A Relay Node (RN) has been introduced into the Long Term Evolution Advanced (LTE-A) system in order to extend network coverage. The RN is wirelessly connected with a Donor evolved Node B (DeNB), and the RN can be deployed in a train or another transportation vehicle for the purposes of lowering the number of handovers for a User Equipment (UE) in the transportation vehicle, improving the quality of a signal in a carriage, etc., where the RN deployed on the transportation vehicle is referred to as a mobile RN.
The number of handovers for the UE via an air interface will be lowered due to the introduction of the mobile RN without lowering the number of times for user plane data path switching to be performed in a core network of the UE. This may result in mismatch between the number of handovers for the UE and the number of times for switching in the core network of the UE and consequently in out-of-synchronization between security keys at the network side and the UE side. Eventually a normal service may be unavailable to the UE after being handed over out of a cell of the RN.
FIG. 1 illustrates the network architecture of the LTE system, where a Mobility Management Entity (MME) is connected with an evolved Node B (eNB) via an S1-MME interface; and the eNB functions as an access network and communicates with the UE via the air interface. There is an MME serving each UE attached to the network, and the MME is referred to as a serving MME of the UE.
FIG. 2 illustrates the key distribution/derivation architecture of the LTE system, where some of the keys are introduced as follows:
KASME represents a key shared by the MME and the UE, where the UE and the MME serving the UE can derive the same key in an Authentication and Key Agreement (AKA) mechanism. Other keys can be derived from the KASME; and the KASME will not be distributed to any eNB node.
KeNB represents an intermediate key shared by a serving eNB of the UE and the UE and can be derived from KASME; and the serving eNB of the UE can derive KeNB as follows:
The MME derives KeNB from KASME and then transmits KeNB to the serving eNB of the UE; or
During a handover, a handover target eNB can use derived KeNB* as KeNB;
KeNB* is used as KeNB for the UE in communication with the handover target eNB. There are the following three sources for KeNB* of the target eNB:
The source eNB derives KeNB* from a Next Hop (NH) key obtained from the MME, and the source eNB transmits KeNB* to the target eNB; or
The source eNB derives KeNB* from currently used KeNB and the source eNB transmits KeNB* to the target eNB; or
The target eNB derives KeNB* from the NH obtained from the MME.
The three sources above for KeNB* relate to two different sets of inputs for calculation of KeNB*:
KeNB* is calculated from the NH, where input parameters are the NH, the Physical Cell Identity (PCI) of a target cell and the Absolute Radio Frequency Channel Number (ARFCN) of the target cell; and
KeNB* is calculated from KeNB used by the source eNB, where input parameters are current KeNB, the PCI of the target cell and the frequency ARFCN of the target cell.
The UE under the source eNB shares currently used KeNB with the source eNB; and also the UE can derive a new NH from KASME. Thus the UE can determine the input parameters to be used and calculate KeNB* consistent with the network side as long as it is known which of the two schemes above to calculate KeNB* applies at the network side;
The NH is used for the UE and the eNB to calculate KeNB* for forward security. The UE and the MME can calculate the NH from KASME and KeNB; or calculate the new NH from KASME and the previous NH;
Forward security means that the source eNB is unaware of KeNB used by the handover target eNB of the UE. As mentioned previously, KeNB used by the target eNB may be KeNB* carried by the source eNB in a handover request message, and it can be deemed in this case that no forward security is available. For the availability of forward security, the MME calculates and transmits a new set of {NH, NCC} to the target eNB in a path switching procedure during the handover, and the target eNB can calculate KeNB* unknown to the source eNB from the NH and thereafter initiate an intra-cell handover and transmit a Next Hop Chaining Counter (NCC) to the UE, and the UE calculates the corresponding NH from KASME using the NCC in the same algorithm as the MME and further calculates KeNB* from the NH in the same algorithm as the target eNB. Subsequent to the handover, the target eNB and the UE derive other keys from KeNB* as KeNB and perform encryption and security protection for the purpose of forward security.
The NCC represents a counter associated with an NH to count the total number of generated NHs. The UE can synchronize the NH in use with the network by the received NCC and decide whether the next KeNB* is calculated from current KeNB or from a new NH, where the length of the NCC is 3 bits.
FIG. 3 illustrates an X2 handover process in which the target eNB obtains KeNB* and the NCC from the handover request message transmitted by the source eNB, where the NCC will be transmitted to the UE in a handover command. The UE checks the received NCC against its stored NCC, and if both of them are the same, then it is determined that KeNB* transmitted by the source eNB to the target eNB has been calculated from KeNB in the source cell, and the UE calculates KeNB* from KeNB in the source cell. If the received NCC is different from the NCC stored by the UE, then it is determined that KeNB* transmitted by the source eNB to the target eNB has been calculated from the NH corresponding to the NCC received by the source eNB, and the UE calculates the difference Delta between the received NCC and its stored NCC as follows:
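$$\mathrm{Delta} = \begin{cases} \mathrm{NCC\_new} - \mathrm{NCC\_old} & (\text{if } \mathrm{NCC\_new} > \mathrm{NCC\_old}) \\ \mathrm{NCC\_new} - \mathrm{NCC\_old} + 8 & (\text{if } \mathrm{NCC\_new} < \mathrm{NCC\_old}) \end{cases},$$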
where NCC_new represents the NCC received from the handover command; and NCC_old represents the NCC stored by the UE. The UE calculates the NH used at the network side from Delta and further calculates KeNB*, transmitted by the source eNB to the target eNB, from the NH. For example, the NCC stored by the UE is 7, and the received NCC is 1. The UE calculates Delta as 1-7+8=2. The UE calculates a new NH (corresponding to (NCC_old+1) mod 8, i.e., 0) from the currently used NH (corresponding to NCC_old, i.e., 7) and KASME; and further calculates the NH used at the network side (corresponding to (NCC_old+2) mod 8, i.e., 1) from the new NH and KASME, that is, the NH is calculated iteratively Delta (here 2) times. At this time the NH used by the UE is the same as, i.e., synchronized with, that used at the network side, and here the UE updates the stored NCC_old value with NCC_new. After the NH is synchronized, the UE calculates KeNB* by using the synchronized NH, the PCI of the target cell and the frequency ARFCN of the target cell as input parameters.
After the UE accesses the target cell, the serving MME of the UE will transmit a new pair of {NH, NCC} (including the NH and the NCC corresponding to the NH) to the target eNB in a Path Switch Request ACK message for use by the eNB during a subsequent handover of the UE.
The maximum difference between NCCs allowed for out-of-synchronization of the NCCs is 7 due to the 3-bit length of the NCC. By way of an example, if the UE is X2 handed over 8 times consecutively, and the source eNB calculates KeNB* transmitted to the target eNB from currently used KeNB (it is assumed that KeNB is calculated from an NHx corresponding to an NCCx) in each handover, then the source eNB transmits the NCC equal to the NCCx to the target eNB in preparation of each handover. The target eNB transmits each handover command carrying the NCCx to the UE. However, the MME is unaware that the latest NCC has not been used by the source eNB, and the MME will allocate a new pair of {NCC_new, NH} to the UE in a Path Switch Request ACK message, where NCC_new=(NCCx+1) mod 8 for the first handover, NCC_new=(NCCx+2) mod 8 for the second handover, . . . , and NCC_new=(NCCx+8) mod 8 for the eighth handover. Stated otherwise, if no new NH has been used by the source eNB for each of seven consecutive handovers, then the NH used by the UE cannot be synchronized with that used at the network side in the eighth handover even if the target eNB uses a new NH and transmits an NCC_new corresponding to the new NH to the UE. This is because the received difference between the NCC_new and the NCCx is 0 whereas the real difference between the NCC_new and the NCCx is 8. That is, the NH used by the network is a result of eight iterative calculations by the UE from the NH, and such out-of-synchronization cannot be corrected by the UE. Out-of-synchronization of the NHs due to a difference of 8 or above between the NCC corresponding to the NH used at the UE side and the NCC corresponding to the latest NH allocated at the network side will be referred to as unrecoverable out-of-synchronization.
At present, a relay node has been introduced by various manufacturers and standardization organizations to a cellular system for extended coverage in order to address the issues of a network deployment cost and coverage. An RN, unchanged in location, which is referred to as a stationary relay node, does not support mobility. FIG. 4 illustrates the network architecture of the LTE-A system to which an RN is introduced, where the RN accesses a core network through a donor cell under a DeNB without any direct wired interface to the core network, and each RN can control one or more cells. In this architecture, an interface between a UE and the RN is referred to as a Uu interface, and an interface between the RN and the DeNB is referred to as a Un interface.
In the case of a mobile RN, the RN needs to be handed over between the source DeNB and a target DeNB. Subsequent to the handover, the RN needs to notify a serving MME of the UE (served by the RN) about a change in path of uplink and downlink data, so that data originally transmitted to the source DeNB is transmitted to the target DeNB and the downlink data of the UE can arrive at the RN and be transmitted to the UE. This path change for the UE is performed in a path switching procedure. The serving MME of the UE will allocate a new pair of an NH and an NCC to the UE in a Path Switch Request ACK message.
Referring to FIG. 5, an RN is a serving eNB of a UE connected to the RN. The RN is stationary relative to the UE and the serving eNB of the UE is the RN throughout movement with a transportation vehicle. Thus the UE does not need to be handed over via an air interface. However the RN needs to be handed over between different DeNBs, and unrecoverable out-of-synchronization will occur with the NHs used by the MME and the UE after the RN has been handed over consecutively for eight times.
After unrecoverable out-of-synchronization occurs with the NHs used by the MME and the UE, if the UE is handed over out of the cell of the RN (for example, the UE is carried by the user out of the carriage), then the UE will be unable to calculate the NH used by the MME once any of the eNBs chooses to update a key with the NH transmitted by the MME, thus resulting in an error in encryption or integrity protection of the air interface and consequently in an interruption of communication.
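The Delta rule and the eight-switch wraparound described above can be reproduced in a short simulation. This is an added example, not part of the original text: the HMAC-SHA256 kdf is a stand-in for the real key derivation function, and the KASME, PCI, ARFCN values and the starting NCC of 1 are constructed assumptions.

```python
import hashlib
import hmac

def kdf(key, *parts):
    # Stand-in KDF (HMAC-SHA256 over labelled inputs), not the 3GPP input encoding.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def next_nh(kasme, prev):
    # New NH from KASME and the previous NH (or KeNB for the first NH).
    return kdf(kasme, b"NH", prev)

def kenb_star(base, pci, arfcn):
    # base is either the current KeNB or an NH; PCI and ARFCN are the target cell's.
    return kdf(base, b"KeNB*", pci.to_bytes(2, "big"), arfcn.to_bytes(4, "big"))

def delta(ncc_new, ncc_old):
    # Both branches of the Delta formula; 0 means the NCCs are equal.
    return (ncc_new - ncc_old) % 8

class UE:
    def __init__(self, kasme, kenb, nh, ncc):
        self.kasme, self.kenb, self.nh, self.ncc = kasme, kenb, nh, ncc

    def handover(self, ncc_rx, pci, arfcn):
        d = delta(ncc_rx, self.ncc)
        for _ in range(d):                   # iterate the NH chain Delta times
            self.nh = next_nh(self.kasme, self.nh)
        self.ncc = ncc_rx
        base = self.nh if d else self.kenb   # same NCC: derive from current KeNB
        self.kenb = kenb_star(base, pci, arfcn)
        return self.kenb

def keys_match_after(path_switches, pci=301, arfcn=1850):
    # Constructed sample values: KASME, PCI and ARFCN are illustrative only.
    kasme = bytes(range(32))
    kenb = kdf(kasme, b"KeNB")
    nh = next_nh(kasme, kenb)
    ue = UE(kasme, kenb, nh, ncc=1)
    count = 1                                # MME's unbounded view of the NH count
    for _ in range(path_switches):           # RN changes DeNB; the UE sees no handover
        nh = next_nh(kasme, nh)
        count += 1
    # UE leaves the RN cell; the target eNB keys from the MME's latest NH
    # and signals only the 3-bit NCC.
    return kenb_star(nh, pci, arfcn) == ue.handover(count % 8, pci, arfcn)

if __name__ == "__main__":
    for n in (1, 7, 8):
        print(n, "path switches -> keys match:", keys_match_after(n))
```

With up to seven path switches the UE recovers the network's NH from the 3-bit NCC; at eight the signalled NCC equals the stored one, the UE derives from its current KeNB, and the two sides end up with different keys.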