Title of Invention	'METHOD FOR IMPLEMENTING SECURITY COMMUNICATION BY INDEPENDENTLY SELECTING ENCRYPTION ALGORITHM"
Abstract	The present invention discloses a method for implementing security communication by independently selecting an encryption algorithm. In this method, a bit for representing CI is added, and a judge process for the CI and encryption algorithm supported by both the current subscriber and network is added. Under the condition that CN supports more than one encryption algorithm, if the CI is 1 and a standard encryption algorithm is supported by both UE and CN, the standard encryption algorithm is determined as the encryption algorithm for security communication; otherwise, the communication is disconnected; if the CI is 0 and a self-developed non-standard encryption algorithm is supported by both UE and CN, the encryption algorithm is determined as the encryption algorithm for security communication; otherwise, the communication is disconnected. Under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, this standard encryption algorithm is determined as the encryption algorithm for security communication directly; otherwise, the communication is disconnected. This method enables the subscriber to perform security communication utilizing effective encryption algorithm anywhere and satisfies the requirement for independently selecting encryption algorithm in local area. Accordingly, the subscriber interest and service quality is guaranteed.

Title of Invention

'METHOD FOR IMPLEMENTING SECURITY COMMUNICATION BY INDEPENDENTLY SELECTING ENCRYPTION ALGORITHM"

Abstract

The present invention discloses a method for implementing security communication by independently selecting an encryption algorithm. In this method, a bit for representing CI is added, and a judge process for the CI and encryption algorithm supported by both the current subscriber and network is added. Under the condition that CN supports more than one encryption algorithm, if the CI is 1 and a standard encryption algorithm is supported by both UE and CN, the standard encryption algorithm is determined as the encryption algorithm for security communication; otherwise, the communication is disconnected; if the CI is 0 and a self-developed non-standard encryption algorithm is supported by both UE and CN, the encryption algorithm is determined as the encryption algorithm for security communication; otherwise, the communication is disconnected. Under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, this standard encryption algorithm is determined as the encryption algorithm for security communication directly; otherwise, the communication is disconnected. This method enables the subscriber to perform security communication utilizing effective encryption algorithm anywhere and satisfies the requirement for independently selecting encryption algorithm in local area. Accordingly, the subscriber interest and service quality is guaranteed.

Full Text	Method for Implementing Security Communication by Independently Selecting Encryption Algorithm Field of the Technology The present invention relates to security communication technology in the 3rd Generation (3G) system, and more particularly to a method for implementing security communication between both cpmmumcation sides by independently determining and selecting an encryption algorithm supported.by both the terminal side and the network side. Background of the Invention At present, in all kinds of communication systems and particularly in mobile communication systems, the implementation of security communication is of great importance for guaranteeing security of information transmitted between subscribers. Therefore, it is necessary to protect the data being transmitted with encryption. Generally, encrypting the data for protection means an encryption algorithm is adopted bv both the communication sides. The transmit side encrypts the data to be transmitted with a selected encryption algorithm and then transmits the encrypted data, which is decrypted with the selected algorithm after being received by the receive side. In the prior 3rd Generation Wideband Code Division Multiple Access (3G WCDMA) mobile communication system, encryption protection can be used during the information transmission process between a User Equipment (UE) and the access network, namely between UE and the UMTS Terrestrial Radio Access Network (UTRAN). In this security communication process, the algorithm adopted by both sides is stored in UE and Radio Network Controller (RNC) of the access network respectively. Actually the RNC stores the encryption algorithms supported by the Core Network (CN). The selection of encryption algorithm is implemented through comparing the algorithms supported by UE and the available algorithms designated by CN with the RNC. Since each encryption algorithm corresponds to one single identifier for User Encryption Algorithm (UEA), the RNC determines an encryption algorithm through comparing the UEAs. According to prescription of the prior WCDMA standard, a UEA occupies 4 bits, in which "0000" is defined as no encryption and "0001" is defined as standard KASUMI encryption algorithm. The other 14 values are undefined and can be used as reservation UEAs for self-defining usage. As is shown in Figure 1, the specific implementing process of the prior encryption protection is as follows. 1) Firstly, a Radio Resource Control (RRC) connection is established. Then UE; sends the security information to the access network after the successful connection, When a subscriber is calling or is being called, the high layer of UE will notify the access layer to establish a RRC connection, in more detail, to establish a RRC: connection between UE and RNC of the access network. After the successful connection, UE sends its security capability information to RNC of the access network by way of a RRC CONNECTION COMPLETE message. RNC stores relevant security information including the UEAs supported by UE. 2) CN initiates establishment of security mode. When CN initiates establishment of security mode, the Visiting Location Register (VLR) of CN determines which UEA shall be selected for use and sends RNC a SECURITY MODE COMMAND message carrying the UEAs and Cipher Key (CK). 3) RNC processes the received SECURITY MODE COMMAND. RNC selects a UEA according to the received UEAs and the stored UEAs supported by UE. Then RNC sends UE a SECURITY MODE COMMAND message carrying the selected UEA. 4) The process after UE receives SECURITY MODE COMMAND is implemented. After receiving SECURITY MODE COMMAND, UE sets the local UE security; capability parameter as the received UE security capability parameter. Meanwhile UE sends SECURITY MODE COMPLETE message to RNC of the access network which means the security mode has been successfully set. 5) Access network receives SECURITY MODE COMPLETE message. After receiving the SECURITY MODE COMPLETE message, RNC of the! access network sends the SECURITY MODE COMPLETE message, which carries the selected UEA, to the VRL of CN. Therefore, a main object of the present invention is to provide a method for implementing security communication by independently selecting an encryption algorithm, which enables the subscriber to perform security communication utilizing effective encryption algorithm anywhere and satisfies the requirement for independently selecting encryption algorithm in local area. Accordingly, the subscriber interest and service quality is guaranteed. To achieve the above-mentioned object, the specific technical scheme of this invention is as follows. A method for implementing security communication by independently selecting an encryption algorithm, comprising: a. when a subscriber is calling or is being called, the Core Network (CN) extracting Mobile Country Code (MCC) of the subscriber and according to said MCC setting value of Customer Identifier (CI) to indicate whether the subscriber is a foreign or domestic subscriber; b. establishing a connection between User Equipment (UE) corresponding to the subscriber and Radio Resource Controller (RRC), after the connection is successfully established, the UE sending a message of RRC connection completion to RNC of the access network, the RNC then storing relevant security information in said message including User Encryption Algorithms (UEAs) supported by the UE; c. when CN initiating establishment procedure of security mode, a Visit Location Register (VLR) of CN selecting at least one UEA, and sending RNC a security mode command message including UEAs, Cipher Key (CK) and CI information; d. after receiving the security mode command message from CN, RNC selecting a UEA for security communication according to the selected UEAs in CN in said message and the stored UEAs supported by the UE; under the condition that CN supports more than one encryption algorithm, if the current subscriber is a foreign subscriber and a standard encryption algorithm is supported by both UE and CN, determining the standard encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; if the current subscriber is a domestic subscriber and a non-standard encryption ; algorithm is supported by both UE and CN, determining this encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no j appropriate encryption algorithm is available and disconnecting the communication; under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, determining this standard encryption algorithm as the encryption algorithm for security communication directly; otherwise, \ determining that no appropriate encryption algorithm is available and disconnecting the communication; after selecting UEA, RNC sending UE a security mode command message carrying the selected UEA; e. after receiving the security mode command message, UE setting the local UE security capability parameter as the received UE security capability parameter, meanwhile, UE sending a security mode complete message to RNC of the access network; after receiving the message, RNC sending a security mode complete message carrying the selected UEA to VLR of CN; the VLR of CN completing setting of its own security mode after receiving the security mode complete message. The method may further comprise: presetting a Mobile Country Code (MCC) number list and storing the list in CN, regarding the subscribers according with said list as domestic subscribers and regarding the subscribers not according with said list as foreign subscribers. In addition, the method may further comprise: storing the MCCs of foreign subscribers in the MCC number list whose encryption algorithm is the same as that of the domestic subscribers. Moreover, the CI value can be set to 0 if the current subscriber is judged as a domestic subscriber based on MCC, and to 1 if the current subscriber is judged as a foreign subscriber based on MCC. The length of CI can be 1 bit. From the technical scheme described above, it can be seen that the key point of this invention lies in: a CI is added, and judgment for CI and judgment for encryption algorithms supported by the current subscriber and hte network is also added.If a subscriber is a domestic subscriber and both the subscriber and network support the standard encryption algonthm, or if the subscriber is a foreign subscriber and both the subscriber and network support a self-developed encryption algorithm other than the standard encryption algorithm, normal security communication can be implemented; otherwise, security communication is unavailable. Accordingly, this method for implementing security communication by independently selecting an encryption algorithm provided by this invention has the following advantages and characteristics. 1) The method according to the present invention not only satisfies the requirement of adopting private encryption algorithm for domestic security communication, but also ensures that security communication is available for the roaming subscribers by supporting standard encryption algorithm. The problem of abnormal security communication because of conflict between encryption algorithms when the mobile subscriber is roaming around is wholly resolved. Furthermore, better service can be provided for the subscribers. 2) Although the step of extracting MCC of UE by CN is newly added, no additional performance overhead is added because CN must extract MCC of UE originally. 3) Although the parameter CI is added in the SECURITY MODE COMMAND message sent to RNC from CN via lu interface, it hardly affects the implementation of devices because this parameter occupies extremely few bits. 4) Although additional selecting judgment is added after RNC receives SECURITY MODE COMMAND via lu interface, the design for judgment is simple and easily implemented. Furthermore, the application of system in which only standard encryption algorithm is adopted is seldom affected. Brief Description of the Drawings Figure 1 is a signaling flow chart of determining an encryption algorithm in prior art. Figure 2 is a flow chart illustrating the method for determining an encryption algorithm according to the present invention. Detailed Description of the Invention Now, the present invention will be described in detail with reference to the accompanying drawings. To select an encryption algorithm for communication between two sides, it is necessary for RNC to compare encryption algorithms supported by UE and those supported by CN. In order to avoid conflict due to different encryption algorithms during roaming process, judgment for all kinds of possible situations and corresponding choice of encryption algorithm should be added in this comparing process. As information about the country or service provider to which the current subscriber belongs is necessary for judging all kinds of possible situations, an identifier for identifying the country or service provider to which the subscriber belongs is added in the message sending to the access network from CN. RNC can determine the encryption algorithm to be employed according to this identifier and the encryption algorithm supported by the current UE. The precondition to realize the method according to the present invention is that both UE and network support standard encryption algorithm meanwhile encryption is required by the network, namely, UEA is not "0000". In addition, if domestic algorithm is requested, RNC must judge whether the subscriber is a domestic subscriber or a foreign one according to the subscriber identifier, and choose an appropriate encryption algorithm based on the judgment. Moreover, if both standard encryption algorithm and domestic self-developed encryption algorithm are simultaneously supported by the CN, the latter must be adopted for domestic security communication. With reference to Figure 2, a specific implementing process of method according to the present invention at least comprises the following steps. 1) When a subscriber is calling or is being called, CN extracts MCC of this subscriber and then judges whether the subscriber is a domestic subscriber or a foreign one. 2) High layer of UE will notify the access network to establish a RRC connection for this subscriber, namely to establish a RRC connection between UE and RNC. After the connection is successfully established, UE sends its security capability information to the RNC through RRC CONNECTION COMPLETE message indicating the connection has been successfully established. RNC stores relevant i security information including UEAs supported by the UE. 3) When CN initiates establishment of security mode, the VLR of CN determines which UEA shall be selected for use and sends RRC a SECURITY MODE COMMAND message including UEAs, CK and the new added CI information. In this embodiment the length of CI is set at 1 bit. Certainly, the length of CI can be set at more bits according to practical application. CI is set at 0 if the current subscriber is determined as a domestic subscriber according to the MCC of the subscriber, and at 1 if a foreign subscriber. 4) After receiving SECURITY MODE COMMAND message, the RNC selects a UEA for security communication according to the received UEAs and the stored UEAs supported by the UE. This selection process includes the following two instances. a. If CN supports more than one encryption algorithm, the primary two instances are as follows: al. When value of the received CI equals 1 and if both UE and CN support standard encryption algorithm signed as "0001", this standard encryption algorithm is selected as the encryption algorithm for security communication; otherwise no appropriate encryption algorithm is assumed available and the communication connection is disconnected. a2. When value of the received CI equals 0 and if both UE and CN support a standard encryption algorithm other than the one signed as "0001", this encryption algorithm is selected for security communication; otherwise no appropriate encryption algorithm is assumed available and the communication connection is disconnected. Under the instance of al, if the current subscriber is a foreign subscriber but the country or service provider to which the subscriber belongs adopts the same encryption algorithm as that of the roaming location for security communication. For example, China uses "0011" to identify the corresponding algorithm, and Country M is China's neighboring country, M may directly adopt the encryption algorithm which is adopted by China to avoid trouble of self-developing. Thus, when a subscriber of Country M is roaming in China, normal security communication is available. But according to the instance of al, this communication cannot be supported. To avoid :his condition, MCC can be processed in CN. For instance, a MCC number list can be set and stored in CN beforehand. This list includes MCCs of foreign countries adopting the same encryption algorithm as that in the homeland. Before setting the value of CI, MCC number list is searched. Those according with the list are assumed domestic subscribers and the value of relevant CI is set at "0"; those not according with the list are assumed foreign subscribers and the value of relevant CI is set at "1". b. If CN only supports standard encryption algorithm, namely, the SECURITY MODE COMMAND message sent from CN only includes one encryption algorithm identified as "0001", and UE also supports this algorithm, then judgment of CI is not needed and standard encryption algorithm is directly adopted for security communication. After UEA is selected, RNC sends UE a SECURITY MODE COMMAND message carrying the selected UEA. 5) After receiving SECURITY MODE COMMAND message, UE sets local UE security capability parameter as the received UE security capability parameter. Meanwhile UE sends a SECURITY MODE COMPLETE message to RNC of the access network, indicating the successful setting of security mode. 6) After receiving SECURITY MODE COMPLETE message, RNC of the access network immediately sends VLR of CN a SEUCIRTY'MODE COMPLETE message carrying the selected UEA. 7) After receiving SECURITY MODE COMPLETE message, VLR of CN completes setting of its own security mode and then waits until the predetermined time is due, after which security communication between UE and UTRAN begins. This communication is encrypted or decrypted according to the encryption algorithm corresponding to the selected UEA. We Claim: 1. A method for implementing security communication by independently selecting an encryption algorithm, comprising: a. when a subscriber is calling or is being called, the Core Network (CN) extracting Mobile Country Code (MCC) of the subscriber and according to said MCC setting value of Customer Identifier (CI) to indicate whether the subscriber is a foreign or domestic subscriber; b. establishing a connection between User Equipment (UE) corresponding to the subscriber and Radio Resource Controller (RRC), after the connection is successfully established, the UE sending a message of RRC connection completion to RNC of the access network, the RNC then storing relevant security information in said message including User Encryption Algorithms (UEAs) supported by the UE; c. when CN initiating establishment procedure of security mode, a Visit Location Register (VLR) of CN selecting at least one UEA, and sending RNC a security mode command message including UEAs, Cipher Key (CK) and CI information; d. after receiving the security mode command message from CN, RNC selecting a UEA for security communication according to the selected UEAs in CN in said message and the stored UEAs supported by the UE; under the condition that CN supports more than one encryption algorithm, if the current subscriber is a foreign subscriber and a standard encryption algorithm whose UEA is "0001" is supported by both UE and CN, determining the standard encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; if the current subscriber is a domestic subscriber and an encryption algorithm whose UEA is not "0001" is supported by both UE and CN, determining this encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, determining this standard encryption algorithm as the encryption algorithm for security communication directly; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; after selecting UEA, RNC sending UE a security mode command message carrying the selected UEA; e. after receiving the security mode command message, UE setting the local UE security capability parameter as the received UE security capability parameter, meanwhile, UE sending a security mode complete message to RNC of the access network; after receiving the message, RNC sending a security mode complete message carrying the selected UEA to VLR of CN; the VLR of CN completing setting of its own security mode after receiving the security mode complete message. 2. A method as claimed in claim 1, comprising: setting value of the CI at 0 if the current subscriber is judged as a domestic subscriber based on MCC, and at 1 if the current subscriber is judged as a foreign subscriber based on MCC. 3. A method as claimed in claim 1, comprising: presetting a Mobile Country Code (MCC) number list and storing the list in CN, regarding the subscribers according with said list as domestic subscribers and regarding the subscribers not according with said list as foreign subscribers. 4. A method as claimed in claim 2, wherein MCCs of foreign subscribers adopting the same encryption algorithm as that adopted by the domestic subscribers are stored in the MCC number list. 5. A method of any one of claims 1, 2 and 3, wherein the length of CI is 1 bit.

Full Text

Method for Implementing Security Communication by Independently Selecting Encryption Algorithm
Field of the Technology
The present invention relates to security communication technology in the 3rd Generation (3G) system, and more particularly to a method for implementing security communication between both cpmmumcation sides by independently determining and selecting an encryption algorithm supported.by both the terminal side and the network
side.
Background of the Invention
At present, in all kinds of communication systems and particularly in mobile communication systems, the implementation of security communication is of great importance for guaranteeing security of information transmitted between subscribers. Therefore, it is necessary to protect the data being transmitted with encryption. Generally, encrypting the data for protection means an encryption algorithm is adopted bv both the communication sides. The transmit side encrypts the data to be transmitted with a selected encryption algorithm and then transmits the encrypted data, which is decrypted with the selected algorithm after being received by the receive side.
In the prior 3rd Generation Wideband Code Division Multiple Access (3G WCDMA) mobile communication system, encryption protection can be used during the information transmission process between a User Equipment (UE) and the access network, namely between UE and the UMTS Terrestrial Radio Access Network (UTRAN). In this security communication process, the algorithm adopted by both sides is stored in UE and Radio Network Controller (RNC) of the access network respectively. Actually the RNC stores the encryption algorithms supported by the Core Network (CN). The selection of encryption algorithm is implemented through comparing the algorithms supported by UE and the available algorithms designated by CN with the RNC. Since each encryption algorithm corresponds to one single identifier for User Encryption Algorithm (UEA), the RNC determines an encryption algorithm through comparing the UEAs. According to prescription of the prior WCDMA standard, a UEA occupies 4 bits, in which "0000" is defined as no
encryption and "0001" is defined as standard KASUMI encryption algorithm. The other 14 values are undefined and can be used as reservation UEAs for self-defining usage.
As is shown in Figure 1, the specific implementing process of the prior encryption protection is as follows.
1) Firstly, a Radio Resource Control (RRC) connection is established. Then UE;
sends the security information to the access network after the successful connection,
When a subscriber is calling or is being called, the high layer of UE will notify the access layer to establish a RRC connection, in more detail, to establish a RRC: connection between UE and RNC of the access network. After the successful connection, UE sends its security capability information to RNC of the access network by way of a RRC CONNECTION COMPLETE message. RNC stores relevant security information including the UEAs supported by UE.
2) CN initiates establishment of security mode.
When CN initiates establishment of security mode, the Visiting Location Register (VLR) of CN determines which UEA shall be selected for use and sends RNC a SECURITY MODE COMMAND message carrying the UEAs and Cipher Key
(CK).
3) RNC processes the received SECURITY MODE COMMAND.
RNC selects a UEA according to the received UEAs and the stored UEAs supported by UE. Then RNC sends UE a SECURITY MODE COMMAND message carrying the selected UEA.
4) The process after UE receives SECURITY MODE COMMAND is
implemented.
After receiving SECURITY MODE COMMAND, UE sets the local UE security; capability parameter as the received UE security capability parameter. Meanwhile UE sends SECURITY MODE COMPLETE message to RNC of the access network which means the security mode has been successfully set.
5) Access network receives SECURITY MODE COMPLETE message.
After receiving the SECURITY MODE COMPLETE message, RNC of the! access network sends the SECURITY MODE COMPLETE message, which carries the selected UEA, to the VRL of CN.
Therefore, a main object of the present invention is to provide a method for implementing security communication by independently selecting an encryption algorithm, which enables the subscriber to perform security communication utilizing effective encryption algorithm anywhere and satisfies the requirement for independently selecting encryption algorithm in local area. Accordingly, the subscriber interest and service quality is guaranteed.
To achieve the above-mentioned object, the specific technical scheme of this invention is as follows.
A method for implementing security communication by independently selecting an encryption algorithm, comprising:
a. when a subscriber is calling or is being called, the Core Network (CN)
extracting Mobile Country Code (MCC) of the subscriber and according to said MCC
setting value of Customer Identifier (CI) to indicate whether the subscriber is a
foreign or domestic subscriber;
b. establishing a connection between User Equipment (UE) corresponding to the
subscriber and Radio Resource Controller (RRC), after the connection is successfully
established, the UE sending a message of RRC connection completion to RNC of the
access network, the RNC then storing relevant security information in said message
including User Encryption Algorithms (UEAs) supported by the UE;
c. when CN initiating establishment procedure of security mode, a Visit Location
Register (VLR) of CN selecting at least one UEA, and sending RNC a security mode
command message including UEAs, Cipher Key (CK) and CI information;
d. after receiving the security mode command message from CN, RNC selecting
a UEA for security communication according to the selected UEAs in CN in said
message and the stored UEAs supported by the UE;
under the condition that CN supports more than one encryption algorithm, if the current subscriber is a foreign subscriber and a standard encryption algorithm is supported by both UE and CN, determining the standard encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; if the current subscriber is a domestic subscriber and a non-standard encryption ; algorithm is supported by both UE and CN, determining this encryption algorithm as
the encryption algorithm for security communication; otherwise, determining that no j appropriate encryption algorithm is available and disconnecting the communication;
under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, determining this standard encryption algorithm as the encryption algorithm for security communication directly; otherwise, \ determining that no appropriate encryption algorithm is available and disconnecting the communication;
after selecting UEA, RNC sending UE a security mode command message carrying the selected UEA;
e. after receiving the security mode command message, UE setting the local UE security capability parameter as the received UE security capability parameter, meanwhile, UE sending a security mode complete message to RNC of the access network; after receiving the message, RNC sending a security mode complete message carrying the selected UEA to VLR of CN; the VLR of CN completing setting of its own security mode after receiving the security mode complete message.
The method may further comprise: presetting a Mobile Country Code (MCC) number list and storing the list in CN, regarding the subscribers according with said list as domestic subscribers and regarding the subscribers not according with said list as foreign subscribers.
In addition, the method may further comprise: storing the MCCs of foreign subscribers in the MCC number list whose encryption algorithm is the same as that of the domestic subscribers. Moreover, the CI value can be set to 0 if the current subscriber is judged as a domestic subscriber based on MCC, and to 1 if the current subscriber is judged as a foreign subscriber based on MCC.
The length of CI can be 1 bit.
From the technical scheme described above, it can be seen that the key point of
this invention lies in: a CI is added, and judgment for CI and judgment for encryption
algorithms supported by the current subscriber and hte network is also added.If a
subscriber is a domestic subscriber and both the subscriber and network support the standard encryption algonthm, or if the subscriber is a foreign subscriber and both the subscriber and network support a self-developed encryption algorithm other than the
standard encryption algorithm, normal security communication can be implemented; otherwise, security communication is unavailable.
Accordingly, this method for implementing security communication by independently selecting an encryption algorithm provided by this invention has the following advantages and characteristics.
1) The method according to the present invention not only satisfies the requirement of adopting private encryption algorithm for domestic security communication, but also ensures that security communication is available for the roaming subscribers by supporting standard encryption algorithm. The problem of abnormal security communication because of conflict between encryption algorithms when the mobile subscriber is roaming around is wholly resolved. Furthermore, better service can be provided for the subscribers.
2) Although the step of extracting MCC of UE by CN is newly added, no additional performance overhead is added because CN must extract MCC of UE originally.
3) Although the parameter CI is added in the SECURITY MODE COMMAND message sent to RNC from CN via lu interface, it hardly affects the implementation of devices because this parameter occupies extremely few bits.
4) Although additional selecting judgment is added after RNC receives
SECURITY MODE COMMAND via lu interface, the design for judgment is simple
and easily implemented. Furthermore, the application of system in which only
standard encryption algorithm is adopted is seldom affected.
Brief Description of the Drawings
Figure 1 is a signaling flow chart of determining an encryption algorithm in prior
art.
Figure 2 is a flow chart illustrating the method for determining an encryption algorithm according to the present invention.
Detailed Description of the Invention
Now, the present invention will be described in detail with reference to the accompanying drawings.
To select an encryption algorithm for communication between two sides, it is necessary for RNC to compare encryption algorithms supported by UE and those supported by CN. In order to avoid conflict due to different encryption algorithms during roaming process, judgment for all kinds of possible situations and corresponding choice of encryption algorithm should be added in this comparing process. As information about the country or service provider to which the current subscriber belongs is necessary for judging all kinds of possible situations, an identifier for identifying the country or service provider to which the subscriber belongs is added in the message sending to the access network from CN. RNC can determine the encryption algorithm to be employed according to this identifier and the encryption algorithm supported by the current UE.
The precondition to realize the method according to the present invention is that both UE and network support standard encryption algorithm meanwhile encryption is required by the network, namely, UEA is not "0000". In addition, if domestic algorithm is requested, RNC must judge whether the subscriber is a domestic subscriber or a foreign one according to the subscriber identifier, and choose an appropriate encryption algorithm based on the judgment. Moreover, if both standard encryption algorithm and domestic self-developed encryption algorithm are simultaneously supported by the CN, the latter must be adopted for domestic security communication.
With reference to Figure 2, a specific implementing process of method according to the present invention at least comprises the following steps.
1) When a subscriber is calling or is being called, CN extracts MCC of this subscriber and then judges whether the subscriber is a domestic subscriber or a foreign one.
2) High layer of UE will notify the access network to establish a RRC connection for this subscriber, namely to establish a RRC connection between UE and RNC. After the connection is successfully established, UE sends its security capability information to the RNC through RRC CONNECTION COMPLETE message
indicating the connection has been successfully established. RNC stores relevant i security information including UEAs supported by the UE.
3) When CN initiates establishment of security mode, the VLR of CN determines which UEA shall be selected for use and sends RRC a SECURITY MODE COMMAND message including UEAs, CK and the new added CI information. In this embodiment the length of CI is set at 1 bit. Certainly, the length of CI can be set at more bits according to practical application. CI is set at 0 if the current subscriber is determined as a domestic subscriber according to the MCC of the subscriber, and at 1 if a foreign subscriber.
4) After receiving SECURITY MODE COMMAND message, the RNC selects a UEA for security communication according to the received UEAs and the stored UEAs supported by the UE. This selection process includes the following two instances.
a. If CN supports more than one encryption algorithm, the primary two instances are as follows:
al. When value of the received CI equals 1 and if both UE and CN support standard encryption algorithm signed as "0001", this standard encryption algorithm is selected as the encryption algorithm for security communication; otherwise no appropriate encryption algorithm is assumed available and the communication connection is disconnected.
a2. When value of the received CI equals 0 and if both UE and CN support a standard encryption algorithm other than the one signed as "0001", this encryption algorithm is selected for security communication; otherwise no appropriate encryption algorithm is assumed available and the communication connection is disconnected.
Under the instance of al, if the current subscriber is a foreign subscriber but the country or service provider to which the subscriber belongs adopts the same encryption algorithm as that of the roaming location for security communication. For example, China uses "0011" to identify the corresponding algorithm, and Country M is China's neighboring country, M may directly adopt the encryption algorithm which is adopted by China to avoid trouble of self-developing. Thus, when a subscriber of Country M is roaming in China, normal security communication is available. But according to the instance of al, this communication cannot be supported. To avoid
:his condition, MCC can be processed in CN. For instance, a MCC number list can be set and stored in CN beforehand. This list includes MCCs of foreign countries adopting the same encryption algorithm as that in the homeland. Before setting the value of CI, MCC number list is searched. Those according with the list are assumed domestic subscribers and the value of relevant CI is set at "0"; those not according with the list are assumed foreign subscribers and the value of relevant CI is set at "1".
b. If CN only supports standard encryption algorithm, namely, the SECURITY MODE COMMAND message sent from CN only includes one encryption algorithm identified as "0001", and UE also supports this algorithm, then judgment of CI is not needed and standard encryption algorithm is directly adopted for security communication.
After UEA is selected, RNC sends UE a SECURITY MODE COMMAND message carrying the selected UEA.
5) After receiving SECURITY MODE COMMAND message, UE sets local UE security capability parameter as the received UE security capability parameter. Meanwhile UE sends a SECURITY MODE COMPLETE message to RNC of the access network, indicating the successful setting of security mode.
6) After receiving SECURITY MODE COMPLETE message, RNC of the access network immediately sends VLR of CN a SEUCIRTY'MODE COMPLETE message carrying the selected UEA.
7) After receiving SECURITY MODE COMPLETE message, VLR of CN
completes setting of its own security mode and then waits until the predetermined
time is due, after which security communication between UE and UTRAN begins.
This communication is encrypted or decrypted according to the encryption algorithm
corresponding to the selected UEA.

We Claim:
1. A method for implementing security communication by independently selecting an encryption algorithm, comprising:
a. when a subscriber is calling or is being called, the Core Network (CN) extracting
Mobile Country Code (MCC) of the subscriber and according to said MCC setting
value of Customer Identifier (CI) to indicate whether the subscriber is a foreign or
domestic subscriber;
b. establishing a connection between User Equipment (UE) corresponding to the
subscriber and Radio Resource Controller (RRC), after the connection is successfully
established, the UE sending a message of RRC connection completion to RNC of the
access network, the RNC then storing relevant security information in said message
including User Encryption Algorithms (UEAs) supported by the UE;
c. when CN initiating establishment procedure of security mode, a Visit Location
Register (VLR) of CN selecting at least one UEA, and sending RNC a security mode
command message including UEAs, Cipher Key (CK) and CI information;
d. after receiving the security mode command message from CN, RNC selecting a
UEA for security communication according to the selected UEAs in CN in said
message and the stored UEAs supported by the UE;
under the condition that CN supports more than one encryption algorithm, if the current subscriber is a foreign subscriber and a standard encryption algorithm whose UEA is "0001" is supported by both UE and CN, determining the standard encryption algorithm as the encryption algorithm for security communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication; if the current subscriber is a domestic subscriber and an encryption algorithm whose UEA is not "0001" is supported by both UE and CN, determining this encryption algorithm as the encryption algorithm for security
communication; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication;
under the condition that CN only supports the standard encryption algorithm, if this algorithm is also supported by UE, determining this standard encryption algorithm as the encryption algorithm for security communication directly; otherwise, determining that no appropriate encryption algorithm is available and disconnecting the communication;
after selecting UEA, RNC sending UE a security mode command message carrying the selected UEA;
e. after receiving the security mode command message, UE setting the local UE security capability parameter as the received UE security capability parameter, meanwhile, UE sending a security mode complete message to RNC of the access network; after receiving the message, RNC sending a security mode complete message carrying the selected UEA to VLR of CN; the VLR of CN completing setting of its own security mode after receiving the security mode complete message.
2. A method as claimed in claim 1, comprising: setting value of the CI at 0 if the current subscriber is judged as a domestic subscriber based on MCC, and at 1 if the current subscriber is judged as a foreign subscriber based on MCC.
3. A method as claimed in claim 1, comprising: presetting a Mobile Country Code (MCC) number list and storing the list in CN, regarding the subscribers according with said list as domestic subscribers and regarding the subscribers not according with said list as foreign subscribers.
4. A method as claimed in claim 2, wherein MCCs of foreign subscribers adopting the same encryption algorithm as that adopted by the domestic subscribers are stored in the MCC number list.
5. A method of any one of claims 1, 2 and 3, wherein the length of CI is 1 bit.

Documents:

1589-delnp-2004-abstract.pdf

1589-delnp-2004-claims.pdf

1589-delnp-2004-complete specification(as file).pdf

1589-delnp-2004-complete specification(granted).pdf

1589-delnp-2004-correspondence-others.pdf

1589-delnp-2004-correspondence-po.pdf

1589-delnp-2004-description (complete).pdf

1589-delnp-2004-drawings.pdf

1589-delnp-2004-form-1.pdf

1589-delnp-2004-form-19..pdf

1589-delnp-2004-form-2.pdf

1589-delnp-2004-form-3.pdf

1589-delnp-2004-form-5.pdf

1589-delnp-2004-gpa.pdf

1589-delnp-2004-petition-137.pdf

1589-delnp-2004-petition-138.pdf

« Previous Patent

Next Patent »

Patent Number

218290

Indian Patent Application Number

1589/DELNP/2004

PG Journal Number

22/2008

Publication Date

30-May-2008

Grant Date

31-Mar-2008

Date of Filing

07-Jun-2004

Name of Patentee

HUAWEI TECHNOLOGIES CO.,LTD.

Applicant Address

HUAWEI SERVICE CENTER BUILDING, KEFA ROAD, SCIENCE-BASED INDUSTRIAL PARK, NANSHAN DISTRICT, SHENZHEN, 51807, GUANGDON, P.R. CHINA.

Inventors:

#	Inventor's Name	Inventor's Address
1	ZHENG ZHIBIN	HUAWEI SERVICE CENTER BUILDING, KEFA ROAD, SCIENCE-BASED INDUSTRIAL PARK, NANSHAN DISTRICT, SHENZHEN, 51807, GUANGDON, P.R. CHINA.

PCT International Classification Number

H04L 9/32

PCT International Application Number

PCT/CN02/00223

PCT International Filing date

2002-03-29

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	01144225.5	2001-12-13	China