Method and system for generating key identity identifier when user equipment transfers
Abstract
A method for generating a key identity identifier when a user equipment (UE) transfers is disclosed. The method includes the following steps: a mobility management entity (MME) of an evolved UMTS terrestrial radio access network (EUTRAN) sends an identity identifier of an access security management entity key (KSIASME) to a serving general packet radio service support node (SGSN) of a target system when the UE transfers from the EUTRAN to the target system, and both the SGSN and the UE map the KSIASME into a key identity identifier of the target system.
32 Claims
-
1. A method for generating a key identity identifier when a UE (user equipment) transfers, including the following steps:
- when a UE transfers from an EUTRAN (evolved UMTS terrestrial radio access network) to a target system, an MME (mobility management entity) of the EUTRAN sending a KSIASME (an identity identifier of an access security management entity key (KASME)) to an SGSN (serving GPRS support node) of the target system, and both the SGSN and the UE mapping the KSIASME into a key identity identifier of the target system.
-
2. The generating method according to claim 1, wherein the mapping method includes the following steps:
- directly assigning the KSIASME to the key identity identifier of the target system, or directly assigning the sum of the KSIASME and a constant that is agreed on by the UE and the network to the key identity identifier of the target system.
-
3. The generating method according to claim 1, wherein the specific steps are as follows when the UE transfers in an idle state from the EUTRAN to a UTRAN (universal terrestrial radio access network):
A1: after receiving a context request message or an identification request message, the MME generates an IK (integrity key) and a CK (ciphering key) based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message;
A2: after receiving the KSIASME, the IK and the CK from the MME, the SGSN maps the KSIASME into a KSI (key set identifier), and stores the KSI, the IK and the CK; and
the SGSN sends a message of indicating mapping completion of the KSI to the UE; and
A3: the UE maps the KSIASME into a KSI, and stores the KSI together with the IK and the CK which are generated from the KASME.
-
4. The generating method according to claim 3, wherein step A3 takes place in any step after the UE decides to transfer to the UTRAN in an idle state and before the UE sends a corresponding route area update completion message or route area attachment completion message to the SGSN.
-
5. The generating method according to claim 1, wherein the specific steps are as follows when the UE switches from the EUTRAN to a UTRAN:
a1: after receiving a switching request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message;
a2: after receiving the KSIASME together with the IK and the CK from the MME, the SGSN maps the KSIASME into a KSI, and stores the KSI, the IK and the CK together;
the SGSN sends a forward and redirect response message of indicating mapping completion of the KSI to the MME; and
the MME sends a switching command to instruct the UE to switch; and
a3: after receiving the switching command from the network, the UE maps the KSIASME into a KSI, and stores the KSI together with the IK and the CK which are generated from the KASME.
-
6. The generating method according to claim 1, wherein the specific steps are as follows when the UE transfers in an idle state from the EUTRAN to a GERAN (general packet radio service (GPRS)/enhanced data rates for global evolution (EDGE) radio access network):
B1: after receiving a context request message or an identification request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message;
B2: after receiving the KSIASME, the IK and the CK from the MME, the SGSN generates a Kc (ciphering key) of the GERAN based on the IK and the CK, maps the KSIASME into a CKSN (ciphering key sequence number) of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN; and
the SGSN sends the UE a message of indicating mapping completion of the CKSN of the GERAN; and
B3: the UE maps the KSIASME into a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN generated from the KASME.
-
7. The generating method according to claim 6, wherein step B3 takes place in any step after the UE decides to transfer to the GERAN in an idle state and before the UE sends a switching message to the network.
-
8. The generating method according to claim 1, wherein the specific steps are as follows when the UE switches from the EUTRAN to a GERAN:
b1: after receiving a switching request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message;
b2: after receiving the KSIASME together with the IK and the CK from the MME, the SGSN generates a Kc of the GERAN based on the IK and the CK, assigns the value of the KSIASME to a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN;
the SGSN sends a message of indicating mapping completion of the CKSN of the GERAN to the MME; and
the MME sends a switching command to instruct the UE to switch; and
b3: after receiving the switching command from the network, the UE maps the KSIASME into a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN generated from the KASME.
-
17. The generating method according to claim 2, wherein the specific steps are as follows when the UE transfers in an idle state from the EUTRAN to a UTRAN:
A1: after receiving a context request message or an identification request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message;
A2: after receiving the KSIASME, the IK and the CK from the MME, the SGSN maps the KSIASME into a KSI, and stores the KSI, the IK and the CK; and
the SGSN sends a message of indicating mapping completion of the KSI to the UE; and
A3: the UE maps the KSIASME into a KSI, and stores the KSI together with the IK and the CK which are generated from the KASME.
-
18. The generating method according to claim 17, wherein step A3 takes place in any step after the UE decides to transfer to the UTRAN in an idle state and before the UE sends a corresponding route area update completion message or route area attachment completion message to the SGSN.
-
19. The generating method according to claim 2, wherein the specific steps are as follows when the UE switches from the EUTRAN to a UTRAN:
a1: after receiving a switching request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message;
a2: after receiving the KSIASME together with the IK and the CK from the MME, the SGSN maps the KSIASME into a KSI, and stores the KSI, the IK and the CK together;
the SGSN sends a forward and redirect response message of indicating mapping completion of the KSI to the MME; and
the MME sends a switching command to instruct the UE to switch; and
a3: after receiving the switching command from the network, the UE maps the KSIASME into a KSI, and stores the KSI together with the IK and the CK which are generated from the KASME.
-
20. The generating method according to claim 2, wherein the specific steps are as follows when the UE transfers in an idle state from the EUTRAN to a GERAN:
B1: after receiving a context request message or an identification request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message;
B2: after receiving the KSIASME, the IK and the CK from the MME, the SGSN generates a Kc of the GERAN based on the IK and the CK, maps the KSIASME into a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN; and
the SGSN sends the UE a message of indicating mapping completion of the CKSN of the GERAN; and
B3: the UE maps the KSIASME into a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN generated from the KASME.
-
21. The generating method according to claim 20, wherein step B3 takes place in any step after the UE decides to transfer to the GERAN in an idle state and before the UE sends a switching message to the network.
-
22. The generating method according to claim 2, wherein the specific steps are as follows when the UE switches from the EUTRAN to a GERAN:
b1: after receiving a switching request message, the MME generates an IK and a CK based on the KASME, and sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message;
b2: after receiving the KSIASME together with the IK and the CK from the MME, the SGSN generates a Kc of the GERAN based on the IK and the CK, assigns the value of the KSIASME to a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN;
the SGSN sends a message of indicating mapping completion of the CKSN of the GERAN to the MME; and
the MME sends a switching command to instruct the UE to switch; and
b3: after receiving the switching command from the network, the UE maps the KSIASME into a CKSN of the GERAN, and stores the CKSN of the GERAN together with the Kc of the GERAN generated from the KASME.
-
9. A system for generating a key identity identifier when a UE transfers, including a UE (user equipment), an MME (mobility management entity) and an SGSN (serving GPRS support node):
-
the MME being used for sending a KSIASME (an identity identifier of an access security management entity key (KASME)) to the SGSN when the UE transfers from an EUTRAN (evolved UMTS terrestrial radio access network) to a target system; and both the SGSN and the UE being used for mapping the KSIASME into a key identity identifier of the target system.
-
10. The generating system according to claim 9, wherein the SGSN/UE performs mapping in the following method:
- directly assigning the KSIASME to the key identity identifier of the target system, or directly assigning the sum of the KSIASME and a constant that is agreed on by the UE and the network to the key identity identifier of the target system.
-
11. The generating system according to claim 9, wherein the UE and the SGSN are also used for deleting a key stored before transferring when the UE and the SGSN have agreed on a key before transferring and a key identity identifier of a target system is the same as the key identity identifier of the target system converted from the KSIASME during transferring.
-
12. The generating system according to claim 9, wherein
the UE consists of a message interaction unit, a key identifier mapping unit and a key and key identifier storage unit;
the message interaction unit is used for receiving a message from a network side;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of a target system when the message interaction unit receives a switching command, a route area update acceptance message or a route area attachment acceptance message; and
the key and key identifier storage unit is used for storing a key of a target system and a key identity identifier of the target system together;
the MME consists of a request message receiving unit and a security parameter processing unit;
the request message receiving unit is used for receiving transfer request messages from other network entities and instructing the security parameter processing unit to process these messages; and
the security parameter processing unit is used for generating a CK and an IK from the KASME and sending the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN after receiving the instruction from the request message receiving unit;
the SGSN consists of a security parameter receiving unit, a message interaction unit, a key identifier mapping unit, and a key and key identifier storage unit;
the security parameter receiving unit is used for receiving the keys and the KSIASME from the MME, sending the KSIASME to the key identifier mapping unit, acquiring the key of the target system based on the keys sent by the MME, and sending it to the key and key identifier storage unit;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of the target system after receiving the KSIASME;
the key and key identifier storage unit is used for storing both the key of the target system sent by the security parameter receiving unit and the key identity identifier of the target system sent by the key identifier mapping unit, and notifying the message interaction unit of mapping completion after storing; and
the message interaction unit is used for sending a notification of mapping success of the network-side key identifier after receiving the message of mapping completion.
-
13. The generating system according to claim 12, wherein
the key identifier mapping units in the UE and the SGSN map the KSIASME into a key identity identifier of the target system, i.e. when the target system is a UTRAN, the KSIASME is mapped into a KSI; and when the target system is a GERAN, the KSIASME is mapped into a CKSN of the GERAN; and
the security parameter receiving unit in the SGSN acquires the key of the target system based on the keys sent by the MME and sends it to the key and key identifier storage unit, i.e. when the target system is a UTRAN, the keys sent by the MME are sent to the key and key identifier storage unit; and
when the target system is a GERAN, the keys sent by the MME are used to generate a Kc of the GERAN which is sent to the key and key identifier storage unit.
-
14. The generating system according to claim 12, wherein the key identifier mapping unit in the UE is also used for mapping the KSIASME into the key identity identifier of the target system when the UE decides to transfer in an idle state.
-
15. The generating system according to claim 12, wherein
the message interaction unit in the UE is also used for sending a route area update request message or a route area attachment request message to the SGSN when the UE decides to transfer in an idle state;
the message interaction unit in the SGSN is also used for sending a corresponding context request message or identification request message to the MME after receiving the route area update request message or the route area attachment request message;
the request message receiving unit in the MME sends a first processing instruction to the security parameter processing unit if the transfer request message is a context request message or an identification request message, and the request message receiving unit sends a second processing instruction to the security parameter processing unit if the transfer request message is a switching request message; and
the security parameter processing unit in the MME sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message after receiving the first processing instruction, and the security parameter processing unit sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message after receiving the second processing instruction.
-
16. The generating system according to claim 15, wherein the message interaction unit in the SGSN sends a notification of mapping success of the network-side key identifier, i.e.:
- if the message of sending the key and the key identifier by the MME is a context response message or an identification response message, then the message interaction unit sends a route area update acceptance message or a route area attachment acceptance message to the UE to indicate mapping success of the network-side key identifier; and
if the message of sending the key and the key identifier by the MME is a forward and redirect request message, then the message interaction unit sends a forward and redirect response message to the MME to indicate mapping success of the network-side key identifier.
-
23. The generating system according to claim 10, wherein
the UE consists of a message interaction unit, a key identifier mapping unit and a key and key identifier storage unit;
the message interaction unit is used for receiving a message from a network side;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of a target system when the message interaction unit receives a switching command, a route area update acceptance message or a route area attachment acceptance message; and
the key and key identifier storage unit is used for storing a key of a target system and a key identity identifier of the target system together;
the MME consists of a request message receiving unit and a security parameter processing unit;
the request message receiving unit is used for receiving transfer request messages from other network entities and instructing the security parameter processing unit to process these messages; and
the security parameter processing unit is used for generating a CK and an IK from the KASME and sending the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN after receiving the instruction from the request message receiving unit;
the SGSN consists of a security parameter receiving unit, a message interaction unit, a key identifier mapping unit, and a key and key identifier storage unit;
the security parameter receiving unit is used for receiving the keys and the KSIASME from the MME, sending the KSIASME to the key identifier mapping unit, acquiring the key of the target system based on the keys sent by the MME, and sending it to the key and key identifier storage unit;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of the target system after receiving the KSIASME;
the key and key identifier storage unit is used for storing both the key of the target system sent by the security parameter receiving unit and the key identity identifier of the target system sent by the key identifier mapping unit, and notifying the message interaction unit of mapping completion after storing; and
the message interaction unit is used for sending a notification of mapping success of the network-side key identifier after receiving the message of mapping completion.
-
24. The generating system according to claim 11, wherein
the UE consists of a message interaction unit, a key identifier mapping unit and a key and key identifier storage unit;
the message interaction unit is used for receiving a message from a network side;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of a target system when the message interaction unit receives a switching command, a route area update acceptance message or a route area attachment acceptance message; and
the key and key identifier storage unit is used for storing a key of a target system and a key identity identifier of the target system together;
the MME consists of a request message receiving unit and a security parameter processing unit;
the request message receiving unit is used for receiving transfer request messages from other network entities and instructing the security parameter processing unit to process these messages; and
the security parameter processing unit is used for generating a CK and an IK from the KASME and sending the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN after receiving the instruction from the request message receiving unit;
the SGSN consists of a security parameter receiving unit, a message interaction unit, a key identifier mapping unit, and a key and key identifier storage unit;
the security parameter receiving unit is used for receiving the keys and the KSIASME from the MME, sending the KSIASME to the key identifier mapping unit, acquiring the key of the target system based on the keys sent by the MME, and sending it to the key and key identifier storage unit;
the key identifier mapping unit is used for mapping the KSIASME into a key identity identifier of the target system after receiving the KSIASME;
the key and key identifier storage unit is used for storing both the key of the target system sent by the security parameter receiving unit and the key identity identifier of the target system sent by the key identifier mapping unit, and notifying the message interaction unit of mapping completion after storing; and
the message interaction unit is used for sending a notification of mapping success of the network-side key identifier after receiving the message of mapping completion.
-
25. The generating system according to claim 23, wherein
the key identifier mapping units in the UE and the SGSN map the KSIASME into a key identity identifier of the target system, i.e. when the target system is a UTRAN, the KSIASME is mapped into a KSI; and when the target system is a GERAN, the KSIASME is mapped into a CKSN of the GERAN; and
the security parameter receiving unit in the SGSN acquires the key of the target system based on the keys sent by the MME and sends it to the key and key identifier storage unit, i.e. when the target system is a UTRAN, the keys sent by the MME are sent to the key and key identifier storage unit; and
when the target system is a GERAN, the keys sent by the MME are used to generate a Kc of the GERAN which is sent to the key and key identifier storage unit.
-
26. The generating system according to claim 24, wherein
the key identifier mapping units in the UE and the SGSN map the KSIASME into a key identity identifier of the target system, i.e. when the target system is a UTRAN, the KSIASME is mapped into a KSI; and when the target system is a GERAN, the KSIASME is mapped into a CKSN of the GERAN; and
the security parameter receiving unit in the SGSN acquires the key of the target system based on the keys sent by the MME and sends it to the key and key identifier storage unit, i.e. when the target system is a UTRAN, the keys sent by the MME are sent to the key and key identifier storage unit; and
when the target system is a GERAN, the keys sent by the MME are used to generate a Kc of the GERAN which is sent to the key and key identifier storage unit.
-
27. The generating system according to claim 23, wherein the key identifier mapping unit in the UE is also used for mapping the KSIASME into the key identity identifier of the target system when the UE decides to transfer in an idle state.
-
28. The generating system according to claim 24, wherein the key identifier mapping unit in the UE is also used for mapping the KSIASME into the key identity identifier of the target system when the UE decides to transfer in an idle state.
-
29. The generating system according to claim 23, wherein
the message interaction unit in the UE is also used for sending a route area update request message or a route area attachment request message to the SGSN when the UE decides to transfer in an idle state;
the message interaction unit in the SGSN is also used for sending a corresponding context request message or identification request message to the MME after receiving the route area update request message or the route area attachment request message;
the request message receiving unit in the MME sends a first processing instruction to the security parameter processing unit if the transfer request message is a context request message or an identification request message, and the request message receiving unit sends a second processing instruction to the security parameter processing unit if the transfer request message is a switching request message; and
the security parameter processing unit in the MME sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message after receiving the first processing instruction, and the security parameter processing unit sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message after receiving the second processing instruction.
-
30. The generating system according to claim 24, wherein
the message interaction unit in the UE is also used for sending a route area update request message or a route area attachment request message to the SGSN when the UE decides to transfer in an idle state;
the message interaction unit in the SGSN is also used for sending a corresponding context request message or identification request message to the MME after receiving the route area update request message or the route area attachment request message;
the request message receiving unit in the MME sends a first processing instruction to the security parameter processing unit if the transfer request message is a context request message or an identification request message, and the request message receiving unit sends a second processing instruction to the security parameter processing unit if the transfer request message is a switching request message; and
the security parameter processing unit in the MME sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a context response message or an identification response message after receiving the first processing instruction, and the security parameter processing unit sends the KSIASME together with the IK and the CK which are generated from the KASME to the SGSN through a forward and redirect request message after receiving the second processing instruction.
-
31. The generating system according to claim 29, wherein the message interaction unit in the SGSN sends a notification of mapping success of the network-side key identifier, i.e.:
- if the message of sending the key and the key identifier by the MME is a context response message or an identification response message, then the message interaction unit sends a route area update acceptance message or a route area attachment acceptance message to the UE to indicate mapping success of the network-side key identifier; and
if the message of sending the key and the key identifier by the MME is a forward and redirect request message, then the message interaction unit sends a forward and redirect response message to the MME to indicate mapping success of the network-side key identifier.
-
32. The generating system according to claim 30, wherein the message interaction unit in the SGSN sends a notification of mapping success of the network-side key identifier, i.e.:
- if the message of sending the key and the key identifier by the MME is a context response message or an identification response message, then the message interaction unit sends a route area update acceptance message or a route area attachment acceptance message to the UE to indicate mapping success of the network-side key identifier; and
if the message of sending the key and the key identifier by the MME is a forward and redirect request message, then the message interaction unit sends a forward and redirect response message to the MME to indicate mapping success of the network-side key identifier.
-
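The identifier mapping of claims 2 and 10 and the stale-key deletion of claim 11, sketched as an added Python example (not code from the patent or its assignee). Assumed rather than stated on the page: identifiers are 3 bits with 111 reserved for "no key available", Kc comes from the c3 XOR conversion of 3GPP TS 33.102, and an HMAC stand-in replaces the real KASME to CK/IK derivation; every function and class name is hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

NO_KEY = 0b111  # assumption (3GPP NAS specs): identifiers are 3 bits, 111 = "no key available"


def map_identifier(ksi_asme: int, agreed_constant: int = 0) -> int:
    """Claim 2: assign KSIASME directly, or KSIASME plus a constant agreed by UE and network."""
    if not 0 <= ksi_asme < NO_KEY:
        raise ValueError("KSIASME does not name a usable KASME")
    mapped = ksi_asme + agreed_constant
    # The claims do not say what happens when the sum leaves the field; this sketch refuses
    # instead of wrapping, so the result never aliases another slot or the reserved value.
    if not 0 <= mapped < NO_KEY:
        raise ValueError("mapped identifier outside 0..6")
    return mapped


def derive_ck_ik(k_asme: bytes) -> tuple:
    """Stand-in for the KASME -> CK, IK step (HMAC-SHA-256, constructed label; not the 3GPP KDF)."""
    okm = hmac.new(k_asme, b"constructed-label/CK-IK", hashlib.sha256).digest()
    return okm[:16], okm[16:]


def kc_from_ck_ik(ck: bytes, ik: bytes) -> bytes:
    """GERAN Kc from CK and IK; assumes the c3 conversion (XOR of the four 64-bit halves)."""
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(ck[:8], ck[8:], ik[:8], ik[8:]))


@dataclass
class KeyStore:
    """The 'key and key identifier storage unit' of claim 12, for a UE or an SGSN."""
    slots: dict = field(default_factory=dict)    # (target system, identifier) -> keys
    deleted: list = field(default_factory=list)  # slots purged under claim 11

    def install(self, target: str, identifier: int, keys: tuple) -> None:
        slot = (target, identifier)
        if slot in self.slots:
            # Claim 11: a key agreed before the transfer already uses this identifier;
            # delete it so the identifier can only refer to the newly mapped key.
            del self.slots[slot]
            self.deleted.append(slot)
        self.slots[slot] = keys


def map_and_store(store, target, ksi_asme, ck, ik, agreed_constant=0):
    """Shared by SGSN and UE: map the identifier, pick the target key, store both together."""
    if target not in ("UTRAN", "GERAN"):
        raise ValueError("unknown target system")
    identifier = map_identifier(ksi_asme, agreed_constant)
    keys = (ck, ik) if target == "UTRAN" else (kc_from_ck_ik(ck, ik),)
    store.install(target, identifier, keys)
    return identifier


def transfer(k_asme, ksi_asme, target, ue, sgsn, agreed_constant=0):
    """One EUTRAN -> target transfer; returns the identifiers held by (UE, SGSN) afterwards."""
    # MME: derive CK/IK from KASME and hand them to the SGSN together with KSIASME.
    ck, ik = derive_ck_ik(k_asme)
    from_mme = {"KSIASME": ksi_asme, "CK": ck, "IK": ik}
    sgsn_id = map_and_store(sgsn, target, from_mme["KSIASME"],
                            from_mme["CK"], from_mme["IK"], agreed_constant)
    # UE: already holds KASME and KSIASME, so it repeats derivation and mapping locally.
    ue_ck, ue_ik = derive_ck_ik(k_asme)
    ue_id = map_and_store(ue, target, ksi_asme, ue_ck, ue_ik, agreed_constant)
    return ue_id, sgsn_id


def demo():
    k_asme = bytes(range(32))             # constructed sample KASME
    ue, sgsn = KeyStore(), KeyStore()
    stale = (b"\x11" * 16, b"\x22" * 16)  # constructed pre-transfer UTRAN keys under KSI 3
    ue.install("UTRAN", 3, stale)
    sgsn.install("UTRAN", 3, stale)
    utran_ids = transfer(k_asme, 3, "UTRAN", ue, sgsn)
    geran_ids = transfer(k_asme, 3, "GERAN", ue, sgsn, agreed_constant=2)
    return ue, sgsn, utran_ids, geran_ids


if __name__ == "__main__":
    ue, sgsn, utran_ids, geran_ids = demo()
    print(utran_ids, geran_ids, ue.deleted, ue.slots == sgsn.slots)
```

Because both sides apply the same deterministic mapping, no identifier needs to be negotiated over the air; the collision purge is what prevents an old UTRAN key from being selected under the reused identifier.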
Current Assignee: ZTE Corporation
Original Assignee: ZTE Corporation
Inventors: Huang, Qing; Zhang, Xuwu; Gan, Lu
Application Number: US12/996,630
US Class Current: 380/272
CPC Class Codes:
- H04L 12/6418 Hybrid transport
- H04W 12/041 Key generation or derivation
- H04W 12/043 using a trusted network nod...
- H04W 36/0038 of security context informa...
- H04W 36/12 Reselecting a serving backb...