security algorithm sent by the macro base station. At this time, the negotiated security algorithm is a security algorithm used by the UE air interface.

所述接收单元 92 , 还用于接收所述宏基站发送的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The receiving unit 92 is further configured to receive a security key sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the security key. Perform security protection processing.

具体地， UE空口使用的安全密钥可以是：从 MME接收到的所述 UE 空口使用的共享根密钥，或者，也可以是，所述宏基站由所述共享根密钥进一步派生的 UE空口使用的加密和完整性保护密钥。 Specifically, the security key used by the UE air interface may be: a shared root key used by the UE air interface received from the MME, or may be, the macro base station further derived by the shared root key. The encryption and integrity protection keys used by the air interface.

所述接收单元 92 , 具体用于接收所述宏基站发送的所述 UE空口使用的共享根密钥。 The receiving unit 92 is specifically configured to receive a shared root key used by the UE air interface sent by the macro base station.

所述微基站还包括派生单元 93。 The micro base station also includes a derivation unit 93.

所述派生单元 93 , 用于在所述接收单元接收到所述 UE空口使用的共享根密钥之后，根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The deriving unit 93 is configured to: after the receiving unit receives the shared root key used by the UE air interface, deriving an encryption and integrity protection key of the UE air interface according to the shared root key, so that the The communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

在所述宏基站接收到所述 UE 空口使用的共享根密钥后，所述宏基站可以向所述接收单元 92 发送所述 UE 空口使用的共享根密钥。所述接收单元 92 接收到所述共享根密钥后，所述派生单元 93 根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 UE进行安全通信。 After the macro base station receives the shared root key used by the UE air interface, the macro base station may send the shared root key used by the UE air interface to the receiving unit 92. After the receiving unit 92 receives the shared root key, the deriving unit 93 derives an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and integrity protection key and The negotiated security algorithm performs secure communication with the macro base station and the UE.

可选的，在所述微基站接收到所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥后，所述微基站根据所述加密和完整性保护密钥以及所述协商后的安全算法，与所述 UE、宏基站之间进行安全通信。 Optionally, the micro base station receives the derived UE that is sent by the macro base station. After the encryption and integrity protection key of the port, the micro base station performs secure communication with the UE and the macro base station according to the encryption and integrity protection key and the negotiated security algorithm.

所述接收单元 92 , 具体用于接收所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The receiving unit 92 is specifically configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiation. The security algorithm and the encryption and integrity protection keys of the UE air interface are subjected to security protection processing.

本发明实施例提供一种微基站，所述交互单元与宏基站进行安全算法的交互；所述接收单元接收所述宏基站发送的协商后的安全算法；然后，所述接收单元接收所述宏基站发送的 UE 空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE进行宏 CA或 CoMP 操作时， UE能够安全地与宏基站和微基站进行通信。 An embodiment of the present invention provides a micro base station, where the interaction unit performs a security algorithm interaction with a macro base station; the receiving unit receives a negotiated security algorithm sent by the macro base station; and then, the receiving unit receives the macro base. The security key used by the UE air interface sent by the station, so that the communication between the UE, the micro base station and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the security algorithm negotiation and the security key acquisition are performed between the three network entities of the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro CA or CoMP operation on the UE, the UE can securely communicate with the Acer base. The station communicates with the micro base station.

本发明一实施例提供一种用户设备，如图 10所示，所述用户设备 100包括：发送单元 101、接收单元 102、和通信单元 103。 An embodiment of the present invention provides a user equipment. As shown in FIG. 10, the user equipment 100 includes: a sending unit 101, a receiving unit 102, and a communication unit 103.

所述发送单元 101 , 用于向宏基站发送所述 UE 支持的安全算法。 The sending unit 101 is configured to send the security algorithm supported by the UE to the macro base station.

在所述 UE接入宏基站时，可以通过 NAS信令将其所支持的安全算法发送给 MME , 然后 MME再通过 S 1接口信令将接收到的 UE 支持的安全算法转发给所述宏基站。 When the UE accesses the macro base station, the security algorithm supported by the UE may be sent to the MME through NAS signaling, and then the MME forwards the received security algorithm supported by the UE to the macro base station through the S1 interface signaling. .

所述接收单元 102 , 用于接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的。 The receiving unit 102 is configured to receive the negotiated security algorithm that is notified by the macro base station, where the negotiated security algorithm is that the macro base station negotiates according to the security algorithm supported by the UE, the micro base station, and the macro base station. owned.

在宏基站获取所述 UE 和微基站支持的安全算法后，所述宏基站对所述 UE、微基站和宏基站支持的安全算法进行协商，获得协商后的安全算法，将协商后的安全算法作为所述 UE 空口使用的安全算法，并将所述协商后的安全算法通知所述接收单元 102 和所述微基站。 After the macro base station acquires the security algorithm supported by the UE and the micro base station, the macro base station negotiates the security algorithm supported by the UE, the micro base station, and the macro base station, and obtains the negotiated security algorithm, and the negotiated security algorithm As a security algorithm used by the UE air interface, and notifying the receiving unit 102 and the micro by the negotiated security algorithm Base station.

所述通信单元 103 ,用于根据所述协商后的安全算法和 UE空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 The communication unit 103 is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station and The micro base station communicates.

在所述接收单元 102获得协商后的安全算法和 UE 空口使用的安全密钥，并且所述宏基站将所述安全密钥发送给所述微基站后，所述 UE 与所述宏基站和微基站进行通信。其中，所述安全密钥可以是所述共享才艮密钥，也可以是由所述共享才艮密钥派生的加密和完整性保护密钥。 After the receiving unit 102 obtains the negotiated security algorithm and the security key used by the UE air interface, and the macro base station sends the security key to the micro base station, the UE and the macro base station and the micro The base station communicates. The security key may be the shared key or an encryption and integrity protection key derived from the shared key.

本发明实施例提供一种用户设备，所述发送单元向宏基站发送所述 UE 支持的安全算法；所述接收单元接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的；所述通信单元根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE进行宏微 CA或 CoMP操作时， UE能够安全地与宏基站和微基站进行通信。 An embodiment of the present invention provides a user equipment, where the sending unit sends a security algorithm supported by the UE to a macro base station; the receiving unit receives a negotiated security algorithm notified by the macro base station, and the negotiated security algorithm Obtaining, by the macro base station, a security algorithm supported by the UE, the micro base station, and the macro base station, where the communication unit is based on the negotiated security algorithm and a security key used by the UE air interface, in the macro base. After transmitting the security key to the micro base station, the station communicates with the macro base station and the micro base station. In this way, since the security algorithm negotiation and the security key acquisition are performed between the three network entities of the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely cooperate with the UE. The macro base station and the micro base station communicate.

本发明又一实施例提供一种宏基站，如图 1 1所示，所述宏基站 1 10包括：处理器 1 1 1、收发器 1 12和存储器 1 13 。 A further embodiment of the present invention provides a macro base station. As shown in FIG. 11, the macro base station 1 10 includes: a processor 1 1 1 , a transceiver 1 12 and a memory 1 13 .

所述存储器 1 13 , 用于存储所述宏基站支持的安全算法。所述收发器 1 12 ,用于接收用户设备 UE和微基站支持的安全算法。 The memory 1 13 is configured to store a security algorithm supported by the macro base station. The transceiver 1 12 is configured to receive a security algorithm supported by the user equipment UE and the micro base station.

而所述收发器 1 12接收所述微基站支持的安全算法可以由多种方式。 The transceiver 12 receives the security algorithm supported by the micro base station in a plurality of manners.

例如，所述收发器 1 12接收所述微基站支持的安全算法可以是：在所述宏基站 OAM和所述微基站 OAM之间进行宏基站和微基站所支持安全算法的协商完成后，所述收发器 1 12接收所述宏基站 OAM 发送的所述协商后的安全算法，同时，所述微基站 OAM也将所述协商后的安全算法发送给所述微基站，从而保证宏基站和微基站所支持安全算法的一致性。 For example, the security algorithm supported by the micro-base station by the transceiver 1 12 may be: after the negotiation between the macro base station OAM and the micro base station OAM is performed by the macro base station and the micro base station supporting the security algorithm, The transceiver 1 12 receives the negotiated security algorithm sent by the macro base station OAM, and the micro base station OAM also sends the negotiated security algorithm to the micro base station, thereby ensuring the macro base station and the micro base station. The consistency of the security algorithms supported by the base station.

可选的，所述收发器 1 12接收所述微基站支持的安全算法还可以是：所述收发器 1 12向所述宏基站 OAM发送获取微基站支持的安全算法的请求，以使得所述宏基站 OAM与所述基站 OAM进行交互后，从所述微基站 OAM中获取所述微基站支持的安全算法，然后所述宏基站 OAM 将所述微基站支持的安全算法发送给所述收发器 1 12。 Optionally, the receiving, by the transceiver, the security algorithm supported by the micro base station, may be: the transceiver 1 12 sends a request for acquiring a security algorithm supported by the micro base station to the macro base station OAM, so that the After the macro base station OAM interacts with the base station OAM, the security algorithm supported by the micro base station is obtained from the micro base station OAM, and then the macro base station OAM sends the security algorithm supported by the micro base station to the transceiver. 1 12.

可选的，所述收发器 1 12接收所述微基站支持的安全算法还可以是：在所述宏基站和微基站之间进行接口建立的过程中，所述微基站向宏基站发送接口连接建立的请求时，将所述微基站支持的安全算法携带在所述接口连接建立的请求中。所述收发器 1 12 从所述接口连接建立的请求中获取所述微基站支持的安全算法。其中，所述接口连接建立的请求可以是 X接口连接建立请求消息。当然，所述微基站与所述宏基站进行配置更新的过程中，也可以在所述微基站发送给所述宏基站的配置更新消息中携带所述微基站支持的安全算法。所述收发器 1 12 从所述配置更新消息中获取所述微基站支持的安全算法。 Optionally, the receiving, by the transceiver, the security algorithm supported by the micro base station may be: in the process of establishing an interface between the macro base station and the micro base station, the micro base station sends an interface connection to the macro base station. When the request is established, the security algorithm supported by the micro base station is carried in the request for establishing the interface connection. The transceiver 1 12 obtains a security algorithm supported by the micro base station from a request for establishing the interface connection. The request for establishing the interface connection may be an X interface connection establishment request message. Of course, in the process of performing the configuration update of the micro base station and the macro base station, the security update algorithm supported by the micro base station may be carried in the configuration update message sent by the micro base station to the macro base station. The transceiver 1 12 obtains a security algorithm supported by the micro base station from the configuration update message.

所述处理器 1 1 1 , 用于根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法。 The processor 1 1 1 is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm.

所述处理器 1 1 1 ,具体用于根据所述 UE和微基站支持的安全算法，以及所述宏基站支持的安全算法，获得所述 UE、微基站和宏基站支持的安全算法的交集，并将所述安全算法的交集中的任一安全算法作为所述协商后的安全算法。 The processor 1 1 1 is specifically configured to obtain, according to a security algorithm supported by the UE and the micro base station, and a security algorithm supported by the macro base station, an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station, where And any security algorithm in the intersection of the security algorithms is used as the negotiated security algorithm.

具体的处理器协商所述 UE、微基站和宏基站支持的安全算法，并得到协商后的安全算法的方法，参见方法的实施例中的描述，本发明实施例在此不再赘述。 For a specific processor, the security algorithm supported by the UE, the micro base station, and the macro base station is negotiated, and the method of the security algorithm is obtained. For details, refer to the description in the embodiment of the method, and details are not described herein again.

所述收发器 1 12 ,还用于向所述 UE和微基站发送所述协商后的安全算法。 The transceiver 1 12 is further configured to send the negotiated security algorithm to the UE and the micro base station.

所述收发器 1 12 , 还用于接收所述 UE空口使用的安全密钥。具体地， UE空口使用的安全密钥可以是：从 MME接收到的所述 UE 空口使用的共享根密钥，或者，也可以是，所述宏基站由所述共享根密钥进一步派生的 UE空口使用的加密和完整性保护密钥。 The transceiver 1 12 is further configured to receive a security key used by the UE air interface. Specifically, the security key used by the UE air interface may be: a shared root key used by the UE air interface received from the MME, or may be, the macro base station further derived by the shared root key. The encryption and integrity protection keys used by the air interface.

所述收发器 1 12 , 还用于将所述安全密钥发送给所述微基站，以使得所述 U E、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The transceiver 1 12 is further configured to send the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be according to the negotiated security algorithm and the The security key is processed for security protection.

若所述收发器 1 12 向所述微基站发送的是所述 UE 空口使用的共享根密钥，所述微基站将进一步基于该共享根密钥派生 UE 空口的加密和完整性保护密钥。 If the transceiver 1 12 sends to the micro base station a shared root key used by the UE air interface, the micro base station further derives an encryption and integrity protection key of the UE air interface based on the shared root key.

所述收发器 1 12 , 具体用于在所述 UE接入到宏基站时，接收所述 UE支持的安全算法。 The transceiver 1 12 is specifically configured to receive a security algorithm supported by the UE when the UE accesses the macro base station.

在 UE接入网络侧时，通过 NAS信令将其所支持的安全算法发送给 MME ,然后 MME再通过 S 1接口信令将收到的 UE支持的安全算法转发给所述宏基站。 When the UE accesses the network side, the security algorithm supported by the UE is sent to the MME through NAS signaling, and then the MME uses the S1 interface signaling to secure the received UE. The algorithm forwards to the macro base station.

所述处理器 111,用于确定所述 UE需要所述宏基站和微基站进行 CA或 CoMP协作通信。 The processor 111 is configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

所述处理器 111,具体用于在确定所述 UE需要所述宏基站和微基站进行 CA或 CoMP协作通信后，根据所述 UE、微基站和宏基站支持的安全算法，进行安全算法协商，获得协商后的安全算法。 The processor 111 is specifically configured to: after determining that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, Obtain the negotiated security algorithm.

可选的，所述收发器 112在获取微基站和 UE的安全算法之后，不论 UE是否需要进行宏基站和微基站的 CA或 CoMP协作通信，所述处理器 111都将协商宏基站、微基站和 UE的安全算法，获得协商后的安全算法，然后所述收发器 112 将协商后的安全算法发送给微基站。一旦所述处理器确定要对 UE 进行宏基站和微基站的 CA 或 CoMP 协作通信，所述收发器 112 可以直接将已经协商好的安全算法发送给 UE, 而不需要在 UE需要进行宏基站和微基站的协作通信时再花费时间进行安全算法的协商，使得 UE 在短时间内获得了协商后的安全算法，从而快速的为 UE提供了高质量的网络服务。 Optionally, after obtaining the security algorithm of the micro base station and the UE, the transceiver 112, whether the UE needs to perform CA or CoMP cooperative communication between the macro base station and the micro base station, the processor 111 will negotiate the macro base station and the micro base station. And the security algorithm of the UE obtains the negotiated security algorithm, and then the transceiver 112 sends the negotiated security algorithm to the micro base station. Once the processor determines that the CA or CoMP cooperative communication of the macro base station and the micro base station is to be performed on the UE, the transceiver 112 may directly send the already negotiated security algorithm to the UE without requiring the macro base station and the UE to perform the macro base station and The cooperative communication of the micro base station takes time to negotiate the security algorithm, so that the UE obtains the negotiated security algorithm in a short time, thereby quickly providing the UE with high-quality network services.

故，所述收发器 112, 还用于在所述处理器 111确定所述 UE需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述 UE发送协商后的安全算法。 Therefore, the transceiver 112 is further configured to send the negotiated security algorithm to the UE after the processor 111 determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

可选的，在网络部署的时候，所述收发器 112没有获得微基站支持的安全算法；这样在网络部署完成后，所述处理器 111 确定所述 UE需要进行宏基站和微基站的 CA或 CoMP协作通信时，所述收发器 112 才需要向所述微基站获取所述微基站支持的安全算法，进而所述处理器 111进行安全算法的协商。 Optionally, when the network is deployed, the transceiver 112 does not obtain a security algorithm supported by the micro base station; after the network deployment is complete, the processor 111 determines that the UE needs to perform the CA of the macro base station and the micro base station. When the CoMP is in cooperative communication, the transceiver 112 needs to acquire the security algorithm supported by the micro base station from the micro base station, and the processor 111 performs negotiation of the security algorithm.

所以，所述收发器 112, 还用于在所述处理器 111确定所述 UE 需要所述宏基站和微基站进行 CA或 CoMP协作通信后，向所述微基站发送请求信息，所述请求信息请求所述微基站将安全算法的上报，以使得所述微基站将自身支持的安全算法发送给所述宏基站，并接收所述微基站发送的所述微基站支持的安全算法。 Therefore, the transceiver 112 is further configured to: after the processor 111 determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, to the micro The base station sends the request information, and the request information requests the micro base station to report the security algorithm, so that the micro base station sends the security algorithm supported by the micro base station to the macro base station, and receives the micro The security algorithm supported by the base station.

KRRC— ,用于 UE和宏基站或微基站间的控制面信令进行完整性保护；安全密钥 ^KS 用于 UE和宏基站或微基站间的控制面信令的加密处理。所述宏基站可以通过 S 1接口信令从 MME 中获取 UE空口的共享根密钥^ ^，其中共享根密钥是 MME根据密钥派生的。宏基站接收到 UE 的 Uu接口的共享根密钥后，再根据该共享根密钥进一步派生出 UE空口的用户面数据、控制面信令加密 /解密和完整性保护操作的安全密钥 ^KUP— ^KRRC-i ,和 ^KRRC—_enc KRRC- is used for integrity protection of control plane signaling between the UE and the macro base station or the micro base station; the security key ^K S is used for encryption processing of control plane signaling between the UE and the macro base station or the micro base station. The macro base station may obtain the shared root key of the UE air interface from the MME through the S1 interface signaling, where the shared root key is derived by the MME according to the key. After receiving the shared root key of the Uu interface of the UE, the macro base station further derives the user plane data of the UE air interface, the security key ^K UP of the control plane signaling encryption/decryption and integrity protection operation according to the shared root key. — ^K RRC-i , and ^K RRC — _enc

具体的，若所述安全密钥是所述微基站自行派生的，那么所述收发器 1 12 , 用于接收移动管理实体发送的所述 UE的空口使用的共享根密钥。 Specifically, if the security key is derived by the micro base station, the transceiver 1 12 is configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity.

所述处理器 1 1 1 ,还用于根据所述共享根密钥派生 UE空口的加密和完整性保护密钥。 The processor 1 1 1 is further configured to derive an encryption and integrity protection key of the UE air interface according to the shared root key.

所述收发器 1 12 , 还用于将所述共享根密钥发送给所述微基站，以使得所述微基站根据所述共享根密钥派生密钥。 The transceiver 1 12 is further configured to send the shared root key to the micro base station, so that the micro base station derives a key according to the shared root key.

可选的，若所述微基站需要的安全密钥是微基站从宏基站中获取的，那么在所述收发器 1 12接收从 MME获取到的共享根密钥后，所述处理器 1 1 1 , 用于根据所述共享密钥进一步派生密钥。 Optionally, if the security key required by the micro base station is obtained by the micro base station from the macro base station, after the transceiver 12 receives the shared root key acquired by the MME, the processor 1 1 1 . For further deriving a key according to the shared key.

所述收发器 1 12 , 还用于将所述派生的密钥发送给所述微基站，以使得所述微基站根据所述处理器 111派生的密钥，和所述 UE进行通信。 The transceiver 1 12 is further configured to send the derived key to the micro base station, The base station is caused to communicate with the UE according to a key derived from the processor 111.

进一步的，在微基站只与 UE 进行数据的传输而不进行信令的传输时，若微基站的安全密钥是由微基站根据共享根密钥派生的，则所述微基站只派生用户面数据的安全密钥若所述微基站的安全密钥是接收所述处理器 111根据共享根密钥 ^^派生的安全密钥，则所述收发器 112 只向微基站转发所述处理器 111 派生的用户面数据的安全密钥 ^Kup—。 Further, when the micro base station transmits data only with the UE without signaling, if the security key of the micro base station is derived by the micro base station according to the shared root key, the micro base station only derives the user plane. Security Key of Data If the security key of the micro base station is a security key derived from the shared root key ^^, the transceiver 112 forwards the processor 111 only to the micro base station. The security key ^K up- of the derived user plane data.

若微基站和 MME 直接相连，则微基站密钥的获得不需要经过所述收发器 112 进行转发，具体安全密钥的获得过程与宏基站获得安全密钥的过程相同，本实施例在此不再赘述。 If the micro base station and the MME are directly connected, the obtaining of the micro base station key does not need to be forwarded by the transceiver 112. The process of obtaining the specific security key is the same as the process of obtaining the security key by the macro base station, and this embodiment does not Let me repeat.

需说明的是，图 11 所示处理器 111、收发器 112与存储器 113 直接连接，在本发明其它一些实施例中，处理器 111、收发器 112 与存储器 113 以及该宏基站 110 的其它模块还可以通过总线进行连接，该总线可以是 IS A ( Industry Standard Architecture , 工业标准体系结构 ) 总线、 PCI ( Peripheral Component, 外部设备互连 ) 总线或 EISA ( Extended Industry Standard Architecture, 扩展工业标准体系结构）总线等。所述总线可以是一条或多条物理线路，当是多条物理线路时可以分为地址总线、数据总线、控制总线等。 It should be noted that the processor 111 and the transceiver 112 are directly connected to the memory 113 in FIG. 11. In other embodiments of the present invention, the processor 111, the transceiver 112, the memory 113, and other modules of the macro base station 110 are further It can be connected via a bus, which can be an IS A (Industry Standard Architecture) bus, a PCI (Peripheral Component) bus or an EISA (Extended Industry Standard Architecture) bus. Wait. The bus may be one or more physical lines, and may be divided into an address bus, a data bus, a control bus, etc. when it is a plurality of physical lines.

另外，对于本领域普通技术人员而言，处理器 111、收发器 112 与存储器 113 的具体实现可以参考前述实施例所述，在此不再赘述。 For a specific implementation of the processor 111, the transceiver 112, and the memory 113, reference may be made to the foregoing embodiments, and details are not described herein.

本发明实施例提供了一种宏基站，所述收发器接收 UE 和微基站支持的安全算法；然后，所述处理器根据所述用户设备、微基站和宏基站支持的安全算法，进行安全算法协商，得到协商后的安全算法；所述收发器分别向所述用户设备和微基站发送协商后的安全算法；所述收发器接收所述 UE 空口使用的安全密钥，并将所述安全密钥发送给所述微基站，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，这样在宏基站确定对 UE 进行宏微 CA或 CoMP操作时， UE能够安全的与宏基站和微基站进行通信。 The embodiment of the present invention provides a macro base station, where the transceiver receives a security algorithm supported by the UE and the micro base station. Then, the processor performs a security algorithm according to the security algorithm supported by the user equipment, the micro base station, and the macro base station. Negotiating, obtaining a negotiated security algorithm; the transceiver respectively sending a negotiated security algorithm to the user equipment and the micro base station; the transceiver receiving a security key used by the UE air interface, and the security secret The key is sent to the micro base station, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the UE, the macro base station, and the micro base station can enter between three network entities Negotiation of the row security algorithm and acquisition of the security key, so that when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely communicate with the macro base station and the micro base station.

本发明又一实施例提供一种微基站，如图 12所示，所述微基站 120包括：收发器 121和存储器 122。 A further embodiment of the present invention provides a micro base station. As shown in FIG. 12, the micro base station 120 includes: a transceiver 121 and a memory 122.

所述存储器 122 , 用于存储所述微基站支持的安全算法。 The memory 122 is configured to store a security algorithm supported by the micro base station.

所述收发器 121 , 用于与宏基站进行安全算法的交互，以使得所述宏基站获取所述微基站支持的安全算法。 The transceiver 121 is configured to perform a security algorithm interaction with the macro base station, so that the macro base station acquires a security algorithm supported by the micro base station.

所述微基站与所述宏基站进行安全算法的交互，可以是多种方式。具体过程，参见方法实施例中的所述微基站与所述宏基站进行安全算法的交互的描述。 The micro base station interacts with the macro base station to perform a security algorithm, which may be in various manners. For a specific process, refer to the description of interaction between the micro base station and the macro base station in the method embodiment.

所述收发器 121 , 用于在所述宏基站获取所述微基站、 UE和宏基站的安全算法并进行安全算法的协商后，接收所述宏基站发送的协商后的安全算法。 The transceiver 121 is configured to receive, after the macro base station obtains the security algorithm of the micro base station, the UE, and the macro base station, and perform the negotiation of the security algorithm, and receive the negotiated security algorithm sent by the macro base station.

在所述宏基站获取所述微基站、 UE和自身支持的安全算法，并进行安全算法的协商之后，所述收发器 121 接收所述宏基站发送的协商后的安全算法。此时，所述协商后的安全算法为所述 UE 空口使用的安全算法。 After the macro base station acquires the security algorithm supported by the micro base station, the UE, and the self, and performs the negotiation of the security algorithm, the transceiver 121 receives the negotiated security algorithm sent by the macro base station. At this time, the negotiated security algorithm is a security algorithm used by the UE air interface.

所述收发器 121 , 还用于接收所述宏基站发送的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。 The transceiver 121 is further configured to receive a security key sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the security key. Perform security protection processing.

所述微基站还包括处理器 123。 The micro base station also includes a processor 123.

所述处理器 123 ,用于在所述收发器 121接收到所述 UE空口使用的共享根密钥之后，根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理. The processor 123 is configured to: after the transceiver 121 receives the shared root key used by the UE air interface, derive an encryption and integrity protection key of the UE air interface according to the shared root key, so that the The communication between the UE, the micro base station and the macro base station can be protected according to the negotiated security algorithm and the encryption and integrity protection of the UE air interface. The key is securely processed.

在所述宏基站接收到所述 UE 空口使用的共享根密钥后，所述宏基站可以向所述收发器 121发送所述 UE空口使用的共享根密钥。所述收发器 121接收到所述共享根密钥后，所述处理器 123根据所述共享根密钥派生 UE 空口的加密和完整性保护密钥，根据所述加密和完整性保护密钥和所述协商后的安全算法与所述宏基站和 U E 进行安全通信。 After the macro base station receives the shared root key used by the UE air interface, the macro base station may send the shared root key used by the UE air interface to the transceiver 121. After the transceiver 121 receives the shared root key, the processor 123 derives an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and integrity protection key and The negotiated security algorithm performs secure communication with the macro base station and the UE.

所述收发器 121 , 具体用于接收所述宏基站发送的派生的 UE 空口的加密和完整性保护密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述 UE 空口的加密和完整性保护密钥进行安全保护处理。 The transceiver 121 is configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiation. The security algorithm and the encryption and integrity protection keys of the UE air interface are subjected to security protection processing.

需说明的是，图 12所示收发器 121、存储器 122与处理器 123 直接连接，在本发明其它一些实施例中，收发器 13 1、存储器 122 与处理器 132 以及该微基站 130 的其它模块还可以通过总线进行连接，该总线可以是 IS A ( Industry Standard Architecture , 工业标准体系结构 ) 总线、 PCI ( Peripheral Component , 外部设备互连 ) 总线或 EISA ( Extended Industry Standard Architecture , 扩展工业标准体系结构）总线等。所述总线可以是一条或多条物理线路，当是多条物理线路时可以分为地址总线、数据总线、控制总线等。 It should be noted that the transceiver 121 and the memory 122 shown in FIG. 12 are directly connected to the processor 123. In other embodiments of the present invention, the transceiver 13 1 , the memory 122 and the processor 132, and other modules of the micro base station 130 It can also be connected via a bus, which can be an IS A (Industry Standard Architecture) bus, a PCI (Peripheral Component) bus or an EISA (Extended Industry Standard Architecture) Bus, etc. The bus may be one or more physical lines, and may be divided into an address bus, a data bus, a control bus, etc. when it is a plurality of physical lines.

另外，对于本领域普通技术人员而言，收发器 121、存储器 122 与处理器 123 的具体实现可以参考前述实施例所述，在此不再赘述。 For a specific implementation of the transceiver 121, the memory 122, and the processor 123, reference may be made to the foregoing embodiments, and details are not described herein.

本发明实施例提供一种微基站，所述收发器与宏基站进行安全算法的交互；所述收发器接收所述宏基站发送的协商后的安全算法；然后，所述收发器接收所述宏基站发送的 UE空口使用的安全密钥，以使得所述 UE、微基站和宏基站之间的通信能够根据所述协商后的安全算法以及所述安全密钥进行安全保护处理。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE进行宏微 CA或 CoMP操作时， UE能够安全地与宏基站和微基站进行通信。本发明又一实施例提供一种用户设备，如图 13所示，所述用户设备 130 包括：收发器 13 1、处理器 132和存储器 133 。 An embodiment of the present invention provides a micro base station, where the transceiver and a macro base station perform a security algorithm interaction; the transceiver receives a negotiated security algorithm sent by the macro base station; and then, the transceiver receives the macro base. The security key used by the UE air interface sent by the station, so that the communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key. In this way, since the security algorithm negotiation and the security key acquisition are performed between the three network entities of the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely cooperate with the UE. The macro base station and the micro base station communicate. A further embodiment of the present invention provides a user equipment. As shown in FIG. 13, the user equipment 130 includes: a transceiver 13 1 , a processor 132 , and a memory 133 .

所述存储器 133 , 用于存储所述 UE支持的安全算法。 The memory 133 is configured to store a security algorithm supported by the UE.

所述收发器 13 1 , 用于向宏基站发送所述存储器 133 存储的所述 UE支持的安全算法，以使得所述宏基站对所述 UE、微基站和宏基站支持的安全算法进行协商，将协商后的安全算法作为所述 UE 空口使用的安全算法，并将所述协商后的安全算法通知所述 UE 和所述微基站。 The transceiver 13 1 is configured to send, to the macro base station, the security algorithm supported by the UE stored in the memory 133, so that the macro base station negotiates a security algorithm supported by the UE, the micro base station, and the macro base station, The negotiated security algorithm is used as a security algorithm used by the UE air interface, and the negotiated security algorithm is notified to the UE and the micro base station.

所述收发器 13 1 , 用于接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的。 The transceiver 13 1 is configured to receive the negotiated security algorithm notified by the macro base station, where the negotiated security algorithm is that the macro base station negotiates according to a security algorithm supported by the UE, the micro base station, and the macro base station. After getting it.

所述处理器 132 ,用于根据所述协商后的安全算法和 UE空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。 The processor 132 is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station and The micro base station communicates.

需说明的是，图 13所示收发器 13 1、处理器 132与存储器 133 直接连接，在本发明其它一些实施例中，收发器 13 1、处理器 132 与存储器 133 以及该用户设备 130 的其它模块还可以通过总线进行连接，该总线可以是 ISA ( Industry Standard Architecture , 工业标准体系结构 ) 总线、 PCI ( Peripheral Component , 外部设备互连 ) 总线或 EISA ( Extended Industry Standard Architecture , 扩展工业标准体系结构）总线等。所述总线可以是一条或多条物理线路，当是多条物理线路时可以分为地址总线、数据总线、控制总线等。 It should be noted that the transceiver 13 1 and the processor 132 shown in FIG. 13 are directly connected to the memory 133. In other embodiments of the present invention, the transceiver 13 1 , the processor 132 and the memory 133 and other components of the user equipment 130 The module can also be connected via a bus, which can be an ISA (Industry Standard Architecture) bus or a PCI (Peripheral Component) bus. Or EISA (Extended Industry Standard Architecture) bus. The bus may be one or more physical lines, and when it is a plurality of physical lines, it may be divided into an address bus, a data bus, a control bus, and the like.

另外，对于本领域普通技术人员而言，收发器 13 1、处理器 132 与存储器 133 的具体实现可以参考前述实施例所述，在此不再赘述。 For a specific implementation of the transceiver 13 1 , the processor 132 , and the memory 133 , reference may be made to the foregoing embodiments, and details are not described herein again.

本发明实施例提供一种用户设备，所述收发器向宏基站发送所述 UE 支持的安全算法；所述收发器接收所述宏基站通知的协商后的安全算法，所述协商后的安全算法是所述宏基站根据所述 UE、微基站和宏基站支持的安全算法进行协商后得到的；所述处理器根据所述协商后的安全算法和 UE 空口使用的安全密钥，在所述宏基站将所述安全密钥发送给所述微基站后，与所述宏基站和微基站进行通信。这样，由于 UE、宏基站和微基站三个网络实体之间能够进行安全算法的协商，以及安全密钥的获取，当宏基站确定对 UE 进行宏微 CA或 CoMP操作时， UE能够安全地与宏基站和微基站进行通信。 An embodiment of the present invention provides a user equipment, where the transceiver sends a security algorithm supported by the UE to a macro base station; the transceiver receives the negotiated security algorithm notified by the macro base station, and the negotiated security algorithm And the macro base station is obtained according to the security algorithm supported by the UE, the micro base station, and the macro base station; and the processor is based on the negotiated security algorithm and a security key used by the UE air interface, in the macro base. After transmitting the security key to the micro base station, the station communicates with the macro base station and the micro base station. In this way, since the security algorithm negotiation and the security key acquisition are performed between the UE, the macro base station, and the micro base station, when the macro base station determines to perform macro-MAC or CoMP operation on the UE, the UE can securely cooperate with the UE. The macro base station and the micro base station communicate.

需说明的是，以上所描述的装置实施例仅仅是示意性的，其中所述作为分离部件说明的单元可以是或者也可以不是物理上分开的，作为单元显示的部件可以是或者也可以不是物理单元，即可以位于一个地方，或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。另外，本发明提供的装置实施例附图中，模块之间的连接关系表示它们之间具有通信连接，具体可以实现为一条或多条通信总线或信号线。本领域普通技术人员在不付出创造性劳动的情况下，即可以理解并实施。 It should be noted that the device embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separated, and the components displayed as the cells may or may not be physical. Units can be located in one place, or they can be distributed to multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solution of the embodiment. In addition, in the drawings of the apparatus embodiments provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and specifically, one or more communication buses or signal lines can be realized. Those of ordinary skill in the art can understand and implement without any creative effort.

通过以上的实施方式的描述，所属领域的技术人员可以清楚地了解到本发明可借助软件加必需的通用硬件的方式来实现，当然也可以通过专用硬件包括专用集成电路、专用 CPU、专用存储器、专用元器件等来实现。一般情况下，凡由计算机程序完成的功能都可以艮容易地用相应的硬件来实现，而且，用来实现同一功能的具体硬件结构也可以是多种多样的，例如模拟电路、数字电路或专用电路等。但是，对本发明而言更多情况下软件程序实现是更佳的实施方式。基于这样的理解，本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来，该计算机软件产品存储在可读取的存储介质中，如计算机的软盘， U 盘、移动硬盘、只读存储器（ ROM , Read-Only Memory )、随机存取存储器（ RAM , Random Access Memory )、磁碟或者光盘等，包括若干指令用以使得一台计算机设备（可以是个人计算机，服务器，或者网络设备等）执行本发明各个实施例所述的方法。 Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus necessary general hardware, and of course, dedicated hardware, dedicated CPU, dedicated memory, dedicated memory, Special components and so on. In general, any function performed by a computer program can be easily implemented with the corresponding hardware, and the specific function used to achieve the same function. The hardware structure can also be varied, such as analog circuits, digital circuits, or dedicated circuits. However, for the purposes of the present invention, software program implementation is a better implementation in more cases. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a floppy disk of a computer. , U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), disk or optical disk, etc., including a number of instructions to make a computer device (may be A personal computer, server, or network device, etc.) performs the methods described in various embodiments of the present invention.

以上所述，仅为本发明的具体实施方式，但本发明的保护范围并不局限于此，任何熟悉本技术领域的技术人员在本发明揭露的技术范围内，可轻易想到变化或替换，都应涵盖在本发明的保护范围之内。因此，本发明的保护范围应所述以权利要求的保护范围为准。 The above is only the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.

Claims

Claim

A security processing method for mobile communication, the method comprising: the macro base station acquiring a security algorithm supported by the user equipment UE and the micro base station;

The macro base station performs security algorithm negotiation according to the security algorithm supported by the UE, the micro base station, and the macro base station, and obtains the negotiated security algorithm;

The macro base station notifies the UE and the micro base station of the negotiated security algorithm;

The macro base station acquires a security key used by the UE air interface; the macro base station sends the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the The negotiated security algorithm and the security key perform security protection processing.

The method according to claim 1, wherein the macro base station performs the negotiation of the security algorithm according to the security algorithm supported by the UE, the micro base station, and the macro base station, and the obtained security algorithm includes: Obtaining, by the macro base station, the intersection of the security algorithms supported by the UE, the micro base station, and the macro base station according to the obtained security algorithm supported by the UE and the micro base station, and the security algorithm supported by the macro base station, and the intersection of the security algorithms Any of the security algorithms are used as the negotiated security algorithm.

The method according to claim 1 or 2, wherein the acquiring, by the macro base station, a security algorithm supported by the UE includes:

Obtaining a security algorithm supported by the UE when the UE accesses the macro base station;

Before the security algorithm is negotiated by the macro base station according to the security algorithm supported by the UE, the micro base station, and the macro base station, and the obtained security algorithm is obtained, the macro base station further includes:

The macro base station determines that the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point cooperative CoMP cooperative communication.

Before the UE accesses the macro base station, acquiring a security algorithm supported by the UE; before the macro base station notifying the UE of the negotiated security algorithm, the method further includes: The macro base station determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

The method according to any one of claims 1-4, wherein the obtaining, by the macro base station, the security algorithm supported by the micro base station comprises:

Receiving, by the macro base station, operating, managing, and maintaining a security algorithm negotiated by the macro base station OAM and the micro base station OAM sent by the OAM; or

The macro base station sends a request for acquiring a security algorithm supported by the micro base station to the macro base station OAM, so that the macro base station OAM obtains a security algorithm supported by the micro base station from the micro base station OAM, where the macro base station receives the a security algorithm supported by the micro base station sent by the macro base station OAM; or

And receiving, by the micro base station, a request for establishing an interface with the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station;

Or,

Receiving a configuration update message sent by the micro base station, where the configuration update message carries a security algorithm supported by the micro base station.

The method according to claim 1 or 2, wherein the acquiring, by the macro base station, the security algorithm supported by the UE comprises:

And acquiring, before the UE accesses the macro base station, the security algorithm supported by the UE; before the acquiring, by the macro base station, the security algorithm supported by the micro base station, the method further includes:

The macro base station determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication;

The security algorithm supported by the macro base station to obtain the micro base station includes:

The macro base station sends request information to the micro base station, where the request information requests the micro base station to send a security algorithm supported by the micro base station to the macro base station, and receives the security supported by the micro base station sent by the micro base station. algorithm.

The method according to any one of claims 1-6, wherein the acquiring, by the macro base station, the security key used by the UE air interface includes: Receiving, by the macro base station, a shared root key used by the UE air interface sent by the mobility management entity, and deriving an encryption and integrity protection key of the UE air interface according to the shared root key; Sending a key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key, including: the macro base station Transmitting a shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, and communication between the UE, the micro base station, and the macro base station The security protection process can be performed according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

The method according to any one of claims 1-6, wherein the acquiring, by the macro base station, the security key used by the UE air interface includes:

Receiving a shared root key used by the UE air interface sent by the mobility management entity; the macro base station transmitting the security key to the micro base station, so that communication between the UE, the micro base station, and the macro base station can Performing security protection processing according to the negotiated security algorithm and the security key includes: the macro base station deriving an encryption and integrity protection key of the UE air interface according to the shared root key, and completing the encryption and integrity The sex protection key is sent to the micro base station, and performs secure communication with the base station and the UE according to the encryption and integrity protection key and the negotiated security algorithm.

A security processing method for mobile communication, wherein the micro base station and the macro base station perform a security algorithm interaction, so that the macro base station acquires a security algorithm supported by the micro base station; a negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station, after performing security algorithm negotiation;

And receiving, by the macro base station, a security key used by the UE air interface, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key.

The method according to claim 9, wherein the interaction between the micro base station and the macro base station to perform a security algorithm includes: The micro base station sends a security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM and the micro base station OAM negotiate a security algorithm supported by the macro base station and the micro base station, and the security is supported. Sending an algorithm to the macro base station; or

The micro base station sends the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and supports the security supported by the micro base station. Sending an algorithm to the macro base station; or

The micro base station sends an interface establishment request to the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station; or

The micro base station sends a configuration update message to the macro base station, where the configuration update message carries a security algorithm supported by the micro base station; or

Receiving, by the micro base station, a request message sent by the macro base station, the request message requesting the micro base station to send a security algorithm supported by the micro base station to the macro base station, where the micro base station sends the self-supported security to the macro base station. algorithm.

The method according to claim 9, wherein the receiving a security key sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the security key performing security protection processing include: the micro base station receiving a shared root key used by the UE air interface sent by the macro base station, and deriving the encryption and integrity of the UE air interface according to the shared root key a security protection key, performing secure communication with the macro base station and the UE according to the encryption and integrity protection key and the negotiated security algorithm; or

Receiving, by the micro base station, an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be based on the negotiated security algorithm and the The encryption and integrity protection keys of the UE air interface are subjected to security protection processing.

12. A secure processing method for mobile communication, characterized in that The user equipment UE sends the security algorithm supported by the UE to the macro base station; the UE receives the negotiated security algorithm notified by the macro base station, and the negotiated security algorithm is that the macro base station according to the UE and the micro base station Obtained after negotiation with the security algorithm supported by the macro base station;

The UE communicates with the macro base station and the micro base station after the macro base station sends the security key to the micro base station according to the negotiated security algorithm and the security key used by the UE air interface.

A macro base station, comprising: a first acquiring unit, a negotiating unit, a notifying unit, a second obtaining unit, and a sending unit; the first acquiring unit, configured to acquire the user equipment UE and the micro base station a security algorithm; the negotiation unit is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm;

The notifying unit is configured to notify the UE and the base station of the negotiated security algorithm; the second acquiring unit is configured to acquire a security key used by the UE air interface; and the sending unit is configured to: The security key is sent to the micro base station, so that communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key.

14. The macro base station according to claim 13, wherein:

The negotiating unit is specifically configured to obtain, according to the obtained security algorithm supported by the UE and the micro base station, and a security algorithm supported by the macro base station, an intersection of the security algorithms supported by the UE, the micro base station, and the macro base station, and Any security algorithm in the intersection of the security algorithms is used as the negotiated security algorithm.

The macro base station according to claim 13 or 14, wherein

The first acquiring unit is specifically configured to acquire a security algorithm supported by the UE when the UE accesses the macro base station;

The macro base station further includes: a determining unit;

The determining unit is configured to determine whether the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point cooperative CoMP cooperative communication; The negotiating unit is specifically configured to: after the determining unit determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication, perform security according to a security algorithm supported by the UE, the micro base station, and the macro base station. The algorithm negotiates to obtain the negotiated security algorithm.

16. The macro base station according to claim 13 or 14, wherein

The macro base station further includes a determining unit;

The determining unit is configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication;

The notifying unit is further configured to notify the UE of the negotiated security algorithm after the determining unit determines that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication.

The macro base station according to any one of claims 13-16, wherein the first acquiring unit is specifically configured to:

Sending, to the macro base station OAM, a request for acquiring a security algorithm supported by the micro base station, so that the macro base station OAM acquires a security algorithm supported by the micro base station from the micro base station OAM, and receives the Security algorithm supported by the micro base station; or

Or,

18. The macro base station according to claim 13 or 14, wherein

The first acquiring unit is specifically configured to acquire a security algorithm supported by the UE when the UE accesses the macro base station; The macro base station further includes a determining unit;

The determining unit is configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication; the first acquiring unit is further configured to determine, in the determining unit, that the UE needs the macro base After performing the CA or CoMP cooperative communication, the station and the micro base station send request information to the micro base station, where the request information requests the micro base station to send a security algorithm supported by the micro base station to the macro base station, and receive the micro base station to send The security algorithm supported by the micro base station.

The macro base station according to any one of claims 13 to 18, characterized in that

The second acquiring unit is specifically configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity, and derive an encryption and integrity protection key of the UE air interface according to the shared root key;

The sending unit is specifically configured to send the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, where the UE The communication between the micro base station and the macro base station can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

The second acquiring unit is configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity, and derive an encryption and integrity protection key of the UE air interface according to the shared root key; a unit, configured to send an encryption and integrity protection key of the UE air interface to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated security algorithm and The encryption and integrity protection keys of the UE air interface are subjected to security protection processing.

A micro base station, the micro base station includes: an interaction unit, a receiving unit, and the interaction unit, configured to perform a security algorithm interaction with a macro base station, so that the macro base station acquires the micro base station Supporting the security algorithm; the receiving unit is configured to receive the negotiated security algorithm sent by the macro base station, where the negotiated security algorithm is supported by the macro base station according to the UE, the micro base station, and the macro base station The algorithm is obtained after the security algorithm is negotiated, and the receiving unit is further configured to receive a security key used by the UE air interface sent by the macro base station, The security between the UE, the micro base station, and the macro base station can be performed according to the negotiated security algorithm and the security key.

The micro base station according to claim 21, wherein the interaction unit is specifically configured to:

Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM and the micro base station OAM negotiate a security algorithm supported by the macro base station and the micro base station, and send the security algorithm to the Macro base station; or

Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and sends the security algorithm supported by the micro base station to the Macro base station; or

Sending an interface establishment request to the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station; or

Sending a configuration update message to the macro base station, where the configuration update message carries a security algorithm supported by the micro base station;

Or,

Receiving a request message sent by the macro base station, the request message requesting the micro base station to send a security algorithm supported by the micro base station to the macro base station, and sending a security algorithm supported by the macro base station to the macro base station.

The micro base station according to claim 21, wherein the receiving unit is specifically configured to receive a shared root key used by the UE air interface sent by the macro base station;

The micro base station further includes a derivation unit;

Deriving unit, configured to: after the receiving unit receives the shared root key used by the UE air interface, derive an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and An integrity protection key and the negotiated security algorithm perform secure communication with the macro base station and the UE; or,

The receiving unit is specifically configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

A user equipment, the user equipment, comprising: a sending unit, a receiving unit, and a communication unit; the sending unit, configured to send, to the macro base station, a security algorithm supported by the UE;

The receiving unit is configured to receive the negotiated security algorithm notified by the macro base station, where the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station. The communication unit is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station Communicate with the micro base station.

25. A macro base station, the macro base station comprising: a transceiver, a processor, and a memory;

The memory is configured to store a security algorithm supported by the macro base station;

The transceiver is configured to receive a security algorithm supported by the user equipment UE and the micro base station;

The processor is configured to perform security algorithm negotiation according to a security algorithm supported by the UE, the micro base station, and the macro base station, to obtain a negotiated security algorithm, where the transceiver is further configured to send the information to the UE and the base station. a security algorithm for the negotiation; the transceiver is further configured to receive a security key used by the air interface of the UE; the transceiver is further configured to send the security key to the micro base station, so that The communication between the UE, the micro base station, and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key.

26. The macro base station according to claim 25, wherein:

The processor is specifically configured to obtain, according to a security algorithm supported by the UE and the micro base station, and a security algorithm supported by the macro base station, obtain a security algorithm supported by the UE, the micro base station, and the macro base station. And setting, and using any security algorithm in the intersection of the security algorithms as the negotiated security algorithm.

27. A macro base station according to claim 25 or 26, characterized in that

The transceiver is specifically configured to: when the UE accesses the macro base station, receive a security algorithm supported by the UE;

The processor is further configured to determine whether the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point coordinated CoMP cooperative communication; the processor is specifically configured to determine that the UE needs the macro base After performing the CA or CoMP cooperative communication, the station and the micro base station perform security algorithm negotiation according to the security algorithms supported by the UE, the micro base station, and the macro base station, and obtain the negotiated security algorithm.

28. A macro base station according to claim 25 or 26, characterized in that

The processor is further configured to determine whether the UE needs the macro base station and the micro base station to perform carrier aggregation CA or multi-point coordinated CoMP cooperative communication; the transceiver is specifically configured to determine, at the processor, the UE After the macro base station and the micro base station perform CA or CoMP cooperative communication, the negotiated security algorithm is sent to the UE.

The macro base station according to claim 25 or 28, wherein the transceiver device is configured to:

Receiving, by the micro base station, a request for establishing an interface with the macro base station, where the interface establishment request carries a security algorithm supported by the micro base station; or Receiving a configuration update message sent by the micro base station, where the configuration update message carries a security algorithm supported by the micro base station.

30. The macro base station according to claim 25 or 26, wherein

The processor is further configured to determine that the UE needs the macro base station and the micro base station to perform CA or CoMP cooperative communication; the transceiver is further configured to determine, at the processor, that the UE needs the macro base station After performing the CA or CoMP cooperative communication with the micro base station, sending the request information to the micro base station, where the request information requests the micro base station to send a security algorithm supported by the micro base station to the macro base station, and receive the sending by the micro base station. The security algorithm supported by the micro base station.

The macro base station according to any one of claims 25 to 30, characterized in that

The transceiver is specifically configured to receive a shared authentication key used by the air interface of the UE sent by the mobility management entity;

The processor, configured to derive an encryption and integrity protection key of the UE air interface according to the shared root key;

The transceiver is specifically configured to send the shared root key to the micro base station, so that the micro base station derives an encryption and integrity protection key of the UE air interface according to the shared root key, where the UE The communication between the micro base station and the macro base station can perform security protection processing according to the negotiated security algorithm and the encryption and integrity protection key of the UE air interface.

32. The macro base station according to any one of claims 25-30, characterized in that

The transceiver is configured to receive a shared root key used by the air interface of the UE sent by the mobility management entity;

The processor is further configured to derive an encryption and integrity protection key of the UE air interface according to the shared root key;

The transceiver is specifically configured to send an encryption and integrity protection key of the UE air interface to the micro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

A micro base station, the micro base station includes: a transceiver and a memory; and the memory is configured to store a security algorithm supported by the micro base station;

The transceiver is configured to perform a security algorithm interaction with the macro base station, so that the macro base station acquires a security algorithm supported by the micro base station; and the transceiver is further configured to receive the negotiated sent by the macro base station a security algorithm, the negotiated security algorithm is obtained by the macro base station according to a security algorithm supported by the UE, the micro base station, and the macro base station, and the security algorithm is negotiated; the transceiver is further configured to receive the macro base. The security key used by the UE air interface sent by the station, so that the communication between the UE, the micro base station and the macro base station can perform security protection processing according to the negotiated security algorithm and the security key.

The micro base station according to claim 33, wherein the transceiver is specifically configured to:

Sending the security algorithm supported by the micro base station to the micro base station OAM, so that the macro base station OAM obtains the security algorithm supported by the micro base station from the micro base station OAM, and sends the security algorithm supported by the micro base station to the Macro base station

Or,

The micro base station according to claim 33, wherein the transceiver is specifically configured to receive a shared root key used by the UE air interface sent by the macro base station;

The micro base station further includes: a processor;

The processor, after the transceiver receives the shared root key used by the UE air interface, deriving an encryption and integrity protection key of the UE air interface according to the shared root key, according to the encryption and An integrity protection key and the negotiated security algorithm perform secure communication with the macro base station and the UE;

Or,

The transceiver is specifically configured to receive an encryption and integrity protection key of the derived UE air interface sent by the macro base station, so that communication between the UE, the micro base station, and the macro base station can be performed according to the negotiated The security algorithm and the encryption and integrity protection keys of the UE air interface perform security protection processing.

36. A user equipment, the user equipment comprising: a transceiver, a processor, and a memory;

The memory is configured to store a security algorithm supported by the UE, the transceiver is configured to receive a negotiated security algorithm notified by the macro base station, and the negotiated security algorithm is that the macro base station is configured according to the Obtained by the security algorithms supported by the UE, the micro base station, and the macro base station;

The processor is configured to: after the macro base station sends the security key to the micro base station, according to the negotiated security algorithm and a security key used by the UE air interface, and the macro base station and the micro The base station communicates.