Title of Invention

METHOD, DEVICE, AND SYSTEM FOR OBTAINING KEYS

Abstract
A method, a device, and a system for obtaining keys are provided to enable a network device
that requires key information to obtain that key information after the authenticator is
relocated. The method includes: the network device that requires key information receives an
indication that authenticator relocation has occurred, sends a key request to the relocated
authenticator, and receives the key information returned by the authenticator. The network
device serving the mobile user can therefore still obtain the key information even if the
authenticator is relocated, the subsequent communication process can continue normally, and
the communication performance of the wireless communication system is improved.
FIELD OF THE INVENTION
The present invention relates to network communication technologies, and in particular, to
obtaining keys when the authenticator is relocated.
BACKGROUND
With the rapid development of the Internet and the wide deployment of wireless networks,
wireless systems face stricter requirements for protecting the security of mobile users. In
addition to device authentication, user authentication, and service authentication, a secure
channel needs to be set up between Access Points (APs) or Base Stations (BSs) to exchange
confidential information, and confidentiality-protected channels need to be set up between
the BS and the authenticator and between the authenticator and the authentication server.
In wireless networks, the mobile user initiates authentication toward an authenticator such
as a Network Access Server (NAS). After the authentication succeeds, the Foreign Agent (FA)
serving the mobile user communicates with the NAS to obtain the key information used in the
subsequent communication process.
When re-authentication of the Mobile Station (MS) is initiated, the FA obtains the key as
follows. As shown in FIG. 1, the authentication process includes the following steps:
Step 1: The MS accesses the network through NAS 1 and is authenticated successfully.
Specifically, NAS 1 initiates an authentication process toward the Authentication,
Authorization and Accounting (AAA) server, completes the authentication, and determines that
the MS is authenticated successfully.
Step 2: When necessary, the FA sends a request to NAS 1 for the Mobile Node (MN)-FA key or
the FA-Home Agent (HA) key.
Step 3: The MS is re-authenticated through NAS 1.
Like the initial authentication, the re-authentication may be initiated by NAS 1 toward the
AAA server.
Step 4: The MS sends a Mobile IP Registration Request (MIP-RRQ) message to the FA. The
message carries an authentication extension calculated with the new key. The Security
Parameter Index (SPI) is likewise derived from the FA-Root Key (FA-RK) generated after
re-authentication, or is generated by other means.
Step 5: After receiving the registration message, the FA compares the SPI in the MIP-RRQ
message with the SPI it holds locally. Once it determines that the SPI has changed, which
means that re-authentication has occurred, the FA requests the updated key information from
NAS 1.

Because re-authentication has occurred in step 3, the key information on NAS 1 and the MS
has been updated, but the FA is unaware of the key information updated after the
re-authentication. Therefore, the FA needs to request the updated key information from NAS
1.
Step 6: After obtaining the key, the FA can go on to handle the MIP-RRQ message and
complete the subsequent process.
In the foregoing process, no matter whether re-authentication occurs, as long as the FA is
relocated, step 5 needs to be performed after the FA receives the MIP-RRQ message in order
to request the key from NAS 1 and obtain the current key for performing the subsequent
process.
In the course of developing the present invention, the inventor found at least the following
defect in the prior art:
If the NAS is relocated while the MS is being re-authenticated, the FA is unable to obtain
key information from the relocated NAS. Consequently, after the NAS is relocated, the FA is
unable to process the received MIP-RRQ message.
SUMMARY
The embodiments of the present invention provide a method, a device, and a system for
obtaining keys so that the network device that requires the key information can still obtain the
key information even if the authenticator is relocated, and the subsequent communication
process can go on normally.
A method for obtaining keys is provided in an embodiment of the present invention to enable
the network device that requires key information to obtain the key information after the
authenticator is relocated. The method includes:
by a network device that requires key information, receiving an indication about
occurrence of authenticator relocation, sending a key request to the relocated authenticator,
receiving the key information returned by the authenticator, and obtaining the key
information corresponding to the terminal.
Another method for obtaining keys is provided in an embodiment of the present invention to
enable the network device that requires key information to obtain the key information after
re-authentication. The method includes:
by a network device that requires key information, receiving an indication about
occurrence of re-authentication, and receiving the key information sent by the authenticator
and corresponding to the terminal.
A network device is provided in an embodiment of the present invention. The network device
includes:
an authenticator relocation determining unit, adapted to determine relocation of the
authenticator corresponding to the terminal according to the received indication about
occurrence of authenticator relocation; and
a key requesting and obtaining unit, adapted to: send a key request to the relocated
authenticator after the authenticator relocation determining unit determines that the
authenticator corresponding to the terminal is relocated, receive the key information returned
by the authenticator, and obtain the key information corresponding to the terminal.
An authenticator is provided in an embodiment of the present invention. The authenticator
includes:
a key request receiving unit, adapted to receive the key request sent by a network
device that requires key information; and
a key information sending unit, adapted to send generated key information
corresponding to the terminal to the network device that requires the key information after the
key request receiving unit receives the key request.
A terminal is provided in an embodiment of the present invention. The terminal includes:
a relocation determining unit, adapted to: receive the identification information sent
by the authenticator in the authentication process, and compare the currently received
authenticator identification information with the previously received authenticator
identification information to determine whether the authenticator is relocated; and
an indication transmitting unit, adapted to send an indication about occurrence of
authenticator relocation to the network device that requires key information after the
relocation determining unit determines that relocation has occurred.
A system for obtaining a key is provided in an embodiment of the present invention. The
system includes:
an authenticator, adapted to: receive a key request sent by a network device that
requires key information, and send the generated key information corresponding to the
terminal to the network device; and
a network device that requires key information, adapted to: receive an indication
about occurrence of authenticator relocation, send a key request to the relocated
authenticator, and receive the key information returned by the authenticator.
Another system for obtaining a key is provided in an embodiment of the present invention.
The system includes:
an authenticator, adapted to send the generated key information corresponding to the
terminal to a network device that requires key information; and
a network device that requires key information, adapted to: receive an indication
about occurrence of re-authentication, and receive the key information sent by the
authenticator and corresponding to the terminal.
The technical solution of the present invention shows that the network device that requires
the key information can still obtain the key information even if the authenticator is
relocated, and the subsequent communication process can continue normally. Therefore, the
embodiments of the present invention effectively improve the communication performance of the
wireless communication system.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows a process of an FA obtaining key information in the prior art;
FIG. 2 is the first flowchart of an FA obtaining key information in an embodiment of the
present invention;
FIG. 3 is the second flowchart of an FA obtaining key information in an embodiment of the
present invention;
FIG. 4 is the third flowchart of an FA obtaining key information in an embodiment of the
present invention;
FIG. 5 is a state machine of a process of an FA obtaining key information in an embodiment
of the present invention;
FIG. 6 shows a complete process of a method for obtaining a key in an embodiment of the
present invention; and
FIG. 7 shows a structure of a system for obtaining a key in an embodiment of the present
invention.
DETAILED DESCRIPTION
Through the embodiments of the present invention, a network device that requires key
information can obtain the key information after the authenticator of the terminal is relocated.
That is, the network device that requires key information determines that the authenticator
corresponding to the terminal is relocated after receiving an indication about occurrence of
authenticator relocation, sends a key request to the relocated authenticator, receives the key
information returned by the authenticator, and obtains the key information corresponding to
the terminal.
In the embodiments of the present invention, the network device that requires key
information may be, but is not limited to, an FA, a BS, or a gateway (GW). The key
information includes at least one of, but is not limited to, a key, an SPI, and a key
lifetime.

The indication that authenticator relocation has occurred may be sent to the network device
that requires the key information by the relocated authenticator, the old authenticator (the
authenticator before relocation), the terminal, a Home Agent (HA), or the AAA server.
Optionally, the relocated authenticator, the old authenticator, the terminal, the HA, or the
AAA server may send the address of the relocated authenticator to that network device. If the
address is sent by the old authenticator, the old authenticator needs to maintain the mapping
between the terminal and the address of the relocated authenticator and, optionally, set a
lifetime for that mapping. The mapping can then be deleted when the preset period expires,
releasing the storage and management resources it occupies.
If the indication is sent by the terminal, the terminal needs to determine beforehand that
authenticator relocation has occurred. The terminal may do so as follows: in the
authentication process, the authenticator sends its identification information to the
terminal; the terminal compares the currently received authenticator identification
information with the previously received authenticator identification information, and
decides from the comparison whether the authenticator has been relocated. For example, the
identification information may include the address of the authenticator and/or the number of
hops from the authenticator to the gateway.
In an embodiment of the present invention, after generating the key information
corresponding to the terminal, the relocated authenticator may send the key information to the
network device that requires the key information. Optionally, the relocated authenticator
sends the generated key information corresponding to the terminal to the old authenticator,
and the old authenticator sends the key information to the network device.
In an embodiment of the present invention, after determining that the authenticator
corresponding to the terminal is relocated, the network device that requires key information
may optionally check whether key information has already been received from the relocated
authenticator. If no such key information has been received, the network device obtains the
key information by sending a key request to the relocated authenticator.
Before sending a key request to the relocated authenticator, the network device that requires
key information may first obtain the address of the relocated authenticator, so that it can
direct the key request there. Specifically, the address of the relocated authenticator may be
obtained in two ways:
requesting the address of the relocated authenticator from the old authenticator
(namely, the authenticator before relocation); or
receiving the address of the relocated authenticator proactively sent by the relocated
authenticator or the old authenticator.
If a network device that requires key information (such as an FA, a BS, or a GW) is also
relocated while the authenticator is being relocated, any of the following may be used: the
relocated authenticator sends the key information to the old network device (namely, the
network device before relocation) first, and the old network device forwards it to the
relocated network device; or the old network device sends an indication that the network
device has been relocated, or the address of the relocated network device, to the relocated
authenticator; or the relocated network device itself sends that indication or its own
address to the relocated authenticator. In either of the last two cases, the relocated
authenticator can then send the key information directly to the relocated network device.
Supposing that the network device that requires key information is an FA, the process of
obtaining the key information in different scenarios is described below:
(1) The FA is relocated before the NAS is relocated, and the new FA (relocated FA)
obtains the address of the old authenticator (the authenticator before relocation).
In this case, the new FA serves as the current FA of the terminal, and it can obtain the
key information through the foregoing process.
(2) The NAS is relocated before the FA is relocated, and the old FA (the FA before
relocation) already holds the address of the new NAS (relocated NAS).
In this case, the new FA can obtain the address of the new NAS during the FA relocation,
and the key information can be obtained easily. For example, the relocated FA sends an
indication about the FA relocation or the address of the relocated FA to the new NAS, or the
old FA sends an indication about the FA relocation or the address of the new FA to the new
NAS. Afterward, the new NAS sends the key information to the relocated FA.
(3) The old NAS is being relocated while the FA is being relocated.
In this case, the new FA requests a key from the old NAS. While the old NAS is answering
that request, the following may happen:
If the old NAS notifies the new FA that the NAS is being relocated and also gives it the
address of the new NAS, the new FA sends a key request to the new NAS. If re-authentication
has completed, the new NAS returns the new key information; otherwise, the new NAS either
returns an instruction that tells the new FA to wait, or sends the new key information to the
new FA after re-authentication completes; and
If the old NAS notifies the new FA that the NAS is being relocated without giving it the
address of the new NAS, the new FA may request the address of the new NAS from the old NAS,
or the relocated authenticator may send the key information to the old FA first and the old
FA forwards it to the relocated FA, or the new FA may wait for the new NAS to update the key
proactively.
In the embodiments of the present invention, before determining whether the authenticator
corresponding to the terminal is relocated, the network device that requires key information
first determines whether the terminal has been re-authenticated. If so, it further determines
whether the authenticator corresponding to the terminal is relocated, and if the authenticator
is relocated, it obtains the key information as described in the embodiments. The network
device determines whether the terminal has been re-authenticated as follows: it stores the
SPI between the terminal and the HA; if the SPI received in a registration request sent by
the terminal or another device differs from the stored SPI, the terminal has been
re-authenticated; otherwise, it has not. Alternatively, the network device may determine
whether the terminal has been re-authenticated from an explicit or implicit re-authentication
indication in the received message.
If the network device that requires key information is an FA, the key information to be
obtained by the FA may be Mobile IP (MIP) key information. This embodiment allows the MIP key
to be obtained even when the NAS is relocated while the FA is updating the MIP key, reduces
the number of race scenarios between NAS relocation and the key update, shortens the time
spent obtaining the key, and helps the FA obtain a valid MIP key. The MIP key may be an MN-FA
key or an FA-HA key. However, the embodiments of the present invention are not limited to
this exemplary application.
While the terminal is being re-authenticated, the authenticator may be relocated, or the
re-authentication may be performed directly on the old authenticator. When the authenticator
is relocated, the FA needs to be notified of the address of the new authenticator so that it
can request the key information subsequently. FA relocation is independent of authenticator
relocation and may be synchronous or asynchronous with it.
Supposing a scenario that the NAS (serving as an authenticator) is relocated and the key
information to be obtained by the FA includes an MN-FA key, the process of implementing
the embodiment of the present invention is described below. In this scenario, as shown in FIG.
2, FIG. 3 and FIG. 4, the process includes the following steps:
Step 1: The MS accesses the network through NAS 1 and is authenticated successfully.
Step 2: When requiring an MN-FA key, the FA sends a request (specifically, a context request)
to NAS 1, requesting the corresponding key.
Step 3: The re-authentication for the MS is performed through NAS 2. That is, the NAS is
relocated.
In the re-authentication process, the key information on NAS 2 and the MS is updated, but
the FA is unaware of the re-authentication event and the updated key information.
Step 4: After the re-authentication, the MS or the HA (only the MS is shown in the figure)
sends an MIP-RRQ message to the FA. The message carries an authentication extension
calculated with the new key. The SPI in the message is derived from the FA-RK generated after
the re-authentication, or may itself serve as an indication that re-authentication has
occurred.
Step 5: After receiving the message, the FA compares the SPI carried in the MIP-RRQ
message with the locally maintained SPI. If the two SPIs are different (which indicates that
re-authentication has occurred), or if the occurrence of re-authentication is confirmed by an
indication, the FA obtains the updated key information. Specifically, the FA may send a
context request to NAS 2 to obtain the corresponding key.
In this step, if the FA has been relocated, the new FA is in the same position once it has
obtained the address of the old NAS: it knows the address of the old NAS and needs to obtain
the MIP key information.
In this step, the process of requesting the updated key from the NAS comes in three
scenarios, but is not limited to them. As shown in FIG. 2, FIG. 3, and FIG. 4 respectively,
the process is as follows.
(1) As shown in FIG. 2, if the notification message from NAS 2 to the FA has not
arrived at the FA in the process of relocating NAS 2, the FA requests the key update
information from NAS 1. NAS 1 returns a NAS relocation indication and/or the address of
the new NAS (namely, NAS 2) to the FA, and then the FA sends a key request to NAS 2 to
obtain the corresponding MIP key information.
(2) As shown in FIG. 3, if the notification message from NAS 2 to the FA has not
arrived at the FA in the process of relocating NAS 2, the FA requests the key update
information from NAS 1. NAS 1 returns a NAS relocation indication and/or the address of
the new NAS (namely, NAS 2) to the FA. Before the FA sends a key request to NAS 2, the
notification message about NAS 2 relocation arrives at the FA. If the message carries the
updated key and context information, the FA gives up sending the key request; otherwise, the
FA sends a key request to NAS 2.
(3) As shown in FIG. 4, if the notification message from NAS 2 to the FA arrives at
the FA in the process of relocating NAS 2, and if the message carries the updated key and
context information, the FA gives up sending a key request to NAS 2; otherwise, the FA
sends a key request to NAS 2 to obtain the corresponding MIP key information.
If the FA is also relocated and the update message of NAS 2 is sent to the old FA, the old FA
needs to forward the update message to the new FA, and therefore, the new FA can still obtain
the corresponding MIP key information conveniently; or the old FA returns an indication
about FA relocation or the address of the new FA to NAS 2 and then NAS 2 sends the key
information to the new FA.
Through steps 1-5, the FA obtains the updated key information and then goes on to process
the MIP-RRQ message.
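The three exchanges above (FIG. 2 to FIG. 4), together with the old authenticator's terminal-to-new-NAS mapping with a lifetime described earlier, as an added simulation. This is example code written for this page, not code from the patent or from any product; the message types ('context-request', 'relocation-indication', 'Context-Rpt', 'wait'), the field names, the addresses "nas1"/"nas2" and the terminal "ms1" are assumptions, and the delivery timing of the Context-Rpt notification is scheduled explicitly so that each race can be reproduced offline.

```python
"""FA / NAS 1 / NAS 2 exchange for the three scenarios of FIG. 2 to FIG. 4.

Added example, not code from the patent. Message types, field names and the
addresses are assumptions; the patent names the messages but not their encoding.
"""
from dataclasses import dataclass


@dataclass
class KeyInfo:
    mn_fa_key: bytes
    spi: int
    lifetime: int  # seconds


class OldNAS:
    """NAS 1. After the terminal moves it keeps terminal -> new NAS address with a lifetime."""

    def __init__(self, addr):
        self.addr = addr
        self.keys = {}       # terminal -> KeyInfo issued before relocation
        self.relocated = {}  # terminal -> (new NAS address, expiry time)

    def note_relocation(self, terminal, new_nas_addr, ttl, now):
        self.relocated[terminal] = (new_nas_addr, now + ttl)

    def handle_context_request(self, terminal, now):
        entry = self.relocated.get(terminal)
        if entry is not None and now >= entry[1]:
            del self.relocated[terminal]  # lifetime expired: release the mapping
            entry = None
        if entry is not None:
            return {"type": "relocation-indication", "new_nas": entry[0]}
        if terminal not in self.keys:
            return {"type": "error", "reason": "unknown terminal"}
        return {"type": "context-response", "key": self.keys[terminal]}


class NewNAS:
    """NAS 2. Returns a key only once re-authentication has completed."""

    def __init__(self, addr):
        self.addr = addr
        self.keys = {}

    def reauthenticate(self, terminal, key):
        self.keys[terminal] = key

    def handle_context_request(self, terminal):
        if terminal in self.keys:
            return {"type": "context-response", "key": self.keys[terminal]}
        return {"type": "wait"}  # re-authentication still in progress

    def context_report(self, terminal, include_key):
        msg = {"type": "Context-Rpt", "nas": self.addr, "terminal": terminal}
        if include_key:
            msg["key"] = self.keys[terminal]
        return msg


class FA:
    def __init__(self):
        self.keys = {}
        self._pending = []  # (arrival step, Context-Rpt): constructed scheduling
        self._step = 0

    def schedule_notification(self, arrival_step, msg):
        self._pending.append((arrival_step, msg))

    def _poll(self, terminal):
        for i, (when, msg) in enumerate(self._pending):
            if when <= self._step and msg["terminal"] == terminal:
                return self._pending.pop(i)[1]
        return None

    def obtain_key(self, terminal, old_nas, nas_by_addr, now):
        """Run the FA side of FIG. 2-4; returns (KeyInfo or None, trace of messages)."""
        trace, new_addr = [], None
        note = self._poll(terminal)  # FIG. 4: Context-Rpt already arrived
        if note is None:
            resp = old_nas.handle_context_request(terminal, now)
            trace.append(f"context-request -> {old_nas.addr}: {resp['type']}")
            if resp["type"] == "context-response":
                self.keys[terminal] = resp["key"]
                return resp["key"], trace
            if resp["type"] != "relocation-indication":
                return None, trace
            new_addr = resp["new_nas"]
            self._step += 1
            note = self._poll(terminal)  # FIG. 3: Context-Rpt arrives before asking NAS 2
        if note is not None:
            new_addr = note["nas"]
            trace.append(f"Context-Rpt from {new_addr}: key {'present' if 'key' in note else 'absent'}")
            if "key" in note:
                self.keys[terminal] = note["key"]
                return note["key"], trace
        resp = nas_by_addr[new_addr].handle_context_request(terminal)
        trace.append(f"context-request -> {new_addr}: {resp['type']}")
        if resp["type"] == "context-response":
            self.keys[terminal] = resp["key"]
            return resp["key"], trace
        return None, trace  # 'wait': NAS 2 pushes the key once re-authentication completes


def run_scenario(fig, reauth_done=True, rpt_carries_key=True, now=1000.0):
    """Constructed set-up: ms1 authenticated at NAS 1, then re-authenticated at NAS 2."""
    nas1, nas2, fa = OldNAS("nas1"), NewNAS("nas2"), FA()
    old_key = KeyInfo(b"\x01" * 16, 0x1001, 3600)
    new_key = KeyInfo(b"\x02" * 16, 0x2002, 3600)
    nas1.keys["ms1"] = old_key
    fa.keys["ms1"] = old_key
    nas1.note_relocation("ms1", "nas2", ttl=600, now=now)
    if reauth_done:
        nas2.reauthenticate("ms1", new_key)
    if fig == 3:
        fa.schedule_notification(1, nas2.context_report("ms1", rpt_carries_key))
    elif fig == 4:
        fa.schedule_notification(0, nas2.context_report("ms1", rpt_carries_key))
    return fa.obtain_key("ms1", nas1, {"nas1": nas1, "nas2": nas2}, now)
```

`run_scenario(2)` yields the FIG. 2 trace (request to NAS 1, relocation indication, request to NAS 2); `run_scenario(3)` shows the FA dropping its pending request when the Context-Rpt that overtakes it already carries the key; `run_scenario(2, reauth_done=False)` ends in the 'wait' instruction. The simulation passes messages as plain dicts; in a deployment the context request and the Context-Rpt travel over the protected channel to the authenticator, and the obtained key is used only in the final step to verify the MIP-RRQ authentication extension before the registration is processed.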
In the foregoing scenario, where the MIP-RRQ message carries only an indication that
re-authentication has occurred, another solution is provided in an embodiment of the present
invention: the MIP-RRQ message may additionally carry an indication about relocation of the
NAS. As shown in FIG. 5, the process may include the following steps:
Step 1: The first authentication is performed. During the EAP exchange, NAS 1 sends its own
address, or the number of hops from the NAS to the serving GW, to the MS, and the MS records
it.
Step 2: A re-authentication is performed. The MS receives the address of NAS 1 or the number
of hops from the NAS to the serving GW, and compares it with the previously recorded address
or hop count (namely, the information recorded in step 1). If the information matches, the
MS determines that the NAS has not been relocated.
Step 3: The MIP-RRQ sent by the MS carries an indication that re-authentication has occurred
but the NAS has not been relocated. The indication may be a different SPI derivation rule, or
a separate extension header.
For example, an odd SPI may mean that the NAS is relocated and an even SPI that it is not. If
the indication is an extension header, the header may include a type field indicating the
relocation state of the NAS, or include the address of the current NAS.
Step 4: Another re-authentication is performed. The MS receives the address of NAS 2 or the
number of hops from the NAS to the serving GW, and compares it with the previously recorded
address or hop count. If the information does not match, the MS determines that the NAS has
been relocated.
Step 5: The MIP-RRQ sent by the MS carries an indication that the MS has been re-authenticated
and the NAS has been relocated at the same time.
Based on the foregoing process, the FA may proceed as follows after receiving the
corresponding MIP-RRQ message:
(1) If the MIP-RRQ message carries no NAS address information, the FA acts on the
indication in the message: if no re-authentication has occurred, the FA continues the
process; if re-authentication has occurred but the NAS is not relocated, the FA requests a
key from the old NAS; if re-authentication has occurred and the NAS is relocated at the same
time, the FA waits for the new NAS to send a notification proactively, and if that
notification carries no key information required by the FA, the FA requests the key
information from the new NAS, or requests the new NAS information or the updated key
information from the old NAS; and
(2) if the MIP-RRQ message carries the NAS address information, the FA may request the key
information from the indicated NAS.
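The MS-side relocation check of steps 1 to 5 (FIG. 5) and the FA-side decoding in (1) and (2) above, as an added example. This is code written for this page, not the patent's or any vendor's implementation. The parity rule (odd SPI means the NAS was relocated) and the comparison of NAS address or hop count are the description's own illustration; the extension type number 200, the one-byte flag layout, the TLV walk and the embedded IPv4 address are assumptions made here so that the header form can be parsed.

```python
"""MS-side NAS relocation detection and the MIP-RRQ relocation indication (FIG. 5),
with the FA-side decoding from (1) and (2) above.

Added example, not code from the patent. The extension type number, flag layout and
embedded IPv4 address are assumptions; the parity rule and the address/hop-count
comparison are the patent's own illustration.
"""
import socket
import struct
from dataclasses import dataclass

EXT_NAS_RELOCATION = 200  # assumed skippable extension type for the relocation state
FLAG_REAUTH, FLAG_RELOCATED = 0x01, 0x02


@dataclass(frozen=True)
class NasIdentity:
    address: str     # address of the NAS as sent during EAP
    hops_to_gw: int  # number of hops from the NAS to the serving GW


class MobileStation:
    def __init__(self):
        self.recorded = None  # identity recorded at the first authentication

    def on_authentication(self, identity):
        """Compare the identity received in this EAP run with the recorded one.
        Returns (reauth, relocated)."""
        if self.recorded is None:
            self.recorded = identity
            return False, False
        relocated = identity != self.recorded
        self.recorded = identity  # later comparisons use the latest NAS
        return True, relocated

    @staticmethod
    def spi_with_indication(base_spi, relocated):
        # Patent's example rule: odd SPI means the NAS was relocated, even means not.
        return base_spi | 1 if relocated else base_spi & ~1

    @staticmethod
    def relocation_extension(reauth, relocated, nas_addr=None):
        """Separate extension header form: type, length, flags, optional NAS address."""
        flags = (FLAG_REAUTH if reauth else 0) | (FLAG_RELOCATED if relocated else 0)
        value = bytes([flags]) + (socket.inet_aton(nas_addr) if nas_addr else b"")
        return struct.pack("!BB", EXT_NAS_RELOCATION, len(value)) + value


def parse_extensions(blob):
    """Type-length-value walk over the trailing MIP extensions (assumed TLV layout)."""
    exts, i = {}, 0
    while i + 2 <= len(blob):
        ext_type, length = blob[i], blob[i + 1]
        exts[ext_type] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return exts


def fa_decide(rrq_spi, stored_spi, extensions):
    """Map the MIP-RRQ indication to the FA action listed in (1) and (2) above."""
    ext = extensions.get(EXT_NAS_RELOCATION)
    if ext:
        if len(ext) == 5:  # flags + IPv4 address: (2) ask the indicated NAS directly
            return "request-key-from-nas:" + socket.inet_ntoa(ext[1:5])
        reauth = bool(ext[0] & FLAG_REAUTH)
        relocated = bool(ext[0] & FLAG_RELOCATED)
    else:  # no extension: infer both facts from the SPI alone
        reauth = rrq_spi != stored_spi
        relocated = bool(rrq_spi & 1)
    if not reauth:
        return "continue"
    if not relocated:
        return "request-key-from-old-nas"
    return "wait-for-new-nas-notification"


def demo():
    """Walk steps 1 to 5 of FIG. 5 and return the FA decision for each MIP-RRQ."""
    ms, fa_stored_spi = MobileStation(), 0x1000
    ms.on_authentication(NasIdentity("10.0.0.1", 3))                      # step 1
    reauth, relocated = ms.on_authentication(NasIdentity("10.0.0.1", 3))  # step 2
    spi2 = ms.spi_with_indication(0x2000, relocated)                      # step 3, SPI form
    d_step3 = fa_decide(spi2, fa_stored_spi, {})
    reauth, relocated = ms.on_authentication(NasIdentity("10.0.0.2", 4))  # step 4
    spi5 = ms.spi_with_indication(0x3000, relocated)                      # step 5, SPI form
    d_step5 = fa_decide(spi5, fa_stored_spi, {})
    ext = ms.relocation_extension(reauth, relocated, "10.0.0.2")          # step 5, header form
    d_step5_addr = fa_decide(spi5, fa_stored_spi, parse_extensions(ext))
    return d_step3, d_step5, d_step5_addr
```

`demo()` returns the three decisions in order: request from the old NAS (step 3), wait for the new NAS (step 5, SPI form), and request from 10.0.0.2 (step 5, header form). One caveat for anyone implementing this: the FA reads the parity bit or the flag before it holds the key needed to verify the message's authentication extension, so the indication must only steer where the key is fetched from; the MIP-RRQ itself is accepted only after the authentication extension verifies with the fetched key, and is rejected otherwise.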
To further clarify how the FA obtains the MIP key (for example, the MN-FA key among the MIP
keys), the process is described in more detail with reference to an accompanying drawing.
As shown in FIG. 6, the FA state machine runs through the following steps:
Step 1: The FA receives an MIP-RRQ message.

Step 2: The FA checks whether an MN-FA key exists locally. If such a key exists, the FA
performs step 3; otherwise, the FA performs step 7.
Step 3: The FA compares the SPI in the received MIP-RRQ message with the locally stored
SPI. If the SPIs match, no re-authentication has occurred, and the FA performs step 15;
otherwise, re-authentication has occurred, and the FA performs step 4.
Step 4: The FA judges whether the NAS is relocated. If the NAS is relocated, the FA performs
step 5; otherwise, the FA performs step 6. The specific judgment method may be, but is not
limited to: The FA judges whether the NAS is relocated according to the NAS relocation
indication such as the SPI or the Context-Rpt sent by the new NAS.
In this step, if the FA is unable to determine whether the NAS is relocated, the FA performs
step 7.
In this step, if the FA determines that the NAS is relocated, the FA may further determine
whether the key of the new NAS is received. If the key of the new NAS is received, the FA
performs step 5. The key of the new NAS may be sent by the new NAS directly, or forwarded
by the old NAS which receives the key of the new NAS from the new NAS.
Step 5: The FA judges whether the address of the new NAS is known; if the address of the
new NAS is known, the FA performs step 8; otherwise, the FA performs step 9.
Step 6: The FA requests an MN-FA key from the old NAS, and performs step 15.
Step 7: The FA requests the MN-FA key from the old NAS, or sets a clock and waits until the
information is received from the authenticator (the authenticator that performs the
re-authentication). If the FA receives the information fed back by the old NAS, the FA
performs step 10; if the FA receives an indication sent by the new NAS, the FA performs step
12.
After receiving the information, the FA terminates the set clock. If the FA receives no
information from the authenticator before expiry of the clock, the FA discards the MIP-RRQ
message.
Step 8: The FA requests an MN-FA key from the new NAS (namely, relocated NAS), and
performs step 15.
Step 9: The FA waits for the indication from the new NAS, or queries the old NAS about the
address of the new NAS or the MN-FA key, and performs step 12 after receiving the
indication of the new NAS or the feedback from the old NAS. The received indication of the
new NAS or feedback of the old NAS may be the MN-FA key of the new NAS or the address
of the new NAS.
Step 10: According to the feedback information returned by the old NAS, the FA judges
whether the NAS is relocated. If the NAS is relocated, the FA performs step 12; otherwise,
the FA performs step 11.
In this step, the judgment method may be, but is not limited to: The FA judges whether the
NAS is relocated according to the received NAS relocation indication such as SPI or
Context-Rpt.
Step 11: If the feedback sent by the old NAS carries no MN-FA key, the FA sends a request to
the old NAS, requesting the corresponding MN-FA key. After obtaining the MN-FA key, the
FA performs step 15. If the feedback from the old NAS carries the MN-FA key, the FA
performs step 15 directly.
Step 12: The FA judges whether the new NAS has sent the corresponding MN-FA key to the
FA, namely, judges whether the FA already receives the MN-FA key. If the MN-FA key is
received, the FA performs step 13; otherwise, the FA obtains the address of the new NAS
from the indication received from the new NAS or the feedback received from the old NAS,
and performs step 14.
Step 13: The FA obtains the MN-FA key from the information sent by the new NAS, and
performs step 15.
Step 14: According to the address of the new NAS, the FA requests the corresponding MN-FA
key from the new NAS. After obtaining the MN-FA key, the FA performs step 15.
Step 15: The FA handles the received MIP-RRQ message according to the obtained key
information.
A system for enabling a network device to obtain a key is provided in an embodiment of the
present invention. As shown in FIG. 7, the system may include the following processing
units:
(i) Authenticator
The authenticator is adapted to: receive a key request sent by a network device that
requires key information, and send the generated key information corresponding to the
terminal to the network device. The authenticator includes:
a key request receiving unit, adapted to receive the key request sent by a network
device that requires key information; and
a key information sending unit, adapted to send generated key information
corresponding to the terminal to the network device that requires the key information after the
key request receiving unit receives the key request.
Optionally, the authenticator may include a relocation indication sending unit, adapted
to send an indication that authenticator relocation has occurred to the network device that
requires key information. The authenticator may be a new authenticator (relocated
authenticator) or an old authenticator (the authenticator before relocation). If the
relocation indication sending unit is set in the old authenticator and the old authenticator
sends the address of the relocated authenticator to the network device that requires key
information, the authenticator further includes a terminal information maintaining unit,
adapted to maintain the mapping between the terminal and the address of the relocated
authenticator and, optionally, to set a lifetime for that mapping.
The authenticator may include any of the following units:
a key information direct-sending unit, adapted to send the key information generated
by the relocated authenticator to the network device that requires the key information
directly; or
a key information indirect-transmitting unit, adapted to send the key information
generated by the relocated authenticator to the old authenticator which forwards the key
information to the network device that requires the key information.
In order to facilitate the terminal to determine whether the authenticator is relocated,
the authenticator may further include an identification information sending unit, adapted to
send the address of the authenticator or the number of hops from the authenticator to the
gateway as identification information to the terminal.
(ii) Network device
The network device is a network device that requires key information, and is adapted
to: receive an indication about occurrence of authenticator relocation, send a key request to
the relocated authenticator, and receive the key information returned by the authenticator.
More specifically, the network device that requires key information may include:
an authenticator relocation determining unit, adapted to determine relocation of the
authenticator corresponding to the terminal according to the received indication about
occurrence of authenticator relocation; and
a key requesting and obtaining unit, adapted to: send a key request to the relocated
authenticator after the authenticator relocation determining unit determines that the
authenticator corresponding to the terminal is relocated, receive the key information returned
by the authenticator, and obtain the key corresponding to the terminal.
Optionally, the network device that requires key information may further include a
judgment processing unit, adapted to send a notification to the key request obtaining unit if
determining that no key information generated by the relocated authenticator is received after
the authenticator relocation determining unit determines that the authenticator is relocated.

Optionally, the network device that requires key information may further include an
authenticator address obtaining unit, adapted to receive and obtain the address of the
relocated authenticator sent by the relocated authenticator or by the old authenticator, and
notify the key request obtaining unit so that the key request obtaining unit can send a key
request to the address of the relocated authenticator.
Optionally, the network device that requires key information may include any of the
following units:
a key information forwarding unit, adapted to receive the key information sent by the
relocated authenticator, and send the key information to the relocated network device that
requires the key information; or
a network device relocation notifying unit, adapted to: return an indication about
occurrence of relocation of the network device that requires key information or an address of
the relocated network device that requires key information to the relocated authenticator after
receiving the key information sent by the relocated authenticator; or proactively send an
indication about occurrence of relocation of the network device that requires key information
or an address of the relocated network device that requires key information to the relocated
authenticator so that the relocated authenticator may send the key information to the relocated
network device that requires the key information.
(iii) Terminal
In some scenarios, the terminal may send an indication to the network device that
requires key information to indicate that the authenticator corresponding to the terminal is
relocated. Therefore, the terminal may include a processing unit adapted to determine
whether the authenticator is relocated. Specifically, the terminal may include:
a relocation determining unit, adapted to: receive the identification information sent
by the authenticator in the authentication process, and compare the currently received
authenticator identification information with the previously received authenticator
identification information to determine whether the authenticator is relocated; and
an indication transmitting unit, adapted to send an indication about occurrence of
authenticator relocation to the network device that requires key information after the
relocation determining unit determines that relocation has occurred.
In conclusion, the embodiments of the present invention enable the FA to obtain the updated
MIP key after the NAS is relocated, thus minimizing the possibility of contention scenarios
and shortening the time spent in obtaining the key. The embodiments of the present invention
provide a solution that enables the FA to obtain a valid MIP key, and overcome the problems
in the prior art.
Although the invention has been described through some preferred embodiments, the
invention is not limited to such embodiments. It is apparent that those skilled in the art can
make modifications and variations to the invention without departing from the spirit and
scope of the invention. The invention is intended to cover the modifications and variations
provided that they fall in the scope of protection defined by the following claims or their
equivalents.

WE CLAIM:
1. A method for obtaining keys, comprising:
receiving, by a network device that requires key information, an indication about
occurrence of authenticator relocation, and sending a key request to a relocated authenticator,
receiving, by the network device, key information corresponding to a terminal returned by
the relocated authenticator, and obtaining the key information corresponding to the terminal.
2. The method of claim 1, comprising:
sending, by the relocated authenticator, an old authenticator, the terminal, a Home Agent
(HA), or an Authorization Authentication Accounting (AAA) server, the indication about
occurrence of authenticator relocation to the network device that requires the key information;
and/or
sending, by the relocated authenticator, the old authenticator, the terminal, the HA, or the
AAA server, an address of the relocated authenticator to the network device that requires the
key information.
3. The method of claim 2, if the indication is sent by the terminal to the network device that
requires the key information, further comprising:
obtaining, by the terminal, authenticator identification information sent by the network in
the authentication process;
comparing, by the terminal, the currently received authenticator identification information
with previously received authenticator identification information, and determining whether
the authenticator is relocated according to the comparison result.
4. The method of claim 3, wherein the authenticator identification information comprises at
least one of: an address of the authenticator, an identification of the authenticator, and the
number of hops from the authenticator to gateway.
5. The method of any one of claims 1-4, further comprising:
generating, by the relocated authenticator, the key information corresponding to the
terminal, and sending, by the relocated authenticator, the key information corresponding to
the terminal to the network device that requires the key information; or
sending, by the relocated authenticator, the key information corresponding to the terminal
to an old authenticator, and sending, by the old authenticator, the key information
corresponding to the terminal to the network device that requires the key information.
6. The method of claim 5, after receiving the indication about occurrence of authenticator
relocation, further comprising:
if the network device that requires the key information does not receive the key
information corresponding to the terminal generated by the relocated authenticator, sending,
by the network device that requires the key information, the key request to the relocated
authenticator.
7. The method of any one of claims 1-4, before sending the key request to the relocated
authenticator, further comprising:
requesting to obtain the address of the relocated authenticator from an old authenticator;
or
receiving the address of the relocated authenticator sent by the relocated authenticator, the
old authenticator, the terminal, the HA, or the AAA server.
8. The method of any one of claims 1-4, wherein, in the process of relocating the
authenticator, if the network device that requires key information is also relocated, the
method further comprises:
obtaining, by the relocated network device that requires key information, the key
information sent by the relocated authenticator through the old network device that requires
key information; or,
sending, by the relocated network device that requires key information, an indication
about relocation of the network device that requires key information or an address of the
relocated network device that requires key information to the relocated authenticator,
obtaining the key information sent by the relocated authenticator; or
sending, by the old network device that requires key information, an indication about
relocation of the network device that requires key information or an address of the relocated
network device that requires key information to the relocated authenticator, sending, by the
relocated authenticator, the key information to the relocated network device that requires key
information.
9. The method of any one of claims 1-4, before receiving the indication about occurrence of
authenticator relocation, further comprising:
storing, by the network device that requires key information, a Security Parameter Index
(SPI) between the terminal and the HA; and, if the SPI received in a registration request sent
by the terminal or other devices is different from the stored SPI between the terminal and the
HA, determining that the terminal is re-authenticated.
10. A method for obtaining keys, comprising:
receiving, by a network device that requires key information, an indication about
occurrence of re-authentication, and receiving the key information corresponding to a
terminal sent by the authenticator.
11. The method of claim 10, wherein the authenticator is a re-authentication authenticator.
12. The method of claim 11, after receiving the indication about occurrence of
re-authentication, further comprising:
starting a timer, and receiving the key information corresponding to the terminal in the
valid period of the timer.
13. The method of claim 12, further comprising:
discarding an IP Registration Request sent by the terminal if the network device that
requires key information does not receive the key information in the valid period of the timer.
14. A network device, comprising:
an authenticator relocation determining unit, adapted to determine relocation of the
authenticator corresponding to a terminal according to a received indication about occurrence
of authenticator relocation; and
a key requesting and obtaining unit, adapted to send a key request to the relocated
authenticator after the authenticator relocation determining unit determines that the
authenticator corresponding to the terminal is relocated, receive the key information
corresponding to the terminal returned by the relocated authenticator, and obtain the key
corresponding to the terminal.
15. The network device of claim 14, further comprising:
a judgment processing unit, adapted to send a notification to the key request obtaining
unit if determining that no key information generated by the relocated authenticator is
received after the authenticator relocation determining unit determines that the authenticator
is relocated.
16. The network device of claim 14 or 15, further comprising:
an authenticator address obtaining unit, adapted to receive and obtain the address of the
relocated authenticator sent by the relocated authenticator or by an old authenticator, and
notify the key request obtaining unit.
17. The network device of claim 14, further comprising:
a key information forwarding unit, adapted to receive the key information sent by the
relocated authenticator, and send the key information to the relocated network device that
requires the key information; or
a network device relocation notifying unit, adapted to return an indication about
occurrence of relocation of the network device that requires key information or an address of
the relocated network device that requires key information to the relocated authenticator after
receiving the key information sent by the relocated authenticator; or proactively send an
indication about occurrence of relocation of the network device that requires key information
or an address of the relocated network device that requires key information to the relocated
authenticator.
18. An authenticator, comprising:
a key request receiving unit, adapted to receive a key request sent by a network device
that requires key information; and
a key information sending unit, adapted to send generated key information corresponding
to the terminal to the network device that requires the key information after the key request
receiving unit receives the key request.
19. The authenticator of claim 18, further comprising:
an identification information sending unit, adapted to send the address of the
authenticator or the number of hops from the authenticator to the gateway as identification
information to the terminal.
20. The authenticator of claim 18, further comprising:
a key information direct-sending unit, adapted to send the key information generated by
the relocated authenticator to the network device that requires the key information directly; or
a key information indirect-transmitting unit, adapted to send the key information
generated by the relocated authenticator to an old authenticator which forwards the key
information to the network device that requires the key information.
21. The authenticator of claim 18, 19 or 20, further comprising:
a relocation indication sending unit, adapted to send an indication about occurrence of
authenticator relocation and/or the address of the relocated authenticator to the network
device that requires key information.
22. The authenticator of claim 21, if the relocation indication sending unit is adapted to send
the address of the relocated authenticator to the network device that requires key information,
the authenticator further comprising:
a terminal information maintaining unit, adapted to maintain the corresponding relation
between the terminal and the address of the relocated authenticator; or maintain the
corresponding relation between the terminal and the address of the relocated authenticator
and set a lifecycle for the corresponding relation.
23. A terminal, comprising:
a relocation determining unit, adapted to receive identification information sent by an
authenticator in the authentication process, and compare the currently received authenticator
identification information with previously received authenticator identification information to
determine whether the authenticator is relocated; and
an indication transmitting unit, adapted to send an indication about occurrence of
authenticator relocation to the network device that requires key information after the
relocation determining unit determines that relocation has occurred.
24. A system for obtaining keys, wherein the system comprises an authenticator and a
network device that requires key information;
the authenticator is adapted to receive a key request sent by the network device that
requires key information, and send the generated key information corresponding to the
terminal to the network device that requires key information; and
the network device that requires key information is adapted to receive an indication about
occurrence of authenticator relocation, send the key request to the relocated authenticator,
and receive the key information returned by the authenticator.



Documents:

http://ipindiaonline.gov.in/patentsearch/GrantedSearch/viewdoc.aspx?id=MukMzJwr5JK0T91qH1iWjw==&loc=wDBSZCsAt7zoiVrqcFJsRw==


Patent Number 272382
Indian Patent Application Number 4227/KOLNP/2009
PG Journal Number 14/2016
Publication Date 01-Apr-2016
Grant Date 31-Mar-2016
Date of Filing 07-Dec-2009
Name of Patentee HUAWEI TECHNOLOGIES CO., LTD.
Applicant Address HUAWEI ADMINISTRATION BUILDING, BANTIAN, LONGGANG DISTRICT, SHENZHEN, GUANGDONG 518129, P.R. CHINA
Inventors:
# Inventor's Name Inventor's Address
1 WU, JIANJUN HUAWEI ADMINISTRATION BUILDING, BANTIAN, LONGGANG DISTRICT, SHENZHEN, 518129, GUANGDONG P.R. CHINA
2 LIANG, WENLIANG HUAWEI ADMINISTRATION BUILDING, BANTIAN, LONGGANG DISTRICT, SHENZHEN, 518129, GUANGDONG P.R. CHINA
PCT International Classification Number H04L9/32; H04L9/32
PCT International Application Number PCT/CN2008/071254
PCT International Filing date 2008-06-10
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 200710145146.5 2007-08-23 China
2 200710136389.2 2007-07-26 China
3 200710112367.2 2007-06-11 China