CN101436931B - Methods, system, base station and relay station for providing security communication in wireless communication systems
- Publication number
- CN101436931B
- Authority
- CN
- China
- Prior art keywords
- base station
- portable terminal
- secure
- communication
- secure data
- Prior art date
- Legal status
- Active
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
One embodiment of the invention provides a method for providing secure communication in a wireless communication system among a base station, a relay station and a mobile station in a communication network. The method includes a step of authenticating the mobile station through the communication network; a step of generating secure data by the base station, wherein the secure data includes at least a traffic encryption key and a message authentication code key; a step of transmitting the secure data from the base station to the mobile station; and a step of transmitting the secure data from the base station to the relay station.
Description
Technical field
The present invention relates to wireless telecommunications, and in particular to a system and method for establishing security associations in a wireless communications environment.
Background technology
Known wireless network environments link electronic devices to service providers. More specifically, a Worldwide Interoperability for Microwave Access (WiMAX) network environment links user devices to a network through intermediate connections. WiMAX is a wireless networking technology that can provide communication to wireless devices over considerable distances. The delays caused by authentication and reauthentication can slow communication with client devices and reduce the efficiency of a WiMAX wireless environment.
Fig. 1 is a block diagram of a conventional wireless communication system using an IEEE 802.16d/802.16e WiMAX wireless communication system. A network 100 provides at least one connectivity service network (CSN) 102, and the CSN 102 uses at least one authentication, authorization and accounting (AAA) server 104. The CSN 102 is connected to gateways 106 and 108. Gateways 106 and 108 are communication network authenticators, normally linked to several base stations (BS) 110 to 115; the number of base stations depends on the network demand in a given area. Although a gateway may be connected to only a single base station, a gateway can also be connected to multiple base stations. Fig. 1 shows only gateways 106 and 108 as an example, but more or fewer gateways may be used depending on the actual number of base stations.
Fig. 1 illustrates the WiMAX environment with six base stations, but the number of base stations may be increased or reduced depending on the gateways actually available and on WiMAX network demand. Base stations, such as base stations 110 and 104, communicate with one or more client devices. Client devices include mobile stations (MS), such as mobile stations 120, 122 and 124, and subscriber stations (SS); the base station provides any wireless network service to mobile stations, and wired or wireless network services to subscriber stations. The network demand of several client devices may be satisfied by a single base station, and a single base station may satisfy the demand of mobile stations and subscriber stations simultaneously.
In the known WiMAX network environment shown in Fig. 1, every time a mobile station 120 initially obtains service through a gateway, such as gateway 106, it must be authenticated by an associated base station, such as base station 110. By this authentication action, as long as mobile station 120 moves within the region served by the gateway that performed the original authentication, no further authentication of the mobile station is needed. However, once the mobile station moves into a region served by another gateway, such as gateway 108, that gateway must perform a reauthentication before providing service to mobile station 120. When a client device is authenticated, or after authentication, security associations, that is, security information between two network entities such as mobile station 120 and base station 110, can be established to guarantee the security of communication between the two.
Authentication protocol standards have previously been standardized for authentication techniques. These standardized protocols may include authentication such as IEEE 802.1X, the extensible authentication protocol method for GSM (global system for mobile communications) subscriber identity modules (EAP-SIM), the extensible authentication protocol method for universal mobile telecommunications systems (UMTS) authentication and key agreement (EAP-AKA), and/or a combination of an extensible authentication protocol method with Remote Authentication Dial-in User Service (RADIUS). In addition, standardized handshake protocols, such as security-association-related protocols, can be used to establish multiple security associations on a communication link; examples are the security association and traffic encryption key (SA-TEK) 3-way handshake procedure and the TEK 3-way handshake procedure.
In an IEEE 802.16d/802.16e WiMAX wireless communication system, these standardized techniques are carried out between a base station and a mobile station. Each standardized authentication technique requires multiple transmissions, which increases the authentication time and the processing resources required.
Fig. 2 is a signal flow diagram of known authentication and authorization operations in an IEEE 802.16d/802.16e WiMAX wireless communication system. An initialization procedure 200 is performed to ensure that the mobile station's request for network service is authorized, to allow the mobile station to access the network, and to provide a security association between the mobile station and the base station, so that secure information can be transmitted between them. For instance, when mobile station 120 moves from the coverage of its original base station 110 into the coverage of base station 111, initialization procedure 200 may be used to provide the security association between the mobile station and the base station.
In the first step of initialization procedure 200, mobile station 120 wirelessly connects to base station 111 through a link-up process 202, which for instance comprises a ranging request and a ranging response. Mobile station 120 then continues with the steps of an authentication procedure, which may be an IEEE 802.1X full authentication procedure 206. AAA server 104 calculates a master session key (MSK) 208 for mobile station 120, sends MSK 208 to gateway 106, and MSK 208 is stored in the cache of gateway 106. The purpose of these authentication procedures, such as EAP authentication methods or other authentication methods, is precisely to deliver the MSK 208 that has been authenticated by AAA server 104, gateway 106 and mobile station 120. Gateway 106 can generate a pairwise master key (PMK) 210 and an authentication key (AK) 212 for mobile station 120, and transmits AK 212 to base station 111.
In initialization procedure 200 of the IEEE 802.16d/802.16e WiMAX wireless communication system of Fig. 2, base station 111 controls whether data transfer takes place between base station 111 and mobile station 120, because base station 111 and mobile station 120 both possess the same TEK 222, KEK 220 and AK 212, from which MACK 224 is produced. After mobile station 120 has established a security association with base station 111, in other words, once mobile station 120 has been allowed to use network services, encrypted data transmission using TEK 222 is therefore established between mobile station 120 and base station 111.
Referring again to Fig. 1: when the system of Fig. 1 operates, signal strength and transmission quality may degrade, because the network signal passes through gateway 106 or 108 and then through base stations 110 to 115 before reaching the client device. In addition, when a mobile station moves from the base station originally serving it to another base station, signal strength and transmission quality may also degrade. Signal quality and coverage may be affected by other factors, such as physical buildings, signal interference, weather, and transmission conditions and formats. Therefore coverage gap regions or hole regions may occur, and when a user is located in such a region there may be only limited or no network access service at all.
One method of solving coverage gaps is simply to provide more base stations, but this may incur a large cost. Alternatively, to avoid such problems, relay stations can be adopted, as in the multi-hop relaying (MR) protocol technology mentioned in IEEE 802.16j. Communication between a base station and a relay station only strengthens or relays, at the relay station, the signal from the base station or the mobile station; it does not involve the authentication procedure or the establishment of security associations.
Fig. 3 is a block diagram of a known communication system using IEEE 802.16j WiMAX and having an MR architecture. Similar to the IEEE 802.16d/802.16e WiMAX wireless communication system, network 100 is accessed through at least one AAA server, such as AAA server 104, and at least one gateway, such as gateway 106. For convenience, network 100, CSN 102, AAA server 104 and gateway 106 are represented together as core network 300. Core network 300, or more precisely gateway 106, communicates with base stations 310 to 313 through a wired link.
Fig. 3 illustrates four base stations, but more or fewer base stations may be used. A base station such as base station 310 can generally communicate directly by wireless transmission with one or more mobile stations, such as mobile station 320. Base stations such as base stations 311 and 312 can also communicate indirectly with one or more mobile stations, such as mobile stations 322, 324 and 326. A base station generally communicates by radio with one or more relay stations, such as relay stations 328, 330 and 332, but may also communicate with them through a wired connection. Relay stations 328, 330 and 332 strengthen or relay, by wireless transmission, the signals received from or sent to mobile station 322. As shown in the figure, relay stations 328, 330 and 332 are fixed relay stations. However, a base station can also communicate with a mobile relay station (MRS), such as mobile relay station 334. A mobile relay station may reside in a train, aircraft or other vehicle, so that passengers carrying mobile stations can link to base stations or other relays through the mobile relay station. As shown in Fig. 3, mobile relay station 334 provides wireless service to mobile stations 324 and 326, but the network demand of a single mobile station or of several mobile stations may be met by a single mobile relay station. Although not shown in Fig. 3, base stations such as base stations 310 to 313 can communicate with one or more subscriber stations. Therefore the network demand of multiple client devices can be satisfied directly by a single base station or through one or more relay stations. Further, relay stations 328, 330 and 332 can provide wireless service to other relay stations, mobile relay stations and/or mobile stations.
In some applications, the use of relay stations may increase the demand for station-to-station handoffs between relay stations and base stations, and because of the limited coverage area of each relay station (including mobile relay stations), more processing resources may be needed to handle the services of those stations and the handoffs between them. In addition, when the operations related to secure communication are carried out, a handoff process from one relay station or base station to another relay station or base station consumes extra resources, causing the performance, bandwidth or quality of the communication connection to decrease.
The embodiments disclosed in this application are intended to solve the above problems.
Summary of the invention
One embodiment of the invention provides a method for providing secure communication in a wireless communication system, applicable among a base station, a relay station and a mobile station in a communication network. The method comprises: authenticating the mobile station through the communication network; generating secure data by the base station, wherein the secure data comprises at least a traffic encryption key and a message authentication code key; transmitting the secure data from the base station to the mobile station; and transmitting the secure data from the base station to the relay station.
Another embodiment of the invention provides a base station for providing secure communication in a wireless communication system, applicable to a communication network. The base station comprises at least one memory for storing data and a plurality of instructions, and at least one processor for accessing the memory and executing the instructions to carry out an authentication method. The authentication method comprises: authenticating a mobile station through the communication network; generating secure data, wherein the secure data comprises at least a traffic encryption key and a message authentication code key; transmitting the secure data to the mobile station; and transmitting the secure data to a relay station.
Another embodiment of the invention provides a relay station for providing secure communication in a wireless communication system, applicable to a communication network. The relay station comprises at least one memory for storing data and a plurality of instructions, and at least one processor for accessing the memory and executing the instructions to carry out an authentication method. The authentication method comprises: responding to a ranging request from a mobile station; transmitting an authentication request for the mobile station to a base station; and using secure data received from the base station to perform secure data transmission with the mobile station, wherein the secure data comprises at least a traffic encryption key and a message authentication code key.
Another embodiment of the invention provides a system for providing secure communication, comprising a base station and a relay station. The base station provides access to a communication network, authenticates at least one mobile station through the communication network, and generates and transmits secure data. The relay station communicates with the base station, receives the secure data, and uses the secure data to provide a plurality of secure data transmissions with the at least one mobile station, wherein the secure data comprises at least a traffic encryption key and a message authentication code key.
Description of drawings
Fig. 1 is a block diagram of a conventional wireless communication system using an IEEE 802.16d/802.16e WiMAX wireless communication system.
Fig. 2 is a signal flow diagram of known authentication and authorization operations in an IEEE 802.16d/802.16e WiMAX wireless communication system.
Fig. 3 is a block diagram of a known communication system using IEEE 802.16j WiMAX and having an MR architecture.
Fig. 4 is a block diagram of an embodiment of a wireless communication system using an IEEE 802.16j WiMAX wireless communication system according to the present invention.
Fig. 5A is a block schematic diagram of an embodiment of a base station.
Fig. 5B is a block schematic diagram of an embodiment of a mobile station.
Fig. 5C is a block schematic diagram of an embodiment of a relay station or mobile relay station.
Fig. 6 is a signal flow diagram of an embodiment of authentication and authorization operations in an IEEE 802.16d/802.16e WiMAX wireless communication system according to the present invention.
Fig. 7 is a signal flow diagram of an embodiment of a handoff procedure according to the present invention.
Fig. 8 is a signal flow diagram of another embodiment of a handoff procedure according to the present invention.
Fig. 9 is a signal flow diagram of a further embodiment of a handoff procedure according to the present invention.
Embodiment
The embodiments described in this specification provide a plurality of security associations within a network system that uses relay stations in an IEEE 802.16j WiMAX wireless communications environment or in other radio communications. By providing a relay station that can establish a secure link with a mobile station and connect a plurality of mobile stations to network 300, processing overhead can be reduced significantly. In particular, by providing the relay station with the TEK and MAC key corresponding to a mobile station that wishes to access network 300, the relay station can establish a security association with the mobile station and carry out authentication and authorization of the mobile station.
Fig. 4 is a block diagram of an embodiment of a wireless communication system using an IEEE 802.16j WiMAX wireless communication system according to the present invention, in which the wireless communication system chooses to use relay stations as authenticator relay stations (AR-RS). In Fig. 4, a base station 400 is connected to network 300 by a wired line and communicates with one or more relay stations 402 and 404, which strengthen or relay the received signals and forward them to a plurality of AR-RSs 406 to 409. As shown in Fig. 4, AR-RS (MRS) 408 is a mobile relay station. A security zone key, also called a relay key (RK) 410, is distributed by base station 400 to relay stations 402 and 404 and, through relay stations 402 and 404, to AR-RSs 406 to 409, after AR-RSs 406 to 409 have been authenticated to network 300 in a separate initialization procedure. The security zone key is used in the IEEE 802.16j network to protect the data and signals of the communication channels between relay stations and/or between relay stations and base stations. Relay stations 402 and 404 and/or base station 400 can use relay key 410 to perform encryption, decryption and message authentication of data and signals. The network coverage area provided by base station 400, relay stations 402 and 404, and AR-RSs 406 to 409 is called the security relay zone (SRZ) 412. Fig. 4 shows, as an example, a mobile station 414 served by AR-RS 406 and mobile stations 416 and 418 served by AR-RS (MRS) 408, but the network demand of a plurality of mobile stations can be served by a single AR-RS. In addition, although only AR-RS 408 is drawn as a mobile relay station in the figure, additional AR-RSs in SRZ 412 may also be mobile relay stations.
Each time mobile station 414 is initialized and served by base station 400, it must establish a security association with network 300. As long as mobile station 414 moves within SRZ 412, further security association establishment and authentication can be bypassed. However, once mobile station 414 moves into a region served by another base station, it is served by that other base station, so a security association must be established between the different base station and mobile station 414, depending on whether the other base station is linked to gateway 106. Authentication of mobile station 414 is also part of the handoff procedure. Such reauthentication and/or security association establishment procedures cause delays in providing service to mobile station 414.
Fig. 5A is a block schematic diagram of an embodiment of a base station. Base station 400 can be any type of communication device for transmitting and/or receiving signals and/or communications in a wireless communication system with one or more mobile stations, relay stations and/or AR-RSs, where the mobile station may be mobile station 414, the relay stations may be relay stations 402 and 404, and the AR-RSs may be AR-RSs 406 to 409. As shown in Fig. 5A, each base station 400 may include one or more of the following elements: at least one CPU 500, random-access memory (RAM) 502, read-only memory (ROM) 504, memory 506, database 508, input/output (I/O) device 510, interface 512, antenna 514, and so on. CPU 500 executes computer program instructions to carry out the various procedures and methods. RAM 502 and ROM 504 access and store information and computer program instructions. Memory 506 stores data and information. Database 508 stores a plurality of tables, lists or other data structures. These elements are well known to those of ordinary skill in the art and are not described further here.
Fig. 5B is a block schematic diagram of an embodiment of a mobile station. As shown in the figure, each mobile station 414 may include one or more of the following elements: at least one CPU 520, random-access memory (RAM) 522, read-only memory (ROM) 524, memory 526, database 528, input/output (I/O) device 520, interface 522, antenna 524, and so on. CPU 520 executes computer program instructions to carry out the various procedures and methods. RAM 522 and ROM 524 access and store information and computer program instructions. Memory 526 stores data and information. Database 528 stores a plurality of tables, lists or other data structures. These elements are well known to those of ordinary skill in the art and are not described further here.
Fig. 5C is a block schematic diagram of an embodiment of a relay station or mobile relay station. As shown in Fig. 5C, each relay station or mobile relay station 406 may include one or more of the following elements: at least one CPU 540, random-access memory (RAM) 542, read-only memory (ROM) 544, memory 546, database 548, input/output (I/O) device 540, interface 542, antenna 544, and so on. CPU 540 executes computer program instructions to carry out the various procedures and methods. RAM 542 and ROM 544 access and store information and computer program instructions. Memory 546 stores data and information. Database 548 stores a plurality of tables, lists or other data structures. These elements are well known to those of ordinary skill in the art and are not described further here.
Fig. 6 is a signal flow diagram of an embodiment of authentication and authorization operations in an IEEE 802.16d/802.16e WiMAX wireless communication system according to the present invention, in which the wireless communication system chooses to use relay stations as authenticator relay stations (AR-RS). An initialization procedure 600 is performed to ensure that the mobile station's request for network service is authorized, to allow the mobile station to access the network, and to provide a security association among the mobile station, the relay station and the authenticator relay station, so that secure information can be transmitted between the mobile station and the base station. For instance, when mobile station 414 has just been turned on, or when mobile station 414 enters the coverage served by AR-RS 406 from the coverage provided by a base station connected to gateway 108, initialization procedure 600 may be used to authenticate mobile station 414 and establish a security association with it.
In an initial link-up procedure 602, mobile station 414 transmits a ranging request to AR-RS 406. AR-RS 406 responds with a ranging response to mobile station 414, to confirm whether the mobile station is currently within the coverage of AR-RS 406. AR-RS 406 then transmits an authentication request 604, protected by relay key 410, to base station 400. Authentication request 604 can inform base station 500 of the identification data of the mobile station 414 served by AR-RS 406. Because mobile station 414 did not previously or recently connect to network 300 through base station 400 and gateway 106, mobile station 414 is authenticated with AAA server 104 using IEEE 802.1X full authentication procedure 206.
When IEEE 802.1X full authentication procedure 206 completes successfully, AAA server 104 and mobile station 414 each calculate a master session key (MSK) 606. AAA server 104 then sends MSK 606 to gateway 106. When gateway 106 receives MSK 606, it calculates PMK 608 from MSK 606 and stores PMK 608 in its cache. Gateway 106 then calculates AK 610 from PMK 608 and sends AK 610 to base station 400. When base station 400 receives AK 610, it begins to produce security material from AK 610, and the security material includes KEK 612 and MACK 616. MSK 606 is known to AAA server 104, gateway 106 and the client device, such as mobile station 414. Therefore the mobile station independently holds MSK 606, may derive PMK 608 and AK 610, and obtains the same MACK 616 and KEK 612. A client device such as mobile station 414 temporarily stores PMK 608 in its memory after a successful authentication, such as an EAP authentication method. At this point, base station 400 and mobile station 414 authenticate each other by executing an SA-TEK 3-way handshake procedure 214 based on MACK 616. When SA-TEK 3-way handshake procedure 214 completes successfully, base station 400 can generate and transmit secure data to mobile station 414, where this secure data comprises TEK 614 and is protected by KEK 612. In one embodiment, TEK 614 is generated randomly by base station 400 and serves to provide data confidentiality between base station 400 and AR-RS 406. At the same time, base station 400 can transmit the secure data to AR-RS 406, where this secure data comprises TEK 614 and is protected by KEK 612. Relay station 406 may receive MACK 615 in order to authenticate mobile station 414 directly, and receive TEK 614 in order to encrypt or decrypt the encrypted information sent to or received from mobile station 414. One or more security keys, such as MK, MSK 606, PMK 608, AK 610, KEK 612, TEK 614 and MACK 615, may all serve as secure data.
AR-RS 406 can then switch the communication channel between mobile station 414 and AR-RS 406 to an authorized state, to provide mobile station 414 with access to network 300. Further, because mobile station 414 and AR-RS 406 both have TEK 614, the two can exchange encrypted data transmissions. More specifically, after mobile station 414 is authenticated, TEK 614 can be used to encrypt the data transmitted between mobile station 414 and AR-RS 406. If a multicast service is available, base station 400 can distribute a multicast key to AR-RS 406 to enable mobile station 414 to receive transmissions sent to a plurality of mobile stations, where a multicast service is one in which a base station transmits information simultaneously to a plurality of client devices, and the multicast key protects those multicast transmissions.
Fig. 7 is a signal flow diagram of an embodiment of a handoff procedure according to the present invention. This handoff procedure takes place when a mobile station is transferred from a current AR-RS, such as AR-RS 406, to a target AR-RS, such as AR-RS 407, where the current AR-RS and the target AR-RS communicate with the same base station, such as base station 400. In Fig. 7, when mobile station 414 transmits a ranging request to AR-RS 407 and AR-RS 407 responds with a ranging response to mobile station 414, a link 702 is thereby established between mobile station 414 and AR-RS 407, and the link-up carries a secure data identifier, such as an authentication key identifier (AKID). Because mobile station 414 was previously authenticated through AR-RS 406, this AKID identifies the AK currently stored in a memory of mobile station 414, such as memory 526, ROM 524, RAM 522 or database 528. In an AK verification signal request 704, AR-RS 407 transmits the AKID to base station 400, to confirm whether the AK stored in mobile station 414 matches the AK stored in a memory of base station 400, such as memory 526, ROM 524, RAM 522 or database 528. Because AR-RS 406 and AR-RS 407 are both within SRZ 412, they share the same relay key 410. For security, verification signal request 704 is encrypted with relay key 410. In one embodiment, because the mobile station previously executed a full authentication procedure through AR-RS 406 and base station 400, the secure data held by base station 400 and by mobile station 414 match; here the secure data refers to AK 610. If the AKs match, base station 400 transmits an AK verification success message 706 to AR-RS 407. In another embodiment, base station 414 can be programmed to transmit an Extensible Authentication Protocol over Local Area Network (EAPOL) start message 708 to trigger IEEE 802.1X full authentication procedure 206. When AR-RS 407 receives EAPOL start message 708, AR-RS 407 can transmit an EAPOL success message 710 to mobile station 414, skipping IEEE 802.1X full authentication procedure 206; this also indicates that the authentication procedure can succeed without going through IEEE 802.1X full authentication procedure 206.
Because base station 400 and portable terminal 414 may hold the same secure data at this point, such as AK610, portable terminal 414 and base station 400 can each derive MACK616 from AK610 independently. Portable terminal 414 and base station 400 may also hold the TEK614 last calculated and/or the KEK612 last produced, and can verify each other directly by performing the SA-TEK three-way handshake procedure. In addition, as in the connection relationship described for Fig. 6, base station 400 can produce a new KEK72 and a new TEK714 from AK610. Base station 400 uses KEK712 (or TEK612) to encrypt TEK714 (or TEK612), and, for data confidentiality, transmits the encrypted TEK714 (or TEK614) to portable terminal 414.
Base station 400 can use relay key 410 to protect the secure data that it transmits immediately to AR-RS407, such as TEK714 (or TEK614) and MACK616. After AR-RS407 obtains TEK714 (or TEK614), AR-RS407 switches the communication port between portable terminal 414 and AR-RS407 to an authorized state, giving portable terminal 414 access to network 300. Further, because portable terminal 414 and AR-RS407 both hold TEK714 (or TEK614), the two sides can exchange encrypted data transmissions.
Fig. 8 is a signal flow diagram of another embodiment of a handover procedure according to the present invention, in which a portable terminal moves from an AR-RS attached to a present base station, such as AR-RS407 attached to base station 400, to a target AR-RS802 attached to a different target base station 804. In Fig. 8, portable terminal 414 transmits a binding message 702 to target AR-RS802, where binding message 702 includes a secure data identification code, such as an AKID.
Because of the earlier authentication through AR-RS407, the AKID identifies the AK currently stored in a memory of portable terminal 414, which may be memory 526, ROM524, RAM522 or database 528. In an AK verification signal request 704, target AR-RS802 transmits the AKID to base station 804 in order to confirm whether the AK stored in portable terminal 414 matches the AK stored in a memory of target base station 804, which may be memory 526, ROM524, RAM522 or database 528. AR-RS802 does not communicate with the same base station as AR-RS407 and therefore does not share the same relay key 401 with it; instead, AR-RS802 shares a relay key 802 with target base station 804. If the AK currently held by base station 804 matches the AK in the memory of portable terminal 414, base station 804 transmits a Verification Success message to AR-RS802. If the AK currently held by base station 804 does not match the AK in the memory of portable terminal 414, or the portable terminal holds no AK, base station 804 transmits a Verification Failure message 808 to AR-RS802. In the embodiment of Fig. 8, because portable terminal 414 was previously authenticated by base station 400, the AK currently held by portable terminal 414, AK610, does not match the AK held by base station 804, or base station 804 has no AK corresponding to portable terminal 414 at all, so base station 804 transmits a Verification Failure message 808 to portable terminal 414. When portable terminal 414 receives Verification Failure message 808, portable terminal 414 performs the IEEE 802.1X full authentication procedure 206 with AAA server 104 to obtain a new MSK810, PMK812 and AK414 from base station 804.
Once base station 804 and portable terminal 414 both hold AK814, both can derive MACK820 and KEK816 from AK814 and authenticate each other by performing the SA-TEK three-way handshake procedure. When SA-TEK three-way handshake procedure 214 completes successfully, base station 804 can generate a new TEK818 and transmit the new TEK818 or the old TEK712 to portable terminal 414, to provide data confidentiality between relay station 407 and portable terminal 407, where the TEK818 or TEK712 transmitted by base station 804 is protected by KEK816.
Base station 804 can also transmit TEK818 and MACK820 to AR-RS802, where TEK818 and MACK820 are likewise protected by KEK816. After AR-RS802 obtains TEK818 and MACK820, AR-RS802 switches the communication port between portable terminal 414 and AR-RS407 to an authorized state, giving portable terminal 414 access to network 300. Further, because portable terminal 414 and AR-RS802 both hold TEK818 and MACK820, the two sides can exchange encrypted data transmissions.
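As an added example (not code from the patent), the following Python model walks through the AK verification of Fig. 7 and Fig. 8: the target AR-RS forwards the AKID to its base station under the shared relay key, a match yields a fresh TEK wrapped under the KEK for the terminal and TEK plus MACK under the relay key for the relay, and a miss sends the terminal through a full authentication before the retry. The KDF, the AKID format and the wrapping cipher are assumptions, since the page does not specify them.

```python
# Constructed model of the AK-confirmation handover of Fig. 7 and Fig. 8. The KDF, the
# AKID format and the wrapping cipher are assumptions; the patent does not specify them.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 key derivation (assumed; the page names no KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def akid_of(ak: bytes) -> bytes:
    """Secure data identification code: a truncated hash of the AK (assumed)."""
    return hashlib.sha256(b"AKID" + ak).digest()[:8]


def protect(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the cipher used under the relay key and under the
    KEK; the keystream is a single PRF block, so messages are limited to 32 bytes here."""
    assert len(msg) <= 32, "toy cipher: one keystream block only"
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, kdf(kdf(key, b"enc"), nonce)))
    return nonce + ct + hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; a wrong key or tampering is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, kdf(kdf(key, b"enc"), nonce)))


@dataclass
class MobileTerminal:
    ak: bytes = b""      # AK from the last full authentication
    tek: bytes = b""

    def binding_message(self) -> bytes:
        return akid_of(self.ak)          # message 702 carries the AKID, never the AK

    def install_tek(self, wrapped: bytes) -> None:
        self.tek = unprotect(kdf(self.ak, b"KEK"), wrapped)   # KEK is derived from the AK


@dataclass
class BaseStation:
    relay_key: bytes                               # shared with every AR-RS in its zone
    aks: dict = field(default_factory=dict)        # AKID -> AK, received from the authenticator

    def ak_verification(self, request: bytes):
        """Request 704: on an AKID match derive KEK and MACK from the AK, pick a new TEK and
        return it wrapped for the MS (under KEK) and for the AR-RS (under the relay key)."""
        ak = self.aks.get(unprotect(self.relay_key, request))
        if ak is None:
            return None                            # Verification Failure 808
        tek = os.urandom(16)                       # MACK truncated to 16 bytes to fit the toy cipher
        return protect(kdf(ak, b"KEK"), tek), protect(self.relay_key, tek + kdf(ak, b"MACK")[:16])


@dataclass
class RelayStation:
    relay_key: bytes
    authorized: bool = False   # port towards the portable terminal starts closed
    tek: bytes = b""
    mack: bytes = b""

    def handover(self, ms: MobileTerminal, bs: BaseStation) -> str:
        """Target AR-RS side: forward the AKID under the relay key; open the port only once
        TEK and MACK have arrived, otherwise the terminal must run full IEEE 802.1X."""
        result = bs.ak_verification(protect(self.relay_key, ms.binding_message()))
        if result is None:
            return "full-auth-required"
        for_ms, for_rs = result
        secure = unprotect(self.relay_key, for_rs)
        self.tek, self.mack = secure[:16], secure[16:]
        ms.install_tek(for_ms)
        self.authorized = True
        return "skip-full-auth"                    # EAPOL-Success 710 path


def full_authentication(ms: MobileTerminal, bs: BaseStation) -> None:
    """Stand-in for IEEE 802.1X with the AAA server: a fresh AK reaches both sides."""
    ms.ak = os.urandom(32)
    bs.aks[akid_of(ms.ak)] = ms.ak


def demo():
    """Fig. 7: same base station, verification succeeds; Fig. 8: other base station,
    verification fails, full authentication runs, and the retry then succeeds."""
    bs400, bs804 = BaseStation(os.urandom(32)), BaseStation(os.urandom(32))
    rs407, rs802 = RelayStation(bs400.relay_key), RelayStation(bs804.relay_key)
    ms = MobileTerminal()
    full_authentication(ms, bs400)
    first = rs407.handover(ms, bs400)
    attempt = rs802.handover(ms, bs804)
    if attempt == "full-auth-required":
        full_authentication(ms, bs804)
    retry = rs802.handover(ms, bs804)
    return first, attempt, retry, rs802.tek == ms.tek and rs802.authorized
```

The relay never sees the AK: it only learns the TEK and MACK that the base station releases after the AKID check, which is why a relay in a different zone cannot vouch for a terminal whose AK its own base station does not hold.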
Although the initialization procedure and the handover procedures described above can also be applied to a mobile relay station, the mobile relay station, and the portable terminals that access the network through it, must be prepared to handle a change of base station, in which the AR-RS, here the mobile relay station, itself does not change.
Fig. 9 is a signal flow diagram of another embodiment of a handover procedure according to the present invention, in which a mobile relay station moves from a present base station to another base station. In Fig. 9, when mobile relay station AR-RS408 moves into the coverage of base station 900, mobile relay station AR-RS408 can establish an association with base station 900. Portable terminals 416 and 418 are connected to AR-RS408, and the connections between the portable terminals and AR-RS408 are preferably maintained through base station 900. When AR-RS408 approaches or is within the coverage of base station 900, in order to update the AKs of portable terminals 416 and 418, AR-RS408 can first transmit a ranging message 902 to portable terminals 416 and 418 to notify them that the secure data they hold must be updated. In response to receipt of ranging message 902, AR-RS408 must itself receive an AK and undergo an authentication similar to that of a portable terminal. Gateway 106 may transmit the AK to the mobile relay station in an AK transfer 904.
AR-RS408 transmits a re-authentication trigger message, or secure data update message, 906 to portable terminals 416 and 418. Re-authentication trigger message 906 may be sent to portable terminals 416 and 418 in a multicast transmission mode. In response to receiving re-authentication trigger message 906, portable terminals 416 and 418 perform an IEEE 802.1X full authentication procedure 206 with AAA server 104 and gateway 106. Gateway 106 calculates a new AK from the PMK it already holds and gives it to base station 900. In an AK transfer 908, gateway 106 and/or AAA server 104 may transmit the secure data of all portable terminals associated with AR-RS408, such as their AKs, to base station 900, and may use a tunnel mode to transmit all parameters of all portable terminals linked to AR-RS408, such as their AKs, to base station 900 at once. In tunnel mode, the logical connection between two points, such as AR-RS408 and gateway 106, is dedicated, and intermediate nodes cannot process the tunnel packets but simply forward them.
Portable terminals 416 and 418 then perform an SA-TEK three-way handshake procedure 214 with base station 900. In a TEK transfer 910, base station 900 can send the TEK and MACK of each portable terminal to AR-RS408, and can do so in tunnel mode. In one embodiment, base station 900 can aggregate the secure data of each portable terminal and send it to AR-RS408 in TEK transfer 910 in a message aggregation mode. In one embodiment, the TEKs and MACKs received by base station 900 and portable terminals 416 and 418 can be put to use ahead of the inter-base station handoff, to avoid a service interruption at portable terminals 416 and 418. AR-RS408 can then provide the secure data to portable terminals 416 and 418 without having to perform an authentication procedure with them. In addition, AR-RS408 may only update the authentication data in portable terminals 416 and 418, and in a further embodiment, AR-RS408 does not change the TEKs held by 416 and 418.
Although Fig. 9 shows base station 900 communicating with the core network and AAA server 104 through gateway 106, those of ordinary skill in the art will understand from the method described for Fig. 9 how base station 900 communicates with the core network and AAA server 104 through gateway 108.
The systems and methods disclosed herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or combinations thereof. Apparatus utilizing the present invention may be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor. Method steps of the present invention may be performed by a programmable processor executing a program of instructions to perform functions of the invention by operating on input data and generating output. Embodiments of the invention may be implemented in one or more computer programs executable on a programmable system including at least one programmable processor coupled to receive data from, and transmit data to, a storage system, at least one input device, and at least one output device. Each computer program may be implemented in a high-level procedural or object-oriented programming language, or in assembly or machine code if desired. The language or code can be a compiled or interpreted language or code. Processors may include general and special purpose microprocessors. A processor receives instructions and data from a memory. Storage devices suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; and CD-ROM. Any of the foregoing can be supplemented by, or incorporated in, ASICs.
Those skilled in the art will recognize that various modifications and variations can be made to the systems and methods for establishing security associations in wireless communication systems. For example, those skilled in the art will understand that the ranging request and response are one type of signaling message, and that other signaling messages can be used. In addition, those skilled in the art will understand that the traffic encryption key is one type of traffic key and other traffic keys can be used, and that MACK is one type of authentication key and other authentication keys can be used. Those skilled in the art will also understand that the communication between the base station and the relay station can be wireless or wired. Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the scope of the present invention; anyone of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present invention, and the scope of protection of the present invention is therefore defined by the appended claims.
Claims (23)
1. A method for providing secure communication in a wireless communication system, applicable between a base station, a relay station and a portable terminal in a communication network, the method comprising:
authenticating the portable terminal through the communication network;
generating, by the base station, a secure data (security material), wherein the secure data comprises at least a transaction encryption key and a message authentication code key;
transmitting, by the base station, the secure data to the portable terminal; and
transmitting, by the base station, the secure data to the relay station,
wherein the step of authenticating the portable terminal further comprises:
the base station receiving an authentication key from an authenticator of the communication network, wherein the secure data is generated using the authentication key, and the secure data does not include the authentication key.
2. The method for providing secure communication in a wireless communication system of claim 1, further comprising:
the base station using the secure data to transmit a plurality of secure communications to the portable terminal.
3. The method for providing secure communication in a wireless communication system of claim 1, wherein the step of authenticating the portable terminal further comprises:
performing a full authentication.
4. The method for providing secure communication in a wireless communication system of claim 3, wherein the step of authenticating the portable terminal further comprises:
performing IEEE 802.1X authentication.
5. The method for providing secure communication in a wireless communication system of claim 1, wherein the step of authenticating the portable terminal further comprises:
the base station receiving a secure data identification code from the portable terminal, the secure data identification code corresponding to an authentication key stored in the portable terminal;
when the base station authenticates the portable terminal successfully, the base station transmitting an authentication success message to the portable terminal; and
when the base station fails to authenticate the portable terminal, the base station requiring the portable terminal to perform an IEEE 802.1X full authentication procedure.
6. The method for providing secure communication in a wireless communication system of claim 1, further comprising:
establishing a secure communication path between the base station and the relay station, wherein the base station transmits at least one of the secure data to the relay station through the secure communication path.
7. The method for providing secure communication in a wireless communication system of claim 1, wherein the communication between the base station and the relay station is wireless communication.
8. A base station for providing secure communication in a wireless communication system, applicable to a communication network, the base station comprising:
at least one memory for storing data and a plurality of instructions; and
at least one processor for accessing the memory and executing the instructions to perform an authentication method, the authentication method comprising:
authenticating a portable terminal through the communication network;
generating a secure data, wherein the secure data comprises at least a transaction encryption key and a message authentication code key;
transmitting the secure data to the portable terminal; and
transmitting the secure data to a relay station,
wherein the authentication method further comprises:
the base station receiving an authentication key from an authenticator of the communication network, wherein the secure data is generated using the authentication key, and the secure data does not include the authentication key.
9. The base station for providing secure communication in a wireless communication system of claim 8, wherein the authentication method further comprises:
performing a full authentication.
10. The base station for providing secure communication in a wireless communication system of claim 8, wherein the authentication method further comprises:
performing IEEE 802.1X authentication.
11. The base station for providing secure communication in a wireless communication system of claim 8, wherein the authentication method further comprises:
the base station receiving a secure data identification code from the portable terminal, the secure data identification code corresponding to an authentication key stored in the portable terminal;
when the base station authenticates the portable terminal successfully, the base station transmitting an authentication success message to the portable terminal; and
when the base station fails to authenticate the portable terminal, the base station requiring the portable terminal to perform an IEEE 802.1X full authentication procedure.
12. The base station for providing secure communication in a wireless communication system of claim 8, further comprising a first processor for establishing a secure communication path between the base station and the relay station, wherein the base station transmits at least one of the secure data to the relay station through the secure communication path.
13. The base station for providing secure communication in a wireless communication system of claim 8, wherein the communication between the base station and the relay station is wireless communication.
14. A relay station for providing secure communication in a wireless communication system, applicable to a communication network, the relay station comprising:
at least one memory for storing data and a plurality of instructions;
a first processor for transmitting a secure data update message to a portable terminal, to notify the portable terminal to update its secure data; and
at least one processor for accessing the memory and executing the instructions to perform an authentication method, the authentication method comprising:
in response to a ranging request from the portable terminal, transmitting an authentication request for the portable terminal to a base station; and
using the secure data generated by the base station and received from the base station to perform secure data transmissions with the portable terminal, wherein the secure data comprises at least a transaction encryption key and a message authentication code key.
15. The relay station for providing secure communication in a wireless communication system of claim 14, wherein the first processor is further for establishing a secure communication path between the base station and the relay station, and the relay station transmits the authentication request to the base station through the secure communication path.
16. The relay station for providing secure communication in a wireless communication system of claim 14, wherein the relay station is a mobile relay station.
17. The relay station for providing secure communication in a wireless communication system of claim 14, wherein the secure data update message is transmitted to the portable terminal in a multicast transmission mode.
18. The relay station for providing secure communication in a wireless communication system of claim 14, wherein the communication between the base station and the relay station is wireless communication.
19. A system for providing secure communication, the system comprising:
a base station for providing access to a communication network, authenticating at least one portable terminal through the communication network, and generating and transmitting a secure data; and
a relay station in communication with the base station, for receiving the secure data and using the secure data to provide a plurality of secure data transmissions with the at least one portable terminal, wherein the secure data comprises at least a transaction encryption key and a message authentication code key,
wherein the relay station uses the secure data to provide the secure data transmissions with the at least one portable terminal without performing an authentication procedure with the portable terminal.
20. The system for providing secure communication of claim 19, wherein the relay station is a mobile relay station.
21. The system for providing secure communication of claim 20, wherein the base station aggregates the secure data and transmits it to the relay station.
22. The system for providing secure communication of claim 20, wherein the relay station uses the secure data to provide the secure data transmissions with the at least one portable terminal, but does not change the transaction encryption key held by the portable terminal.
23. The system for providing secure communication of claim 19, wherein the communication between the base station and the relay station is wireless communication.
Applications Claiming Priority (10)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US96977307P | 2007-09-04 | 2007-09-04 | |
US60/969,773 | 2007-09-04 | ||
US98176707P | 2007-10-22 | 2007-10-22 | |
US60/981,767 | 2007-10-22 | ||
US98553807P | 2007-11-05 | 2007-11-05 | |
US60/985,538 | 2007-11-05 | ||
US12/203,652 | 2008-09-03 | ||
US12/203,671 | 2008-09-03 | ||
US12/203,652 US20090271626A1 (en) | 2007-09-04 | 2008-09-03 | Methods and devices for establishing security associations in communications systems |
US12/203,671 US9313658B2 (en) | 2007-09-04 | 2008-09-03 | Methods and devices for establishing security associations and performing handoff authentication in communications systems |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101436931A CN101436931A (en) | 2009-05-20 |
CN101436931B true CN101436931B (en) | 2013-07-10 |
Family ID: 40711169
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008102129115A Active CN101436931B (en) | 2007-09-04 | 2008-09-04 | Methods, system, base station and relay station for providing security communication in wireless communication systems |
CN2008102157257A Active CN101437226B (en) | 2007-09-04 | 2008-09-04 | Methods, system, relay station and base station for providing safe communication |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008102157257A Active CN101437226B (en) | 2007-09-04 | 2008-09-04 | Methods, system, relay station and base station for providing safe communication |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN101436931B (en) |
Application events (2008)
- 2008-09-04 CN CN2008102129115A: patent CN101436931B, status Active
- 2008-09-04 CN CN2008102157257A: patent CN101437226B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN101437226A (en) | 2009-05-20 |
CN101436931A (en) | 2009-05-20 |
CN101437226B (en) | 2012-11-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |