Method and system for generating an identifier of a key

09713001 · 2017-07-18

Abstract

A method for generating an identifier of a key, wherein: when a user equipment (UE) transfers from an evolved UMTS terrestrial radio access network (EUTRAN) to a universal terrestrial radio access network (UTRAN), or to a global system for mobile communications (GSM) or an enhanced data rate for GSM evolution radio access network (GERAN), an identifier of a system key after the transfer is generated by mapping an identifier KSI.sub.ASME for an access security management entity. A mobility management entity generates an identifier of a ciphering key (CK) and an integrity key (IK) by mapping the KSI.sub.ASME, and then sends the generated identifier to a serving GPRS support node (SGSN). When the UE transfers from the EUTRAN to the UTRAN, the SGSN stores the ciphering key, the integrity key and the identifier thereof; when the UE transfers from the EUTRAN to the GERAN, the SGSN assigns the value of the identifier of the ciphering key and the integrity key to an identifier of a ciphering key of the GERAN.

Claims

1. A method for generating an identifier of a key, comprising: when a User Equipment (UE) transfers from an Evolved UMTS Terrestrial Radio Access Network (EUTRAN) to a Global System for Mobile Communications (GSM) or to an enhanced data rate for GSM Evolution Radio Access Network (GERAN), generating, by a Mobility Management Entity (MME), an identifier of a ciphering key and an integrity key by mapping a key set identifier for an access security management entity, and sending the ciphering key, the integrity key and the identifier thereof to a Serving GPRS Support Node (SGSN); assigning, by the SGSN, a value of the identifier of the ciphering key and the integrity key to an identifier of a ciphering key of the GSM or GERAN, wherein the identifier of the ciphering key of the GSM or GERAN is a sequence number of the ciphering key; and generating, by the UE, an identifier of the ciphering key of the GSM or GERAN by mapping the key set identifier of the access security management entity; wherein the generating by mapping comprises: assigning, by the MME, the value of the identifier of the ciphering key and the integrity key to be a value of the key set identifier of the access security management entity, or to be a sum of the value of the key set identifier of the access security management entity and a constant which is appointed by the UE and a network side; and assigning, by the UE, the value of the identifier of the ciphering key of the GSM or GERAN to be the value of the key set identifier of the access security management entity, or to be the sum of the value of the key set identifier of the access security management entity and a constant which is appointed by the UE and the network side.

2. The method according to claim 1, wherein when the UE in an idle state transfers from the EUTRAN to the GSM or to the GERAN, after receiving a user information extraction request message sent by the UE to the SGSN, the MME generates the integrity key, the ciphering key and the identifier of the integrity key and ciphering key, and sends the integrity key, the ciphering key and the identifier thereof to the SGSN via a user information extraction response message.

3. The method according to claim 2, wherein a request message sent by the UE to the SGSN for transferring to the GSM or GERAN in an idle state is a routing area update request message; the user information extraction request message is a context request message; and the user information extraction response message is a context response message.

4. The method according to claim 2, wherein a request message sent by the UE to the SGSN for transferring to the GSM or GERAN in an idle state is an attachment request message; the user information extraction request message is an identification request message; and the user information extraction response message is an identification response message.

5. The method according to claim 1, wherein after determining to transfer to the GSM or GERAN in an idle state and before correspondingly sending the SGSN a completion message indicative of the completion of the transfer to the GSM or GERAN in an idle state, the UE generates an identifier of a ciphering key of the GSM or GERAN by mapping the key set identifier of the access security management entity, and stores the identifier of the ciphering key of the GSM or GERAN, along with the ciphering key of the GSM or GERAN which is generated from the key of the access security management entity.

6. The method according to claim 5, wherein the completion message sent by the UE to the SGSN for indicating the completion of the transfer to the GSM or GERAN in an idle state is a routing area update completion message or an attachment completion message.

7. The method according to claim 1, wherein when the UE transfers from the EUTRAN to a UTRAN under the condition that a radio resource control (RRC) is in an active state, after receiving a handover request, the MME generates a ciphering key, an integrity key and an identifier of the ciphering key and integrity key, and sends the integrity key, the ciphering key and the identifier thereof to the SGSN via a forward redirecting request message; and after receiving a handover command sent by the network side, the UE generates a ciphering key of the GSM or GERAN and an identifier of the ciphering key.

8. The method according to claim 1, further comprising: if a key is associated by the network side and the UE before the UE transfers, and if the identifier of the key associated before the transfer is the same as that of the ciphering key of the GSM or GERAN which is generated through mapping during the transferring process, deleting keys in the SGSN and the UE, which are stored before the transfer.

9. A system for generating an identifier of a key, which is suitable for generating an identifier of a system key when a user equipment (UE) transfers from an Evolved UMTS Terrestrial Radio Access Network (EUTRAN) to a Global System for Mobile Communications (GSM) or to an enhanced data rate for GSM Evolution Radio Access Network (GERAN), comprising: the UE, a Mobility Management Entity (MME) and a Serving GPRS Support Node (SGSN), wherein, the UE is configured to generate an identifier of a ciphering key of the GSM or GERAN by mapping a key set identifier for an access security management entity; the MME is configured to generate an identifier of a ciphering key and an integrity key by mapping a key set identifier for the access security management entity, and to send the ciphering key, the integrity key and the identifier of the ciphering key and integrity key to the SGSN; and the SGSN is configured to receive the ciphering key, the integrity key and the identifier thereof which are sent by the MME, and to assign the value of the identifier of the ciphering key and the integrity key to the identifier of the ciphering key of the GSM or GERAN; wherein, a mode of the generating by mapping comprises: the MME is configured to assign the value of the identifier of the ciphering key and the integrity key to be a value of the key set identifier of the access security management entity, or to be a sum of the value of the key set identifier of the access security management entity and a constant which is appointed by the UE and a network side; and the UE is configured to assign the value of the identifier of the ciphering key of the GSM or GERAN to be the value of the key set identifier of the access security management entity, or to be a sum of the value of the key set identifier of the access security management entity and a constant which is appointed by the UE and the network side.

10. The system according to claim 9, wherein, the UE is further configured to map the value of a key set identifier of the access security management entity (KSI.sub.ASME) to the identifier of the ciphering key of the GSM or GERAN, or to map the value of the identifier KSI.sub.ASME plus a constant to the identifier of the ciphering key of the GSM or GERAN; and store the ciphering key of the GSM or GERAN and the identifier of the ciphering key; the MME is further configured to generate an identifier of the integrity key and the ciphering key, and to map the value of the key set identifier of the access security management entity to the identifier of the integrity key and the ciphering key, or to map the value of the key set identifier of the access security management entity plus a constant to the identifier of the integrity key and the ciphering key; and send the SGSN the ciphering key, the integrity key, and the identifier of the ciphering key and the integrity key which is generated by the second key set identifier mapping unit; and the SGSN is further configured to receive from the MME the ciphering key, the integrity key and the identifier of the ciphering key and integrity key; assign the value of the ciphering key, the integrity key and the identifier thereof to the identifier of the ciphering key of the GSM or GERAN; and store the ciphering key of the GSM or GERAN and the identifier of the ciphering key of the GSM or GERAN.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a schematic diagram illustrating the specific implementation of a method for generating a key set identifier during the transfer from an EUTRAN to a UTRAN according to the present invention;

(2) FIG. 2 is a flowchart illustrating the signaling implementation of a first embodiment according to the method of the present invention;

(3) FIG. 3 is a flowchart illustrating the signaling implementation of a second embodiment according to the method of the present invention;

(4) FIG. 4 is a flowchart illustrating the signaling implementation of a third embodiment according to the method of the present invention;

(5) FIG. 5 is a schematic diagram illustrating the specific implementation of a method for generating a key set identifier during the transfer from an EUTRAN to a GERAN according to the present invention;

(6) FIG. 6 is a flowchart illustrating the implementation of a fourth embodiment according to the method of the present invention;

(7) FIG. 7 is a flowchart illustrating the signaling implementation of a fifth embodiment according to the method of the present invention;

(8) FIG. 8 is a flowchart illustrating the signaling implementation of a sixth embodiment according to the method of the present invention.

DETAILED DESCRIPTION

(9) In order to reuse the key generated by a K.sub.ASME and reduce the signaling interaction between a UE and a network side, an identifier must be generated for the key during the transfer process. For this reason, the present invention provides a method and system for generating a key set identifier when a UE transfers from an EUTRAN to a UTRAN/GERAN.

(10) The present invention is illustrated below in detail by reference to the accompanying drawings in combination with the embodiments.

(11) FIG. 1 is a schematic diagram illustrating the specific implementation of a method for generating a key set identifier when a UE transfers from an EUTRAN to a UTRAN according to the present invention. The method comprises the following steps:

(12) A1, after receiving a request message, a source MME maps a KSI.sub.ASME into a KSI, that is, assigns the value of the KSI.sub.ASME to the KSI to make KSI=KSI.sub.ASME, and then sends a target SGSN the KSI, along with an IK and CK which are generated by the K.sub.ASME via an interaction message of the source MME and the target SGSN;

(13) A2, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN stores the KSI, the IK and the CK and sends the UE a message indicative of the completion of KSI mapping;

(14) A3, the UE maps the KSI.sub.ASME into the KSI, that is, assigns the value of the KSI.sub.ASME to the KSI to make KSI=KSI.sub.ASME, and stores the KSI, along with the IK and CK which are generated by the K.sub.ASME.

(15) Herein, the source MME and the UE may also make the value of the KSI equal to the sum of the value of the KSI.sub.ASME and a constant. The constant is determined by the UE and the network side together. The sum of the value of the KSI.sub.ASME and the constant should not be 111; if the sum is exactly 111, the UE and the network side are required to use another value instead, such as the next value 000 or some other value.

(16) If the UE and the SGSN at the network side have associated a key before the transfer, and the value of the KSI associated before the transfer is the same as that of the KSI into which the KSI.sub.ASME is mapped during the transfer process, then the keys stored in the UE and the target SGSN before the transfer are deleted.

(17) FIG. 2 illustrates a first embodiment of the method according to the present invention, which depicts a flow of the method for generating an identifier of a key when a UE transfers from an EUTRAN to a UTRAN in an idle state. The method comprises the following steps:

(18) S201, the UE determines to transfer to the UTRAN in an idle state and sends a target SGSN a request message for requesting transfer to the UTRAN in an idle state;

(19) herein, the request message for requesting transfer to the UTRAN in an idle state may be a routing area update request or an attachment request;

(20) S202, after receiving the request message sent by the UE for requesting transfer to the UTRAN in an idle state, the target SGSN sends a source MME a user information extraction request message corresponding to the request message for requesting transfer to the UTRAN in an idle state;

(21) herein, "corresponding" refers to the type correspondence between the user information extraction request message sent by the target SGSN to the source MME and the request message received by the target SGSN for requesting transfer to the UTRAN in an idle state;

(22) for example, if in step S201 the request message sent by the UE to the target SGSN is a routing area update request, then the user information extraction request message is a context request message in this step;

(23) for another example, if in step S201 the request message sent by the UE to the target SGSN is an attachment request, then the user information extraction request message is an identification request message in this step;

(24) S203, after receiving the user information extraction request message sent by the target SGSN, the source MME assigns the value of the KSI.sub.ASME to the KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using the K.sub.ASME;

(25) S204, the source MME sends the target SGSN a user information extraction response message including the KSI, the IK and the CK, wherein:

(26) if in step S203 the source MME receives a context request message from the target SGSN, then the user information extraction response message is a context response message in this step;

(27) if in step S203 the source MME receives an identification request message from the target SGSN, then the user information extraction response message is an identification response message in this step;

(28) S205, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN stores the KSI, the IK and the CK;

(29) S206, the target SGSN sends the UE a message indicative of accepting the transfer to the UTRAN in an idle state, so as to inform the UE of the successful mapping of the identifier of a key of a network side, wherein:

(30) if in step S201 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of accepting the transfer to the UTRAN in an idle state is a routing area update accept message in this step;

(31) if in step S201 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of accepting the transfer to the UTRAN in an idle state is an attachment accept message in this step;

(32) S207, the UE assigns the value of the KSI.sub.ASME to the KSI, that is, makes KSI=KSI.sub.ASME, and stores the KSI, along with the IK and CK which are generated by the K.sub.ASME; and

(33) S208, the UE sends the target SGSN a message indicative of the completion of the transfer to the UTRAN in an idle state, wherein

(34) if in step S201 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of the completion of the transfer to the UTRAN in an idle state is a routing area update completion message in this step;

(35) if in step S201 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of the completion of the transfer to the UTRAN in an idle state is an attachment completion message in this step.

(36) FIG. 3 illustrates a second embodiment of the method according to the present invention, which depicts a flow of the method for generating an identifier of a key when a UE transfers from an EUTRAN to a UTRAN in an idle state. The method comprises the following steps:

(37) S301, the UE determines to transfer to the UTRAN in an idle state, assigns the value of a KSI.sub.ASME to a KSI, that is, makes KSI=KSI.sub.ASME, and stores the KSI, along with an IK and CK which are generated by the K.sub.ASME;

(38) S302, the UE sends a target SGSN a request message for requesting transfer to the UTRAN in an idle state;

(39) herein, the request message for requesting transfer to the UTRAN in an idle state is a routing area update request or an attachment request;

(40) S303, after receiving the request message sent by the UE for requesting transfer to the UTRAN in an idle state, the target SGSN sends a source MME a user information extraction request message corresponding to the request message for requesting transfer to the UTRAN in an idle state, wherein

(41) if in step S302 the request message sent by the UE to the target SGSN is a routing area update request, then the user information extraction request message is a context request message in this step;

(42) and if in step S302 the request message sent by the UE to the target SGSN is an attachment request, then the user information extraction request message is an identification request message in this step;

(43) S304, after receiving the user information extraction request message sent by the target SGSN, the source MME assigns the value of the KSI.sub.ASME to the KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using the K.sub.ASME;

(44) S305, the source MME sends the target SGSN a user information extraction response message including the KSI, the IK and the CK, wherein:

(45) if in step S304 the source MME receives a context request message from the target SGSN, then the user information extraction response message is a context response message in this step;

(46) if in step S304 the source MME receives an identification request message from the target SGSN, then the user information extraction response message is an identification response message in this step;

(47) S306, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN stores the KSI along with the IK and the CK;

(48) S307, the target SGSN sends the UE a message indicative of accepting the transfer to the UTRAN in an idle state, so as to inform the UE of the successful mapping of the identifier of a key of a network side, wherein:

(49) if in step S302 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of accepting the transfer to the UTRAN in an idle state is a routing area update accept message in this step;

(50) if in step S302 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of accepting the transfer to the UTRAN in an idle state is an attachment accept message in this step; and

(51) S308, the UE sends the target SGSN a message indicative of the completion of the transfer to the UTRAN in an idle state, wherein

(52) if in step S302 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of the completion of the transfer to the UTRAN in an idle state is a routing area update completion message in this step;

(53) if in step S302 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of the completion of the transfer to the UTRAN in an idle state is an attachment completion message in this step.

(54) FIG. 4 illustrates a third embodiment of the method according to the present invention, which refers to the transfer when an RRC is in an active state, that is, a flow of the method for generating an identifier of a key during the transfer from an EUTRAN to a UTRAN. The method comprises the following steps:

(55) S401, a source eNB determines to initiate a handover;

(56) herein, the determining of the source eNB on the initiation of a handover may be triggered based on a measurement report sent by a UE to the eNB, or the eNB determines to initiate the transfer based on other reasons;

(57) S402, the source eNB sends a handover request to a source MME;

(58) S403, after receiving the handover request, the source MME assigns the value of a KSI.sub.ASME to a KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using the K.sub.ASME;

(59) S404, the source MME sends a target SGSN a forward redirecting request including the KSI, the IK and the CK;

(60) S405, the target SGSN stores the KSI along with the IK and the CK;

(61) S406, the target SGSN sends the source MME a forward redirecting response message, so as to inform the source MME that the target network is ready for a handover;

(62) S407, the source MME sends a handover command to the source eNB;

(63) S408, the source eNB sends an EUTRAN handover command to the UE;

(64) S409, after receiving the handover command, the UE assigns the value of the KSI.sub.ASME to the KSI, that is, makes KSI=KSI.sub.ASME, generates an IK and a CK using the K.sub.ASME, and stores the KSI along with the IK and the CK; and

(65) S410, the UE sends a handover success message to a target radio network controller (RNC) to inform the RNC of the successful generation of the KSI of a network side.

(66) FIG. 5 is a schematic diagram illustrating the specific implementation of a method for generating a key set identifier during the transfer from an EUTRAN to a GERAN according to the present invention. The method comprises the following steps:

(67) B1, after receiving a relevant request message, a source MME maps a KSI.sub.ASME into a KSI, that is, assigns the value of the KSI.sub.ASME to the KSI to make KSI=KSI.sub.ASME, and then sends a target SGSN the KSI, along with an IK and CK which are generated by the K.sub.ASME via an interaction message of the source MME and the target SGSN;

(68) B2, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN assigns the value of the KSI to a CKSN, that is, makes CKSN=KSI, stores the CKSN, along with a Kc generated by the IK and the CK, and sends a UE a message indicative of the completion of CKSN mapping;

(69) B3, the UE maps the KSI.sub.ASME into the CKSN, that is, assigns the value of the KSI.sub.ASME to the CKSN to make CKSN=KSI.sub.ASME, and stores the CKSN, along with a Kc generated by the K.sub.ASME.

(70) Herein, the UE may also make the CKSN equal to the sum of the value of the KSI.sub.ASME and a constant, and the source MME may also make the value of the KSI equal to the sum of the value of the KSI.sub.ASME and a constant. Both constants are determined by the UE and the network side together. The sum of the value of the KSI.sub.ASME and the constant should not be 111; if the sum is exactly 111, the UE and the network side are required to use another value instead, such as the next value 000 or some other value.

(71) In this method, if the UE and the SGSN at the network side have associated a key before the transfer, and the value of the identifier CKSN of that key is the same as that of the CKSN into which the KSI.sub.ASME is mapped during the transfer process, then the keys stored in the UE and the target SGSN before the transfer are deleted.
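
The mapping of steps A1 to A3 (UTRAN) and B1 to B3 (GERAN), with the 111 exception and the deletion of a pre-transfer key that has the same identifier, as an added example that is not part of the patent text. The key derivations are labelled stand-ins because the page does not give them; the 3-bit wrap-around, the rejection of 111 as an input, and all function and field names are assumptions.

```python
import hashlib
import hmac

RESERVED = 0b111  # the description says the mapped identifier should not be 111
ID_BITS = 3       # assumption: 3-bit identifier, inferred from the values 111 and 000


def map_identifier(ksi_asme, constant=0):
    """KSI (or CKSN) = KSI_ASME, or KSI_ASME + agreed constant; never 111."""
    if not 0 <= ksi_asme < RESERVED:
        raise ValueError("assumption: KSI_ASME is 0..6, 111 is not a usable input")
    value = (ksi_asme + constant) % (1 << ID_BITS)  # wrap-around is an assumption
    return 0 if value == RESERVED else value        # "a next value 000"


def derive_ck_ik(k_asme):
    """Stand-in KDF, not the 3GPP one: the page only says CK/IK come from K_ASME."""
    okm = hmac.new(k_asme, b"constructed label: CK||IK", hashlib.sha256).digest()
    return okm[:16], okm[16:]


def derive_kc(ck, ik):
    """Stand-in for 'a Kc generated by the IK and the CK'."""
    return hashlib.sha256(b"constructed label: Kc" + ck + ik).digest()[:8]


class KeyStore:
    """Identifier -> key material, as held by the UE or by the target SGSN."""

    def __init__(self):
        self.keys = {}

    def install(self, ident, material):
        """Store a mapped key, deleting any pre-transfer key with the same
        identifier (paragraphs 16 and 71). Returns True if one was deleted."""
        stale = self.keys.pop(ident, None)
        self.keys[ident] = material
        return stale is not None


def mme_prepare(k_asme, ksi_asme, constant=0):
    """A1/B1: source MME maps the identifier and derives CK, IK for the SGSN."""
    ck, ik = derive_ck_ik(k_asme)
    return {"KSI": map_identifier(ksi_asme, constant), "CK": ck, "IK": ik}


def sgsn_receive(store, msg, target):
    """A2: store KSI with CK, IK. B2: set CKSN = KSI and store it with Kc."""
    if target == "UTRAN":
        material = (msg["CK"], msg["IK"])
    else:  # GERAN
        material = derive_kc(msg["CK"], msg["IK"])
    return msg["KSI"], store.install(msg["KSI"], material)


def ue_map(store, k_asme, ksi_asme, target, constant=0):
    """A3/B3: the UE maps locally; no identifier is sent to it."""
    ident = map_identifier(ksi_asme, constant)
    ck, ik = derive_ck_ik(k_asme)
    material = (ck, ik) if target == "UTRAN" else derive_kc(ck, ik)
    return ident, store.install(ident, material)


def run_transfer(target, ksi_asme, constant=0, ue_constant=None, preexisting=None):
    """Run one transfer with constructed inputs and report whether both sides
    end up with the same identifier pointing at the same key material."""
    k_asme = bytes(range(32))  # constructed sample K_ASME
    ue, sgsn = KeyStore(), KeyStore()
    if preexisting is not None:  # constructed key shared before the transfer
        ue.install(preexisting, b"old-key")
        sgsn.install(preexisting, b"old-key")
    msg = mme_prepare(k_asme, ksi_asme, constant)
    net_id, net_deleted = sgsn_receive(sgsn, msg, target)
    ue_c = constant if ue_constant is None else ue_constant
    ue_id, ue_deleted = ue_map(ue, k_asme, ksi_asme, target, ue_c)
    return {
        "ue_id": ue_id,
        "net_id": net_id,
        "in_sync": ue_id == net_id and ue.keys[ue_id] == sgsn.keys[net_id],
        "stale_deleted": net_deleted and ue_deleted,
        "ue_key_count": len(ue.keys),
    }


if __name__ == "__main__":
    print(run_transfer("UTRAN", 2))
    print(run_transfer("GERAN", 6, constant=1, preexisting=0))
    print(run_transfer("GERAN", 3, constant=1, ue_constant=0))  # constants disagree
```

The last call shows why the constant has to be agreed by the UE and the network side: with different constants the two ends hold different identifiers for the same key material, and the identifier no longer selects a shared key.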

(72) FIG. 6 illustrates a fourth embodiment of the method according to the present invention, which depicts a flow of the method for generating an identifier of a key when a UE transfers from an EUTRAN to a GERAN in an idle state. The method comprises the following steps:

(73) S601, the UE determines to transfer to the GERAN in an idle state and sends a target SGSN a request message for requesting transfer to the GERAN in an idle state;

(74) herein, the request message for requesting transfer to the GERAN in an idle state may be a routing area update request or an attachment request;

(75) S602, after receiving the request message sent by the UE for requesting transfer to the GERAN in an idle state, the target SGSN sends a source MME a user information extraction request message corresponding to the request message for requesting transfer to the GERAN in an idle state, wherein:

(76) if in step S601 the request message sent by the UE to the target SGSN is a routing area update request, then the user information extraction request message is a context request message in this step;

(77) if in step S601 the request message sent by the UE to the target SGSN is an attachment request, then the user information extraction request message is an identification request message in this step;

(78) S603, after receiving the user information extraction request message sent by the target SGSN, the source MME assigns the value of the KSI.sub.ASME to a KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using a K.sub.ASME;

(79) S604, the source MME sends the target SGSN a user information extraction response message including the KSI, the IK and the CK, wherein:

(80) if in step S603 the source MME receives a context request message from the target SGSN, then the user information extraction response message is a context response message in this step;

(81) if in step S603 the source MME receives an identification request message from the target SGSN, then the user information extraction response message is an identification response message in this step;

(82) S605, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN assigns the value of the KSI to a CKSN, and stores the CKSN, along with a Kc generated by the IK and the CK;

(83) S606, the target SGSN sends the UE a message indicative of accepting the transfer to the GERAN in an idle state, so as to inform the UE of the successful mapping of the identifier of a key of a network side, wherein:

(84) if in step S601 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of accepting the transfer to the GERAN in an idle state is a routing area update accept message in this step;

(85) if in step S601 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of accepting the transfer to the GERAN in an idle state is an attachment accept message in this step;

(86) S607, the UE assigns the value of the KSI.sub.ASME to the CKSN, that is, makes CKSN=KSI.sub.ASME, and stores the CKSN, along with a Kc generated by the K.sub.ASME; and

(87) S608, the UE sends the target SGSN a message indicative of the completion of the transfer to the GERAN in an idle state, wherein:

(88) if in step S601 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of the completion of the transfer to the GERAN in an idle state is a routing area update completion message in this step;

(89) if in step S601 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of the completion of the transfer to the GERAN in an idle state is an attachment completion message in this step.

(90) FIG. 7 illustrates a fifth embodiment of the method according to the present invention, which depicts a flow of the method for generating an identifier of a key when a UE transfers from an EUTRAN to a GERAN in an idle state. The method comprises the following steps:

(91) S701, the UE determines to transfer to the GERAN in an idle state, assigns the value of a KSI.sub.ASME to a CKSN, that is, makes CKSN=KSI.sub.ASME, and stores the CKSN, along with a Kc generated by the K.sub.ASME;

(92) S702, the UE sends a target SGSN a request message for requesting transfer to the GERAN in an idle state;

(93) herein, the request message for requesting transfer to the GERAN in an idle state is a routing area update request or an attachment request;

(94) S703, after receiving the request message sent by the UE for requesting transfer to the GERAN in an idle state, the target SGSN sends a source MME a user information extraction request message corresponding to the request message for requesting transfer to the GERAN in an idle state, wherein:

(95) if in step S702 the request message sent by the UE to the target SGSN is a routing area update request, then the user information extraction request message is a context request message in this step;

(96) if in step S702 the request message sent by the UE to the target SGSN is an attachment request, then the user information extraction request message is an identification request message in this step;

(97) S704, after receiving the user information extraction request message sent by the target SGSN, the source MME assigns the value of the KSI.sub.ASME to a KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using the K.sub.ASME;

(98) S705, the source MME sends the target SGSN a user information extraction response message including the KSI, the IK and the CK, wherein:

(99) if in step S704 the source MME receives a context request message from the target SGSN, then the user information extraction response message is a context response message in this step;

(100) if in step S704 the source MME receives an identification request message from the target SGSN, then the user information extraction response message is an identification response message in this step;

(101) S706, after receiving the KSI, the IK and the CK which are sent by the source MME, the target SGSN assigns the value of the KSI to the CKSN, and stores the CKSN, along with a Kc generated by the IK and the CK;

(102) S707, the target SGSN sends the UE a message indicative of accepting the transfer to the GERAN in an idle state, so as to inform the UE of the successful mapping of the identifier of a key of a network side, wherein:

(103) if in step S702 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of accepting the transfer to the GERAN in an idle state is a routing area update accept message in this step;

(104) if in step S702 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of accepting the transfer to the GERAN in an idle state is an attachment accept message in this step; and

(105) S708, the UE sends the target SGSN a message indicative of the completion of the transfer to the GERAN in an idle state, wherein:

(106) if in step S702 the request message sent by the UE to the target SGSN is a routing area update request, then the message indicative of the completion of the transfer to the GERAN in an idle state is a routing area update completion message in this step;

(107) if in step S702 the request message sent by the UE to the target SGSN is an attachment request, then the message indicative of the completion of the transfer to the GERAN in an idle state is an attachment completion message in this step.

(108) FIG. 8 illustrates a sixth embodiment of the method according to the present invention, which depicts a flow of the method for generating an identifier of a key during mobility from an EUTRAN to a GERAN when an RRC is in an active state. The method comprises the following steps:

(109) S801, a source eNB determines to initiate a handover;

(110) herein, the decision of the source eNB to initiate a handover may be triggered by a measurement report sent by a UE to the eNB, or the eNB may determine to initiate the transfer for other reasons;

(111) S802, the source eNB sends a handover request to a source MME;

(112) S803, after receiving the handover request, the source MME assigns the value of a KSI.sub.ASME to a KSI, that is, makes KSI=KSI.sub.ASME, and generates an IK and a CK using the K.sub.ASME;

(113) S804, the source MME sends a target SGSN a forward redirecting request including the KSI, the IK and the CK;

(114) S805, the target SGSN assigns the value of the KSI to a CKSN, that is, makes CKSN=KSI, and stores the CKSN, along with a Kc generated from the IK and the CK;

(115) S806, the target SGSN sends the source MME a forward redirecting response message, so as to inform the source MME that the target network is ready for a handover;

(116) S807, the source MME sends a handover command to the source eNB;

(117) S808, the source eNB sends an EUTRAN handover command to the UE;

(118) S809, after receiving the handover command, the UE assigns the value of the KSI.sub.ASME to the CKSN, that is, makes CKSN=KSI.sub.ASME, generates a Kc using the K.sub.ASME, and stores the generated CKSN and Kc; and

(119) S810, the UE sends a handover success message to a target RNC or BSS to inform the target RNC or BSS of the successful mapping of the CKSN of a network side.

(120) In the above six embodiments, the source MME and the UE may also make the value of the identifier of a key of the target system equal to the sum of the value of the KSI.sub.ASME and a constant, wherein the constant is determined by the UE and the network side together. The sum of the value of the KSI.sub.ASME and the constant should not be 111; if the sum is exactly 111, the UE and the network side are required to use another value in its place, such as the next value 000 or some other value.
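The constant-offset mapping of the paragraph above, combined with the identifier hand-off of steps S803, S805 and S809, as an added example (not code from the patent). It assumes a 3-bit identifier, a sum that wraps modulo 8, and that a KSI.sub.ASME of 111 is never a valid input; all function names are hypothetical.

```python
KSI_BITS = 3          # assumption: the identifier is a 3-bit field
RESERVED = 0b111      # the value the text says the mapping must not produce


def map_ksi(ksi_asme: int, constant: int = 0, fallback: int = 0b000) -> int:
    """Map KSI_ASME to the target-system identifier (KSI or CKSN)."""
    if not 0 <= ksi_asme < RESERVED:
        raise ValueError("KSI_ASME must be 000..110 (assumed: 111 is not usable)")
    if fallback == RESERVED:
        raise ValueError("fallback must not be 111")
    mapped = (ksi_asme + constant) % (1 << KSI_BITS)  # assumption: wraps in 3 bits
    return fallback if mapped == RESERVED else mapped


def handover_identifiers(ksi_asme: int, constant: int = 0, fallback: int = 0) -> dict:
    """Each side derives its identifier on its own, as in S803, S805 and S809."""
    mme_ksi = map_ksi(ksi_asme, constant, fallback)   # source MME: KSI
    sgsn_cksn = mme_ksi                               # target SGSN: CKSN = KSI
    ue_cksn = map_ksi(ksi_asme, constant, fallback)   # UE: CKSN from its own KSI_ASME
    return {"mme_ksi": mme_ksi, "sgsn_cksn": sgsn_cksn, "ue_cksn": ue_cksn}


def collisions(constant: int, fallback: int = 0b000) -> dict:
    """Return {mapped value: [KSI_ASME values]} for values produced more than once."""
    seen = {}
    for ksi_asme in range(RESERVED):
        seen.setdefault(map_ksi(ksi_asme, constant, fallback), []).append(ksi_asme)
    return {value: sources for value, sources in seen.items() if len(sources) > 1}


if __name__ == "__main__":
    # 110 + 1 = 111 is reserved, so both sides substitute the agreed value 000.
    print(handover_identifiers(0b110, constant=1))
    for c in range(8):
        print(f"constant={c}: collisions with fallback 000 -> {collisions(c)}")
```

Under these assumptions, constants 2 through 7 make the 000 substitute coincide with the identifier mapped from another KSI.sub.ASME value, so the substitute the UE and the network side agree on should be checked against the rest of the mapping.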

(121) The KSI.sub.ASME and the KSI.sub.SGSN have been introduced in the above description. The format of the KSI.sub.ASME is the same as that of the KSI.sub.SGSN, and only the KSI.sub.ASME is taken as an example in the above embodiments; the processing method of the KSI.sub.SGSN is the same as that of the KSI.sub.ASME, therefore the description relating to the KSI.sub.SGSN is not repeated in the present invention.

(122) The present invention provides a system for generating an identifier of a key, which is suitable for generating an identifier of a key when a UE transfers from an EUTRAN to a UTRAN. The system comprises: a UE, a mobility management entity (MME) and a serving GPRS support node (SGSN), wherein:

(123) the UE is configured to map a KSI.sub.ASME of the EUTRAN into an identifier of a system key of the UTRAN;

(124) the MME is configured to map the KSI.sub.ASME into an identifier of a system key of the UTRAN, and to send the identifier to the target SGSN;

(125) the SGSN is configured to receive and store the identifier of the system key and the ciphering key and the integrity key which are sent by the MME;

(126) the mapping mode is as follows: the MME and the UE directly make the value of the identifier of the system key equal to that of the KSI.sub.ASME, or equal to the sum of the value of the KSI.sub.ASME and a constant which is determined by the UE and a network side together.

(127) Further, the UE comprises:

(128) a first key set identifier mapping unit configured to generate an identifier KSI of an IK and a CK, and to map the value of the identifier KSI.sub.ASME of a key of a root key access security management entity of the EUTRAN to the KSI, or to map the value of the identifier KSI.sub.ASME plus an appointed constant to the KSI;

(129) a first key and identifier thereof storing unit configured to store the system keys of the UTRAN, that is, the IK and CK, and the identifier KSI of the system keys generated by the first key set identifier mapping unit;

(130) a message receiving unit configured to receive a key set identifier mapping success message sent from the network side; and

(131) a message sending unit configured to send a request message to the network side.

(132) Further, the MME unit comprises:

(133) a second key set identifier mapping unit configured to generate an identifier KSI of the IK and the CK, and to map the value of the KSI.sub.ASME to the KSI, or to map the value of the KSI.sub.ASME plus an appointed constant to the KSI;

(134) a security parameter sending unit configured to send the identifier KSI of the system keys generated by the second key set identifier mapping unit and the IK and the CK to the SGSN; and

(135) a request message receiving unit configured to receive a key set identifier mapping request.

(136) Further, the SGSN comprises:

(137) a security parameter receiving unit configured to receive the IK and the CK and the identifier KSI of the IK and CK which are sent by the MME;

(138) a third key and identifier thereof storing unit configured to store the received identifier KSI, and the IK and the CK;

(139) a message sending unit configured to send the UE a message indicative of the completion of the generation of an identifier of the network side.

(140) By mapping the value of the KSI.sub.ASME in the EUTRAN into the value of the KSI in the UTRAN, the above method and system for generating a key set identifier simultaneously guarantee that there are no repeated codes in the KSI and the previously-stored key sequence numbers, and solve the problem in existing techniques that the IK and the CK which are obtained through mapping cannot be reused, because they are not provided with an identifier, when a UE transfers from the EUTRAN to the UTRAN.

(141) The present invention also provides a system for generating an identifier of a key, which is suitable for generating an identifier of a key when a UE transfers from an EUTRAN to a GERAN. The system comprises a UE, a mobility management entity (MME) and a serving GPRS support node (SGSN), wherein:

(142) the UE is configured to generate an identifier CKSN of a ciphering key Kc of the GERAN by mapping a key set identifier for an access security management entity;

(143) the MME is configured to generate an identifier of a ciphering key and an integrity key by mapping a key set identifier of the access security management entity, and to send the ciphering key, the integrity key and the identifier of the ciphering key and integrity key to the SGSN; and

(144) the SGSN is configured to receive the ciphering key, the integrity key and the identifier thereof which are sent by the MME, and to assign the value of the identifier to the identifier CKSN of the ciphering key Kc of the GERAN.

(145) Further, the UE comprises:

(146) a first key set identifier mapping unit configured to generate an identifier CKSN of a Kc, and to map a value of a root key of the EUTRAN, that is, a value of a key set identifier of an access security management entity (KSI.sub.ASME) to the CKSN, or to map the value of the identifier KSI.sub.ASME plus an appointed constant to the CKSN;

(147) a first key and identifier thereof storing unit configured to store the key Kc generated by a first key generating unit and the identifier CKSN of the key generated by the first key set identifier mapping unit;

(148) a message receiving unit configured to receive a key set identifier mapping completion message sent from a network side; and

(149) a message sending unit configured to send a request message to inform the network side of performing key set identifier mapping.

(150) Further, the mobility management entity (MME) comprises:

(151) a second key set identifier mapping unit configured to generate an identifier KSI of the IK and the CK, and to map the value of the KSI.sub.ASME to the KSI, or to map the value of the KSI.sub.ASME plus an appointed constant to the KSI;

(152) a security parameter sending unit configured to send the SGSN the IK and the CK, and the identifier KSI of the IK and the CK which is generated by the second key set identifier mapping unit;

(153) a request message receiving unit configured to receive a key set identifier mapping request.

(154) Further, the SGSN comprises:

(155) a security parameter receiving unit configured to receive the keys of IK and CK, and the identifier KSI thereof which are sent by the MME;

(156) a third key set identifier mapping unit configured to assign the value of the KSI to the CKSN;

(157) a third key and identifier thereof storing unit configured to store the key Kc and the identifier CKSN of the key Kc; and

(158) a message sending unit configured to send the UE a message indicative of the completion of the generation of an identifier of the network side.

(159) By mapping the value of the KSI.sub.ASME into the value of the CKSN, the method and system in the above embodiments for generating a key set identifier simultaneously guarantee that there are no repeated codes in the CKSN and the key sequence number previously stored by the SGSN, and therefore solve the problem in existing techniques that the IK, the CK or the Kc which the K.sub.ASME is mapped into cannot be reused, because it is not provided with an identifier, when the UE transfers from the EUTRAN to the UTRAN or GERAN. By using the method and system, the IK, the CK or the Kc can be reused after the transfer, the interaction signaling between the UE and the network side is reduced, and the satisfaction level of the user on the use of the network is improved.

(160) Obviously, it should be understood by those skilled in the art that all the modules or steps of the present invention can be realized by general-purpose computing devices, and can be centralized on a single computing device or distributed over a network consisting of multiple computing devices. Optionally, they can be realized by program code executable by computing devices, so that all the modules or steps can be stored in a storage device to be executed by computing devices; alternatively, the modules or steps can each be made into a separate integrated circuit module, or multiple modules or steps can be made into a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.

(161) The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Various modifications and changes can be devised by those skilled in the art, and it should be understood that any modification, equivalent substitution and improvement devised without departing from the spirit and scope of the present invention shall be within the protection scope of the present invention.

INDUSTRIAL APPLICABILITY

(162) By mapping the value of a KSI.sub.ASME into the value of a CKSN, the above method and system for generating an identifier of a key simultaneously guarantee that there are no repeated codes in the CKSN and the key sequence number previously stored by an SGSN, and therefore solve the problem in existing techniques that the IK, the CK or the Kc which a K.sub.ASME is mapped into cannot be reused, because it is not provided with an identifier, when a UE transfers from an EUTRAN to a UTRAN or GERAN. The method and system of the present invention thereby allow the IK, the CK or the Kc to be reused after the transfer, reducing the interaction signaling between the UE and a network side and improving the satisfaction level of the user on the use of the network, and therefore have high industrial applicability.