In a Long Term Evolution (LTE) network, transmission of a Non-Access Stratum (NAS) message between a Mobility Management Entity (MME) and a User Equipment (UE) is integrity-protected and security-protected. The MME can decide which security algorithm to use according to a network capability reported by the UE and the capabilities and priorities of the security algorithms configured by the MME.
In the existing solution, in which capabilities and priorities of algorithms are configured on the MME, it may not be easy to change a set of algorithms and their priorities when the configuration data is fixed. Moreover, the algorithms currently in use include the Evolved Packet System (EPS) Encryption Algorithms 0 to 7 (EEA0 to EEA7, where EEA stands for EPS Encryption Algorithm) and the EPS Integrity Algorithms 0 to 7 (EIA0 to EIA7, where EIA stands for EPS Integrity Algorithm), each of which differs from the others in security protection level and operation efficiency. The existing solution for configuring a list of NAS algorithms cannot accommodate a user's demand for diversity in NAS security algorithms.
In the LTE network, the MME selects an encryption algorithm and an integrity algorithm depending primarily upon a UE security capability reported by the UE and a set of algorithms and their priorities configured on the MME.
According to the protocol 3GPP TS 33.401 V9.4.0, Section 7.2.4.3, the MME needs to be capable of configuring a list of encryption algorithms and a list of integrity algorithms. When a NAS security context is created, the MME selects the NAS security algorithm ranked at the highest priority from the set of algorithms. The MME then initiates a security mode control procedure and sends the selected algorithm and a security capability supported by the UE to the UE in a Security Mode Command message.
In other words, the MME decides and selects the algorithm according to the UE security capability and the set of NAS security algorithms and priorities of the algorithms configured at the network side.
The security capability of the UE side is decided by the algorithms supported by the UE itself and possibly the security capability of the UE itself. The set of NAS security algorithms and the priorities of the algorithms configured at the network side are preconfigured on the MME. If a plurality of UEs report the same security capability, then the MME will necessarily select the same algorithm for all of them, without reflecting the differences and the diversity between users.
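The selection just described can be sketched as follows. This is an added example, not code from the original text or from 3GPP; the function names, the one-octet bitmap layout (most significant bit standing for algorithm 0) and all sample values are assumptions constructed for illustration. Note that the selection takes no subscriber identity as input, so the result depends only on the reported capability and the MME-wide priority lists.

```python
# Added illustration: priority-based NAS algorithm selection on the MME.
# Names, bitmap layout and sample values are assumptions, not taken from the page.

def supported_ids(bitmap):
    """Decode a one-octet capability bitmap (assumed layout: MSB = algorithm 0)."""
    if not 0 <= bitmap <= 0xFF:
        raise ValueError("capability bitmap must fit in one octet")
    return {i for i in range(8) if bitmap & (0x80 >> i)}

def pick(priority, bitmap, family):
    """Return the first entry of the MME priority list that the UE also supports."""
    ue = supported_ids(bitmap)
    for alg in priority:
        if alg in ue:
            return alg
    raise LookupError(f"no common {family} algorithm")

def select_nas_algorithms(ue_eea, ue_eia, mme_eea_prio, mme_eia_prio):
    """Fields for the Security Mode Command: chosen algorithms plus the UE capability."""
    return {
        "eea": pick(mme_eea_prio, ue_eea, "EEA"),
        "eia": pick(mme_eia_prio, ue_eia, "EIA"),
        "ue_security_capability": (ue_eea, ue_eia),
    }

# Constructed MME configuration: highest priority first, one list for all UEs.
MME_EEA_PRIORITY = [2, 1, 0]
MME_EIA_PRIORITY = [2, 1]

# Constructed UE capability reports as (EEA bitmap, EIA bitmap).
UE_A = (0b11100000, 0b01100000)  # EEA0-2, EIA1-2
UE_B = (0b11100000, 0b01100000)  # a different user, identical capability
UE_C = (0b11000000, 0b01000000)  # EEA0-1, EIA1
UE_D = (0b10000000, 0b10000000)  # EEA0 and EIA0 only

def choose(ue):
    return select_nas_algorithms(ue[0], ue[1], MME_EEA_PRIORITY, MME_EIA_PRIORITY)

if __name__ == "__main__":
    for name, ue in (("A", UE_A), ("B", UE_B), ("C", UE_C)):
        print(name, choose(ue))
    try:
        choose(UE_D)
    except LookupError as exc:
        # EIA0 is not in the MME integrity list, so no algorithm can be selected.
        print("D", exc)
```

UE A and UE B receive identical algorithms because nothing user-specific enters the decision; changing the outcome for one of them would require changing the MME-wide lists.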
Moreover, each of the encryption algorithms EEA0 to EEA7 and the integrity algorithms EIA0 to EIA7 differs from the others in security protection level and operation efficiency. The required efficiency and security level vary from one user to another.
In summary, with the prior-art solution for configuring the list of NAS security algorithms at the network side, an operator cannot flexibly change, for a particular UE, the security algorithm used at the NAS.