KEY GENERATION METHOD AND RELATED DEVICE

Information

  • Patent Application 20200067702
  • Publication Number: 20200067702
  • Date Filed: November 01, 2019
  • Date Published: February 27, 2020
Abstract
Embodiments of this application provide a key generation method and a related device. The method includes: receiving, by a terminal, a first message sent by a source base station, where the first message includes a key exchange algorithm selected by a target base station and a first public key generated by the target base station; generating, by the terminal, a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal; and sending, by the terminal, a second message to the target base station, where the second message includes a second public key generated by the terminal. According to the embodiments of this application, a communication latency and network load can be reduced while communication security is ensured.
Description
TECHNICAL FIELD

This application relates to the field of wireless network technologies, and in particular, to a key generation method and a related device.


BACKGROUND

In a mobile communications system, user equipment (UE) often moves frequently during a use process. When the user equipment moves from a coverage area of a cell or a sector to that of another cell or another sector, a handover occurs in UE communication. After the handover is completed, the UE needs to create a new secure communication key between the UE and a target base station, ensuring communication security between the UE and the target base station.



FIG. 1 is a schematic flowchart of a key generation method according to a prior-art solution. The method includes the following operations:

S1. A source base station (Source eNB) receives a measurement report sent by a terminal, and determines, based on the measurement report, to perform an X2 (a communications interface between base stations) handover.
S2. The source base station calculates an intermediate key KeNB*CELL=Func(KeNB, Target-cell PCI, Target-cell DlEarfcn), where KeNB is an original key, Target-cell PCI (Physical Cell ID) is a cell identity of a target cell, and Target-cell DlEarfcn is a carrier frequency of the target cell.
S3. The source base station sends a handover request to a target base station (Target eNB), where the handover request includes the intermediate key KeNB* and a next hop chaining count (NCC) that is associated with the original key KeNB and that is used to deduce the KeNB*.
S4. The target base station generates a radio resource control (RRC) integrity protection key Krrcint, an RRC encryption key Krrcenc, and a user plane encryption key Kupenc by using the intermediate key KeNB*. These keys are directly used in a subsequent UE handover process.
S5. The target base station sends a handover request confirmation message to the source base station, where the handover request confirmation message includes the cell identity of the target cell, the carrier frequency of the target cell, and the NCC.
S6. The source base station sends a radio resource control (RRC) connection reconfiguration message to the terminal.
S7. The terminal deduces the intermediate key KeNB* based on the locally stored original key, the cell identity of the target cell, and the carrier frequency of the target cell.
S8. The terminal generates the RRC integrity protection key Krrcint, the RRC encryption key Krrcenc, and the user plane encryption key Kupenc by using the intermediate key KeNB*.
S9. The terminal sends an RRC reconfiguration complete message to the target base station, and performs encryption by using the key deduced in S8.


After a UE handover is completed based on the foregoing process, the new secure communication key is created between the terminal and the target base station, ensuring the communication security between the UE and the target base station. However, this key deduction method has a forward security problem: the source base station can deduce the key used by the target base station after the handover from the KeNB used by the source base station. If the source base station is compromised and KeNB is exposed, the protection of communication after the UE handover may be broken.


To resolve the foregoing problem, the target base station may initiate one intra-cell handover, so that key deduction is performed again and the source base station no longer knows a newest key of the target base station. However, initiating the intra-cell handover leads to more message exchanges between the terminal and the target base station, and increases network load. In addition, initiating the intra-cell handover increases a communication latency of the terminal, and a low latency service requirement in a 5G scenario cannot be satisfied.


SUMMARY

This application provides a key generation method and a related device, to resolve a problem in a prior-art solution that network load and a communication latency are increased because an intra-cell handover is initiated to generate a new key.


According to a first aspect, an embodiment of this application provides a key generation method. The method includes: receiving, by a terminal, a first message sent by a source base station, where the first message includes a key exchange algorithm selected by a target base station and a first public key generated by the target base station; generating a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal; and sending a second message to the target base station, where the second message includes a second public key generated by the terminal. The target base station also generates the first shared key. In this process, the terminal and the target base station perform a key exchange based on a currently existing message, and a shared key is generated after a handover is completed. Subsequent communication is protected through derivation performed based on the shared key, so that there is no need to deduce a key relying on a key of the source base station. Therefore, a communication latency and network load are reduced while communication security is ensured.


In a possible embodiment, the first message further includes a cell identity and a carrier frequency of a target cell; and before sending the second message to the target base station, the terminal generates a second key based on a prestored first key, and the cell identity and the carrier frequency of the target cell; and performs encryption processing on the second message by using the second key, to ensure communication security between the terminal and the target base station.


In another possible embodiment, before receiving the first message sent by the source base station, the terminal sends a plurality of key exchange algorithms supported by the terminal to the source base station.


In another possible embodiment, the plurality of key exchange algorithms are sent by the source base station to the target base station.


In another possible embodiment, after generating the first shared key based on the key exchange algorithm, the first public key, and the first private key generated by the terminal, the terminal generates an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.


In another possible embodiment, after generating the first shared key based on the key exchange algorithm, the first public key, and the first private key generated by the terminal, the terminal generates a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell.


In another possible embodiment, the first message is an RRC connection reconfiguration message, and the second message is an RRC reconfiguration complete message.


According to a second aspect, an embodiment of this application provides a key generation method. The method includes: receiving, by a target base station, a second message sent by a terminal, where the second message includes a second public key generated by the terminal; and generating a first shared key based on the second public key, a key exchange algorithm selected by the target base station, and a second private key generated by the target base station. In this process, the terminal and the target base station perform a key exchange based on a currently existing message, and a shared key is generated after a handover is completed. Subsequent communication is protected through derivation performed based on the shared key, so that there is no need to deduce a key relying on a key of a source base station. Therefore, a communication latency and network load are reduced while communication security is ensured.


In another possible embodiment, before receiving the second message sent by the terminal, the target base station receives a handover request sent by a source base station, where the handover request includes a plurality of key exchange algorithms supported by the terminal; and selects the key exchange algorithm from the plurality of key exchange algorithms.


In one embodiment, the handover request further includes a next hop chaining count and a second key that is generated by the source base station based on a prestored first key, and a cell identity and a carrier frequency of a target cell.


In another possible embodiment, after selecting the key exchange algorithm from the plurality of key exchange algorithms, the target base station sends a third message to the source base station, where the third message includes the key exchange algorithm selected by the target base station and a first public key generated by the target base station; after receiving the third message, the source base station forwards, to the terminal, the key exchange algorithm and the first public key generated by the target base station; and the terminal generates the first shared key correspondingly.


In another possible embodiment, the third message is a handover complete confirmation message.


In another possible embodiment, after generating the first shared key based on the second public key, the key exchange algorithm selected by the target base station, and the second private key generated by the target base station, the target base station generates an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.


In another possible embodiment, after generating the first shared key based on the second public key, the key exchange algorithm selected by the target base station, and the second private key generated by the target base station, the target base station generates a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell.


According to a third aspect, an embodiment of this application provides a terminal, where the terminal is configured to implement, in a form of hardware/software, a method and a function performed by the terminal in the first aspect, and the hardware/software includes a unit corresponding to the function.


According to a fourth aspect, an embodiment of this application provides a target base station, where the target base station is configured to implement, in a form of hardware/software, a method and a function performed by the target base station in the second aspect, and the hardware/software includes a unit corresponding to the function.


According to a fifth aspect, this application provides another terminal, including a processor, a memory, and a communications bus. The communications bus is configured to implement connection communication between the processor and the memory, and the processor executes a program stored in the memory, to implement the steps of the key generation method provided in the first aspect.


According to a sixth aspect, this application provides another target base station, including a processor, a memory, and a communications bus. The communications bus is configured to implement connection communication between the processor and the memory, and the processor executes a program stored in the memory, to implement the steps of the key generation method provided in the second aspect.


In a possible embodiment, the terminal provided in this application may include a corresponding module configured to perform network device actions in the foregoing method designs. The module may be software and/or hardware.


In a possible embodiment, the base station provided in this application may include a corresponding module configured to perform terminal actions in the foregoing method designs. The module may be software and/or hardware.


Still another aspect of this application provides a computer readable storage medium, where the computer readable storage medium stores an instruction, and when the instruction is run on a computer, the computer is enabled to perform the method in the foregoing aspects.


Still another aspect of this application provides a computer program product including an instruction, where when the instruction is run on a computer, the computer is enabled to perform the method in the foregoing aspects.





DESCRIPTION OF DRAWINGS

To describe the technical solutions in the embodiments of this application or in the background more clearly, the following briefly describes the accompanying drawings required for describing the embodiments of this application or the background.



FIG. 1 is a schematic flowchart of a key generation method according to a prior-art solution;



FIG. 2 is a schematic architectural diagram of a key generation system according to an embodiment of this application;



FIG. 3 is a schematic flowchart of a key generation method according to an embodiment of this application;



FIG. 4 is a schematic structural diagram of a terminal according to an embodiment of this application;



FIG. 5 is a schematic structural diagram of a target base station according to an embodiment of this application;



FIG. 6 is a schematic structural diagram of another terminal according to an embodiment of this application; and



FIG. 7 is a schematic structural diagram of another target base station according to an embodiment of this application.





DESCRIPTION OF EMBODIMENTS

The following describes the embodiments of this application with reference to the accompanying drawings in the embodiments of this application.



FIG. 2 is a schematic architectural diagram of a key generation system according to an embodiment of this application. The key generation system includes a terminal (UE), a source base station (Source eNB), and a target base station (Target gNB). The terminal may be handed over between the source base station and the target base station. The terminal may be a device that provides a voice and/or data connection to a user, may be a device that is connected to a computing device such as a laptop computer or a desktop computer, or may be an independent device such as a personal digital assistant (PDA). The terminal may also be referred to as a system, a subscriber unit, a subscriber station, a mobile station, a mobile console, a remote station, an access point, a remote terminal, an access terminal, a user terminal, a user agent, or a user apparatus. The source base station and the target base station, which may be access points, NodeBs, evolved NodeBs (eNB), or 5G base stations (next generation base station, gNB), are devices that communicate with a wireless terminal in an access network over an air interface by using one or more sectors. By converting a received air interface frame into an IP packet, a base station may serve as a router between the wireless terminal and a remaining part of the access network. The access network may include an internet protocol network. The base station may further coordinate air interface attribute management.



FIG. 3 shows a key generation method according to an embodiment of this application. The method includes but is not limited to the following operations.


Operation S301. A terminal sends a measurement report to a source base station.


During specific implementation, the source base station may send a measurement request to the terminal. After receiving the measurement request, the terminal first measures a signal of a cell that is covered by the source base station, and then sends the measurement report to the source base station.


In one embodiment, when exchanging an access stratum (AS) security mode command (SMC) during an attach procedure, the terminal may send a DH (Diffie-Hellman) security capability supported by the terminal to the source base station. The source base station stores the DH security capability supported by the terminal in a terminal security context. The DH security capability includes a plurality of key exchange algorithms, each key exchange algorithm includes an algorithm used for subsequent DH key negotiation, a key length, and the like, and the key exchange algorithms are different from each other.


Operation S302. The source base station determines to perform an Xn (a communications interface between base stations) handover based on the measurement report.


During specific implementation, the source base station determines, based on the measurement report, whether the terminal moves from the cell covered by the source base station to a cell covered by the target base station. If determining that the terminal moves from the cell covered by the source base station to the cell covered by the target base station, the source base station determines to perform the Xn handover.


Operation S303. The source base station calculates a second key based on a prestored first key, and a cell identity and a carrier frequency of a target cell, where KeNB*CELL=Func(KeNB, Target-cell PCI, Target-cell DlEarfcn). The derivation formula is defined in 3GPP TS 33.401 section A.5. KeNB*CELL is the second key (a new key), KeNB is the first key (an original key), Target-cell PCI (Physical Cell ID) is the cell identity of the target cell, and Target-cell DlEarfcn is the carrier frequency of the target cell.


Operation S304. The source base station sends a handover request to the target base station. The handover request includes a plurality of key exchange algorithms supported by the terminal, and the handover request also includes the second key and a next hop chaining count (Next Hop Chaining Count, NCC). The next hop chaining count may be used to deduce the new key from the original key.


Operation S305. The target base station selects the key exchange algorithm from the plurality of key exchange algorithms and generates a first public key and a second private key.


During specific implementation, the target base station may freely select the key exchange algorithm from the plurality of key exchange algorithms. When the first public key and the second private key are generated, the terminal and the target base station agree on an initial number g, and separately generate random numbers Nu and Nt locally, and then the target base station generates a public-private key pair based on the random numbers Nu and Nt.


Operation S306. The target base station sends a third message to the source base station.


The third message may be a handover request confirmation message. The handover request confirmation message includes the key exchange algorithm selected by the target base station and the first public key generated by the target base station.


Operation S307. The source base station sends a first message to the terminal.


The first message may be an RRC connection reconfiguration message. The RRC connection reconfiguration message may include the key exchange algorithm selected by the target base station and the first public key generated by the target base station.


Operation S308. The terminal calculates the second key based on the prestored first key, and the cell identity and the carrier frequency of the target cell, where KeNB*CELL=Func(KeNB, Target-cell PCI, Target-cell DlEarfcn). The derivation formula is defined in 3GPP TS 33.401 section A.5. KeNB* is the second key (the new key), KeNB is the first key (the original key), Target-cell PCI (Physical Cell ID) is the cell identity of the target cell, and Target-cell DlEarfcn is the carrier frequency of the target cell.


Operation S309. The source base station sends a state transfer message to the target base station. The state transfer message is used to notify the target base station of completion of a handover.


Operation S310. The terminal generates an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the second key. The target base station generates the RRC integrity protection key, the RRC encryption key, and the user plane encryption key based on the first key.


Operation S311. The terminal generates a second public key and a first private key.


During specific implementation, the terminal and the target base station first agree on the initial number g, and separately generate the random numbers Nu and Nt locally, and then the terminal generates the public-private key pair based on the random numbers Nu and Nt. The public-private key pair includes the second public key and the first private key.


Operation S312. The terminal sends a second message to the target base station. The second message may be an RRC reconfiguration complete message. The RRC reconfiguration complete message includes the second public key generated by the terminal.


During specific implementation, before sending the second message to the target base station, the terminal first performs encryption processing on the second message by using the previously generated RRC integrity protection key and RRC encryption key, and then sends the encrypted second message to the target base station. After receiving the encrypted second message, the target base station decrypts the second message by using the RRC integrity protection key and the RRC encryption key that are previously generated by the target base station.


Operation S313. The terminal generates a first shared key based on the key exchange algorithm, the first public key, and the first private key generated by the terminal. The target base station generates the first shared key based on the second public key, the key exchange algorithm selected by the target base station, and the second private key generated by the target base station.


Operation S314. The terminal generates the RRC integrity protection key, the RRC encryption key, and the user plane encryption key based on the first shared key. The target base station generates the RRC integrity protection key, the RRC encryption key, and the user plane encryption key based on the first shared key.


In one embodiment, after the terminal generates the first shared key based on the key exchange algorithm, the first public key, and the first private key generated by the terminal, the terminal generates a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell. After the target base station generates the first shared key based on the second public key, the key exchange algorithm selected by the target base station, and the second private key generated by the target base station, the terminal generates the second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell. In this way, a new shared key is generated by using a historical shared key.


In this embodiment of this application, during the Xn handover of the terminal, a DH key exchange is implemented between the terminal and the target base station based on a current message, without requiring additional signaling. After the handover is completed, a secret shared key is created between the terminal and the base station. Subsequent communication is protected through derivation performed based on the shared key, so that there is no need to deduce a key relying on KeNB* of the source base station, and exposure of a historically used key does not lead to exposure of a future session key. In addition, during a handover, identity forgery of the UE and the target base station can be prevented, and a new key negotiated each time can be ensured to be novel and adaptable to the UE and the base station with different key strength security requirements.
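To make the difference between the FIG. 1 flow and the FIG. 3 flow concrete, the following Python model runs both side by side. It is example code added to this page, not the applicant's implementation or any 3GPP reference code. It assumes a Diffie-Hellman group (RFC 3526 group 5 with g = 2), since the page only says the parties agree on an initial number g; the TS 33.220 HMAC-SHA-256 KDF with the FC values of TS 33.401 A.5 and A.7 standing in for Func() and for the RRC/user plane key derivation; a single algorithm identity; SHA-256 of the DH value as the first shared key; and a KDF chain over the cell identity and carrier frequency for the second shared key. The function names, the algorithm labels and the sample KeNB are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group. The page only says the two sides "agree on an initial number g";
# the 1536-bit MODP group of RFC 3526 (group 5) is a constructed choice for this example.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb_star(kenb: bytes, pci: int, dl_earfcn: int) -> bytes:
    """Func(KeNB, Target-cell PCI, Target-cell DlEarfcn) of S303/S308 (TS 33.401 A.5, FC=0x13)."""
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"), dl_earfcn.to_bytes(2, "big"))


def derive_as_keys(root: bytes, alg_id: int = 1) -> dict:
    """Krrcenc, Krrcint, Kupenc from a root key (TS 33.401 A.7, FC=0x15, 128 LSB kept).
    alg_id=1 is an assumed algorithm identity; 0x03/0x04/0x05 are the A.7 type distinguishers."""
    types = {"Krrcenc": 0x03, "Krrcint": 0x04, "Kupenc": 0x05}
    return {n: kdf(root, 0x15, bytes([t]), bytes([alg_id]))[16:] for n, t in types.items()}


class DhParty:
    """One side of the exchange: an ephemeral private value (Nu or Nt) and its public value."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub: int) -> bytes:
        # Reject 0, 1 and p-1: they force the shared value into a trivial subgroup.
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid peer public value")
        z = pow(peer_pub, self.priv, P)
        return hashlib.sha256(z.to_bytes(P_LEN, "big")).digest()  # first shared key


def prior_art_handover(kenb: bytes, pci: int, dl_earfcn: int) -> tuple:
    """FIG. 1 flow: the post-handover AS keys follow from KeNB* alone (S2, S4, S7, S8)."""
    kenb_star = derive_kenb_star(kenb, pci, dl_earfcn)
    target_keys = derive_as_keys(kenb_star)         # what the target uses (S4)
    source_computes = derive_as_keys(kenb_star)     # the source holds KeNB* too, so it can do S4
    return target_keys, source_computes


def dh_handover(kenb: bytes, pci: int, dl_earfcn: int,
                ue_algorithms: list, target_supported: set) -> dict:
    """FIG. 3 flow: KeNB* protects the handover messages, the DH output protects what follows."""
    # S304/S305: the target picks from the UE's list; the first mutually supported entry here.
    common = [a for a in ue_algorithms if a in target_supported]
    if not common:
        raise ValueError("no mutually supported key exchange algorithm")
    algorithm = common[0]                                # label only; the group above is fixed
    target = DhParty()                                   # S305: first public key, second private key
    kenb_star = derive_kenb_star(kenb, pci, dl_earfcn)   # S303 (source) and S308 (terminal)
    handover_msg_keys = derive_as_keys(kenb_star)        # S310: protects the reconfiguration complete
    ue = DhParty()                                       # S311: second public key, first private key
    # S307 carries (algorithm, target.pub) to the UE; S312 carries ue.pub to the target.
    k_ue = ue.shared_key(target.pub)                     # S313 at the terminal
    k_target = target.shared_key(ue.pub)                 # S313 at the target
    # Second shared key embodiment: chain the first shared key with the cell parameters (assumed KDF).
    second_shared = derive_kenb_star(k_ue, pci, dl_earfcn)
    return {
        "algorithm": algorithm,
        "handover_msg_keys": handover_msg_keys,
        "ue_keys": derive_as_keys(k_ue),                 # S314 at the terminal
        "target_keys": derive_as_keys(k_target),         # S314 at the target
        "second_shared_key": second_shared,
        # Everything the source base station learned during the handover:
        "source_view": {"kenb_star": kenb_star, "pubs": (target.pub, ue.pub)},
    }
```

Running both functions with the same constructed KeNB shows the point of the BACKGROUND section: in prior_art_handover the source's derivation equals the target's AS keys, while in dh_handover the source's view (KeNB* and the two public values) does not yield ue_keys, which nonetheless agree with target_keys. Note that the target's public value reaches the terminal by way of the source base station, so the forward-security property modelled here is about exposure of a historical key, as the page states, and relies on the handover messages themselves being protected by the KeNB*-derived keys.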


The foregoing describes the method in the embodiment of this application in detail. The following provides an apparatus according to the embodiments of this application.



FIG. 4 is a schematic structural diagram of a terminal according to an embodiment of this application. The terminal may include a receiving module 401, a processing module 402, and a sending module 403. A detailed description of each unit is as follows:


The receiving module 401 is configured to receive a first message sent by a source base station, where the first message includes a key exchange algorithm selected by a target base station and a first public key generated by the target base station.


The processing module 402 is configured to generate a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal.


The sending module 403 is configured to send a second message to the target base station, where the second message includes a second public key generated by the terminal.


Optionally, the processing module 402 is further configured to generate a second key based on a prestored first key, and a cell identity and a carrier frequency of a target cell, and perform encryption processing on the second message by using the second key.


In one embodiment, the sending module 403 is further configured to send a plurality of key exchange algorithms supported by the terminal to the source base station.


In one embodiment, the processing module 402 is further configured to generate an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.


In one embodiment, the processing module 402 is further configured to generate a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell.


It should be noted that, for implementation of each module, reference may be made to corresponding descriptions in the method embodiment shown in FIG. 3, and each module performs a method and a function that are performed by the terminal in the foregoing embodiment.



FIG. 5 is a schematic structural diagram of a target base station according to an embodiment of this application. The target base station may include a receiving module 501, a processing module 502, and a sending module 503. A detailed description of each unit is as follows:


The receiving module 501 is configured to receive a second message sent by a terminal, where the second message includes a second public key generated by the terminal.


The processing module 502 is configured to generate a first shared key based on the second public key, a key exchange algorithm selected by the target base station, and a second private key generated by the target base station.


In one embodiment, the receiving module 501 is further configured to receive a handover request sent by a source base station, where the handover request includes a plurality of key exchange algorithms supported by the terminal; and the processing module 502 is further configured to select the key exchange algorithm from the plurality of key exchange algorithms.


In one embodiment, the sending module 503 is configured to send a third message to the source base station, where the third message includes the key exchange algorithm selected by the target base station and a first public key generated by the target base station.


In one embodiment, the processing module 502 is further configured to generate an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.


In one embodiment, the processing module 502 is further configured to generate a second shared key based on the first shared key, and a cell identity and a carrier frequency of a target cell.


It should be noted that, for implementation of each module, reference may be made to corresponding descriptions in the method embodiment shown in FIG. 3, and each module performs a method and a function performed by the target base station in the foregoing embodiment.



FIG. 6 is a schematic structural diagram of a terminal according to this application. As shown in the figure, the terminal may include at least one processor 601, for example, a CPU, at least one communications interface 602, at least one memory 603, and at least one communications bus 604. The communications bus 604 is configured to implement connection communication between these components. The communications interface 602 of the device in this embodiment of this application is configured to perform signaling or data communication with another node or device. The memory 603 may be a high-speed RAM memory, or may be a non-volatile memory (non-volatile memory), for example, at least one disk memory. Optionally, the memory 603 may be at least one storage apparatus that is located away from the foregoing processor 601. The memory 603 stores a set of program code, and the processor 601 executes a program that is executed by the foregoing terminal in the memory 603, to perform the following operations:


receiving a first message sent by a source base station, where the first message includes a key exchange algorithm selected by a target base station and a first public key generated by the target base station;


generating a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal; and


sending a second message to the target base station, where the second message includes a second public key generated by the terminal.


Further, the processor may work with the memory and the communications interface to perform an operation performed by the terminal in the foregoing embodiment of this application.



FIG. 7 is a schematic structural diagram of a target base station according to this application. As shown in the figure, the target base station may include at least one processor 701, for example, a CPU, at least one communications interface 702, at least one memory 703, and at least one communications bus 704. The communications bus 704 is configured to implement connection communication between these components. The communications interface 702 of the device in this embodiment of this application is configured to perform signaling or data communication with another node or device. The memory 703 may be a high-speed RAM memory, or may be a non-volatile memory, for example, at least one disk memory. Optionally, the memory 703 may be at least one storage apparatus that is located away from the foregoing processor 701. The memory 703 stores a set of program code, and the processor 701 executes a program that is executed by the foregoing terminal in the memory 703, to perform the following operations:


receiving a second message sent by a terminal, where the second message includes a second public key generated by the terminal; and


generating a first shared key based on the second public key, a key exchange algorithm selected by the target base station, and a second private key generated by the target base station.


All or some of the foregoing embodiments may be implemented by using software, hardware, firmware, or any combination thereof. When software is used for implementation, all or some of the foregoing embodiments may be implemented in a form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or some of procedures or functions in the embodiments of the present invention are generated. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or may be transmitted from one computer-readable storage medium to another computer-readable storage medium. For example, the computer instructions may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center in a wired (for example, a coaxial cable, an optical fiber, or a digital subscriber line (DSL)) manner or a wireless (for example, infrared, radio, or microwave) manner. The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device including one or more usable media, such as a server or a data center. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)), or the like.

Claims
  • 1. A key generation method, comprising: receiving, by a terminal, a first message sent by a source base station, wherein the first message comprises a key exchange algorithm selected by a target base station and a first public key generated by the target base station; generating, by the terminal, a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal; and sending, by the terminal, a second message to the target base station, wherein the second message comprises a second public key generated by the terminal.
  • 2. The method according to claim 1, wherein the first message further comprises a cell identity and a carrier frequency of a target cell; and before the sending, by the terminal, a second message to the target base station, the method further comprises: generating, by the terminal, a second key based on a prestored first key, and the cell identity and the carrier frequency of the target cell; and performing encryption processing on the second message by using the second key.
  • 3. The method according to claim 1, wherein before the receiving, by a terminal, a first message sent by a source base station, the method further comprises: sending, by the terminal, a plurality of key exchange algorithms supported by the terminal to the source base station.
  • 4. The method according to claim 3, wherein the plurality of key exchange algorithms are sent by the source base station to the target base station.
  • 5. The method according to claim 1, wherein after the generating, by the terminal, a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal, the method further comprises: generating, by the terminal, an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.
  • 6. The method according to claim 2, wherein after the generating, by the terminal, a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal, the method further comprises: generating, by the terminal, a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell.
  • 7. A terminal, comprising: a receiving module configured to receive a first message sent by a source base station, wherein the first message comprises a key exchange algorithm selected by a target base station and a first public key generated by the target base station; a processing module configured to generate a first shared key based on the key exchange algorithm, the first public key, and a first private key generated by the terminal; and a sending module configured to send a second message to the target base station, wherein the second message comprises a second public key generated by the terminal.
  • 8. The terminal according to claim 7, wherein the first message further comprises a cell identity and a carrier frequency of a target cell; and the terminal further comprises: the processing module configured to generate a second key based on a prestored first key, and the cell identity and the carrier frequency of the target cell, and perform encryption processing on the second message by using the second key.
  • 9. The terminal according to claim 7, wherein the sending module is further configured to send a plurality of key exchange algorithms supported by the terminal to the source base station.
  • 10. The terminal according to claim 9, wherein the plurality of key exchange algorithms are sent by the source base station to the target base station.
  • 11. The terminal according to claim 7, wherein the processing module is further configured to generate an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.
  • 12. The terminal according to claim 8, wherein the processing module is further configured to generate a second shared key based on the first shared key, and the cell identity and the carrier frequency of the target cell.
  • 13. A base station, comprising: a receiving module configured to receive a second message sent by a terminal, wherein the second message comprises a second public key generated by the terminal; and a processing module configured to generate a first shared key based on the second public key, a key exchange algorithm selected by the target base station, and a second private key generated by the target base station.
  • 14. The base station according to claim 13, wherein the receiving module is further configured to receive a handover request sent by a source base station, wherein the handover request comprises a plurality of key exchange algorithms supported by the terminal; and the processing module is further configured to select the key exchange algorithm from the plurality of key exchange algorithms.
  • 15. The base station according to claim 14, wherein the base station further comprises: a sending module configured to send a third message to the source base station, wherein the third message comprises the key exchange algorithm selected by the target base station and a first public key generated by the target base station.
  • 16. The base station according to claim 13, wherein the processing module is further configured to generate an RRC integrity protection key, an RRC encryption key, and a user plane encryption key based on the first shared key.
  • 17. The base station according to claim 13, wherein the processing module is further configured to generate a second shared key based on the first shared key, and a cell identity and a carrier frequency of a target cell.
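The exchange and derivation chain that claims 1 and 13 to 17 describe, as an added Python example that is not part of this application: the target base station selects an algorithm and publishes its first public key, the terminal derives the first shared key and returns its second public key, and both sides then bind the key to the target cell and derive the RRC and user plane keys. It assumes X25519 (RFC 7748, implemented inline) as the selected key exchange algorithm and HMAC-SHA256 as a stand-in KDF, neither of which the application specifies; all function and variable names are constructed, and the all-zero shared-secret check goes beyond the claims (it is the RFC 7748 recommendation).

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665              # Curve25519 field prime and (A - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (pure Python, illustrative): scalar k times u-coordinate u."""
    k = int.from_bytes(bytes([k[0] & 248]) + k[1:31] + bytes([(k[31] & 127) | 64]), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

SUPPORTED = {"X25519": x25519}   # key exchange algorithms the terminal can advertise (constructed)
def kdf(key: bytes, label: bytes) -> bytes:
    """Constructed HMAC-SHA256 KDF; the application does not fix a derivation function."""
    return hmac.new(key, label, hashlib.sha256).digest()
def second_shared_key(first_shared: bytes, pci: int, dl_earfcn: int) -> bytes:
    """Second shared key bound to the target cell's PCI and carrier frequency (claims 6, 12, 17)."""
    return kdf(first_shared, b"cell" + pci.to_bytes(2, "big") + dl_earfcn.to_bytes(4, "big"))

def session_keys(shared: bytes) -> dict:
    """RRC integrity, RRC encryption and user plane encryption keys (claims 5, 11, 16)."""
    return {n: kdf(shared, n.encode()) for n in ("Krrcint", "Krrcenc", "Kupenc")}

def handover_key_agreement(terminal_algs, pci, dl_earfcn, term_priv=None, tgt_priv=None):
    """Runs the exchange of claims 1 and 13-15; returns (terminal_keys, target_keys)."""
    term_priv, tgt_priv = term_priv or os.urandom(32), tgt_priv or os.urandom(32)
    # Target base station picks one of the terminal's algorithms (claim 14) and sends it with
    # its first public key in the third message to the source base station (claim 15).
    alg = next(a for a in terminal_algs if a in SUPPORTED)
    first_pub = SUPPORTED[alg](tgt_priv, BASEPOINT)
    # Terminal, on the forwarded first message: first shared key, then second public key (claim 1).
    term_shared = SUPPORTED[alg](term_priv, first_pub)
    second_pub = SUPPORTED[alg](term_priv, BASEPOINT)             # sent in the second message
    tgt_shared = SUPPORTED[alg](tgt_priv, second_pub)             # target base station, claim 13
    if tgt_shared == bytes(32):                    # RFC 7748 check: reject low-order public keys
        raise ValueError("all-zero shared secret")
    return tuple(session_keys(second_shared_key(s, pci, dl_earfcn)) for s in (term_shared, tgt_shared))
```

Because the second shared key mixes in the cell identity and carrier frequency, the same first shared key yields different RRC and user plane keys for different target cells, which is the cell binding claims 6, 12 and 17 rely on.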
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2017/083010, filed on May 4, 2017, the disclosure of which is hereby incorporated by reference in its entirety.

Continuations (1)
Number Date Country
Parent PCT/CN2017/083010 May 2017 US
Child 16671693 US