A 3rd generation partnership project (3GPP) evolved packet system (EPS) comprises an EUTRAN and an EPS core network (EPC, evolved packet core).
The EPC comprises a mobility management entity (MME). The MME takes charge of operations related to the control plane, such as mobility management, signaling processing of the non-access stratum (NAS), and management of the user security mode. The MME stores a root key of the EUTRAN, that is, the key of the access security management entity (KASME), and uses the KASME and an uplink non-access stratum sequence number (NAS SQN) to generate the root key of the access stratum used by an evolved Node B (eNB), that is, the eNB key (KeNB). A key set identifier for the access security management entity (KSIASME) or a key set identifier for an SGSN (KSISGSN) is an identifier of the key KASME (also called the key sequence number). It is used for identifying and retrieving a key between a UE and the network side and has a length of 3 bits. If the KASME is generated directly through an authentication and key agreement (AKA) procedure of the EPS, the KSIASME is used as the identifier of the KASME; if the KASME is generated by mapping a key of the UMTS or the GERAN, the KSISGSN is used as the identifier of the KASME.
When a connection is established between a UE and the network side, the UE or the network side may use the KSIASME to inform the other party that a designated, previously stored key may be used to establish a security context. This avoids performing an AKA for each connection and saves network resources. When a key needs to be deleted because its lifetime has expired or for other reasons, the UE sets the KSIASME to ‘111’.
In the EUTRAN, the base station device is an eNB, which mainly takes charge of wireless communication, wireless communication management and mobility context management.
In a 3GPP universal mobile telecommunication system (UMTS), the device in charge of the management of packet domain mobility context and/or management of the user security mode is a serving GPRS support node (SGSN). The SGSN also takes charge of the authentication and security management of the UTRAN of the UMTS and stores a key set including an integrity key (IK) and a ciphering key (CK). The identifier of the key set is a key set identifier (KSI). The function and usage of the KSI are similar to those of the KSIASME in the EPS: both are used for identifying and retrieving a key between the UE and the network side, and the KSI also has a length of 3 bits. A KSI equal to ‘111’ means that no keys can be used and the KSI is invalid. When an association is needed between the UE and the SGSN to establish a UMTS secure connection, a UE that has stored a usable key sends the stored KSI to the SGSN. The SGSN checks whether the KSI it has stored is the same as the one sent by the UE and, if so, uses the stored key set to establish a security context through association and sends the KSI back to the UE to confirm the key the SGSN uses. If no usable keys are stored in the UE, the UE sets the KSI to ‘111’ and sends it to the SGSN; after checking that the KSI is ‘111’, the SGSN sends an authentication request message to an HLR/HSS, and the UE and the network side then re-perform an AKA to generate a new key set.
In a GSM/EDGE system, the device in charge of management of the packet domain mobility context and/or management of the user security mode is also an SGSN. The SGSN takes charge of the authentication and security management of the GSM/EDGE radio access network (GERAN) and stores a ciphering key (Kc) of the GERAN. The identifier of the Kc is a ciphering key sequence number (CKSN), whose function and usage are identical to those of the KSI.
When the UE transfers from the EUTRAN to the UTRAN, the MME generates an IK and a CK for the target network using the KASME and sends the generated IK and CK to the SGSN. The UE and the SGSN use the IK and the CK to associate a corresponding security algorithm and establish a UTRAN security context. The transfer is of one of two types: a transfer performed when the radio resource control (RRC) is in an active state, and a transfer performed when the UE is in an idle state. The transfer in an active state includes a handover and so on, and the transfer in an idle state includes a routing area update, an attachment request and so on.
When the UE transfers from the EUTRAN to the GERAN, the MME generates a CK and an IK using the KASME (with the key generation method that is the same as the method used during the transfer to the UMTS), and then sends the generated IK and CK to the SGSN, and the SGSN uses the IK and the CK to generate the key Kc for the GERAN.
In existing techniques, the KSIASME, the KSI and the CKSN are all generated at the network side during an authentication process and then sent to the UE via an authentication request. However, although the MME generates the IK and the CK needed by the target UTRAN or GERAN during the transfer from the EUTRAN, no corresponding identifier is provided for this pair of keys. Once the transfer is completed, the UE and the SGSN can neither retrieve the keys generated during the transfer nor reuse them. When the UE and the network side reestablish an RRC or other connection, the stored keys cannot be used, so the UE and the network side have no choice but to perform an AKA first to generate new keys and only then establish a wireless connection. This increases the signaling overhead of the UE and the network side and delays normal communication between them, which reduces user satisfaction.
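The KSI check at the SGSN described above, and the gap left when mapped keys arrive without an identifier, can be modelled as follows. This is an added example, not taken from the original text: the `Sgsn` class, its method names, the key bytes and the IMSI are constructed for illustration, and treating a KSI mismatch like "no key" is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

KSI_NO_KEY = 0b111  # 3-bit value meaning "no usable key"

@dataclass
class KeySet:
    ck: bytes
    ik: bytes
    ksi: Optional[int]  # None models mapped keys that carry no identifier

@dataclass
class Sgsn:
    """Hypothetical SGSN-side key store indexed by subscriber identity."""
    store: dict = field(default_factory=dict)
    next_ksi: int = 0
    aka_runs: int = 0

    def run_aka(self, imsi):
        # Stand-in for a real AKA run: constructed keys plus a fresh KSI.
        self.aka_runs += 1
        ksi = self.next_ksi
        self.next_ksi = (self.next_ksi + 1) % KSI_NO_KEY  # never hands out 0b111
        n = self.aka_runs
        self.store[imsi] = KeySet(bytes([n]) * 16, bytes([n ^ 0xFF]) * 16, ksi)
        return ksi

    def receive_mapped_keys(self, imsi, ck, ik):
        # IK/CK forwarded by the MME on an EUTRAN -> UTRAN transfer: no KSI attached.
        self.store[imsi] = KeySet(ck, ik, None)

    def connect(self, imsi, ue_ksi):
        """Return (confirmed_ksi, reused). Keys are reused only on a KSI match."""
        if not 0 <= ue_ksi <= 0b111:
            raise ValueError("KSI is a 3-bit field")
        ks = self.store.get(imsi)
        if ue_ksi != KSI_NO_KEY and ks is not None and ks.ksi == ue_ksi:
            return ks.ksi, True
        # KSI '111', no stored keys, or a mismatch (assumption): fall back to AKA.
        return self.run_aka(imsi), False

def demo():
    sgsn, imsi = Sgsn(), "001010000000001"  # constructed test IMSI
    ksi, first = sgsn.connect(imsi, KSI_NO_KEY)      # no key yet: AKA
    _, second = sgsn.connect(imsi, ksi)              # stored KSI matches: reuse
    sgsn.receive_mapped_keys(imsi, b"\x11" * 16, b"\x22" * 16)
    # The UE holds the mapped keys too, but has no KSI to name them.
    _, third = sgsn.connect(imsi, KSI_NO_KEY)
    return first, second, third, sgsn.aka_runs

if __name__ == "__main__":
    print(demo())
```

The third connection falls back to AKA even though both sides still hold the mapped IK and CK, which is the extra signaling the paragraph above describes.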