
WO2017118269A1 - Method and apparatus for protecting air interface identity - Google Patents


Info

Publication number: WO2017118269A1
Authority: WO, WIPO (PCT)
Prior art keywords: air interface, wireless access, access node, protection key, identifier
Application number: PCT/CN2016/110194
Other languages: French (fr), Chinese (zh)
Inventors: 祝建建, 甘露, 金兹伯格菲利普
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04W 12/0433 Key management protocols

Definitions

  • the present invention relates to the field of wireless communication technologies, and in particular to a method and an apparatus for protecting an air interface identifier.
  • the wireless network access point allocates an air interface ID (Identity) to the user equipment that accesses it, and completes data transmission with the user equipment through that air interface ID.
  • a new wireless network access node allocates a new air interface ID to the user equipment, and completes data transmission with the user equipment according to the new air interface ID.
  • the wireless network access node sends the air interface ID assigned to the user equipment to the user equipment in an air interface signaling message. If an attacker continuously obtains the air interface ID of the user equipment over a long period, the attacker can derive, from the air interface ID, information such as the user's movement track and service characteristics, which threatens the user's private information and network security.
  • the embodiments of the present invention provide a method and an apparatus for protecting an air interface identifier, which solve the problem that the user's private information and network security are put at risk by air interface ID leakage.
  • a first aspect of the present invention provides a method for protecting an air interface identifier, the method comprising:
  • the upper layer network control node receives a network connection request sent by the user equipment (UE), where the network connection request includes the identifier of the UE;
  • the upper layer network control node acquires a root key corresponding to the identifier of the UE;
  • the upper layer network control node generates a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID, and a random number;
  • the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE, or the ID of the base station corresponding to that wireless access point;
  • the upper layer network control node sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID by using the first air interface ID protection key;
  • the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
  • compared with the prior art, in which air interface ID leakage puts the user's private information and network security at risk, the present invention has the upper layer network control node generate a first air interface ID protection key for the first air interface ID, and the wireless access node encrypts the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form; this prevents an attacker from persistently obtaining the air interface ID and protects the user's private information and network security.
  • after the upper layer network control node generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, the method further includes: the upper layer network control node sends the first air interface ID protection key to the UE.
  • the method further includes: the upper layer network control node sends the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • when the UE is served by a new radio access node, the method further includes: the upper layer network control node sends the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts and transmits the second air interface ID by using the first air interface ID protection key.
  • the method further includes: the upper layer network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one of the new wireless access point ID, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, and the second air interface ID is an air interface ID allocated by the new wireless access node to the UE;
  • in the embodiment of the present invention, after the UE switches to a new wireless access node, the new node still needs to allocate a second air interface ID to the UE; the upper layer network control node acquires the first air interface ID protection key or generates a second air interface ID protection key, so that the second air interface ID is encrypted and transmitted under the first or the second air interface ID protection key, thereby protecting user privacy and network security.
  • the method for protecting an air interface identifier provided by the embodiment of the present invention can be applied to the scenario in which the UE switches wireless access nodes, and is better suited to the new network architecture: the air interface ID is allocated by the wireless access node, while the air interface ID protection key is generated by the upper layer network control node, so that the transmitted air interface ID has better timeliness.
  • when a wireless access node is newly added for the UE, the method further includes: the upper layer network control node sends the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the first air interface ID protection key, where the third air interface ID is the air interface ID assigned by the newly added wireless access node to the UE.
  • the method further includes: the upper layer network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one of the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID, and the third air interface ID is the air interface ID allocated by the newly added wireless access node to the UE;
  • the upper layer network control node sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the third air interface ID protection key.
  • compared with the prior art, in which air interface ID leakage puts the user's private information and network security at risk, the upper layer network control node acquires the first air interface ID protection key or generates a third air interface ID protection key, so that the third air interface ID is encrypted and transmitted under the first or the third air interface ID protection key, while the first air interface ID is still encrypted and transmitted under the first air interface ID protection key.
  • the sending, by the upper layer network control node, of the first air interface ID protection key to the wireless access node includes: the upper layer network control node sends the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
  • when there are multiple radio access nodes serving the UE, the upper layer control network sends the generated first air interface ID protection key to the plurality of radio access nodes, so that each radio access node can encrypt and transmit the first air interface ID under the first air interface ID protection key, thereby avoiding leakage of the first air interface ID.
  • a second aspect of the present invention provides a protection device for an air interface identifier, including:
  • a receiving unit configured to receive a network connection request sent by the user equipment (UE), where the network connection request includes an identifier of the UE;
  • an obtaining unit configured to obtain a root key corresponding to the identifier of the UE;
  • a generating unit configured to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE or the ID of the base station corresponding to that radio access point;
  • a sending unit configured to send the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID by using the first air interface ID protection key, where the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
  • the sending unit is further configured to send the first air interface ID protection key to the UE, and to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • the receiving unit is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the obtaining unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the sending unit is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID by using the first air interface ID protection key, where the second air interface ID is an air interface ID allocated by the new radio access node to the UE.
  • when the wireless access node accessed by the UE is switched from the original wireless access node to a new wireless access node:
  • the receiving unit is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the generating unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one of the new wireless access point ID, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID, and the second air interface ID is an air interface ID allocated by the new radio access node to the UE;
  • the sending unit is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts and transmits the second air interface ID by using the second air interface ID protection key.
  • the obtaining unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the sending unit is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the first air interface ID protection key, where the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE.
  • the generating unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID, and the third air interface ID is the air interface ID allocated by the newly added wireless access node to the UE;
  • the sending unit is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the third air interface ID protection key.
  • the sending unit is further configured to send the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
  • an embodiment of the present invention provides a protection device for an air interface identifier, including:
  • a memory for storing information including program instructions;
  • a receiver configured to receive a network connection request sent by the user equipment (UE), where the network connection request includes the identifier of the UE;
  • a processor coupled to the memory, the receiver, and the transmitter, configured to control execution of the program instructions, specifically to acquire a root key corresponding to the identifier of the UE and to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID, and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to that wireless access point;
  • the transmitter is configured to send the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID by using the first air interface ID protection key, where the first air interface ID is an air interface ID allocated by the wireless access node to the UE.
  • the transmitter is further configured to send the first air interface ID protection key to the UE.
  • the transmitter is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • the receiver is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the processor is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the transmitter is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID by using the first air interface ID protection key, where the second air interface ID is an air interface ID allocated by the new radio access node to the UE.
  • the receiver is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the processor is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one of the new wireless access point ID, the carrier frequency of the cell corresponding to the new radio access point, and the second air interface ID, and the second air interface ID is an air interface ID allocated by the new radio access node to the UE;
  • the transmitter is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts and transmits the second air interface ID by using the second air interface ID protection key.
  • the processor is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the transmitter is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the first air interface ID protection key, where the third air interface ID is an air interface ID allocated by the newly added wireless access node to the UE.
  • the transmitter is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts and transmits the third air interface ID by using the third air interface ID protection key.
  • the transmitter is further configured to send the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
  • in the embodiment of the present invention, the upper layer network control node receives the network connection request sent by the UE, where the network connection request includes the identifier of the UE, generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, and sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE.
  • the upper layer network control node can thus generate the first air interface ID protection key for the first air interface ID, and the wireless access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form; this prevents an attacker from persistently obtaining the air interface ID and protects the user's private information and network security.
  • FIG. 1 is a schematic diagram of the logical structure of a protection system for an air interface identifier according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of a method for protecting an air interface identifier according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the logical structure of a device for protecting an air interface identifier according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic diagram of the logical structure of an upper layer control node in a method for protecting an air interface ID identifier according to an embodiment of the present invention.
  • the embodiment of the present invention provides a protection system for the air interface identifier.
  • the system includes an upper layer network control node and a wireless access node.
  • HSS: Home Subscriber Server
  • UE: User Equipment
  • the upper layer network control node may be a node configured from an SDT (Software Defined Topology) unit or an SDP (Software Defined Protocol) unit for managing user equipment service connectivity and mobility performance.
  • SDT: Software Defined Topology
  • SDP: Software Defined Protocol
  • the SDT unit is configured to determine the radio access node serving the UE after the UE accesses the network.
  • the SDP unit is configured to implement the function of the upper layer network control node after the UE accesses the network.
  • the wireless access node is the wireless access node that the UE accesses through an air interface.
  • the same pre-shared root key as in the USIM card of each UE is stored in the HSS, for use in AKA (Authentication and Key Agreement) authentication.
  • AKA: Authentication and Key Agreement
  • the UE is a terminal device that accesses the wireless network.
  • the embodiment of the present invention provides a method for protecting the air interface identifier, applied to the protection system for the air interface identifier shown in FIG. 1; as shown in FIG. 2, the method includes:
  • the upper layer network control node receives the network connection request sent by the UE, where the network connection request includes the identifier of the UE.
  • the identifier of the UE may be the IMSI (International Mobile Subscriber Identity) of the UE.
  • IMSI: International Mobile Subscriber Identity
  • the upper layer network control node acquires a root key corresponding to the identifier of the UE.
  • the upper layer network control node generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • the first preset parameter includes one of the identifier of the UE, the network device ID, the ID of the PLMN (Public Land Mobile Network) to which the UE belongs, the security algorithm ID, and the random number; the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE, or the ID of the base station corresponding to that wireless access point.
  • the first air interface ID protection key is an encryption key and/or a security key; its ID may be one or a combination of the identifier of the UE, the network device ID, the PLMN ID, and the security algorithm ID.
  • the upper layer network control node sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID by using the first air interface ID protection key.
  • the first air interface ID is an air interface ID allocated by the wireless access node to the UE; it identifies the UE on the air interface, and the UE and the wireless access node perform data transmission by using the first air interface ID.
  • in this embodiment, the upper layer network control node receives the network connection request sent by the UE, where the network connection request includes the identifier of the UE, generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, and sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE.
  • the upper layer network control node can thus generate the first air interface ID protection key for the first air interface ID, and the wireless access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form; this prevents an attacker from persistently obtaining the air interface ID and protects the user's private information and network security.
  • after the upper layer network control node receives the network connection request sent by the UE, the method further includes steps 205 and 206.
  • the upper layer network control node obtains the authentication data information of the UE from the HSS according to the network connection request.
  • the upper layer network control node performs a two-way authentication operation with the UE by using the authentication data information.
  • step 202 is then performed.
  • the method further includes step 207 and step 208.
  • the upper layer network control node sends the first preset parameter to the UE.
  • the first preset parameter is as described in the foregoing step 202, and the details are not repeated here.
  • the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • alternatively, the upper layer network control node may directly send the first air interface ID protection key to the UE, without performing steps 207 and 208.
  • the UE can then decrypt the received first air interface ID according to the first air interface ID protection key.
  • the step in which the upper layer network control node sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts and transmits the first air interface ID through the first air interface ID protection key, includes steps 2041 and 2042.
  • the upper layer network control node sends the first air interface ID protection key to the wireless access node.
  • the wireless access node encrypts and transmits the first air interface ID by using the first air interface ID protection key.
  • the sending of the first air interface ID by the wireless access node to the UE may be implemented in the following four steps.
  • first step: the wireless access node sends a negotiation message, after applying the security operation, to the UE, where the negotiation message includes security parameters.
  • the security operation refers to integrity protection, that is, processing the negotiation message so that it cannot be tampered with, or so that tampering can be discovered in time.
  • the security parameters include an encryption algorithm and an integrity protection algorithm.
  • second step: if the UE verifies the negotiation message successfully, the UE responds to the wireless access node and the security negotiation succeeds; if the verification fails, the negotiation is rejected.
  • third step: the wireless access node encrypts and transmits the first air interface ID to the UE according to the security parameters and the first air interface ID protection key.
  • fourth step: after receiving the encrypted first air interface ID, the UE decrypts it according to the received first air interface ID protection key or the first air interface ID protection key generated by the UE itself, and in subsequent operations uses the first air interface ID to transmit data with the wireless access point.
  • in this embodiment, the upper layer network control node receives the network connection request sent by the UE, where the network connection request includes the identifier of the UE, generates the first air interface ID protection key according to the identifier of the UE, and sends it to the wireless access node, so that the wireless access node encrypts the first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE; the UE then decrypts the first air interface ID according to the first air interface ID protection key.
  • the upper layer network control node can thus generate the first air interface ID protection key for the first air interface ID, and the wireless access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form; this prevents an attacker from persistently obtaining the air interface ID and protects the user's private information and network security.
  • When the UE initially accesses a set of serving radio access nodes, that is, when at least two radio access nodes serve the UE, step 204 above (the upper layer network control node sends the first air interface ID protection key to the wireless access node) may, in another implementation of this embodiment, be carried out as follows:
  • The upper layer network control node sends the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
  • Because the upper layer network control node sends the generated first air interface ID protection key to several wireless access nodes, each of them can encrypt the first air interface ID with the same key before transmitting it, which prevents the first air interface ID from leaking.
  • When the wireless access node accessed by the UE changes, that is, when the UE is handed over from the original wireless access node to a new wireless access node, the method further includes:
  • The upper layer network control node receives a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE.
  • Step 402: the upper layer network control node acquires the first air interface ID protection key according to the identifier of the UE.
  • Specifically, the upper layer network control node either retrieves the first air interface ID protection key it generated most recently for that UE identifier, or regenerates it: it looks up the root key corresponding to the identifier of the UE and the first preset parameter, and derives the first air interface ID protection key from them again.
  • Step 403: the upper layer network control node sends the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the first air interface ID protection key before transmitting it.
  • The second air interface ID is the air interface ID allocated by the new wireless access node to the UE.
  • The new wireless access node thus transmits the second air interface ID to the UE encrypted under the first air interface ID protection key, while the original wireless access node stops transmitting the first air interface ID.
  • Alternatively, step 402 may be replaced by: the upper layer network control node generates a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter.
  • The second preset parameter is one of, or any combination of, the new wireless access node ID, the carrier frequency of the cell corresponding to the new wireless access node, and the second air interface ID.
  • After generating the second air interface ID protection key, the upper layer network control node must also send either the second air interface ID protection key or the second preset parameter to the UE, so that the UE can obtain or generate the second air interface ID protection key.
  • If the second preset parameter includes the second air interface ID, the second preset parameter may be delivered to the UE through the original wireless access node, encrypted under the first air interface ID protection key that the UE already holds.
  • The new wireless access node also needs to trigger the UE to start generating the second air interface ID protection key, for example by sending a specific counter parameter that prompts the UE to run the derivation.
  • Correspondingly, step 403 may be replaced by: the upper layer network control node sends the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
  • In summary, in the handover scenario the upper layer network control node receives the key request message sent by the new wireless access node and then either obtains the first air interface ID protection key according to the identifier of the UE and sends it to the new wireless access node, which encrypts the second air interface ID with it, or generates a second air interface ID protection key from the first air interface ID protection key and the second preset parameter and sends that to the new wireless access node, which encrypts the second air interface ID with the second key.
  • Compared with the prior art, in which leakage of the air interface ID puts the user's private information and network security at risk, this embodiment still protects the second air interface ID that the new wireless access node allocates to the UE after handover: the upper layer network control node either retrieves the first air interface ID protection key or generates a second one, and the second air interface ID is transmitted encrypted under one of them, protecting user privacy and network security.
  • The protection method provided by this embodiment therefore also applies to the scenario in which the UE switches wireless access nodes, and fits the new network architecture better: the air interface ID is allocated by the wireless access node while the protection key is generated by the upper layer network control node, so the transmitted air interface ID can be refreshed in a timely manner.
  • When a wireless access node is newly added for the UE, on the basis of the method flow shown in FIG. 2 and FIG., the method further includes:
  • Step 502: the upper layer network control node acquires the first air interface ID protection key, either by directly retrieving the first air interface ID protection key generated most recently, or by regenerating it from the root key corresponding to the identifier of the UE and the first preset parameter.
  • Step 503: the upper layer network control node sends the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the first air interface ID protection key before transmitting it.
  • The third air interface ID is the air interface ID allocated by the newly added wireless access node to the UE.
  • The newly added wireless access node transmits the third air interface ID to the UE encrypted under the first air interface ID protection key, while the original wireless access node continues to transmit the first air interface ID to the UE encrypted under the same key.
  • Alternatively, step 502 may be replaced by: the upper layer network control node generates a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter.
  • The third preset parameter includes one of, or any combination of, the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID.
  • After generating the third air interface ID protection key, the upper layer network control node must also send either the third air interface ID protection key or the third preset parameter to the UE, so that the UE can obtain or generate the third air interface ID protection key.
  • The third preset parameter may be delivered to the UE through the original wireless access node, encrypted under the first air interface ID protection key that the UE already holds.
  • The newly added wireless access node also needs to trigger the UE to start generating the third air interface ID protection key, for example by sending a specific counter parameter that prompts the UE to run the derivation.
  • Correspondingly, step 503 may be replaced by: the upper layer network control node sends the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
  • In that case the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key, while the original wireless access node continues to transmit the first air interface ID to the UE encrypted under the first air interface ID protection key.
  • In the method for protecting an air interface identifier provided by this embodiment, when a wireless access node is newly added, the upper layer network control node either obtains the first air interface ID protection key and sends it to the newly added wireless access node, which then encrypts the third air interface ID with it, or generates a third air interface ID protection key from the first air interface ID protection key and the third preset parameter and sends that to the newly added wireless access node, which then encrypts the third air interface ID with the third key.
  • Compared with the prior art, in which leakage of the air interface ID puts the user's private information and network security at risk, the third air interface ID is transmitted encrypted under the first or the third air interface ID protection key, and the first air interface ID is still transmitted encrypted under the first air interface ID protection key, which protects user privacy and network security.
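The key derivation and encrypted transport of the air interface ID described in the initial-access embodiment, the handover variant (second key chained from the first) and the newly-added-node variant (third key chained from the first) can be modelled end to end. The following Python is an added example written for this page, not code from the patent or from Huawei. Everything concrete in it is an assumption: HMAC-SHA256 with length-prefixed inputs stands in for the unspecified derivation function, HMAC-SHA256 in counter mode stands in for the unspecified "security algorithm", the second and third preset parameters are taken to be the node ID plus carrier frequency (the page allows any combination, and leaving out the new air interface ID avoids having to deliver it before the key exists), and all identifiers, root keys and air interface IDs are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Derive a 256-bit key from `key`, a purpose label and preset parameters.

    Each parameter is length-prefixed before going into HMAC-SHA256, so the
    concatenation is unambiguous: (b"ab", b"c") and (b"a", b"bc") derive
    different keys.  HMAC-SHA256 is an assumed stand-in; the patent does not
    name its derivation function.
    """
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(struct.pack(">H", len(p)) + p)
    return mac.digest()


def xor_keystream(key: bytes, counter: int, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); encrypt == decrypt.

    `counter` plays the role of the counter parameter the access node sends
    with the encrypted ID.  A (key, counter) pair must never be reused for two
    different IDs, or their XOR leaks.  A real deployment would use the
    negotiated air-interface algorithm named by the security algorithm ID.
    """
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">QQ", counter, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class UpperControlNode:
    """Upper layer network control node: holds root keys, derives protection keys."""

    def __init__(self, root_keys):
        self.root_keys = dict(root_keys)   # UE identifier -> root key
        self.last_first_key = {}           # UE identifier -> most recent K1

    def first_key(self, ue_id, net_dev_id, plmn_id, alg_id, rand):
        # K1 = KDF(root key, first preset parameter)
        k1 = kdf(self.root_keys[ue_id], b"AIR-ID-KEY-1", ue_id, net_dev_id, plmn_id, alg_id, rand)
        self.last_first_key[ue_id] = k1
        return k1

    def chained_key(self, ue_id, label, *preset):
        # Replacement step 402 / 502: K2 or K3 = KDF(K1, second / third preset parameter)
        return kdf(self.last_first_key[ue_id], label, *preset)


class UE:
    """User equipment: holds the same root key and re-derives every key itself."""

    def __init__(self, ue_id, root_key):
        self.ue_id, self.root_key = ue_id, root_key

    def first_key(self, net_dev_id, plmn_id, alg_id, rand):
        return kdf(self.root_key, b"AIR-ID-KEY-1", self.ue_id, net_dev_id, plmn_id, alg_id, rand)

    @staticmethod
    def chained_key(k1, label, *preset):
        return kdf(k1, label, *preset)


def run_flow(root_key=None, rand=None):
    """Initial access, handover and newly added node; returns the checks a tester wants."""
    root_key = root_key or os.urandom(32)   # constructed sample root key
    rand = rand or os.urandom(16)           # random number in the first preset parameter
    ue_id = b"ue-0001"                      # constructed UE identifier
    core, ue = UpperControlNode({ue_id: root_key}), UE(ue_id, root_key)

    # Initial access: the core derives K1, sends it to serving node A and sends the
    # first preset parameter to the UE, which re-derives the same K1.
    params = (b"cell-17", b"plmn-46000", b"alg-01", rand)
    k1_net, k1_ue = core.first_key(ue_id, *params), ue.first_key(*params)
    air_id_1 = b"\x3a\x7f"                            # constructed ID from node A
    ct_1 = xor_keystream(k1_net, 0, air_id_1)         # node A -> UE, counter 0
    air_id_1_ue = xor_keystream(k1_ue, 0, ct_1)

    # Handover to node B: B asks the core for a key; the core chains K2 from K1 with
    # the second preset parameter, and the UE, triggered by B's counter, does the same.
    preset_2 = (b"node-B", b"freq-1850")
    k2_net = core.chained_key(ue_id, b"AIR-ID-KEY-2", *preset_2)
    k2_ue = ue.chained_key(k1_ue, b"AIR-ID-KEY-2", *preset_2)
    air_id_2 = b"\x51\x0c"
    ct_2 = xor_keystream(k2_net, 1, air_id_2)
    air_id_2_ue = xor_keystream(k2_ue, 1, ct_2)

    # Newly added node C: K3 chained the same way, while node A keeps protecting
    # air_id_1 under K1 with a fresh counter.
    preset_3 = (b"node-C", b"freq-2600")
    k3_net = core.chained_key(ue_id, b"AIR-ID-KEY-3", *preset_3)
    k3_ue = ue.chained_key(k1_ue, b"AIR-ID-KEY-3", *preset_3)
    air_id_3 = b"\x19\xe4"
    ct_3 = xor_keystream(k3_net, 2, air_id_3)
    air_id_3_ue = xor_keystream(k3_ue, 2, ct_3)
    ct_1_again = xor_keystream(k1_net, 3, air_id_1)

    return {
        "keys_match": (k1_net, k2_net, k3_net) == (k1_ue, k2_ue, k3_ue),
        "ids_recovered": (air_id_1_ue, air_id_2_ue, air_id_3_ue) == (air_id_1, air_id_2, air_id_3),
        "nothing_in_clear": air_id_1 not in (ct_1, ct_1_again) and ct_2 != air_id_2 and ct_3 != air_id_3,
        "same_id_unlinkable": ct_1 != ct_1_again,   # same ID, different ciphertext on the air
        "keys_distinct": len({k1_net, k2_net, k3_net}) == 3,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point the page's summary paragraphs make, that an observer sees only ciphertext and that each node's key is bound to that node, is what `same_id_unlinkable` and `keys_distinct` check; the length-prefixing in `kdf` is the detail a practitioner would add, because concatenating variable-length identifiers without it lets two different preset parameters collide.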
  • An embodiment of the present invention further provides an apparatus for protecting an air interface identifier, applied to the upper layer network control node. As shown in FIG. 6, the apparatus includes a receiving unit 601, an obtaining unit 602, a generating unit 603 and a sending unit 604.
  • The receiving unit 601 is configured to receive a network connection request sent by the user equipment UE, where the network connection request includes an identifier of the UE;
  • the obtaining unit 602 is configured to acquire a root key corresponding to the identifier of the UE;
  • the generating unit 603 is configured to generate a first air interface identifier ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one of, or any combination of, the identifier of the UE, a network device ID, the public land mobile network PLMN ID to which the UE belongs, a security algorithm ID and a random number;
  • the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE, or the ID of the base station corresponding to that radio access point;
  • the sending unit 604 is configured to send the first air interface ID protection key generated by the generating unit 603 to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key before transmitting it.
  • The first air interface ID is the air interface ID allocated by the wireless access node to the UE.
  • Optionally, the sending unit 604 is further configured to send the first air interface ID protection key to the UE.
  • Optionally, the sending unit 604 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • When the wireless access node accessed by the UE is switched from the original wireless access node to a new wireless access node, the receiving unit 601 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the obtaining unit 602 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the sending unit 604 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the first air interface ID protection key before transmitting it.
  • The second air interface ID is the air interface ID allocated by the new wireless access node to the UE.
  • Alternatively, when the wireless access node accessed by the UE is switched from the original wireless access node to a new wireless access node, the receiving unit 601 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the generating unit 603 is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one of, or any combination of, the new wireless access node ID, the carrier frequency of the cell corresponding to the new wireless access node, and the second air interface ID;
  • the sending unit 604 is further configured to send the second air interface ID protection key generated by the generating unit 603 to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
  • When a wireless access node is newly added for the UE, the obtaining unit 602 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the sending unit 604 is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the first air interface ID protection key before transmitting it.
  • The third air interface ID is the air interface ID allocated by the newly added wireless access node to the UE.
  • Alternatively, when a wireless access node is newly added for the UE, the generating unit 603 is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter;
  • the third preset parameter includes one of, or any combination of, the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID;
  • the sending unit 604 is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
  • In the apparatus for protecting an air interface identifier provided by this embodiment, the receiving unit receives the network connection request sent by the UE, which includes the identifier of the UE; the obtaining unit acquires the root key corresponding to the identifier of the UE; the generating unit generates the first air interface ID protection key according to that root key and the first preset parameter; and the sending unit sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with it and sends the encrypted first air interface ID to the UE.
  • Compared with the prior art, in which leakage of the air interface ID puts the user's private information and network security at risk, the upper layer network control node generates a protection key for the first air interface ID and the wireless access node encrypts the first air interface ID with it, so the first air interface ID is only ever transmitted in encrypted form. An attacker can no longer obtain the air interface ID persistently, which protects the user's private information and network security.
  • An embodiment of the present invention further provides a signal processing device; FIG. 7 is a hardware structure diagram of the upper layer network control node.
  • The upper layer network control node may include a memory 701, a processor 702, a receiver 703, a transmitter 704 and a bus 1005.
  • The memory 701 may be a ROM (read-only memory), a static storage device, a dynamic storage device or a RAM (random access memory).
  • The memory 701 can store an operating system and other applications.
  • The program code implementing the technical solution of this embodiment is stored in the memory 701 and executed by the processor 702.
  • The receiver 703 is used for communication between the device and other devices or communication networks, such as, but not limited to, Ethernet, a RAN (radio access network) or a WLAN (wireless local area network).
  • The processor 702 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for executing the relevant programs.
  • The bus 1005 may include a path for transferring information between the components of the device, such as the memory 701, the receiver 703, the transmitter 704 and the processor 702.
  • Although FIG. 7 shows only the memory 701, the receiver 703, the transmitter 704, the processor 702 and the bus 1005, those skilled in the art will understand that in a specific implementation the device also contains the other components necessary for proper operation and, depending on particular needs, hardware that implements other functions.
  • The receiver 703 in the device is configured to receive a network connection request sent by the user equipment UE, where the network connection request includes the identifier of the UE.
  • The processor 702 is coupled to the memory 701, the receiver 703 and the transmitter 704 and is configured to control execution of the program instructions, namely to acquire the root key corresponding to the identifier of the UE and to generate a first air interface identifier ID protection key according to that root key and a first preset parameter, where the first preset parameter includes one of, or any combination of, the identifier of the UE, a network device ID, the public land mobile network PLMN ID to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to that wireless access point.
  • The transmitter 704 is configured to send the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key before transmitting it.
  • The first air interface ID is the air interface ID allocated by the wireless access node to the UE.
  • Optionally, the transmitter 704 is further configured to send the first air interface ID protection key to the UE.
  • Optionally, the transmitter 704 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  • When the wireless access node accessed by the UE is switched from the original wireless access node to a new wireless access node, the receiver 703 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the transmitter 704 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the first air interface ID protection key before transmitting it.
  • The second air interface ID is the air interface ID allocated by the new wireless access node to the UE.
  • Alternatively, in the handover case the receiver 703 is further configured to receive a key request message sent by the new wireless access node, where the key request message includes the identifier of the UE;
  • the processor 702 is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one of, or any combination of, the new wireless access node ID, the carrier frequency of the cell corresponding to the new wireless access node, and the second air interface ID;
  • the transmitter 704 is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key before transmitting it.
  • When a wireless access node is newly added for the UE, the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
  • the transmitter 704 is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the first air interface ID protection key before transmitting it.
  • The third air interface ID is the air interface ID allocated by the newly added wireless access node to the UE.
  • Alternatively, when a wireless access node is newly added for the UE, the processor 702 is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter;
  • the third preset parameter includes one of, or any combination of, the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID;
  • the transmitter 704 is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key before transmitting it.
  • When at least two radio access nodes serve the UE, the transmitter 704 is further configured to send the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of them.
  • In the apparatus for protecting an air interface identifier provided by this embodiment, the receiver receives the network connection request sent by the UE, which includes the identifier of the UE; the processor generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter; and the transmitter sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with it and sends the encrypted first air interface ID to the UE.
  • Compared with the prior art, in which leakage of the air interface ID puts the user's private information and network security at risk, the upper layer network control node generates a protection key for the first air interface ID and the wireless access node encrypts the first air interface ID with it, so the first air interface ID is only ever transmitted in encrypted form. An attacker can no longer obtain the air interface ID persistently, which protects the user's private information and network security.
  • From the description of the above embodiments, those skilled in the art will understand that the present invention can be implemented by software plus the necessary general-purpose hardware, or entirely in hardware; in many cases the former is the better implementation.
  • On that basis, the part of the technical solution of the present invention that is essential, or that contributes to the prior art, can be embodied as a software product stored in a readable storage medium, such as a floppy disk, hard disk or optical disk of a computer, which includes instructions that cause a computer device (a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to the technical field of wireless communications. Disclosed are a method and apparatus for protecting an air interface identity, which can resolve the problem of risks in user privacy information and network security caused by leakage of an air interface ID. In an embodiment of the present invention, an upper-layer network control node receives a network access connection request sent by a UE, the network access connection request comprising an identity of the UE; the upper-layer network control node obtains a root key corresponding to the identity of the UE; the upper-layer network control node generates a first air interface ID protection key according to the root key corresponding to the identity of the UE and a first preset parameter; and the upper-layer network control node sends the first air interface ID protection key to a wireless access node, so that the wireless access node encrypts a first air interface ID according to the first air interface ID protection key and sends the encrypted first air interface ID to the UE. The solution provided in embodiments of the present invention is used when an air interface ID is transmitted.

Description

一种空口标识的保护方法及装置Method and device for protecting air interface identification
本申请要求于2016年01月06日提交中国专利局、申请号为201610006376.2、发明名称为“一种空口标识的保护方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。The present application claims priority to Chinese Patent Application No. 201610006376.2, entitled "A Method and Apparatus for Protecting Air Interfaces", which is filed on January 06, 2016, the entire contents of which are incorporated herein by reference. In the application.
技术领域Technical field
本发明涉及无线通信技术领域,尤其涉及一种空口标识的保护方法及装置。The present invention relates to the field of wireless communication technologies, and in particular, to a method and an apparatus for protecting an air interface identifier.
背景技术Background technique
在现有的无线通信网络中,无线网络接入点会为接入的用户设备分配一个空口ID(Identity,标识),进而无线网络接入点可通过该空口ID来完成与用户设备之间的数据传输。当用户设备在移动过程中接入不同的无线网络接入节点时,新的无线网络接入节点会为用户设备分配新的空口ID,进而新的无线网络接入节点根据新的空口ID来完成与用户设备之间的数据传输。In the existing wireless communication network, the wireless network access point allocates an air interface ID (Identity) to the accessed user equipment, and the wireless network access point can complete the interaction with the user equipment through the air interface ID. data transmission. When the user equipment accesses different wireless network access nodes during the mobile process, the new wireless network access node allocates a new air interface ID to the user equipment, and the new wireless network access node completes according to the new air interface ID. Data transfer with the user device.
然而,无线网络接入节点通过空口信令消息将为用户设备分配的空口ID发送给用户设备,如果攻击者长时间持续获取某一用户设备的空口ID,则该攻击者可基于该空口ID获取用户的移动轨迹、业务特征等信息,会对用户的隐私信息以及网络安全造成威胁。However, the wireless network access node sends the air interface ID assigned to the user equipment to the user equipment through the air interface signaling message. If the attacker continuously obtains the air interface ID of the user equipment for a long time, the attacker can obtain the air interface ID based on the air interface ID. The user's mobile track, service characteristics and other information will pose a threat to the user's private information and network security.
发明内容Summary of the invention
本发明的实施例提供一种空口标识的保护的方法及装置,可以解决由于空口ID泄露导致用户的隐私信息以及网络安全存在风险的问题。The embodiments of the present invention provide a method and an apparatus for protecting an air interface identifier, which can solve the problem that the user's private information and the network security are at risk due to the air interface ID leakage.
本发明第一方面提供了一种空口标识的保护方法,所述方法包括:A first aspect of the present invention provides a method for protecting an air interface identifier, the method comprising:
上层网络控制节点接收用户设备UE发送的入网连接请求,所述入网连接请求中包括所述UE的标识;The upper network control node receives the network connection request sent by the user equipment UE, where the network connection request includes the identifier of the UE;
所述上层网络控制节点获取所述UE的标识对应的根密钥;The upper layer network control node acquires a root key corresponding to the identifier of the UE;
the upper-layer network control node generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE or the ID of the base station corresponding to that radio access point;
the upper-layer network control node sends the first air interface ID protection key to a radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission, where the first air interface ID is the air interface ID allocated by the radio access node to the UE.
In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the present invention, by contrast, the upper-layer network control node generates a first air interface ID protection key for the first air interface ID, and the radio access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted only in encrypted form. This prevents an attacker from continuously obtaining the air interface ID and protects the user's privacy and network security.
With reference to the first aspect, it should be noted that after the upper-layer network control node generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, the method further includes:
the upper-layer network control node sending the first air interface ID protection key to the UE.
With reference to the first aspect, optionally, after the upper-layer network control node receives the network access request sent by the UE, the method further includes:
the upper-layer network control node sending the first preset parameter to the UE, so that the UE generates the first air interface ID protection key itself according to the root key corresponding to the identifier of the UE and the first preset parameter.
On the basis of the first aspect, optionally, when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node, the method further includes:
the upper-layer network control node receiving a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the upper-layer network control node obtaining the first air interface ID protection key according to the identifier of the UE;
the upper-layer network control node sending the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key for transmission, where the second air interface ID is the air interface ID allocated by the new radio access node to the UE.
With reference to the first aspect, optionally, when the radio access point accessed by the UE is switched from an original radio access node to a new radio access node, the method further includes:
the upper-layer network control node receiving a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the upper-layer network control node generating a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new radio access point ID, the carrier frequency of the cell corresponding to the new radio access point and the second air interface ID, and the second air interface ID is the air interface ID allocated by the new radio access node to the UE;
the upper-layer network control node sending the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the embodiments of the present invention, after the UE is handed over to a new radio access node, the first air interface ID protection key is still obtained, or a second air interface ID protection key is generated, for the second air interface ID that the new radio access node allocates to the UE, so that the second air interface ID is encrypted with the first or the second air interface ID protection key when transmitted, which protects user privacy and network security. In addition, the air interface identifier protection method provided by the embodiments applies to the scenario in which the UE changes radio access node and is well suited to new network architectures: the radio access node allocates the air interface ID while the upper-layer network control node generates the protection key, so the air interface ID can be transmitted without delay.
In the solution described in the first aspect, when a radio access node is added for the UE, the method further includes:
the upper-layer network control node obtaining the first air interface ID protection key according to the identifier of the UE;
the upper-layer network control node sending the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts a third air interface ID with the first air interface ID protection key for transmission, where the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE.
Optionally, when a radio access node is added for the UE, the method further includes:
the upper-layer network control node generating a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added radio access node ID, the carrier frequency of the cell corresponding to the newly added radio access node and the third air interface ID, and the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE;
the upper-layer network control node sending the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the technical solution of the present invention, when a radio access node is added, the upper-layer network control node obtains the first air interface ID protection key or generates a third air interface ID protection key, so that the third air interface ID is encrypted with the first or the third key when transmitted while the first air interface ID continues to be encrypted with the first air interface ID protection key, which protects user privacy and network security.
Optionally, when at least two radio access nodes serve the UE, the sending of the first air interface ID protection key by the upper-layer network control node to a radio access node includes:
the upper-layer network control node sending the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of them.
In the technical solution proposed by the present invention, when multiple radio access nodes serve the UE, the upper-layer control node sends the generated first air interface ID protection key to those radio access nodes, so that each of them can encrypt the first air interface ID with the first air interface ID protection key for transmission and the first air interface ID is not leaked.
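The key hierarchy of the first aspect, worked through end to end as an added example: the control node derives the first protection key from the UE's root key and the first preset parameters, the UE re-derives it from the parameters it is sent, and on handover or node addition a second or third key is derived from the first one or the first one is handed out unchanged. This is illustration code written for this page, not code from the patent or from any vendor; the patent names the KDF inputs but fixes no algorithm, so the HMAC-SHA256 construction, the length-prefixed encoding, the choice of new node ID plus carrier frequency as the second and third preset parameters, and every sample value (IMSI, cell ID, PLMN ID, node names) are assumptions.

```python
"""Air interface ID protection key hierarchy (first aspect), modelled.

Added example, not the patent's code.  KDF construction, encodings and
all sample values are assumptions; the patent fixes none of them.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def kdf(key: bytes, *params: bytes) -> bytes:
    """KDF(Key, P1, P2, ...) as HMAC-SHA256 over length-prefixed parameters.

    The 2-byte length prefix (assumed here) keeps (b"12", b"3") and
    (b"1", b"23") from deriving the same key.
    """
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


class ControlNode:
    """Upper-layer network control node: knows each UE's root key (from the HSS)."""

    def __init__(self, root_keys: Dict[bytes, bytes]) -> None:
        self.root_keys = root_keys
        self.first_keys: Dict[bytes, bytes] = {}

    def attach(self, imsi: bytes, cell_id: bytes, plmn_id: bytes,
               alg_id: bytes, rand: bytes) -> Tuple[bytes, Tuple[bytes, ...]]:
        """Derive the first key from root key + first preset parameters.

        Returns the key (for the radio access node) and the parameters
        (for the UE, which derives the same key itself).
        """
        params = (imsi, cell_id, plmn_id, alg_id, rand)
        k1 = kdf(self.root_keys[imsi], *params)
        self.first_keys[imsi] = k1
        return k1, params

    def key_request(self, imsi: bytes, new_node_id: Optional[bytes] = None,
                    carrier: Optional[bytes] = None) -> bytes:
        """Answer a key request from a new or additional radio access node.

        Without second/third preset parameters the stored first key is
        handed out unchanged; with them a fresh key is derived from it.
        """
        k1 = self.first_keys[imsi]
        if new_node_id is None:
            return k1
        return kdf(k1, new_node_id, carrier or b"")


class UE:
    """User equipment: holds the USIM root key and mirrors the derivations."""

    def __init__(self, imsi: bytes, root_key: bytes) -> None:
        self.imsi = imsi
        self.root_key = root_key
        self.k1: Optional[bytes] = None

    def derive_first_key(self, params: Tuple[bytes, ...]) -> bytes:
        if params[0] != self.imsi:
            raise ValueError("first preset parameters are for another UE")
        self.k1 = kdf(self.root_key, *params)
        return self.k1

    def derive_handover_key(self, new_node_id: bytes, carrier: bytes) -> bytes:
        if self.k1 is None:
            raise RuntimeError("no first air interface ID protection key yet")
        return kdf(self.k1, new_node_id, carrier)


def run_scenario() -> Dict[str, bool]:
    """Attach, handover and node addition with constructed sample values."""
    imsi, root = b"460001234567890", bytes.fromhex("00" * 15 + "01")
    net = ControlNode({imsi: root})
    ue = UE(imsi, root)

    # Initial attach through node A; UE derives K1 from the sent parameters.
    k1_net, params = net.attach(imsi, b"cell-0A01", b"46000", b"alg-1", b"rand-7f3c")
    k1_ue = ue.derive_first_key(params)

    # Handover to node B: variant 1 reuses K1, variant 2 derives K2 from it.
    k2_reuse = net.key_request(imsi)
    k2_net = net.key_request(imsi, b"node-B", b"carrier-1800")
    k2_ue = ue.derive_handover_key(b"node-B", b"carrier-1800")

    # Node C added alongside A (two nodes serving the UE): its own K3.
    k3_net = net.key_request(imsi, b"node-C", b"carrier-2600")

    return {
        "ue_matches_network_k1": k1_ue == k1_net,
        "reuse_variant_is_k1": k2_reuse == k1_net,
        "ue_matches_network_k2": k2_ue == k2_net,
        "k2_differs_from_k1": k2_net != k1_net,
        "added_node_key_is_distinct": k3_net not in (k1_net, k2_net),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes visible is that the UE never needs the first key over the air when it receives the first preset parameters instead (the optional variant above): both sides derive it from the shared root key, and every later key is a one-way derivation from the first, so a key handed to a new node does not let that node recompute the root key.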
A second aspect of the present invention provides an apparatus for protecting an air interface identifier, including:
a receiving unit, configured to receive a network access request sent by user equipment (UE), where the network access request includes the identifier of the UE;
an obtaining unit, configured to obtain the root key corresponding to the identifier of the UE;
a generating unit, configured to generate a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE or the ID of the base station corresponding to that radio access point;
a sending unit, configured to send the first air interface ID protection key to a radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission, where the first air interface ID is the air interface ID allocated by the radio access node to the UE.
With reference to the second aspect, it should be noted that the sending unit is further configured to send the first air interface ID protection key to the UE, and to send the first preset parameter to the UE so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
In the second aspect, it can be understood that when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the obtaining unit is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key for transmission, where the second air interface ID is the air interface ID allocated by the new radio access node to the UE.
With reference to the second aspect, optionally, when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node,
the receiving unit is further configured to receive a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the generating unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new radio access point ID, the carrier frequency of the cell corresponding to the new radio access point and the second air interface ID, and the second air interface ID is the air interface ID allocated by the new radio access node to the UE;
the sending unit is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
With reference to the second aspect, optionally, when a radio access node is added for the UE,
the obtaining unit is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the sending unit is further configured to send the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts a third air interface ID with the first air interface ID protection key for transmission, where the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE.
With reference to the second aspect, optionally, when a radio access node is added for the UE,
the generating unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added radio access node ID, the carrier frequency of the cell corresponding to the newly added radio access node and the third air interface ID, and the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE;
the sending unit is further configured to send the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
With reference to the second aspect, optionally, when at least two radio access nodes serve the UE,
the sending unit is further configured to send the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of them.
In a third aspect, an embodiment of the present invention provides an apparatus for protecting an air interface identifier, including:
a memory, configured to store information including program instructions;
a receiver, configured to receive a network access request sent by user equipment (UE), where the network access request includes the identifier of the UE;
a processor, coupled to the memory, the receiver and a transmitter, configured to control execution of the program instructions and specifically to obtain the root key corresponding to the identifier of the UE, and to generate a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE or the ID of the base station corresponding to that radio access point;
the transmitter, configured to send the first air interface ID protection key to a radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission, where the first air interface ID is the air interface ID allocated by the radio access node to the UE.
With reference to the third aspect, optionally, the transmitter is further configured to send the first air interface ID protection key to the UE. The transmitter is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
With reference to the third aspect, it can be understood that when the radio access node accessed by the UE is switched from an original radio access node to a new radio access node,
the receiver is further configured to receive a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the processor is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the transmitter is further configured to send the first air interface ID protection key to the new radio access node, so that the new radio access node encrypts a second air interface ID with the first air interface ID protection key for transmission, where the second air interface ID is the air interface ID allocated by the new radio access node to the UE.
With reference to the third aspect, it can be understood that when the radio access point accessed by the UE is switched from an original radio access node to a new radio access node,
the receiver is further configured to receive a key request message sent by the new radio access node, where the key request message includes the identifier of the UE;
the processor is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new radio access point ID, the carrier frequency of the cell corresponding to the new radio access point and the second air interface ID, and the second air interface ID is the air interface ID allocated by the new radio access node to the UE;
the transmitter is further configured to send the second air interface ID protection key to the new radio access node, so that the new radio access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
With reference to the third aspect, it can be understood that when a radio access node is added for the UE,
the processor is further configured to obtain the first air interface ID protection key according to the identifier of the UE;
the transmitter is further configured to send the first air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts a third air interface ID with the first air interface ID protection key for transmission, where the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE.
With reference to the third aspect, it can be understood that when a radio access node is added for the UE,
the processor is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added radio access node ID, the carrier frequency of the cell corresponding to the newly added radio access node and the third air interface ID, and the third air interface ID is the air interface ID allocated by the newly added radio access node to the UE;
the transmitter is further configured to send the third air interface ID protection key to the newly added radio access node, so that the newly added radio access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
With reference to the third aspect, it should be noted that when at least two radio access nodes serve the UE,
the transmitter is further configured to send the first air interface ID protection key to one of the radio access nodes serving the UE, or to at least two of them.
In the method and apparatus for protecting an air interface identifier provided by the embodiments of the present invention, the upper-layer network control node receives a network access request sent by the UE, where the request includes the identifier of the UE; generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter; and sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with that key and sends the encrypted first air interface ID to the UE. In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In the embodiments of the present invention, the upper-layer network control node generates a first air interface ID protection key for the first air interface ID and the radio access node encrypts the first air interface ID with it, so that the first air interface ID is transmitted only in encrypted form. This prevents an attacker from continuously obtaining the air interface ID and protects the user's privacy and network security.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the logical structure of a system for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 3 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 4 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 5 is a flowchart of another method for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the logical structure of an apparatus for protecting an air interface identifier according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the logical structure of the upper-layer control node in the method for protecting an air interface ID according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To solve the problem that leakage of the air interface ID puts the user's private information and network security at risk, an embodiment of the present invention provides a system for protecting an air interface identifier. As shown in FIG. 1, the system includes an upper-layer network control node, a radio access node, an HSS (Home Subscriber Server) and a UE (User Equipment).
The upper-layer network control node may be a node, made up of an SDT (Software Defined Topology) unit or an SDP (Software Defined Protocol) unit, that manages the service connectivity and mobility of user equipment.
The SDT unit is configured to determine the radio access node that serves the UE after the UE accesses the network.
The SDP unit is configured to implement the functions of the upper-layer network control node after the UE accesses the network.
The radio access node is the node that the UE accesses over the air interface.
The HSS stores, for each UE, the same pre-shared root key as held in that UE's USIM card; this key is used in AKA (Authentication and Key Agreement) authentication.
The UE is a terminal device that accesses the wireless network.
To prevent leakage of the air interface ID, an embodiment of the present invention provides a method for protecting an air interface identifier, applied to the system shown in FIG. 1. As shown in FIG. 2, the method includes:
201. The upper-layer network control node receives a network access request sent by the UE, where the network access request includes the identifier of the UE.
The identifier of the UE may be the UE's IMSI (International Mobile Subscriber Identity).
202. The upper-layer network control node obtains the root key corresponding to the identifier of the UE.
203. The upper-layer network control node generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter.
The first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the PLMN (Public Land Mobile Network) to which the UE belongs, a security algorithm ID and a random number, where the network device ID is the ID of the cell corresponding to the radio access point accessed by the UE or the ID of the base station corresponding to that radio access point. The first air interface ID protection key is an encryption key and/or an integrity protection key.
Specifically, the first air interface ID protection key may be generated with a key derivation function (KDF) in one of several forms, selected at random, for example K=KDF(Key, time), K=KDF(Key, ID, time), K=KDF(Key, SN), K=KDF(Key, ID, SN) or K=KDF(Key, ID, SN, time), where K is the derived key, Key may be a random number or the root key corresponding to the identifier of the UE, and ID may be one or a combination of the identifier of the UE, the network device ID, the PLMN ID and the security algorithm ID.
204. The upper-layer network control node sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with the first air interface ID protection key for transmission.
The first air interface ID is the air interface ID allocated by the radio access node to the UE; it identifies the UE on the air interface, and the UE and the radio access node use it in their data transmission.
In the method for protecting an air interface identifier provided by this embodiment, the upper-layer network control node receives a network access request sent by the UE, where the request includes the identifier of the UE; generates a first air interface ID protection key according to the root key corresponding to the identifier of the UE and a first preset parameter; and sends the first air interface ID protection key to the radio access node, so that the radio access node encrypts the first air interface ID with that key and sends the encrypted first air interface ID to the UE. In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. Here, the upper-layer network control node generates a first air interface ID protection key for the first air interface ID and the radio access node encrypts the first air interface ID with it, so that the first air interface ID is transmitted only in encrypted form. This prevents an attacker from continuously obtaining the air interface ID and protects the user's privacy and network security.
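Step 204 says only that the radio access node encrypts the first air interface ID with the protection key, and step 203 notes that the key is an encryption key and/or an integrity key. The following added example shows what that looks like when both are used: the node wraps the identifier with a fresh nonce and an integrity tag, the UE verifies the tag before decrypting, and a passive listener sees a different ciphertext on every transmission of the same identifier. This is illustration code written for this page, not the patent's or any vendor's: the split of one protection key into an encryption and an integrity sub-key, the HMAC-SHA256 keystream and tag construction, the 8-byte nonce and tag lengths, and the sample key, identifier and nonces are all assumptions.

```python
"""Encrypted transmission of an air interface ID (step 204), as an added
example.  Not the patent's code: the key split, the HMAC-SHA256 keystream
and tag, the nonce/tag lengths and all sample values are assumptions.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

NONCE_LEN = 8   # assumed per-message nonce length
TAG_LEN = 8     # assumed integrity tag length


def split_protection_key(k1: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption sub-key and an integrity sub-key from one
    air interface ID protection key (labels are an assumption)."""
    k_enc = hmac.new(k1, b"air-id-enc", hashlib.sha256).digest()
    k_int = hmac.new(k1, b"air-id-int", hashlib.sha256).digest()
    return k_enc, k_int


def protect_air_id(k_enc: bytes, k_int: bytes, air_id: bytes, nonce: bytes) -> bytes:
    """Radio access node side: nonce || (air_id XOR keystream) || tag.

    keystream = HMAC(k_enc, nonce), so the same identifier produces a
    different ciphertext on every transmission as long as the nonce is fresh.
    """
    if len(nonce) != NONCE_LEN or not 1 <= len(air_id) <= 32:
        raise ValueError("bad nonce or air interface ID length")
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()[:len(air_id)]
    ct = bytes(a ^ s for a, s in zip(air_id, stream))
    tag = hmac.new(k_int, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect_air_id(k_enc: bytes, k_int: bytes, msg: bytes) -> Optional[bytes]:
    """UE side: check the tag in constant time first, then decrypt.
    Returns None for a truncated, tampered or wrongly keyed message."""
    if len(msg) < NONCE_LEN + 1 + TAG_LEN:
        return None
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(k_int, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(c ^ s for c, s in zip(ct, stream))


# Constructed sample values: a K1 as the control node would hand to the
# radio access node, a 4-byte air interface ID, and two message nonces.
SAMPLE_K1 = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
SAMPLE_AIR_ID = bytes.fromhex("0000c0de")
NONCE_A = bytes.fromhex("0000000000000001")
NONCE_B = bytes.fromhex("0000000000000002")


def demo() -> Dict[str, object]:
    """Two transmissions of the same ID, one tampered copy, one wrong key."""
    k_enc, k_int = split_protection_key(SAMPLE_K1)
    msg_a = protect_air_id(k_enc, k_int, SAMPLE_AIR_ID, NONCE_A)
    msg_b = protect_air_id(k_enc, k_int, SAMPLE_AIR_ID, NONCE_B)
    # Flip one bit of the last ciphertext byte; the tag must catch it.
    i = len(msg_a) - TAG_LEN - 1
    tampered = msg_a[:i] + bytes([msg_a[i] ^ 0x01]) + msg_a[i + 1:]
    other_enc, other_int = split_protection_key(b"\x00" * 32)
    return {
        "ue_recovers_id": unprotect_air_id(k_enc, k_int, msg_a),
        "ciphertexts_differ": msg_a[NONCE_LEN:-TAG_LEN] != msg_b[NONCE_LEN:-TAG_LEN],
        "tamper_rejected": unprotect_air_id(k_enc, k_int, tampered),
        "wrong_key_rejected": unprotect_air_id(other_enc, other_int, msg_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Confidentiality alone does not stop an active attacker from flipping bits in the identifier the UE adopts, which is why the "and/or integrity key" in step 203 matters in practice; the tag check above runs before decryption so a forged message is dropped without releasing any keystream-dependent result.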
Combining the system of FIG. 1 with the method flow of FIG. 2: after receiving the attach request from the UE, the upper-layer network control node still has to authenticate the UE, and for the UE to be able to decrypt the encrypted first air interface ID it must also learn the first air interface ID protection key. Another implementation of this embodiment therefore describes air interface protection when the UE initially accesses a wireless access point. As shown in FIG. 3, after step 201 (the upper-layer network control node receives the attach request sent by the UE) the method further includes steps 205 and 206.
205. The upper-layer network control node obtains the UE's authentication data from the HSS according to the attach request.
206. The upper-layer network control node performs mutual authentication with the UE using that authentication data.
Step 202 is executed only after mutual authentication succeeds.
In addition, after step 203 (the upper-layer network control node generates the first air interface ID protection key from the root key corresponding to the UE's identifier and the first preset parameter), the method further includes steps 207 and 208.
207. The upper-layer network control node sends the first preset parameter to the UE.
The first preset parameter is as described in step 202 above and is not repeated here.
208. The UE generates the first air interface ID protection key from the root key corresponding to its identifier and the first preset parameter.
In another implementation, steps 207 and 208 are omitted and the upper-layer network control node sends the first air interface ID protection key to the UE directly.
It is understood that, once the UE has obtained or generated the first air interface ID protection key, it can use that key to decrypt the first air interface ID it receives.
Step 204 (the upper-layer network control node sends the first air interface ID protection key to the wireless access node so that the node encrypts the first air interface ID with it for transmission) is specifically implemented as steps 2041 and 2042.
2041. The upper-layer network control node sends the first air interface ID protection key to the wireless access node.
2042. The wireless access node encrypts the first air interface ID with the first air interface ID protection key and transmits it.
Sending the first air interface ID from the wireless access node to the UE can be implemented in the following four steps.
Step 1. The wireless access node sends the UE an integrity-protected negotiation message carrying the security parameters.
Integrity protection means processing the negotiation message so that it cannot be tampered with in transit, or so that any tampering is detected promptly. The security parameters include the encryption algorithm and the integrity protection algorithm.
Step 2. The UE verifies the integrity protection and validates the security parameters. If both checks pass it responds to the wireless access node and the security negotiation succeeds; if either fails it rejects the negotiation.
Step 3. The wireless access node encrypts the first air interface ID according to the negotiated security parameters and the first air interface ID protection key and transmits it to the UE.
Step 4. After receiving the encrypted first air interface ID, the UE decrypts it with the first air interface ID protection key it received or generated itself, and from the next operation on uses that air interface ID for data transmission with the wireless access point.
In the air interface identifier protection method of this embodiment, the upper-layer network control node receives the attach request sent by the UE, which carries the UE's identifier, generates the first air interface ID protection key according to that identifier, and sends either the key or the first preset parameter to the UE so that the UE obtains or generates the key. The upper-layer network control node then sends the key to the wireless access node, which encrypts the first air interface ID with it and sends the encrypted ID to the UE; the UE decrypts it with the same key. In the prior art a leaked air interface ID puts the user's private information and the security of the network at risk. Here the upper-layer network control node generates the first air interface ID protection key and the wireless access node encrypts the first air interface ID with it, so the ID is only ever transmitted in encrypted form. An attacker can no longer keep obtaining the air interface ID, which protects the user's privacy and the security of the network.
In the flow above, when the UE initially accesses a set of serving wireless access nodes, that is, when at least two wireless access nodes serve the UE, step 204 (the upper-layer network control node sends the first air interface ID protection key to the wireless access node) can in another implementation be realised as:
The upper-layer network control node sends the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
When several wireless access nodes serve the UE, the upper-layer network control node sends the generated first air interface ID protection key to those nodes so that each of them can encrypt the first air interface ID with the same key for transmission, and the first air interface ID is not exposed by any of them.
As the UE moves it may pass from one cell to another, and the wireless access point it is connected to changes accordingly. When the UE's wireless access point is switched from the original wireless access point to a new one, another implementation of this embodiment, shown in FIG. 4 and building on the flows of FIG. 2 and FIG. 3, further includes:
401. The upper-layer network control node receives a key request message sent by the new wireless access node; the message carries the UE's identifier.
402. The upper-layer network control node obtains the first air interface ID protection key according to the UE's identifier.
This step can be implemented as the upper-layer network control node looking up, by the UE's identifier, the first air interface ID protection key it generated last time. Alternatively,
the upper-layer network control node looks up the root key corresponding to the UE's identifier and the first preset parameter, and regenerates the first air interface ID protection key from them.
403. The upper-layer network control node sends the first air interface ID protection key to the new wireless access node, so that the new node encrypts the second air interface ID with that key for transmission.
The second air interface ID is the air interface ID that the new wireless access node allocates to the UE.
It is understood that after the UE is handed over from the original wireless access node to the new one, the new node encrypts the second air interface ID with the first air interface ID protection key and transmits it to the UE, and the original node stops transmitting the first air interface ID.
Note that in another implementation step 402 is replaced by: the upper-layer network control node generates a second air interface ID protection key from the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of the new access point's cell, and the second air interface ID.
After generating the second air interface ID protection key, the upper-layer network control node must also send either the second key or the second preset parameter to the UE so that the UE can obtain or generate the key. If the second preset parameter includes the second air interface ID, the parameter can be sent to the UE through the original wireless access node, in which case it is encrypted with the first air interface ID protection key.
If the upper-layer network control node sends the second preset parameter to the UE, the new wireless access node also has to trigger the UE to start generating the second air interface ID protection key, for example by passing a specific counter parameter.
Correspondingly, step 403 is replaced by: the upper-layer network control node sends the second air interface ID protection key to the new wireless access node, so that the new node encrypts the second air interface ID with the second key for transmission.
In the air interface identifier access method of this embodiment, the upper-layer network control node receives the key request message sent by the new wireless access node, obtains the first air interface ID protection key according to the UE's identifier, and sends it to the new wireless access node, which encrypts the second air interface ID with that key; or the upper-layer network control node generates a second air interface ID protection key from the first air interface ID protection key and the second preset parameter and sends it to the new wireless access node, which encrypts the second air interface ID with the second key. In the prior art a leaked air interface ID puts the user's private information and the security of the network at risk.
Here, after the UE is handed over to a new wireless access node, the second air interface ID that the new node allocates to the UE is still protected: the first air interface ID protection key is reused or a second one is generated, so the second air interface ID is transmitted encrypted under one of them, which protects the user's privacy and the security of the network. The method also fits the handover scenario and newer network architectures: the air interface ID is allocated by the wireless access node while the protection key is generated by the upper-layer network control node, so the protected air interface ID can be delivered without delay.
In addition, when a wireless access node is added for the UE, another implementation of this embodiment, shown in FIG. 5 and building on the flows of FIG. 2 and FIG. 3, further includes:
501. The upper-layer network control node obtains the first air interface ID protection key.
This step can be implemented as the upper-layer network control node directly retrieving the first air interface ID protection key it generated last time. Alternatively,
the upper-layer network control node regenerates the first air interface ID protection key from the root key corresponding to the UE's identifier and the first preset parameter.
502. The upper-layer network control node sends the first air interface ID protection key to the added wireless access node, so that the added node encrypts the third air interface ID with that key for transmission.
The third air interface ID is the air interface ID that the added wireless access node allocates to the UE.
It is understood that when a wireless access node is added, the added node encrypts the third air interface ID with the first air interface ID protection key and transmits it to the UE, while the original wireless access node continues to encrypt the first air interface ID with the same first key and transmit it to the UE.
Note that in another implementation step 501 is replaced by: the upper-layer network control node generates a third air interface ID protection key from the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the added wireless access node ID, the carrier frequency of the added node's cell, and the third air interface ID.
After generating the third air interface ID protection key, the upper-layer network control node must also send either the third key or the third preset parameter to the UE so that the UE can obtain or generate the key. When the third preset parameter includes the third air interface ID, the parameter can be sent to the UE through the original wireless access node, in which case it is encrypted with the first air interface ID protection key.
If the upper-layer network control node sends the third preset parameter to the UE, the added wireless access node also has to trigger the UE to start generating the third air interface ID protection key, for example by passing a specific counter parameter.
Correspondingly, step 502 is replaced by: the upper-layer network control node sends the third air interface ID protection key to the added wireless access node, so that the added node encrypts the third air interface ID with the third key for transmission.
In that case the added wireless access node encrypts the third air interface ID with the third air interface ID protection key and transmits it to the UE, while the original wireless access node still encrypts the first air interface ID with the first air interface ID protection key and transmits it to the UE.
In the air interface identifier access method of this embodiment, the upper-layer network control node obtains the first air interface ID protection key and sends it to the added wireless access node, which encrypts the third air interface ID with it; or the upper-layer network control node generates a third air interface ID protection key from the first air interface ID protection key and the third preset parameter and sends it to the added wireless access node, which encrypts the third air interface ID with the third key. In the prior art a leaked air interface ID puts the user's private information and the security of the network at risk. Here, when a wireless access node is added, the first air interface ID protection key is reused or a third one is generated, so the third air interface ID is transmitted encrypted under one of them while the first air interface ID remains encrypted under the first key, which protects the user's privacy and the security of the network.
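The following is an added example, not code from the patent or from Huawei, that runs the three flows described above end to end: the initial attach (steps 203, 207/208 and 2041/2042, where both the network and the UE derive the first air interface ID protection key and the access node sends the encrypted first air interface ID), the handover variant (steps 401 to 403, where a second key is chained from the first key and the second preset parameters, which reach the UE through the original node under the first key), and the added-node variant (steps 501 to 502, where a third key is chained while the original node keeps using the first key). The page names the KDF inputs and says a negotiated encryption algorithm is used but fixes neither, so the HMAC-SHA256 KDF and the `seal`/`open_sealed` construction here are assumed stand-ins chosen so the block runs with only the standard library; the function names, key values, node identifiers, carrier frequencies and air interface ID values are all constructed for the example.

```python
"""Added example (not the patent's own code): air interface ID protection key
derivation and use across initial attach, handover and secondary-node addition.

Standard library only. The KDF and the seal/open_sealed construction are assumed
stand-ins for the unspecified KDF and the negotiated encryption algorithm. Every
key, identifier, nonce and air interface ID value below is constructed.
"""
import hashlib
import hmac

NONCE_LEN = 12
TAG_LEN = 16


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA256 KDF (assumed construction). Parameters are length-prefixed so
    that (b"ab", b"c") and (b"a", b"bc") derive different keys."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def first_air_id_key(root_key, ue_id, net_dev_id, plmn_id, alg_id, rand):
    """Step 203: the first protection key from the root key and the first preset
    parameters (UE ID, network device ID, PLMN ID, security algorithm ID, RAND)."""
    return kdf(root_key, b"air-id-key-1", ue_id, net_dev_id, plmn_id, alg_id, rand)


def chained_air_id_key(prev_key, node_id, carrier_khz, new_air_id):
    """Handover / added-node variant: the next key from the previous key plus the
    new node's ID, its cell carrier frequency and the air interface ID it allocated."""
    return kdf(prev_key, b"air-id-key-next", node_id,
               carrier_khz.to_bytes(4, "big"), new_air_id)


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption for short payloads (<= 32 bytes):
    HMAC-derived keystream XOR plaintext, then a tag over nonce || ciphertext.
    A deployment would use the negotiated AEAD (e.g. AES-GCM) in its place."""
    if len(nonce) != NONCE_LEN or len(plaintext) > hashlib.sha256().digest_size:
        raise ValueError("bad nonce length or plaintext too long")
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed")
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


def run_scenario() -> dict:
    """Runs attach, handover and node addition; returns what each side ends up with."""
    # Constructed values. Fixed nonces keep the run reproducible; a real node
    # would draw them from secrets.token_bytes(NONCE_LEN).
    root_key = hashlib.sha256(b"constructed root key shared by HSS and UE").digest()
    ue_id = b"ue-0001"
    first_params = (b"cell-0001", b"00101", b"alg-2", b"\x11" * 16)  # net dev ID, test PLMN, alg ID, RAND

    # Initial attach: the control node derives K1 and hands it to the access node;
    # the UE derives the same K1 from the first preset parameters it received (step 207).
    k1 = first_air_id_key(root_key, ue_id, *first_params)       # control node
    k1_ue = first_air_id_key(root_key, ue_id, *first_params)    # UE, step 208
    air_id_1 = b"\x00\x2a"                                      # allocated by the access node
    air_id_1_at_ue = open_sealed(k1_ue, seal(k1, b"\x01" * NONCE_LEN, air_id_1))

    # Handover (alternative to 402/403): K2 = KDF(K1, new node ID, carrier, air ID 2).
    # The second preset parameters travel to the UE through the original node under K1;
    # the new node's counter trigger then makes the UE derive K2.
    new_node, carrier2, air_id_2 = b"gnb-0002", 3_500_000, b"\x00\x3b"
    k2 = chained_air_id_key(k1, new_node, carrier2, air_id_2)   # control node
    params_blob = seal(k1, b"\x02" * NONCE_LEN, new_node + carrier2.to_bytes(4, "big") + air_id_2)
    p = open_sealed(k1_ue, params_blob)                         # UE parses 8 + 4 + 2 bytes
    k2_ue = chained_air_id_key(k1_ue, p[:8], int.from_bytes(p[8:12], "big"), p[12:])
    air_id_2_blob = seal(k2, b"\x03" * NONCE_LEN, air_id_2)     # sent by the new node
    air_id_2_at_ue = open_sealed(k2_ue, air_id_2_blob)
    try:                                                        # K1 must not open K2 traffic
        open_sealed(k1, air_id_2_blob)
        old_key_rejected = False
    except ValueError:
        old_key_rejected = True

    # Secondary-node addition (alternative to 501/502): K3 for the added node, while
    # the original node keeps protecting air ID 1 with K1.
    added_node, carrier3, air_id_3 = b"gnb-0003", 2_600_000, b"\x00\x4c"
    k3 = chained_air_id_key(k1, added_node, carrier3, air_id_3)
    k3_ue = chained_air_id_key(k1_ue, added_node, carrier3, air_id_3)
    air_id_3_at_ue = open_sealed(k3_ue, seal(k3, b"\x04" * NONCE_LEN, air_id_3))
    air_id_1_again = open_sealed(k1_ue, seal(k1, b"\x05" * NONCE_LEN, air_id_1))

    return {
        "ue_derived_k1": k1_ue == k1,
        "air_id_1": air_id_1_at_ue,
        "air_id_2": air_id_2_at_ue,
        "air_id_3": air_id_3_at_ue,
        "air_id_1_still_under_k1": air_id_1_again,
        "keys_distinct": len({k1, k2, k3}) == 3,
        "old_key_rejected": old_key_rejected,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

Two design points the text leaves implicit are made visible here. First, the chained key binds the new node's ID, carrier and the second air interface ID, so a key intended for one cell cannot be replayed against another; the `old_key_rejected` result shows that the original node's key does not open traffic protected under the chained key. Second, because the second preset parameters contain the new air interface ID, they are themselves sensitive and go to the UE only under the first key through the original node, which is why the page requires them to be encrypted on that leg.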
Corresponding to the method embodiments above, and to solve the problem that a leaked air interface ID puts the user's private information and the security of the network at risk, an embodiment of the invention provides an air interface identifier protection apparatus that is applied in the upper-layer network control node. As shown in FIG. 6, the apparatus includes a receiving unit 601, an obtaining unit 602, a generating unit 603 and a sending unit 604.
The receiving unit 601 is configured to receive the network attach request sent by the user equipment (UE); the request carries the UE's identifier.
The obtaining unit 602 is configured to obtain the root key corresponding to the UE's identifier.
The generating unit 603 is configured to generate the first air interface identifier (ID) protection key from the root key corresponding to the UE's identifier and the first preset parameter, where the first preset parameter includes one or any combination of the UE's identifier, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number. The network device ID is the ID of the cell of the wireless access point the UE accesses, or the ID of the base station corresponding to that wireless access point.
The sending unit 604 is configured to send the first air interface ID protection key generated by the generating unit 603 to the wireless access node, so that the wireless access node encrypts the first air interface ID with that key for transmission.
The first air interface ID is the air interface ID that the wireless access node allocates to the UE.
In another embodiment of the invention, the sending unit 604 is further configured to send the first air interface ID protection key to the UE.
In another embodiment of the invention, the sending unit 604 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key from the root key corresponding to its identifier and the first preset parameter.
In another embodiment of the invention, when the wireless access node the UE accesses is switched from the original wireless access node to a new one, the receiving unit 601 is further configured to receive the key request message sent by the new wireless access node; the message carries the UE's identifier.
The obtaining unit 602 is further configured to obtain the first air interface ID protection key according to the UE's identifier.
The sending unit 604 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new node encrypts the second air interface ID with that key for transmission.
The second air interface ID is the air interface ID that the new wireless access node allocates to the UE.
In another embodiment of the invention, when the wireless access node the UE accesses is switched from the original wireless access node to a new one, the receiving unit 601 is further configured to receive the key request message sent by the new wireless access node; the message carries the UE's identifier.
The generating unit 603 is further configured to generate a second air interface ID protection key from the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of the new access point's cell, and the second air interface ID.
The sending unit 604 is further configured to send the second air interface ID protection key generated by the generating unit 603 to the new wireless access node, so that the new node encrypts the second air interface ID with the second key for transmission.
In another embodiment of the invention, when a wireless access node is added for the UE, the obtaining unit 602 is further configured to obtain the first air interface ID protection key according to the UE's identifier.
The sending unit 604 is further configured to send the first air interface ID protection key to the added wireless access node, so that the added node encrypts the third air interface ID with that key for transmission.
The third air interface ID is the air interface ID that the added wireless access node allocates to the UE.
In another embodiment of the invention, when a wireless access node is added for the UE, the generating unit 603 is further configured to generate a third air interface ID protection key from the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the added wireless access node ID, the carrier frequency of the added node's cell, and the third air interface ID.
The sending unit 604 is further configured to send the third air interface ID protection key to the added wireless access node, so that the added node encrypts the third air interface ID with the third key for transmission.
In the air interface identifier protection apparatus of this embodiment, the receiving unit receives the attach request sent by the UE, which carries the UE's identifier; the obtaining unit obtains the root key corresponding to that identifier; the generating unit generates the first air interface ID protection key from the root key and the first preset parameter; and the sending unit sends the key to the wireless access node, which encrypts the first air interface ID with it and sends the encrypted ID to the UE. In the prior art a leaked air interface ID puts the user's private information and the security of the network at risk. Here the upper-layer network control node generates the first air interface ID protection key and the wireless access node encrypts the first air interface ID with it, so the ID is only ever transmitted in encrypted form. An attacker can no longer keep obtaining the air interface ID, which protects the user's privacy and the security of the network.
An embodiment of the present invention further provides a signal processing apparatus. As shown in FIG. 7, the apparatus is a schematic diagram of the hardware structure of the upper layer network control node described in FIG. 6. The upper layer network control node may include a memory 701, a processor 702, a receiver 703, a transmitter 704 and a bus 1005.
The memory 701 may be a ROM (Read Only Memory), a static storage device, a dynamic storage device or a RAM (Random Access Memory). The memory 701 may store an operating system and other application programs. When the technical solution provided by the embodiment of the present invention is implemented in software or firmware, the program code implementing that technical solution is stored in the memory 701 and executed by the processor 702.
The receiver 703 is used for communication between the apparatus and other devices or communication networks (such as, but not limited to, Ethernet, a RAN (Radio Access Network), a WLAN (Wireless Local Area Network) and so on).
The processor 702 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute the related programs so as to implement the technical solution provided by the embodiment of the present invention.
The bus 1005 may include a path that transfers information between the components of the apparatus (for example, the memory 701, the receiver 703, the transmitter 704 and the processor 702).
It should be noted that although the hardware shown in FIG. 7 shows only the memory 701, the receiver 703, the transmitter 704, the processor 702 and the bus 704, those skilled in the art will understand that in a specific implementation the apparatus also contains other components necessary for normal operation. Likewise, those skilled in the art will understand that hardware components implementing other functions may also be included, depending on specific needs.
Specifically, when the upper layer network control node shown in FIG. 7 is used to implement the apparatus of the embodiment shown in FIG. 6, the receiver 703 in the apparatus is configured to receive a network access connection request sent by a user equipment UE, the request including the identifier of the UE.
The processor 702 is coupled to the memory 701, the receiver 703 and the transmitter 704 and is configured to control the execution of program instructions. Specifically, it is configured to acquire the root key corresponding to the identifier of the UE, and to generate a first air interface identifier (ID) protection key from that root key and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
the transmitter 704 is configured to send the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key for transmission.
Here the first air interface ID is the air interface ID allocated to the UE by the wireless access node.
In another embodiment of the present invention, the transmitter 704 is further configured to send the first air interface ID protection key to the UE.
In another embodiment of the present invention, the transmitter 704 is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key from the root key corresponding to the identifier of the UE and the first preset parameter.
In another embodiment of the present invention, when the wireless access node accessed by the UE is switched from an original wireless access node to a new wireless access node,
the receiver 703 is further configured to receive a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitter 704 is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts a second air interface ID with the first air interface ID protection key for transmission.
Here the second air interface ID is the air interface ID allocated to the UE by the new wireless access node.
In another embodiment of the present invention, when the wireless access point accessed by the UE is switched from an original wireless access node to a new wireless access node,
the receiver 703 is further configured to receive a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
the processor 702 is further configured to generate a second air interface ID protection key from the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of the cell corresponding to the new wireless access point, and the second air interface ID;
the transmitter 704 is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the processor 702 is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
the transmitter 704 is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts a third air interface ID with the first air interface ID protection key for transmission.
Here the third air interface ID is the air interface ID allocated to the UE by the newly added wireless access node.
In another embodiment of the present invention, when a wireless access node is newly added for the UE, the processor 702 is further configured to generate a third air interface ID protection key from the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and the third air interface ID;
the transmitter 704 is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
In another embodiment of the present invention, when at least two wireless access nodes serve the UE, the transmitter 704 is further configured to send the first air interface ID protection key to one of the wireless access nodes serving the UE, or to at least two of them.
In the apparatus for protecting an air interface identifier provided by the embodiment of the present invention, the receiver receives a network access connection request sent by a UE, the request including the identifier of the UE; the processor generates a first air interface ID protection key from the root key corresponding to the identifier of the UE and a first preset parameter; and the transmitter sends the first air interface ID protection key to the wireless access node, so that the wireless access node encrypts the first air interface ID with the first air interface ID protection key and sends the encrypted first air interface ID to the UE. In the prior art, leakage of the air interface ID puts the user's private information and network security at risk. In this embodiment, by contrast, the upper layer network control node generates a first air interface ID protection key for the first air interface ID, and the wireless access node can encrypt the first air interface ID with that key, so that the first air interface ID is transmitted in encrypted form. This prevents an attacker from continuously obtaining the air interface ID and protects the user's private information and network security.
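The following Python model is an added worked example, not code from the patent or from its applicant, of the key hierarchy described in the embodiments above: the control node (and, symmetrically, the UE) derives the first air interface ID protection key from the root key and the first preset parameter, the access node encrypts the allocated air interface ID under that key, and a handover target receives a second key derived from the first key and its own node ID and carrier frequency. The patent names the inputs but specifies neither the key derivation function nor the cipher, so HMAC-SHA256 as KDF, the HMAC-keystream stand-in cipher, and every name, key and identifier below are assumptions of this example.

```python
import hmac
import hashlib

TAG_LEN = 16  # bytes of HMAC tag appended to each protected air interface ID


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed parameters.

    The patent lists the inputs (root key plus preset parameters) but not the
    function; the length prefix keeps (b"AB", b"C") and (b"A", b"BC") distinct.
    """
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big"))
        mac.update(p)
    return mac.digest()


def first_protection_key(root_key, ue_id, network_device_id, plmn_id, alg_id, nonce):
    """Control node (or UE): first air interface ID protection key from the
    root key and the first preset parameter (UE ID, network device ID,
    PLMN ID, security algorithm ID, random number)."""
    return kdf(root_key, b"air-interface-id-key-1",
               ue_id, network_device_id, plmn_id, alg_id, nonce)


def next_protection_key(first_key, new_node_id, carrier_freq):
    """Second/third key for a handover target or an added node, derived from
    the first key plus the new node's ID and the carrier frequency of its cell."""
    return kdf(first_key, b"air-interface-id-key-n", new_node_id, carrier_freq)


def protect_air_id(key, air_id, iv):
    """Wireless access node: encrypt the allocated air interface ID.

    Stand-in cipher for this example only: an HMAC-SHA256 keystream XORed over
    the ID, then a truncated HMAC tag so a modified message is rejected rather
    than decrypted to a wrong ID. A real node would use the algorithm selected
    by the security algorithm ID (for example AES in an AEAD mode).
    """
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    if len(air_id) > len(stream):
        raise ValueError("air interface ID longer than one keystream block")
    ct = bytes(a ^ b for a, b in zip(air_id, stream))
    tag = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def unprotect_air_id(key, blob, iv):
    """UE: check the tag and recover the air interface ID; None on mismatch
    (wrong key, stale key after handover, or tampered message)."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def run_scenario():
    """Initial access followed by a handover, using constructed sample values."""
    # Constructed values for the example; real keys and IDs come from the network.
    root_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    ue_id, plmn_id, alg_id = b"ue-0001", b"46000", b"alg-01"
    cell_id, nonce = b"cell-1234", bytes.fromhex("0123456789abcdef")
    first_air_id = b"\x5a\x00\x10\x01"  # a 32-bit air interface ID, constructed

    # Control node derives K1 and hands it to the serving access node; the UE,
    # given the same preset parameter (including the nonce), derives the same K1.
    k1_net = first_protection_key(root_key, ue_id, cell_id, plmn_id, alg_id, nonce)
    k1_ue = first_protection_key(root_key, ue_id, cell_id, plmn_id, alg_id, nonce)

    iv1 = nonce + b"\x00" * 8
    over_the_air = protect_air_id(k1_net, first_air_id, iv1)
    recovered = unprotect_air_id(k1_ue, over_the_air, iv1)

    # Handover: K2 from K1 and the new node's ID / carrier frequency, then the
    # new node protects the second air interface ID it allocates under K2.
    k2_net = next_protection_key(k1_net, b"node-5678", b"1800")
    second_air_id = b"\x5a\x00\x20\x02"
    iv2 = nonce + b"\x00" * 7 + b"\x01"
    handover_msg = protect_air_id(k2_net, second_air_id, iv2)
    k2_ue = next_protection_key(k1_ue, b"node-5678", b"1800")

    tampered = bytes([over_the_air[0] ^ 0x01]) + over_the_air[1:]
    return {
        "keys_match": k1_net == k1_ue,
        "id_hidden": first_air_id not in over_the_air,
        "recovered": recovered,
        "second_recovered": unprotect_air_id(k2_ue, handover_msg, iv2),
        "tamper_rejected": unprotect_air_id(k1_ue, tampered, iv1) is None,
        "old_key_fails": unprotect_air_id(k1_ue, handover_msg, iv2) is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two points the model makes visible: the random number in the first preset parameter has to reach the UE (the embodiment in which the transmitter sends the first preset parameter to the UE covers this), otherwise the UE cannot reproduce the key; and the second preset parameter here uses only the new node ID and carrier frequency, because a UE that has not yet decrypted the second air interface ID cannot feed that ID into the derivation of the very key that protects it.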
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware, or of course by hardware alone, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium such as a floppy disk, hard disk or optical disc of a computer, the product including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the various embodiments of the present invention.
The foregoing is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these shall all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (14)

  1. A method for protecting an air interface identifier, characterized in that it comprises:
    an upper layer network control node receiving a network access connection request sent by a user equipment UE, the network access connection request including the identifier of the UE;
    the upper layer network control node acquiring a root key corresponding to the identifier of the UE;
    the upper layer network control node generating a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
    the upper layer network control node sending the first air interface ID protection key to a wireless access node, so that the wireless access node encrypts a first air interface ID with the first air interface ID protection key for transmission, the first air interface ID being the air interface ID allocated to the UE by the wireless access node.
  2. The method for protecting an air interface identifier according to claim 1, characterized in that, after the upper layer network control node generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter, the method further comprises:
    the upper layer network control node sending the first air interface ID protection key to the UE.
  3. The method for protecting an air interface identifier according to claim 1, characterized in that, after the upper layer network control node receives the network access connection request sent by the UE, the method further comprises:
    the upper layer network control node sending the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  4. The method for protecting an air interface identifier according to any one of claims 1 to 3, characterized in that, when the wireless access node accessed by the UE is switched from an original wireless access node to a new wireless access node, the method further comprises:
    the upper layer network control node receiving a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
    the upper layer network control node acquiring the first air interface ID protection key according to the identifier of the UE;
    the upper layer network control node sending the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts a second air interface ID with the first air interface ID protection key for transmission, the second air interface ID being the air interface ID allocated to the UE by the new wireless access node.
  5. The method for protecting an air interface identifier according to any one of claims 1 to 3, characterized in that, when the wireless access point accessed by the UE is switched from an original wireless access node to a new wireless access node, the method further comprises:
    the upper layer network control node receiving a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
    the upper layer network control node generating a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of the cell corresponding to the new wireless access point, and a second air interface ID, the second air interface ID being the air interface ID allocated to the UE by the new wireless access node;
    the upper layer network control node sending the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
  6. The method for protecting an air interface identifier according to any one of claims 1 to 3, characterized in that, when a wireless access node is newly added for the UE, the method further comprises:
    the upper layer network control node acquiring the first air interface ID protection key;
    the upper layer network control node sending the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts a third air interface ID with the first air interface ID protection key for transmission, the third air interface ID being the air interface ID allocated to the UE by the newly added wireless access node.
  7. The method for protecting an air interface identifier according to any one of claims 1 to 3, characterized in that, when a wireless access node is newly added for the UE, the method further comprises:
    the upper layer network control node generating a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and a third air interface ID, the third air interface ID being the air interface ID allocated to the UE by the newly added wireless access node;
    the upper layer network control node sending the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
  8. An apparatus for protecting an air interface identifier, characterized in that it comprises:
    a receiving unit, configured to receive a network access connection request sent by a user equipment UE, the network access connection request including the identifier of the UE;
    an acquiring unit, configured to acquire a root key corresponding to the identifier of the UE;
    a generating unit, configured to generate a first air interface identifier (ID) protection key according to the root key corresponding to the identifier of the UE and a first preset parameter, where the first preset parameter includes one or any combination of the identifier of the UE, a network device ID, the ID of the public land mobile network (PLMN) to which the UE belongs, a security algorithm ID and a random number, and the network device ID is the ID of the cell corresponding to the wireless access point accessed by the UE or the ID of the base station corresponding to the wireless access point accessed by the UE;
    a sending unit, configured to send the first air interface ID protection key to a wireless access node, so that the wireless access node encrypts a first air interface ID with the first air interface ID protection key for transmission, the first air interface ID being the air interface ID allocated to the UE by the wireless access node.
  9. The apparatus for protecting an air interface identifier according to claim 8, characterized in that
    the sending unit is further configured to send the first air interface ID protection key to the UE.
  10. The apparatus for protecting an air interface identifier according to claim 8, characterized in that
    the sending unit is further configured to send the first preset parameter to the UE, so that the UE generates the first air interface ID protection key according to the root key corresponding to the identifier of the UE and the first preset parameter.
  11. The apparatus for protecting an air interface identifier according to any one of claims 8 to 10, characterized in that, when the wireless access node accessed by the UE is switched from an original wireless access node to a new wireless access node,
    the receiving unit is further configured to receive a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
    the acquiring unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
    the sending unit is further configured to send the first air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts a second air interface ID with the first air interface ID protection key for transmission, the second air interface ID being the air interface ID allocated to the UE by the new wireless access node.
  12. The apparatus for protecting an air interface identifier according to any one of claims 8 to 10, characterized in that, when the wireless access node accessed by the UE is switched from an original wireless access node to a new wireless access node,
    the receiving unit is further configured to receive a key request message sent by the new wireless access node, the key request message including the identifier of the UE;
    the generating unit is further configured to generate a second air interface ID protection key according to the first air interface ID protection key and a second preset parameter, where the second preset parameter is one or any combination of the new wireless access point ID, the carrier frequency of the cell corresponding to the new wireless access point, and a second air interface ID, the second air interface ID being the air interface ID allocated to the UE by the new wireless access node;
    the sending unit is further configured to send the second air interface ID protection key to the new wireless access node, so that the new wireless access node encrypts the second air interface ID with the second air interface ID protection key for transmission.
  13. The apparatus for protecting an air interface identifier according to any one of claims 8 to 10, characterized in that, when a wireless access node is newly added for the UE,
    the acquiring unit is further configured to acquire the first air interface ID protection key according to the identifier of the UE;
    the sending unit is further configured to send the first air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts a third air interface ID with the first air interface ID protection key for transmission, the third air interface ID being the air interface ID allocated to the UE by the newly added wireless access node.
  14. The apparatus for protecting an air interface identifier according to any one of claims 8 to 10, characterized in that, when a wireless access node is newly added for the UE,
    the generating unit is further configured to generate a third air interface ID protection key according to the first air interface ID protection key and a third preset parameter, where the third preset parameter includes one or any combination of the newly added wireless access node ID, the carrier frequency of the cell corresponding to the newly added wireless access node, and a third air interface ID, the third air interface ID being the air interface ID allocated to the UE by the newly added wireless access node;
    the sending unit is further configured to send the third air interface ID protection key to the newly added wireless access node, so that the newly added wireless access node encrypts the third air interface ID with the third air interface ID protection key for transmission.
PCT/CN2016/110194 2016-01-06 2016-12-15 Method and apparatus for protecting air interface identity WO2017118269A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610006376.2 2016-01-06
CN201610006376.2A CN106954210B (en) 2016-01-06 2016-01-06 Protection method and device for air interface identifier

Publications (1)

Publication Number Publication Date
WO2017118269A1 true WO2017118269A1 (en) 2017-07-13

Family

ID=59273216

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/110194 WO2017118269A1 (en) 2016-01-06 2016-12-15 Method and apparatus for protecting air interface identity

Country Status (2)

Country Link
CN (1) CN106954210B (en)
WO (1) WO2017118269A1 (en)

Also Published As

Publication number Publication date
CN106954210A (en) 2017-07-14
CN106954210B (en) 2020-02-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16883395

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16883395

Country of ref document: EP

Kind code of ref document: A1