1. Patent Search
  2. Details

METHOD AND APPARATUS FOR NEGOTIATING SECURITY DURING HANDOVER BETWEEN DIFFERENT RADIO ACCESS TECHNOLOGIES

20190253887 ยท 2019-08-15

    Inventors

    Cpc classification

    International classification

    Abstract

    A solution for security negotiation during handover of a user equipment (UE) between different radio access technologies is provided. In the solution, the UE receives non-access stratum (NAS) security information and access stratum (AS) security information which are selected by the target system and then performs security negotiation with the target system according to the received NAS security information and AS security information. As such, the UE may obtain the key parameter information of the NAS and AS selected by a Long Term Evolution (LTE) system and perform security negotiation with the LTE system when the UE hands over from a different system, such as a Universal Terrestrial Radio Access Network (UTRAN), to the LTE system.

    Claims

    1. A method for a handover from a source system to a target system, the method comprising: receiving, by a base station in the target system, a non access stratum (NAS) algorithm from a mobility management network element in the target system; selecting, by the base station, an access stratum (AS) algorithm; and sending, by the base station, a transparent container including the NAS algorithm and the AS algorithm to a user equipment (UE) through the mobility management network element and the source system; wherein a first radio access technology supported by the source system and a second radio access technology supported by the target system are different.

    2. The method according to claim 1, further comprising: receiving, by the base station, a base station key and a parameter used in a derivation of the base station key from the mobility management network element; wherein the transparent container further includes the parameter used in the derivation of the base station key.

    3. The method according to claim 2, further comprising: receiving, by the base station, UE capability information from the mobility management network element.

    4. The method according to claim 1, wherein the AS algorithm comprises a radio resources control (RRC) algorithm and a user plane (UP) algorithm.

    5. A base station in a target system, comprising: a processor; and a non-transitory memory having processor-executable instructions stored thereon applicable to a handover from a source system to the target system, wherein the processor-executable instructions, when executed by the processor, facilitate: receiving a non access stratum (NAS) algorithm from a mobility management network element in the target system; selecting an access stratum (AS) algorithm; and sending a transparent container including the NAS algorithm and the AS algorithm to a user equipment (UE) through the mobility management network element and the source system; wherein a first radio access technology supported by the source system and a second radio access technology supported by the target system are different.

    6. The base station according to claim 5, wherein the processor-executable instructions, when executed, further facilitate: receiving a base station key and a parameter used in a derivation of the base station key from the mobility management network element; wherein the transparent container further includes the parameter used in the derivation of the base station key.

    7. The base station according to claim 6, wherein the processor-executable instructions, when executed, further facilitate: receiving UE capability information from the mobility management network element.

    8. The base station according to claim 5, wherein the AS algorithm comprises a radio resources control (RRC) algorithm and a user plane (UP) algorithm.

    9. A non-transitory computer-readable medium having processor-executable instructions stored thereon, wherein the processor-executable instructions, when executed, facilitate: receiving a non access stratum (NAS) algorithm from a mobility management network element in a target system; selecting an access stratum (AS) algorithm; and sending a transparent container including the NAS algorithm and the AS algorithm to a user equipment (UE) through the mobility management network element and a source system; wherein a first radio access technology supported by the source system and a second radio access technology supported by the target system are different.

    10. The non-transitory computer-readable medium according to claim 9, wherein the processor-executable instructions, when executed, further facilitate: receiving a base station key and a parameter used in a derivation of the base station key from the mobility management network element; wherein the transparent container further includes the parameter used in the derivation of the base station key.

    11. The non-transitory computer-readable medium according to claim 10, wherein the processor-executable instructions, when executed, further facilitate: receiving UE capability information from the mobility management network element.

    12. The computer readable medium according to claim 9, wherein the AS algorithm comprises a radio resources control (RRC) algorithm and a user plane (UP) algorithm.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0024] FIG. 1 shows structure of two security-related strata in the LTE system in the conventional art;

    [0025] FIG. 2 is a flowchart of negotiation between the UE and the 2G system or 3G system in the process of base station handover between a 2G system and a 3G system in the conventional art;

    [0026] FIG. 3 is a flowchart of negotiation between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the first embodiment of the present invention;

    [0027] FIG. 4 is a flowchart of negotiation between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the second embodiment of the present invention;

    [0028] FIG. 5 shows structure of an eNB device provided in an embodiment of the present invention;

    [0029] FIG. 6 shows structure of an access network device provided in an embodiment of the present invention; and

    [0030] FIG. 7 shows structure of a target MME provided in an embodiment of the present invention.

    DETAILED DESCRIPTION

    [0031] A method and an apparatus for negotiating security during handover between different radio access technologies are provided in an embodiment of the present invention.

    [0032] The UE handover between different radio access technologies herein includes the UE handover from a different system to an LTE system. The method and apparatus provided in the embodiments of the present invention are described below, supposing that the UE hands over from a UTRAN system to an LTE system.

    [0033] In the embodiments of the present invention, when the UE hands over from the UTRAN system to the LTE system, the target MME generates NAS security information and sends the NAS security information to the target eNB. The target eNB also generates AS security information, and creates a transparent container according to the NAS security information and the AS security information.

    [0034] FIG. 3 is a flowchart of negotiating security between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the first embodiment of the present invention. The negotiating process includes the following steps:

    [0035] Step 31: First, the source system of the UE decides to perform a handover procedure, and initializes a handover request.

    [0036] Step 32: The source SGSN sends the handover request to the target MME. The handover request includes the UE capability information (including a list of NAS algorithm of the UE, RRC algorithm of the UE, and UP algorithm of the UE) and the key information currently used by the source system (or the key derived by the source system according to the currently used key information).

    [0037] Step 33: According to the received key information, the target MME derives an Access Security Management Entity (ASME) key K.sub.ASME, an NAS key K.sub.NAS, and an eNB key K.sub.eNB, and selects an NAS algorithm.

    [0038] Step 34: The target MME sends the parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, parameters used in K.sub.eNB derivation, the K.sub.eNB, the selected NAS algorithm, and the list of the RRC algorithm of the UE and UP algorithm of the UE to the target eNB through the handover request.

    [0039] Step 35: The target eNB selects RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB, and UP encryption algorithm of the target eNB, and derives an RRC encryption key, an integrity key, and a UP encryption key according to the received K.sub.eNB.

    [0040] The target eNB shall create a transparent container including: parameters used in the RRC encryption key derivation and the UP encryption key derivation; the received parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, parameters used in K.sub.eNB derivation; the RRC algorithm of the UE and UP algorithm of the UE; the RRC encryption algorithm selected by the target eNB, integrity protection algorithm selected by the target eNB, and UP encryption algorithm selected by the target eNB.

    [0041] Step 36: The target eNB sends the transparent container to the target MME.

    [0042] Step 37: The target MME sends the transparent container to the source SGSN through a handover response.

    [0043] Step 38: The source SGSN transmits the received transparent container to the source access network through a handover response.

    [0044] Step 39: The source access network transmits the contents of the received transparent container to the UE through a handover command.

    [0045] Step 310: According to the parameters used in the RRC encryption key derivation and the UP encryption key derivation, the parameters used in K.sub.ASME derivation, the parameters used in K.sub.NAS derivation, the parameters used in K.sub.eNB derivation in the received contents of the transparent container, the UE derives the RRC encryption key, UP encryption key, K.sub.ASME, K.sub.NAS, and K.sub.eNB, and sets a protection algorithm applicable after handover.

    [0046] FIG. 4 is a flowchart of negotiating security between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the second embodiment of the present invention. The negotiating process includes the following steps:

    [0047] Step 41: First, the source system of the UE decides to perform a handover procedure, and initializes a handover request.

    [0048] Step 42: The source SGSN sends the handover request to the target MME. The handover request includes the UE capability information (including a list of the NAS algorithm of the UE, RRC algorithm of the UE, and UP algorithm of the UE), and the key information currently used by the source system (or a processed key).

    [0049] Step 43: According to the received key information, the target MME derives a K.sub.ASME, a K.sub.NAS, and a K.sub.eNB, and selects an NAS algorithm. The target MME includes the selected NAS algorithm, parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, and parameters used in K.sub.eNB derivation in an NAS container.

    [0050] Step 44: The target MME sends the K.sub.eNB, the list of RRC algorithm of the UE and UP algorithm of the UE, and the NAS container to the target eNB through the handover request.

    [0051] Step 45: The target eNB selects the RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB, and UP encryption algorithm of the target eNB, and derives an RRC encryption key, an integrity key, and a UP encryption key according to the received K.sub.eNB.

    [0052] The target eNB includes the following into an RRC container: parameters used in the RRC encryption key derivation and UP encryption key derivation; the RRC algorithm of the UE and UP algorithm of the UE; the RRC encryption algorithm selected by the target eNB, integrity protection algorithm selected by the target eNB, and the UP encryption algorithm selected by the target eNB. The RRC container and the received NAS container are included in a transparent container.

    [0053] Step 46: The target eNB sends the transparent container to the target MME.

    [0054] Step 47: The target MME sends the transparent container to the source SGSN through a handover response.

    [0055] Step 48: The source SGSN transmits the received transparent container to the source access network through a handover command.

    [0056] Step 49: The source access network transmits the contents of the received transparent container to the UE transparently through a handover command.

    [0057] Step 410: According to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K.sub.ASME derivation, the parameters used in K.sub.NAS derivation, and the parameters used in K.sub.eNB derivation in the received contents of the transparent container, the UE derives the corresponding RRC encryption key, UP encryption key, K.sub.ASME, K.sub.NAS, and K.sub.eNB, and sets the relevant algorithm applicable after handover.

    [0058] The process of negotiating security between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the third embodiment of the present invention includes the following steps:

    [0059] Step 51: First, the source system of the UE decides to perform a handover procedure, and initializes a handover request. Afterward, the source SGSN sends the handover request to the target MME. The handover request includes the UE capability information (including a list of the NAS algorithm of the UE, RRC algorithm of the UE, and UP algorithm of the UE), and the key information currently used by the source system (or a processed key).

    [0060] Step 52: According to the received key information, the target MME derives a K.sub.ASME, a K.sub.NAS, and a K.sub.eNB, and selects an NAS algorithm. The target MME includes the selected NAS algorithm, parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, and parameters used in K.sub.eNB derivation in an NAS container. Afterward, the target MME sends the K.sub.eNB, the list of RRC algorithm of the UE and UP algorithm of the UE, and the NAS container to the target eNB through the handover request.

    [0061] Step 53: The target eNB selects RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB, and UP encryption algorithm of the target eNB, and derives an RRC encryption key, an integrity key, and a UP encryption key according to the received K.sub.eNB.

    [0062] Afterward, the target eNB includes the following contents in a transparent container: parameters used in the RRC encryption key derivation and UP encryption key derivation; the RRC algorithm of the UE and UP algorithm of the UE; the RRC encryption algorithm selected by the target eNB, integrity protection algorithm selected by the target eNB, the UP encryption algorithm selected by the target eNB, and the received NAS container. Then, the target eNB sends the transparent container to the target MME.

    [0063] Step 54: The target MME sends the transparent container to the source SGSN through a handover response. The source SGSN transmits the received transparent container to the source access network through a handover command. The source access network transmits the contents of the received transparent container to the UE through a handover command.

    [0064] Step 55: According to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K.sub.ASME derivation, the parameters used in K.sub.NAs derivation, and parameters used in K.sub.eNB derivation in the received contents of the transparent container, the UE derives the RRC encryption key, UP encryption key, K.sub.ASME, K.sub.NAs, and K.sub.eNB, and sets the relevant algorithm applicable after handover.

    [0065] The process of negotiating security between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the fourth embodiment of the present invention includes the following steps:

    [0066] Step 61: First, the source system of the UE decides to perform a handover procedure, and initializes a handover request. Afterward, the source SGSN sends the handover request to the target MME. The handover request includes the UE capability information (including a list of the RRC algorithm of the UE, and UP algorithm of the UE) and the key information currently used by the source system (or a processed key).

    [0067] Step 62: According to the received key information, the target MME derives a K.sub.ASME, a K.sub.NAS, and a K.sub.eNB, and selects an NAS algorithm.

    [0068] Afterward, the target MME sends the list of the RRC algorithm of the UE and UP algorithm of the UE as well as the K.sub.eNB to the target eNB. The target MME includes the selected NAS algorithm, parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, and parameters used in K.sub.eNB derivation in an NAS container, and sends the NAS container to the source access network through the source SGSN.

    [0069] Step 63: The target eNB selects RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB, and UP encryption algorithm of the target eNB; and derives an RRC encryption key, an integrity key, and a UP encryption key according to the received K.sub.eNB.

    [0070] The target eNB includes the following in an RRC container: parameters used in the RRC encryption key derivation and UP encryption key derivation; the RRC algorithm of the UE and UP algorithm of the UE; the RRC encryption algorithm selected by the target eNB and integrity protection algorithm selected by the target eNB, and the UP encryption algorithm selected by the target eNB. Then, the target eNB sends the contents of the RRC container to the target MME.

    [0071] Step 64: The target MME sends the contents of the RRC container to the source SGSN through a handover response, and the source SGSN transmits the received RRC container to the source access network through a handover command.

    [0072] The source access network sends the contents of the received NAS container and the contents of the RRC container to the UE.

    [0073] Step 65: According to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K.sub.ASME derivation, the parameters used in K.sub.NAS derivation, and the parameters used in K.sub.eNB derivation in the contents of the received NAS container and RRC container, the UE derives the corresponding RRC encryption key, UP encryption key, K.sub.ASME, K.sub.NAS, and K.sub.eNB, and sets the relevant algorithm applicable after handover.

    [0074] The process of negotiating security between a UE and an LTE system when the UE hands over from a UTRAN to an LTE system in the fifth embodiment of the present invention includes the following steps:

    [0075] Step 71: First, the source system of the UE decides to perform a handover procedure, and initializes a handover request. Afterward, the source SGSN sends a handover request to the target MME. The handover request includes the UE capability information (including a list of the RRC algorithm of the UE, and UP algorithm of the UE), and the key information currently used by the source system (or a processed key).

    [0076] Step 72: According to the received key information, the target MME derives a K.sub.ASME, a K.sub.NAS, and a K.sub.eNB, and selects an NAS algorithm.

    [0077] The target MME sends the UE capability information and K.sub.eNB to the target eNB, and includes parameters used in K.sub.ASME derivation, parameters used in K.sub.NAS derivation, and parameters used in K.sub.eNB derivation as well as the NAS algorithm in an NAS container.

    [0078] Step 73: The target eNB selects RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB, and UP encryption algorithm of the target eNB; and derives an RRC encryption key, an integrity key, and a UP encryption key according to the received K.sub.eNB.

    [0079] The target eNB includes parameters used in the RRC encryption key derivation and UP encryption key derivation, the RRC encryption algorithm of the target eNB, integrity protection algorithm of the target eNB and UP encryption algorithm of the target eNB in an RRC container, and sends the RRC container to the target MME. The target MME includes the RRC container and the NAS container in a transparent container, and sends the transparent container to the source access network through a source SGSN.

    [0080] The source access network sends the contents of the received transparent container to the UE.

    [0081] Step 74: According to the parameters used in the RRC encryption key derivation and UP encryption key derivation, the parameters used in K.sub.ASME derivation, the parameters used in K.sub.NAS derivation, and the parameters used in K.sub.eNB derivation in the contents of the received NAS container and RRC container, the UE derives the corresponding RRC encryption key, UP encryption key, K.sub.ASME, K.sub.NAS, and K.sub.eNB, and sets the relevant algorithm applicable after handover.

    [0082] The processes of the embodiment 1, embodiment 2, embodiment 3 and embodiment 4 suppose that the UE hands over from the UTRAN to the LTE system, and are also applicable to the scenario of handover from a 2G network to an LTE network, where both the 2G network and the 3G network are called a Packet Switched (PS) domain.

    [0083] If the UE hands over from a Circuit Switched (CS) domain of the 2G/3G to an LTE system, the process of security negotiation between the UE and the LTE network needs to be decided according to the specific handover process of the UE.

    [0084] When the UE hands over from the CS domain of the 2G/3G system to the LTE system, if the UE is disconnected from the CS domain of the 2G/3G system and then connected with the LTE system again, the UE may perform an Authentication and Key Agreement (AKA) process with the LTE system directly, and then obtain the corresponding NAS security information and AS security information from the LTE system.

    [0085] When the UE hands over from the CS domain of the 2G/3G system to the LTE system, if the UE hands over from the CS domain of the 2G/3G system to the PS domain of the 2G/3G system and then hands over to the LTE system smoothly, the process of security association negotiated between the UE and LTE system is the same as that in the foregoing process of handover from the PS domain of the 2G/3G system to the LTE system.

    [0086] When the UE hands over from the CS domain of the 2G/3G system to the LTE system, if the UE hands over from the CS domain of the 2G/3G system to the LTE system, the security association negotiated between the UE and the LTE system is transferred through a Mobile Services Switching Center (MSC) node and a target MME, thus facilitating the UE to obtain the corresponding NAS security information and AS security information.

    [0087] When the UE hands over from the CS domain of the 2G/3G system to the LTE system, if the UE hands over from the IP Multimedia Subsystem (IMS) on the CS domain of the 2G/3G system to the LTE system first, the security association negotiated between the UE and the LTE system is transferred through a Call Session Control Function (CSCF) node of the IMS and a target MME, thus facilitating the UE to obtain the corresponding NAS security information and AS security information.

    [0088] As shown in FIG. 5, an eNB device provided in an embodiment of the present invention includes: (1) a key and algorithm information receiving unit, adapted to receive through a handover request the following sent by a target Mobile Management Entity (MME): parameters used in Non Access Stratum (NAS) key derivation and algorithm information, parameters used in a eNB key derivation, the eNB key and User Equipment (UE) capability information; (2) an algorithm selecting and key deriving unit, adapted to select RRC encryption algorithm of the eNB, integrity protection algorithm of the eNB, and UP encryption algorithm of the eNB according to the information received by the key and algorithm information receiving unit, and derive an RRC encryption key and a UP encryption key; and (3) a transparent container incorporating unit, adapted to includes the following in a transparent container: the parameter and algorithm information of the NAS key and the parameter and algorithm information of the AS key obtained by the key and algorithm information receiving unit; and the RRC encryption key, UP encryption key, RRC encryption algorithm of the eNB, integrity protection algorithm of the eNB, and UP encryption algorithm of the eNB that are obtained by the algorithm selecting and key deriving unit.

    [0089] An eNB device is provided in an embodiment of the present invention. As shown in FIG. 5, the eNB device includes: (1) a key and algorithm information receiving unit, adapted to receive through a handover request the following sent by a target Mobile Management Entity (MME): a Non Access Stratum (NAS) container, an eNB key (K.sub.eNB), and User Equipment (UE) capability information sent; (2) an algorithm selecting and key deriving unit, adapted to select RRC encryption algorithm of the eNB, integrity protection algorithm of the eNB, and UP encryption algorithm of the eNB according to the K.sub.eNB and UE capability information received by the key and algorithm information receiving unit, and derive an RRC encryption key and a UP encryption key; and (3) a transparent container incorporating unit, adapted to include parameters used in the RRC encryption key derivation and UP encryption key derivation, RRC encryption algorithm of the eNB, integrity protection algorithm of the eNB, and UP encryption algorithm of the eNB obtained by the algorithm selecting and key deriving unit in an RRC container; and include the RRC container and the NAS container in a transparent container.

    [0090] A source access network device is provided in an embodiment of the present invention. As shown in FIG. 6, the source access network device includes: (1) an NAS container receiving unit, adapted to receive an NAS container sent by the target MME; (2) an RRC container incorporating unit, adapted to receive an RRC container sent by the target MME; and (3) a transparent container incorporating unit, adapted to include the NAS container received by the NAS container receiving unit and the RRC container received by the RRC container incorporating unit in a transparent container.

    [0091] A target MME is provided in an embodiment of the present invention. As shown in FIG. 7, the target MME includes: (1) an algorithm selecting and key deriving unit, adapted to derive a K.sub.NAS and a K.sub.eNB according to the received key information used by the source system, and select an NAS algorithm; and send the K.sub.eNB and UE capability information to the target eNB through a handover request; (2) an NAS container incorporating unit, adapted to include the NAS algorithm, and the parameters used in K.sub.NAS derivation, and the parameters used in K.sub.eNB derivation in an NAS container; and (3) a transparent container incorporating unit, adapted to receive the RRC container sent by the target eNB, and include the RRC container and the NAS container in a transparent container.

    [0092] To sum up, in the embodiments of the present invention, the security information of the NAS and AS is transmitted to the UE. Therefore, when the UE hands over from a 3G or 2G system, such as Universal Terrestrial Radio Access Network (UTRAN), to the LTE system, the UE obtains the security information of the NAS and AS selected by the LTE system, performs security negotiation with the LTE system, and creates a security correlation between the UE and the LTE system.

    [0093] Furthermore, a transparent container may be generated out of the security information of the NAS and AS selected by the LTE system, the capability information supported by the UE, and the encryption algorithm selected by the target eNB, and the transparent container is transmitted to the UE. Therefore, when the UE hands over from the UTRAN to the LTE system, the UE obtains the parameter information of the NAS key and AS key selected by the LTE system, and the encryption algorithm selected by the target eNB. The UE negotiates the NAS and AS security parameters and the security algorithm between the LTE system and a different system without adding any signaling, and a security correlation is created between the UE and the LTE system.

    [0094] The embodiments of the present invention are compatible with the handover signaling flow between the 2G system and the 3G system, and implement negotiation of the NAS and AS security parameters and the security algorithm between the LTE system and a different system without adding any extra signaling.

    [0095] It is understandable to those skilled in the art that the processes in the foregoing embodiments may be implemented by hardware instructed by a program. The program may be stored in a readable storage medium. Once being executed, the program performs the steps covered by the foregoing methods. The storage medium may be a ROM/RAM, magnetic disk or compact disk.

    [0096] Although the invention has been described through some exemplary embodiments, the invention is not limited to such embodiments. It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. The invention is intended to cover the modifications and variations provided that they fall in the scope of protection defined by the following claims or their equivalents.