In mobile communication system in future, such as B3G (Beyond Third Generation) or LTE-A (Long Term Evolution-Advanced), higher peak data rate and cell throughput capacity will be provided, and greater bandwidth will be required at mean time. At present, available bandwidth less than 2 GHz is rare and part of or all bandwidths required in B3G/LTE-A system can only be found on higher frequency range (such as above 3 GHz). The higher the frequency range is, the faster radio wave propagation attenuation will be, the shorter the transmission distance will be and the more eNB will be required for continuous coverage within a certain area. eNBs require high cost, so it will increase the total deployment cost. To reduce the deployment cost and solve the coverage issue, RN (Relay Node) can be introduced to the system.
FIG. 1 shows the network structure of a LTE-A system introduced with the RN. The RN is wireless connected to a core network through a donor cell under a DeNB (Donor Evolved Node B) other than a direct wired link between the RN and the core network; each RN can control a or several cells; interface between a UE and the RN is called Uu, and that between the RN and the DeNB is called Un.
FIG. 2 shows the diagram of S1 handover process. At present, S1 handover process comprises handover preparation, handover execution and handover notification phases. Wherein, handover preparation phase (Step 2-9 in FIG. 2) is initiated by an eNB (Evolved Node B) which decides the target eNB; a source MME (Mobility Management Entity) shall calculate a new NH (Next Hop) and a NCC (Next hop Chaining Counter) after receiving the Handover Required sent by the source eNB and shall send it to the target eNB for use. In addition, the target eNB shall put the NCC in a transparent container to transfer it to the source eNB through the core network in order to synchronize NH key with the UE.
Furthermore, HO Command message carries a HO Command message (i.e. RRC (Radio Resource Control) connection reconfiguration message in the radio) generated by the target eNB, and the message transferred to the UE by the source eNB; the UE synchronizes the NH with the target eNB based on NCC after receiving the HO Command message and further generates the key used for the radio interface.
FIG. 3 shows the diagram of X2 handover process. Presently, X2 handover process comprises handover preparation, handover execution and path switch phases. Wherein, during X2 handover, since the serving eNB of the UE is transferred from the source eNB to the target eNB, the uplink and downlink user data transmission path between the eNB and a SGW (Serving Gateway) needs to be transferred to the target eNB. The target eNB initiates path switch process after UE handover and notifies the downlink data transmission address and other information to the SGW through MME. The SGW notifies the uplink data transmission address and other information to the eNB through MME in response message.
Specifically, during path switch, the MME generates a new key NH, distributes an NCC for the key and put the NH and NCC in Path Switch Request Acknowledge message to the target eNB. Only the UE and MME can calculate the NH, and eNB is not able to calculate the NH, so the source eNB does not know the NH value sent to the target eNB from the MME; the target eNB and UE calculate the key for the air interface by the NH, and the source eNB cannot calculate the NH, hence security isolation is realized.
The inventor finds that at least the following problems exist in the prior art in the process realizing the present invention:
DeNB usually covers a larger area in relay scenarios. If UE handover failed, it may select a DeNB cell to access, rather other RN. In case of UE handover from an adjacent eNB to the DeNB, to improve the handover success rate, the DeNB can forward the complete Handover Request message to the RN involved in the RRC reestablishment information when forwarding the Handover Request message to the target RN. The Handover Request message includes the RRC reestablishment information prepared by the source eNB, the key NH the MME sends to the target eNB and the corresponding Counter NCC. It will lead to a situation that the same pair of {NH, NCC} is sent to more than one target nodes (RN, DeNB). Once the attacker attacks one of RNs and gets the NH, it can calculate the key used by the UE in radio interface no matter which RN or DeNB the UE is handed over to, so as to crack the content of UE communication and invade the privacy of users.