RussianPatents.com

Method and apparatus for obtaining security key in relay system

Russian patent RU 2523954

FIELD: radio engineering, communication.

SUBSTANCE: invention relates to communication engineering. In the method of obtaining a security key in a relay system, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains a root key of the security key of the radio interface between the node and another node adjoining said node; and in accordance with the root key, the node obtains a security key of the radio interface between the node and said other adjoining node. Therefore, in accordance with the initial key, each lower-level node obtains a root key of the security key of the radio interface between each lower-level node, such that UE data on the Un interface link can be secured accordingly.

EFFECT: effective data security in each radio interface segment.

12 cl, 11 dwg

 

TECHNICAL FIELD

[0002] The present invention relates to the field of communications technologies, and in particular, to a method and apparatus for obtaining a security key in a relay system.

BACKGROUND OF THE INVENTION

[0003] LTE-A (Long Term Evolution Advanced, LTE-Advanced) is an evolution of the 3GPP LTE broadband radio technology standard and is currently under close study. To increase throughput at the cell edge, LTE-A introduces the relay node (Relay Node, RN), to meet the temporary network deployment needs of operators or users and to support group mobility, where an RN can be deployed in rural areas, urban areas, indoor hotspot areas or "dead zones".

[0004] The RN is located between the donor eNB (DeNB, Donor eNB) to which the RN belongs and the UE; the RN transmits the downlink signal to the UE and the uplink signal to the DeNB, where the radio interface between the RN and the DeNB is called the Un interface and the radio interface between the RN and the UE is called the Uu interface. Data from the DeNB to the UE passes through two segments of the radio interface, i.e. the data reaches the UE in two hops. When more RNs are added, a multi-hop scenario may also occur in LTE-A.

[0005] Due to the introduction of the RN, the number of air-link segments increases, the number of key levels also increases, and the existing security mechanism is unable to effectively secure data on each segment of the radio interface.

SUMMARY OF THE INVENTION

[0006] Embodiments of the present invention provide a method and apparatus for obtaining a security key in a relay system, so that UE data on the Un interface link can be properly secured.

[0007] An embodiment of the present invention discloses a method for obtaining a security key in a relay system, which includes:

obtaining, by a node in the relay system, an initial key;

obtaining, by the node in accordance with the initial key, a root key of the security key of the radio interface between the node and another node that is directly adjacent to said node; and

obtaining, by the node in accordance with the root key, the security key of the radio interface between the node and said other node that is directly adjacent to said node.

[0008] An embodiment of the present invention discloses a method for obtaining a security key in a relay system, which includes:

obtaining, by a first relay node, a root key in the authentication process with a node adjacent to the first relay node; and

obtaining, by the first relay node in accordance with the root key, a security key of the radio interface for performing protection between the first relay node and the adjacent node,

where the node adjacent to the first relay node includes the upper-level node of the first relay node and/or the lower-level node of the first relay node.

[0009] An eNB includes:

an obtaining module, configured to obtain an initial key of a node in the relay system;

a first obtaining module, configured to obtain, in accordance with the initial key obtained by the obtaining module, a root key of the security key of the radio interface between the node and another node that is directly adjacent to said node; and

a second obtaining module, configured to obtain, in accordance with the root key obtained by the first obtaining module, the security key of the radio interface between the node and said other node that is directly adjacent to said node.

[0010] A relay node includes:

a first obtaining module, configured so that the first relay node obtains a root key in the authentication process with a node adjacent to the first relay node; and

a second obtaining module, configured so that the first relay node obtains, in accordance with the root key obtained by the first obtaining module, a security key of the radio interface for performing protection between the first relay node and the adjacent node,

where the node adjacent to the first relay node includes the upper-level node of the first relay node and/or the lower-level node of the first relay node.

[0011] In the embodiments of the present invention, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains a root key of the security key of the radio interface between the node and another node that is directly adjacent to the node; and in accordance with the root key, the node obtains the security key of the radio interface between the node and said other node that is directly adjacent to the node. In this way, UE data on the Un interface link can be properly secured, that is, each active UE has its own set of security parameters on the Un interface link, and data on each segment of the radio interface is effectively secured.

BRIEF DESCRIPTION OF THE DRAWINGS

[0012] In order to describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments are briefly presented below. Obviously, the accompanying drawings in the following description show only some embodiments of the present invention, and persons of ordinary skill in the art can obtain other drawings from these accompanying drawings without creative efforts.

[0013] Figure 1 is a flowchart of the method for obtaining a security key in a relay system in accordance with the first embodiment of the present invention;

[0014] Figure 2 is a flowchart of the method for obtaining a security key in a relay system in accordance with the second embodiment of the present invention;

[0015] Figure 3 is a flowchart of the method for obtaining a security key in a relay system in accordance with the third embodiment of the present invention;

[0016] Figure 4 is a flowchart of the method for obtaining a security key in a relay system in accordance with the fourth embodiment of the present invention;

[0017] Figure 5 is a flowchart of the method for obtaining a security key in a relay system in accordance with the fifth embodiment of the present invention;

[0018] Figure 6 is a flowchart of the method for obtaining a security key in a relay system in accordance with the sixth embodiment of the present invention;

[0019] Figure 7 is a flowchart of the method for obtaining a security key in a relay system in accordance with the seventh embodiment of the present invention;

[0020] Figure 8 is a flowchart of the method for obtaining a security key in a relay system in accordance with the eighth embodiment of the present invention;

[0021] Figure 9 is a flowchart of the method for obtaining a security key in a relay system in accordance with the ninth embodiment of the present invention;

[0022] Figure 10 is a schematic structural diagram of a node in the relay system according to an embodiment of the present invention; and

[0023] Figure 11 is a schematic structural diagram of another node in the relay system according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0024] In order to clarify the objectives, technical solutions and advantages of the present invention, the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments to be described are only a part and not all of the embodiments of the present invention. All other embodiments obtained by persons skilled in the art on the basis of the embodiments of the present invention without creative efforts shall fall within the scope of protection of the present invention.

[0025] The RN has the following characteristics:

[0026] The RN can have its own physical cell identity (PCI, Physical Cell Identity), which is used for transmission of the synchronization signal and reference signal of the RN.

[0027] The UE may receive scheduling information and hybrid automatic repeat request (HARQ, Hybrid Automatic Repeat Request) feedback from the RN and send UE control information to the RN.

[0028] For a 3GPP Release 8 UE, the RN can be an R8 eNB, that is, the RN has the characteristic of backward compatibility.

[0029] For an LTE-A UE, the RN may be an entity that differs from an R8 eNB.

[0030] In the authentication process in the LTE system, the home subscriber server (HSS, Home Subscriber Server) generates the initial root encryption key and the initial root integrity protection key, namely CK, IK, in accordance with the local primary root key K. In the authentication process, the HSS obtains the core network initial key K_ASME in accordance with CK, IK and sends K_ASME to the MME. The MME obtains the non-access stratum (NAS, Non-Access Stratum) key K_NAS and the access network initial key K_eNB in accordance with K_ASME, and the MME sends K_eNB to the eNB; the eNB locally obtains the access stratum (AS, Access Stratum) key K_AS in accordance with K_eNB, where K_NAS includes the NAS message encryption key and the NAS message integrity protection key, and K_AS includes the user plane (UP, User Plane) encryption key, the control plane (CP, Control Plane) integrity protection key and the CP encryption key. The UE side may also generate CK, IK in accordance with the local primary root key K. The UE obtains K_ASME in accordance with CK, IK; the UE obtains the NAS key K_NAS and K_eNB in accordance with K_ASME; and the UE obtains the AS key K_AS in accordance with K_eNB. The key derivation method used by the MME and the UE is as follows.

[0031] The key derivation function (KDF) includes:

Derived key = HMAC-SHA-256 (Key, S).

Key is the input key, and S = FC || P0 || L0 || P1 || L1 ...

FC is one byte long and is used to distinguish different algorithms, P0 is an input parameter, and L0 is the length of P0.

[0032] The derivation method is as follows:

K_ASME = KDF (CK || IK, S10), S10 = f (FC, PLMN ID, SQN ⊕ AK).

[0033] The MME and the UE obtain locally:

K_eNB = KDF (K_ASME, S11), S11 = f (Uplink NAS COUNT);

K_NAS = KDF (K_ASME, S15), S15 = f (algorithm type distinguisher, algorithm id).

[0034] The eNB and the UE obtain locally:

K_AS = KDF (K_eNB, S15).

[0035] S10 = f (FC, PLMN ID, SQN ⊕ AK) = FC || PLMN ID || length of PLMN ID || SQN ⊕ AK || length of (SQN ⊕ AK),

where FC = 0x10, and the PLMN ID is the identifier of the public land mobile network. SQN is the sequence number, AK may be the anonymity key, and "length of xx" denotes the length of xx.

S11 = f (FC, Uplink NAS COUNT) = FC || Uplink NAS COUNT || length of Uplink NAS COUNT,

where FC = 0x11, and the Uplink NAS COUNT may be the count value of uplink NAS messages.

S15 = f (FC, algorithm type distinguisher, algorithm id) = FC || algorithm type distinguisher || length of algorithm type distinguisher || algorithm id || length of algorithm id,

where FC = 0x15, the algorithm type distinguisher may indicate the type of algorithm, and the algorithm id may be the identification number of the algorithm.
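The derivation chain of paragraphs [0030] to [0035], as an added example that is not part of the patent text: it builds S = FC || P0 || L0 || P1 || L1 and runs HMAC-SHA-256 for each level from CK || IK down to the NAS and AS keys. Assumptions not stated on the page: each length L is encoded as two bytes big-endian, PLMN ID is 3 bytes, SQN ⊕ AK is 6 bytes, Uplink NAS COUNT is 4 bytes, the algorithm type distinguisher and algorithm id are one byte each with the numeric values chosen below, and all key material is constructed sample data.

```python
import hashlib
import hmac

# Assumed one-byte algorithm type distinguisher values (not given on the page).
ALG_TYPE = {"NAS_enc": 0x01, "NAS_int": 0x02,
            "CP_enc": 0x03, "CP_int": 0x04, "UP_enc": 0x05}


def build_s(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... with a one-byte FC."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one byte")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a two-byte length")
        # Assumption: Li is the length of Pi as two bytes, big-endian.
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, s: bytes) -> bytes:
    """Derived key = HMAC-SHA-256(Key, S)."""
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_asme(ck: bytes, ik: bytes, plmn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME = KDF(CK || IK, S10), FC = 0x10."""
    return kdf(ck + ik, build_s(0x10, plmn_id, sqn_xor_ak))


def derive_k_enb(k_asme: bytes, uplink_nas_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, S11), FC = 0x11."""
    return kdf(k_asme, build_s(0x11, uplink_nas_count.to_bytes(4, "big")))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """K_NAS / K_AS member = KDF(parent, S15), FC = 0x15."""
    return kdf(parent, build_s(0x15, bytes([alg_type]), bytes([alg_id])))


def derive_hierarchy(ck, ik, plmn_id, sqn_xor_ak, uplink_nas_count, alg_id=1):
    """Run the whole chain and return every key by name."""
    k_asme = derive_k_asme(ck, ik, plmn_id, sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, uplink_nas_count)
    keys = {"K_ASME": k_asme, "K_eNB": k_enb}
    # K_NAS members hang off K_ASME (held by MME and UE only).
    for name in ("NAS_enc", "NAS_int"):
        keys[name] = derive_alg_key(k_asme, ALG_TYPE[name], alg_id)
    # K_AS members hang off K_eNB (held by eNB and UE).
    for name in ("UP_enc", "CP_int", "CP_enc"):
        keys[name] = derive_alg_key(k_enb, ALG_TYPE[name], alg_id)
    return keys


# Constructed sample inputs, for illustration only.
SAMPLE_CK = bytes(range(16))
SAMPLE_IK = bytes(range(16, 32))
SAMPLE_PLMN_ID = bytes.fromhex("00f110")
SAMPLE_SQN_XOR_AK = bytes.fromhex("0a1b2c3d4e5f")

if __name__ == "__main__":
    result = derive_hierarchy(SAMPLE_CK, SAMPLE_IK, SAMPLE_PLMN_ID,
                              SAMPLE_SQN_XOR_AK, uplink_nas_count=5)
    for name, value in result.items():
        print(f"{name:7s} {value.hex()}")
```

Because K_eNB depends on the Uplink NAS COUNT, a new count yields a new K_eNB and new AS keys while the NAS keys, derived directly from K_ASME, stay the same.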

[0036] However, due to the introduction of the RN, the number of air-link segments increases, the number of key levels also increases, and the existing security mechanism is unable to effectively secure data on each segment of the radio interface. To solve this technical problem, an embodiment of the present invention provides a method for obtaining a key in a multi-hop system, which is described as follows.

[0037] The embodiments of the present invention are described in further detail below, taking a 3-hop system as an example; the method in each embodiment is also applicable to a 2-hop system or to a system that contains more than 2 hops.

[0038] Figure 1 - block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with the first embodiment of the present invention. The method includes:

[0039] Step 101: A node in the relay system obtains an initial key.

[0040] Step 102: According to the initial key, the node obtains the root key of the air interface protection key between the node and another node that is directly adjacent to the node.

[0041] Step 103: According to the root key, the node obtains the air interface protection key between the node and said another node that is directly adjacent to the node.

[0042] In this embodiment of the present invention, the node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the air interface protection key between the node and said another node that is directly adjacent to it; and in accordance with the root key, the node obtains the air interface protection key between the node and said another node. In this way the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, and, in addition, effective security protection is provided for the data in each segment of the air interface.

[0043] In addition, when the node in the relay system is an eNB, the obtaining of the initial key by the node in the relay system includes:

[0044] The eNB obtains the initial key from the mobility management entity (MME).

[0045] In addition, when the node in the relay system is a relay node RN, the obtaining of the initial key by the node in the relay system includes:

[0046] The RN obtains the initial key from the MME or the eNB.

[0047] In addition, when the node in the relay system is a user equipment UE, the obtaining of the initial key by the node in the relay system includes:

[0048] The UE obtains the initial key from the upper-level node of the UE.

[0049] In addition, when the node in the relay system is an eNB, the method further includes:

[0050] The eNB obtains the initial key of a lower-level node of the eNB in accordance with a transmitted input parameter and the initial key.

[0051] The eNB sends the initial key to one of the lower-level nodes of this node.

[0052] The eNB sends the transmitted input parameter to the node that is directly adjacent to said one of the lower-level nodes, so that, in accordance with the transmitted input parameter and the initial key, said lower-level node and the node directly adjacent to it obtain the root key of the air interface protection key between said lower-level node and the node directly adjacent to it.

[0053] In addition, when the node in the relay system is a relay node RN, the method further includes:

[0054] The RN receives the transmitted input parameter, which is sent by the upper-level node.

[0055] The obtaining, in accordance with the initial key, of the root key of the air interface protection key between the node and the node that is directly adjacent to it includes, in particular:

[0056] In accordance with the initial key and the transmitted input parameter, the relay node RN obtains the root key of the air interface protection key between the node and the node that is directly adjacent to it.

[0057] In addition, when the node in the relay system is a user equipment UE, the method further includes:

[0058] The UE receives the transmitted input parameter, which is sent by the upper-level node.

[0059] The obtaining, in accordance with the initial key, of the root key of the air interface protection key between the node and the node that is directly adjacent to it includes, in particular:

[0060] In accordance with the initial key and the transmitted input parameter, the UE obtains the root key of the air interface protection key between the node and the node that is directly adjacent to it.

[0061] It should be noted in particular that the input parameter in this embodiment may be a transmitted input parameter.

[0062] In this embodiment of the present invention, the node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the air interface protection key between the node and said another node that is directly adjacent to it; and in accordance with the root key, the node obtains the air interface protection key between the node and said another node. In this way the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, and, in addition, effective security protection is provided for the data in each segment of the air interface.

[0063] Figure 2 - block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with the second embodiment of the present invention. In this embodiment, the UE obtains all the air interface keys in accordance with the local primary root key K of the UE, KeNB is transmitted from the eNB or the upper-level RN to the lower-level RN, and the input parameter in this embodiment may be a local input parameter. As shown in Figure 2:

[0064] Step 201: RN1 accesses the network and the authentication process completes.

[0065] Step 202: RN2 accesses the network and the authentication process completes.

[0066] Step 203: the UE accesses the network, and the authentication process completes.

[0067] There is no fixed order between steps 201, 202 and 203.

[0068] Step 204: The MME obtains KNAS and the initial key KeNB in accordance with the key KASME that is generated in the authentication process of the UE.

[0069] At step 204, the method for obtaining KNAS and the initial key KeNB is similar to the key derivation method in the LTE system and is not described in detail here.

[0070] Step 205: The MME sends the initial key KeNB to the eNB.

[0071] Step 206: The eNB receives and stores the initial key KeNB that is sent by the MME.

[0072] Step 207: The eNB forwards the initial key KeNB to RN1.

[0073] Step 208: RN1 stores the initial key KeNB.

[0074] Step 209: The eNB and RN1 locally obtain the root key KeNB' between the eNB and RN1 in accordance with the initial key KeNB and, according to the root key KeNB', obtain the air interface keys used for protecting UP data and CP data between the eNB and RN1. The specific method is as follows:

KeNB' = KDF (KeNB, f (first input parameter)).

[0075] When RN1 accesses the network, the first input parameter may be C-RNTI1, the temporary identification information allocated to RN1 by the eNB, where it should be noted that each time RN1 re-accesses a new DeNB, the C-RNTI1 obtained is different; or the first input parameter may be RRC MESSAGE COUNT1, the count value of UE-specific radio resource control (RRC) messages between the eNB and RN1; or the first input parameter may be NONCE1, a random value negotiated between the eNB and RN1. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0076] The keys used for protecting UP data and CP data between the eNB and RN1 are obtained in accordance with the root key KeNB', where the UP data protection key is the UP encryption key KUPenc, and the CP data protection keys are the CP encryption key KRRCenc and the CP integrity protection key KRRCint. The three keys are obtained using the formula for obtaining KAS, with KeNB' as the input key. Obtaining the key KUPenc is taken as an example for description, namely:

KUPenc = KDF (KeNB', f (UP encryption algorithm type distinguisher, UP encryption algorithm id)),

where the UP encryption algorithm type distinguisher identifies the type of the UP encryption algorithm, and the UP encryption algorithm id is the identifier of the UP encryption algorithm.

[0077] Step 210: RN1 forwards the initial key KeNB to RN2.

[0078] Step 211: RN2 stores the initial key KeNB.

[0079] Step 212: RN1 and RN2 obtain the root key KRN1 in accordance with the initial key KeNB, as follows:

KRN1 = KDF (KeNB, f (second input parameter)),

where the second input parameter may be C-RNTI2, the temporary identification information allocated to RN2 by RN1 when RN2 accesses the network; or the second input parameter may be RRC MESSAGE COUNT2, the count value of UE-specific RRC messages between RN1 and RN2; or the second input parameter may be NONCE2, a random value negotiated between RN1 and RN2. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0080] The method for obtaining the UP data protection key KUPenc' and the CP data protection keys KRRCenc' and KRRCint' on the Un interface link between RN1 and RN2 according to the root key KRN1 is similar to the method for obtaining KAS in the LTE system and is not described in detail here.

[0081] Step 213: The UE locally obtains KNAS and the initial key KeNB; the derivation method is similar to that described in the prior art and is not described in detail here. RN2 and the UE obtain the root key KRN2 in accordance with the initial key KeNB and, in accordance with the root key KRN2, obtain the air interface keys used for protecting UP data and CP data between the UE and RN2. KRN2 may be obtained by either of the following two methods.

[0082] a. KRN2 = KDF (KeNB, f (third input parameter)),

where the input key is KeNB, and when the UE accesses the network, the third input parameter may be C-RNTI3, the temporary identification information allocated to the UE by RN2; or the third input parameter may be RRC MESSAGE COUNT3, the count value of UE-specific RRC messages between RN2 and the UE; or the third input parameter may be NONCE3, a random value negotiated between RN2 and the UE. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0083] b. KeNB is updated in the manner of an intra-cell handover to obtain the root key KRN2, in particular:

KRN2 = KDF (KeNB, f (PCI, EARFCN-DL)),

where the input key is the key KeNB used before the handover, and the input parameters may be the PCI of the target cell and the EARFCN-DL radio frequency channel number of the target cell.

[0084] In this embodiment of the present invention, the eNB obtains the initial key KeNB, obtains the root key KeNB' between the eNB and the node RN1 in accordance with the initial key KeNB, obtains in accordance with the root key KeNB' the air interface protection key between the eNB and the node directly adjacent to the eNB, and forwards the initial key KeNB to each lower-level node, so that each lower-level node obtains, in accordance with the initial key KeNB, the root key of the air interface protection key between the lower-level nodes. In this way the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, and, in addition, effective security protection is provided for the data in each segment of the air interface.
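The KDF of [0031]-[0035] and the per-segment derivation of the second embodiment ([0074]-[0082]) can be worked through in Python; this is an added example, not part of the patent text. The two-byte length fields, the 4-byte NAS COUNT encoding, the UP encryption distinguisher value and the FC_HOP value are assumptions not given on this page, and every sample input is constructed.

```python
import hashlib
import hmac

FC_KASME = 0x10        # from the page (S10)
FC_KENB = 0x11         # from the page (S11)
FC_ALG_KEY = 0x15      # from the page (S15)
FC_HOP = 0xF0          # ASSUMPTION: placeholder, the page gives no FC for segment root keys
UP_ENC_ALG = 0x05      # ASSUMPTION: UP encryption distinguisher as used in 3GPP TS 33.401
SAMPLE_ALG_ID = 0x02   # constructed sample algorithm id


def build_s(fc, *params):
    """Return S = FC || P0 || L0 || P1 || L1 ... with FC one byte long.

    ASSUMPTION: each Li is a two-byte big-endian length (as in 3GPP TS 33.220);
    the page only states that L0 is the length of P0.
    """
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one byte")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a two-byte length field")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key, s):
    """Derived key = HMAC-SHA-256(Key, S)."""
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(ck, ik, plmn_id, sqn_xor_ak):
    """KASME = KDF(CK||IK, S10)."""
    return kdf(ck + ik, build_s(FC_KASME, plmn_id, sqn_xor_ak))


def derive_kenb(k_asme, uplink_nas_count):
    """KeNB = KDF(KASME, S11). ASSUMPTION: the NAS COUNT is encoded in 4 bytes."""
    return kdf(k_asme, build_s(FC_KENB, uplink_nas_count.to_bytes(4, "big")))


def derive_hop_root(initial_key, hop_param):
    """Root key of one air interface segment, e.g. KeNB' = KDF(KeNB, f(C-RNTI1))."""
    return kdf(initial_key, build_s(FC_HOP, hop_param))


def derive_up_enc(root_key, alg_id=SAMPLE_ALG_ID):
    """KUPenc = KDF(root key, f(algorithm type distinguisher, algorithm id))."""
    return kdf(root_key, build_s(FC_ALG_KEY, bytes([UP_ENC_ALG]), bytes([alg_id])))


def derive_relay_chain(k_enb, first, second, third):
    """Second embodiment: one initial KeNB, one root key per segment.

    Both ends of a segment run the same derivation, so they reach the same
    UP encryption key without that key crossing the air interface.
    """
    roots = {
        "eNB-RN1": derive_hop_root(k_enb, first),    # KeNB'
        "RN1-RN2": derive_hop_root(k_enb, second),   # KRN1
        "RN2-UE": derive_hop_root(k_enb, third),     # KRN2 (method a)
    }
    return {hop: derive_up_enc(root) for hop, root in roots.items()}


def sample_chain(c_rnti1=b"\x00\x11"):
    """Run the whole chain on constructed sample inputs (not real key material)."""
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    k_asme = derive_kasme(ck, ik, b"\x00\xf1\x10", bytes(6))
    k_enb = derive_kenb(k_asme, 5)
    return derive_relay_chain(k_enb, c_rnti1, b"\x00\x22", b"\x00\x33")


if __name__ == "__main__":
    for hop, key in sample_chain().items():
        print(hop, key.hex())
```

Because RN1 and RN2 both store the same initial KeNB in this embodiment, the three segment keys differ only through the input parameter fed to the KDF.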

[0085] Figure 3 - block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with a third embodiment of the present invention. The difference from the second embodiment is that the eNB locally obtains the initial keys of all lower-level RNs in accordance with KeNB and then delivers the obtained results or the derivation parameters to each lower-level node; the input parameters in this embodiment may include a transmitted input parameter and a local input parameter. As shown in Figure 3:

[0086] Steps 301 to 305 are similar to steps 201 to 205 in the second embodiment and are not described in detail here.

[0087] Step 306: The eNB locally obtains the initial keys KRN1 and KRN2 of each lower-level node in accordance with the initial key KeNB, as follows:

KRN1 = KDF (KeNB, f (fourth input parameter)).

KRN2 = KDF (KeNB, f (fifth input parameter)).

[0088] The fourth input parameter may be a transmitted input parameter. When RN2 accesses the network, the fourth input parameter may be C-RNTI4, the temporary identification information allocated to RN2 by RN1, where it should be noted that each time RN2 re-accesses a new DeNB, the C-RNTI4 obtained is different; or the fourth input parameter may be NONCE4, a random value negotiated between RN1 and RN2.

[0089] The fifth input parameter may be a fifth transmitted input parameter. When the UE accesses the network, the fifth transmitted input parameter may be C-RNTI5, the temporary identification information allocated to the UE by RN2, where it should be noted that each time the UE re-accesses a new DeNB, the C-RNTI5 obtained is different; or the fifth transmitted input parameter may be NONCE5, a random value negotiated between the eNB and RN1.

[0090] Alternatively, the fourth input parameter and the fifth input parameter may also be other input parameters, such as the id of the corresponding RN or the carrier frequency point of the corresponding RN. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0091] Step 307: The eNB sends the initial key KeNB and the fourth input parameter to RN1.

[0092] Step 308: The eNB and RN1 obtain the root key KeNB' between the eNB and RN1 in accordance with the initial key KeNB, and the eNB and RN1 obtain the keys used for protecting UP data and CP data in accordance with the root key KeNB'. KeNB' is obtained as follows:

KeNB' = KDF (KeNB, f (sixth local input parameter)),

where, when RN1 accesses the network, the sixth local input parameter may be C-RNTI6, the temporary identification information allocated to RN1 by the eNB, where each time RN1 re-accesses a new DeNB, the C-RNTI6 obtained is different; or the sixth local input parameter may be RRC MESSAGE COUNT6, the count value of UE-specific RRC messages between the eNB and RN1; or the sixth local input parameter may be NONCE6, a random value negotiated between the eNB and RN1. The local input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0093] The keys used for protecting UP data and CP data between the eNB and RN1 are obtained in accordance with the root key KeNB', where the UP data protection key is the UP encryption key KUPenc, and the CP data protection keys are the CP encryption key KRRCenc and the CP integrity protection key KRRCint. The three keys are obtained using the formula for obtaining KAS, with KeNB' as the input key. Obtaining the key KUPenc is taken as an example for description, namely:

KUPenc = KDF (KeNB', f (UP encryption algorithm type distinguisher, UP encryption algorithm id)),

where the UP encryption algorithm type distinguisher identifies the type of the UP encryption algorithm, and the UP encryption algorithm id is the identifier of the UP encryption algorithm.

[0094] Step 309: The eNB sends the initial key KRN1, the initial key KeNB and the fifth input parameter to RN2.

[0095] Step 310: RN1 obtains the initial key KRN1 of RN1 in accordance with the initial key KeNB of the eNB and the fifth input parameter; RN1 and RN2 obtain the root key KRN1' between RN1 and RN2 according to the initial key KRN1; and according to the root key KRN1', RN1 and RN2 obtain the air interface keys KUPenc, KRRCenc and KRRCint, which are used for protecting UP data and CP data between RN1 and RN2. The method is the same as the method for obtaining KAS in the LTE system and is not described in detail here. KRN1' is obtained as follows:

KRN1' = KDF (KRN1, f (seventh local input parameter)),

where the input key is KRN1, and the seventh local input parameter may be RRC MESSAGE COUNT7, the count value of UE-specific RRC messages between RN1 and RN2; or the seventh local input parameter may be C-RNTI7, the temporary identification information allocated to RN2 by RN1; or the seventh local input parameter may be NONCE7, a random value negotiated between RN1 and RN2. The local input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0096] Step 311: RN2 obtains the initial key KRN2 of RN2 according to the initial key KeNB of the eNB and the fifth input parameter, and the method for obtaining KRN2 is similar to that at step 306.

[0097] Step 312: RN2 sends the fifth input parameter to the UE.

[0098] Step 313: The UE locally obtains KNAS and the initial keys KeNB and KRN2. The initial key KeNB is obtained using the formula for obtaining KeNB, which is not described in detail here; the method for obtaining the initial key KRN2 is similar to the method for obtaining KRN2 at step 306. RN2 and the UE obtain the root key KRN2' between RN2 and the UE in accordance with the initial key KRN2, and RN2 and the UE obtain, in accordance with KRN2', the air interface keys used for protecting UP data and CP data between the UE and RN2. KRN2' may be obtained by either of the following two methods.

[0099] a. KRN2' = KDF (KRN2, f (eighth local input parameter)),

where the input key is KRN2, and the eighth local input parameter may be RRC MESSAGE COUNT8, the count value of messages between RN2 and the UE; or the eighth local input parameter may be C-RNTI8, the temporary identification information allocated to the UE by RN2; or the eighth local input parameter may be NONCE8, a random value negotiated between RN2 and the UE. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0100] b. KRN2 is updated in the manner of an intra-cell handover to obtain KRN2', and the specific method is:

KRN2' = KDF (KRN2, f (PCI, EARFCN-DL)),

where the input key may be the key KRN2 used before the handover, the input parameter PCI may be the physical cell identification information of the target cell, and EARFCN-DL may be the radio frequency channel number of the target cell.

[0101] In this embodiment of the present invention, the eNB obtains the initial key of each lower-level node in accordance with KeNB, and the eNB forwards to each lower-level node its initial key and the input parameter, so that each lower-level node obtains the root key of its air interface protection key in accordance with the initial key and the input parameter. In this way the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, and, in addition, effective security protection is provided for the data in each segment of the air interface.

[0102] Figure 4 - block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with the fourth embodiment of the present invention. The difference from the third embodiment is that the initial keys of the eNB and the RNs are generated together in the MME, and then the obtained result, or the obtained result and the parameter, is delivered to each node, as shown in Figure 4.

[0103] Steps 401 to 403 are similar to steps 201 to 203 in the second embodiment and are not described in detail here. The differences are as follows:

[0104] Step 404: The MME obtains KNAS and the initial key KeNB of the eNB under the MME in accordance with the key KASME that is generated in the authentication process of the UE, as follows:

KeNB = KDF (KASME, f (UL NAS COUNT))

KRN1 = KDF (KASME, f (tenth input parameter))

KRN2 = KDF (KASME, f (eleventh input parameter)),

where the input key is the key KASME that is generated in the authentication process, and UL NAS COUNT is the count value of the uplink NAS signaling of the UE in the MME. The tenth input parameter may include a tenth transmitted input parameter, which may be NONCE10, a random value, or the value of the NAS COUNT between the MME and the corresponding RN. The eleventh input parameter may be an eleventh transmitted input parameter, which may be NONCE11, a random value, or the value of the NAS COUNT between the MME and the corresponding RN. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0105] Step 405: The MME sends the initial key KeNB to the eNB.

[0106] Step 406: The MME sends the initial key KeNB and the tenth input parameter to RN1.

[0107] Step 407: The MME sends the initial keys KeNB and KRN1 and the eleventh input parameter to RN2.

[0108] Step 408: RN2 sends the eleventh input parameter to the UE.

[0109] Step 409: RN1 and the eNB obtain the root key KeNB' in accordance with the initial key KeNB, and in accordance with the root key KeNB' RN1 and the eNB obtain the air interface keys used for protecting UP data and CP data between RN1 and the eNB, as follows:

KeNB' = KDF (KeNB, f (twelfth local input parameter)),

where, when RN1 accesses the network, the twelfth local input parameter may be C-RNTI12, the temporary identification information allocated to RN1 by the eNB, where each time RN1 re-accesses a new DeNB, the C-RNTI12 obtained is different; or the twelfth local input parameter may be RRC MESSAGE COUNT12, the count value of UE-specific RRC messages between the eNB and RN1; or the twelfth local input parameter may be NONCE12, a random value negotiated between the eNB and RN1. The local input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0110] The keys used for protecting UP data and CP data between RN1 and the eNB are obtained in accordance with the root key KeNB', where the UP data protection key is the UP encryption key KUPenc, and the CP data protection keys are the CP encryption key KRRCenc and the CP integrity protection key KRRCint. The three keys are obtained using the formula for obtaining KAS, with KeNB' as the input key. Obtaining the key KUPenc is taken as an example for description, namely:

KUPenc = KDF (KeNB', f (UP encryption algorithm type distinguisher, UP encryption algorithm id)),

where the UP encryption algorithm type distinguisher identifies the type of the UP encryption algorithm, and the UP encryption algorithm id is the identifier of the UP encryption algorithm.

[0111] Step 410: RN1 obtains the initial key KRN1 of RN1 in accordance with the initial key KeNB of the eNB and the tenth input parameter; the method is the same as at step 404 and is not described in detail here. RN1 and RN2 respectively obtain the root key KRN1' between RN1 and RN2 according to the initial key KRN1; the method is the same as at step 310 in the third embodiment and is not described in detail here. According to the root key KRN1', RN1 and RN2 obtain the air interface protection keys KUPenc, KCPenc and KCPint, which are used for protecting UP data and CP data between RN1 and RN2.

[0112] Step 411: RN2 obtains the initial key KRN2 between RN2 and the UE in accordance with the initial key KeNB between RN1 and the eNB and the eleventh input parameter; the method is the same as at step 404.

[0113] Step 412: The UE locally obtains the initial key KeNB of the eNB, and the UE obtains the initial key KRN2 of RN2 in accordance with KeNB and the eleventh input parameter. The UE and RN2 obtain the root key KRN2' between RN2 and the UE in accordance with the initial key KRN2 of RN2, and in accordance with KRN2' RN2 and the UE obtain the air interface keys KUPenc, KRRCenc and KRRCint, which are used for protecting CP data and UP data between the UE and RN2. The method is similar to the method for obtaining KAS in the LTE system and is not described in detail here. KRN2' is obtained as follows.

[0114] a. KRN2' = KDF (KRN2, f (thirteenth local input parameter)),

where the input key is KRN2, and when the UE accesses the network, the thirteenth local input parameter may be C-RNTI13, the temporary identification information allocated to the UE by RN2; or the thirteenth input parameter may be RRC MESSAGE COUNT13, the count value of messages between RN2 and the UE; or the thirteenth local input parameter may be NONCE13, a random value negotiated between RN2 and the UE. The local input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0115] b. KRN2 is updated in the manner of an intra-cell handover to obtain KRN2'; the update method is similar to that described in step 313 (b) and is not described in detail here.

[0116] In this embodiment of the present invention, the mobility management entity MME obtains the initial key of the nodes under the eNB of the MME and the initial key of the eNB in accordance with the key generated in the authentication process, and the MME sends to each lower-level node the initial key of the eNB or the initial key of the lower-level node, so that the lower-level node obtains the root key of the air interface protection key between the lower-level node and the node directly adjacent to it in accordance with the initial key of the eNB or the key generated in the authentication process between the lower-level node and the MME. Therefore, the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, so that effective security protection is provided for the data in each segment of the air interface.

[0117] Figure 5 - block diagram of the operational sequence of the method for obtaining a security key in a relay system according to the fifth embodiment of the present invention. In this embodiment, the security key of the Un interface link is based on the constant key Ka of the RN; it can be used to protect the RBs specific to the RN, and can also be used to protect all the RBs of the UEs that belong to the RN. The input parameter in this embodiment may be a local input parameter. As shown in Fig. 5:

[0118] Step 501: RN1 accesses the network and the authentication process completes, where in the authentication process the key KASME_RN1 is obtained using Ka.

[0119] Step 502: RN2 accesses the network and the authentication process completes, where in the authentication process the key KASME_RN2 is obtained using Kb.

[0120] Step 503: The MME and RN1 respectively obtain KNAS and the initial key KRN1 of RN1 in accordance with the key KASME_RN1, which is generated in the authentication process, and the MME and RN2 respectively obtain KNAS and the initial key KRN2 of RN2 in accordance with the key KASME_RN2, which is generated in the authentication process. The method may use the formula for obtaining KNAS, with the key generated in the authentication process as the input key.

[0121] Step 504: The MME sends the obtained initial key KRN1 to the eNB.

[0122] Step 505: The MME sends the obtained initial key KRN2 to RN1.

[0123] Step 506: In accordance with the initial key KRN1, RN1 and the eNB obtain the air interface keys used for protecting UP data and CP data between RN1 and the eNB. The method is the same as the method for obtaining KNAS in the LTE system, with KRN1 as the input key.

[0124] Step 507: In accordance with the initial key KRN2, RN2 obtains the root key KRN2' between RN1 and RN2, and in accordance with the root key KRN2' RN1 and RN2 obtain the air interface keys used for protecting UP data and CP data between RN1 and RN2. The method is the same as the method for obtaining KAS in the LTE system, with KRN2' as the input key. KRN2' is obtained as follows:

KRN2' = KDF (KRN2, f (fourteenth input parameter)),

where the fourteenth input parameter may be RRC MESSAGE COUNT14, the count value of UE-specific RRC messages between RN1 and RN2; or the fourteenth input parameter may be C-RNTI14, the temporary identification information allocated to RN2 by RN1 when RN2 accesses the network; or the fourteenth input parameter may be NONCE14, a random value negotiated between RN1 and RN2. The input parameter may include, but is not limited to, one or any combination of the previous three types of parameters.

[0125] In this embodiment of the present invention, the mobility management entity MME obtains the initial key of the nodes under the eNB of the MME and the initial key of the eNB in accordance with an input parameter and the key generated in the authentication process; the MME sends to each lower-level node the initial key of the eNB or the initial key of the lower-level node; and the MME sends the input parameter to the lower-level node, so that the lower-level node obtains the root key of the air interface protection key between the lower-level node and the node directly adjacent to it in accordance with the input parameter and the initial key of the eNB, or in accordance with the input parameter and the key generated in the authentication process between the lower-level node and the MME. Therefore, the data of the UE on the Un interface link can be protected accordingly, that is, each active UE has its own set of security parameters on the Un interface link, so that effective security protection is provided for the data in each segment of the air interface.

[0126] The embodiments of the present invention can also be used in combination, for example, when the Un interface between RN1 and the eNB has two types of unidirectional channels, namely the unidirectional channel of RN1 and the unidirectional channel of the UE. For the unidirectional channel of RN1, the key may be generated using the method in accordance with the fifth embodiment to perform protection, and for the unidirectional channel of the UE, the method in accordance with the second embodiment can be used to perform protection. Similarly, for the unidirectional channel of RN2 on the Un interface between RN1 and RN2, the key can also be generated using the method in accordance with the fifth embodiment to perform protection, and for the unidirectional channel of the UE on the Un interface between RN1 and RN2, the key can also be generated using the method in accordance with the second embodiment to perform protection. For the unidirectional channel of the UE on the Un interface between RN1 and the eNB, the key can also be generated using the method in accordance with the third embodiment to perform protection, and for the unidirectional channel of the UE on the Un interface between RN1 and RN2, the key can also be generated using the method in accordance with the third embodiment to perform protection. For the unidirectional channel of the UE on the Un interface between RN1 and the eNB, the key can also be generated using the method in accordance with the fourth embodiment to perform protection, and for the unidirectional channel of the UE on the Un interface between RN1 and RN2, the key can also be generated using the method in accordance with the fourth embodiment to perform protection.

[0127] Fig.6 is a block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with the sixth embodiment of the present invention. In this embodiment, the security key used by the lower-level RN is associated with the key used by the upper-level RN. The input parameter in this embodiment may be a local input parameter. As shown in Fig.6:

[0128] Step 601: RN1 accesses the network and the authentication process is completed.

[0129] Step 602: The MME and RN1 each obtain K_NAS and the initial key K_RN1 of RN1 in accordance with the key K_ASME_RN1, which is generated in the authentication process. The method of obtaining may be the same as in the LTE system: the input key is the key K_ASME_RN1, which is generated in the authentication process, and the input parameter can be the Uplink NAS COUNT of RN1.

[0130] Step 603: The MME sends the initial key K_RN1 to the eNB.

[0131] Step 604: In accordance with the initial key K_RN1, RN1 directly obtains the radio interface keys used for protecting UP data and CP data between RN1 and the eNB. The method of obtaining is the same as that for obtaining K_AS in the LTE system, and the input key is K_RN1.

[0132] Step 605: RN2 accesses the network and the authentication process is completed; in the authentication process of RN2, the MME sends the initial key K_RN1 of RN1 to RN2.

[0133] Step 606: The MME and RN2 each obtain K_NAS and the initial key K_RN2 of RN2 in accordance with K_ASME_RN2, which is generated in the authentication process, and the initial key K_RN1 of RN1. K_RN2 is obtained as follows:

K_RN2 = KDF(K_ASME_RN2, K_RN1, f(Uplink NAS COUNT at RN2)).

[0134] The input keys are K_ASME_RN2 and K_RN1.

[0135] Step 607: The MME sends the initial key K_RN2 to RN1.

[0136] Step 608: RN2 obtains the root key K_RN2' between RN1 and RN2 according to K_RN2 and, in accordance with the root key K_RN2', obtains the radio interface keys used for protecting UP data and CP data between RN1 and RN2. The method of obtaining is the same as that for obtaining K_AS in the LTE system, and the input key is K_RN2'.

[0137] Step 609: The UE accesses the network, the authentication process is completed, and K_RN1 and K_RN2 are sent to the UE.

[0138] Step 610: The MME and the UE each obtain the initial key K_eNB and K_NAS in accordance with the key K_ASME_UE, which is generated in the authentication process, and K_RN2, where K_eNB is obtained as follows:

K_eNB = KDF(K_ASME_UE, K_RN2, f(Uplink NAS COUNT at UE)).

[0139] The input keys are K_ASME_UE and K_RN2.

[0140] Step 611: The MME sends the initial key K_eNB to RN2.

[0141] Step 612: RN2 obtains a root key K_eNB' between the UE and RN2 according to the initial key K_eNB; in accordance with K_eNB', RN2 and the UE obtain the radio interface keys used for protecting UP data and CP data between RN2 and the UE. The input key is K_RN2', and K_eNB' can be obtained by two methods.

[0142] a. Similar to the way K_eNB' is obtained at step 209 in the second method, the input key is K_eNB; the first input parameter can be a count value of RRC messages between RN2 and the UE, or the first input parameter may be a C-RNTI allocated to the UE by RN2, or the first input parameter may be a new NONCE value coordinated between RN2 and the UE; and the input parameter may include, but is not limited to, one or any combination of the preceding parameters.

[0143] b. K_eNB is updated in the manner used for intra-site handover to obtain the root key K_eNB', and the update method is:

K_eNB' = KDF(K_eNB, f(PCI, EARFCN-DL)),

where K_eNB' may be the updated key, the input key may be the key K_eNB used before the handover, and the input parameter may be the PCI of the target cell and EARFCN-DL, the radio frequency channel number of the target cell.

[0144] In this embodiment of the present invention, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the radio interface protection key between the node and another node that is directly adjacent to said node; and in accordance with the root key, the node obtains the security key of the air interface between the node and said other node, so that the UE data on the Un interface link can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.
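The key chain of steps 602 to 612 can be followed in code. The sketch below is an added example, not code from the patent: it assumes HMAC-SHA-256 as the KDF, concatenation of the two input keys as the HMAC key, and a labelled, length-suffixed encoding for f, none of which the text fixes. The function names are hypothetical and all keys and counts are constructed sample values.

```python
"""Sixth-embodiment key chain (steps 602-612), as an added illustration.

Assumptions not stated on the page: KDF is HMAC-SHA-256, two input keys are
concatenated to form the HMAC key, and f() is a labelled, length-suffixed
encoding of its arguments. All key material below is constructed sample data.
"""
import hashlib
import hmac
import struct

KEY_LEN = 32  # assumed key size in bytes


def f(label: str, *fields: bytes) -> bytes:
    """Assumed encoding of the input parameter: label, then field || len(field)."""
    out = label.encode("ascii") + b"\x00"
    for field in fields:
        out += field + struct.pack(">H", len(field))
    return out


def kdf(input_keys, param: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA-256 keyed with the concatenated input key(s)."""
    if not input_keys or any(len(k) != KEY_LEN for k in input_keys):
        raise ValueError("every input key must be %d bytes" % KEY_LEN)
    return hmac.new(b"".join(input_keys), param, hashlib.sha256).digest()


def nas_count(value: int) -> bytes:
    """Uplink NAS COUNT as a 32-bit big-endian value (assumed width)."""
    return struct.pack(">I", value)


def derive_k_rn1(k_asme_rn1: bytes, ul_nas_count: int) -> bytes:
    # Step 602: input key K_ASME_RN1, input parameter Uplink NAS COUNT of RN1.
    return kdf([k_asme_rn1], f("K_RN1", nas_count(ul_nas_count)))


def derive_k_rn2(k_asme_rn2: bytes, k_rn1: bytes, ul_nas_count: int) -> bytes:
    # Step 606: K_RN2 = KDF(K_ASME_RN2, K_RN1, f(Uplink NAS COUNT at RN2)).
    return kdf([k_asme_rn2, k_rn1], f("K_RN2", nas_count(ul_nas_count)))


def derive_k_enb(k_asme_ue: bytes, k_rn2: bytes, ul_nas_count: int) -> bytes:
    # Step 610: K_eNB = KDF(K_ASME_UE, K_RN2, f(Uplink NAS COUNT at UE)).
    return kdf([k_asme_ue, k_rn2], f("K_eNB", nas_count(ul_nas_count)))


def update_k_enb(k_enb: bytes, pci: int, earfcn_dl: int) -> bytes:
    # [0143] b: K_eNB' = KDF(K_eNB, f(PCI, EARFCN-DL)) for the target cell.
    return kdf([k_enb], f("K_eNB'", struct.pack(">H", pci),
                          struct.pack(">I", earfcn_dl)))


def build_chain(k_asme, counts, k_rn1_override=None):
    """Derive K_RN1 -> K_RN2 -> K_eNB the way either end of the exchange would.

    k_rn1_override stands in for a K_RN1 that differs from the genuine one,
    to show how the difference propagates down the chain.
    """
    k_rn1 = k_rn1_override or derive_k_rn1(k_asme["RN1"], counts["RN1"])
    k_rn2 = derive_k_rn2(k_asme["RN2"], k_rn1, counts["RN2"])
    k_enb = derive_k_enb(k_asme["UE"], k_rn2, counts["UE"])
    return {"K_RN1": k_rn1, "K_RN2": k_rn2, "K_eNB": k_enb}


# Constructed sample inputs (not real key material).
SAMPLE_K_ASME = {
    "RN1": bytes([0x11]) * KEY_LEN,
    "RN2": bytes([0x22]) * KEY_LEN,
    "UE": bytes([0x33]) * KEY_LEN,
}
SAMPLE_COUNTS = {"RN1": 0, "RN2": 5, "UE": 9}

if __name__ == "__main__":
    mme_side = build_chain(SAMPLE_K_ASME, SAMPLE_COUNTS)
    node_side = build_chain(SAMPLE_K_ASME, SAMPLE_COUNTS)
    print("both sides agree:", mme_side == node_side)

    # A different upper-level key changes every key derived below it.
    other = build_chain(SAMPLE_K_ASME, SAMPLE_COUNTS,
                        k_rn1_override=bytes([0x44]) * KEY_LEN)
    print("K_RN2 changed:", other["K_RN2"] != mme_side["K_RN2"])
    print("K_eNB changed:", other["K_eNB"] != mme_side["K_eNB"])

    # Handover-style update binds the new root key to the target cell.
    print("K_eNB':", update_k_enb(mme_side["K_eNB"], 101, 1850).hex())
```

Because K_RN1 is an input key to K_RN2 and K_RN2 is an input key to K_eNB, a node holding a stale or wrong upper-level key derives keys that do not match its peer's, which is the association between lower-level and upper-level keys that this embodiment describes.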

[0145] Fig.7 is a block diagram of the operational sequence of the method for obtaining a security key in a relay system according to the seventh embodiment of the present invention. In this embodiment, the RN at each level performs authentication with the top-level node of the RN and generates a security key for each segment of the radio interface. As shown in Fig.7:

[0146] Step 701: RN1 accesses the network, and authentication is performed with eNB.

[0147] Step 702: In accordance with the root key K_AUT_RN1 that is generated in the authentication process between RN1 and the eNB, RN1 and the eNB each obtain the keys used for protecting UP data and CP data on the interface between RN1 and the eNB. The method of obtaining is the same as that for obtaining K_AS in the LTE system, and the input key is K_RN1.

[0148] Step 703: RN2 accesses the network, and authentication is performed with RN1.

[0149] Step 704: In accordance with the root key K_AUT_RN2 that is generated in the authentication process between RN1 and RN2, RN1 and RN2 each obtain the keys used for protecting UP data and CP data on the interface between RN1 and RN2. The method of obtaining follows the formula for obtaining K_AS, and the input key is K_RN2.

[0150] In this embodiment, the first relay node obtains the root key during the authentication procedure with a neighboring node of the first relay node, and according to the root key the first relay node obtains the radio interface protection key for performing protection between the first relay node and the neighboring node, where the neighboring node of the first relay node includes the top-level node of the first relay node and/or the bottom node of the first relay node, so that the data at each node can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0151] This embodiment of the present invention can also be used in conjunction with embodiments 1, 2 and 3: the method of the seventh embodiment is used to protect the unidirectional channel related to the RN on the Un interface, and embodiments 1, 2 and 3 are used to protect the unidirectional channel related to the UE on the Un interface.

[0152] Fig.8 is a block diagram of the operational sequence of the method for obtaining a security key in a relay system in accordance with the eighth embodiment of the present invention. In this embodiment, the RN at each level performs authentication with the eNB to generate the security key of each segment of the radio interface. As shown in Fig.8:

[0153] Step 801: RN1 accesses the network, and authentication is performed with eNB.

[0154] Step 802: In accordance with the root key K_RN1 that is generated in the authentication process between the eNB and RN1, the eNB and RN1 each obtain the keys used for protecting UP data and CP data on the interface between the eNB and RN1.

[0155] Step 803: RN2 accesses the network, and authentication is performed with eNB.

[0156] Step 804: The eNB and RN2 each generate the initial key K_RN2 of RN2 in the authentication process, and the eNB forwards the initial key K_RN2 to RN1. RN1 and RN2 each obtain the root key K_RN2' between RN1 and RN2 according to K_RN2 and, in accordance with K_RN2', obtain the keys used for protecting UP data and CP data on the interface between RN1 and RN2.

[0157] In this embodiment, the first relay node obtains a root key in the authentication process with a neighboring node of the first relay node, and according to the root key the first relay node obtains the radio interface protection key for performing protection between the first relay node and the neighboring node, where the neighboring node of the first relay node includes the top-level node of the first relay node and/or the bottom node of the first relay node, so that the data at each node can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0158] This embodiment of the present invention can also be used in conjunction with embodiments 1, 2 and 3: the method of the eighth embodiment is used to protect the unidirectional channel related to the RN on the Un interface, and embodiments 1, 2 and 3 are used to protect the unidirectional channel related to the UE on the Un interface, so that the UE data on the Un interface link can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0159] Fig.9 is a block diagram of the operational sequence of the method for obtaining a security key in a relay system according to the ninth embodiment of the present invention.

[0160] Step 901: The first relay node obtains a root key in the authentication process with a neighboring node of the first relay node.

[0161] Step 902: According to the root key, the first relay node obtains the radio interface protection key for performing protection between the first relay node and the neighboring node.

[0162] The neighboring node of the first relay node includes the top-level node of the first relay node and/or the bottom node of the first relay node.

[0163] In this embodiment of the present invention, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the radio interface protection key between the node and another node that is directly adjacent to the node; and in accordance with the root key, the node obtains the security key of the air interface between the node and said other node, so that the UE data on the Un interface link can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0164] Figure 10 is a schematic structural diagram of a node in the relay system according to the embodiment of the present invention, which includes:

a receiving module 1001, configured to receive an initial key of the node in the relay system;

a first obtaining module 1002, configured to obtain, in accordance with the initial key received by the receiving module, the root key of the radio interface protection key between the node and another node that is directly adjacent to the node;

a second obtaining module 1003, configured to obtain, in accordance with the root key obtained by the first obtaining module, the security key of the air interface between the node and said other node that is directly adjacent to the node.

[0165] The receiving module is specifically configured to: when the node in the relay system is an eNB, obtain the primary key from the mobility management entity (MME).

[0166] The receiving module is specifically configured to: when the node in the relay system is a relay node (RN), obtain the primary key from the MME or the eNB.

[0167] The receiving module is specifically configured to: when the node in the relay system is a user equipment (UE), receive the primary key from the top-level node of the UE.

[0168] In addition, the device additionally includes:

an additional module, configured to: when the node in the relay system is an eNB, obtain the primary key of the bottom node of the eNB in accordance with the input parameter and the initial key obtained by the receiving module.

[0169] A sending module 1004, configured to: send the initial key and the input parameter to one of the lower-level nodes of the node and to the node that is directly adjacent to that lower-level node, so that, in accordance with the input parameter and the primary key, that lower-level node and the node directly adjacent to it obtain the root key of the radio interface protection key between that lower-level node and the node directly adjacent to it.

[0170] In addition, when the node in the relay system is a relay node (RN), the device additionally includes:

a receiving module 1005, configured so that the RN receives the input parameter sent from the top-level node.

[0171] The first obtaining module is additionally configured so that the RN obtains, in accordance with the initial key and the input parameter, the root key of the radio interface protection key between the node and the node that is directly adjacent to the node.

[0172] In addition, when the node in the relay system is a user equipment (UE), the device additionally includes:

The receiving module is additionally configured to: when the node in the relay system is a user equipment (UE), receive the input parameter sent from the top-level node.

[0173] The first obtaining module is additionally configured so that the UE obtains, in accordance with the initial key and the input parameter, the root key of the radio interface protection key between the node and the node that is directly adjacent to the node.

[0174] In this embodiment of the present invention, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the radio interface protection key between the node and another node that is directly adjacent to the node; and in accordance with the root key, the node obtains the security key of the air interface between the node and said other node, so that the UE data on the Un interface link can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0175] Fig.11 is a schematic structural diagram of a relay node in accordance with the embodiment of the present invention, which includes:

a first obtaining module 1101, configured so that the first relay node obtains a root key in the process of authentication between the first relay node and a neighboring node of the first relay node;

a second obtaining module 1102, configured so that the first relay node obtains, in accordance with the root key obtained by the first obtaining module, the radio interface protection key for performing protection between the first relay node and the neighboring node.

[0176] The neighboring node of the first relay node includes the top-level node of the first relay node and/or the bottom node of the first relay node.

[0177] In this embodiment of the present invention, a node in the relay system obtains an initial key; in accordance with the initial key, the node obtains the root key of the radio interface protection key between the node and another node that is directly adjacent to the node; and in accordance with the root key, the node obtains the security key of the air interface between the node and said other node, so that the UE data on the Un interface link can be properly protected, that is, each active UE has a set of security settings on the Un interface link, and the data on each segment of the radio interface is effectively protected.

[0178] From the preceding description of the embodiments, specialists in the art can clearly understand that the present invention may be implemented using software on a necessary universal hardware platform, and may certainly also be implemented using hardware, but in many cases the former is the preferred implementation. Therefore, based on this understanding, the technical solutions of the present invention, or the part contributing to the prior art, may be embodied in the form of a software product. The computer software product can be stored on a storage medium and includes several instructions that cause a computing device (which may be a personal computer, server, or network equipment) to perform the method in each embodiment of the present invention.

[0179] Although the present invention is illustrated and described with reference to some exemplary embodiments of the present invention, specialists in the art should understand that various changes in form and content can be made without deviating from the scope of the present invention.

1. A method for obtaining a security key in a relay system, characterized in that it comprises the steps of:
generating (101), by a first node and the network side, a primary key of the first node in accordance with the authentication process, so that the network side sends the initial key to the top-level node that is directly connected to the first node, and the top-level node obtains the root key of the top-level node in accordance with the initial key and, according to the root key of the top-level node, obtains the radio interface protection key for performing protection between the first node and the top-level node;
obtaining (102), by the first node, the root key of the first node in accordance with the initial key;
obtaining (103), by the first node, according to the root key of the first node, the radio interface protection key for performing protection between the first node and the top-level node;
additionally generating, by the first node and the network side, an input parameter of the first node through authentication, and optionally sending, by the network side, the input parameter to the top-level node that is directly connected to the first node, so that the top-level node obtains the root key of the top-level node in accordance with the initial key and the input parameter and, according to the root key of the top-level node, obtains the radio interface protection key for performing protection between the first node and the top-level node; and
wherein obtaining, by the first node, the root key of the first node in accordance with the primary key comprises:
obtaining, by the first node, in accordance with the initial key of the first node and the input parameter, the root key of the radio interface protection key for performing protection between the first node and the top-level node;
wherein obtaining, by the first node, in accordance with the initial key of the first node and the input parameter, the root key of the radio interface protection key for performing protection between the first node and the top-level node is implemented, in particular, through the following formula:
K_{root key} = KDF(K_{primary key}, f(input parameter)),
where K_{root key} is the root key of the radio interface protection key between the node and another node that is directly adjacent to said node, KDF is a key derivation function, K_{primary key} is the initial key and f is a function, and
the input parameter contains any of the following:
the C-RNTI parameter, temporary identification information of said node, and the C-RNTI parameter, temporary identification information of the other node that is directly adjacent to said node;
the RRC MESSAGE COUNT parameter, a count value of radio resource control (RRC) messages between the node and said other node that is directly adjacent to said node;
the NONCE random value, which said node coordinates with said other node that is directly adjacent to the node;
the PCI physical cell identification information and the EARFCN-DL radio channel number of said other node that is directly adjacent to said node; and
the Uplink NAS COUNT parameter, a count value of uplink non-access stratum (NAS) messages of said other node that is directly adjacent to said node.

2. A method for obtaining a security key in a relay system, comprising the steps of:
obtaining a primary key by a node in the relay system;
obtaining, by the node, in accordance with the initial key, the root key of the radio interface protection key between the node and another node that is directly adjacent to the node; and
obtaining, by the node, in accordance with the root key, the key of the air interface between the node and said other node that is directly adjacent to said node;
wherein, when the node in the relay system is an eNB, obtaining the primary key by the node in the relay system includes:
obtaining, by the eNB, the primary key from the mobility management entity (MME); and
when said node in the relay system is a relay node (RN), obtaining the primary key by the node in the relay system includes:
obtaining, by the RN, the initial key from the MME or the eNB, or obtaining, by the RN, the saved initial key from the RN;
wherein obtaining, by the node, in accordance with the initial key, the root key of the radio interface protection key between the node and said other node that is directly adjacent to said node is implemented, in particular, through the following formula:
K_{root key} = KDF(K_{primary key}, f(input parameter)),
where K_{root key} is the root key of the radio interface protection key between the node and said other node that is directly adjacent to said node, KDF is a key derivation function, K_{primary key} is the initial key and f is a function, and
the input parameter contains any of the following:
the C-RNTI parameter, temporary identification information of said node, and the C-RNTI parameter, temporary identification information of said other node that is directly adjacent to the node;
the RRC MESSAGE COUNT parameter, a count value of radio resource control (RRC) messages between the node and said other node that is directly adjacent to said node;
the NONCE random value, which said node coordinates with said other node that is directly adjacent to the node;
the PCI physical cell identification information and the EARFCN-DL radio channel number of said other node that is directly adjacent to said node; and
the Uplink NAS COUNT parameter, a count value of uplink non-access stratum (NAS) messages of said other node that is directly adjacent to the node.

3. The method according to claim 2, in which,
when the node in the relay system is an eNB, the method further comprises:
obtaining, by the eNB, the root key of a lower-level node of the eNB in accordance with an input parameter and the initial key; and
sending, by the eNB, the initial key and the input parameter to a first node and a second node, so that the first node and the second node obtain, in accordance with the input parameter and the initial key, the root key of the radio interface protection key between the first node and the second node, where
the first node is one of the lower-level nodes of the eNB; and
the second node is a node that is directly adjacent to said one of the lower-level nodes of the eNB.

4. The method according to claim 2, in which, when the node in the relay system is a relay node (RN), the method further comprises:
receiving, by the RN, an input parameter sent by the top-level node, or obtaining, by the RN, a locally generated input parameter; and
obtaining, in accordance with the initial key, the root key of the radio interface protection key between the node and said other node that is directly adjacent to the node comprises, in particular:
obtaining, by the RN, in accordance with the initial key and the input parameter, the root key of the radio interface protection key between the node and said other node that is directly connected with the node.

5. The method according to claim 2, in which, when the node in the relay system is a user equipment (UE), the method further comprises:
receiving, by the UE, an input parameter sent by the top-level node; and
obtaining, in accordance with the initial key, the root key of the radio interface protection key between the node and said other node that is directly adjacent to the node comprises, in particular:
obtaining, by the UE, in accordance with the initial key and the input parameter, the root key of the radio interface protection key between the node and said other node that is directly adjacent to the node.

6. A communication node in a relay system, characterized in that it comprises:
a receiving module (1001), configured to receive the initial key;
a first obtaining module (1002), configured to obtain, in accordance with the initial key received by the receiving module, the root key of the radio interface protection key between the communication node and another communication node that is directly adjacent to the communication node; and
a second obtaining module (1003), configured to obtain, in accordance with the root key obtained by the first obtaining module, the radio interface protection key between the communication node and said other communication node that is directly adjacent to the communication node;
wherein the second obtaining module (1003) is implemented, in particular, through the following formula:
K_{root key} = KDF(K_{primary key}, f(input parameter)),
where K_{root key} is the root key of the radio interface protection key between the communication node and the other communication node that is directly adjacent to said communication node, KDF is a key derivation function, K_{primary key} is the initial key and f is a function, and
the input parameter contains any of the following:
the C-RNTI parameter, temporary identification information of said communication node, and the C-RNTI parameter, temporary identification information of said other communication node that is directly adjacent to said communication node;
the RRC MESSAGE COUNT parameter, a count value of radio resource control (RRC) messages between the communication node and said other communication node that is directly adjacent to said communication node;
the NONCE random value, which said communication node coordinates with said other communication node that is directly adjacent to said communication node;
the PCI physical cell identification information and the EARFCN-DL radio channel number of said other communication node that is directly adjacent to said communication node; and
the Uplink NAS COUNT parameter, a count value of uplink non-access stratum (NAS) messages of said other communication node that is directly adjacent to said communication node.

7. The communication node according to claim 6, in which
the module (1001) is, in particular, configured to: when said communication node in the relay system is an eNB, obtain the primary key from the mobility management entity (MME); or
the module (1001) is, in particular, configured to: when said communication node in the relay system is a relay node (RN), obtain the initial key from the MME or the eNB; or
the module (1001) is, in particular, configured to: when said communication node in the relay system is a user equipment (UE), obtain the initial key from the top-level node of the UE.

8. The communication node according to claim 6, in which:
the module (1001) is further configured to: when said communication node in the relay system is an eNB, obtain the primary key of a lower-level node of the eNB in accordance with an input parameter and the initial key;
moreover, the device further comprises:
a sending module (1004), configured to send to a first node and a second node the initial key and the input parameter obtained by the receiving module, so that, in accordance with the input parameter and the initial key obtained by the receiving module, the first node and the second node obtain the root key of the radio interface protection key between the first node and the second node, where the first node is one of the lower-level nodes of the eNB, and the second node is a node that is directly adjacent to said one of the lower-level nodes of the eNB.

9. The communication node according to claim 6, in which the device further comprises:
a receiving module (1005), configured to receive an input parameter sent by the top-level node when said communication node in the relay system is a relay node (RN),
wherein the first obtaining module is additionally configured to obtain, in accordance with the initial key received by the receiving module and the input parameter received by the receiving module, the root key of the radio interface protection key between the communication node and said other communication node that is directly adjacent to said communication node.

10. The communication node according to claim 6, in which the device further comprises:
a receiving module (1005), further configured to: when the communication node in the relay system is a user equipment (UE), receive an input parameter from the top-level node; and
the first obtaining module (1002) is additionally configured to obtain, in accordance with the primary key received by the receiving module and the input parameter received by the receiving module, the root key of the radio interface protection key between the communication node and the other communication node that is directly adjacent to said communication node.

11. A communication node in a relay system, characterized in that it comprises:
a module configured to generate the primary key of the first node in accordance with the authentication process;
a module configured to obtain the root key of the first node in accordance with the initial key; and
a module configured to obtain, according to the root key, the radio interface protection key for performing protection between the first node and the top-level node;
wherein, when the communication node in the relay system is an eNB, the module configured to generate the primary key is configured to obtain the primary key from the mobility management entity (MME); when the communication node in the relay system is a relay node (RN), the module configured to generate the primary key is configured to obtain the initial key from the MME or the eNB, or the saved initial key from the RN;
wherein the module configured to obtain the root key of the first node in accordance with the initial key is, in particular, implemented through the following formula:
K_{root key} = KDF(K_{primary key}, f(input parameter)),
where K_{root key} is the root key of the radio interface protection key between the communication node and said other node that is directly adjacent to said communication node, KDF is a key derivation function, K_{primary key} is the initial key and f is a function, and
the input parameter contains any of the following:
the C-RNTI parameter, temporary identification information of the communication node, and the C-RNTI parameter, temporary identification information of said other communication node that is directly adjacent to the communication node;
the RRC MESSAGE COUNT parameter, a count value of radio resource control (RRC) messages between the communication node and said other communication node that is directly adjacent to said communication node;
the NONCE random value, which said communication node coordinates with said other communication node that is directly adjacent to said communication node;
the PCI physical cell identification information and the EARFCN-DL radio channel number of said other communication node that is directly adjacent to said communication node; and
the Uplink NAS COUNT parameter, a count value of uplink non-access stratum (NAS) messages of said other communication node that is directly adjacent to said communication node.

12. A machine-readable medium containing computer program code which, when executed by a computing unit, causes the computing unit to execute the steps of the method according to claim 1.
