In the LTE (Long Term Evolution) system, security measures are taken for the “AS (Access Stratum)” which is for communication between a mobile station UE and a radio base station eNB.
Specifically, in the LTE system, the “C-plane Ciphering”, “C-plane Integrity Protection”, and “U-plane Ciphering” are employed as such security measures.
In this respect, a key KRRC,ciph is used when the C-plane Ciphering is performed, a key KRRC,IP is used when the C-plane Integrity Protection is performed, and a key KUP,ciph is used when the U-plane Ciphering is performed. All of these keys are generated from a base station key KeNB.
FIG. 5(a) shows a typical layer structure of keys used in the LTE system. Here, a key KASME is a key known only to an upper station MME and a mobile station UE, and is used for generating a base station key KeNB.
Note that a layer structure of keys used in the LTE system may have a form as shown in FIG. 5(b), since generating a base station key KeNB requires a parameter called “NH (Next Hop)”, which is generated from a key KASME.
Meanwhile, on a network side, a base station key KeNB is configured to be managed per mobile station UE by each radio base station eNB, and to be updated when the corresponding mobile station UE performs a handover.
The base station key KeNB is also managed by the mobile station UE so that the mobile station UE performs communication with the radio base station eNB. Using the same base station key KeNB, the radio base station eNB and the mobile station UE can perform communication with security.
Next, a brief description is given of a procedure for updating a base station key KeNB with reference to FIG. 6.
In Step (1), when setting up connection for a mobile station UE, an upper station MME generates a temporary initial key (KeNB) on the basis of a key KASME and a “NAS SN (a sequence number in NAS=Non Access Stratum)”.
In Step (2), the upper station MME notifies a radio base station eNB#1 of the temporary initial key (KeNB) as an intermediate key KeNB*. In Step (3), the radio base station eNB#1 stores the received intermediate key KeNB* without changing it as a base station key KeNB.
In Step (11), the upper station MME also generates a parameter NH* on the basis of the key KASME and the temporary initial key (KeNB), and notifies the radio base station eNB#1 of the parameter NH*.
In Step (12), the radio base station eNB#1 stores the received parameter NH* without changing it as a parameter NH.
Consider a case where the mobile station UE thereafter performs a handover from a cell #1 under the control of the radio base station eNB#1 to a cell #2 under the control of a radio base station eNB#2. In this case, the radio base station eNB#1 generates an intermediate key KeNB* in Step (4) by inputting the current base station key KeNB and the PCI (Physical Cell ID) of the cell #2 into a first function, more concretely, on the basis of the first function (key derivation function)=KDF (KeNB, PCI), and notifies the radio base station eNB#2 of the intermediate key KeNB*.
Alternatively, the radio base station eNB#1 generates an intermediate key KeNB* in Step (13) by inputting the current parameter NH and the PCI of the cell #2 into a first function, more concretely, on the basis of the first function (key derivation function)=KDF (NH, PCI), and notifies the radio base station eNB#2 of the intermediate key KeNB*, when the mobile station UE performs a handover from the cell #1 under the control of the radio base station eNB#1 to the cell #2 under the control of the radio base station eNB#2.
In such calculation processing for the intermediate key KeNB*, the key is updated on the basis of the PCI. The operation for updating the key on the basis of the PCI as described above is called a “PCI binding”.
Here, the radio base station eNB#1 also notifies the radio base station eNB#2 of an “index increase identifier (Index increase indicator)” indicating which of KDF (KeNB, PCI) and KDF (NH, PCI) is used as a basis for generating the intermediate key KeNB*.
The radio base station eNB#2 having received the intermediate key KeNB* judges whether or not to perform a “C-RNTI binding” for the intermediate key KeNB*, on the basis of the “index increase identifier”.
Specifically, if the radio base station eNB#2 recognizes from the “index increase identifier” that the intermediate key KeNB* is generated on the basis of KDF (KeNB, PCI), the radio base station eNB#2 generates a base station key KeNB in Step (5) by inputting the intermediate key KeNB* and a mobile station identifier C-RNTI into a second function, more concretely, on the basis of KDF (KeNB*, C-RNTI). Here, the mobile station identifier C-RNTI is allocated temporarily to the mobile station UE in the cell #2.
On the other hand, if the radio base station eNB#2 recognizes from the “index increase identifier” that the intermediate key KeNB* is generated on the basis of a current parameter NH, the radio base station eNB#2 sets the received intermediate key KeNB* as a base station key KeNB in Step (14).
Note that the radio base station eNB#2 acquires a parameter NH newly from the upper station MME, when the upper station MME performs a “Path Switch”, in preparation for a next handover for the mobile station UE.
Moreover, the radio base station eNB#1 notifies the mobile station UE of a parameter NCC (NH Chaining Count) through a handover command signal (Handover Command). Here, the parameter NCC indicates a number for the current parameter NH.
The mobile station UE updates a current base station key KeNB[m] with the following formulae to acquire a base station key KeNB[m+1] if the received parameter NCC is the same as the NCC held in itself.
KeNB*=KDF(KeNB[m], PCI)
KeNB[m+1]=KDF(KeNB*, C-RNTI)
On the other hand, if the received parameter NCC is larger than the NCC held in the mobile station UE, the mobile station UE repeats calculation with the following formulae and updates the parameter NH until the NCC held in itself becomes equal to the received parameter NCC. The mobile station UE increments by one the NCC held in itself in every calculation with the following formulae:
NH*=KDF(KASME, NH[m])
NH[m+1]=NH*
With the aforementioned procedure, the base station key KeNB is updated in both of the mobile station UE and the radio base station eNB.
Meanwhile, when a handover fails for some reason or when a problem with a radio link (Radio Link Failure) occurs during communication, the communication can be restored by the execution of reconnection control.
In order for the LTE system to succeed in the reconnection control, a radio base station eNB, to which the reconnection is to be performed, needs to hold beforehand the context of the mobile station UE (UE context). The LTE system thus can perform a “handover preparation process (HO Preparation)” on multiple neighbor cells.
The reason why the handover-source radio base station performs a “PCI binding” here is to ensure as much as possible the uniqueness of an intermediate key KeNB* in multiple cells in the execution of a “handover preparation process (HO Preparation)” on the cells and thereby to improve the security in the mobile communication system.
The use of the same intermediate key KeNB* for multiple cells in a handover preparation process accidentally allows radio base stations eNB having the intermediate key KeNB* to derive a base station key KeNB to be used by a handover-target radio base station eNB for communication with the mobile station UE. This makes the network vulnerable in terms of security.
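The key update procedure of FIG. 6 and the per-cell uniqueness that the “PCI binding” gives during a handover preparation process can be traced in code. The following is an added example, not part of the original text: it assumes HMAC-SHA-256 as a stand-in for KDF, a 2-byte encoding of PCI and C-RNTI, an NH chain seeded with the initial KeNB so that the first iteration matches Step (11), and a UE that mirrors Steps (13)/(14) after catching up on NH. All key values are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, param: bytes) -> bytes:
    # Assumed stand-in: HMAC-SHA-256. The text only writes KDF(key, parameter).
    return hmac.new(key, param, hashlib.sha256).digest()

def u16(value: int) -> bytes:
    return value.to_bytes(2, "big")  # assumed 2-byte encoding of PCI / C-RNTI

def nh_for(kasme: bytes, kenb_initial: bytes, ncc: int) -> bytes:
    """MME side: NH[m+1] = KDF(KASME, NH[m]), chain seeded with the initial KeNB."""
    nh = kenb_initial
    for _ in range(ncc):
        nh = kdf(kasme, nh)
    return nh

def source_prepare(kenb: bytes, nh: bytes, pci: int, use_nh: bool):
    """Steps (4)/(13): PCI binding. Returns (KeNB*, index increase indicator)."""
    return kdf(nh if use_nh else kenb, u16(pci)), use_nh

def target_accept(kenb_star: bytes, index_increased: bool, c_rnti: int) -> bytes:
    """Steps (5)/(14): C-RNTI binding only when KeNB* came from KDF(KeNB, PCI)."""
    return kenb_star if index_increased else kdf(kenb_star, u16(c_rnti))

class UE:
    def __init__(self, kasme: bytes, nas_sn: bytes):
        self.kasme = kasme
        self.kenb = kdf(kasme, nas_sn)    # Step (1): temporary initial key
        self.nh, self.ncc = self.kenb, 0  # assumption: NCC 0 refers to the chain seed

    def handover(self, ncc: int, pci: int, c_rnti: int) -> bytes:
        if ncc < self.ncc:  # case not covered by the text; guard added here
            raise ValueError("received NCC is smaller than the NCC held by the UE")
        if ncc == self.ncc:  # KeNB* = KDF(KeNB[m], PCI), then C-RNTI binding
            self.kenb = kdf(kdf(self.kenb, u16(pci)), u16(c_rnti))
        else:
            while self.ncc < ncc:  # NH* = KDF(KASME, NH[m]), NCC incremented by one
                self.nh, self.ncc = kdf(self.kasme, self.nh), self.ncc + 1
            self.kenb = kdf(self.nh, u16(pci))  # assumed mirror of Steps (13)/(14)
        return self.kenb

def prepare_neighbours(kenb: bytes, pcis):
    """HO Preparation on several cells: one PCI-bound KeNB* per candidate cell."""
    return {pci: source_prepare(kenb, b"", pci, False)[0] for pci in pcis}

# Constructed sample values, not real key material.
KASME, NAS_SN = bytes(range(32)), (7).to_bytes(4, "big")
```

Because each prepared cell receives a different KeNB*, a radio base station that was prepared but not selected cannot compute the base station key used in the cell the mobile station UE actually enters.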