Abstract: Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

Abstract: Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

Abstract: Method, apparatus and systems are provided for key derivation. A target base station receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station. The target base station selects a key corresponding to the target cell after obtaining information regarding a target cell that a user equipment (UE) is to access. An apparatus for key derivation and a communications system are also provided.

Abstract: Embodiments of the present disclosure provide a method in a network element for access controlling. The method comprises receiving an access request message from a terminal device and checking a data structure for maintaining state information of terminal devices from which the network element has received access request messages, in response to the reception of the access request message. The method also comprises determining whether the requesting terminal device is abnormal based on said checking of the data structure and rejecting the access request of the requesting terminal device in response to determining that the requesting terminal device is abnormal.

Abstract: This application discloses a policy control method, including: after a gateway is connected to a network, receiving a first gateway access identifier; selecting a PCRF entity for the gateway accordingly, and establishing a first session for the gateway to implement policy control on the gateway; when a mobile terminal or a fixed-line device is connected to the network through the gateway to perform service data flow access, receiving a second gateway access identifier; if the second gateway access identifier and the first gateway access identifier are the same, selecting, for a service data flow of the mobile terminal or the fixed-line device, a same PCRF entity, and establishing a second session to implement policy control on the service data flow of the mobile terminal or the fixed-line device. The foregoing manner is used to prevent incorrect policy control from causing an exception.

Abstract: Method, apparatus and systems are provided for key derivation. A target base station receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station. The target base station selects a key corresponding to the target cell after obtaining information regarding a target cell that a user equipment (UE) is to access. An apparatus for key derivation and a communications system are also provided.

Abstract: Embodiments of the present disclosure provide a method in a network element for access controlling. The method comprises receiving an access request message from a terminal device and checking a data structure for maintaining state information of terminal devices from which the network element has received access request messages, in response to the reception of the access request message. The method also comprises determining whether the requesting terminal device is abnormal based on said checking of the data structure and rejecting the access request of the requesting terminal device in response to determining that the requesting terminal device is abnormal.

Abstract: A method, network element, and mobile station (MS) are disclosed. The method includes: obtaining information that a plug-in card of the MS does not support a first encryption algorithm; deleting the first encryption algorithm from an encryption algorithm list permitted by a core network element according to the information that the plug-in card of the MS does not support the first encryption algorithm; sending the encryption algorithm list excluding the first encryption algorithm to an access network element, so that the access network element selects an encryption algorithm according to the encryption algorithm list excluding the first encryption algorithm and the MS capability information sent from the MS and sends the selected encryption algorithm to the MS. By using the method, network element, and MS, errors due to the fact that the plug-in card of the MS does not support an encryption algorithm may be avoided during the encryption process.

Abstract: Embodiments of the present invention provide a method for ensuring uplink quality of service, a base station and a user equipment. The method for ensuring the uplink quality of service includes: receiving a downlink service data flow, where the downlink service data flow carries an uplink transmission control identifier; and controlling, based on the uplink transmission control identifier, a transmission of a service type's uplink data for which an uplink transmission control needs to be performed in an uplink radio bearer, so as to reduce a transmission rate of the service type's uplink data. Through the technical solution provided by embodiments of the present invention, data is recognized in a dedicated radio bearer and controlled when a centralized scheduling is adopted for uplink resources, thereby ensuring the uplink quality of service.

Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station) receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.

Abstract: A method, an apparatus and a system for marking a service data packet are provided. A traffic detection function TDF is requested to detect a data flow description or data flow starting or ending information corresponding to a service application type. The detected data flow description or a data flow starting or ending information report, transmitted by the TDF, is received. A data packet marking rule is generated according to the data flow description or the data flow starting or ending information report. A session modification message carrying the data packet marking rule is transmitted to a bearer binding function entity BBF for the BBF to map a data flow identified by the session modification message to a bearer according to the session modification message, and mark a GTP-U header according to the data packet marking rule.

Abstract: This application discloses a policy control method, including: after a gateway is connected to a network, receiving a first gateway access identifier; selecting a PCRF entity for the gateway accordingly, and establishing a first session for the gateway to implement policy control on the gateway; when a mobile terminal or a fixed-line device is connected to the network through the gateway to perform service data flow access, receiving a second gateway access identifier; if the second gateway access identifier and the first gateway access identifier are the same, selecting, for a service data flow of the mobile terminal or the fixed-line device, a same PCRF entity, and establishing a second session to implement policy control on the service data flow of the mobile terminal or the fixed-line device. The foregoing manner is used to prevent incorrect policy control from causing an exception.

Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station) receives multiple keys derived by a source base station, where the keys correspond to cells of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.

Abstract: A method, an apparatus and a system for key derivation are disclosed. The method includes the following steps: a target base station) receives multiple keys derived by a source base station, where the keys correspond to cells under control of the target base station; the target base station selects a key corresponding to the target cell after knowing a target cell that a user equipment (UE) wants to access. An apparatus for key derivation and a communications system are also provided.

Abstract: A method and an apparatus for authentication are disclosed. The method includes: deciding to release a connection or continue a current service according to native information and network policy after an AKA authentication procedure fails. When the EPS AKA authentication procedure fails, the connection is not released immediately in the present invention, but the connection is released or the current service is continued according to the native information and network policy, thus avoiding unnecessary release of connections and saving resources.

Abstract: A method, a device, and a system for establishing a security mechanism for an air interface are provided in embodiments of the present invention. The method includes: performing security processing for a shared key of an access link according to a shared key between a relay node and a mobility management entity; and sending the shared key of the access link after the security processing to the relay node to enable the relay node to obtain the shared key of the access link based on the shared key between the relay node and the mobility management entity. The present invention reduces the possibility at which the air interface link is hacked, thereby improving the security of the air interface link.

Abstract: Embodiments of the present invention provide a bandwidth control method, a bandwidth control device, and a bandwidth control system. The method includes: receiving, by a PCEF entity or a BBERF entity, a downlink shared bandwidth value of one or multiple sub data flows transmitted by a PCRF entity; and performing bandwidth control to downlink data flows of the one or multiple sub data flows according to the downlink shared bandwidth value. Embodiments of the present invention can perform associated bandwidth control to one or multiple sub data flows in the downlink direction, such that downlink data flows of the one or multiple sub data flows make full use of the shared bandwidth, thereby solving a problem that the existing bandwidth control mechanism hinders efficient use of the bandwidth.

Abstract: Embodiments of the present invention disclose a relay node authentication method, apparatus, and system. The method provided in an embodiment of the present invention includes: sending, by a relay node, an authentication request message to a peer node, where the authentication request message includes a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, where the peer node is a network side node or a security gateway in a security domain where the network side node is located; and receiving, by the relay node, an authentication response message sent by the peer node, where the authentication response message includes a certificate of the peer node, and authenticating the peer node according to the certificate of the peer node.

Abstract: A method, network element, and mobile station (MS) are disclosed. The method includes: obtaining information that a plug-in card of the MS does not support a first encryption algorithm; deleting the first encryption algorithm from an encryption algorithm list permitted by a core network element according to the information that the plug-in card of the MS does not support the first encryption algorithm; sending the encryption algorithm list excluding the first encryption algorithm to an access network element, so that the access network element selects an encryption algorithm according to the encryption algorithm list excluding the first encryption algorithm and the MS capability information sent from the MS and sends the selected encryption algorithm to the MS. By using the method, network element, and MS, errors due to the fact that the plug-in card of the MS does not support an encryption algorithm may be avoided during the encryption process.

Abstract: The present invention discloses a packet-switched network access method, a WLAN access system and a user equipment. The packet-switched network access method includes: receiving indication information sent by a user equipment attached to a WLAN or sent by an HSS/AAA, where the indication information is used to indicate whether the user equipment is capable of providing information of accessing a PS network; and determining, according to the indication information, whether establishing a PDN connection after authentication is successful or after a layer 3 message sent by the user equipment is received, so that the user equipment accesses a PS network by using the WLAN.