(11)EP 2 685 751 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
06.09.2017 Bulletin 2017/36

(21)Application number: 12785849.6

(22)Date of filing:  18.05.2012
(51)International Patent Classification (IPC): 
H04W 12/04(2009.01)
H04L 29/06(2006.01)
H04W 36/00(2009.01)
(86)International application number:
PCT/CN2012/075765
(87)International publication number:
WO 2012/155862 (22.11.2012 Gazette  2012/47)

(54)

HANDOVER METHOD, BASE STATION, USER EQUIPMENT AND MOBILITY MANAGEMENT ENTITY

WEITERREICHUNGSVERFAHREN, BASISSTATION, BENUTZERVORRICHTUNG UND MOBILITÄTSVERWALTUNGSEINHEIT

PROCÉDÉ DE TRANSFERT INTERCELLULAIRE, STATION DE BASE, ÉQUIPEMENT UTILISATEUR ET ENTITÉ DE GESTION DE MOBILITÉ


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 18.05.2011 CN 201110128967

(43)Date of publication of application:
15.01.2014 Bulletin 2014/03

(73)Proprietor: Huawei Technologies Co., Ltd.
Longgang District Shenzhen, Guangdong 518129 (CN)

(72)Inventors:
  • CHEN, Jing
    Shenzhen Guangdong 518129 (CN)
  • XIE, Boyun
    Shenzhen Guangdong 518129 (CN)
  • WANG, Tao
    Shenzhen Guangdong 518129 (CN)

(74)Representative: Goddar, Heinz J. et al
Boehmert & Boehmert Anwaltspartnerschaft mbB Pettenkoferstrasse 22
80336 München (DE)


(56)References cited:
WO-A1-2009/150493
WO-A2-2011/018931
GB-A- 2 472 580
WO-A1-2010/149083
CN-A- 1 937 487
  
  • "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 10)", 3GPP STANDARD; 3GPP TS 33.401, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V10.0.0, 1 April 2011 (2011-04-01), pages 1-113, XP050476632, [retrieved on 2011-04-01]
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

TECHNICAL FIELD



[0001] The present invention relates to the field of radio communications technologies, and in particular, to a handover method, a base station, a user equipment, and a mobility management entity.

BACKGROUND



[0002] With continuous development of mobile communications technologies and gradual network upgrade of operators, a global system for mobile communication (Global System of Mobile Communication; hereinafter referred to as GSM) network, a universal mobile telecommunication system (Universal Mobile Telecommunication System; hereinafter referred to as UMTS) network, and a long term evolution (Long Term Evolution; hereinafter referred to as LTE) network may coexist in a practical network. To ensure continuity and quality of a communication service of a user, it is necessary to ensure that the user can successfully perform handover between different networks.

[0003] Currently, handover from the UMTS to the GSM has been standardized, a current mechanism has relatively well solved a problem of algorithm negotiation and key negotiation in a handover process, and a user terminal supporting both UMTS access mode and GSM access mode has appeared in the market and is relatively widely applied. In the 3rd generation partnership project (3rd Generation Partnership Project; hereinafter referred to as 3GPP) standard, a mechanism of handover between the LTE network and the UMTS network is also established. However, handover delay of these existing handover technologies is relatively high.

[0004] In a handover solution of handing over from the LTE to the UMTS, a private interface X2-u is introduced to reduce handover delay, where the X2-u interface is an interface between an evolved NodeB (evolved NodeB; hereinafter referred to as eNB) and a radio network controller (Radio Network Controller; hereinafter referred to as RNC). However, this handover solution cannot solve the problem of inter-system key negotiation and algorithm negotiation, thereby resulting in relatively low handover security.

[0005] WO2010/149083A1 & EP2416598A1 disclose a handover process of a UE from an EUTRAN to a UTRAN. A current BS sends a handover required message to a current MME. The current MME generates a random value, and uses the random value and a root key as input parameters of a KDF to derive a key of the UE in a target UTRAN. The current MME sends a relocation request message to a target RNC through SGSN, wherein the relocation request message includes the key of the UE in the target UTRAN, a corresponding KSI, and information such as a security capability of the UTRAN of the UE or GSM/EDGE radio access network. The target RNC sends a forward relation response message to the MME through the target SGSN, wherein the forward relation response message carries an algorithm identifier selected by the target RNC according to the security capability of the UE.

[0006] "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 10)", 3GPP STANDARD; 3GPP TS 33.401 no V10.0.0 specifies the security architecture. In the handover from E-UTRAN to UTRAN, MME shall transfer the UE security capabilities to the SGSN. The selection of the algorithms in the target system proceeds.

[0007] GB2472580A relates to successive handovers from a LTE system to a UMTS system. A handover required signaling message is sent from the eNB to the LTE core network. Then a forward communication request signal from the LTE core network to the UMTS core network, and a forward communication response delivered therefrom, take account of both the UE identity and the UMTS security context mapped from the LTE network 24 and on the basis of the incremented downlink NAS count.

[0008] WO2009/150493A1 discloses an embodiment that a UE is handed over from an E-UTRAN system to a target system using another communications standard, such as GERAN or UTRAN. The source evolved node-B sends a handover required message to the source MME. The handover controller of the source MME may then determine the current NAS downlink COUNT of a security context maintained in the E-UTRAN system and derive a fresh mapped security context using the determined current NAS downlink COUNT. The handover controller of the source MME forwards a relocation request message comprising the derived fresh mapped context to the target SGSN. The target SGSN sends a forward relation response message acknowledging the relation to the source MME. The handover controller of the source MME may then send a handover command message comprising an indication of the current NAS downlink COUNT value to the source evolved node-B.

SUMMARY



[0009] Embodiments of the present invention provide a handover method of claims 1 and 5, a base station of claim 10, and a network comprising a user equipment of claim 14, and a network comprising a mobility management entity of claim 15, to solve a problem of inter-system key negotiation and algorithm negotiation and enhance handover security.

[0010] An embodiment of the present invention provides a handover method of a user equipment from a long term evolution network to a universal mobile telecommunication system network, including:

obtaining, by a base station, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending, by the base station, a handover command to the user equipment, where the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

wherein the obtaining, by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending, by the base station, a handover request message to a radio network controller, wherein the handover request message carries a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receiving, by the base station, a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0011] An embodiment of the present invention further provides a handover method of a user equipment from a long term evolution network to a universal mobile telecommunication system network, including:

obtaining, by a base station, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending, by the eNB, a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count;

receiving, by the user equipment, the handover command sent by the base station; and calculating, by the user equipment, a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

wherein the obtaining, by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending, by the base station, a handover request message to a radio network controller, wherein the handover request message carries a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receiving, by the base station, a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0012] An embodiment of the present invention further provides a handover method of a user equipment from a long term evolution network to a universal mobile telecommunication system network, including:

obtaining, by an evolved node B, eNB, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending, by the base station, a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

before obtaining, by the eNB, the algorithm used by the user equipment in the universal mobile telecommunication system, the method further including:

sending, by a mobility management entity, an S1 application protocol message when the user equipment accesses a network, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system;

wherein the obtaining, by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending a handover request message to a radio network controller, wherein the handover request message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receiving a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0013] An embodiment of the present invention further provides a base station, including:

an obtaining module, configured to obtain an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count;

a sending module, configured to send a handover command to the user equipment being handed over from a long term evolution network to the universal mobile telecommunication system network, where the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count that are obtained by the obtaining module; and

a receiving module, configured to receive an S1 application protocol message sent by a mobility management entity, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system;

wherein the obtaining module comprises:

a first sending submodule, configured to send a handover request message to a radio network controller, wherein the handover request message carries the security capability of the user equipment in the universal mobile telecommunication system; and

a first receiving submodule, configured to receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0014] An embodiment of the present invention further provides a network, including a user equipment and a base station, wherein

the base station is configured to: obtain an algorithm used by the user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and send a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count;

the user equipment is configured to receive the handover command sent by the base station; and calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

the base station is configured to obtain the algorithm used by the user equipment in the universal mobile telecommunication system as follows:

send a handover request message to a radio network controller, wherein the handover request message carries a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0015] An embodiment of the present invention further provides a network, comprising a base station and a mobility management entity, wherein

the base station is configured to obtain an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and send a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

the mobility management entity is configured to send an S1 application protocol message when the user equipment accesses a network, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system;

the base station is configured to obtain the algorithm used by the user equipment in the universal mobile telecommunication system as follows:

send a handover request message to a radio network controller, wherein the handover request message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.



[0016] An embodiment of the present invention further provides a user equipment, including:

a command receiving module, configured to receive a handover command sent by a base station, where the handover command carries an algorithm used by the user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

a calculation module, configured to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count that are received by the command receiving module.



[0017] An embodiment of the present invention further provides a mobility management entity, including:

a first message receiving module, configured to receive a handover request message sent by a base station, where the handover request message carries instruction information for instructing the mobility management entity to send four least significant bits of a downlink non-access stratum count; and

a significant bit sending module, configured to send the four least significant bits of the downlink non-access stratum count to the base station according to the instruction information received by the first message receiving module.



[0018] With embodiments of the present invention, a base station can carry, in a handover command sent to a user equipment, an algorithm used by the user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count, and then the user equipment can calculate a cipher key and an integrity key according to the obtained four least significant bits of the downlink non-access stratum count, and furthermore the user equipment can perform inter-system key negotiation with a mobility management entity according to the cipher key and the integrity key and perform algorithm negotiation with the mobility management entity according to the algorithm used by the user equipment in the universal mobile telecommunication system, so that handover security can be enhanced.

BRIEF DESCRIPTION OF DRAWINGS



[0019] To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the following briefly introduces the accompanying drawings required for describing the embodiments or the prior art. Apparently, the accompanying drawings in the following description show merely some embodiments of the present invention, and a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.

FIG. 1 is a flowchart of a handover method according to an embodiment of the present invention;

FIG. 2 is a flowchart of a handover method according to another embodiment of the present invention;

FIG. 3 is a flowchart of a handover method according to still another embodiment of the present invention;

FIG. 4 is a flowchart of a handover method according to yet another embodiment of the present invention;

FIG. 5 is a flowchart of a handover method according to still yet another embodiment of the present invention;

FIG. 6 is a flowchart of a handover method according to still yet another embodiment of the present invention;

FIG. 7 is a schematic structural diagram of a base station according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of a base station according to another embodiment of the present invention;

FIG. 9 is a schematic structural diagram of a user equipment according to an embodiment of the present invention;

FIG. 10 is a schematic structural diagram of a mobility management entity according to an embodiment of the present invention; and

FIG. 11 is a schematic structural diagram of a mobility management entity according to another embodiment of the present invention.


DESCRIPTION OF EMBODIMENTS



[0020] To make the objectives, technical solutions, and advantages of the embodiments of the present invention more comprehensible, the following clearly and completely describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are merely a part rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.

[0021] FIG. 1 is a flowchart of a handover method according to an embodiment of the present invention. As shown in FIG. 1, the handover method may include:

101. Obtain an algorithm used by a user equipment (User Equipment; hereinafter referred to as UE) in a UMTS and four least significant bits (4 Least Significant Bits; hereinafter referred to as 4LSB) of a downlink non-access stratum count (Non-Access Stratum Count; hereinafter referred to as NAS Count).

102. Send a handover command to the UE, where the handover command carries the algorithm used by the UE in the UMTS and the 4LSB of the NAS Count.



[0022] Furthermore, in an implementation manner of this embodiment, before the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count are obtained, a base station may further receive an S1 application protocol (S1 Application Protocol; hereinafter referred to as S1AP) message sent by a mobility management entity (Mobility Management Entity; hereinafter referred to as MME) when the UE accesses a network, where the S1AP message carries a security capability of the UE in the UMTS.

[0023] In this way, the obtaining the algorithm used by the UE in the UMTS may be: the base station sends a handover request message to an RNC, where the handover request message carries the security capability of the UE in a UTRAN; then, the base station may receive a handover request acknowledgement message sent by the RNC, where the handover request acknowledgement message carries the algorithm used by the UE in the UMTS, and the algorithm used by the UE in the UMTS is selected by the RNC according to the security capability.

[0024] In this implementation manner, the obtaining the 4LSB of the downlink NAS Count may be: the base station sends a handover request message to an MME, where the handover request message carries instruction information for instructing the MME to send the 4LSB of the downlink NAS Count; then, the base station may receive the 4LSB of the downlink NAS Count, and the 4LSB of the downlink NAS Count is sent by the MME according to the instruction information.

[0025] In this implementation manner, the obtaining the 4LSB of the downlink NAS Count may also be: the base station monitors and saves the downlink NAS Count, and generates a new NAS Count according to the saved downlink NAS Count; then the base station may obtain 4LSB of the new NAS Count.

[0026] Furthermore, after generating the new NAS Count according to the saved NAS Count, the base station may further send a handover request message to the MME, where the handover request message carries the new NAS Count, so that the MME calculates a cipher key (Cipher Key; hereinafter referred to as CK) and an integrity key (Integrity Key; hereinafter referred to as IK) according to the new NAS Count.

[0027] In this implementation manner, the base station may carry, in the handover command sent to the UE, the algorithm used by the UE in the UMTS and the 4LSB of the new NAS Count. In this way, after receiving the handover command, the UE can determine the NAS Count used by the MME according to the 4LSB of the NAS Count that is carried in the handover command and the NAS Count saved by the UE; then, the UE can calculate the CK and the IK according to the NAS Count used by the MME and a root key.

[0028] In this implementation manner, the base station may send the handover request message to the MME at the same time as, before, or after the base station sends the handover command to the UE, and the order in which the base station sends the handover request message to the MME and the handover command to the UE is not limited in this implementation manner. That is, in this implementation manner, the base station does not need to send the handover command to the UE only after receiving the handover request response message sent by the MME, but can send the handover command to the UE after obtaining the 4LSB of the downlink NAS Count, thereby saving handover time.

[0029] In another implementation manner of this embodiment, before sending the handover command to the UE, the base station may first send the handover request message to the MME, and then receive a handover request response message sent by the MME, where the handover request response message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count. Next, the base station sends the handover command to the UE. That is, in this implementation manner, the base station can send the handover command to the UE only after receiving the handover request response message sent by the MME.

[0030] In the foregoing embodiment, the base station can carry, in the handover command sent to the UE, the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and then, the UE can calculate the CK and the IK according to the obtained 4LSB of the downlink NAS Count, and furthermore, the UE can perform inter-system key negotiation with the MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.

[0031] FIG. 2 is a flowchart of a handover method according to another embodiment of the present invention. As shown in FIG. 2, the handover method may include:

201. An eNB initiates a handover process.

202. The eNB sends a handover request (Handover Request) message to the RNC, where the handover request message carries a security capability of a UE in a UMTS.
In this embodiment, when a UE accesses a network via an LTE system, the UE sends security capabilities of the UE in an LTE system, a UMTS, and a GSM to a core network node MME. Therefore, in order to enable the eNB to obtain the security capabilities of the UE in the UMTS and the GSM, an S1AP message between the MME and the eNB may be extended to carry the security capabilities of the UE in the UMTS and the GSM. Specifically, when the UE accesses the network, the MME can send the security capabilities of the UE in the UMTS and the GSM together to the eNB in the S1AP message sent to the eNB.

203. After receiving the handover request message, the RNC performs operations such as quality of service (Quality of Service; hereinafter referred to as QoS) mapping and resource allocation, and sends a handover request acknowledgement (Handover Request Acknowledgement; hereinafter referred to as Handover Request ACK) message to the eNB, where the handover request acknowledgement message carries an algorithm used by the UE in the UMTS.
Specifically, the RNC may select the algorithm used by the UE in the UMTS according to the security capability of the UE in the UMTS that is carried in the handover request message, and send the selected algorithm to the eNB in the handover request acknowledgement message.

204. The eNB performs handover decision.

205. The eNB sends the handover request message to the MME, where the handover request message carries instruction information for instructing the MME to send 4LSB of a downlink NAS Count.

206. After receiving the instruction information, the MME sends the 4LSB of the downlink NAS Count to the eNB.

207. After receiving the 4LSB sent by the MME, the eNB sends a handover command (Handover Command) message to the UE, where the handover command message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count.
In this embodiment, the eNB can send the handover command message to the UE after receiving the 4LSB of the downlink NAS Count, rather than waiting for receiving a handover request response message sent by the MME, thereby saving handover time.

208. The MME sends a relocation request (Relocation Request) message to a core network (Core Network; hereinafter referred to as CN), and performs a series of relocation operations with the CN.

209. The MME sends a handover request response (Handover Request Response) message to the eNB.

210. The UE is handed over to the RNC. The process of handover from the LTE system to the UMTS ends.



[0032] In the foregoing embodiment, a method is provided for the eNB to obtain the 4LSB of the downlink NAS Count. In addition to the method provided in the foregoing embodiment, there may be another method for the eNB to obtain the 4LSB of the downlink NAS Count, which specifically may be: the eNB monitors and saves the downlink NAS Count, before sending the handover request message to the MME, generates a new NAS Count according to the downlink NAS Count saved by the eNB, and obtains the 4LSB of the new NAS Count.

[0033] After the eNB generates the new NAS Count according to the downlink NAS Count saved by the eNB, in one aspect, the eNB can carry the new NAS Count in the handover request message and send the handover request message to the MME, and the MME can calculate a CK and an IK according to the new NAS Count value; in another aspect, the eNB can send the handover command message to the UE, where the handover command message carries the 4LSB of the generated new NAS Count. After receiving the handover command message, the UE can determine the NAS Count used by the MME according to the 4LSB and the downlink NAS Count saved by the UE itself, and then the UE can complete derivation of the CK and the IK by using the determined NAS Count used by the MME and a root key (Kasme) as an input. The eNB may send the handover request message to the MME at the same time as, before, or after the eNB sends the handover command message to the UE; the order in which the eNB sends the handover request message to the MME and the handover command message to the UE is not limited in this embodiment.

[0034] In the foregoing embodiment, the eNB can carry, in the handover command message sent to the UE, the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and then, the UE can calculate the CK and the IK according to the obtained 4LSB of the downlink NAS Count, and furthermore, the UE can perform inter-system key negotiation with the MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.

[0035] FIG. 3 is a flowchart of a handover method according to still another embodiment of the present invention. As shown in FIG. 3, the handover method may include:

301. An eNB initiates a handover process.

302. The eNB sends a handover request message to an RNC.

303. After receiving the handover request message, the RNC performs operations such as QoS mapping and resource allocation, and sends a handover request acknowledgement message to the eNB.

304. The eNB performs handover decision.

305. The eNB sends a handover request message to an MME.

306. The MME sends a relocation request message to a CN, and performs a series of relocation operations with the CN.
Specifically, the MME may send a forward relocation request message to a core network node SGSN, where the forward relocation request message carries a security capability of a UE in a UMTS; the SGSN is short for serving general packet radio service support node (Serving General Packet Radio Service Support Node). The security capability of the UE in the UMTS is sent by the UE to the core network node MME when the UE accesses a network via an LTE system; then the SGSN sends the security capability of the UE in the UMTS to the RNC by the relocation request message, and the RNC selects an algorithm used by the UE in the UMTS according to the security capability of the UE in the UMTS; then the RNC sends the algorithm used by the UE in the UMTS to the SGSN in a relocation response message, and finally the SGSN sends the algorithm used by the UE in the UMTS to the MME by the relocation response message.

307. The MME sends a handover request response message to the eNB, where the handover request response message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count.

308. The eNB sends a handover command message to the UE, where the handover command message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count.
The eNB can send the handover command message to the UE only after receiving the 4LSB of the downlink NAS Count sent by the MME. Therefore, in this embodiment, the eNB is required to send the handover command message to the UE after receiving the handover request response message sent by the MME.

309. The UE is handed over to the RNC. The process of handover from the LTE system to the UMTS ends.



[0036] In the foregoing embodiment, after receiving the handover request response message sent by the MME, the eNB has obtained the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and only in this situation does the eNB send the handover command message to the UE. The handover command message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, so that inter-system key negotiation and algorithm negotiation can be performed successfully, and handover security can be enhanced.

[0037] FIG. 4 is a flowchart of a handover method according to yet another embodiment of the present invention. As shown in FIG. 4, the handover method may include:

401. A UE receives a handover command sent by a base station, where the handover command carries an algorithm used by the UE in a UMTS and 4LSB of a downlink NAS Count.

402. The UE calculates a CK and an IK according to the 4LSB of the downlink NAS Count.



[0038] Specifically, the UE can determine the NAS Count used by the MME according to the 4LSB of the downlink NAS Count that is carried in the handover command and the downlink NAS Count saved in the UE; then, the UE calculates the CK and the IK according to the NAS Count used by the MME and a Kasme.

[0039] In the foregoing embodiment, after receiving the handover command sent by the base station, the UE can obtain the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count that are carried in the handover command, and then, the UE can calculate the CK and the IK according to the 4LSB of the downlink NAS Count, and then, the UE can perform inter-system key negotiation with the MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.
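The UE-side step described in [0033] and [0038], shown with both ends of the exchange, as an added example that is not part of the patent text. Assumptions not stated in the patent: the NAS Count is 24 bits wide, the UE picks the smallest count not below its saved value whose low four bits match, and the CK and IK are the two halves of an HMAC-SHA-256 over FC || count || length with FC = 0x16 (modelled on the key derivation function of the cited 3GPP TS 33.401); all function names and the sample key are hypothetical.

```python
import hashlib
import hmac
from typing import Tuple

# Assumptions (not given in the patent text):
#  - the NAS Count is a 24-bit value, carried as 4 bytes when fed to the KDF
#  - FC = 0x16 selects the "Kasme to CK/IK at handover" derivation
NAS_COUNT_BITS = 24
NAS_COUNT_LIMIT = 1 << NAS_COUNT_BITS
FC_HANDOVER = 0x16

# Constructed sample root key (Kasme), 256 bits. Not a real key.
SAMPLE_KASME = bytes(range(32))


def four_lsb(nas_count: int) -> int:
    """Value the MME (or eNB) places in the handover command."""
    return nas_count & 0xF


def reconstruct_nas_count(saved_dl_count: int, lsb4: int) -> int:
    """UE side: recover the full NAS Count used by the MME.

    Assumed rule: the MME's count is never behind the UE's saved count, so
    take the smallest value >= saved_dl_count whose low 4 bits equal lsb4.
    """
    if not 0 <= lsb4 <= 0xF:
        raise ValueError("4LSB must fit in four bits")
    if not 0 <= saved_dl_count < NAS_COUNT_LIMIT:
        raise ValueError("saved NAS Count out of range")
    candidate = (saved_dl_count & ~0xF) | lsb4
    if candidate < saved_dl_count:
        candidate += 0x10  # low nibble wrapped past 0xF on the MME side
    if candidate >= NAS_COUNT_LIMIT:
        raise OverflowError("NAS Count would wrap; counter is exhausted")
    return candidate


def derive_ck_ik(kasme: bytes, nas_count: int) -> Tuple[bytes, bytes]:
    """Derive (CK, IK) from the root key and the full NAS Count."""
    p0 = nas_count.to_bytes(4, "big")
    s = bytes([FC_HANDOVER]) + p0 + len(p0).to_bytes(2, "big")
    out = hmac.new(kasme, s, hashlib.sha256).digest()
    return out[:16], out[16:]


def handover_keys_agree(kasme: bytes, mme_dl_count: int,
                        ue_saved_dl_count: int) -> bool:
    """Run both ends: only the 4LSB crosses the air interface."""
    mme_ck, mme_ik = derive_ck_ik(kasme, mme_dl_count)
    lsb4 = four_lsb(mme_dl_count)  # carried in the handover command
    ue_count = reconstruct_nas_count(ue_saved_dl_count, lsb4)
    ue_ck, ue_ik = derive_ck_ik(kasme, ue_count)
    return hmac.compare_digest(mme_ck + mme_ik, ue_ck + ue_ik)


if __name__ == "__main__":
    cases = [
        ("UE three counts behind", 0x00012E, 0x00012B),
        ("low nibble wraps", 0x000203, 0x0001FD),
        ("UE 21 counts behind", 0x000115, 0x000100),
    ]
    for label, mme_count, ue_saved in cases:
        ok = handover_keys_agree(SAMPLE_KASME, mme_count, ue_saved)
        print(f"{label}: keys {'match' if ok else 'DIFFER'}")
```

The last case shows the limit of the scheme: four bits only resolve a drift of fewer than 16 counts, beyond which the two sides derive different keys.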

[0040] FIG. 5 is a flowchart of a handover method according to still yet another embodiment of the present invention. As shown in FIG. 5, the handover method may include:

501. An MME receives a handover request message sent by a base station, where the handover request message carries instruction information for instructing the MME to send 4LSB of a downlink NAS Count.

502. The MME sends the 4LSB of the downlink NAS Count to the base station according to the instruction information.



[0041] In 501 of this embodiment, the instruction information for instructing the MME to send the 4LSB of the downlink NAS Count is 4LSB of a new NAS Count, where the new NAS Count is generated by the base station according to a monitored and saved downlink NAS Count; if the handover request message in 501 further carries the new NAS Count, the MME may further calculate a CK and an IK according to the new NAS Count.

[0042] Furthermore, in this embodiment, after receiving the handover request message sent by the base station, the MME may further send a handover request response message to the base station, where the handover request response message carries an algorithm used by a UE in a UMTS and the 4LSB of the downlink NAS Count.

[0043] In the foregoing embodiment, after receiving the handover request message sent by the base station, the MME sends the 4LSB of the downlink NAS Count to the base station according to the instruction information carried in the handover request message, so that the base station sends the 4LSB to the UE, and then, the UE can calculate the CK and the IK according to the 4LSB sent by the base station and the MME can also calculate the CK and the IK according to the downlink NAS Count corresponding to the 4LSB sent to the base station, and furthermore, the UE and the MME can perform inter-system key negotiation according to the respectively calculated CKs and IKs, so that handover security can be enhanced.

[0044] FIG. 6 is a flowchart of a handover method according to still yet another embodiment of the present invention. As shown in FIG. 6, the handover method may include:

601. An MME receives a handover request message sent by a base station, where the handover request message carries an NAS Count generated by the base station.

602. The MME calculates a CK and an IK according to the NAS Count that is generated by the base station and is carried in the handover request message.



[0045] In the foregoing embodiment, the MME can calculate the CK and the IK according to the NAS Count generated by the base station, and then the MME can perform inter-system key negotiation with a UE according to the CK and the IK, so that handover security can be enhanced.

[0046] A person of ordinary skill in the art can understand that all or some steps for implementing the foregoing method embodiments can be completed by using a program to instruct relevant hardware. The program may be stored in a computer readable storage medium and, during execution, performs the steps including those of the foregoing method embodiments. The storage medium includes various media that can store program code, such as a ROM, RAM, magnetic disk, or optical disc.

[0047] FIG. 7 is a schematic structural diagram of a base station according to an embodiment of the present invention, and the base station in this embodiment can implement a process of the embodiment shown in FIG. 1 of the present invention. As shown in FIG. 7, the base station may include:

an obtaining module 71, configured to obtain an algorithm used by a UE in a UMTS and 4LSB of a downlink NAS Count; and

a sending module 72, configured to send a handover command to the UE, where the handover command carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count that are obtained by the obtaining module 71.



[0048] In the base station, the sending module 72 can carry, in the handover command sent to the UE, the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and then, the UE can calculate a CK and an IK according to the obtained 4LSB of the downlink NAS Count, and furthermore, the UE can perform inter-system key negotiation with an MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.

[0049] FIG. 8 is a schematic structural diagram of a base station according to another embodiment of the present invention. In an implementation manner of this embodiment, the difference between the base station shown in FIG. 8 and the base station shown in FIG. 7 is that the base station shown in FIG. 8 may further include:

a receiving module 73, configured to receive an S1AP message sent by an MME, where the S1AP message carries a security capability of a UE in a UMTS.



[0050] Specifically, the obtaining module 71 may include:

a first sending submodule 711, configured to send a handover request message to an RNC, where the handover request message carries the security capability of the UE in the UMTS; and

a first receiving submodule 712, configured to receive a handover request acknowledgement message sent by the RNC, where the handover request acknowledgement message carries the algorithm used by the UE in the UMTS, and the algorithm used by the UE in the UMTS is selected by the RNC according to the security capability.



[0051] Furthermore, the first sending submodule 711 may further send the handover request message to the MME, where the handover request message carries instruction information for instructing the MME to send 4LSB of a downlink NAS Count;

the first receiving submodule 712 may further receive the 4LSB of the downlink NAS Count that is sent by a mobility management entity according to the instruction information.



[0052] In this implementation manner, the obtaining module 71 may further include:

a monitoring submodule 713, configured to monitor and save the downlink NAS Count;

a generating submodule 714, configured to generate a NAS Count according to the downlink NAS Count saved by the monitoring submodule 713; and

a significant bit obtaining submodule 715, configured to obtain the 4LSB of the NAS Count generated by the generating submodule 714.



[0053] In this implementation manner, the sending module 72 may further send the handover request message to the MME, where the handover request message carries the new NAS Count generated by the generating submodule 714, so that the MME calculates a CK and an IK according to the new NAS Count generated by the generating submodule 714. In this implementation manner, the sending module 72 may further carry, in the handover command sent to the UE, the 4LSB of the new NAS Count generated by the generating submodule 714 and the algorithm used by the UE in the UMTS.

[0054] In this way, after the UE receives the handover command, the UE can determine the NAS Count used by the MME according to the 4LSB of the NAS Count that is carried in the handover command and the NAS Count saved by the UE; then the UE can calculate the CK and the IK according to the NAS Count used by the MME and a root key.

[0055] In another implementation manner of this embodiment, before sending the handover command, the sending module 72 may further send the handover request message to the MME; the obtaining module 71 may receive a handover request response message sent by the MME, where the handover request response message carries the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count. After receiving the handover request response message sent by the MME, the obtaining module 71 has obtained the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and only in this situation the sending module 72 sends the handover command to the UE, and carries the algorithm used by the UE in the UMTS and the downlink NAS Count in the handover command.

[0056] In the base station, the sending module 72 can carry, in the handover command sent to the UE, the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count, and then, the UE can calculate the CK and the IK according to the obtained 4LSB of the downlink NAS Count, and furthermore, the UE can perform inter-system key negotiation with the MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.

[0057] FIG. 9 is a schematic structural diagram of a user equipment according to an embodiment of the present invention, and the UE in this embodiment can implement a process of the embodiment shown in FIG. 4 of the present invention.

[0058] As shown in FIG. 9, the UE may include:

a command receiving module 91, configured to receive a handover command sent by a base station, where the handover command carries an algorithm used by the UE in a UMTS and 4LSB of a downlink NAS Count; and

a calculation module 92, configured to calculate a CK and an IK according to the 4LSB of the downlink NAS Count received by the command receiving module 91.



[0059] Specifically, the calculation module 92 can determine an NAS Count used by an MME according to the 4LSB of the downlink non-access stratum count received by the command receiving module 91 and the NAS Count saved by the UE, and calculate the CK and the IK according to the NAS Count used by the MME and a root key.

[0060] In the user equipment, after the command receiving module 91 receives the handover command sent by the base station, the UE can obtain the algorithm used by the UE in the UMTS and the 4LSB of the downlink NAS Count that are carried in the handover command, and then, the calculation module 92 can calculate the CK and the IK according to the 4LSB of the downlink NAS Count, and furthermore, the UE can perform inter-system key negotiation with the MME according to the CK and the IK and perform algorithm negotiation with the MME according to the algorithm used by the UE in the UMTS, so that handover security can be enhanced.

[0061] FIG. 10 is a schematic structural diagram of a mobility management entity according to an embodiment of the present invention, and the MME in this embodiment can implement a process of the embodiment shown in FIG. 5 of the present invention.

[0062] As shown in FIG. 10, the MME may include:

a first message receiving module 1001, configured to receive a handover request message sent by a base station, where the handover request message carries instruction information for instructing the MME to send 4LSB of a downlink NAS Count; and

a significant bit sending module 1002, configured to send the 4LSB of the downlink NAS Count to the base station according to the instruction information received by the first message receiving module 1001.



[0063] Furthermore, the MME may further include:

a first key calculation module 1003, configured to calculate a CK and an IK according to a new NAS Count when the instruction information received by the first message receiving module 1001 for instructing the MME to send the 4LSB of the downlink NAS Count is 4LSB of the new NAS Count and the handover request message further carries the new NAS Count, where the new NAS Count is generated by the base station according to a monitored and saved downlink NAS Count.



[0064] In the foregoing embodiment, after the first message receiving module 1001 receives the handover request message sent by the base station, the significant bit sending module 1002 sends the 4LSB of the downlink NAS Count to the base station according to the instruction information carried in the handover request message, so that the base station sends the 4LSB to a UE, and then, the UE can calculate the CK and the IK according to the 4LSB sent by the base station, and the first key calculation module 1003 can calculate the CK and the IK according to the downlink NAS Count corresponding to the 4LSB that needs to be sent to the base station, and furthermore, the UE and the MME can perform inter-system key negotiation according to the respectively calculated CKs and IKs, so that handover security can be enhanced.

[0065] FIG. 11 is a schematic structural diagram of a mobility management entity according to another embodiment of the present invention, and the MME in this embodiment can implement a process of the embodiment shown in FIG. 6 of the present invention.

[0066] As shown in FIG. 11, the MME may include:

a second message receiving module 1101, configured to receive a handover request message sent by a base station, where the handover request message carries an NAS Count generated by the base station; and

a second key calculation module 1102, configured to calculate a CK and an IK according to the NAS Count generated by the base station and carried in the handover request message that is received by the second message receiving module 1101.



[0067] In the foregoing embodiment, the second key calculation module 1102 can calculate the CK and the IK according to the NAS Count generated by the base station, and then the MME can perform inter-system key negotiation with a UE according to the CK and the IK, so that handover security can be enhanced.

[0068] A person of ordinary skill in the art can understand that the accompanying drawings are only schematic diagrams of one preferred embodiment, and modules or processes in the accompanying drawings are not necessarily required for implementing the present invention.

[0069] A person of ordinary skill in the art can understand that modules in a device in an embodiment can be distributed in the device of the embodiment according to the description of the embodiment, and can also be changed accordingly to be disposed in one or more devices different from this embodiment. The modules of the foregoing embodiments may be combined into one module, or further divided into multiple submodules.

[0070] Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of the present invention rather than limiting the present invention. Although the present invention is described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that he may still make modifications to the technical solutions described in the foregoing embodiments, or make equivalent replacements to some technical features thereof, without departing from the scope of the technical solutions of the embodiments of the present invention.


Claims

1. A handover method for handing over a user equipment from a long term evolution network to a universal mobile telecommunication system network comprising:

obtaining (101), by a base station, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending (102), by the base station, a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

characterized in that obtaining (101), by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending (202, 302), by the base station, a handover request message to a radio network controller, wherein the handover request message carries a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receiving (203, 303), by the base station, a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
2. The method according to claim 1, wherein the obtaining the four least significant bits of the downlink non-access stratum count comprises:

sending (205, 305) a handover request message to the mobility management entity, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

receiving (206) the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.


 
3. The method according to claim 1, wherein the obtaining the four least significant bits of the downlink non-access stratum count comprises:

monitoring and saving the downlink non-access stratum count, and generating a new non-access stratum count according to the saved downlink non-access stratum count; and

obtaining four least significant bits of the new non-access stratum count.


 
4. The method according to claim 3, after the generating the new non-access stratum count according to the saved downlink non-access stratum count, further comprising: sending the handover request message to the mobility management entity, wherein the handover request message carries the new non-access stratum count, so that the mobility management entity calculates the cipher key and the integrity key according to the new non-access stratum count.
 
5. The method according to claim 1, further comprising:
receiving (401), by the user equipment, the handover command sent by the base station; and
calculating (402), by the user equipment, a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.
 
6. The method according to claim 5, wherein the calculating, by the user equipment, the cipher key and the integrity key according to the four least significant bits of the downlink non-access stratum count comprises:

determining, by the user equipment, a non-access stratum count used by a mobility management entity, according to the four least significant bits of the downlink non-access stratum count that are carried in the handover command and a downlink non-access stratum count saved by the user equipment; and

calculating, by the user equipment, the cipher key and the integrity key, according to the non-access stratum count used by the mobility management entity and a root key.


 
7. The handover method according to claim 1, wherein before obtaining (101), by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system the method further comprises:

sending, by the mobility management entity, the S1 application protocol message when the user equipment accesses the network.


 
8. The method according to claim 7, wherein the obtaining (101), by the base station, the four least significant bits of the downlink non-access stratum count comprises:

receiving (501), by the mobility management entity, a handover request message sent by the base station, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

sending (502), by the mobility management entity, the four least significant bits of the downlink non-access stratum count to the base station according to the instruction information.


 
9. The method according to claim 8, wherein
the instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count is four least significant bits of a new non-access stratum count, and the new non-access stratum count is generated by the base station according to a monitored and saved downlink non-access stratum count; and
if the handover request message further carries the new non-access stratum count, the method further comprises:

calculating (602), by the mobility management entity, the cipher key and the integrity key according to the new non-access stratum count.


 
10. A base station, comprising:

an obtaining module (71), configured to obtain an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

a sending module (72), configured to send a handover command to the user equipment being handed over from a long term evolution network to the universal mobile telecommunication system network, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count that are obtained by the obtaining module (71);

characterized by, further comprising:

a receiving module (73), configured to receive an S1 application protocol message sent by a mobility management entity, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system;

wherein the obtaining module (71) comprises:

a first sending submodule (711), configured to send a handover request message to a radio network controller, wherein the handover request message carries the security capability of the user equipment in the universal mobile telecommunication system; and

a first receiving submodule (712), configured to receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
11. The base station according to claim 10, wherein
the first sending submodule (711) is further configured to send a handover request message to the mobility management entity, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and the first receiving submodule (712) is further configured to receive the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.
 
12. The base station according to claim 10 or 11, wherein the obtaining module (71) further comprises:

a monitoring submodule (713), configured to monitor and save the downlink non-access stratum count;

a generating submodule (714), configured to generate a new non-access stratum count according to the downlink non-access stratum count saved by the monitoring submodule (713); and

a significant bit obtaining submodule (715), configured to obtain 4LSB of the new non-access stratum count generated by the generating submodule (714).


 
13. The base station according to claim 12, wherein
the sending module (72) is further configured to send the handover request message to the mobility management entity, wherein the handover request message carries the new non-access stratum count generated by the generating submodule (714), so that the mobility management entity calculates a cipher key and an integrity key according to the new non-access stratum count generated by the generating submodule (714).
 
14. A network, comprising a user equipment and a base station of claim 10, wherein
the user equipment is configured to receive (401) the handover command sent by the base station; and calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.
 
15. A network, comprising a base station of claim 10 and a mobility management entity,
wherein
the mobility management entity is configured to send an S1 application protocol message when the user equipment accesses a network, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system.
 


Claims (translation of the German text)

1. A handover method for handing over a user equipment from a long term evolution network to a universal mobile telecommunication system network, comprising:

obtaining (101), by a base station, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending (102), by the base station, a handover command to the user equipment, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

characterized in that obtaining (101), by the base station, the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending (202, 302), by the base station, a handover request message to a radio network controller, wherein the handover request message carries a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message carries the security capability of the user equipment in the universal mobile telecommunication system; and

receiving (203, 303), by the base station, a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
2. The method according to claim 1, wherein the obtaining of the four least significant bits of the downlink non-access stratum count comprises:

sending (205, 305) a handover request message to the mobility management entity, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

receiving (206) the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.


 
3. The method according to claim 1, wherein the obtaining of the four least significant bits of the downlink non-access stratum count comprises:

monitoring and saving the downlink non-access stratum count, and generating a new non-access stratum count according to the saved downlink non-access stratum count; and

obtaining the four least significant bits of the new non-access stratum count.


 
4. The method according to claim 3, further comprising, after the generating of the new non-access stratum count according to the saved downlink non-access stratum count:

sending the handover request message to the mobility management entity, wherein the handover request message carries the new non-access stratum count, so that the mobility management entity calculates the cipher key and the integrity key according to the new non-access stratum count.


 
5. The method according to claim 1, further comprising:

receiving (401), by the user equipment, the handover command sent by the base station; and

calculating (402), by the user equipment, a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.


 
6. The method according to claim 5, wherein the calculating, by the user equipment, of the cipher key and the integrity key according to the four least significant bits of the downlink non-access stratum count comprises:

determining, by the user equipment, a non-access stratum count used by a mobility management entity, according to the four least significant bits of the downlink non-access stratum count that are carried in the handover command and a downlink non-access stratum count saved by the user equipment;

calculating, by the user equipment, the cipher key and the integrity key according to the non-access stratum count used by the mobility management entity and a root key.


 
7. The handover method according to claim 1, wherein, before the obtaining (101), by the base station, of the algorithm used by the user equipment in the universal mobile telecommunication system, the method further comprises:

sending, by the mobility management entity, the S1 application protocol message when the user equipment accesses the network.


 
8. The method according to claim 7, wherein the obtaining (101), by the base station, of the four least significant bits of the downlink non-access stratum count comprises:

receiving (501), by the mobility management entity, a handover request message sent by the base station, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

sending (502), by the mobility management entity, the four least significant bits of the downlink non-access stratum count to the base station according to the instruction information.


 
9. The method according to claim 8, wherein
the instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count is four least significant bits of a new non-access stratum count, and the new non-access stratum count is generated by the base station according to a monitored and saved downlink non-access stratum count; and
if the handover request message further carries the new non-access stratum count, the method further comprises:

calculating (602), by the mobility management entity, the cipher key and the integrity key according to the new non-access stratum count.


 
10. A base station, comprising:

an obtaining module (71), configured to obtain an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

a sending module (72), configured to send a handover command to the user equipment that is handed over from a long term evolution network to the universal mobile telecommunication system network, wherein the handover command carries the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count that are obtained by the obtaining module (71),

characterized by further comprising:

a receiving module (73), configured to receive an S1 application protocol message sent by a mobility management entity, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system;

wherein the obtaining module (71) comprises:

a first sending submodule (711), configured to send a handover request message to a radio network controller, wherein the handover request message carries the security capability of the user equipment in the universal mobile telecommunication system; and

a first receiving submodule (712), configured to receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message carries the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
11. The base station according to claim 10, wherein
the first sending submodule (711) is further configured to send a handover request message to the mobility management entity, wherein the handover request message carries instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and
the first receiving submodule (712) is further configured to receive the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.
 
12. The base station according to claim 10 or 11, wherein the obtaining module (71) further comprises:

a monitoring submodule (713), configured to monitor and save the downlink non-access stratum count;

a generating submodule (714), configured to generate a new non-access stratum count according to the downlink non-access stratum count saved by the monitoring submodule (713); and

a significant bit obtaining submodule (715), configured to obtain the 4LSB of the new non-access stratum count generated by the generating submodule (714).


 
13. The base station according to claim 12, wherein
the sending module (72) is further configured to send a handover request message to the mobility management entity, wherein the handover request message carries the new non-access stratum count generated by the generating submodule (714), so that the mobility management entity calculates a cipher key and an integrity key according to the new non-access stratum count generated by the generating submodule (714).
 
14. A network comprising a user equipment and a base station according to claim 10, wherein the user equipment is configured to receive (401) the handover command sent by the base station and to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.
 
15. A network comprising a base station according to claim 10 and a mobility management entity, wherein
the mobility management entity is configured to send an S1 application protocol message when the user equipment accesses a network, wherein the S1 application protocol message carries a security capability of the user equipment in the universal mobile telecommunication system.
 


Claims (French-language version)

1. A handover method for handing over a user equipment from a long term evolution network to a universal mobile telecommunication system network, comprising:

obtaining (101), by a base station, an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

sending (102), by the base station, a handover command to the user equipment, wherein the handover command contains the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count, for the user equipment to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count;

characterized in that the obtaining (101), by the base station, of the algorithm used by the user equipment in the universal mobile telecommunication system comprises:

sending (202, 302), by the base station, a handover request message to a radio network controller, wherein the handover request message contains a security capability of the user equipment in the universal mobile telecommunication system, and the security capability of the user equipment in the universal mobile telecommunication system is obtained from an S1 application protocol message sent by a mobility management entity when the user equipment accesses a network, wherein the S1 application protocol message contains the security capability of the user equipment in the universal mobile telecommunication system; and

receiving (203, 303), by the base station, a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message contains the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
2. The method according to claim 1, wherein the obtaining of the four least significant bits of the downlink non-access stratum count comprises:

sending (205, 305) a handover request message to the mobility management entity, wherein the handover request message contains instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

receiving (206) the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.


 
3. The method according to claim 1, wherein the obtaining of the four least significant bits of the downlink non-access stratum count comprises:

monitoring and saving the downlink non-access stratum count, and generating a new non-access stratum count according to the saved downlink non-access stratum count; and

obtaining four least significant bits of the new non-access stratum count.


 
4. The method according to claim 3, further comprising, after the generating of the new non-access stratum count according to the saved downlink non-access stratum count:

sending the handover request message to the mobility management entity, wherein the handover request message contains the new non-access stratum count, so that the mobility management entity calculates the cipher key and the integrity key according to the new non-access stratum count.


 
5. The method according to claim 1, further comprising:

receiving (401), by the user equipment, the handover command sent by the base station; and

calculating (402), by the user equipment, a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.


 
6. The method according to claim 5, wherein the calculating, by the user equipment, of the cipher key and the integrity key according to the four least significant bits of the downlink non-access stratum count comprises:

determining, by the user equipment, a non-access stratum count used by a mobility management entity, according to the four least significant bits of the downlink non-access stratum count that are contained in the handover command and a downlink non-access stratum count saved by the user equipment; and

calculating, by the user equipment, the cipher key and the integrity key according to the non-access stratum count used by the mobility management entity and a root key.


 
7. The handover method according to claim 1, wherein, before the obtaining (101), by the base station, of the algorithm used by the user equipment in the universal mobile telecommunication system, the method further comprises:

sending, by the mobility management entity, the S1 application protocol message when the user equipment accesses the network.


 
8. The method according to claim 7, wherein the obtaining (101), by the base station, of the four least significant bits of the downlink non-access stratum count comprises:

receiving (501), by the mobility management entity, a handover request message sent by the base station, wherein the handover request message contains instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and

sending (502), by the mobility management entity, the four least significant bits of the downlink non-access stratum count to the base station according to the instruction information.


 
9. The method according to claim 8, wherein
the instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count is four least significant bits of a new non-access stratum count, and the new non-access stratum count is generated by the base station according to a monitored and saved downlink non-access stratum count; and
if the handover request message further contains the new non-access stratum count, the method further comprises:

calculating (602), by the mobility management entity, the cipher key and the integrity key according to the new non-access stratum count.


 
10. A base station, comprising:

an obtaining module (71), configured to obtain an algorithm used by a user equipment in a universal mobile telecommunication system and four least significant bits of a downlink non-access stratum count; and

a sending module (72), configured to send a handover command to the user equipment that is handed over from a long term evolution network to the universal mobile telecommunication system network, wherein the handover command contains the algorithm used by the user equipment in the universal mobile telecommunication system and the four least significant bits of the downlink non-access stratum count that are obtained by the obtaining module (71);

characterized in that it further comprises:

a receiving module (73), configured to receive an S1 application protocol message sent by a mobility management entity, wherein the S1 application protocol message contains a security capability of the user equipment in the universal mobile telecommunication system;

wherein the obtaining module (71) comprises:

a first sending submodule (711), configured to send a handover request message to a radio network controller, wherein the handover request message contains the security capability of the user equipment in the universal mobile telecommunication system; and

a first receiving submodule (712), configured to receive a handover request acknowledgement message sent by the radio network controller, wherein the handover request acknowledgement message contains the algorithm used by the user equipment in the universal mobile telecommunication system, and the algorithm used by the user equipment in the universal mobile telecommunication system is selected by the radio network controller according to the security capability.


 
11. The base station according to claim 10, wherein
the first sending submodule (711) is further configured to send a handover request message to the mobility management entity, wherein the handover request message contains instruction information for instructing the mobility management entity to send the four least significant bits of the downlink non-access stratum count; and the first receiving submodule (712) is further configured to receive the four least significant bits of the downlink non-access stratum count sent by the mobility management entity according to the instruction information.
 
12. The base station according to claim 10 or 11, wherein the obtaining module (71) further comprises:

a monitoring submodule (713), configured to monitor and save the downlink non-access stratum count;

a generating submodule (714), configured to generate a new non-access stratum count according to the downlink non-access stratum count saved by the monitoring submodule (713); and

a significant bit obtaining submodule (715), configured to obtain the 4LSB of the new non-access stratum count generated by the generating submodule (714).


 
13. The base station according to claim 12, wherein
the sending module (72) is further configured to send the handover request message to the mobility management entity, wherein the handover request message contains the new non-access stratum count generated by the generating submodule (714), so that the mobility management entity calculates a cipher key and an integrity key according to the new non-access stratum count generated by the generating submodule (714).
 
14. A network comprising a user equipment and a base station according to claim 10, wherein
the user equipment is configured to receive (401) the handover command sent by the base station; and to calculate a cipher key and an integrity key according to the four least significant bits of the downlink non-access stratum count.
 
15. A network, comprising a base station according to claim 10 and a mobility management entity, wherein
the mobility management entity is configured to send an S1 application protocol message when the user equipment accesses a network, wherein the S1 application protocol message contains a security capability of the user equipment in the universal mobile telecommunication system.
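
Claims 5 and 6 have the user equipment rebuild the full downlink non-access stratum count from the four signalled bits and its own saved count, then derive the cipher key and integrity key from that count and a root key. The following Python example is added here for illustration and is not part of the patent. The forward-only recovery rule, the 24-bit count width, the HMAC-SHA-256 input layout with function code 0x16 (modelled on the 3GPP TS 33.401 key derivation) and all key and counter values are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

NAS_COUNT_BITS = 24    # assumed width: 16-bit overflow counter || 8-bit sequence number
NAS_COUNT_MAX = (1 << NAS_COUNT_BITS) - 1
FC_HANDOVER = 0x16     # assumed function code, modelled on TS 33.401 Annex A


def four_lsb(nas_count: int) -> int:
    """Network side: the four least significant bits placed in the handover command."""
    return nas_count & 0xF


def recover_nas_count(saved_count: int, lsb4: int) -> int:
    """UE side: smallest count >= saved_count whose low four bits equal lsb4.

    Assumes the downlink counter only moves forward and that the UE's saved
    value trails the network's value by fewer than 16.
    """
    if not 0 <= saved_count <= NAS_COUNT_MAX:
        raise ValueError("saved NAS count out of range")
    if not 0 <= lsb4 <= 0xF:
        raise ValueError("lsb4 must fit in four bits")
    candidate = saved_count + ((lsb4 - saved_count) & 0xF)
    if candidate > NAS_COUNT_MAX:
        # Refuse to wrap silently past the end of the counter range.
        raise ValueError("recovered NAS count exceeds counter range")
    return candidate


def derive_ck_ik(root_key: bytes, nas_count: int) -> tuple[bytes, bytes]:
    """Derive (cipher key, integrity key) from the root key and the full NAS count."""
    if len(root_key) != 32:
        raise ValueError("root key must be 256 bits")
    p0 = nas_count.to_bytes(4, "big")                      # count padded to 32 bits
    s = bytes([FC_HANDOVER]) + p0 + len(p0).to_bytes(2, "big")
    out = hmac.new(root_key, s, hashlib.sha256).digest()
    return out[:16], out[16:]                              # 128-bit CK, 128-bit IK


def ue_handover_keys(root_key: bytes, saved_count: int, lsb4: int) -> tuple[bytes, bytes]:
    """Claim 6 end to end: recover the count, then derive both keys."""
    return derive_ck_ik(root_key, recover_nas_count(saved_count, lsb4))


# Constructed sample values, not taken from the patent.
ROOT_KEY = bytes(range(32))
MME_COUNT = 0x000132       # count the network uses for the derivation
UE_SAVED_NEAR = 0x00012D   # UE trails by 5 downlink NAS messages
UE_SAVED_FAR = 0x000120    # UE trails by 18: outside the four-bit window

if __name__ == "__main__":
    network_keys = derive_ck_ik(ROOT_KEY, MME_COUNT)
    hint = four_lsb(MME_COUNT)
    print("recovered:", hex(recover_nas_count(UE_SAVED_NEAR, hint)))
    print("keys match (near):", ue_handover_keys(ROOT_KEY, UE_SAVED_NEAR, hint) == network_keys)
    print("keys match (far): ", ue_handover_keys(ROOT_KEY, UE_SAVED_FAR, hint) == network_keys)
```

The far case shows the failure mode: four bits disambiguate only 16 consecutive counts, so a user equipment that trails further recovers a wrong count and derives keys that differ from the network's.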
 




Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description