WO2015106387A1 - Key verification method, base station, user device and core network element - Google Patents

Abstract

Provided are a key verification method, a base station, a user device and a core network element. Verification can be made as to whether keys between a user device and an auxiliary base station are correct, thereby avoiding data loss or even service interruption between the user device and the auxiliary base station caused by keys and corresponding algorithms being incorrect. The specific solution is: a user device sends verification information to a base station, the verification information being information obtained after the user device performs protection on preset data known to both the user device and the base station via a key derived by the user device and a preset algorithm, the preset algorithm comprising at least one of an encryption algorithm and an integrity protection algorithm; the base station receives the verification information, then obtains target data according to the same preset algorithm, a key derived by an auxiliary base station and the verification information, and it is determined, according to the preset data, the verification information and the target data, whether the key derived by the user device and the key derived by the base station are identical. The present invention is used for checking keys between a user device and a base station.

Description

 Method for verifying key, base station, user equipment and core network element

 The present invention relates to the field of communications, and in particular, to a method for verifying a key, a base station, a user equipment, and a core network element.

Background technique

 The carrier aggregation of the Long Term Evolution (LTE) system can be roughly divided into intra-base station cell aggregation, inter-base station cell aggregation, and the like. The cell aggregation inside the base station is relatively simple because it is controlled by only one evolved base station (eNB). The scheme of inter-base station carrier aggregation is, for example, how to enable dual connectivity of different base stations of a non-ideal backhaul line, that is, how the terminals in the connected state transmit data through the resources of the two base stations to improve the throughput of the terminal.

 Based on the scheme of carrier aggregation between the base stations, the primary base station needs to establish the bearer of the user equipment (User Equipment, UE) to the secondary base station. However, the primary base station or the secondary base station cannot know whether the key associated with the secondary base station derived by the UE is correct. When the secret key is incorrect, the service between the UE and the secondary base station is interrupted.

Summary of the invention

 The embodiment of the present invention provides a method for verifying a key, a base station, a user equipment, and a core network element, which can verify whether the key between the user equipment and the secondary base station is correct, and can avoid the key and the corresponding algorithm. The service interruption between the user equipment and the secondary base station caused by the incorrect.

 In order to achieve the above object, embodiments of the present invention use the following technical solutions:

 In a first aspect, an embodiment of the present invention provides a base station, where the base station includes: a receiving unit, configured to receive verification information sent by a user equipment, where the verification information is that the user equipment passes the preset data The user-derived key and the information obtained by the preset algorithm are protected, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;

An acquiring unit, configured to use, according to the base station, a key, the preset algorithm, and a Determining data and the verification information to obtain target data;

 And a determining unit, configured to determine, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.

 With reference to the first aspect, in a first possible implementation, the base station further includes: a reset unit, configured to: if the user equipment-derived key is different from the base station-derived key, The user equipment re-derives a key or causes the user equipment to delete the base station.

 In conjunction with the first aspect, in a second possible implementation, the receiving unit is specifically configured to:

 Receiving, by the X2 interface, the base station addition complete message from the primary base station, where the base station add complete message carries the check information; or

 Receiving, by the user equipment, a media access control message, where the media access control message carries the verification information; or

 Receiving packet packet convergence protocol data sent by the user equipment, where the packet packet convergence protocol data carries the verification information.

 With reference to the first aspect, in a third possible implementation, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 In conjunction with the first aspect, in a fourth possible implementation, the base station is a secondary base station.

In a second aspect, the embodiment of the present invention provides another base station, where the base station includes: a receiving unit, configured to receive verification information sent by the user equipment, where the verification information is that the user equipment passes the preset data. The user-derived key and the information obtained by the preset algorithm are protected, and the preset algorithm includes an encryption algorithm and an integrity guarantee. At least one of the algorithms;

 And an acquiring unit, configured to acquire target data according to the key derived by the secondary base station, the preset algorithm, the preset data, and the verification information;

 a determining unit, configured to determine, according to the preset data, the verification information, and the target data, whether a key derived by the user equipment is the same as a key derived by the secondary base station, and a determination result is obtained;

 And a sending unit, configured to send the determination result to the secondary base station.

 With reference to the second aspect, in a first possible implementation, the base station further includes: a reset unit, configured to: if the key derived by the user equipment is different from the derived key of the secondary base station, And causing the user equipment to delete the secondary base station or cause the user equipment to re-derived a key.

 With reference to the second aspect, in a second possible implementation, the receiving unit is specifically configured to:

 And receiving a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information.

 With reference to the second aspect, in a third possible implementation manner, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 In a third aspect, an embodiment of the present invention provides a user equipment, where the user equipment includes:

 a decryption unit, configured to decrypt the received downlink data according to the key derived by the user equipment and a preset algorithm;

 a determining unit, configured to determine, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:

Obtaining an internet protocol address and a port number of the decrypted data packet; If the Internet Protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station;

 And a sending unit, configured to send the determination result to the secondary base station.

 With reference to the third aspect, in a first possible implementation, the user equipment further includes:

 a notification unit, configured to notify the primary base station to delete the secondary base station if the key derived by the user equipment is different from the key derived by the secondary base station, or notify the primary base station to re-add the secondary base station; or And the primary base station notifies the secondary base station to re-trigger the reconfiguration process; or the primary base station notifies the secondary base station to delete the secondary base station.

 In a fourth aspect, an embodiment of the present invention provides a core network element, where the core network element includes:

 a receiving unit, configured to receive data that is decrypted by the secondary base station according to the key derived by the secondary base station and the uplink data sent by the user equipment by using a preset algorithm;

 a determining unit, configured to determine, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:

 Obtaining an internet protocol address and a port number of the decrypted data packet; if the internet protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; Or,

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station;

 And a sending unit, configured to send a result of the determining to the secondary base station.

 With reference to the fourth aspect, in a first possible implementation manner, the core network element further includes:

a notification unit, configured to notify the primary base station to delete the secondary base station if the key derived by the user equipment is different from the key derived by the secondary base station, or notify the primary base station to re-add the secondary base station; or And the primary base station notifies the secondary base station to re-trigger the reconfiguration process; or the primary base station notifies the secondary base station to delete the secondary base station. With reference to the first possible implementation of the fourth aspect, in a second possible implementation manner, the notification unit is specifically configured to:

 Sending, to the mobility management entity, the message that the keys are different, and forwarding, by the mobility management entity, the message that the keys are different from the primary base station, so that the primary base station receives the key Deleting the secondary base station or re-adding the secondary base station after the same message; or notifying the secondary base station to re-trigger the reconfiguration process by using the primary base station; or notifying the secondary base station to delete the auxiliary by the primary base station Base station.

 In a fifth aspect, an embodiment of the present invention provides a method for verifying a key, where the method includes:

 The secondary base station receives the verification information sent by the user equipment, where the verification information is obtained by the user equipment, and the preset data is protected by a key derived by the user equipment and a preset algorithm, where the preset algorithm is used. Include at least one of an encryption algorithm and an integrity protection algorithm;

 The secondary base station acquires target data according to the key derived by the secondary base station, the preset algorithm, the preset data, and the verification information;

 The secondary base station determines, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

 With reference to the fifth aspect, in a first possible implementation, the method further includes: if the user equipment-derived key is different from the secondary base station-derived key, re-derive the user equipment The key or the user equipment is deleted from the secondary base station.

 With reference to the fifth aspect, in a second possible implementation manner, the verification information sent by the receiving user equipment includes:

 Receiving, by the X2 interface, the base station addition complete message from the primary base station, where the base station add complete message carries the check information; or

 Receiving, by the user equipment, a media access control message, where the media access control message carries the verification information; or

Receiving packet packet convergence protocol data sent by the user equipment, where the packet is encapsulated The aggregation protocol data carries the verification information.

 With reference to the fifth aspect, in a third possible implementation manner, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 In a sixth aspect, an embodiment of the present invention provides a method for verifying a key, where the method includes:

 The primary base station receives the verification information sent by the user equipment, where the verification information is information obtained by the user equipment, and the preset data is protected by a key derived by the user equipment and a preset algorithm, and the preset algorithm is used. Include at least one of an encryption algorithm and an integrity protection algorithm;

 The primary base station acquires target data according to the key derived by the secondary base station, the preset algorithm, the preset data, and the verification information;

 Determining, by the primary base station, whether the key derived by the user equipment and the derived key of the secondary base station are the same according to the preset data, the verification information, and the target data, to obtain a determination result;

 The primary base station sends the determination result to the secondary base station.

 With reference to the sixth aspect, in a first possible implementation, the method further includes: if the user equipment-derived key is different from the derived key of the secondary base station, deleting the user equipment The secondary base station or the user equipment is re-derived by a key.

 With reference to the sixth aspect, in a second possible implementation manner, the verification information sent by the receiving user equipment includes:

 And receiving a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information.

With reference to the sixth aspect, in a third possible implementation manner, the preset data packet Including at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 In a seventh aspect, an embodiment of the present invention provides a method for verifying a key, where the method includes:

 The user equipment decrypts the received downlink data according to the key and the preset algorithm derived by the user equipment;

 Determining, by the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;

 Sending, by the user equipment, the determination result to the secondary base station;

 The determining, by the user equipment, whether the key derived by the user equipment and the key derived by the secondary base station are the same according to the decrypted data includes:

 The user equipment acquires an internet protocol address and a port number of the decrypted data packet;

 If the Internet Protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station.

 With reference to the seventh aspect, in a first possible implementation, if the user equipment-derived key is different from the base station-derived key, the method further includes:

 Notifying the primary base station to delete the secondary base station; or

 Notifying the primary base station to re-add the secondary base station; or

 Notifying the secondary base station to re-trigger the reconfiguration process by using the primary base station; or informing the secondary base station to delete the secondary base station by using the primary base station.

In an eighth aspect, an embodiment of the present invention provides a method for verifying a key, where the method includes: Receiving, by the core network element, the data that the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm;

 Determining, by the core network element, whether the key derived by the user equipment is the same as the key derived by the secondary base station according to the decrypted data;

 Sending, by the core network element, the result of the determining to the secondary base station;

 The network element of the core network determines, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:

 Obtaining an internet protocol address and a port number of the decrypted data packet;

 If the Internet Protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station.

 With reference to the eighth aspect, in a first possible implementation, if the user equipment-derived key is different from the secondary base station-derived key, the method further includes: notifying the primary base station to delete the secondary base station ; or

 Notifying the primary base station to re-add the secondary base station; or

 Notifying the secondary base station to re-trigger the reconfiguration process by using the primary base station; or informing the secondary base station to delete the secondary base station by using the primary base station.

 With reference to the first possible implementation manner of the eighth aspect, in a second possible implementation, the notifying the primary base station to delete the secondary base station or notifying the primary base station to re-add the secondary base station includes:

 Sending, to the mobility management entity, the message that the keys are different, and forwarding, by the mobility management entity, the message that the keys are different from the primary base station, so that the primary base station receives the key After the different messages, the secondary base station is deleted or the secondary base station is re-added.

 A ninth aspect provides a base station, where the base station includes: a communication interface, a memory, and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store a computer code; and the processor executes the computer The code is used to:

Receiving verification information sent by the user equipment, where the verification information is the user equipment The preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm, where the preset data is protected by a key derived by the user equipment and a preset algorithm.

 Obtaining target data according to the key derived by the base station, the preset algorithm, the preset data, and the verification information;

 Determining, according to the preset data, the verification information, and the target data, whether a key derived by the user equipment is the same as a key derived by the base station.

 With reference to the ninth aspect, in a first possible implementation manner, the executing, by the processor, the computer code is further used to:

 And if the user equipment-derived key is different from the base station-derived key, the user equipment is re-derived or the user equipment is deleted.

 In conjunction with the ninth aspect, in a second possible implementation, the processor executing the computer code is further configured to:

 Receiving, by the X2 interface, the base station addition complete message from the primary base station, where the base station add complete message carries the check information; or

 Receiving, by the user equipment, a media access control message, where the media access control message carries the verification information; or

 Receiving packet packet convergence protocol data sent by the user equipment, where the packet packet convergence protocol data carries the verification information.

 With reference to the ninth aspect, in a third possible implementation manner, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 In conjunction with the ninth aspect, in a fourth possible implementation, the base station is a secondary base station.

A tenth aspect, a base station is provided, where the base station includes: a communication interface, a memory, a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code; and the processor executes the computer code to:

 Receiving, by the user equipment, the verification information sent by the user equipment, where the verification information is obtained by the user equipment, by using a key derived by the user equipment, and a preset algorithm, where the preset algorithm includes encryption. At least one of an algorithm and an integrity protection algorithm;

 Obtaining target data according to the key derived by the secondary base station, the preset algorithm, the preset data, and the verification information;

 Determining, according to the preset data, the verification information, and the target data, whether a key derived by the user equipment is the same as a key derived by the secondary base station, and obtaining a determination result;

 And transmitting the determination result to the secondary base station.

 With reference to the tenth aspect, in a first possible implementation, the executing the computer code by the processor is further used to:

 And if the user equipment-derived key is different from the derived key of the secondary base station, the user equipment is deleted or the user equipment is re-derived by the user equipment.

 With reference to the tenth aspect, in a second possible implementation manner, the executing the computer code by the processor is further used to:

 And receiving a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information.

 With reference to the tenth aspect, in a third possible implementation manner, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

In an eleventh aspect, a user equipment is provided, where the user equipment includes: Port, memory, processor; the communication interface for communicating with a network element, the memory for storing computer code; the processor executing the computer code for:

 Decrypting the received downlink data according to the key derived by the user equipment and a preset algorithm;

 Determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;

 Sending the determination result to the secondary base station;

 The determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:

 Obtaining an internet protocol address and a port number of the decrypted data packet; if the internet protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; Or,

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station.

 In conjunction with the eleventh aspect, in a first possible implementation, the processor executing the computer code is further configured to:

 And if the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify by the primary base station The secondary base station re-triggers the reconfiguration process; or the primary base station notifies the secondary base station to delete the secondary base station.

 The twelfth aspect provides a core network element, where the core network element includes: a communication interface, a memory, and a processor; the communication interface is configured to communicate with a network element, and the memory is used to store a computer code; The processor executes the computer code for: receiving data that the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm;

 Determining, according to the decrypted data, whether a key derived by the user equipment is the same as a key derived by the secondary base station;

 Sending the result of the determination to the secondary base station;

The determining, according to the decrypted data, the density derived by the user equipment Whether the key is the same as the key derived by the secondary base station, including:

 Obtaining an internet protocol address and a port number of the decrypted data packet; if the internet protocol address and the port number are identifiable, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; Or,

 If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is different from the key derived by the secondary base station.

 In conjunction with the twelfth aspect, in a first possible implementation, the processor executing the computer code is further configured to:

 And if the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify by the primary base station The secondary base station re-triggers the reconfiguration process; or the primary base station notifies the secondary base station to delete the secondary base station.

 In conjunction with the first possible implementation of the twelfth aspect, in a second possible implementation, the processor executing the computer code is further configured to:

 Sending, to the mobility management entity, the message that the keys are different, and forwarding, by the mobility management entity, the message that the keys are different from the primary base station, so that the primary base station receives the key After the different messages, the secondary base station is deleted or the secondary base station is re-added.

An embodiment of the present invention provides a method for verifying a key, a base station, a user equipment, and a core network element. The user equipment sends check information to the base station, where the check information is known to the user equipment and the base station. The preset data includes at least one of an encryption algorithm and an integrity protection algorithm, and the base station receives the verification information according to the information obtained by the user equipment. The same preset algorithm, the key derived by the secondary base station, and the verification information obtain target data, and determine, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the base station; or the user equipment After establishing the connection with the secondary base station, after receiving the downlink data packet, the user equipment decrypts the downlink data packet by using the key associated with the secondary base station derived by the user equipment and the corresponding security algorithm, and determines whether the data packet obtained after decryption is correct or not. Whether the key associated with the secondary base station derived from the user equipment is auxiliary The base station-derived key is the same; after the user equipment establishes a connection with the secondary base station, the core network element receives the decrypted data of the uplink data sent by the user equipment according to the base station-derived key and the preset algorithm, and determines the decrypted data. Whether the data packet is correct or not determines whether the key associated with the secondary base station derived by the user equipment is the same as the key derived by the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

DRAWINGS

 In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is a certain embodiment of the present invention, and other drawings can be obtained from those skilled in the art without any creative work.

 FIG. 1 is a schematic structural diagram 1 of a base station according to an embodiment of the present invention; FIG. 2 is a schematic flowchart of a derived key of an LTE system;

FIG. 3 is a schematic structural diagram 2 of a base station according to an embodiment of the present invention; FIG. 4 is a schematic structural diagram 1 of another base station according to an embodiment of the present invention; FIG. FIG. 6 is a schematic structural diagram of a user equipment according to an embodiment of the present invention. FIG. 7 is a schematic structural diagram of a user equipment according to an embodiment of the present invention. FIG. 8 is a schematic diagram of an embodiment of the present invention. FIG. 9 is a schematic structural diagram of a core network element according to an embodiment of the present invention. FIG. 9 is a flowchart diagram of a method for verifying a key according to an embodiment of the present invention.

A flow diagram of a method for verifying a key provided by an embodiment of the present invention

12 is a flow chart of a method for verifying a key provided by an embodiment of the present invention

A flow diagram of a method for verifying a key provided by an embodiment of the present invention Intent four;

 FIG. 14 is a flow chart 5 of a method for verifying a key according to an embodiment of the present invention; FIG.

 15 is a flow chart 6 of a method for verifying a key according to an embodiment of the present invention;

 16 is a flow chart 7 of a method for verifying a key according to an embodiment of the present invention;

 17 is a flow chart 8 of a method for verifying a key according to an embodiment of the present invention;

 FIG. 18 is a schematic structural diagram of still another base station according to an embodiment of the present invention; FIG. 19 is a schematic structural diagram of another base station according to an embodiment of the present invention; FIG. 20 is another user provided by an embodiment of the present invention. FIG. 21 is a schematic structural diagram of another core network element according to an embodiment of the present invention.

detailed description

 The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.

 The embodiment of the present invention provides a base station 20, which can serve as a secondary base station. As shown in FIG. 1, the secondary base station 20 includes: a receiving unit 21, an obtaining unit 22, and a determining unit 23.

 The receiving unit 21 is configured to receive the verification information sent by the user equipment, where the verification information is information obtained by the user equipment after the preset data is protected by the user equipment, and the preset algorithm includes the encryption. At least one of an algorithm and an integrity protection algorithm.

 The preset data may be at least one of the following:

The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, and the secondary base station a temporary identifier of the cell radio network, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary identifier of the cell radio network under the primary base station, identification data stored by the secondary base station and the user equipment, and a primary base station or a secondary base station transmitted to the user Device data, specific numbers.

 For the convenience of description, the following describes the derivative relationship of the security key in the LTE system. The keys on the UE side of the LTE system and the Evolved Packet System (EPS) are independent of each other. , Key derivation Functions (KDF) are graded 4, and 3⁄4 port is shown in Figure 2:

K is a key stored in the Universal Subscriber Identity Module (USIM) and Authentication Center (AuC). It is a permanent fixed key and is the basis of all key generation algorithms.

 CK is a key derived from K for encryption, and IK is a key derived from K for integrity protection. Both CK and IK are located in the UE and Home Subscriber Server (HSS).

K _ASME is a key derived from the UE and HS S using CK and IK.

The K _eNB is derived from K _ASME or derived by the UE and the eNB, and is used to derive various keys of the Access Stratum (AS).

The next hop (NH) is a key obtained by the UE and the Mobility Management Entity (MME) through K _ASME ^i, which is a type of eNB key.

 Key to the user plane service:

The K _UPenc UE and the eNB are derived by using the K _eNB and the encryption algorithm to protect user plane service data;

The K _UPint is derived by the UE and the eNB through the K _eNB and the integrity protection algorithm, and is used to protect user data between the relay node (RN) and the donor base station (Donor eNB, DeNB).

 Radio Resource Control (RRC) related keys:

K _RRCint is derived by the UE and the eNB through the KeNB and the integrity protection algorithm. For protecting RRC messages;

The K _RRC enc is derived by the UE and the eNB through the KeNB and the encryption algorithm, and is used to protect the RRC message.

K _{NA S} enc is a key derived by the UE and the MME according to KASME, and is used to protect the non-access stratum (Non-Access-Stratum, NAS) stream using an encryption algorithm.

K _{NA S in} t is a key derived by the UE and the MME according to K _ASME , and is used to protect the NAS flow using an integrity protection algorithm.

 Specifically, the user equipment-derived key associated with the secondary base station may include at least one of the following: KeNB, KuP enc, KuP int. , KRRCint, RRCenc.

Exemplarily, the user equipment obtains the verification information by using an encryption algorithm and K _UPenc to protect the cell identifier under the secondary base station.

 Optionally, the receiving unit 21 may be specifically configured to:

 Receiving, by the X2 interface, a base station addition completion message from the primary base station, and the base station addition completion message carries the verification information; or

 Receiving a media access control message sent by the user equipment, where the media access control message carries the verification information; or

 Receiving packet packet convergence protocol data sent by the user equipment, and the packet packet convergence protocol data carries verification information.

 For example, the verification information may be included in the RRC Connection Reconfiguration Complete message sent by the UE to the primary base station, and the primary base station sends the base station addition complete message to the secondary base station after receiving the verification information. The verification information is carried in the middle.

 Specifically, carrying the verification information in the radio resource connection reconfiguration complete message may be implemented by adding security confirmation information (securityConfirmation). For example, it can be implemented by the following code:

 RRC Connection Reconfiguration Complete Message

 -- ASN 1 START

RRCConnectionReconfigurationComplete:: rrc-Transactionldentifier RRC-Transactionldentifier criticalExtensions CHOICE {

 rrcConnectionReconfigurationComplete-r8

RRCConnectionReconfigurationComplete-r8-IEs,

 criticalExtensionsFuture SEQUENCE { }

 }

 }

RRCConnectionReconfigurationComplete-r8-IEs : := SEQUENCE

{

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v8aO-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-v8aO-IEs : :=

SEQUENCE {

 lateNonCriticalExtension OCTET STRING

 OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v l 020-IEs OPTIONAL }

RRCConnectionReconfigurationComplete-v l 020-IEs : :=

SEQUENCE {

 rlf-InfoAvailable-r l O ENUMERATED {true }

 OPTIONAL,

 logMeasAvailable-rl O ENUMERATED {true }

OPTIONAL, nonCriticalExtension

 RRCConnectionReconfigurationComplete-v l l 30-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-v l 130-IEs ::=

SEQUENCE {

 connEstFaillnfoAvailable-r l 1 ENUMERATED {true }

 OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v l 2xx-IEs

 OPTIONAL

 }

RRCConnectionReconfigurationComplete-v l 2xx-IEs : :=

SEQUENCE {

 securityConfirmation OCTET STRING

 OPTIONAL,

 nonCriticalExtension SEQUENCE { }

 OPTIONAL

 }

- ASN 1 STOP

 The securityConfirmation can be in the form of a byte stream ( OCTET STRING ) or a bit string ( BIT STRING (SIZE (xx)).

Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code: security Confirmationlnput: := SEQUENCE { cellldentity Cellldentity _: physCellld PhysCellld c-RNTI C-RNTI

- ASN 1 STOP

 The UE generates a securityConfirmation, which may be an integrity protection result of using a integrity protection algorithm and an integrity protection algorithm for the security Confirmationlnput; or may be an encryption result of using the encryption algorithm and the encryption algorithm of the encryption algorithm for the securityConfirmationlnput; Or a combination of the two.

4. The securityConfirmation is the result of the K _UPenc calculation performed by the UE using the force-to-sense algorithm and the secondary base station, and the primary base station sends a base station adding force completion message to the secondary base station through the X2 interface, wherein the base station adds a force completion message. Carrying securityConfirmation, the sub-base 4 owes i'J securityConfirmation.

 Or, exemplarily, if the verification information is included in a Medium Access Control (MAC) message sent by the user equipment, specifically by adding a securityConfirmation in the MAC message.

 For example, a new logical channel identifier (LCID) value can be newly introduced to represent securityConfirmation, for example, using 0101 1 , where L is the length of the securityConfirmation, where the securityConfirmation is a fixed length, and there can be no L. Put in securityConfirmation. The current LCID value can also be reused, the securityConfirmation can be added to the existing MAC message or the securityConfirmation can be directly transmitted by the UE as data transmission or through the physical layer.

 Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code:

 securityConfirmationlnput: := SEQUENCE { cellldentity Cellldentity,

physCellld PhysCellld, c-RNTI C-RNTI

- ASN 1 STOP

 The UE generates a securityConfirmation, which may be an integrity protection result of the key calculation used by the security protection algorithm and the integrity protection algorithm of the securityConfirmationlnput; or may be the encryption of the security secret algorithm and the key calculation of the force secret algorithm. The result; or a combination of the two.

It is assumed that securityConfirmation is the result of the UE using the integrity protection algorithm and the derived K _UPint or K _RRCint calculation related to the secondary base station, and the securityConfirmation is added to the MAC message sent by the UE to the secondary base station, and the secondary base station receives the securityConfirmation.

 Alternatively, the verification information may also be included in Packet Data Convergence Protocol (PDCP) data sent by the user equipment.

 Exemplarily, the verification information may be securityConfirmation, the preset data is securityConfirmationlnput, the UE generates a securityConfirmation, and may be an integrity protection result of the key calculation of the integrity protection algorithm and the integrity protection algorithm of the securityConfirmationlnput; or may be The securityConfirmationlnput uses the force secret algorithm and the result of the encryption calculated by the key of the force secret algorithm; or a combination of the two.

 Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code:

 securityConfirmationlnput: := SEQUENCE { cellldentity Cellldentity,

 physCellld PhysCellld,

 c-RNTI C-RNTI

 }

 - ASN 1 STOP

4 security securityConfirmation is the use of the force secret algorithm and the secondary and secondary As a result of the K _UPenc calculation performed by the station, the primary base station sends a base station adding force completion message to the secondary base station through the X2 interface, wherein the base station adding force completion message carries securityConfirmation, and the secondary base occupies 4 owing i'J securityConfirmation.

 The obtaining unit 22 is configured to acquire target data according to a key derived by the base station, a preset algorithm, preset data, and verification information.

Exemplarily, it is assumed that the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the calculation of the securityConfirmationlnput by the UE using the power secret algorithm and the derived _KUPenc related to the secondary base station, and the securityConfirmation is added to the primary base station. The base station adds the completion message to the secondary base station. After receiving the securityConfirmation, the secondary base station _decrypts the securityConfirmation according to the encryption algorithm and its own derived K _UPen to obtain a new SecurityConfirmationInstance.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the UE using the integrity protection algorithm and the derived K _UPint or K _{RRCint related} to the security base station, and the securityConfirmationlnput, securityConfirmation In the MAC message sent by the UE to the secondary base station, the secondary base station receives the securityConfirmation and performs integrity protection calculation on the securityConfirmationlnput saved by the integrity protection algorithm and its own derived K _UPint or K _RRCint to obtain a new securityConfirmation.

Or, exemplarily, it is assumed that the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is used by the UE. The secret algorithm and the derived K _UPenc related to the secondary base station calculate the result of the securityConfirmationlnput, the securityConfirmation is added to the PDCP data sent by the UE to the secondary base station, and the secondary base station receives the securityConfirmation and then according to the encryption algorithm and the self-derived K _UPenc pair check information. Perform a decryption calculation to get a new SecurityConfirmationlnpu

The determining unit 23 is configured to determine, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the derived key of the base station. Exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput. The verification information is the result of the UE using the integrity protection algorithm and the derived K _{UPint related} to the security base station. The securityConfirmationlnput is the UE and the secondary base station. The cell identification data of a secondary base station is stored. After receiving the securityConfirmation, the secondary base station _performs a security protection calculation on the securityConfirmationlnput according to the integrity protection algorithm and its own derived K _UPint to obtain a new securityConfirmation, and determines the new securityConfirmation and the received securityConfirmation. are the same, then the same as if _a UE-derived _"1111 to the secondary base station and the secondary base station itself associated with the derived _K UPin S, or not identical.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the UE using the integrity protection algorithm and the derived K _RRCint related to the security base station to calculate the securityConfirmationlnput, the securityConfirmationlnput is the UE and The secondary base station stores the cell identification data of a secondary base station. After receiving the securityConfirmation, the secondary base station performs a security protection calculation on the securityConfirmationlnput according to the integrity protection algorithm and its own derived K _RRCint to obtain a new securityConfirmation, and judges the new securityConfirmation and the connection. securityConfirmation to L is the same, if the same description of the same UE-derived K _RRCint the secondary base station and the secondary base station associated derived K _RRCint itself, or not identical.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is that the UE uses the integrity protection algorithm and the derived _KUPint related to the secondary base station to protect the securityConfirmationlnput integrity and obtain the intermediate variable securityConfirmationTemp. Then, using the encryption algorithm and the derived K _UPenc securityConfirmationTem associated with the secondary base station, j securityConfirmation is obtained. After the secondary base occupies ^L ^j securityConfirmation, the secondary base station first uses the encryption algorithm and its own derived K _UPenc to decrypt the securityConfirmation and obtains the i'j securityConfirmationTem, and then uses the integrity protection algorithm and derived for the securityConfirmationlnput stored by itself. _K UPint the new integrity protection securityConfirmationTemp obtained, and then determining new securityConfirmationTem ^ ^$]] the decrypted security Confirmation securityConfirmationTemp are the same, the same as if the UE described shellfish ¹ J ^ [raw sewage associated with secondary base station K _UPenc K _{UPint is the} same as K _UPenc and K _UPint derived from the secondary base station itself, otherwise it is different.

 Optionally, as shown in FIG. 3, the secondary base station 20 further includes:

 The resetting unit 24 is configured to: if the key derived by the user equipment is different from the derived key of the base station, enable the user equipment to re-derivate the key or delete the base station by the user equipment.

Exemplarily, it is assumed that the result of the judgment by the judging unit 23 is that after the integrity protection is performed, the i'J new security Confirmation is different from the i iJ security Confirmation, and the UE-derived sub-base station is associated with the ₁ ^ ₁₁₁₁ and the auxiliary. The base station itself is different from the 1st _1111. Then, the secondary base station can notify the UE to delete the secondary base station or cause the UE to re-derivate the key associated with the secondary base station.

 The embodiment of the present invention provides a base station, which receives the verification information sent by the user equipment, and the verification information is information obtained by the user equipment after the preset data is protected by the user equipment, and the preset algorithm is used. The method includes: at least one of an encryption algorithm and an integrity protection algorithm; acquiring target data according to a key derived by the base station, a preset algorithm, preset data, and verification information; determining the user equipment according to the preset data, the verification information, and the target data; Whether the derived key is the same as the key derived by the base station. It is possible to check whether the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 The embodiment of the present invention further provides a base station 30, which can serve as a primary base station. As shown in FIG. 4, the primary base station 30 includes: a receiving unit 3 1 , an obtaining unit 32, a determining unit 33, and a transmitting unit 34.

 The receiving unit 3 1 is configured to receive the verification information sent by the user equipment, where the verification information is information obtained by the user equipment after the preset data is protected by the user equipment, and the preset algorithm includes an encryption algorithm. At least one of integrity protection algorithms.

Specifically, the primary base station receives the radio resource control that is sent by the UE and includes the verification information. Message. For example, the radio resource control message may be an RRC Connection Reconfiguration Complete Message, where the verification information is included.

 Optionally, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 The obtaining unit 32 is configured to acquire target data according to a key derived by the secondary base station, a preset algorithm, preset data, and check information.

Exemplarily, the primary base station performs the check received from the receiving unit 31 according to the encryption algorithm and the K _UPenc derived from the secondary base station (where K _UPenc is obtained by the primary base station using the same key derivation process as the secondary base station). The information is decrypted to obtain the target data.

 The determining unit 33 is configured to determine, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment and the derived key of the secondary base station are the same, and the judgment result is obtained.

Exemplarily, the target data is data that the UE protects the preset data by using the user equipment-derived K _UPenc and the encryption algorithm, and the target data is K _UPem derived from the primary base station according to the encryption algorithm and the secondary base station _; (K _UPem here) _; is obtained from the primary base station uses the same key derivation process and the secondary base station) for data obtained by the decryption to check information received from the receiving unit 31 to the primary base station determines whether the target data with the preset data to get the same result of determination .

 The sending unit 34 is configured to send the determination result to the secondary base station.

 Exemplarily, the primary base station notifies the secondary base station of the determination result through the X2 interface.

 Optionally, as shown in FIG. 5, the primary base station 30 further includes:

 The resetting unit 35 is configured to: if the key derived by the user equipment is different from the derived key of the secondary base station, enable the user equipment to delete the secondary base station or re-derivate the key by the user equipment.

An embodiment of the present invention provides a base station, which receives verification information sent by a user equipment, where the verification information is a key derived by the user equipment for the preset data by using the user equipment, and is preset. The information obtained by the method after the protection is performed, the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; and the target data is obtained according to a key derived by the secondary base station, a preset algorithm, preset data, and verification information; The data, the verification information, and the target data are determined to determine whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the determination result is obtained; and the determination result is sent to the secondary base station. It is possible to check whether the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 The embodiment of the present invention further provides a user equipment 40. As shown in FIG. 6, the user equipment 40 includes: a decryption unit 41, a determination unit 42, and a transmission unit 43.

 The decrypting unit 41 is configured to decrypt the received downlink data according to a key derived by the user equipment and a preset algorithm.

 Exemplarily, the preset algorithm may be an encryption algorithm, and a connection is established between the UE and the secondary base station, and the UE decrypts the encrypted downlink data received from the network side according to the key and encryption algorithm derived by the UE, and then obtains The Internet Protocol (IP) is the only one.

 The determining unit 42 is configured to determine, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

 Specifically, the determining unit 42 is configured to:

 Obtaining the Internet Protocol address and port number of the decrypted data packet;

 Identify the internet protocol address and port number of the data packet;

 If the Internet Protocol address and port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the user equipment derived key is not the same as the secondary base station derived key.

 Exemplarily, the determining unit 42 receives the IP packet from the decryption unit 41, and obtains the IP address and port number of the IP file. If the IP address and the port number can be identified, the IP packet is sent to the corresponding application, and It is also indicated that the UE-derived key associated with the secondary base station and the secondary base-derived related key are the same; or,

If the IP address and/or port number cannot be identified, the IP packet is an error packet and It is indicated that the UE-derived key associated with the secondary base station is different from the associated key derived by the secondary base station.

 The sending unit 43 is configured to send a determination result to the secondary base station.

 Exemplarily, the UE sends the judgment result obtained by the determining unit 42 to the secondary base station through the primary base station.

 Optionally, as shown in FIG. 7, the user equipment 40 further includes:

 The notification unit 44 is configured to notify the primary base station to delete the secondary base station if the key derived by the user equipment is different from the key generated by the secondary base station, or notify the primary base station to re-add the secondary base station, or notify the base station of the secondary base station by using the primary base station. The reconfiguration process is re-triggered; or the secondary base station is notified by the primary base station to delete the secondary base station.

 Exemplarily, if the UE-derived key associated with the secondary base station is different from the secondary base-derived related key, the user equipment 40 may notify the primary base station that the secondary base station has a problem, and may indicate which bearer of the secondary base station is out. The problem is that the bearer identifier is carried in the indication, the primary base station determines that the secondary base station has a problem, deletes the secondary base station, or causes the primary base station to re-add the secondary base station; or the user equipment 40 can notify the secondary base station to restart the re-trigger by the primary base station. The connection with the UE is configured; or the user equipment 40 notifies the secondary base station to delete the secondary base station by the primary base station.

 An embodiment of the present invention provides a user equipment, which decrypts received downlink data according to a key derived by the user equipment and a preset algorithm, and determines, according to the decrypted data, a key derived by the user equipment and a key derived by the secondary base station. Whether they are the same; send the judgment result to the secondary base station. It is possible to check whether the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 An embodiment of the present invention provides a core network element 50. As shown in FIG. 8, the core network element 50 includes:

 The receiving unit 5 1, the judging unit 52, and the transmitting unit 53.

 The receiving unit 5 1 is configured to receive data that is decrypted by the secondary base station according to the key derived by the secondary base station and the uplink data sent by the user equipment according to a preset algorithm.

Exemplarily, where the preset data may be an encryption algorithm between the UE and the secondary base station A connection has been established, and the secondary base station decrypts the encrypted uplink data received from the UE according to the key and encryption algorithm derived from the UE to obtain an Internet Protocol (IP) packet, and sends the IP packet to the core network element. The core network element receives the IP packet.

 The determining unit 52 is configured to determine, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

 Specifically, the determining unit 52 is configured to:

 Obtaining the Internet Protocol address and port number of the decrypted data packet;

 Identify the internet protocol address and port number of the data packet;

 If the Internet Protocol address and port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the key derived by the user equipment is not the same as the key derived by the secondary base station.

 Exemplarily, the determining unit 52 receives the IP packet from the receiving unit 51, and obtains the IP address and the port number of the IP file. If the IP address and the port number can be identified, the IP packet is correct, and the UE-derived The key associated with the secondary base station and the associated key derived by the secondary base station are the same; or,

 If the IP address and/or port number cannot be identified, the IP packet is an error packet, and the UE-derived key associated with the secondary base station and the secondary base-derived related key are different.

 Optionally, as shown in FIG. 9, the core network element 50 further includes:

 The notification unit 54 is configured to: if the key derived by the user equipment is different from the key derived by the secondary base station, the core network element notifies the primary base station to delete the secondary base station; or the core network element notifies the primary base station to re-add the secondary base station; or The core network element notifies the secondary base station to re-trigger the reconfiguration process by the primary base station; or the core network element notifies the secondary base station to delete the secondary base station by the primary base station.

 Optionally, the notification unit 54 can be specifically configured to:

Sending a message with a different key to the mobility management entity, and forwarding, by the mobility management entity, the message that the key is different from the primary base station, so that the primary base station receives the message after the key is different, and then deletes the secondary base station or Re-add the secondary base station; or pass the primary base station It is known that the secondary base station re-triggers the reconfiguration process; or the primary base station notifies the secondary base station to delete the secondary base station.

 Exemplarily, if the UE-derived key associated with the secondary base station is different from the secondary base-derived related key, the core network element 50 may notify the primary base station through the MME or directly notify the primary base station that the secondary base station has a problem. At the same time, it may indicate that the bearer of the secondary base station has a problem, that is, the bearer identifier is carried in the indication, and the primary base station determines that the secondary base station has a problem, deletes the secondary base station, or causes the primary base station to re-add the secondary base station; or the core network element 50 The secondary base station may be notified to re-trigger the reconfiguration of the connection with the UE; or the core network element 50 notifies the secondary base station to delete the secondary base station by the primary base station.

 An embodiment of the present invention provides a core network element, where the receiving base station decrypts the uplink data sent by the user equipment according to the key derived by the base station and a preset algorithm; and determines the key derived by the user equipment according to the decrypted data. Whether the key derived from the secondary base station is the same; the result of the judgment is sent to the secondary base station. It is possible to verify that the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 An embodiment of the present invention provides a method for verifying a key. Based on the secondary base station, as shown in FIG. 10, the method includes:

 5 101. The secondary base station receives the verification information sent by the user equipment.

 The verification information is obtained by the user equipment, and the preset data includes at least one of an encryption algorithm and a integrity protection algorithm.

 5 102. The secondary base station acquires the target data according to the key, the preset algorithm, the preset data, and the verification information derived by the secondary base station.

 5: The secondary base station determines, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

An embodiment of the present invention provides a method for verifying a key. The secondary base station receives the verification information sent by the user equipment, and the verification information is that the user equipment protects the preset data by using a key derived by the user equipment and a preset algorithm. The obtained information, the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station is derived from the secondary base station itself The key, the preset algorithm, the preset data, and the verification information acquire the target data; the secondary base station determines, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station itself. It is possible to check whether the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 In order to enable a person skilled in the art to more clearly understand the technical solution provided by the embodiment of the present invention, a method for providing a verification key based on a secondary base station according to an embodiment of the present invention is described in detail below by using a specific embodiment, as shown in FIG. 1 . As shown in 1, the method includes:

S201. The secondary base station receives the verification information sent by the user equipment.

 The verification information is information obtained by the user equipment after the preset data is protected by the user-derived key, encryption algorithm, and/or integrity protection algorithm.

 The preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 Specifically, the secondary base station receives the base station addition completion message from the primary base station by using the X2 interface, and the base station addition completion message carries the verification information; or

 The secondary base station receives the media access control message sent by the user equipment, where the media access control message carries the verification information; or

 Receiving packet packet convergence protocol data sent by the user equipment, the packet packet convergence protocol data carrying the verification information.

 For example, the verification information may be included in the RRC Connection Reconfiguration Complete message sent by the UE to the primary base station. After receiving the verification information, the primary base station sends the verification information to the secondary base station to send the verification information to the secondary base station.

Specifically, carrying the verification information in the radio resource connection reconfiguration complete message may be implemented by adding a security interface securityConfirmation. For example, it can be implemented by the following code: RRC Connection Reconfiguration Complete Message

 - ASN 1 START

RRCConnectionReconfigurationComplete : := SEQUENCE { rrc-Transactionldentifier RRC-Transactionldentifier, criticalExtensions CHOICE {

 rrcConnectionReconfigurationComplete-r8

RRCConnectionReconfigurationComplete-r8-IEs,

 criticalExtensionsFuture SEQUENCE { }

 }

 }

RRCConnectionReconfigurationComplete-r8-IEs : := SEQUENCE

{

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v8aO-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-v8aO-IEs : :=

SEQUENCE {

 lateNonCriticalExtension OCTET STRING

 OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v l 020-IEs OPTIONAL }

RRCConnectionReconfigurationComplete-v l 020-IEs : :=

SEQUENCE { rlf-InfoAvailable-rlO ENUMERATED {true}

OPTIONAL,

 logMeasAvailable-rlO ENUMERATED {true}

 OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-vll 30-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-vl 130-IEs : :=

SEQUENCE {

 connEstFaillnfoAvailable-rl 1 ENUMERATED {true}

 OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-vl2xx-IEs

 OPTIONAL

 }

RRCConnectionReconfigurationComplete-vl2xx-IEs : SEQUENCE {

 securityConfirmation OCTET STRING

 OPTIONAL,

 nonCriticalExtension SEQUENCE {}

 OPTIONAL

 }

- ASNISTOP

 The Security Confirmation can be in the form of OCTET STRING or BIT STRING (SIZE (xx).

SEQUENCE { cellldentity Cellldentity_: physCellld PhysCellld c-RNTI C-RNTI Exemplarily, selecting the preset data in securityConfirmation can be passed The following code is implemented:

SEQUENCE { cellldentity Cellldentity _: physCellld PhysCellld c-RNTI C-RNTI

- ASN 1 STOP

 The UE generates a securityConfirmation, which may be an integrity protection result of the key calculation used by the security protection algorithm and the integrity protection algorithm of the securityConfirmationlnput; or may be the encryption of the security secret algorithm and the key calculation of the force secret algorithm. The result; or a combination of the two.

4. The securityConfirmation is the result of the K _UPenc calculation performed by the UE using the force-to-sense algorithm and the secondary base station, and the primary base station sends a base station adding force completion message to the secondary base station through the X2 interface, wherein the base station adds a force completion message. Carrying securityConfirmation, the sub-base 4 owes i'J securityConfirmation.

 Or, exemplarily, if the verification information is included in the MAC message sent by the user equipment, specifically by adding a securityConfirmation in the MAC message.

For example, a new LCID value can be newly introduced to represent securityConfirmation, for example, using 0101 1 , where L is the length of the securityConfirmation, where the securityConfirmation is a fixed length, and can be directly placed into the securityConfirmation without L. The current LCID value can also be reused, the securityConfirmation can be added to the existing MAC message or the securityConfirmation can be directly transmitted by the UE as data transmission or through the physical layer. Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code:

 securityConfirmationlnput:: SEQUENCE { cellldentity Cellldentity,

 physCellld PhysCellld

 c-RNTI C-RNTI

- ASN 1 STOP

 The UE generates a securityConfirmation, which may be an integrity protection result of the key calculation used by the security protection algorithm and the integrity protection algorithm of the securityConfirmationlnput; or may be the encryption of the security secret algorithm and the key calculation of the force secret algorithm. The result; or a combination of the two.

It is assumed that securityConfirmation is the result of the UE using the integrity protection algorithm and the derived K _UPint or K _RRCint calculation related to the secondary base station, and the securityConfirmation is added to the MAC message sent by the UE to the secondary base station, and the secondary base station receives the securityConfirmation.

 Alternatively, the verification information may also be included in Packet Data Convergence Protocol (PDCP) data sent by the user equipment.

 Exemplarily, the verification information may be a securityConfirmation, and the UE generates a securityConfirmation, which may be an integrity protection result of the key calculation used by the securityConfirmationlnput: 3⁄4 integrity protection algorithm and the integrity protection algorithm; or may be a security secret to the securityConfirmationlnput The algorithm and the result of the encryption of the key calculation of the force-to-mouth algorithm; or a combination of the two.

 Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code:

 securityConfirmationlnput: := SEQUENCE { cellldentity Cellldentity,

physCellld PhysCellld, c-RNTI C-RNTI

- ASN 1 STOP

4. The securityConfirmation is the result of the K _UPenc calculation performed by the UE using the force-to-sense algorithm and the secondary base station, and the primary base station sends a base station adding force completion message to the secondary base station through the X2 interface, wherein the base station adds a force completion message. Carrying securityConfirmation, the sub-base 4 owes i'J securityConfirmation.

 S202. The secondary base station acquires target data according to a key, a preset algorithm, preset data, and check information derived by the secondary base station.

Exemplarily, it is assumed that the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the calculation of the securityConfirmationlnput by the UE using the power secret algorithm and the derived _KUPenc related to the secondary base station, and the securityConfirmation is added to the primary base station. The base station adds the completion message to the secondary base station. After receiving the securityConfirmation, the secondary base station decrypts the securityConfirmation according to the encryption algorithm and its own derived K _UPenc to obtain a new SecurityConfirmationInstance.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the UE using the integrity protection algorithm and the derived K _UPint or K _{RRCint related} to the security base station, and the securityConfirmationlnput, securityConfirmation In the MAC message sent by the UE to the secondary base station, the secondary base station receives the securityConfirmation and performs integrity protection calculation on the securityConfirmationlnput saved by the integrity protection algorithm and its own derived K _UPint or K _RRCint to obtain a new securityConfirmation.

Or, exemplarily, it is assumed that the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is used by the UE. The secret algorithm and the derived K _UPenc related to the secondary base station calculate the result of the securityConfirmationlnput, the securityConfirmation is added to the PDCP data sent by the UE to the secondary base station, and the secondary base station receives the securityConfirmation and derives according to the encryption algorithm and itself. The K _UPenc checksum is decrypted to obtain a new SecurityConfirmationlnput.

S203. The secondary base station determines, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station itself.

Exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput. The verification information is the result of the UE using the integrity protection algorithm and the derived K _{UPint related} to the security base station. The securityConfirmationlnput is the UE and the secondary base station. The cell identification data of one secondary base station is stored, and after receiving the securityConfirmation, the secondary base station performs a complete securityConfirmation on the securityConfirmationlnput according to the integrity protection algorithm and the self-derived K _UPint to obtain a new securityConfirmation, and determines the new securityConfirmation and the received Whether the securityConfirmation is the same, if it is, it indicates that the UE-derived K _UPint related to the secondary base station is the same as the K _UPin S derived by the secondary base station itself, otherwise it is different.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the UE using the integrity protection algorithm and the derived K _RRCint related to the security base station to calculate the securityConfirmationlnput, the securityConfirmationlnput is the UE and The secondary base station stores the cell identification data of a secondary base station. After receiving the securityConfirmation, the secondary base station performs a security protection calculation on the securityConfirmationlnput according to the integrity protection algorithm and its own derived K _RRCint to obtain a new securityConfirmation, and judges the new securityConfirmation and the connection. securityConfirmation to L is the same, if the same description of the same UE-derived K _RRCint the secondary base station and the secondary base station associated derived K _RRCint itself, or not identical.

Or, exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is that the UE uses the integrity protection algorithm and the derived _KUPint related to the secondary base station to protect the securityConfirmationlnput integrity and obtain the intermediate variable securityConfirmationTemp. Then, using the encryption algorithm and the derived K _UPenc securityConfirmationTem associated with the secondary base station, j securityConfirmation is obtained. Auxiliary base occupation ^L ^j securityConfirmation After that, the secondary base station uses the encryption algorithm and its own derived K _UPenc to decrypt the securityConfirmation and obtain the i'j securityConfirmationTem, and then uses the integrity protection algorithm and the derived K _UPint integrity protection for the stored securityConfirmationlnput to obtain a new securityConfirmationTemp. new securityConfirmationTem ^ are the same and the ground i'J securityConfirmation obtained decrypted securityConfirmationTemp, if the same shellfish described the UE ¹ J ^ [associated with secondary base station K _UPenc raw _sewage, K UPint to the secondary station itself derived K _UPenc, K _UPint corresponds to the same, otherwise it is not the same.

 S204. If the key derived by the user equipment is different from the key derived by the secondary base station, the secondary base station causes the user equipment to delete the secondary base station or re-derivate the key.

Exemplarily, it is assumed that the result of the step S203 is that the integrity protection i'J r securityConfirmation is different from the securityConfirmation, indicating that the UE-derived K _UPint related to the secondary base station is different from the secondary base station derived 1^ _1111. Then, the secondary base station may notify the UE to delete the secondary base station or cause the UE to re-derived the key associated with the secondary base station.

 An embodiment of the present invention provides a method for verifying a key. The secondary base station receives the verification information sent by the user equipment, and the verification information is that the user equipment protects the preset data by using a key derived by the user equipment and a preset algorithm. The obtained information, the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station acquires target data according to a key derived by the secondary base station itself, a preset algorithm, preset data, and check information; The preset data, the verification information, and the target data determine whether the key derived by the user equipment is the same as the key derived by the secondary base station itself. It is possible to check whether the key between the user equipment and the secondary base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

 An embodiment of the present invention provides a method for verifying a key. Based on a primary base station, as shown in FIG. 12, the method includes:

 S301. The primary base station receives the verification information sent by the user equipment.

The verification information is information obtained by the user equipment after the preset data is protected by the user equipment-derived key and the preset algorithm, and the preset algorithm includes an encryption algorithm. At least one of the integrity protection algorithms.

 S302. The primary base station acquires target data according to a key derived by the secondary base station, a preset algorithm, preset data, and check information.

 5303. The primary base station determines, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the determination result is obtained.

 5304. The primary base station sends the determination result to the secondary base station.

 An embodiment of the present invention provides a method for verifying a key. The primary base station receives the verification information sent by the user equipment, and the verification information is that the user equipment protects the preset data by using a key derived by the user equipment and a preset algorithm. The obtained information, the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the primary base station acquires target data according to a key derived from the secondary base station, a preset algorithm, preset data, and check information; The data, the verification information, and the target data are determined to determine whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the judgment result is obtained; the primary base station sends the determination result to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

 In order to enable a person skilled in the art to more clearly understand the technical solution provided by the embodiment of the present invention, a method for providing a verification key based on a primary base station according to an embodiment of the present invention is described in detail below by using a specific embodiment, as shown in FIG. As shown, the method includes:

S401. The primary base station receives the verification information sent by the user equipment.

 The verification information is obtained by the user equipment, and the preset data includes at least one of an encryption algorithm and a integrity protection algorithm.

 The preset data includes at least one of the following:

a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers. Specifically, the primary base station receives the radio resource control message that is sent by the UE and includes the verification information. For example, the radio resource control message may be an RRC Connection Reconfiguration Complete Message, where the verification information is included.

 For example, the verification information may be included in the RRC Connection Reconfiguration Complete message sent by the UE to the primary base station. After receiving the verification information, the primary base station sends the verification information to the secondary base station to send the verification information to the secondary base station.

 Specifically, carrying the verification information in the radio resource connection reconfiguration complete message may be implemented by adding a security interface.

 For example, it can be implemented by the following code:

 RRC Connection Reconfiguration Complete Message

 -- ASN 1 START

RRCConnectionReconfigurationComplete : := SEQUENCE { rrc-Transactionldentifier RRC-Transactionldentifier, criticalExtensions CHOICE {

 rrcConnectionReconfigurationComplete-r8

RRCConnectionReconfigurationComplete-r8-IEs,

 criticalExtensionsFuture SEQUENCE { }

 }

 }

RRCConnectionReconfigurationComplete-r8-IEs : := SEQUENCE

{

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-v8aO-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-v8aO-IEs : : 2 SEQUENCE {

 lateNonCriticalExtension OCTET STRING

 OPTIONAL,

 nonCriticalEx tension

 RRCConnectionReconfigurationComplete-vl020-IEs OPTIONAL

} CConnection econfigurationComplete-vl020-IEs SEQUENCE {

 rlf-InfoAvailable-rlO ENUMERATED {true}

 OPTIONAL,

 logMeasAvailable-rlO ENUMERATED {true}

OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-vll30-IEs OPTIONAL

}

RRCConnectionReconfigurationComplete-vl 130-IEs

SEQUENCE {

 connEstFaillnfoAvailable-rl 1 ENUMERATED {true}

OPTIONAL,

 nonCriticalExtension

 RRCConnectionReconfigurationComplete-vl2xx-IEs

 OPTIONAL

 }

RRCConnection econfigurationComplete-vl2xx-IEs

SEQUENCE {

securityConfirmation OCTET STRING OPTIONAL

 nonCriticalExtension SEQUENCE { }

 OPTIONAL

 }

- ASN 1 STOP

 The Security Confirmation can be in the form of OCTET STRING or BIT STRING (SIZE (xx).

 Exemplarily, selecting the preset data in securityConfirmation can be implemented by the following code: securityConfirmationlnput: := SEQUENCE { cellldentity Cellldentity, physCellld PhysCellld, c-RNTI C-RNTI

}

- ASN 1 STOP

 The UE generates a securityConfirmation, which may be an integrity protection result of the key calculation used by the security protection algorithm and the integrity protection algorithm of the securityConfirmationlnput; or may be the encryption of the security secret algorithm and the key calculation of the force secret algorithm. The result; or a combination of the two.

4 security securityConfirmation is the result of the K _UPenc calculation performed by the UE using the power secret algorithm and the secondary base station, and the UE sends an RRC Connection Reconfiguration Complete Message to the primary base station, where the RRC Connection Reconfiguration Complete Message carries the securityConfirmation, and the primary base station receives Go to securityConfirmation. S402. The primary base station acquires target data according to a key derived by the secondary base station, a preset algorithm, preset data, and check information.

Exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput, and the verification information is a result of the UE using the integrity protection algorithm and the derived K _UPint related to the secondary base station to calculate the securityConfirmationlnput, the securityConfirmation is In the RRC Connection Reconfiguration Complete Message sent by the UE to the primary base station, the primary base station receives the securityConfirmation according to the integrity protection algorithm and the K _UPint derived from the secondary base station itself (where K _UPint is used by the primary base station to use the same key as the secondary base station) The derived process gets) The integrity protection of securityConfirmationlnput gets a new securityConfirmation.

 The primary base station determines, according to the preset data, the target data, and the check information, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the judgment result is obtained.

Exemplarily, the verification information is securityConfirmation, and the preset data is securityConfirmationlnput. The verification information is the result of the UE using the integrity protection algorithm and the derived K _{UPint related} to the security base station. The securityConfirmationlnput is the UE and the secondary base station. The cell identification data of one secondary base station is stored. After receiving the securityConfirmation, the primary base station uses the _KUPint derived from the integrity protection algorithm and the secondary base station itself (here! ^^^ is the same key used by the primary base station as the secondary base station) The derivation process obtains a security protection for the securityConfirmationlnput to obtain a new securityConfirmation, and judges whether the new securityConfirmation is the same as the received securityConfirmation. If they are the same, the UE-derived sub-base station-related _{1 -1111} and the secondary base station-derived K are derived. _UPin S is the same, otherwise it is not the same.

 S404. The primary base station sends the determination result to the secondary base station.

 Exemplarily, the primary base station sends the result of the step S303 to the secondary base station through the X2 interface.

S405: If the key derived by the user equipment is different from the derived key of the secondary base station, the user equipment is deleted or the user equipment is re-derived. Exemplarily, it is assumed that the result that the primary base station determines to the secondary base station is: the UE-derived K _UPint associated with the secondary base station and the secondary base station itself are derived! ^^^ is not the same, then the secondary base station can notify the UE to delete the secondary base station or cause the UE to regenerate the key associated with the secondary base station.

 An embodiment of the present invention provides a method for verifying a key, which receives verification information sent by a user equipment, and the verification information is obtained by the user equipment protecting the preset data by using a key derived by the user equipment and a preset algorithm. The information, the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; acquiring target data according to a key derived from the secondary base station, a preset algorithm, preset data, and verification information; according to preset data, verification information And determining, by the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtaining a determination result; and sending the determination result to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

 An embodiment of the present invention provides a method for verifying a key. Based on the UE, as shown in FIG. 14, the method includes:

 The S50 user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm.

 S 502. The user equipment determines, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

 Specifically, the user equipment determines, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:

 The user equipment obtains the Internet Protocol address and the port number of the decrypted data packet; if the Internet Protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the user equipment derived key is not the same as the secondary base station derived key.

 S503. The user equipment sends a determination result to the secondary base station.

An embodiment of the present invention provides a method for verifying a key, where the user equipment decrypts the received downlink data according to a key derived by the user equipment and a preset algorithm; The device determines whether the key derived by the user equipment is the same as the key derived by the secondary base station according to the decrypted data; the user equipment sends the determination result to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

 In order to enable a person skilled in the art to more clearly understand the technical solutions provided by the embodiments of the present invention, a method for providing a UE-based verification key according to an embodiment of the present invention is described in detail below by using a specific embodiment, as shown in FIG. Show that the method includes:

 S601. The user equipment decrypts the received downlink data according to a key derived by the user equipment and a preset algorithm.

 Exemplarily, the preset algorithm may be an encryption algorithm, and a connection is established between the UE and the secondary base station, and the UE decrypts the encrypted downlink data received from the network side according to the key and encryption algorithm derived by the UE, and then obtains IP packet.

 S602. The user equipment obtains an internet protocol address and a port number of the decrypted data packet.

 Exemplarily, the UE parses the decrypted IP packet to obtain an IP address and a port number of the packet.

 S603. The user equipment determines, according to the Internet Protocol address and the port number of the data packet, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the judgment result is obtained.

 Exemplarily, the UE has an IP address and a port number to determine whether the key generated by the UE is the same as the key generated by the secondary base station. If the IP address and the port number can be identified, the IP packet is sent to the corresponding application, and The UE-derived key associated with the secondary base station and the secondary base-derived key are the same; if the IP address and/or port number cannot be identified, the IP packet is an error packet, and the UE-derived The key associated with the secondary base station is different from the associated key derived by the secondary base station.

 S604. The user equipment sends a determination result to the secondary base station.

 Exemplarily, U E sends the result of the judgment to the secondary base station through the primary base station.

The user equipment notifies the primary base station to delete the secondary base station, or the user equipment notifies the primary base station to re-add the secondary base station; or the user equipment notifies the secondary base station to notify the secondary base station. Base station re-trigger reconfiguration flow The user equipment notifies the secondary base station to delete the secondary base station through the primary base station.

 Exemplarily, if the UE-derived key associated with the secondary base station is different from the secondary base-derived related key, the UE may notify the primary base station that the secondary base station has a problem, and may indicate which of the secondary base station has a problem. The bearer identifier is carried in the indication, the primary base station determines that the secondary base station has a problem, deletes the secondary base station, or causes the primary base station to re-add the secondary base station; or the UE may notify the secondary base station to re-trigger the reconfiguration with the UE by the primary base station. Connected; or the UE notifies the secondary base station to delete the secondary base station through the primary base station.

 An embodiment of the present invention provides a method for verifying a key. The user equipment decrypts the received downlink data according to a key derived by the user equipment and a preset algorithm. The user equipment determines the density of the user equipment according to the decrypted data. Whether the key is the same as the key derived by the secondary base station; the judgment result is sent to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station caused by the key and the corresponding algorithm being incorrect.

 An embodiment of the present invention provides a method for verifying a key. Based on a core network element, as shown in FIG. 16, the method includes:

 The S70 core network element receives the data that the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm.

 5702. The core network element determines, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.

 Specifically, the core network element determines, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are the same:

 Obtaining the Internet Protocol address and port number of the decrypted data packet;

 If the Internet Protocol address and port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the user equipment derived key is not the same as the secondary base station derived key.

 5703. The core network element sends a result of the judgment to the secondary base station.

An embodiment of the present invention provides a method for verifying a key, where a core network element receives a number of uplinks sent by a secondary base station to a user equipment according to a key derived by the secondary base station and a preset algorithm. According to the decrypted data, the core network element determines whether the key derived by the user equipment is the same as the key derived by the secondary base station according to the decrypted data; the core network element sends the result of the judgment to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

 In order to enable a person skilled in the art to more clearly understand the technical solutions provided by the embodiments of the present invention, a method for providing a verification key based on a core network element of the core network is described in detail by using a specific embodiment. As shown in Figure 17, the method includes:

 5801. The core network element receives the data that the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm.

 Exemplarily, the preset data may be an encryption algorithm, and a connection is established between the UE and the secondary base station, and the secondary base station decrypts the encrypted uplink data received from the UE according to the key and encryption algorithm derived by the secondary base station to obtain an IP report. If the IP packet is sent to the core network element, the core network element is connected to the IP address.

 5802. The core network element obtains an internet protocol address and a port number of the decrypted data packet.

 For example, the core network element parses the received IP packet to obtain the IP address and port number of the packet.

 5803. The core network element determines, according to the Internet protocol address and the port number of the data packet, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the judgment result is obtained.

 Exemplarily, the core network element has an IP address and a port number to determine whether the key of the UE 4 is the same as the key derived by the secondary base station. If the IP address and the port number can be identified, the IP packet is sent to the corresponding one. The application also shows that the UE-derived key associated with the secondary base station and the secondary base-derived related key are the same; if the IP address and/or port number cannot be identified, the IP packet is an error packet, and It is indicated that the UE-derived key associated with the secondary base station and the secondary base-derived related key are different.

 5804. The core network element sends a determination result to the secondary base station.

Exemplarily, the core network element sends the result of the judgment to the secondary base station. S 805. If the key derived by the user equipment is different from the key generated by the secondary base station, the core network element notifies the primary base station to delete the secondary base station; or the core network element notifies the primary base station to re-add the secondary base station; or the core network The element notifies the secondary base station to re-trigger the reconfiguration process by the primary base station; or the core network element notifies the secondary base station to delete the secondary base station by the primary base station.

 Exemplarily, if the UE-derived key associated with the secondary base station is different from the secondary base-derived related key, the core network element may notify the primary base station through the MME or directly notify the primary base station that the secondary base station has a problem, and The bearer may be instructed to carry the problem, that is, the bearer identifier is carried in the indication, and the primary base station determines that the secondary base station has a problem, deletes the secondary base station, or causes the primary base station to re-add the secondary base station; or the core network element passes the primary base station. The secondary base station is notified to delete the secondary base station.

 An embodiment of the present invention provides a method for verifying a key, where a core network element receives data decrypted by a secondary base station according to a key derived by a secondary base station and a preset algorithm for decrypting uplink data sent by the user equipment; Determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; the core network element sends the result of the judgment to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

 An embodiment of the present invention provides a base station 60. As shown in FIG. 18, the user equipment 60 includes: a bus 64; and a processor 61, a memory 62, and an interface 63 connected to the bus 64, wherein the interface 63 is used for communication; The memory 62 is for storing computer code, and the processor 61 is configured to execute the computer code for:

 Receiving the verification information sent by the user equipment, and the verification information is information obtained by the user equipment after the preset data is protected by the user equipment-derived key and the preset algorithm, and the preset algorithm includes an encryption algorithm and an integrity protection algorithm. At least one

 Obtaining target data according to a key derived by the base station, a preset algorithm, preset data, and verification information;

 The user equipment-derived key is determined to be the same as the base station-derived key according to the preset data, the verification information, and the target data.

Optionally, the processor 61 executes the computer code and is further configured to: If the key derived by the user equipment is different from the key derived by the base station, the user equipment is re-derived or the user equipment is deleted.

 Optionally, the processor 61 executes the computer code for receiving the verification information sent by the user equipment, specifically for:

 Receiving, by the X2 interface, a base station addition completion message from the primary base station, and the base station addition completion message carries the verification information; or

 Receiving a media access control message sent by the user equipment, where the media access control message carries the verification information; or

 Receiving packet packet convergence protocol data sent by the user equipment, and the packet packet convergence protocol data carries verification information.

 Optionally, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

 Optionally, the base station is a secondary base station.

 The embodiment of the present invention provides a base station, which receives the verification information sent by the user equipment, and the verification information is information obtained by the user equipment after the preset data is protected by the user equipment, and the preset algorithm is used. The method includes: at least one of an encryption algorithm and an integrity protection algorithm; acquiring target data according to a key derived by the base station, a preset algorithm, preset data, and verification information; determining the user equipment according to the preset data, the verification information, and the target data; Whether the derived key is the same as the key derived by the base station. It is possible to check whether the key between the user equipment and the base station is correct, and the service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm can be avoided.

An embodiment of the present invention provides a base station 70. As shown in FIG. 19, the base station 70 includes: a bus 74; and a processor 71, a memory 72, and an interface 73 connected to the bus 74, wherein the interface 73 is used for communication; The memory 72 is for storing computer code, and the processor 71 is configured to execute the computer code for: Receiving the verification information sent by the user equipment, and the verification information is information obtained by the user equipment after the preset data is protected by the user equipment-derived key and the preset algorithm, and the preset algorithm includes an encryption algorithm and an integrity protection algorithm. At least one

 Obtaining target data according to a key derived from the secondary base station, a preset algorithm, preset data, and verification information;

 Determining, according to the preset data, the verification information, and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and the judgment result is obtained;

 It is used to send the judgment result to the secondary base station.

 Optionally, the processor 71 executes the computer code and is further configured to:

 If the key derived by the user equipment is different from the derived key of the secondary base station, the user equipment deletes the secondary base station or causes the user equipment to re-derived the key.

 Optionally, the processor 71 executes the computer code for receiving the verification information sent by the user equipment, specifically for:

 Receiving a radio resource control message sent by the user equipment, and the radio resource control message carries the verification information.

 Optionally, the preset data includes at least one of the following:

 a cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a temporary wireless network temporary identifier under the secondary base station, a cell identifier under the primary base station, a physical cell identifier under the primary base station, a temporary wireless network temporary identifier under the primary base station, The identification data stored by the secondary base station and the user equipment, the data transmitted by the primary base station or the secondary base station to the user equipment, and specific numbers.

The embodiment of the present invention provides a base station, which receives the verification information sent by the user equipment, and the verification information is information obtained by the user equipment after the preset data is protected by the user equipment, and the preset algorithm is used. The method includes: at least one of an encryption algorithm and an integrity protection algorithm; acquiring target data according to a key derived by the secondary base station, a preset algorithm, preset data, and verification information; determining the user according to the preset data, the verification information, and the target data Whether the key derived by the device is the same as the key derived by the secondary base station, and the judgment result is obtained; the judgment result is sent to the secondary base station. It can check whether the key between the user equipment and the secondary base station is correct, and can avoid the key and the corresponding algorithm being incorrect. Data errors and even business interruptions between the user equipment and the secondary base station.

 An embodiment of the present invention provides a user equipment 80. As shown in FIG. 20, the user equipment 80 includes: a bus 84; and a processor 81, a memory 82, and an interface 83 connected to the bus 84, wherein the interface 83 is used for communication. The memory 82 is for storing computer code, and the processor 81 is configured to execute the computer code for:

 Decrypting the received downlink data according to a key derived by the user equipment and a preset algorithm;

 Determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;

 Sending a judgment result to the secondary base station;

 The determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:

 Obtaining the Internet Protocol address and port number of the decrypted data packet;

 If the Internet Protocol address and port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the user equipment derived key is not the same as the secondary base station derived key.

 Optionally, the processor 81 executes the computer code and is further configured to:

 If the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify the secondary base station to re-trigger the reconfiguration process by the primary base station; or pass the primary base station. The secondary base station is notified to delete the secondary base station.

 The embodiment of the present invention provides a user equipment, where the user equipment decrypts the received downlink data according to a key derived by the user equipment and a preset algorithm; the user equipment determines, according to the decrypted data, the key derived by the user equipment and the secondary base station. Whether the derived keys are the same; the user equipment sends the judgment result to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm.

The embodiment of the present invention provides a core network element 90. As shown in FIG. 21, the core network element 90 includes: a bus 94; and a processor 91 connected to the bus 94, and stores And an interface 93, wherein the interface 93 is for communication; the memory 92 is for storing computer code, and the processor 91 is configured to execute the computer code for:

 Receiving, after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm;

 Determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;

 Sending the result of the judgment to the secondary base station;

 And determining, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:

 Obtaining the Internet Protocol address and port number of the decrypted data packet;

 If the Internet Protocol address and port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or

 If the Internet Protocol address and/or port number cannot be identified, it is determined that the user equipment derived key is not the same as the secondary base station derived key.

 Optionally, the processor 91 executes the computer code and is further configured to:

 If the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify the secondary base station to re-trigger the reconfiguration process by the primary base station; or pass the primary base station. The secondary base station is notified to delete the secondary base station.

 Optionally, the processor 91 executes the computer code to notify the primary base station to delete the secondary base station or notify the primary base station to re-add the secondary base station, specifically for:

 Sending a message with a different key to the mobility management entity, and forwarding, by the mobility management entity, a message with a different key to the primary base station, so that the primary base station receives the message with the same key, deletes the secondary base station, or re-adds the auxiliary Base station.

An embodiment of the present invention provides a network element of a core network, which receives data obtained by decrypting uplink data sent by a user equipment according to a key derived by a secondary base station and a preset algorithm, and determining, according to the decrypted data, a user equipment derivative. Whether the key is the same as the key derived by the secondary base station; the result of the judgment is sent to the secondary base station. It can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station due to the incorrect key and the corresponding algorithm. The term "and/or" in the present invention is merely an association relationship describing an associated object, indicating that there may be three relationships, for example, A and/or B, which may indicate that: A exists alone, and both A and B exist, alone There are three cases of B. In addition, the character "/" in this article generally means that the contextual object is an "or" relationship.

 Through the description of the above embodiments, those skilled in the art can clearly understand that for the convenience and brevity of the description, only the division of the above functional modules is illustrated. In practical applications, the above functions can be allocated according to needs. It is completed by different functional modules, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific operation of the system, the device, and the unit, the corresponding processes in the foregoing method embodiments may be referred to, and details are not described herein.

 In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored, or not executed. In addition, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.

 The units described as separate components may or may not be physically separated, and the components displayed as the units may or may not be physical units, and may be located in one place or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiment of the present embodiment.

 In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.

The integrated unit is implemented in the form of a software functional unit and is independent When the product is sold or used, it can be stored on a computer readable storage medium. Based on such understanding, the technical solution of the present invention may contribute to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium. The instructions include a plurality of instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to perform all or part of the steps of the methods of the various embodiments of the present invention. The foregoing storage medium includes: a U disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and the like, which can store program codes. .

 The above is only the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the appended claims.

Claims

claims 1. A base station, characterized by including: The receiving unit is configured to receive verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; An acquisition unit configured to acquire target data according to the key derived from the base station, the preset algorithm, the preset data and the verification information; A judging unit, configured to judge whether the key derived by the user equipment and the key derived by the base station are the same according to the preset data, the verification information and the target data. 2. The base station according to claim 1, characterized in that, the base station further includes: a reset unit, configured to reset the key derived by the user equipment if the key derived by the user equipment is different from the key derived by the base station. The user equipment re-derives the key or causes the user equipment to delete the base station. 3. The base station according to claim 1, characterized in that the receiving unit is specifically used for: Receive the base station addition completion message from the master base station through the X2 interface, and the base station addition completion message carries the verification information; or Receive a media access control message sent by the user equipment, where the media access control message carries the verification information; or Receive packet aggregation protocol data sent by the user equipment, where the packet aggregation protocol data carries the verification information. 4. The base station according to claim 1, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 5. The base station according to claim 1, characterized in that: the base station is a secondary base station stand. 6. A base station, characterized by including: The receiving unit is configured to receive verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; An acquisition unit configured to acquire target data according to the key derived from the secondary base station, the preset algorithm, the preset data and the verification information; A judging unit, configured to judge whether the key derived from the user equipment and the key derived from the secondary base station are the same according to the preset data, the verification information and the target data, and obtain a judgment result; A sending unit, configured to send the judgment result to the secondary base station. 7. The base station according to claim 6, characterized in that, the base station further includes: a reset unit, configured to: if the key derived by the user equipment is different from the key derived by the secondary base station, then The user equipment is caused to delete the secondary base station or the user equipment is allowed to re-derive the key. 8. The base station according to claim 6, characterized in that the receiving unit is specifically used to: Receive a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information. 9. The base station according to claim 6, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 10. A user equipment, characterized by: including: A decryption unit, configured to decrypt the received downlink data according to the key derived from the user equipment and the preset algorithm; A judging unit, configured to judge whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the decrypted data, including: Obtain the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or, If the Internet Protocol address and/or the port number cannot be identified, determine that the key derived from the user equipment is different from the key derived from the secondary base station; A sending unit, configured to send the judgment result to the secondary base station. 11. The user equipment according to claim 10, characterized in that, the user equipment further includes: A notification unit configured to, if the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station. The secondary base station; or notify the base station through the primary base station that the secondary base station re-triggers the reconfiguration process; or notify the base station through the primary base station that the secondary base station deletes the secondary base station. 12. A core network element, characterized by including: A receiving unit, configured to receive the data after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm; A judging unit, configured to judge whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the decrypted data, including: Obtain the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or, If the Internet Protocol address and/or the port number cannot be identified, determine that the key derived from the user equipment is different from the key derived from the secondary base station; A sending unit, configured to send the judgment result to the secondary base station. 13. The core network element according to claim 12, characterized in that the core network element further includes: Notification unit, used for if the key derived from the user equipment is different from the key derived from the secondary base station If the keys are different, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify the secondary base station to re-trigger the reconfiguration process through the primary base station; or notify the secondary base station through the primary base station Notify the secondary base station to delete the secondary base station. 14. The core network element according to claim 13, characterized in that the notification unit is specifically used for: Send the message that the keys are different to the mobility management entity, and the mobility management entity forwards the message that the keys are different to the main base station, so that the main base station receives the key After receiving different messages, delete the secondary base station or re-add the secondary base station; or notify the secondary base station to re-trigger the reconfiguration process through the primary base station; or notify the secondary base station to delete the secondary base station through the primary base station. base station. 15. A method for verifying a key, characterized by including: The secondary base station receives the verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm Including at least one of an encryption algorithm and an integrity protection algorithm; The secondary base station acquires target data according to the key derived from the secondary base station, the preset algorithm, the preset data and the verification information; The secondary base station determines whether the key derived by the user equipment and the key derived by the secondary base station are the same based on the preset data, the verification information and the target data. 16. The method according to claim 15, characterized in that the method further includes: If the key derived by the user equipment is different from the key derived by the secondary base station, the user equipment is allowed to re-derive the key or the user equipment deletes the secondary base station. 17. The method according to claim 15, wherein the receiving the verification information sent by the user equipment includes: Receive the base station addition completion message from the master base station through the X2 interface, and the base station addition completion message carries the verification information; or Receive a media access control message sent by the user equipment, where the media access control message carries the verification information; or Receive packet aggregation protocol data sent by the user equipment, where the packet aggregation protocol data carries the verification information. 18. The method according to claim 15, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 19. A method for verifying a key, characterized by including: The master base station receives the verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm Including at least one of an encryption algorithm and an integrity protection algorithm; The primary base station obtains the target data based on the key derived from the secondary base station, the preset algorithm, the preset data and the verification information; The primary base station determines whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the preset data, the verification information and the target data, and obtains a judgment result; The primary base station sends the judgment result to the secondary base station. 20. The method according to claim 19, characterized in that, the method further includes: If the key derived by the user equipment is different from the key derived by the secondary base station, the user equipment is caused to delete the secondary base station or the user equipment is re-derived. 21. The method according to claim 19, wherein the receiving the verification information sent by the user equipment includes: Receive a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information. 22. The method according to claim 19, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 23. A method for verifying a key, characterized by including: The user equipment decrypts the received downlink data according to the key and preset algorithm derived from the user equipment; The user equipment determines whether the key derived by the user equipment and the key derived by the secondary base station are the same based on the decrypted data; The user equipment sends the judgment result to the secondary base station; Wherein, the user equipment's determination based on the decrypted data whether the key derived by the user equipment and the key derived by the secondary base station are the same includes: The user equipment obtains the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or, If the Internet protocol address and/or the port number cannot be identified, it is determined that the key derived from the user equipment is different from the key derived from the secondary base station. 24. The method according to claim 23, wherein if the key derived by the user equipment is different from the key derived by the secondary base station, the method further includes: notifying the primary base station to delete the secondary base station ; or Notify the primary base station to re-add the secondary base station; or Notify the secondary base station to re-trigger the reconfiguration process through the primary base station; or notify the secondary base station to delete the secondary base station through the primary base station. 25. A method for verifying a key, characterized by including: The core network element receives the data after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm; The core network element determines whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the decrypted data; The core network element sends the result of the determination to the secondary base station; wherein the core network element determines the key derived from the user equipment and the key derived from the secondary base station based on the decrypted data. Whether the keys are the same, including: Obtain the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or, If the Internet protocol address and/or the port number cannot be identified, it is determined that the key derived from the user equipment is different from the key derived from the secondary base station. 26. The method according to claim 25, wherein if the key derived from the user equipment is different from the key derived from the secondary base station, the method further includes: notifying the primary base station to delete the secondary base station. ; or Notify the primary base station to re-add the secondary base station; or Notify the secondary base station to re-trigger the reconfiguration process through the primary base station; or notify the secondary base station to delete the secondary base station through the primary base station. 27. The method according to claim 26, wherein the notifying the primary base station to delete the secondary base station or notifying the primary base station to re-add the secondary base station includes: Send the message that the keys are different to the mobility management entity, and the mobility management entity forwards the message that the keys are different to the main base station, so that the main base station receives the key After receiving different messages, the secondary base station is deleted or the secondary base station is re-added. 28. A base station, characterized in that, the base station includes: a communication interface, a memory, and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes the Computer code for: Receive verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm includes encryption. At least one of an algorithm and an integrity protection algorithm; Obtain target data according to the key derived from the base station, the preset algorithm, the preset data and the verification information; Determine the user according to the preset data, the verification information and the target data Whether the key derived by the user equipment is the same as the key derived by the base station. 29. The base station according to claim 28, wherein the processor executes the computer code and is also used for: If the key derived by the user equipment is different from the key derived by the base station, the user equipment is allowed to re-derive the key or the user equipment deletes the base station. 30. The base station according to claim 28, wherein the processor executes the computer code and is also used for: Receive the base station addition completion message from the master base station through the X2 interface, and the base station addition completion message carries the verification information; or Receive a media access control message sent by the user equipment, where the media access control message carries the verification information; or Receive packet aggregation protocol data sent by the user equipment, where the packet aggregation protocol data carries the verification information. 31. The base station according to claim 28, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 32. The base station according to claim 28, characterized in that the base station is a secondary base station. 33. A base station, characterized in that, the base station includes: a communication interface, a memory, and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes the Computer code for: Receive verification information sent by the user equipment. The verification information is the information obtained by the user equipment after protecting the preset data through the key and preset algorithm derived from the user equipment. The preset algorithm includes encryption. At least one of an algorithm and an integrity protection algorithm; Obtain target data according to the key derived from the secondary base station, the preset algorithm, the preset data and the verification information; Determine whether the key derived from the user equipment and the key derived from the secondary base station are the same according to the preset data, the verification information and the target data, and obtain a judgment result; Used to send the judgment result to the secondary base station. 34. The base station according to claim 33, wherein the processor executes the computer code and is further configured to: If the key derived by the user equipment is different from the key derived by the secondary base station, the user equipment is caused to delete the secondary base station or the user equipment is re-derived. 35. The base station according to claim 33, wherein the processor executes the computer code and is further configured to: Receive a radio resource control message sent by the user equipment, where the radio resource control message carries the verification information. 36. The base station according to claim 33, characterized in that the preset data includes at least one of the following: The cell identity under the secondary base station, the physical cell identity under the secondary base station, the temporary cell wireless network identity under the secondary base station, the cell identity under the primary base station, the physical cell identity under the primary base station, the temporary cell wireless network identity under the primary base station, Identification data stored in both the secondary base station and the user equipment, data transmitted to the user equipment by the primary base station or the secondary base station, and specific numbers. 37. A user equipment, characterized in that, the user equipment includes: a communication interface, a memory, and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes The computer code is used to: Decrypt the received downlink data according to the key and preset algorithm derived from the user equipment; Determine whether the key derived from the user equipment and the key derived from the secondary base station are the same according to the decrypted data; Send the judgment result to the secondary base station; Wherein, judging whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the decrypted data includes: Obtain the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived from the user equipment is the same as the key derived from the secondary base station; or, If the Internet protocol address and/or the port number cannot be identified, it is determined that the key derived from the user equipment is different from the key derived from the secondary base station. 38. The user equipment according to claim 37, wherein the processor executes the computer code and is also used for: If the key derived by the user equipment is different from the key derived by the secondary base station, notify the primary base station to delete the secondary base station; or notify the primary base station to re-add the secondary base station; or notify the primary base station through the primary base station. The secondary base station re-triggers the reconfiguration process; or the secondary base station notifies the secondary base station to delete the secondary base station through the primary base station. 39. A core network element, characterized in that, the core network element includes: a communication interface, a memory, and a processor; the communication interface is used to communicate with the network element, and the memory is used to store computer code; so The processor executes the computer code for: Receive the data after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm; Determine whether the key derived from the user equipment and the key derived from the secondary base station are the same according to the decrypted data; Send the result of the judgment to the secondary base station; Wherein, determining whether the key derived from the user equipment and the key derived from the secondary base station are the same based on the decrypted data includes: Obtain the Internet protocol address and port number of the decrypted data packet; If the Internet protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or, If the Internet protocol address and/or the port number cannot be identified, it is determined that the key derived from the user equipment is different from the key derived from the secondary base station. 40. The core network element according to claim 39, wherein the processor executes the computer code and is also used for: If the key derived by the user equipment is different from the key derived by the secondary base station, notify the main base station to delete the secondary base station; or notify the main base station to re-add the secondary base station; Or the main base station notifies the secondary base station to re-trigger the reconfiguration process; or the main base station notifies the secondary base station to delete the secondary base station. 41. The core network element according to claim 40, wherein the processor executes the computer code and is also used for: Send the message that the keys are different to the mobility management entity, and the mobility management entity forwards the message that the keys are different to the main base station, so that the main base station receives the key After receiving different messages, the secondary base station is deleted or the secondary base station is re-added.