COMMUNICATION METHOD AND RELATED APPARATUS
Abstract:
A communication method and a related device are provided. A base station obtains a security policy, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device; and when the integrity protection indication information instructs the base station to enable integrity protection for the terminal device, the base station sends a target user plane integrity protection algorithm to the terminal device.
Publication number: BR112019023041B1
Application number: R112019023041-6
Filing date: 2017-07-31
Publication date: 2021-04-06
Inventors: He Li; Jing Chen; Li Hu
Applicant: Huawei Technologies Co., Ltd.
Main IPC class:
Description:

[0001] This application claims priority to Chinese Patent Application No. PCT/CN2017/083362, filed with the Chinese Patent Office on May 5, 2017 and entitled "COMMUNICATION METHOD AND RELATED APPARATUS", which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

[0002] This application relates to the field of wireless communications technologies and, in particular, to a communication method and a related device.

BACKGROUND

[0003] In a Long Term Evolution (LTE) system, a terminal device and a base station perform security operations such as encryption/decryption and integrity protection, to provide encryption protection and integrity protection for signaling. Because different terminal devices have different security capabilities, for example, they support different encryption algorithms or integrity protection algorithms, before encryption and integrity protection are performed at the access stratum (Access Stratum, AS), a set of security algorithms needs to be negotiated between the terminal device and the base station. A security algorithm negotiation process includes the following steps:

[0004] 1. The terminal device sends an attach request to a mobility management entity (Mobility Management Entity, MME) through the base station. The attach request carries an algorithm supported by the terminal device.

[0005] 2. The base station selects, based on a pre-configured algorithm allowed by a service network for use and in combination with the algorithm that is supported by the terminal device and forwarded by the MME, a security algorithm supported by the service network. The security algorithm includes an encryption algorithm and an integrity protection algorithm. The base station generates an AS encryption key based on the selected encryption algorithm and generates an integrity protection key based on the integrity protection algorithm.
The security algorithm supported by the service network and selected by the base station is both a security algorithm for the user plane and a security algorithm applied to the signaling plane.

[0006] 3. Using an AS security mode command (Security mode command, SMC) procedure, the terminal device applies the security algorithm selected by the base station to the user plane and the signaling plane. For example, the encryption algorithm and the integrity protection algorithm selected by the base station are carried in an AS SMC and sent to the terminal device.

[0007] In the prior art, the security algorithm applied to the user plane and the signaling plane is determined using the AS SMC procedure, and the security algorithm includes the encryption algorithm and the integrity protection algorithm. A negotiation solution for this security algorithm is relatively fixed. For example, the same set of security algorithms is applicable to the user plane and the signaling plane and cannot be divided. For another example, the encryption algorithm and the integrity protection algorithm need to be determined at the same time and cannot be divided. Therefore, the security algorithm negotiation is relatively fixed and cannot adapt to flexible and changing application scenarios.

SUMMARY

[0008] Embodiments of this application provide a communication method, a related device and a storage medium, to adapt to a solution in which a user plane integrity protection algorithm can be negotiated flexibly and independently.

[0009] According to a first aspect, an embodiment of this application provides a communication method, including: obtaining, by a base station, a security policy, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device; and when the integrity protection indication information instructs the base station to enable integrity protection for the terminal device, sending, by the base station, a target user plane integrity protection algorithm to the terminal device. In this way, whether integrity protection is enabled for the terminal device can be selected flexibly based on the security policy. In addition, the base station sends the target user plane integrity protection algorithm to the terminal device only when integrity protection is enabled for the terminal device. On the one hand, because a user plane security algorithm is negotiated independently, flexibility to separately determine the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility to determine the terminal device's target user plane integrity protection algorithm is enhanced.

[0010] Optionally, the integrity protection indication information is an identifier of a user plane integrity protection algorithm. That is, if the security policy is determined to carry an identifier of a user plane integrity protection algorithm, it can be determined that the base station enables integrity protection for the terminal device. The security policy in this embodiment can carry one or more identifiers of user plane integrity protection algorithms (which can be referred to as a list of algorithms).
The user plane integrity protection algorithm carried in the security policy in this embodiment can be determined based on at least one of a user plane integrity protection algorithm allowed by a service network, a user plane integrity protection algorithm supported by the terminal device, and a user plane integrity protection algorithm allowed by the base station. In other words, the user plane integrity protection algorithm carried in the security policy is a user plane integrity protection algorithm allowed by the service network.

[0011] Optionally, the obtaining, by a base station, a security policy may be: receiving, by the base station, the security policy from another network element; or determining, by the base station, the security policy from at least one security policy pre-stored on the base station. The security policy pre-stored on the base station side can also be a security policy pre-configured on the base station side. The base station can obtain the security policy from the at least one security policy pre-stored on the base station in a plurality of ways. For example, a security policy that corresponds to a terminal device identifier and is stored on the base station can be determined based on a correspondence between the terminal device identifier and the security policy pre-stored on the base station. For another example, a security policy that corresponds to a session identifier and is stored on the base station can be determined based on a correspondence between the session identifier and the security policy pre-stored on the base station. The solution may be similar to a solution for obtaining the security policy by an SMF entity. The details are not described here.

[0012] Optionally, the sending, by the base station, a target user plane integrity protection algorithm to the terminal device includes: sending, by the base station, the target user plane integrity protection algorithm to the terminal device using RRC signaling.
The solution provided in this embodiment of this application is implemented by reusing RRC signaling in the prior art, so that better compatibility with the prior art is achieved, and the modification to the prior art is relatively small.

[0013] In an optional implementation in which the base station sends the target user plane integrity protection algorithm to the terminal device, the base station sends a target signaling plane integrity protection algorithm to the terminal device, and the terminal device also determines the received target signaling plane integrity protection algorithm as the target user plane integrity protection algorithm. That is, the base station sends one integrity protection algorithm to the terminal device, and the integrity protection algorithm is both a signaling plane integrity protection algorithm and a user plane integrity protection algorithm.

[0014] Optionally, before the sending, by the base station, a target user plane integrity protection algorithm to the terminal device, the method additionally includes: determining, by the base station, the target user plane integrity protection algorithm based on a user plane integrity protection algorithm supported by the terminal device and a user plane integrity protection algorithm supported by the base station. In this way, both the security capability of the terminal device and the security capability of the base station can be considered, so that the target user plane integrity protection algorithm matches the security capability of the terminal device and the security capability of the base station.

[0015] Optionally, the user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm sorted based on a priority, so that a better target user plane integrity protection algorithm on the base station side can be selected.
Alternatively, optionally, the user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm sorted based on a priority, so that a better target user plane integrity protection algorithm on the terminal device side can be selected.

[0016] Optionally, the security policy additionally includes a user plane integrity protection algorithm allowed by a service network, and the determining, by the base station, the target user plane integrity protection algorithm based on a user plane integrity protection algorithm supported by the terminal device and a user plane integrity protection algorithm allowed by the base station includes: determining, by the base station, the target user plane integrity protection algorithm based on the user plane integrity protection algorithm allowed by the base station, the user plane integrity protection algorithm supported by the terminal device, and the user plane integrity protection algorithm allowed by the service network. In this way, both the security capability of the terminal device and the security capability of the base station can be considered, and the real status of the service network is also considered. Therefore, on the one hand, the determined target user plane integrity protection algorithm can match the security capability of the terminal device and the security capability of the base station; on the other hand, it better matches the real status of the service network.

[0017] Optionally, when the security policy additionally includes the user plane integrity protection algorithm allowed by the service network, the base station may alternatively determine an algorithm other than the user plane integrity protection algorithm that is allowed by the service network and included in the security policy as the target user plane integrity protection algorithm.
For example, an algorithm can be determined from the user plane integrity protection algorithm allowed by the base station as the target user plane integrity protection algorithm.

[0018] Optionally, the user plane integrity protection algorithm allowed by the service network is a user plane integrity protection algorithm sorted based on a priority, so that a better target user plane integrity protection algorithm based on the service network can be selected.

[0019] Optionally, the method additionally includes: when the security policy additionally includes encryption indication information, and the encryption indication information is used to instruct the base station to enable encryption protection for the terminal device, sending, by the base station, a target user plane encryption algorithm to the terminal device; or when the security policy additionally includes a key length, sending, by the base station, the key length to the terminal device; or when the security policy additionally includes DH indication information, and the DH indication information is used to instruct the base station to enable DH for the terminal device, sending, by the base station, a DH related key to the terminal device. In this way, any information in the security policy can be indicated more flexibly, so that a finally determined security policy is better adapted to a complex application scenario.

[0020] Optionally, before the sending, by the base station, a target user plane integrity protection algorithm to the terminal device, the method additionally includes: receiving, by the base station, quality of service of a current session of the terminal device from an SMF entity, and allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service.
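
The selection described in [0009] to [0018], as an added Python sketch that is not code from the patent. The algorithm labels (NIA1 to NIA3), the `up_integrity_algorithm` field name and the choice to raise an error when integrity protection is enabled but no algorithm is acceptable to every party are assumptions made for the example; the text above names no specific algorithms and does not say what happens in that case.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


class NoCommonAlgorithm(Exception):
    """Integrity protection is enabled but no algorithm is acceptable to all parties."""


@dataclass(frozen=True)
class SecurityPolicy:
    # Integrity protection indication carried as a bit; None means "no bit carried".
    integrity_bit: Optional[bool] = None
    # Identifiers allowed by the service network, highest priority first.
    # Per [0010], carrying identifiers is itself an "enable" indication.
    network_allowed: Tuple[str, ...] = ()

    def integrity_enabled(self) -> bool:
        if self.integrity_bit is not None:
            return self.integrity_bit
        return len(self.network_allowed) > 0


def select_up_integrity(policy: SecurityPolicy,
                        ue_supported: Sequence[str],
                        bs_allowed: Sequence[str],
                        prefer: str = "base_station") -> Optional[str]:
    """Return the target user plane integrity algorithm, or None if not enabled.

    `prefer` names whose priority-sorted list decides among the acceptable
    algorithms: "base_station", "terminal" or "network" ([0015], [0018]).
    """
    if not policy.integrity_enabled():
        return None
    acceptable = set(ue_supported) & set(bs_allowed)
    if policy.network_allowed:
        acceptable &= set(policy.network_allowed)
    ranked = {
        "base_station": tuple(bs_allowed),
        "terminal": tuple(ue_supported),
        # An empty network list carries no ranking; fall back to the base station's.
        "network": policy.network_allowed or tuple(bs_allowed),
    }[prefer]
    for alg in ranked:
        if alg in acceptable:
            return alg
    # Assumption: fail closed instead of silently continuing without integrity.
    raise NoCommonAlgorithm("integrity enabled by policy, but no common algorithm")


def rrc_security_fields(policy: SecurityPolicy,
                        ue_supported: Sequence[str],
                        bs_allowed: Sequence[str],
                        prefer: str = "base_station") -> Dict[str, str]:
    """Fields the base station would add to RRC signaling ([0012]).

    The algorithm is sent only when the policy enables integrity protection.
    """
    alg = select_up_integrity(policy, ue_supported, bs_allowed, prefer)
    return {} if alg is None else {"up_integrity_algorithm": alg}


# Constructed sample capability lists, each sorted by its owner's priority.
UE_SUPPORTED = ("NIA3", "NIA2", "NIA1")
BS_ALLOWED = ("NIA2", "NIA1")
POLICY_WITH_LIST = SecurityPolicy(network_allowed=("NIA1", "NIA2"))
POLICY_BIT_ONLY = SecurityPolicy(integrity_bit=True)
POLICY_OFF = SecurityPolicy()

if __name__ == "__main__":
    for who in ("base_station", "terminal", "network"):
        print(who, select_up_integrity(POLICY_WITH_LIST, UE_SUPPORTED, BS_ALLOWED, who))
    print("off:", rrc_security_fields(POLICY_OFF, UE_SUPPORTED, BS_ALLOWED))
```
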

[0021] To save resources, optionally, the allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service includes: when there is at least one historical data radio bearer satisfying a first condition on the base station, determining, by the base station, one of the at least one historical data radio bearer satisfying the first condition as the target data radio bearer, where quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the first condition is the same as the quality of service of the current session, and the security policy is the same as a security policy supported by each data radio bearer.

[0022] Optionally, the first condition includes that the quality of service of two data radio bearers is the same, and the security policies of the two data radio bearers are the same.

[0023] To save resources, in another optional solution, the allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service includes: when there is no historical data radio bearer satisfying a first condition on the base station, but there is at least one historical data radio bearer satisfying a second condition, updating, by the base station, one historical data radio bearer of the at least one historical data radio bearer satisfying the second condition, and determining that historical data radio bearer as the target data radio bearer, where quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition is the same as the quality of service of the current session, and the security policy corresponds to a security policy supported by each data radio bearer; or quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition corresponds to the quality of service of the current session, and the security policy is the same as a security policy supported by each data radio bearer; or quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition corresponds to the quality of service of the current session, and the security policy corresponds to a security policy supported by each data radio bearer.

[0024] Optionally, the second condition includes that the quality of service of two data radio bearers corresponds to each other, and the security policies of the two data radio bearers are the same. Alternatively, optionally, the second condition includes that the quality of service of two data radio bearers is the same, and the security policies of the two data radio bearers correspond to each other. Alternatively, optionally, the second condition includes that the quality of service of two data radio bearers corresponds to each other, and the security policies of the two data radio bearers correspond to each other.

[0025] To select an appropriate target data radio bearer, in another optional solution, the allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service includes: when there is no historical data radio bearer satisfying a first condition on the base station, and there is no historical data radio bearer satisfying a second condition on the base station, creating, by the base station, the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0026] To select an appropriate target data radio bearer, in another optional solution, the allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service includes: when there is no historical data radio bearer satisfying a first condition on the base station, creating, by the base station, the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0027] To select an appropriate target data radio bearer, in another optional solution, the allocating, by the base station, a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service includes: creating, by the base station, the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0028] Optionally, the obtaining, by a base station, a security policy includes: receiving, by the base station, the security policy from the SMF entity; or receiving, by the base station, a security policy identifier from the SMF entity, and obtaining the security policy based on the security policy identifier.
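
The bearer allocation in [0021] to [0025] (reuse, then update, then create), as an added Python sketch that is not code from the patent. This section does not define when two QoS values or two security policies "correspond", so `qos_corresponds` and `policy_corresponds` below are assumed definitions, and the `Qos`, `UpPolicy` and `Drb` fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Qos:
    service_class: int   # constructed stand-in for a QoS class
    bitrate_kbps: int


@dataclass(frozen=True)
class UpPolicy:
    integrity: bool      # user plane integrity protection enabled
    encryption: bool     # user plane encryption protection enabled
    key_length: int


@dataclass
class Drb:
    drb_id: int
    qos: Qos
    policy: UpPolicy


def qos_corresponds(a: Qos, b: Qos) -> bool:
    # Assumption: same service class; the bit rate can be changed by an update.
    return a.service_class == b.service_class


def policy_corresponds(a: UpPolicy, b: UpPolicy) -> bool:
    # Assumption: the same protections are enabled; only the key length may
    # differ. A bearer without integrity protection never "corresponds" to a
    # session whose policy enables it, so it cannot be picked by an update.
    return a.integrity == b.integrity and a.encryption == b.encryption


def allocate_drb(existing: List[Drb], qos: Qos, policy: UpPolicy) -> Tuple[str, Drb]:
    """Return (action, bearer), action being "reuse", "update" or "create"."""
    # First condition ([0022]): same QoS and same security policy.
    for drb in existing:
        if drb.qos == qos and drb.policy == policy:
            return "reuse", drb
    # Second condition ([0024]): one side the same and the other corresponding,
    # or both corresponding. With the assumed definitions "same" implies
    # "corresponds", so one combined check covers all three variants.
    for drb in existing:
        if qos_corresponds(drb.qos, qos) and policy_corresponds(drb.policy, policy):
            drb.qos, drb.policy = qos, policy   # update the historical bearer
            return "update", drb
    # Neither condition met ([0025]): create a bearer for this policy and QoS.
    new = Drb(max((d.drb_id for d in existing), default=0) + 1, qos, policy)
    existing.append(new)
    return "create", new


if __name__ == "__main__":
    bearers = [Drb(1, Qos(5, 1000), UpPolicy(True, True, 128))]
    requests = [
        (Qos(5, 1000), UpPolicy(True, True, 128)),   # identical -> reuse
        (Qos(5, 2000), UpPolicy(True, True, 256)),   # corresponds -> update
        (Qos(5, 2000), UpPolicy(False, True, 256)),  # integrity differs -> create
    ]
    for qos, policy in requests:
        action, drb = allocate_drb(bearers, qos, policy)
        print(action, drb.drb_id)
```
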

[0029] Optionally, in this embodiment of this application, the method additionally includes: obtaining, by the base station, a signaling plane security algorithm supported by the terminal device; determining, by the base station, a target signaling plane security algorithm based on the signaling plane security algorithm supported by the terminal device and a signaling plane security algorithm allowed by the base station; and adding, by the base station, the target signaling plane security algorithm to an access stratum (AS) security mode command (SMC), and sending the AS SMC to the terminal device. In this way, a signaling plane algorithm and a user plane security algorithm can be decoupled, so that the user plane security algorithm and the signaling plane security algorithm are negotiated separately, to provide a basis for determining the user plane security algorithm more flexibly.

[0030] Optionally, when determining whether to enable user plane integrity protection, the base station enables user plane integrity protection.

[0031] Optionally, when determining whether to enable user plane encryption protection, the base station enables user plane encryption protection.

[0032] Optionally, when the base station determines not to temporarily enable user plane integrity protection, or the base station currently cannot determine whether to enable user plane integrity protection, the base station does not enable user plane integrity protection.

[0033] Optionally, when the base station determines not to temporarily enable user plane encryption protection, or the base station currently cannot determine whether to enable user plane encryption protection, the base station does not enable user plane encryption protection.

[0034] "Temporarily" means that there is a period of time.
That user plane integrity protection is not temporarily enabled means that user plane integrity protection is not enabled within one period of time, but user plane integrity protection is enabled in another period. That user plane encryption protection is not temporarily enabled means that user plane encryption protection is not enabled within one period of time, but user plane encryption protection is enabled in another period.

[0035] In an optional implementation, it is stipulated on a network that, after an AS security mode command is received, user plane encryption protection can be enabled, but whether to enable user plane integrity protection is notified to the terminal device using an RRC reset message. In this case, the terminal device cannot determine whether to enable user plane integrity protection.

[0036] In another optional implementation, it is stipulated on a network that, after an AS security mode command is received, only signaling plane security is enabled (signaling plane integrity protection and/or signaling plane encryption protection is/are enabled), but whether to enable user plane integrity protection and whether to enable user plane encryption protection are notified to the terminal device using an RRC reset message. In this case, whether to enable user plane integrity protection and whether to enable user plane encryption protection cannot be determined.

[0037] Optionally, not enabling user plane integrity protection includes: when whether to enable user plane integrity protection cannot be determined or it is determined not to temporarily enable user plane integrity protection, generating a user plane integrity protection key, but not performing user plane integrity protection using the user plane integrity protection key; and when it is determined to enable user plane integrity protection, performing user plane integrity protection using the user plane integrity protection key.
In this implementation, the user plane integrity protection algorithm is obtained before the user plane integrity protection key is generated; for example, the signaling plane integrity protection algorithm can also be used as the user plane integrity protection algorithm.

[0038] Optionally, not enabling user plane integrity protection includes: when it is determined to enable user plane integrity protection, generating a user plane integrity protection key, and performing user plane integrity protection using the user plane integrity protection key. That is, when whether to enable user plane integrity protection cannot be determined or it is determined not to temporarily enable user plane integrity protection, the user plane integrity protection key may not be generated when user plane integrity protection is not enabled. Correspondingly, for example, for the terminal device and the base station, if it is determined that the terminal device and the base station do not always enable user plane integrity protection (for example, which may be a predefined condition), the user plane integrity protection key may not be generated.

[0039] Optionally, not enabling user plane encryption protection includes: when whether to enable user plane encryption protection cannot be determined or it is determined not to temporarily enable user plane encryption protection, generating a user plane encryption key, but not performing user plane encryption protection using the user plane encryption key; and when it is determined to enable user plane encryption protection, performing user plane encryption protection using the user plane encryption key. In this implementation, the user plane encryption algorithm is obtained before the user plane encryption key is generated; for example, the signaling plane encryption algorithm can also be used as the user plane encryption algorithm.
Optionally, not enabling user plane encryption protection includes: when it is determined to enable user plane encryption protection, generating a user plane encryption key, and performing user plane encryption protection using the user plane encryption key. That is, when whether to enable user plane encryption protection cannot be determined or it is determined not to temporarily enable user plane encryption protection, the user plane encryption key may not be generated. Correspondingly, for example, for the terminal device and the base station, if it is determined that the terminal device and the base station do not always enable user plane encryption protection (for example, which may be a predefined condition), the user plane encryption key may not be generated.

[0040] Optionally, the base station obtains integrity protection indication information and/or encryption indication information, and determines, based on the obtained integrity protection indication information, whether to enable integrity protection, or determines, based on the encryption indication information, whether to enable user plane encryption protection. The integrity protection indication information is used to indicate whether to enable user plane integrity protection, and the encryption indication information is used to indicate whether to enable user plane encryption protection.

[0041] Optionally, there are a plurality of ways for the base station to obtain the integrity protection indication information and/or the encryption indication information. For example, the base station generates the integrity protection indication information and/or the encryption indication information through determination, or receives at least one of the integrity protection indication information and the encryption indication information sent by another network element. The other network element can be the SMF entity.

[0042] Optionally, the base station can send at least one of the integrity protection indication information and the encryption indication information to the terminal device, so that the terminal device determines whether to enable user plane integrity protection and/or whether to enable user plane encryption protection. Alternatively, the terminal device determines whether to enable user plane integrity protection and/or whether to enable user plane encryption protection.

[0043] Optionally, the integrity protection indication information and/or the encryption indication information can be bit information or an identifier of an algorithm. For example, the integrity protection indication information is an identifier of the target user plane integrity protection algorithm. For another example, the encryption indication information is an identifier of the target user plane encryption protection algorithm. For another example, 1-bit information is used to indicate the integrity protection indication information or the encryption indication information. For another example, 2-bit information is used to indicate the integrity protection indication information and the encryption indication information.

According to a second aspect, an embodiment of this application provides a communication method, including: receiving, by an SMF entity, a request message, where the request message includes a parameter related to a security policy; obtaining, by the SMF entity, the security policy or a security policy identifier based on the parameter related to the security policy; and sending, by the SMF entity, the security policy or the security policy identifier to a base station, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device.
On the one hand, because a user plane security algorithm is negotiated independently, flexibility to separately determine the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility to determine the terminal device's target user plane integrity protection algorithm is enhanced.

[0044] Optionally, the integrity protection indication information is an identifier of a user plane integrity protection algorithm. That is, if the security policy is determined to carry an identifier of a user plane integrity protection algorithm, it can be determined that the base station enables integrity protection for the terminal device. The security policy in this embodiment can carry one or more identifiers of user plane integrity protection algorithms (which can be referred to as a list of algorithms). The user plane integrity protection algorithm carried in the security policy in this embodiment can be determined based on at least one of a user plane integrity protection algorithm allowed by a service network, a user plane integrity protection algorithm supported by the terminal device, and a user plane integrity protection algorithm allowed by the base station. In other words, the user plane integrity protection algorithm carried in the security policy is a user plane integrity protection algorithm allowed by the service network.

[0045] Optionally, the parameter related to the security policy includes at least one of an identifier of the terminal device, a data network name (DNN) of the terminal device, a slice identifier of the terminal device, quality of service of the terminal device, and a session identifier of the terminal device. In this way, the security policy can be formulated based on different identifiers from different perspectives or at different granularities, and this is more flexible.

[0046] Optionally, the obtaining, by the SMF entity, the security policy or a security policy identifier based on the parameter related to the security policy includes: when the parameter related to the security policy includes the identifier of the terminal device, obtaining, by the SMF entity, the security policy based on the identifier of the terminal device and an association relationship between the identifier of the terminal device and the security policy. In this way, the security policy can be determined at a granularity of the terminal device, so that different terminal devices can correspond to different security policies.

[0047] In another optional implementation, the obtaining, by the SMF entity, the security policy or a security policy identifier based on the parameter related to the security policy includes: when the parameter related to the security policy includes the slice identifier of the terminal device, obtaining, by the SMF entity, the security policy based on the slice identifier of the terminal device and an association relationship between the slice identifier and the security policy. In this way, the security policy can be determined at a granularity of a slice, so that a terminal device accessing different slices can correspond to different security policies.

[0048] In another optional implementation, the obtaining, by the SMF entity, the security policy or a security policy identifier based on the parameter related to the security policy includes: when the parameter related to the security policy includes the session identifier of the terminal device, obtaining, by the SMF entity, the security policy based on the session identifier of the terminal device and an association relationship between the session identifier and the security policy.
In this way, the security policy can be determined at a granularity of a session, so that a terminal device initiating different sessions can correspond to different security policies.

[0049] In another optional implementation, the obtaining, by the SMF entity, the security policy or a security policy identifier based on the parameter related to the security policy includes: when the parameter related to the security policy includes the quality of service of the terminal device, obtaining, by the SMF entity, the security policy based on the quality of service of the terminal device. In this way, the security policy can be determined at a granularity of quality of service, so that a terminal device initiating different quality of service can correspond to different security policies.

[0050] Optionally, the security policy additionally includes at least one of the following: encryption indication information, where the encryption indication information is used to instruct the base station to enable encryption protection for the terminal device; a key length; DH indication information, where the DH indication information is used to instruct the base station to enable DH for the terminal device; and a user plane integrity protection algorithm enabled by the service network. In this way, any information in the security policy can be indicated more flexibly, so that a finally determined security policy is better adapted to a complex application scenario.

[0051] Optionally, the SMF entity sends integrity protection indication information and/or encryption indication information to the base station. The integrity protection indication information is used to indicate whether to enable user plane integrity protection, and the encryption indication information is used to indicate whether to enable encryption protection.
Optionally, the SMF entity determines whether to enable user plane integrity protection and/or whether to enable user plane encryption protection in a plurality of implementations. Refer to the subsequent embodiments, or to the implementation in which the base station determines whether to enable user plane integrity protection and/or whether to enable user plane encryption protection; the details are not described here again.

[0052] According to a third aspect, an embodiment of this application provides a base station, where the base station includes a memory, a transceiver and a processor; the memory is configured to store an instruction; the processor is configured to execute the instruction stored in the memory and to control the transceiver to receive and send signals; and when the processor executes the instruction stored in the memory, the base station is configured to carry out the method according to any one of the first aspect or the implementations of the first aspect.

[0053] According to a fourth aspect, an embodiment of this application provides an SMF entity, where the SMF entity includes a memory, a transceiver and a processor; the memory is configured to store an instruction; the processor is configured to execute the instruction stored in the memory and to control the transceiver to receive and send signals; and when the processor executes the instruction stored in the memory, the SMF entity is configured to perform the method according to any one of the second aspect or the implementations of the second aspect.

[0054] According to a fifth aspect, an embodiment of this application provides a base station, configured to implement the method according to any one of the first aspect or the implementations of the first aspect, and including corresponding functional modules, configured separately to implement the steps in the previous method.
[0055] According to a sixth aspect, an embodiment of this application provides an SMF entity, configured to implement the method according to any one of the second aspect or the implementations of the second aspect, and including corresponding functional modules, configured separately to implement the steps in the previous method.

[0056] According to a seventh aspect, an embodiment of this application provides a computer storage medium, where the computer storage medium stores an instruction; and when the instruction is executed on a computer, the computer performs the method according to any one of the first aspect or the possible implementations of the first aspect.

[0057] According to an eighth aspect, an embodiment of this application provides a computer storage medium, where the computer storage medium stores an instruction; and when the instruction is executed on a computer, the computer performs the method according to any one of the second aspect or the possible implementations of the second aspect.

[0058] According to a ninth aspect, an embodiment of this application provides a computer program product including an instruction and, when the computer program product is run on a computer, the computer performs the method according to any one of the first aspect or the possible implementations of the first aspect.

[0059] According to a tenth aspect, an embodiment of this application provides a computer program product including an instruction and, when the computer program product is run on a computer, the computer performs the method according to any one of the second aspect or the possible implementations of the second aspect.

[0060] In the embodiments of this application, the security policy includes the integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for the terminal device.
The base station obtains the security policy. When the integrity protection indication information instructs the base station to enable integrity protection for the terminal device, the base station sends the target user plane integrity protection algorithm to the terminal device. In this way, whether to enable integrity protection for the terminal device can be selected flexibly based on the security policy. In addition, the base station sends the target user plane integrity protection algorithm to the terminal device only when integrity protection is enabled for the terminal device. On the one hand, because a user plane security algorithm is negotiated independently, flexibility in separately determining the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility in determining the target user plane integrity protection algorithm of the terminal device is improved.

BRIEF DESCRIPTION OF THE DRAWINGS

[0061] Figure 1 is a schematic diagram of a system architecture to which an embodiment of this application is applicable;

[0062] Figure 2 is a schematic flowchart of a communication method according to an embodiment of this application;

[0063] Figure 2a is a schematic flowchart of another communication method according to an embodiment of this application;

[0064] Figure 2b is a schematic flowchart of another communication method according to an embodiment of this application;

[0065] Figure 3 is a schematic structural diagram of a base station according to an embodiment of this application;

[0066] Figure 4 is a schematic structural diagram of a terminal device according to an embodiment of this application;

[0067] Figure 5 is a schematic structural diagram of another base station according to an embodiment of this application; and

[0068] Figure 6 is a schematic structural diagram of another terminal device according to an
embodiment of this application.

DESCRIPTION OF THE EMBODIMENTS

[0069] Figure 1 shows an example of a schematic diagram of a system architecture to which the embodiments of this application are applicable. As shown in Figure 1, a 5G system architecture includes a terminal device 101. Terminal device 101 can communicate with one or more core networks using a radio access network (Radio Access Network, RAN). The terminal device can refer to user equipment (User Equipment, UE), an access terminal device, a subscriber unit, a subscriber station, a mobile station, a mobile console, a remote station, a remote terminal device, a mobile device, a user terminal device, a terminal device, a wireless communications device, a user agent or a user device. The access terminal device can be a cell phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (Wireless Local Loop, WLL) station, a personal digital assistant (Personal Digital Assistant, PDA), a portable device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle device, a wearable device, a terminal device in a future 5G network, or similar.

[0070] A base station 102 is connected to terminal device 101. Optionally, base station 102 can be a 5G NodeB (5th generation NodeB, gNB), can be an evolved eNB, or can be a new base station such as an LTE NodeB (eNB), a 3G NodeB (NB) or an evolved 5G NodeB, and can be written as (R)AN in English. Base station 102 can be a device configured to communicate with the terminal device. For example, base station 102 can be a base transceiver station (Base Transceiver Station, BTS) in a GSM or CDMA system, can be a NodeB (NodeB, NB) in a WCDMA system, can be an evolved NodeB (Evolved NodeB, eNB or eNodeB) in an LTE system, or can be a 5G base station.
Alternatively, the network device can be a relay node, an access point, a vehicle device, a wearable device, a network side device in a future 5G network, a network device in a future evolved PLMN network, or similar.

[0071] A session management function entity (Session Management Function, SMF) 103 can be a function split from the mobility management entity (Mobility Management Entity, MME) in LTE, and may be primarily responsible for establishing a user session; data can be received and transmitted only after the user session is established. The MME in the LTE system is a network element responsible for security, mobility management and session management on the core network side. Security means that the terminal device 101 needs to perform mutual authentication with a network when the terminal device 101 accesses the network initially. After mutual authentication, the terminal device 101 and the core network generate a key. After the key is generated, the terminal device 101 and the MME perform algorithm negotiation, namely, security capability negotiation. Mobility management is to record location information of the terminal device 101 and select an appropriate user plane network element device for the terminal device 101 based on the location information of the terminal device 101. Session management is responsible for establishing a user plane link of the terminal device 101. The terminal device 101 can access the network only after a user's data plane link is established.

[0072] A user plane function entity (UPF) 104 can be a combination of a serving gateway (Serving Gateway, S-GW) and a public data network gateway (Public Data Network Gateway, P-GW) in the LTE system, is a functional network element of the user plane of the terminal device 101, and is primarily responsible for connecting to an external network.

[0073] A dedicated network (Dedicated Network, DN) 105 can be a network that provides a service for the terminal device 101.
For example, some DNs can provide a network access function for the terminal device 101, and some DNs can provide an SMS message function for the terminal device 101. A policy control function (PCF) 106 is additionally included.

[0074] An authentication server function entity (Authentication Server Function, AUSF) 107 interacts with an authentication credential repository and processing function (Authentication Credential Repository and Processing Function, ARPF) and terminates an authentication request from a SEAF. The authentication server function entity 107 is also a function split from the home subscriber server (Home Subscriber Server, HSS) in the LTE system. AUSF 107 can be an independent network element. The HSS in the LTE system can store subscription information of a user and a long-term key of the user.

[0075] The ARPF can be integrated into a user data management entity (User Data Management, UDM) 108 as part of the UDM. The ARPF is split from the HSS in LTE and is used primarily to store the long-term key. Processing related to the long-term key is also completed here.

[0076] A function of an access and mobility management function (AMF) 109 is to manage access of the terminal device 101, and to additionally manage the mobility of the terminal device 101. The function can be the mobility management (Mobility Management, MM) module function of the MME in LTE, and additionally includes an access management function. A slice selection function (Slice Select Function, SSF) 110 is additionally included.

[0077] A security anchor function entity (SEAF) 111 is responsible for the authentication functions of the terminal device 101 and a network side, and stores an anchor key after the authentication is successful.

[0078] A security context management function entity (Security Context Management Function, SCMF) 112 obtains a key from SEAF 111 and further derives another key, and is a function split from the MME.
In a real situation, SEAF 111 and SCMF 112 can additionally be combined into a separate authentication function entity (Authentication Function, AUF). As shown in Figure 1, SEAF 111 and SCMF 112 are combined into AMF 109 to form one network element.

[0079] Figure 1 additionally shows possible implementations of the interfaces of each network element, for example, an NG2 interface between the base station 102 and the AMF entity 109 and an NG9 interface between the base station 102 and the UPF entity 104. The details are not described here.

[0080] Figure 2 shows an example of a schematic flowchart of a communication method according to an embodiment of this application.

[0081] Based on the previous content, this embodiment of this application provides a communication method. As shown in Figure 2, the method includes the following steps.

[0082] Step 201: A base station obtains a signaling plane security algorithm supported by a terminal device. Optionally, there are a plurality of ways to obtain the signaling plane security algorithm supported by the terminal device. The signaling plane security algorithm supported by the terminal device includes at least one signaling plane encryption algorithm and at least one signaling plane integrity protection algorithm. For example, the signaling plane security algorithm is received from an AMF. For another example, the signaling plane security algorithm is obtained directly from the terminal device using a signaling message, or is preconfigured at the base station.

[0083] In this embodiment of this application, a solution is provided to implement step 201. Specifically, the terminal device sends a non-access stratum (NAS) message to the base station. The NAS message is a signaling plane message exchanged between the terminal device and a core network, for example, an LTE attach request (attach request) or a 5G registration request.
In this embodiment, a 5G registration request message is used as an example for description, and the same processing can be performed for another NAS message in a similar step. The terminal device sends a registration request (Registration Request) to the base station. The registration request carries the signaling plane security algorithm supported by the terminal device.

[0084] Optionally, in the previous example, the registration request can also carry a user plane security algorithm supported by the terminal device. The user plane security algorithm supported by the terminal device can include a user plane integrity protection algorithm supported by the terminal device and a user plane encryption algorithm supported by the terminal device. Any two of the signaling plane encryption algorithm supported by the terminal device, the signaling plane integrity protection algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device can be the same or different. In an optional solution, the terminal device can separately report the signaling plane integrity protection algorithm supported by the terminal device, the signaling plane encryption algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device and the user plane encryption algorithm supported by the terminal device. Alternatively, if at least two of the four algorithms are the same, the terminal device can report one of the two equal algorithms.
For example, if the signaling plane integrity protection algorithm supported by the terminal device is the same as the user plane integrity protection algorithm supported by the terminal device, the terminal device reports only one algorithm, which stands for both the signaling plane integrity protection algorithm supported by the terminal device and the user plane integrity protection algorithm supported by the terminal device. If the signaling plane encryption algorithm supported by the terminal device is the same as the user plane encryption algorithm supported by the terminal device, the terminal device reports only one algorithm, which stands for both the signaling plane encryption algorithm supported by the terminal device and the user plane encryption algorithm supported by the terminal device.

[0085] In another optional implementation, if the signaling plane encryption algorithm supported by the terminal device, the signaling plane integrity protection algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device are all the same, the terminal device can report only one algorithm to indicate the four algorithms. For example, the algorithms reported by the terminal device are EEA 1, EEA 2, EIA 1 and EIA 2. Then EEA 1 and EEA 2 can be selected as the signaling plane encryption algorithm and the user plane encryption algorithm. Likewise, EIA 1 and EIA 2 can be selected as the signaling plane integrity protection algorithm and the user plane integrity protection algorithm.

[0086] For another example, the algorithms reported by the terminal device are EEA 11, EEA 12, EIA 11, EIA 12, EEA 21, EEA 23, EIA 21 and EIA 22. Then, EEA 11 and EEA 12 can be selected as the signaling plane encryption algorithm. EEA 21 and EEA 23 can be selected as the user plane encryption algorithm.
EIA 11 and EIA 12 can be selected as the signaling plane integrity protection algorithm. EIA 21 and EIA 22 can be selected as the user plane integrity protection algorithm. For another example, the algorithms reported by the terminal device are EEA 11, EEA 12, EIA 1, EIA 2, EEA 21, EEA 23, EIA 21 and EIA 22. Then, EEA 11 and EEA 12 can be selected as the signaling plane encryption algorithm. EEA 21 and EEA 23 can be selected as the user plane encryption algorithm. EIA 1 and EIA 2 can be selected as the signaling plane integrity protection algorithm and the user plane integrity protection algorithm. For another example, the algorithms reported by the terminal device are EEA 1, EEA 2, EIA 11, EIA 12, EIA 21 and EIA 22. Then EEA 1 and EEA 2 can be selected as the signaling plane encryption algorithm and the user plane encryption algorithm. EIA 11 and EIA 12 can be selected as the signaling plane integrity protection algorithm. EIA 21 and EIA 22 can be selected as the user plane integrity protection algorithm.

[0087] In another aspect, in an optional implementation solution, the terminal device can report, using a plurality of pieces of signaling, the signaling plane security algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device, where one piece of signaling includes one algorithm. In another optional solution, the signaling plane security algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device are reported using one or more pieces of signaling, where one piece of signaling includes one or more algorithms. When one piece of signaling includes a plurality of algorithms, some fields can be predefined in the signaling, and the fields are used to carry the corresponding algorithms.
For example, a first field, a second field and a third field are defined successively. The first field is predefined to hold the signaling plane security algorithm supported by the terminal device. The second field is predefined to hold the user plane integrity protection algorithm supported by the terminal device. The third field is predefined to hold the user plane encryption algorithm supported by the terminal device. Alternatively, when the three algorithms are the same, only one algorithm is reported in one piece of signaling, and another network element considers by default that the algorithm is the signaling plane security algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device and the user plane encryption algorithm supported by the terminal device. For example, the security capabilities reported by the terminal device are EEA 1, EEA 2, EIA 1 and EIA 2. Then EEA 1 and EEA 2 can be selected as the signaling plane encryption algorithm and the user plane encryption algorithm. Likewise, EIA 1 and EIA 2 can be selected as the signaling plane integrity protection algorithm and the user plane integrity protection algorithm. For another example, the security capabilities reported by the UE are EEA 11, EEA 12, EIA 11, EIA 12, EEA 21, EEA 23, EIA 21 and EIA 22. Then, EEA 11 and EEA 12 can be selected as the signaling plane encryption algorithm. EEA 21 and EEA 23 can be selected as the user plane encryption algorithm. EIA 11 and EIA 12 can be selected as the signaling plane integrity protection algorithm. EIA 21 and EIA 22 can be selected as the user plane integrity protection algorithm. For another example, the security capabilities reported by the UE are EEA 11, EEA 12, EIA 1, EIA 2, EEA 21, EEA 23, EIA 21 and EIA 22. Then, EEA 11 and EEA 12 can be selected as the signaling plane encryption algorithm. EEA 21 and EEA 23 can be selected as the user plane encryption algorithm.
EIA 1 and EIA 2 can be selected as the signaling plane integrity protection algorithm and the user plane integrity protection algorithm.

[0088] Optionally, the base station forwards the registration request to the AMF. Optionally, the AMF sends a first registration acceptance message (Registration Accept) to the base station after the AMF performs mutual authentication with the base station and performs another registration procedure with another core network element, such as a SEAF, an AUSF, an SMF, a PCF or a UDM. The base station forwards the received first registration acceptance message to the terminal device. Forwarding means that the message itself is not changed. However, because the interfaces that carry the message have different functions, an additional parameter is added to the message to implement the message transmission function. For example, the first registration acceptance message is sent to the base station via an N2 interface. In addition to the first registration acceptance message, the N2 interface carries information that the base station needs to know. The base station forwards the first registration acceptance message to the UE using an RRC message. In addition to the first registration acceptance message, the RRC message can include at least other information that the UE needs to know or information that can be used to find the UE. Alternatively, the first registration acceptance message is converted to a certain extent, for example, format conversion is performed based on the different interfaces, and the converted first registration acceptance message is forwarded to the terminal device. In this step, if the interface between the AMF and the base station is NG2, the first registration acceptance message is carried in an NG2 message. The first registration acceptance message additionally carries a base key (Kan) generated by the AMF or the SEAF for the base station, and the signaling plane security algorithm supported and reported by the terminal device.
Optionally, a registration request message can be placed in a NAS container, and the base key (Kan) and the security capability of the terminal device can be placed in the NAS container or outside the NAS container.

[0089] Step 202: The base station determines a target signaling plane security algorithm based on the signaling plane security algorithm supported by the terminal device and on a signaling plane security algorithm allowed by the base station.

[0090] In step 202, the signaling plane security algorithm allowed by the base station can optionally be preconfigured on the base station. Optionally, the algorithms included in the signaling plane security algorithm allowed by the base station are ranked by priority, for example, based on operator preference or based on the actual local environment configuration. Optionally, the signaling plane security algorithm allowed by the base station can be configured for the base station using a network management device, can be configured while a software environment is installed during the establishment of the base station, or can be configured in another way.

[0091] In step 202, a possible implementation is as follows: The base station selects, based on the signaling plane security algorithm supported by the terminal device and the priority-ranked signaling plane security algorithm allowed by the base station, a signaling plane security algorithm that is supported by the terminal device and that has the highest priority, as the target signaling plane security algorithm. The target signaling plane security algorithm may include an encryption algorithm and/or an integrity protection algorithm.
[0092] A possible specific implementation is as follows: The base station selects the set of all algorithms that exist in the signaling plane security algorithm supported by the terminal device and that also exist in the signaling plane security algorithm allowed by the base station, and selects, from this set of algorithms, an algorithm with a relatively high priority in the signaling plane security algorithm allowed by the base station as the target signaling plane security algorithm.

[0093] It should be noted here that the signaling plane security algorithm allowed by the base station and a user plane security algorithm allowed by the base station can be configured or preconfigured for the base station based at least on operator preference. The signaling plane security algorithm allowed by the base station includes at least one signaling plane encryption algorithm allowed by the base station and/or at least one signaling plane integrity protection algorithm allowed by the base station. The user plane security algorithm allowed by the base station includes at least one user plane encryption algorithm allowed by the base station and/or at least one user plane integrity protection algorithm allowed by the base station. In addition, the at least one signaling plane encryption algorithm allowed by the base station and/or the at least one signaling plane integrity protection algorithm allowed by the base station in the signaling plane security algorithm allowed by the base station is/are ranked by priority, and the priority ranking can be determined by an operator. The user plane security algorithm allowed by the base station may or may not be ranked by priority.
When the user plane security algorithm allowed by the base station is the same as the signaling plane security algorithm allowed by the base station, and the priority of the user plane security algorithm allowed by the base station is the same as the priority of the signaling plane security algorithm allowed by the base station, the base station can store only one set of priority-ranked algorithms, that is, store either a priority-ranked user plane security algorithm allowed by the base station or a priority-ranked signaling plane security algorithm allowed by the base station.

[0094] Optionally, the base station generates only a signaling plane-related key based on the target signaling plane security algorithm, for example, a signaling plane integrity protection key and a signaling plane encryption key. The signaling plane-related key is, for example, a key related to Radio Resource Control (RRC) and, specifically, can be an RRC integrity protection key (Krrc-int) and an RRC encryption key (Krrc-enc). The base station can generate the key based on a base key (Kan). Kan is obtained by the base station from a core network element, such as the access and mobility management function (AMF) or the AUSF.

[0095] Step 203: The base station adds the target signaling plane security algorithm to an access stratum (AS) security mode command (Security Mode Command, SMC) and sends the AS SMC to the terminal device.

[0096] Optionally, in step 203, the base station can send the AS SMC to the terminal device in a plurality of implementations. The AS SMC includes indication information of the target signaling plane security algorithm, for example, an identifier of the target signaling plane security algorithm.

[0097] In addition, the base station can additionally add the signaling plane security algorithm supported by the terminal device to the AS SMC.
Optionally, integrity protection can be performed on the AS SMC using the signaling plane integrity protection key generated by the base station.

[0098] Optionally, after receiving the AS SMC, the terminal device determines the target signaling plane security algorithm based on the indication information of the target signaling plane security algorithm, generates the signaling plane-related key (the method by which the terminal device generates the signaling plane-related key is the same as the method by which the base station generates it), and verifies the integrity protection of the AS SMC based on the signaling plane integrity protection key. If the integrity protection of the AS SMC passes verification, it is determined that the signaling plane integrity protection key on the terminal device side is the same as the signaling plane integrity protection key used by the base station for the AS SMC. Optionally, after step 203, the method additionally includes step 204: The terminal device sends an AS security mode command complete (Security Mode Command Complete, SMP) message to the base station.

[0099] Optionally, the terminal device can perform encryption and/or integrity protection on the AS SMP using the generated signaling plane-related key. Optionally, after the base station verifies that the encryption and integrity protection of the AS SMP message are correct, the base station forwards the received first registration acceptance message to the terminal device, or converts the first registration acceptance message to some extent, for example, performs format conversion on the first registration acceptance message based on the different interfaces to obtain a second registration acceptance message (Registration Accept), and sends the second registration acceptance message to the terminal device. Then, optionally, the terminal device returns a registration complete (Registration Complete) message to the AMF.
[0100] Based on the example above, it can be learned that, in this embodiment of this application, only the negotiation of the target signaling plane security algorithm between the base station and the terminal device is implemented using the AS SMC procedure, and the signaling plane security algorithm and the user plane security algorithm are decoupled. The signaling plane security algorithm and the user plane security algorithm can be determined separately, thus improving communication flexibility.

[0101] In addition, in the previous example, an optional solution is the following: The terminal device reports, by sending a registration request, the signaling plane security algorithm supported by the terminal device. Optionally, the terminal device can also add the user plane integrity protection algorithm supported by the terminal device and the user plane encryption algorithm supported by the terminal device to the registration request for reporting. For a specific optional reporting solution, refer to the previous embodiment; the details are not described here again.

[0102] Optionally, the signaling plane security algorithm supported by the terminal device can also be classified into a signaling plane security algorithm supported by the terminal device at a NAS layer and a signaling plane security algorithm supported by the terminal device at an AS layer. The signaling plane security algorithm supported by the terminal device at the AS layer can also be referred to as a signaling plane security algorithm supported by the terminal device at an RRC layer. When reporting the signaling plane security algorithm supported by the terminal device, the user plane integrity protection algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device, the terminal device can add indication information for each security algorithm.
Alternatively, some fields can be predefined, and placing an algorithm in the corresponding field identifies whether each security algorithm belongs to the signaling plane or the user plane, or to the NAS stratum or the AS stratum. For example, one field is predefined to hold the signaling plane security algorithm and another field is predefined to hold the user plane security algorithm. For another example, one field is predefined to hold a security algorithm in the NAS layer and another field is predefined to hold a security algorithm in the AS layer. Alternatively, the terminal device reports all security algorithms supported by the terminal device to the AMF, and the AMF, instead of the terminal device, distinguishes whether the security algorithms belong to the signaling plane or the user plane. Alternatively, the AMF forwards the security algorithms to the base station, and the base station makes the distinction.

[0103] Correspondingly, when the AMF sends the first registration acceptance message to the base station, all security algorithms reported by the terminal device can be sent to the base station, such as the signaling plane security algorithm, the user plane integrity protection algorithm supported by the terminal device and the user plane encryption algorithm supported by the terminal device. Alternatively, only the signaling plane security algorithm that is supported by the terminal device and that the base station requires to negotiate the target signaling plane security algorithm is sent to the base station. Alternatively, only the signaling plane security algorithm supported by the terminal device at the RRC layer is transmitted.

[0104] To be compatible with the prior art, the base station can optionally add, to the AS SMC message, indication information to negotiate only the target signaling plane security algorithm.
After the terminal device parses the AS SMC message and finds that the indication information to negotiate only the target signaling plane security algorithm exists, the terminal device generates the signaling plane related key based only on the target signaling plane security algorithm. In this way, only one set of target signaling plane security algorithms is negotiated between the terminal device and the base station. If the terminal device finds, after parsing the AS SMC message, that the indication information to negotiate only the target signaling plane security algorithm does not exist, the terminal device uses the determined target signaling plane security algorithm as a target security algorithm, and the target security algorithm is used to generate the signaling plane related key and a user plane related key. The user plane related key includes a user plane encryption key and a user plane integrity protection key. The signaling plane related key includes a signaling plane encryption key and a signaling plane integrity protection key. In this way, a set of target signaling plane security algorithms and a set of target user plane security algorithms are negotiated between the terminal device and the base station.

[0105] Optionally, to be compatible with the prior art, the base station can add, to the AS SMC message, indication information used to indicate the negotiation of the target signaling plane security algorithm and/or indication information used to indicate the negotiation of the user plane related key. For example, a bit is added, and the bit can be newly added or obtained by reusing a current bit. For example, if the bit is 0, it indicates that only the target signaling plane security algorithm should be negotiated; if the bit is 1, it indicates that the target signaling plane security algorithm and the user plane related key must be negotiated.
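The AS SMC handling described in paragraphs [0098], [0104] and [0105], as an added Python example that is not part of the patent text: the base station tags the message with the signaling plane integrity key, and the terminal device verifies the tag before deciding from the indication bit which keys to derive. The key derivation and the tag are HMAC-SHA-256 stand-ins rather than the 3GPP algorithms, and the message layout, function names and anchor key are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed shared anchor key; in a real system both sides derive it during authentication.
K_AN = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

SIGNALING_ONLY = 0      # bit = 0: negotiate only the target signaling plane algorithm
SIGNALING_AND_USER = 1  # bit = 1: also generate the user plane related key


def derive_key(root: bytes, purpose: str, alg_id: int) -> bytes:
    """Stand-in KDF (HMAC-SHA-256 over a label), not the 3GPP derivation."""
    return hmac.new(root, f"{purpose}|{alg_id}".encode(), hashlib.sha256).digest()[:16]


def tag(key: bytes, payload: bytes) -> bytes:
    """Stand-in integrity tag (truncated HMAC-SHA-256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]


@dataclass
class AsSmc:
    enc_alg: int               # target signaling plane encryption algorithm id
    int_alg: int               # target signaling plane integrity algorithm id
    scope_bit: Optional[int]   # None models a legacy message with no indication
    mac: bytes = b""

    def payload(self) -> bytes:
        # The indication is part of the protected payload (hypothetical encoding).
        scope = 0xFF if self.scope_bit is None else self.scope_bit
        return bytes([self.enc_alg, self.int_alg, scope])


def base_station_build_smc(enc_alg: int, int_alg: int, scope_bit: Optional[int]) -> AsSmc:
    """Base station side: integrity-protect the AS SMC with its signaling plane key."""
    msg = AsSmc(enc_alg, int_alg, scope_bit)
    msg.mac = tag(derive_key(K_AN, "sig-int", int_alg), msg.payload())
    return msg


def terminal_handle_smc(msg: AsSmc) -> Dict[str, bytes]:
    """Terminal side: derive signaling keys, verify the tag, then honour the indication."""
    keys = {
        "sig-enc": derive_key(K_AN, "sig-enc", msg.enc_alg),
        "sig-int": derive_key(K_AN, "sig-int", msg.int_alg),
    }
    if not hmac.compare_digest(tag(keys["sig-int"], msg.payload()), msg.mac):
        raise ValueError("AS SMC integrity check failed")
    # No indication (legacy) or bit = 1: the same target algorithm also yields
    # the user plane related key. Bit = 0: signaling plane keys only.
    if msg.scope_bit is None or msg.scope_bit == SIGNALING_AND_USER:
        keys["up-enc"] = derive_key(K_AN, "up-enc", msg.enc_alg)
        keys["up-int"] = derive_key(K_AN, "up-int", msg.int_alg)
    return keys


if __name__ == "__main__":
    for bit in (SIGNALING_ONLY, SIGNALING_AND_USER, None):
        smc = base_station_build_smc(enc_alg=2, int_alg=2, scope_bit=bit)
        print(bit, sorted(terminal_handle_smc(smc)))
```

Because the indication bit sits inside the protected payload, a bit changed in transit fails the integrity check instead of silently switching the terminal device between the two behaviours.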
[0106] In this embodiment of this application, the target signaling plane security algorithm includes the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm. Optionally, two different algorithms, a target signaling plane integrity protection algorithm and a target signaling plane encryption algorithm, can be negotiated using the AS SMC procedure, or one target signaling plane security algorithm is negotiated and used as both the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm.

[0107] In another optional implementation solution, at least one of the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm can be negotiated using the AS SMC procedure, and the other target signaling plane security algorithm can be negotiated using another procedure.

[0108] Optionally, the target signaling plane security algorithm negotiated by the base station and the terminal device can be indicated using an algorithm identifier. In an optional implementation solution, regardless of whether the target signaling plane integrity protection algorithm is the same as or different from the target signaling plane encryption algorithm, the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm are indicated using identifiers of two algorithms.
In another optional implementation solution, if the target signaling plane integrity protection algorithm is the same as the target signaling plane encryption algorithm, an identifier of one algorithm can be used to indicate both the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm; and if the target signaling plane integrity protection algorithm is different from the target signaling plane encryption algorithm, identifiers of two algorithms are used to indicate the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm.

[0109] In another optional solution, this embodiment of this application includes the target signaling plane security algorithm and the target user plane security algorithm. In an optional implementation solution, regardless of whether the target signaling plane security algorithm is the same as or different from the target user plane security algorithm, the target signaling plane security algorithm and the target user plane security algorithm are indicated using identifiers of two sets of algorithms. In another optional implementation solution, if the target signaling plane security algorithm is the same as the target user plane security algorithm, identifiers of one set of algorithms can be used to indicate both the target signaling plane security algorithm and the target user plane security algorithm; and if the target signaling plane security algorithm is different from the target user plane security algorithm, identifiers of two sets of algorithms are used to indicate the target signaling plane security algorithm and the target user plane security algorithm. The identifiers of the set of algorithms corresponding to the target signaling plane security algorithm include an identifier of at least one target signaling plane integrity protection algorithm and an identifier of at least one target signaling plane encryption algorithm.
According to the previous example, in the identifiers of the set of algorithms corresponding to the target signaling plane security algorithm, an identifier of one algorithm or identifiers of two algorithms can be used to represent the target signaling plane integrity protection algorithm and the target signaling plane encryption algorithm. Correspondingly, the identifiers of the set of algorithms corresponding to the target user plane security algorithm include an identifier of at least one target user plane integrity protection algorithm and an identifier of at least one target user plane encryption algorithm. According to the previous example, in the identifiers of the set of algorithms corresponding to the target user plane security algorithm, an identifier of one algorithm or identifiers of two algorithms can be used to represent the target signaling plane integrity protection algorithm and the target user plane encryption algorithm.

[0110] Figure 2a shows an example of a schematic flowchart of another communication method according to an embodiment of this application.

[0111] Based on the previous description, this embodiment of this application provides another communication method. As shown in Figure 2a, the method includes the following steps.

[0112] Optionally, step 211: An SMF entity receives a request message, where the request message can include an identifier of a terminal device. Optionally, the request message received by the SMF entity can be of a variety of types, such as a registration request (Registration Request), a service request (Service Request) or a session establishment request (Session Establishment Request). The session establishment request can also be called the PDU session establishment request.
[0113] Optionally, if the request message is a service request, the service request can first be sent by the terminal device to a base station, the base station forwards the service request to an AMF, and then the AMF forwards the service request directly. Forwarding means sending the message to the AMF without changing the content of the original message. When the message is sent to the AMF, another parameter can be added based on a factor such as an interface, or the message is converted based on the interface information and then sent to the SMF. If the interface between the base station and the AMF is an N2 interface and the interface between the AMF and the SMF is N11, the service request forwarded by the base station to the AMF is a request that corresponds to the N2 interface, and the service request forwarded by the AMF to the SMF is a request that corresponds to the N11 interface. The service request is a NAS stratum request. Optionally, the request message can alternatively be a registration request.

[0114] Optionally, if the request message is a session establishment request, the session establishment request can first be sent by the terminal device to the AMF, and then the AMF forwards the session establishment request directly. Forwarding means sending the message to the AMF without changing the content of the original message. When the message is sent to the AMF, another parameter can be added based on a factor such as an interface, or the message is converted based on the interface information and then sent to the SMF.

[0115] Optionally, before the terminal device sends the session establishment request, the terminal device can be in a state in which the session connection is disconnected.
Optionally, the terminal device and the base station can perform the registration procedure in the previous step again, that is, the terminal device can send a registration request to the base station, to register the terminal device and to renegotiate a target signaling plane security algorithm between the terminal device and the base station using an AS SMC and an AS SMP in the registration procedure.

[0116] In the previous step, the identifier of the terminal device can include any one or more of an IMSI, an IMEI or a temporary identity.

[0117] Step 212: The SMF entity obtains a security policy or a security policy identifier based on a parameter related to the security policy.

[0118] Step 213: The SMF entity sends the security policy or the security policy identifier to a base station, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether integrity protection is enabled for the terminal device.

[0119] Optionally, the SMF or another network element connected to the SMF stores a correspondence between the security policy and the security policy identifier. In this case, the security policy is completely preconfigured on the SMF, on the base station, on the UE or on another network element connected to the SMF. For example, the security policy is configured based on a specific service, such as a security policy for a VoIP voice service. For example, the security policy is configured based on a service provider, such as a water meter plant. There are a plurality of configuration bases, which are not listed one by one here. After the SMF determines the security policy for the terminal device using the identifier or another parameter of the terminal device, the security policy identifier that corresponds to the security policy can be obtained.
The SMF transmits the security policy identifier to the base station, and the base station can perform user plane security protection based on the security policy corresponding to the security policy identifier. For example, the correspondence between the security policy and the security policy identifier is preconfigured in the SMF, and the SMF determines the security policy identifier based on the content of the service request message, for example, the identifier of the terminal device. For another example, if the correspondence between the security policy and the security policy identifier is preconfigured in a PCF, the SMF needs to obtain the security policy identifier from the PCF. For another example, both the SMF and the PCF have a preconfigured security policy identifier, and the security policy identifier that is preconfigured in the PCF can override the security policy identifier that is configured in the SMF, that is, the SMF transmits the security policy identifier that is obtained from the PCF to the base station.

[0120] In an optional implementation, the SMF entity sends the security policy or the security policy identifier directly to the base station. For example, the SMF entity sends the security policy corresponding to the terminal device identifier to the base station based on the terminal device identifier and a predefined relationship between the terminal device and the security policy identifier. The predefined security policy can be predefined in the SMF, or predefined in the PCF or another network element. The predefined security policy and the security policy identifier can be predefined in the SMF, or can be predefined in the PCF or another network element.
In another optional implementation, after the SMF entity receives the request message and before the SMF entity sends the security policy or the security policy identifier to the base station based on the request message, the method additionally includes: the SMF entity obtains the security policy based on the request message. In another optional implementation, after the SMF entity receives the request message and before the SMF entity sends the security policy or the security policy identifier to the base station based on the request message, the method additionally includes: the SMF obtains the security policy identifier based on the security policy.

[0121] In another aspect, optionally, the security policy identified by the security policy identifier, or the security policy sent by the SMF entity to the base station, can be a previously generated security policy or a newly generated security policy.

[0122] In step 213, the SMF entity can send the security policy or the security policy identifier to the base station in a plurality of ways. For example, the SMF entity can generate the security policy based on the parameter related to the security policy. For example, the security policy can be generated based on the identifier of the terminal device or a session identifier, or some generation rules can be predefined, or all security policies can be preconfigured.

[0123] Optionally, the base station can send, based on some information carried in the request message, a security policy or a security policy identifier applicable to the terminal device or to the current request message from the terminal device. Optionally, the parameter related to the security policy includes at least one of the terminal device identifier, a data network name (data network name, DNN) of the terminal device, a slice identifier of the terminal device, quality of service of the terminal device, and a session identifier of the terminal device.
Optionally, the parameter related to the security policy includes at least one of the terminal device identifier, the DNN of the terminal device, the slice identifier of the terminal device, the quality of service of the terminal device, the session identifier of the terminal device, and a flow identifier of the terminal device.

[0124] An association relationship in this embodiment of this application may include a correspondence, or it may include some rules, or it may include a relationship between some correlations. For example, a correspondence between the related parameter and the security policy can be predefined, and then the security policy corresponding to the related parameter is looked up. For example, a security policy corresponding to the slice identifier is determined based on the slice identifier. For another example, a security policy corresponding to the session identifier is determined based on the session identifier. For another example, a security policy corresponding to the session identifier and the slice identifier is determined based on an association relationship between the session identifier, the slice identifier and the security policy.

[0125] In another optional implementation, the parameter related to the security policy includes the identifier of the terminal device, and the SMF entity obtains the security policy based on the identifier of the terminal device and an association relationship between the identifier of the terminal device and the security policy. For example, the correspondence between the terminal device and the security policy can be stored in the SMF or in another network element connected to the SMF. For example, there is a correspondence between the terminal device and the security policy. For example, in user subscription data, there is a correspondence between an IMSI and a security policy.
Therefore, different security policies can be defined for different terminal devices, based on some service performance requirements of the terminal devices and the like.

[0126] For another example, an association relationship between the identifier of the terminal device and the security policy can be predefined. For example, the identifier of the terminal device is associated with a plurality of security policies, and then one security policy can be selected from the plurality of security policies associated with the identifier of the terminal device, or the security policy can be further determined based on another parameter, in the related parameter, other than the identifier of the terminal device. For example, a security policy associated with the session identifier is selected, in combination with the session identifier, from the plurality of security policies associated with the terminal device identifier. For another example, a quality of service flow identifier is determined based on quality of service, and then a corresponding quality of service security policy is determined based on the quality of service flow identifier.

[0127] For example, an Internet of Things terminal device is responsible only for reading and sending data from a water meter, that is, sending the data from the water meter to a plant monthly on a fixed date. Therefore, the security policy of the terminal device is fixed, the identifier of the terminal device can be configured to correspond to one security policy and, optionally, the security policy can be obtained from user subscription data stored in a UDM.

[0128] To describe this embodiment of this application more clearly, several examples of sending the security policy or the security policy identifier based on the related parameter are described in detail below. For details, see the following implementation a1, implementation a2, implementation a3 and implementation a4.
[0129] Implementation a1

[0130] A slice identifier of a terminal device is information about a slice accessed by the terminal device in a 5G application scenario and is used to indicate the slice that the terminal device should access.

[0131] A parameter related to a security policy includes the slice identifier of the terminal device, and an SMF entity obtains the security policy based on the slice identifier of the terminal device and an association relationship between the slice identifier and the security policy. Specifically, a terminal device can correspond to an identifier of at least one slice. For example, the terminal device can access different slices, and the user device data from the terminal device can correspond to different security policies on the different slices.

[0132] The terminal device adds network slice selection assistance information (NSSAI) to an SR message or to a PDU session establishment request. The SMF obtains a security policy corresponding to the NSSAI. If the security policy for the slice corresponding to the NSSAI is unique, the security policy obtained by the terminal device when accessing the slice is unique. If the NSSAI information includes at least one slice, a slice needs to be selected based on the security policy of the slice currently accessed by the terminal device (the security policies for different slices may be different). If the security policy for the current slice is unique after the accessed slice is determined, the security policy obtained by the terminal device when accessing the slice is unique. If the security policy for the current slice is not unique, the terminal device needs to further determine the security policy based on other information. There are a plurality of implementations in which the terminal device additionally needs to determine the security policy based on other information.
For example, the terminal device makes the selection based on at least one identifier, in the related parameter, other than the slice identifier, for example, using the terminal device identifier or the session identifier.

[0133] Implementation a2

[0134] A session identifier of a terminal device is the identifier of the session corresponding to a current request message from the terminal device. For example, the terminal device performing an Internet service (such as browsing a web page, watching a video or chatting using WeChat) is one session. The terminal device accessing the intranet of the company in which the terminal device is located and using a company-specific service (for example, a company meeting) is another session. The terminal device accessing a network to make a VoIP call is another session. Here, the session identifier of the Internet access service can be set to 1, the session identifier of the company intranet is 2, and the session identifier of the VoIP call is 3.

[0135] A parameter related to a security policy includes the session identifier of the terminal device, and an SMF entity obtains the security policy based on the session identifier of the terminal device and an association relationship between the session identifier and the security policy. In this way, when the same terminal device starts different sessions, different security policies can be selected for the different sessions.

[0136] For example, there is a normal terminal device, and the terminal device allows only two services: making a call and sending an SMS message. The two services belong to two sessions respectively. Therefore, the quality of service and the security policies differ between the sessions. For the call service, user plane integrity protection does not need to be enabled and key combination is not required.
A 128-bit user plane encryption algorithm is used and the user plane encryption key length is 128 bits. For SMS messaging, user plane integrity protection must be enabled and key combination is required. A 128-bit user plane encryption algorithm, a 128-bit user plane encryption key, a 256-bit user plane integrity protection algorithm, and a 256-bit user plane integrity protection key are used.

[0137] For example, a service corresponding to the session identifier is an ultra-low latency service. To ensure low latency, the security policy needs to use a user plane integrity protection algorithm and a user plane encryption algorithm that have a relatively low level of security, such as a 128-bit user plane integrity protection algorithm and user plane encryption algorithm, and a 128-bit user plane integrity protection key and user plane encryption key; or no user plane integrity protection algorithm or user plane encryption algorithm is enabled. For another example, the service corresponding to the session identifier is a service with a high reliability requirement. Then, not only is a user plane encryption key required for encryption protection, but also a user plane integrity protection key for integrity protection. In addition, a user plane integrity protection algorithm and a user plane encryption algorithm that have a relatively high level of security, such as a 256-bit user plane integrity protection algorithm and user plane encryption algorithm, and a 256-bit user plane integrity protection key and user plane encryption key, must be selected. For another example, the service corresponding to the session identifier is a common service, such as a voice service. Therefore, only user plane encryption key protection may be required and user plane integrity protection is not required. In addition, a 256-bit user plane encryption algorithm may be required, but a 128-bit user plane encryption key is sufficient.
It can be learned that, in this embodiment of this application, different security policies can be selected for different services, to satisfy a dynamic user plane security requirement.

[0138] Implementation a3

[0139] After accessing a slice, a terminal device can initiate a plurality of sessions. Therefore, a slice identifier can correspond to a plurality of session identifiers. The correspondence described here is a logical correspondence. In an actual application, this does not necessarily mean that a correspondence between the session identifier and the slice identifier can be specified.

[0140] An SMF entity obtains a security policy corresponding to the slice identifier and the session identifier based on an association relationship between a terminal device identifier, the slice identifier, the session identifier and the security policy. In this way, a finer granularity is obtained, and a security policy is selected separately for different sessions started on the same slice accessed by the same terminal device.

[0141] Implementation a4

[0142] Optionally, an SMF entity obtains a security policy of a terminal device based on an association relationship between a flow identifier and the security policy. In this way, a finer granularity is obtained, and a security policy is selected separately based on the specific content of the same session initiated on the same network accessed by the same terminal device.

[0143] For example, the terminal device supports an Internet access service. An Internet access data flow can be browsing a web page or watching a video. For this terminal device, the Internet access service belongs to session 1. Then, browsing a web page is flow 1 and watching a video is flow 2. The SMF configures the quality of service for flow 1 when it discovers that there is no quality of service that supports flow 1. The same applies to flow 2.
If the SMF finds that the quality of service for flow 1 and flow 2 is available, the SMF sends the quality of service directly to a base station.

[0144] Implementation a4

[0145] A parameter related to a security policy includes the quality of service of a terminal device, and an SMF entity obtains the security policy based on the quality of service of the terminal device. Optionally, some quality of service corresponding to a terminal device identifier can be obtained based on the terminal device identifier included in a request message. For example, the quality of service is that the terminal device requires low latency, high security and the like. Then, a set of security policies is defined for the terminal device based on the quality of service. In this embodiment of this application, the security policy can be preconfigured in the SMF or in a PCF, or the quality of service corresponding to a DNN can be obtained from a UPF and/or a UDM, and then a security policy is obtained based on the quality of service. The standard quality of service is entered in the UDM at the time of subscription. The UPF can learn the dynamic quality of service from an external network processing a call or an SMS message, or it can learn the dynamic quality of service from the PCF, or the dynamic quality of service can be preconfigured.

[0146] Optionally, the parameter related to the security policy includes a DNN of the terminal device, and a set of security policies is correspondingly defined based on the DNN. For example, the DNN is Youku. There are many video services on the Youku network and, therefore, a security policy defined for the terminal device may have a lower latency. For another example, the DNN is a website related to finance and, therefore, a security policy defined for the terminal device needs to be more secure.
[0147] In addition, the quality of service corresponding to the DNN can be obtained based on the DNN from a core network element, such as the PCF/UPF or the UDM. The quality of service carries a security policy, or a security policy is subsequently defined based on the quality of service. Quality of service obtained from the PCF is dynamic quality of service information, and quality of service obtained from the UDM is the standard quality of service information at the time of user subscription.

[0148] Optionally, the SMF can obtain information from the UDM by sending a subscription data request (Subscription Data Request) to the UDM and receiving a subscription data response (Subscription Data Response) from the UDM. The SMF can obtain information from the PCF using PDU-CAN session modification information. The SMF can obtain information from the UPF by sending a Session Establishment/Modification Request to the UPF and receiving a Session Establishment/Modification Response from the UDM.

[0149] In implementation a4, quality of service can be identified using the identifier (Identification, ID) of a quality of service flow (Quality of Service flow, QoS flow), which can be called a QoS flow ID, QFI for short. In this embodiment of this application, a quality of service profile (QoS profile) is identified using the QFI.

[0150] Quality of service may include a plurality of parameters, such as a 5G QoS indicator (5G QoS Indicator, 5QI). The 5QI is used to identify performance characteristics (Performance Characteristics), which can include any one or more of a resource type (guaranteed flow bit rate (Guaranteed flow bit rate, GBR) or Non-GBR), a degree of packet latency, and a bit error rate, and can additionally include another parameter. The 5QI is a basic parameter used by a network element to allocate a resource to the quality of service.
[0151] Quality of service can additionally include an allocation and retention priority (ARP). The priority can be identified by a value from 1 to 15, indicating the priority of a resource request for the quality of service and whether the establishment of a data radio bearer may be rejected due to a resource constraint.

[0152] Quality of service can additionally include two parameters, used to define whether a resource (for example, a data radio bearer) corresponding to another quality of service can be preempted, or whether a data radio bearer established for the quality of service can be preempted by another quality of service.

[0153] Optionally, for data content with a GBR, the quality of service can additionally include a GBR (guaranteed flow bit rate) bit rate, which can be used for uplink and downlink. The data content with the GBR can be a session or a flow, and the GBR data has a corresponding service level. Different service levels can also correspond to different quality of service. Non-GBR data corresponds to a standard service level. For example, for an operator, making calls needs to be guaranteed. Therefore, making calls has a GBR guarantee. For an ordinary SMS messaging service, that is, non-GBR, a small latency is not a problem. In addition, for example, if an operator service is purchased for a Tencent game, a non-GBR service flow of the Tencent game becomes GBR.

[0154] Optionally, the quality of service additionally includes a maximum flow bit rate (Maximum Flow Bit Rate, MFBR), and the sum of all flows (flow) of a session cannot exceed this rate. When the rate is exceeded, the ARP is consulted to determine whether to reject the establishment or to preempt another resource.

[0155] Optionally, the quality of service additionally includes notification control. This setting is enabled or disabled.
If a data radio bearer cannot be configured for the quality of service, whether the terminal device should be notified is determined based on whether notification control is on or off. [0156] [0156] Optionally, the security policy additionally includes at least one of the following: encryption indication information, where the encryption indication information is used to instruct the base station to enable encryption protection for the terminal device; a key length; D-H indication information, where the D-H indication information is used to instruct the base station to enable D-H for the terminal device; and a user plane integrity protection algorithm allowed by a service network. That is, the security policy may additionally include one or more of: whether to enable user plane encryption, whether to enable user plane integrity protection, whether to use a 128-bit or 256-bit encryption / decryption algorithm, whether to use a key length of 128 or 256 bits, and whether to enable key combination. Some specific examples are provided. For example, bits are used to indicate the content included in the security policy. For example, a bit string 0000000 indicates not to enable user plane encryption protection and not to enable user plane integrity protection. Because neither is enabled, all bits are 0. For another example, a bit string 1010100 indicates to enable user plane encryption protection but not to enable user plane integrity protection, to use a 128-bit encryption algorithm, and not to enable key combination. It should be noted that these are only examples, and all examples that comply with this rule are covered by this patent. In this embodiment of this application, key combination refers to D-H, and D-H is a key combination algorithm.
[0157] [0157] Optionally, when the SMF entity determines that the encryption indication information needs to be enabled in the security policy of the terminal device, the security policy may additionally include a user plane encryption algorithm allowed by the service network. Alternatively, the appearance of the allowed user plane encryption algorithm in the security policy means that user plane encryption needs to be enabled. Optionally, the service network is a network that provides a service to the terminal device. [0158] [0158] Optionally, the security policy can include a key length of the user plane integrity protection algorithm or a key length of the user plane encryption algorithm. Alternatively, the allowed user plane encryption algorithm appears in the security policy and the algorithm is a 256-bit algorithm, indicating that a key length of 256 bits is used. [0159] [0159] Optionally, before the base station obtains the security policy, the method additionally includes: the base station sends first priority indication information to an access and mobility management entity AMF. The first priority indication information is used to indicate that the user plane integrity protection algorithm allowed by the base station is not classified based on a priority. [0160] [0160] Optionally, the AMF forwards the first priority indication information to the SMF. Therefore, after obtaining the first priority indication information, the SMF learns that the user plane integrity protection algorithm allowed by the base station is not classified based on a priority. Therefore, the SMF performs priority classification on the user plane integrity protection algorithm allowed by the service network or on the user plane integrity protection algorithm supported by the terminal device. The user plane integrity protection algorithm supported by the terminal device is obtained from the AMF.
[0161] [0161] In another optional implementation, if the SMF does not obtain the first priority indication information, or the SMF learns, in another way, that the user plane integrity protection algorithm allowed by the base station is classified based on a priority, the SMF optionally does not perform priority classification on the user plane integrity protection algorithm allowed by the service network. Optionally, priority classification can be performed on the user plane integrity protection algorithm allowed by the service network based on many factors, for example, a current operator preference and a local service network environment. [0162] [0162] Optionally, before the base station obtains the security policy, the method additionally includes: the base station sends second priority indication information to the access and mobility management entity AMF. The second priority indication information is used to indicate whether the user plane encryption algorithm allowed by the base station is not classified based on a priority. [0163] [0163] Optionally, the AMF forwards the second priority indication information to the SMF. Therefore, after obtaining the second priority indication information, the SMF learns that the user plane encryption algorithm allowed by the base station is not classified based on a priority. Therefore, the SMF performs priority classification on the user plane encryption algorithm allowed by the service network or on the user plane encryption algorithm supported by the terminal device. The user plane encryption algorithm supported by the terminal device is obtained from the AMF.
[0164] [0164] In another optional implementation, if the SMF does not obtain the second priority indication information, or the SMF learns, in another way, that the user plane encryption algorithm allowed by the base station is classified based on a priority, the SMF optionally does not perform priority classification on the user plane encryption algorithm allowed by the service network. Optionally, priority classification can be performed on the user plane encryption algorithm allowed by the service network based on many factors, for example, a current operator preference and a local service network environment. [0165] [0165] In the previous example, the priority of the user plane encryption algorithm and the priority of the user plane integrity protection algorithm are described separately. In another optional implementation, one piece of indication information is used to indicate the priorities of both the user plane encryption algorithm and the user plane integrity protection algorithm. [0166] [0166] Optionally, before the base station obtains the security policy, the method additionally includes: the base station sends third priority indication information to the access and mobility management entity AMF. The third priority indication information is used to indicate that the user plane encryption algorithm and the user plane integrity protection algorithm that are allowed by the base station are not classified based on a priority. The user plane encryption algorithm and the user plane integrity protection algorithm can be the same or different. [0167] [0167] Optionally, the AMF forwards the third priority indication information to the SMF. Therefore, after obtaining the third priority indication information, the SMF learns that the user plane encryption algorithm and the user plane integrity protection algorithm that are allowed by the base station are not classified based on a priority.
As a result, the SMF performs priority classification on the user plane encryption algorithm and the user plane integrity protection algorithm that are allowed by the network, or performs priority classification on the user plane encryption algorithm and the user plane integrity protection algorithm that are supported by the terminal device. The user plane encryption algorithm and the user plane integrity protection algorithm that are supported by the terminal device are obtained from the AMF. [0168] [0168] In another optional implementation, if the SMF does not obtain the third priority indication information, or the SMF learns, in another way, that the user plane encryption algorithm and the user plane integrity protection algorithm that are allowed by the base station are classified based on a priority, the SMF optionally does not perform priority classification on the user plane encryption algorithm allowed by the service network. Optionally, priority classification can be performed, based on several factors, on the user plane encryption algorithm and the user plane integrity protection algorithm that are allowed by the service network, for example, based on factors such as a current operator preference and a local network environment. [0169] [0169] Figure 2b shows an example of a schematic flowchart of another communication method according to an embodiment of this application. [0170] [0170] Based on the previous content, this embodiment of this application provides a communication method. As shown in Figure 2b, the method includes the following steps. [0171] [0171] Step 221: A base station obtains a security policy, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device.
[0172] [0172] Similar to the above content, the security policy can optionally include an allowed user plane encryption algorithm, a user plane integrity protection algorithm allowed by a service network, and indication information indicating whether key combination must be enabled. Optionally, the user plane encryption algorithm allowed by the service network can include enabling user plane encryption protection and key length information. For example, when the user plane encryption algorithm is a 256-bit algorithm, a 256-bit key is used. Optionally, if a null encryption algorithm occurs in the user plane encryption algorithm allowed by the service network, the base station may not enable user plane encryption protection. Optionally, if the user plane integrity protection algorithm allowed by the service network appears in the security policy, the base station enables user plane integrity protection. Optionally, a key length is determined based on the bit information of the integrity algorithm, that is, a 256-bit integrity algorithm uses a 256-bit key. Optionally, the allowed user plane integrity protection algorithm does not include a null algorithm. If no integrity protection algorithm appears in the security policy, integrity protection is not enabled. Optionally, the base station can also be notified of key length information using other information, for example, using bit information. [0173] [0173] Step 222: When the integrity protection indication information instructs the base station to enable integrity protection for the terminal device, the base station determines a target user plane integrity protection algorithm. [0174] [0174] Step 223: The base station sends the target user plane integrity protection algorithm to the terminal device. For how the base station sends the target user plane integrity protection algorithm to the terminal device, see the previous content; the details are not described here again.
[0175] [0175] Optionally, the previous AS SMC and AS SMP procedures can additionally be included between steps 221 and 223 and are used to renegotiate a target signaling plane security algorithm between the base station and the terminal device. Specifically, step 201 through step 204 can be added between steps 221 and 223. [0176] [0176] Optionally, that the base station obtains the security policy includes: the base station receives the security policy from an SMF entity. Alternatively, optionally, the base station pre-stores the security policy and then receives a security policy identifier from the SMF entity and obtains the security policy based on the security policy identifier. [0177] [0177] Optionally, an SDAP layer (Service Data Adaptation Protocol, SDAP) can be defined at the base station to map the quality of service to a Packet Data Convergence Protocol (PDCP) layer. Each PDCP layer corresponds to a DRB. Therefore, a previously defined security level needs to be further divided on the RAN side. If security is still performed at the PDCP layer, encryption, decryption and user plane integrity protection are still completed at the PDCP layer. Since a PDCP layer corresponds to a DRB, only DRB-level security processing can be performed on the RAN side. If security processing or partial security processing can be moved to the SDAP layer, QoS flow level security processing can be implemented. Partial security means that if only user plane integrity protection is based on flow granularity, only the security processing related to integrity protection needs to be placed in the SDAP layer. If encryption and decryption processing and user plane integrity protection are all based on flow granularity, all of them must be completed at the SDAP layer. Therefore, a precondition for security processing at flow granularity is that security or partial security is implemented in the SDAP layer.
[0178] [0178] For example, there are four service flows (IP-flow) and three QoS flows in a session. The NAS-level mapping is the first QoS processing step. An IP flow is mapped to a QoS flow, represented by a QFI (QoS flow ID). It can be seen that IP flow 1 and IP flow 4 are placed in QFI 1, and each of the other flows is in a separate QFI. The SDAP layer maps the QFIs of different flows to different PDCP layers. It can be seen that QFI 1 and QFI 2 are placed in one PDCP entity (PDCP entity), indicating that QFI 1 and QFI 2 are transmitted using one DRB (a PDCP entity corresponds to a DRB bearer), and QFI 3 is placed in another PDCP entity, PDCP-2, which is another DRB bearer. [0179] [0179] Optionally, a user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm classified based on a priority. Alternatively, a user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm classified based on a priority. Priority classification can be performed, based on the preference of the local operator, a local environment, or similar, on the user plane integrity protection algorithm allowed by the base station, and the user plane integrity protection algorithm allowed by the base station can be pre-configured on the base station. Priority classification can be performed, based on the network access subscription content of the terminal device, a preference of the terminal device, and / or similar, on the user plane integrity protection algorithm supported by the terminal device, and can be performed by the terminal device at the time of subscription or purchase of more services. Optionally, the security policy can include the user plane integrity protection algorithm supported by the terminal device.
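The mapping in [0177] and [0178] can be checked mechanically: because one PDCP entity serves one DRB, QoS flows that share a DRB can only differ in a security feature if that feature is handled in the SDAP layer. The following Python sketch is an added example, not part of the patent; the assignment of IP flows 2 and 3 to QFI 2 and QFI 3 and the per-flow security requirements are constructed sample values.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class FlowSecurity(NamedTuple):
    """Per-QoS-flow user plane security requirement (constructed for this example)."""
    encryption: bool
    integrity: bool


# Mapping from [0178]: four IP flows, three QoS flows, two DRBs.
# Which of IP-2 / IP-3 lands in QFI 2 or QFI 3 is an assumption.
IP_FLOW_TO_QFI = {"IP-1": 1, "IP-2": 2, "IP-3": 3, "IP-4": 1}
QFI_TO_DRB = {1: "DRB-1", 2: "DRB-1", 3: "DRB-2"}

# Constructed requirements: QFI 1 and QFI 2 share DRB-1 but differ on integrity.
QFI_SECURITY = {
    1: FlowSecurity(encryption=True, integrity=True),
    2: FlowSecurity(encryption=True, integrity=False),
    3: FlowSecurity(encryption=False, integrity=False),
}


def flows_per_drb(ip_flow_to_qfi: Dict[str, int],
                  qfi_to_drb: Dict[int, str]) -> Dict[str, List[str]]:
    """Follow IP flow -> QFI (NAS level) -> DRB (SDAP level)."""
    result = defaultdict(list)
    for ip_flow, qfi in sorted(ip_flow_to_qfi.items()):
        result[qfi_to_drb[qfi]].append(ip_flow)
    return dict(result)


def drb_conflicts(qfi_security: Dict[int, FlowSecurity],
                  qfi_to_drb: Dict[int, str]) -> Dict[str, List[str]]:
    """For each DRB, list the security features on which its QoS flows disagree."""
    by_drb = defaultdict(list)
    for qfi, drb in qfi_to_drb.items():
        by_drb[drb].append(qfi_security[qfi])
    conflicts = {}
    for drb, requirements in by_drb.items():
        differing = [feature for feature in FlowSecurity._fields
                     if len({getattr(r, feature) for r in requirements}) > 1]
        if differing:
            conflicts[drb] = differing
    return conflicts


def required_layer(qfi_security: Dict[int, FlowSecurity],
                   qfi_to_drb: Dict[int, str]) -> Dict[str, str]:
    """Decide per feature whether DRB-level (PDCP) processing is enough.

    A feature on which flows of one DRB disagree needs flow granularity,
    which per [0177] means it has to be processed in the SDAP layer
    ("partial security" when only some features move).
    """
    conflicting = {feature
                   for features in drb_conflicts(qfi_security, qfi_to_drb).values()
                   for feature in features}
    return {feature: ("SDAP" if feature in conflicting else "PDCP")
            for feature in FlowSecurity._fields}


if __name__ == "__main__":
    print(flows_per_drb(IP_FLOW_TO_QFI, QFI_TO_DRB))
    print(drb_conflicts(QFI_SECURITY, QFI_TO_DRB))
    print(required_layer(QFI_SECURITY, QFI_TO_DRB))
```

With these sample requirements only integrity protection has to move to the SDAP layer, which is the "partial security" case of [0177].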
[0180] [0180] Optionally, in step 222, in an optional implementation solution, the security policy includes at least one user plane integrity protection algorithm. The base station directly determines one user plane integrity protection algorithm, among the at least one user plane integrity protection algorithm included in the security policy, as the target user plane integrity protection algorithm. In another optional solution, that the base station determines the target user plane integrity protection algorithm includes: the base station determines the target user plane integrity protection algorithm based on the user plane integrity protection algorithm supported by the terminal device and the user plane integrity protection algorithm allowed by the base station. [0181] [0181] The base station can determine the target user plane integrity protection algorithm in several optional implementations. For example, the base station determines at least one algorithm that belongs to the user plane integrity protection algorithm supported by the terminal device and that also belongs to the user plane integrity protection algorithm allowed by the base station, and determines the target user plane integrity protection algorithm from the at least one algorithm. Optionally, if the user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm classified based on a priority, an algorithm with a relatively high priority or the highest priority in the user plane integrity protection algorithm allowed by the base station is determined, from the at least one algorithm, as the target user plane integrity protection algorithm.
Optionally, if the user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane integrity protection algorithm supported by the terminal device, from the at least one algorithm, as the target user plane integrity protection algorithm. [0182] [0182] Optionally, the security policy additionally includes the user plane integrity protection algorithm allowed by the service network. Optionally, the user plane integrity protection algorithm allowed by the service network is a user plane integrity protection algorithm classified based on a priority. Optionally, the user plane integrity protection algorithm allowed by the service network can be preconfigured in the SMF. The priority of the user plane integrity protection algorithm allowed by the service network can be classified based on factors such as an operator preference and / or a local environment. Optionally, that the base station determines the target user plane integrity protection algorithm based on the user plane integrity protection algorithm supported by the terminal device and the user plane integrity protection algorithm allowed by the base station includes the following: The base station determines the target user plane integrity protection algorithm based on the user plane integrity protection algorithm allowed by the base station, the user plane integrity protection algorithm supported by the terminal device, and the user plane integrity protection algorithm allowed by the service network. Specifically, when the user plane integrity protection algorithm allowed by the service network is classified based on a priority, the selection is made using the priority classification allowed by the service network as a primary condition or using the priority classification allowed by the base station as a primary condition.
Which priority classification is used depends on a policy of a local operator or on other information. For example, the current user plane integrity protection algorithm allowed by the base station was recently updated, and the user plane integrity protection algorithm allowed by the service network was updated a long time ago. Therefore, the priority classification of the user plane integrity protection algorithm allowed by the base station is used as a primary condition. For another example, the priority classification of the user plane integrity protection algorithm allowed by the base station is used as a primary condition by default. If the user plane integrity protection algorithm allowed by the service network is not classified based on a priority, the priority classification of the user plane integrity protection algorithm allowed by the base station is used as a primary condition. [0183] [0183] The base station can determine the target user plane integrity protection algorithm in several optional implementations. For example, the base station determines at least one algorithm that belongs to the user plane integrity protection algorithm supported by the terminal device, that also belongs to the user plane integrity protection algorithm allowed by the base station, and that also belongs to the user plane integrity protection algorithm allowed by the service network, and determines the target user plane integrity protection algorithm from the at least one algorithm. Optionally, if the user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm classified based on a priority, an algorithm with a relatively high priority or the highest priority in the user plane integrity protection algorithm allowed by the base station is determined, from the at least one algorithm, as the target user plane integrity protection algorithm.
Optionally, if the user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane integrity protection algorithm supported by the terminal device, from the at least one algorithm, as the target user plane integrity protection algorithm. Optionally, if the user plane integrity protection algorithm allowed by the service network is a user plane integrity protection algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane integrity protection algorithm allowed by the service network, from the at least one algorithm, as the target user plane integrity protection algorithm. Optionally, the network in this embodiment of this application can include a 5G network or a network that evolves from the 5G network. [0184] [0184] Optionally, the method additionally includes the following: When the security policy includes encryption indication information and the encryption indication information is used to instruct the base station to enable encryption protection for the terminal device, the base station sends a target user plane encryption algorithm to the terminal device. [0185] [0185] Based on the previous content, the following describes a method process in which the base station and the terminal device need to further negotiate the target user plane encryption algorithm. [0186] [0186] Optionally, the user plane encryption algorithm allowed by the base station is a user plane encryption algorithm classified based on a priority. Alternatively, the user plane encryption algorithm supported by the terminal device is a user plane encryption algorithm classified based on a priority.
Priority classification can be performed, based on at least operator preference, on the user plane encryption algorithm allowed by the base station, and the user plane encryption algorithm allowed by the base station can be classified by the operator during network construction and can be pre-configured at the base station. Priority classification can be performed, based on operator preference, on the user plane encryption algorithm supported by the terminal device, and the user plane encryption algorithm supported by the terminal device can be classified by the user during the subscription of network access. Optionally, the security policy can include the user plane encryption algorithm supported by the terminal device. [0187] [0187] Optionally, an optional implementation solution is additionally included. The security policy includes at least one user plane encryption algorithm, and the base station directly determines one user plane encryption algorithm, among the at least one user plane encryption algorithm included in the security policy, as the target user plane encryption algorithm. In another optional solution, the base station determines the target user plane encryption algorithm based on the user plane encryption algorithm supported by the terminal device and the user plane encryption algorithm allowed by the base station. [0188] [0188] The base station can determine the target user plane encryption algorithm in several optional implementations. For example, the base station determines at least one algorithm that belongs to the user plane encryption algorithm supported by the terminal device and that also belongs to the user plane encryption algorithm allowed by the base station, and determines the target user plane encryption algorithm from the at least one algorithm.
Optionally, if the user plane encryption algorithm allowed by the base station is a user plane encryption algorithm classified based on a priority, an algorithm with a relatively high priority or the highest priority in the user plane encryption algorithm allowed by the base station is determined as the target user plane encryption algorithm, from the at least one algorithm that belongs to the user plane encryption algorithm supported by the terminal device and that also belongs to the user plane encryption algorithm allowed by the base station. Optionally, if the user plane encryption algorithm supported by the terminal device is a user plane encryption algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane encryption algorithm supported by the terminal device as the target user plane encryption algorithm, from the at least one algorithm that belongs to the user plane encryption algorithm supported by the terminal device and that also belongs to the user plane encryption algorithm allowed by the base station. [0189] [0189] Optionally, the security policy additionally includes a user plane encryption algorithm allowed by the service network. Optionally, the user plane encryption algorithm allowed by the service network is a user plane encryption algorithm classified based on a priority. Optionally, the user plane encryption algorithm allowed by the service network can be preconfigured in the SMF. The priority of the user plane encryption algorithm allowed by the service network can be classified based on at least the operator preference.
Optionally, that the base station determines the target user plane encryption algorithm based on the user plane encryption algorithm supported by the terminal device and the user plane encryption algorithm allowed by the base station includes the following: The base station determines the target user plane encryption algorithm based on the user plane encryption algorithm allowed by the base station, the user plane encryption algorithm supported by the terminal device, and the user plane encryption algorithm allowed by the service network. Specifically, when the user plane encryption algorithm allowed by the service network is classified based on a priority, the selection is made using the priority classification allowed by the service network as a primary condition. If the user plane encryption algorithm allowed by the service network is not classified based on a priority, the priority of the user plane security algorithm allowed by the base station is used as a primary condition. [0190] [0190] The base station can determine the target user plane encryption algorithm in several optional implementations. For example, the base station determines at least one algorithm that belongs to the user plane encryption algorithm supported by the terminal device, that also belongs to the user plane encryption algorithm allowed by the base station, and that also belongs to the user plane encryption algorithm allowed by the service network, and determines the target user plane encryption algorithm from the at least one algorithm that belongs to all three.
Optionally, if the user plane encryption algorithm allowed by the base station is a user plane encryption algorithm classified based on a priority, an algorithm with a relatively high priority or the highest priority in the user plane encryption algorithm allowed by the base station is determined as the target user plane encryption algorithm, from the at least one algorithm that belongs to the user plane encryption algorithm supported by the terminal device, that also belongs to the user plane encryption algorithm allowed by the base station, and that also belongs to the user plane encryption algorithm allowed by the service network. Optionally, if the user plane encryption algorithm supported by the terminal device is a user plane encryption algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane encryption algorithm supported by the terminal device as the target user plane encryption algorithm, from the at least one algorithm that belongs to all three of these algorithm sets. Optionally, if the user plane encryption algorithm allowed by the service network is a user plane encryption algorithm classified based on a priority, the base station determines an algorithm with a relatively high priority or the highest priority in the user plane encryption algorithm allowed by the service network as the target user plane encryption algorithm, from the at least one algorithm that belongs to all three of these algorithm sets.
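The selection rule of [0180] to [0183] (integrity protection) and [0187] to [0190] (encryption) is the same in both cases: intersect the algorithm sets of the terminal device, the base station and, when present, the service network, then let the first priority-classified list decide. The Python sketch below is an added example and not code from the patent; the algorithm names are constructed sample values in 3GPP style, the default order follows the encryption rule of [0189], and the behaviour when no list is classified is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

PARTIES = ("network", "base_station", "terminal")


@dataclass(frozen=True)
class AlgorithmList:
    """Algorithms of one party; `ranked` tells whether list order is a priority order."""
    algorithms: Tuple[str, ...]
    ranked: bool = False


def select_target(terminal: AlgorithmList,
                  base_station: AlgorithmList,
                  network: Optional[AlgorithmList] = None,
                  primary: Sequence[str] = PARTIES) -> Optional[str]:
    """Return the target user plane algorithm, or None if no algorithm is common.

    `primary` is the order in which priority-classified lists are consulted.
    The default puts the service network first, as in [0189]; for integrity
    protection [0182] lets operator policy put the base station first.
    """
    unknown = set(primary) - set(PARTIES)
    if unknown:
        raise ValueError(f"unknown party in primary order: {sorted(unknown)}")

    parties = {"terminal": terminal, "base_station": base_station, "network": network}

    # "At least one algorithm" that every party accepts.
    common = set(terminal.algorithms) & set(base_station.algorithms)
    if network is not None:
        common &= set(network.algorithms)
    if not common:
        # The page does not say what happens here; the caller must treat this
        # as a failed negotiation rather than proceed unprotected.
        return None

    for name in primary:
        party = parties[name]
        if party is not None and party.ranked:
            # Highest-priority entry of the deciding list that is also common.
            return next(a for a in party.algorithms if a in common)

    # No list is classified by priority: any common algorithm qualifies.
    # Assumption of this example: use base-station order to stay deterministic.
    return next(a for a in base_station.algorithms if a in common)


# Constructed sample capability lists (not taken from the page).
UE = AlgorithmList(("NIA1", "NIA2", "NIA3"))
GNB = AlgorithmList(("NIA2", "NIA1"), ranked=True)
NET = AlgorithmList(("NIA1", "NIA3", "NIA2"), ranked=True)

if __name__ == "__main__":
    print(select_target(UE, GNB))                     # base station priority decides
    print(select_target(UE, GNB, NET))                # service network priority decides
    print(select_target(UE, GNB, NET,
                        primary=("base_station", "network", "terminal")))
    print(select_target(AlgorithmList(("NIA3",)), GNB))  # nothing in common
```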
[0191] [0191] Optionally, when the security policy additionally includes a key length, the base station sends the key length to the terminal device. The key length includes a user plane integrity protection key length and a user plane encryption key length. Optionally, in this embodiment of this application, when sending information such as the target user plane integrity protection algorithm, the target user plane encryption algorithm and the key length to the terminal device, the base station can use one piece of signaling, such as an RRC reconfiguration request, or use a plurality of pieces of information. [0192] [0192] In an optional implementation, if the RRC reconfiguration request is used for sending, there may be several ways to send. For example, an RRC reconfiguration message can be used. The RRC reconfiguration message can include at least one of a target user plane encryption algorithm, a target user plane integrity protection algorithm, a user plane encryption key length, a user plane integrity protection key length, a key combination policy (which can also be referred to as D-H), information indicating enable or disable, DRB-1 (QoS information), DRB-2 (QoS information) and another parameter. [0193] [0193] In an optional implementation, if user plane integrity protection is not enabled, the target user plane integrity protection algorithm is not transmitted. When the algorithm itself can indicate the key length, the key length indication information may not be carried. When the base station does not support or does not need to enable the key combination policy, the key combination policy does not need to be transmitted. In this method, the security policy is not transmitted in each DRB. Therefore, this method is applicable to a case where all DRBs use the same security feature. In addition, a target security policy can be configured for all DRBs through one selection process.
[0194] [0194] In another optional implementation, the RRC reconfiguration message can include: a reconfiguration parameter; DRB-1 (target user plane security encryption algorithm-1, [user plane integrity protection algorithm-1], [user plane encryption key length-1], [user plane integrity protection key length-1], [key combination policy], QoS parameter, another parameter); DRB-2 (target user plane security encryption algorithm-2, [user plane integrity protection algorithm-2], [user plane encryption key length-2], [user plane integrity protection key length-2], [key combination policy], QoS parameter, another parameter); and another parameter. [0195] [0195] The RRC reconfiguration message shows only two example cases: DRB-1 and DRB-2. A format carried in the RRC reconfiguration message can be similar to the previous example, and all or some of the parameter items can be carried. For example, the parameters included in [] in the previous example may or may not be carried. In this way, a target security policy can be configured for each DRB, and the target security policy for each DRB can be the same or different. [0196] [0196] The two previous methods can also be used together, that is, some target security policies can be shared by all DRBs, and a security policy is different depending on different DRBs.
For example, the RRC reconfiguration message includes: the target user plane security encryption algorithm; DRB-1 ([user plane integrity protection algorithm-1], [user plane encryption key length-1], [user plane integrity protection key length-1], [key combination policy], QoS parameter, another parameter); DRB-2 ([user plane integrity protection algorithm-2], [user plane encryption key length-2], [user plane integrity protection key length-2], [key combination policy], QoS parameter, another parameter); and another parameter.

[0197] Optionally, before the base station sends the target user plane integrity protection algorithm to the terminal device, the method additionally includes that the base station receives quality of service of a current session of the terminal device from the SMF entity. Optionally, the quality of service of the current session and the security policy can be sent using one message or can be sent separately using a plurality of messages. Optionally, the base station additionally receives, from the AMF, some basic information used to generate a key, for example, a base key used to generate a user plane integrity protection key and a base key used to generate a user plane encryption key.

[0198] Optionally, the base station allocates a data radio bearer (Data Radio Bearer, DRB) to the terminal device based on at least one of the security policy and the quality of service, and the data radio bearer is allocated by the base station. The base station allocates, based on at least the quality of service, the data radio bearer to the data transmitted to the terminal device. In 5G, on one data radio bearer, there may be data flows corresponding to a plurality of types of quality of service.

[0199] Optionally, a DRB can correspond to a plurality of pieces of quality of service. A target data radio bearer is allocated to the terminal device based on at least one of the security policy and the quality of service.
[0200] Optionally, when there is no historical data radio bearer meeting the first condition on the base station and at least one historical data radio bearer does not satisfy the second condition on the base station, the base station configures the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0201] Optionally, when there is no historical data radio bearer meeting the first condition on the base station, the base station configures the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0202] Optionally, the base station configures the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.

[0203] Optionally, a previously established history DRB can be selected as the target data radio bearer for the terminal device, or a DRB can be newly established as the target data radio bearer.

[0204] In an optional implementation, one of the historical data radio bearers can first be selected directly as the target data radio bearer for the terminal device and, if the target data radio bearer cannot be selected from the historical data radio bearers, a new data radio bearer is configured for the terminal device as the target data radio bearer.

[0205] Alternatively, based on some predefined rules, it is first determined whether the terminal device is allowed to use a historical data radio bearer. If the terminal device is allowed, one of the historical data radio bearers can first be selected as the target data radio bearer for the terminal device. If the target data radio bearer cannot be selected from the historical data radio bearers, a new data radio bearer is configured for the terminal device and is used directly as the target data radio bearer.
To describe the previous solution in more detail, the following uses several detailed examples.

[0206] Implementation b1

[0207] When there is at least one historical data radio bearer meeting the first condition on the base station, the target data radio bearer is one of the at least one historical data radio bearer meeting the first condition. The quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the first condition is the same as the quality of service of the current session, and the security policy is the same as a security policy supported by each data radio bearer.

[0208] Optionally, the first condition includes that the supported quality of service is the same as the quality of service of the current session, and that the security policy obtained in step 221 is the same as the supported security policy.

[0209] Information on DRB reuse can be conveyed by sending a message. For example, the message transmitted to the terminal device for the first time is: RRC reconfiguration message (target user plane encryption algorithm-1, DRB-1 (QoS-1 information), DRB-2 (QoS-2), another parameter); the message transmitted to the terminal device for the second time is: RRC reconfiguration message (current user plane encryption algorithm-1, DRB-1 (QoS-1 information), DRB-2 (QoS-2 information), DRB-3 (current user plane encryption algorithm-2, QoS-2/3/4 information, another parameter)). In this way, a DRB-2 security policy is modified to achieve the purpose of reusing QoS. It can be learned from this example that the objective of using the historical data radio bearer as the target data radio bearer is achieved by sending signaling.
[0210] For another example, to achieve the goal of reusing the history DRB, the message transmitted to the terminal device for the first time is: RRC reconfiguration message (target user plane encryption algorithm-1, DRB-1 (QoS-1 information), DRB-2 (QoS-2 information), another parameter); the message transmitted to the terminal device for the second time is: RRC reconfiguration message (current user plane encryption algorithm-1, DRB-1 (QoS-1 information), DRB-2 (current user plane encryption algorithm-2, QoS-2 information), another parameter). In this way, the DRB-2 security policy is modified to achieve the objective of reusing QoS.

[0211] Implementation b2

[0212] When there is no historical data radio bearer satisfying the first condition on the base station, but there is at least one historical data radio bearer satisfying the second condition on the base station, the target data radio bearer is a data radio bearer obtained after one of the at least one historical data radio bearer satisfying the second condition is updated based on the security policy. The quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition is the same as the quality of service of the current session, and the security policy corresponds to a security policy supported by each data radio bearer; or the quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition corresponds to the quality of service of the current session, and the security policy is the same as a security policy supported by each data radio bearer; or the quality of service supported by each data radio bearer of the at least one historical data radio bearer satisfying the second condition corresponds to the quality of service of the current session, and the security policy corresponds to a security policy supported by each data radio bearer.
[0213] Optionally, the second condition includes that the supported quality of service corresponds to the quality of service of the current session, and that the security policy obtained is the same as the supported security policy. Alternatively, optionally, the second condition includes that the supported quality of service is the same as the quality of service of the current session, and that the security policy obtained corresponds to the supported security policy. Alternatively, optionally, the second condition includes that the supported quality of service corresponds to the quality of service of the current session, and that the security policy obtained corresponds to the supported security policy.

[0214] That is, the security policy and quality of service of the historical data radio bearer that is found and those of the target data radio bearer are not completely the same but differ only slightly. For example, a difference between bandwidth requirements is within a predefined range, so that the historical data radio bearer can be used with minimal modification. For example, a relationship between a data radio bearer meeting the second condition and the target data radio bearer can satisfy the following: user plane encryption protection, but not user plane integrity protection, is enabled for the data radio bearer satisfying the second condition; user plane encryption protection and user plane integrity protection are enabled for the target data radio bearer; and the target user plane encryption algorithm of the data radio bearer satisfying the second condition is the same as the target user plane encryption algorithm of the target data radio bearer. In this case, because a base station resource is limited, a new DRB cannot be configured; or the base station is configured to reuse the historical data radio bearer. Therefore, the base station sends the RRC reconfiguration message several times and enables integrity protection.
[0215] This embodiment of this application provides a possible implementation. For example, a message transmitted by the base station to the terminal device for the first time is: RRC reconfiguration message (target user plane encryption algorithm, DRB-1 (QoS-1 information), DRB-2 (QoS-2 information), another parameter); a message transmitted by the base station to the terminal device for the second time is: RRC reconfiguration message (current user plane encryption algorithm, DRB-1 (QoS-1 information), DRB-2 (target user plane integrity protection algorithm, QoS-2 information, QoS-3 information), another parameter). In this way, a DRB-2 resource can be reused. Certainly, there are a plurality of specific implementations, and only examples are provided here.

[0216] Implementation b3

[0217] A data radio bearer is directly configured based on at least one of the security policy or the quality of service.

[0218] Implementation b4

[0219] The base station presets an association relationship between the data radio bearer, the quality of service and the security policy, and defines a corresponding identifier for each association relationship, for example, a subscriber profile ID (Subscriber Profile ID for RAT/Frequency Priority, SPID). That is, regardless of which one or more of a session ID, an IMSI, a DNN and an NSSAI is used as a basis, and regardless of whether the search is performed on a UDM, a UPF and a PCF, the SMF obtains an SPID. The SMF then delivers the SPID to a RAN, and the RAN can find a predefined QoS policy and security policy using the SPID. In this case, the SMF does not need to provide any security policy, only the SPID. The RAN can then determine, based on the SPID, a DRB to be used, and the DRB used meets the QoS policy and the security policy.
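The bearer choice described in implementations b1 to b3 can be written as one decision procedure. The following Python sketch is an added illustration, not text from the application: the class and function names, the use of a single bandwidth figure as the quality of service, the 100 kbps tolerance, and the rule that a policy "corresponds" when only integrity protection is missing (the case given in [0214]) are all assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed "predefined range" within which two bandwidth requirements correspond.
BANDWIDTH_TOLERANCE_KBPS = 100


@dataclass(frozen=True)
class SecurityPolicy:
    enc_alg: Optional[str]  # None: user plane encryption protection not enabled
    int_alg: Optional[str]  # None: user plane integrity protection not enabled


@dataclass(frozen=True)
class Drb:
    drb_id: int
    bandwidth_kbps: int  # stand-in for the quality of service the bearer supports
    policy: SecurityPolicy


def qos_corresponds(drb: Drb, bandwidth_kbps: int) -> bool:
    """QoS differs, but only within the predefined range."""
    return abs(drb.bandwidth_kbps - bandwidth_kbps) <= BANDWIDTH_TOLERANCE_KBPS


def policy_corresponds(supported: SecurityPolicy, wanted: SecurityPolicy) -> bool:
    """Case from [0214]: same encryption algorithm, and the bearer only lacks
    the integrity protection that the session's policy asks for."""
    return (supported.enc_alg == wanted.enc_alg
            and supported.int_alg is None
            and wanted.int_alg is not None)


def select_target_drb(history: List[Drb], bandwidth_kbps: int,
                      policy: SecurityPolicy) -> Tuple[str, Drb]:
    """Return (action, bearer) where action is 'reuse', 'update' or 'new'."""
    # b1: first condition, QoS and security policy are both the same.
    for drb in history:
        if drb.bandwidth_kbps == bandwidth_kbps and drb.policy == policy:
            return "reuse", drb

    # b2: second condition, each of QoS and policy is the same or corresponds.
    # A bearer with both identical was already returned by the b1 loop.
    for drb in history:
        qos_ok = (drb.bandwidth_kbps == bandwidth_kbps
                  or qos_corresponds(drb, bandwidth_kbps))
        policy_ok = (drb.policy == policy
                     or policy_corresponds(drb.policy, policy))
        if qos_ok and policy_ok:
            # The history bearer is updated based on the security policy; this
            # is the step that needs a further RRC reconfiguration message.
            return "update", replace(drb, policy=policy)

    # b3: configure a new bearer directly from the policy and QoS.
    new_id = max((d.drb_id for d in history), default=0) + 1
    return "new", Drb(new_id, bandwidth_kbps, policy)
```

The 'update' result is the case that deserves attention in review: it changes the protection applied to a bearer that is already carrying traffic, so the updated policy must never be weaker than what the session's security policy requires.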
[0220] Optionally, that the base station sends the target user plane integrity protection algorithm to the terminal device includes that the base station sends the target user plane integrity protection algorithm to the terminal device using Radio Resource Control (RRC) signaling. Optionally, the RRC signaling includes an RRC reconfiguration request.

[0221] Optionally, if the security policy indicates that the base station and the terminal device need to negotiate the target user plane encryption algorithm, the base station additionally needs to send the target user plane encryption algorithm to the terminal device. Optionally, the base station additionally needs to send the key length to the terminal device. If the security policy indicates that the base station and the terminal device need to negotiate the target user plane encryption algorithm, the key length can include a user plane encryption key length. If the integrity protection indication information indicates that the base station enables integrity protection for the terminal device, the key length can include a user plane integrity protection key length. One or more of the target user plane integrity protection algorithm, the target user plane encryption algorithm, the key length and the quality of service can be sent to the terminal device using one piece of signaling, for example, an RRC reconfiguration request.

[0222] Optionally, when the security policy additionally includes D-H indication information, and the D-H indication information is used to instruct the base station to enable D-H for the terminal device, the base station sends a D-H related key to the terminal device. The following example describes in detail a signaling exchange process between the base station and the terminal device when the D-H indication information is used to instruct the base station to enable D-H for the terminal device.
[0223] If the key combination policy is enabled, the base station selects, based on a D-H capability reported by the UE and a D-H capability allowed by the base station, a D-H capability that is allowed by the base station and that has the highest priority. In addition, the base station generates a public key P1 and a private key B1 based on the selected D-H capability. The base station sends the public key P1 and the selected D-H capability to the terminal device, for example, using an RRC reconfiguration message. The terminal device generates a public key P2 and a private key B2 based on the selected D-H capability, and generates a key Kdh using the private key B2 and the public key P1. Then Kdh and Kan are used for key combination. A combination method can be New-Kan = KDF (Kdh, Kan and another parameter). KDF (key derivation function) is a key generation function, for example, a hash 256 algorithm, and the other parameter can be a freshness parameter, for example, PDCP COUNT. Kdh and Kan can also be used directly for key combination without using the other parameter. After the keys are combined, a new user plane key is generated based on New-Kan and the target user plane security algorithm. In addition, the new user plane key is used to protect the RRC reconfiguration message, and then the RRC reconfiguration message is sent to the base station. The RRC reconfiguration message includes the public key P2. After obtaining the public key P2, the base station generates New-Kan based on the public key P2 and the private key B1 using the same method as the terminal device and, in addition, uses the same method as the terminal device to obtain a new user plane key. In addition, the new user plane key is used to verify the RRC reconfiguration message. If the verification is successful, the base station begins to enable the new user plane key.
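The exchange in [0223] can be followed end to end in a short Python sketch. This is an added illustration, not code from the application: the D-H group (the Mersenne prime 2**521 - 1 with generator 3) is a stand-in chosen to avoid dependencies and is not a vetted group, HMAC-SHA-256 is an assumed KDF construction, and all function names, capability names and message contents are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-in D-H group (assumption): Mersenne prime 2**521 - 1, generator 3.
# Not a vetted group; a deployment uses the group named by the negotiated
# D-H capability.
P = 2**521 - 1
G = 3
P_LEN = 66  # bytes needed to hold a 521-bit value


def select_dh_capability(ue_caps, bs_allowed_by_priority):
    """Highest-priority capability allowed by the base station that the UE reported."""
    for cap in bs_allowed_by_priority:
        if cap in ue_caps:
            return cap
    return None  # no common capability: key combination cannot be enabled


def dh_keypair():
    private = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return private, pow(G, private, P)


def dh_shared(private, peer_public):
    if not 1 < peer_public < P - 1:  # reject 0, 1 and P-1
        raise ValueError("invalid D-H public key")
    return pow(peer_public, private, P).to_bytes(P_LEN, "big")


def kdf(key, *parts):
    """HMAC-SHA-256 over length-prefixed inputs (assumed KDF construction)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def new_kan(kdh, kan, pdcp_count):
    """New-Kan = KDF(Kdh, Kan, freshness parameter)."""
    return kdf(kdh, kan, pdcp_count.to_bytes(4, "big"))


def user_plane_key(new_kan_value, algorithm):
    """New user plane key from New-Kan and the target user plane algorithm."""
    return kdf(new_kan_value, b"user-plane", algorithm.encode())


def message_mac(key, p2, body):
    """Integrity tag over P2 and the message body."""
    return hmac.new(key, p2.to_bytes(P_LEN, "big") + body, hashlib.sha256).digest()


def terminal_respond(kan, request, pdcp_count, algorithm):
    """Terminal device: generate B2/P2, derive the new key, protect the reply."""
    b2, p2 = dh_keypair()
    kdh = dh_shared(b2, request["P1"])
    key = user_plane_key(new_kan(kdh, kan, pdcp_count), algorithm)
    body = b"RRC reconfiguration message"  # constructed placeholder content
    return {"P2": p2, "body": body, "mac": message_mac(key, p2, body)}


def base_station_verify(kan, b1, response, pdcp_count, algorithm):
    """Base station: same derivation from P2 and B1. Returns the new user
    plane key only if the protected message verifies, otherwise None."""
    kdh = dh_shared(b1, response["P2"])
    key = user_plane_key(new_kan(kdh, kan, pdcp_count), algorithm)
    expected = message_mac(key, response["P2"], response["body"])
    return key if hmac.compare_digest(expected, response["mac"]) else None
```

Because Kan is an input to the KDF, a reply built against a substituted P1, or altered in transit, fails verification at the base station and the new key is not enabled.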
[0224] In an optional implementation of the embodiment shown in Figure 2a or Figure 2b, after step 213 in Figure 2b, the method additionally includes the following: The base station receives the security policy or the security policy identifier, and the base station can select a user plane integrity protection algorithm in the security policy as the target user plane integrity protection algorithm based on information provided in the security policy. The security policy may include one or more user plane integrity protection algorithms. Alternatively, the base station may not use the user plane integrity protection algorithm in the security policy as the target user plane integrity protection algorithm. Alternatively, when the user plane integrity protection algorithm in the security policy is not in a list of user plane integrity protection algorithms allowed by the base station, the base station does not use the user plane integrity protection algorithm in the security policy as the target user plane integrity protection algorithm. In addition, optionally, when the user plane integrity protection algorithm in the security policy is not used as the target user plane integrity protection algorithm, if the base station enables user plane integrity protection, the base station can select a user plane integrity protection algorithm other than the one in the security policy as the target user plane integrity protection algorithm. For example, the base station can select one of the user plane integrity protection algorithms allowed by the base station as the target user plane integrity protection algorithm. For another example, if a security policy is preconfigured on the base station, and the base station does not receive a security policy delivered by another network element, the base station can select the target user plane integrity protection algorithm based on the security policy preconfigured on the base station.
For example, the preconfigured security policy may include one or more user plane integrity protection algorithms, and the base station selects a user plane integrity protection algorithm from the preconfigured security policy as the target user plane integrity protection algorithm. For other implementations, see the previous content.

[0225] Optionally, the user plane integrity protection algorithm in the security policy can be the user plane integrity protection algorithm that is included in the security policy described in the previous content and that is allowed by the service network, or can be determined by the SMF entity based on at least one of the user plane integrity protection algorithm allowed by the service network, the user plane integrity protection algorithm supported by the terminal device, and the user plane integrity protection algorithm allowed by the base station. For example, the SMF entity can determine, as the target user plane integrity protection algorithm, an algorithm that belongs to the user plane integrity protection algorithms supported by the terminal device and that also belongs to the user plane integrity protection algorithms allowed by the base station. For another example, the SMF entity can determine, as the target user plane integrity protection algorithm, an algorithm that belongs to the user plane integrity protection algorithms supported by the terminal device, that also belongs to the user plane integrity protection algorithms allowed by the base station and that also belongs to the user plane integrity protection algorithms allowed by the service network.

[0226] The security policy may include a signaling plane integrity protection algorithm, that is, the security policy may include a signaling plane integrity protection algorithm and/or a user plane integrity protection algorithm.
For example, the user plane integrity protection algorithm included in the security policy is also a signaling plane integrity protection algorithm, that is, an integrity protection algorithm included in the security policy is used both for user plane integrity protection and for signaling plane integrity protection.

[0227] A person skilled in the art can learn that there are a plurality of implementations of selecting the target user plane encryption algorithm, the target signaling plane integrity protection algorithm, and the target signaling plane encryption algorithm by the base station. Refer to the description of the solution for selecting the target user plane integrity protection algorithm. The following briefly describes several implementations.

[0228] In an optional implementation of the embodiment shown in Figure 2a or Figure 2b, after step 213 in Figure 2b, the method additionally includes the following: The base station receives the security policy or the security policy identifier, and the base station can select a user plane encryption algorithm in the security policy as the target user plane encryption algorithm based on the information provided in the security policy. The security policy may include one or more user plane encryption algorithms. Alternatively, the base station may not use the user plane encryption algorithm in the security policy as the target user plane encryption algorithm. Alternatively, when the user plane encryption algorithm in the security policy is not in a list of user plane encryption algorithms allowed by the base station, the base station does not use the user plane encryption algorithm in the security policy as the target user plane encryption algorithm.
In addition, optionally, when the user plane encryption algorithm in the security policy is not used as the target user plane encryption algorithm, if the base station enables user plane encryption protection, the base station can select a user plane encryption algorithm other than the one in the security policy as the target user plane encryption algorithm. For example, the base station can select one of the user plane encryption algorithms allowed by the base station as the target user plane encryption algorithm. For other implementations, see the previous content.

[0229] Optionally, the user plane encryption algorithm in the security policy can be the user plane encryption algorithm that is included in the security policy described in the previous content and that is allowed by the service network, or can be determined by the SMF entity based on at least one of the user plane encryption algorithm allowed by the service network, the user plane encryption algorithm supported by the terminal device and the user plane encryption algorithm allowed by the base station. For example, the SMF entity can determine, as the target user plane encryption algorithm, an algorithm that belongs to the user plane encryption algorithms supported by the terminal device and that also belongs to the user plane encryption algorithms allowed by the base station. For another example, the SMF entity can determine, as the target user plane encryption algorithm, an algorithm that belongs to the user plane encryption algorithms supported by the terminal device, that also belongs to the user plane encryption algorithms allowed by the base station and that also belongs to the user plane encryption algorithms allowed by the service network.

[0230] The security policy may include a signaling plane encryption algorithm, that is, the security policy may include a signaling plane encryption algorithm and/or a user plane encryption algorithm.
For example, the user plane encryption algorithm included in the security policy is also a signaling plane encryption algorithm, that is, an encryption algorithm included in the security policy is used for both user plane encryption protection and signaling plane encryption protection.

[0231] Optionally, in an implementation of the embodiment shown in Figure 2a, the method shown in Figure 2a additionally includes that the terminal device obtains a target user plane integrity protection algorithm. Specifically, the following two ways can be used:

[0232] Way 1: The terminal device receives the target user plane integrity protection algorithm sent by the base station. For example, in step 223 in Figure 2b, the base station sends the target user plane integrity protection algorithm to the terminal device and, correspondingly, the terminal device receives the target user plane integrity protection algorithm sent by the base station.

[0233] Way 2: The terminal device determines the target user plane integrity protection algorithm. For example, the terminal device continues to use a previously used target user plane integrity protection algorithm. For another example, the terminal device determines a target signaling plane integrity protection algorithm (the target signaling plane integrity protection algorithm can be sent by the base station to the terminal device) as the target user plane integrity protection algorithm. In this way, the flexibility of determining the target user plane integrity protection algorithm by the terminal device can be improved.

[0234] In addition, the terminal device can additionally determine the target user plane encryption algorithm. For example, the terminal device continues to use a previously used target user plane encryption algorithm. For another example, the terminal device determines the target signaling plane encryption algorithm as the target user plane encryption algorithm.
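The selection rules in [0224], [0225], [0228] and [0229] apply equally to integrity protection and encryption algorithms, and the following Python sketch covers both with one function. It is an added illustration, not text from the application; the function names, the algorithm labels, and the assumption that the base station's allowed list is ordered by priority and that the chosen algorithm must also be supported by the terminal device are hypothetical.

```python
from typing import List, Optional, Sequence, Set, Tuple


def smf_candidates(ue_supported: Set[str],
                   bs_allowed: Sequence[str],
                   network_allowed: Optional[Set[str]] = None) -> List[str]:
    """Algorithms the SMF entity may place in the security policy: supported
    by the terminal device, allowed by the base station and, when a service
    network list is given, allowed by the service network as well."""
    return [alg for alg in bs_allowed
            if alg in ue_supported
            and (network_allowed is None or alg in network_allowed)]


def select_target_algorithm(protection_enabled: bool,
                            bs_allowed: Sequence[str],
                            ue_supported: Set[str],
                            received_policy: Optional[Sequence[str]] = None,
                            preconfigured_policy: Optional[Sequence[str]] = None
                            ) -> Tuple[str, Optional[str]]:
    """Return (source, algorithm) for the base station's choice.

    source is 'disabled', 'received policy', 'preconfigured policy',
    'base station list' or 'none available'."""
    if not protection_enabled:
        # Protection not enabled: no target algorithm is selected or sent.
        return "disabled", None

    # A policy delivered by another network element takes precedence; the
    # preconfigured policy is used only when none was received.
    if received_policy is not None:
        source, policy = "received policy", received_policy
    elif preconfigured_policy is not None:
        source, policy = "preconfigured policy", preconfigured_policy
    else:
        source, policy = "", []

    # Use a policy algorithm only if it is in the base station's allowed list.
    for alg in policy:
        if alg in bs_allowed and alg in ue_supported:
            return source, alg

    # Policy algorithm not usable: pick from the base station's own list,
    # highest priority first (ordering is an assumption of this sketch).
    for alg in bs_allowed:
        if alg in ue_supported:
            return "base station list", alg

    return "none available", None
```

Returning the source alongside the algorithm makes it possible to log when the base station overrode the delivered policy, which is the event an operator would want to audit.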
[0235] In an implementation of the embodiment shown in Figure 2, the method shown in Figure 2 additionally includes that the base station determines a target user plane integrity protection algorithm and/or a target user plane encryption algorithm. For example, the target signaling plane integrity protection algorithm in the target signaling plane protection algorithm determined in step 202 can also be used as the target user plane integrity protection algorithm, and the target signaling plane encryption algorithm in the target signaling plane protection algorithm determined in step 202 can also be used as the target user plane encryption algorithm.

[0236] Optionally, in an implementation of the embodiments shown in Figure 2, Figure 2a and Figure 2b, the method additionally includes the following:

[0237] The base station enables user plane integrity protection; or the terminal device and the base station enable user plane integrity protection; or the terminal device enables user plane integrity protection.

[0238] The following uses the base station as an example to describe enabling user plane integrity protection or enabling user plane encryption protection.

[0239] For example, when a condition for enabling user plane integrity protection by the base station is met, the base station enables user plane integrity protection.
[0240] The condition for enabling user plane integrity protection by the base station can be as follows: The base station receives a first predefined user plane message, such as a session establishment acceptance message; or the base station receives user plane information, such as a session ID or a QoS profile, where the user plane information can be predefined user plane information, such as a predefined session ID or a predefined QoS profile, and the predefined session ID can be a specified session ID; or the base station currently allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, for example, the base station receives a message requesting allocation of a user plane resource to the terminal device; or, if the base station currently reallocates a user plane resource to the terminal device and a network execution parameter satisfies a predefined network permission condition, the base station can enable user plane integrity protection; or the security policy received by the base station includes integrity protection indication information, and the integrity protection indication information indicates to enable user plane integrity protection; or the base station receives a predefined session service type. For example, the preconfigured security policy may include an association relationship between the predefined session service type and enabling user plane integrity protection. User plane integrity protection can be enabled when the predefined session service type is received.

[0241] When the condition for enabling user plane integrity protection by the base station is met, for several specific implementations in which the base station enables user plane integrity protection, refer to the following implementation c1-a1 through implementation c1-a7.
[0242] Implementation c1-a1

[0243] For example, when receiving a first predefined user plane message within a predefined period of time, the base station can enable user plane integrity protection, and the first predefined user plane message can be a session establishment acceptance message.

[0244] For example, if the base station receives a session establishment acceptance message (which can also be called a session establishment completion) within the predefined time period, it indicates that the base station is currently in a session establishment procedure, and to improve the security of user plane signaling, user plane integrity protection can be enabled.

[0245] Implementation c1-a2

[0246] Upon receiving user plane information within a predefined time period, the base station can enable user plane integrity protection, and the user plane information can be a session ID or a predefined QoS profile.

[0247] For example, if the base station receives any session ID or QoS profile (optionally, which can be received from an N2 interface or obtained directly from the terminal device side) within the predefined time period, the base station is currently in a session establishment procedure and enables user plane integrity protection. Optionally, signaling plane protection can also be enabled.

[0248] Optionally, enabling signaling plane protection can be at least one of enabling signaling plane integrity protection and enabling signaling plane encryption protection. The description in this paragraph applies to all the embodiments of this application and is not repeated below.

[0249] Implementation c1-a3

[0250] Upon receiving predefined user plane information within a predefined period of time, the base station can enable user plane integrity protection. The predefined user plane information can be a predefined session ID or a predefined QoS profile.
An association relationship between the predefined user plane information and whether to enable user plane integrity protection is predefined on the base station, and the association relationship between the predefined user plane information and whether to enable user plane integrity protection can be used as part of a security policy preconfigured on the base station.

[0251] For example, an association relationship is defined between enabling user plane integrity protection and the session ID. Therefore, if the base station receives the predefined session ID within the predefined time period, the base station enables user plane integrity protection. The predefined session ID corresponds to enabling user plane integrity protection in the association relationship between enabling user plane integrity protection and the session ID.

[0252] For another example, an association relationship is defined between enabling user plane integrity protection and the QoS profile. Therefore, if the base station receives the predefined QoS profile within the predefined time period, the base station enables user plane integrity protection. The predefined session ID corresponds to enabling user plane integrity protection in the association relationship between enabling user plane integrity protection and the session ID.

[0253] In addition, the association relationship between enabling user plane integrity protection and the session ID can be predefined on the base station, or the base station can receive an updated association relationship sent by another network element. Optionally, the base station can determine, based on the predefined association relationship and the updated association relationship, whether to enable user plane integrity protection. For example, when user plane integrity protection is enabled for the first time, whether to enable user plane integrity protection can be determined based on the predefined association relationship.
When an association relationship is updated at a later time, whether to enable user plane integrity protection can also be determined based on the latest association relationship only. A comprehensive determination can additionally be made in combination with a specific predefined association relationship, an updated association relationship, and a network load status. For example, if the base station reallocates a resource to a session due to overload, the user plane integrity protection originally enabled for the session is disabled in the resource reallocation process for the session.

[0254] Implementation c1-a4

[0255] If the base station currently allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, the base station can enable user plane integrity protection. For example, when the base station receives, within a predefined period of time, a message requesting allocation of a user plane resource to the terminal device, the base station allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, and the procedure is related to user plane signaling. To improve the security of user plane signaling, user plane integrity protection can be enabled.

[0256] Implementation c1-a5

[0257] If the base station currently reallocates a user plane resource to the terminal device, and a network execution parameter satisfies a predefined network permission condition, the base station can enable user plane integrity protection. The network execution parameter includes an amount of network load and/or a packet loss rate.

[0258] It should be noted that, in a process of reallocating a resource to a session by the base station, the following two optional implementations can be used:

[0259] Way 1: A user plane security solution corresponding to a resource previously allocated to the session of the terminal device is still used.
For example, the resource previously allocated to the terminal device session corresponds to enabling user plan integrity protection, and the reallocated resource corresponding to the terminal device session also corresponds to enabling user plan integrity protection. [0260] [0260] Way 2: A user plan security solution corresponding to the relocated resource corresponding to the session is determined again based on the status of the base station. For example, the status of the base station shows that the packet loss rate for a session is very high. Because user plan integrity protection can increase the rate of packet loss, user plan integrity protection is disabled in a resource reallocation process for the session. For another example, if the base station reallocates a resource to a session due to overhead, in a process of reallocating the resource to the session, the user plan integrity protection originally enabled for the session will be disabled. [0261] [0261] Obviously, the two optional previous implementations can be combined. For example, if the base station reallocates a resource to a session and the base station's status is normal, user plan integrity protection is kept enabled; or if the status of the base station is abnormal, for example, the base station will reallocate a resource to the session due to overhead, user plan integrity protection will be disabled if user plan integrity protection was originally enabled for the session. For another example, the packet loss rate for a session is very high and therefore a resource is reallocated to the session. Because user plan integrity protection can increase the rate of packet loss, user plan integrity protection is disabled. Optionally, this case can be preconfigured on the base station as part of the security policy (the preconfigured security policy on the base station can also be the preconfigured security policy on the base station in the previous content). 
[0262] Implementation c1-a6
[0263] If a security policy received by the base station includes integrity protection indication information, and the integrity protection indication information indicates to enable user plane integrity protection, the base station can enable user plane integrity protection. Optionally, the integrity protection indication information can be an identifier for an integrity protection algorithm, bit indication information, or predefined information. For example, the integrity protection indication information can be sent by an SMF entity. When determining that a user plane integrity protection condition of the SMF entity is met, the SMF entity sends the integrity protection indication information indicating to enable user plane integrity protection. There may be a plurality of implementations in which the SMF entity determines that its user plane integrity protection condition is satisfied, or reference may be made to the base station implementations described in implementation c1-a1 to implementation c1-a5.
[0264] Implementation c1-a7
[0265] A security policy can be preconfigured on the base station, and the preconfigured security policy can include an association relationship between a predefined session service type and enabling user plane integrity protection. A condition for enabling user plane integrity protection by the base station may be that the preconfigured security policy on the base station includes the predefined session service type. For example, the preconfigured security policy may include the association relationship between the predefined session service type and enabling user plane integrity protection. When the predefined session service type is received, user plane integrity protection can be enabled. Optionally, if the base station does not receive a security policy sent by a network element, the preconfigured security policy on the base station can be used.
[0266] For example, the preconfigured security policy on the base station can be specified in a dimension of the user plane data (for example, a type of service). For example, it is specified in the preconfigured security policy on the base station that user plane integrity protection is not enabled for a procedure corresponding to a VoIP service. Therefore, when determining that a current session matches the VoIP service, the base station does not enable user plane integrity protection.
[0267] In addition, the security policy can be preconfigured on the base station, or it can be an updated security policy sent by another network element and received by the base station. Optionally, the base station can determine, based on the preconfigured security policy and the updated security policy, whether to enable user plane integrity protection. For example, when user plane integrity protection is enabled for the first time, whether to enable user plane integrity protection can be determined based on the preconfigured security policy. When a security policy is updated at a later time, whether to enable user plane integrity protection can also be determined based on the latest security policy only. Comprehensive determination can additionally be carried out in combination with a specific preconfigured security policy, an updated security policy and a network load status. For example, if the base station reallocates a resource to a session due to overload, the user plane integrity protection originally enabled for the session will be disabled in a resource reallocation process for the session.
[0268] In addition, optionally, the method additionally includes that the base station sends integrity protection indication information to the terminal device, where encryption indication information is used to indicate enabling user plane integrity protection. The integrity protection indication information can be the integrity protection indication information included in the security policy received by the base station.
[0269] Optionally, in another implementation of the embodiments shown in Figure 2, Figure 2a and Figure 2b, the method additionally includes the following:
[0270] The base station enables user plane encryption protection; or the terminal device and the base station enable user plane encryption protection; or the terminal device enables user plane encryption protection.
[0271] For example, when a condition to enable user plane encryption protection by the base station is met, the base station enables user plane encryption protection.
[0272] The condition to enable user plane encryption protection by the base station can be as follows: The base station receives a first predefined user plane message, such as a session establishment acceptance message; or the base station receives user plane information, such as a session ID or QoS profile. User plane information can be predefined user plane information, such as a predefined session ID or a predefined QoS profile, and the default session ID can be a specified session ID; or the base station currently allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, for example, the base station receives a message requesting to allocate a user plane resource to the terminal device; or the security policy received by the base station includes encryption indication information and the encryption indication information indicates to enable user plane encryption protection; or the base station receives a predefined session service type. For example, the preconfigured security policy may include an association relationship between the predefined session service type and enabling user plane encryption protection. User plane encryption protection can be enabled when the predefined session service type is received; or user plane encryption protection can be enabled when signaling plane protection is enabled.
[0273] In addition, optionally, the method additionally includes that the base station sends encryption indication information to the terminal device. The encryption indication information is used to indicate enabling user plane encryption protection. The encryption indication information can be the encryption indication information included in the security policy received by the base station.
[0274] When the condition to enable user plane encryption protection by the base station is met, for several specific implementations in which the base station enables user plane encryption protection, see the following implementation c1-b1 to implementation c1-b8.
[0275] Implementation c1-b1
[0276] For example, when receiving a first predefined user plane message within a predefined period of time, the base station can enable user plane encryption protection, and the first predefined user plane message can be a session establishment acceptance message.
[0277] For example, if the base station receives a session establishment acceptance message (which can also be called session establishment complete) within the predefined time period, it indicates that the base station is currently in a session establishment procedure, and to improve user plane signaling security, user plane encryption protection can be enabled.
[0278] Implementation c1-b2
[0279] Upon receiving user plane information within a predefined period of time, the base station can enable user plane encryption protection, and the user plane information can be a session ID or a predefined QoS profile.
[0280] For example, if the base station receives any session ID or QoS profile (optionally, which can be received from an N2 interface or obtained directly from the terminal device side) within the predefined period of time, the base station is currently in a session establishment procedure and enables user plane encryption protection. Optionally, signaling plane protection can also be enabled.
[0281] Optionally, enabling signaling plane protection can be at least one of enabling signaling plane integrity protection and enabling signaling plane encryption protection. The description in this paragraph is applicable to all the embodiments of this application and is not repeated in the content below.
[0282] Implementation c1-b3
[0283] Upon receiving predefined user plane information within a predefined period of time, the base station can enable user plane encryption protection. The predefined user plane information can be a predefined session ID or a predefined QoS profile. An association relationship between the predefined user plane information and whether to enable user plane encryption protection is predefined on the base station, and this association relationship can be used as part of a preconfigured security policy on the base station.
[0284] For example, an association relationship is defined between enabling user plane encryption protection and the session ID. Therefore, if the base station receives the predefined session ID within the predefined time period, the base station enables user plane encryption protection. The predefined session ID corresponds to enabling user plane encryption protection in the association relationship between enabling user plane encryption protection and the session ID.
[0285] For another example, an association relationship is defined between enabling user plane encryption protection and the QoS profile. Therefore, if the base station receives the predefined QoS profile within the predefined time period, the base station enables user plane encryption protection. The predefined QoS profile corresponds to enabling user plane encryption protection in the association relationship between enabling user plane encryption protection and the session ID.
[0286] In addition, the association relationship between enabling user plane encryption protection and the session ID can be predefined on the base station, or the base station can receive an updated association relationship sent by another network element. Optionally, the base station can determine, based on the predefined association relationship and the updated association relationship, whether to enable user plane encryption protection. For example, when user plane encryption protection is enabled for the first time, whether to enable user plane encryption protection can be determined based on the predefined association relationship. When an association relationship is updated at a later time, whether to enable user plane encryption protection can also be determined based on the latest association relationship only. Comprehensive determination can additionally be carried out in combination with a specific predefined association relationship, an updated association relationship and a network load status. For example, if the base station reallocates a resource to a session due to overload, the user plane encryption protection originally enabled for the session will be disabled in a resource reallocation process for the session.
[0287] Implementation c1-b4
[0288] If the base station currently allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, the base station can enable user plane encryption protection. For example, when the base station receives, within a predefined period of time, a message requesting to allocate a user plane resource to the terminal device, the base station allocates a user plane resource to the terminal device or reallocates a user plane resource to the terminal device, and the procedure is related to user plane signaling. To improve the security of user plane signaling, user plane encryption protection can be enabled.
[0289] Implementation c1-b5
[0290] If the base station currently reallocates a user plane resource to the terminal device, and a network execution parameter satisfies a predefined network permission condition, the base station can enable user plane encryption protection. The network execution parameter includes an amount of network load and/or a packet loss rate.
[0291] It should be noted that, in a process of reallocating a resource to a session by the base station, the following two optional implementations can be used:
[0292] Way 1: A user plane security solution corresponding to a resource previously allocated for the terminal device session is still used. For example, the resource previously allocated to the terminal device session corresponds to enabling user plane encryption protection, and the reallocated resource corresponding to the terminal device session also corresponds to enabling user plane encryption protection.
[0293] Way 2: A user plane security solution corresponding to the reallocated resource corresponding to the session is determined again based on the status of the base station. For example, the status of the base station shows that the packet loss rate for a session is very high. Because user plane encryption protection can increase the packet loss rate, user plane encryption protection is disabled in a resource reallocation process for the session. For another example, if the base station reallocates a resource to a session due to overload, in a process of reallocating the resource to the session, the user plane encryption protection originally enabled for the session will be disabled.
[0294] Obviously, the two preceding optional implementations can be combined. For example, if the base station reallocates a resource to a session and the base station's status is normal, user plane encryption protection is kept enabled; or if the status of the base station is abnormal, for example, the base station reallocates a resource to the session due to overload, user plane encryption protection will be disabled if user plane encryption protection was originally enabled for the session. For another example, the packet loss rate for a session is very high and therefore a resource is reallocated to the session. Because user plane encryption protection can increase the packet loss rate, user plane encryption protection is disabled. Optionally, this case can be preconfigured on the base station as part of the security policy (the preconfigured security policy on the base station can also be the preconfigured security policy on the base station in the previous content).
[0295] Implementation c1-b6
[0296] If a security policy received by the base station includes encryption protection indication information, and the encryption protection indication information indicates to enable user plane encryption protection, the base station can enable user plane encryption protection. Optionally, the encryption protection indication information can be an identifier for an encryption algorithm, bit indication information or predefined information. For example, the encryption protection indication information can be sent by an SMF entity. When determining that a user plane encryption protection condition of the SMF entity is met, the SMF entity sends the encryption protection indication information indicating to enable user plane encryption protection. There may be a plurality of implementations in which the SMF entity determines that its user plane encryption protection condition is met, or reference may be made to the base station implementations described in implementation c1-b1 to implementation c1-b5.
[0297] Implementation c1-b7
[0298] A security policy can be preconfigured on the base station, and the preconfigured security policy can include an association relationship between a predefined session service type and enabling user plane encryption protection. A condition for enabling user plane encryption protection by the base station may be that the preconfigured security policy on the base station includes the predefined session service type. For example, the preconfigured security policy may include the association relationship between the predefined session service type and enabling user plane encryption protection. When the predefined session service type is received, user plane encryption protection can be enabled. Optionally, if the base station does not receive a security policy sent by a network element, the preconfigured security policy on the base station can be used.
[0299] For example, the preconfigured security policy on the base station can be specified in a dimension of the user plane data (for example, a type of service). For example, it is specified in the preconfigured security policy on the base station that user plane encryption protection is not enabled for a procedure corresponding to a VoIP service. Therefore, when determining that a current session matches the VoIP service, the base station does not enable user plane encryption protection.
[0300] In addition, the security policy can be preconfigured on the base station or it can be an updated security policy sent by another network element and received by the base station. Optionally, the base station can determine, based on the preconfigured security policy and the updated security policy, whether to enable user plane encryption protection. For example, when user plane encryption protection is enabled for the first time, whether to enable user plane encryption protection can be determined based on the preconfigured security policy. When a security policy is updated at a later time, whether to enable user plane encryption protection can also be determined based on the latest security policy only. Comprehensive determination can additionally be carried out in combination with a specific preconfigured security policy, an updated security policy and a network load status. For example, if the base station reallocates a resource to a session due to overload, the user plane encryption protection originally enabled for the session will be disabled in a resource reallocation process for the session.
[0301] Implementation c1-b8
[0302] When enabling signaling plane protection (enabling signaling plane integrity protection and/or signaling plane encryption protection), the base station can also enable user plane encryption protection. For example, in the implementation shown in Figure 2, after step 202, an optional implementation is additionally included: When enabling signaling plane protection, the base station also enables user plane encryption protection.
[0303] In this implementation, if the terminal device and the base station enable signaling plane protection, and do not enable user plane integrity protection and user plane encryption protection, when user plane integrity protection and user plane encryption protection are enabled, a state of enabling signaling plane protection can be maintained. In this implementation, the base station can send integrity protection indication information and encryption indication information to the terminal device. In this way, on the one hand, the terminal device can maintain the enabled state of the current signaling plane protection (for example, if the terminal device previously enabled signaling plane integrity protection, but not signaling plane encryption protection, the state in which signaling plane integrity protection is enabled but signaling plane encryption protection is not enabled is maintained). On the other hand, the terminal device enables user plane integrity protection based on the integrity protection indication information, and enables user plane encryption protection based on the encryption indication information.
[0304] In another optional implementation, if the terminal device and the base station enable signaling plane protection and user plane encryption protection, but not user plane integrity protection, when user plane integrity protection is enabled, the base station can send to the terminal device only the integrity protection indication information used to enable user plane integrity protection. On the one hand, the terminal device can maintain the enabled state of the current signaling plane protection (for example, if the terminal device previously enabled signaling plane integrity protection, but not signaling plane encryption protection, the state in which signaling plane integrity protection is enabled but signaling plane encryption protection is not enabled is maintained). On the other hand, the terminal device enables user plane integrity protection based on the integrity protection indication information and continuously enables encryption protection. In another optional implementation, the encryption indication information can be transmitted again to indicate that user plane encryption protection is continuously enabled.
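The base-station decisions described above (policy indication, service-type association, reallocation under Way 1 and Way 2 combined, and which indications are sent to the terminal device) can be modelled as follows. This is an added Python example, not part of the patent; the service-type names, the `LOSS_LIMIT` threshold, the precedence of an updated policy over the preconfigured one, and all class and function names are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Tuple

LOSS_LIMIT = 0.05  # assumed threshold; the text only says the loss rate is "very high"


@dataclass
class SecurityPolicy:
    """One policy, preconfigured on the base station or received from e.g. an SMF."""
    indication: Optional[bool] = None  # explicit indication (c1-a6 / c1-b6)
    by_service_type: Dict[str, bool] = field(default_factory=dict)  # c1-a7 / c1-b7


@dataclass
class BaseStationStatus:
    overloaded: bool = False
    packet_loss_rate: float = 0.0


@dataclass
class ProtectionState:
    sp_integrity: bool           # signaling plane integrity protection
    sp_encryption: bool          # signaling plane encryption protection
    up_integrity: bool = False   # user plane integrity protection
    up_encryption: bool = False  # user plane encryption protection


def policy_decision(service_type: str, preconfigured: SecurityPolicy,
                    updated: Optional[SecurityPolicy] = None) -> bool:
    """Initial decision for one protection type (integrity or encryption).

    Assumption: an updated policy is consulted first and the preconfigured one
    is the fallback; a service type that no policy lists is not protected.
    """
    for policy in (updated, preconfigured):
        if policy is None:
            continue
        if policy.indication is not None:
            return policy.indication
        if service_type in policy.by_service_type:
            return policy.by_service_type[service_type]
    return False


def on_reallocation(previously_enabled: bool,
                    status: BaseStationStatus) -> Tuple[bool, str]:
    """Way 1 and Way 2 combined: keep the prior state while the base station is
    normal, disable on overload or high packet loss. The reason string lets an
    operator audit every case in which protection was switched off."""
    if not previously_enabled:
        return False, "not enabled before reallocation"
    if status.overloaded:
        return False, "disabled: base station overloaded"
    if status.packet_loss_rate > LOSS_LIMIT:
        return False, "disabled: packet loss rate above limit"
    return True, "kept: base station status normal"


def indications_to_send(state: ProtectionState, want_integrity: bool,
                        want_encryption: bool,
                        resend_unchanged: bool = False) -> Dict[str, bool]:
    """Indications the base station sends; re-sending an unchanged one is optional."""
    msg: Dict[str, bool] = {}
    if resend_unchanged or want_integrity != state.up_integrity:
        msg["integrity"] = want_integrity
    if resend_unchanged or want_encryption != state.up_encryption:
        msg["encryption"] = want_encryption
    return msg


def terminal_apply(state: ProtectionState, msg: Dict[str, bool]) -> ProtectionState:
    """Terminal side: only user plane flags change; signaling plane state is kept."""
    return replace(state,
                   up_integrity=msg.get("integrity", state.up_integrity),
                   up_encryption=msg.get("encryption", state.up_encryption))


if __name__ == "__main__":
    # Constructed sample policy: VoIP sessions unprotected, metering sessions protected.
    pre = SecurityPolicy(by_service_type={"voip": False, "metering": True})
    print(policy_decision("voip", pre), policy_decision("metering", pre))
    print(on_reallocation(True, BaseStationStatus(overloaded=True)))
    ue = ProtectionState(sp_integrity=True, sp_encryption=False, up_encryption=True)
    print(terminal_apply(ue, indications_to_send(ue, True, True)))
```

The reason string returned by `on_reallocation` is the part an operator would log: both "disabled" branches are points where a session silently loses protection it previously had.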
[0305] The following provides a description using an example in which the terminal device enables user plane integrity protection or user plane encryption protection.
[0306] When a condition to enable user plane integrity protection by the terminal device is met, the terminal device enables user plane integrity protection.
[0307] The condition for enabling user plane integrity protection by the terminal device can be as follows: The terminal device receives integrity protection indication information sent by the base station, and the integrity protection indication information indicates to enable user plane integrity protection; or the terminal device sends a second predefined user plane message, for example, a session establishment request message.
[0308] When the condition to enable user plane integrity protection by the terminal device is satisfied, for several specific implementations in which the terminal device enables user plane integrity protection, see the following implementation c1-c1 and implementation c1-c2.
[0309] Implementation c1-c1
[0310] In an optional implementation of the embodiments shown in Figure 2a and Figure 2b, after step 211, the method additionally includes that the base station sends integrity protection indication information to the terminal device, where the integrity protection indication information is used to indicate whether to enable user plane integrity protection. The integrity protection indication information can be the integrity protection indication information included in the security policy obtained by the base station in step 221 in Figure 2b, or it can be determined by the base station in any of the previous implementations c1-a1 to c1-a7.
[0311] When the terminal device receives the integrity protection indication information, and the integrity protection indication information indicates to enable user plane integrity protection, the terminal device can enable user plane integrity protection.
[0312] Implementation c1-c2
[0313] For example, the terminal device sends a session establishment request message within a predefined period of time, and the terminal device is currently in a session establishment procedure. In this case, to improve user plane security, the terminal device can enable user plane integrity protection.
[0314] In addition, optionally, if the terminal device uses implementation c1-c2, and the terminal device additionally receives the integrity protection indication information, if there is a conflict between implementation c1-c2 and the integrity protection indication information, the terminal device determines, based on the received integrity protection indication information, whether to enable user plane integrity protection.
[0315] In an optional implementation of the embodiments shown in Figure 2a and Figure 2b, after step 211, the method additionally includes that the base station sends encryption indication information to the terminal device, where the encryption indication information is used to indicate whether to enable user plane encryption protection. The encryption indication information can be the encryption indication information included in the security policy obtained by the base station in step 221 in Figure 2b, or it can be determined by the base station in any of the previous implementations c1-a1 through c1-a7.
[0316] For example, when the terminal device receives the encryption indication information and the encryption indication information indicates to enable user plane encryption protection, the terminal device can enable user plane encryption protection.
[0317] For example, when sending a second predefined user plane message within the predefined time period, the terminal device can enable user plane encryption protection. For example, the terminal device sends a session request message within the predefined time period, and the terminal device is currently in a session establishment procedure. In this case, to improve user plane security, the terminal device can enable user plane encryption protection.
[0318] In addition, optionally, if the terminal device uses implementation c1-c2, and the terminal device additionally receives the encryption indication information, if there is a conflict between implementation c1-c2 and the encryption indication information, the terminal device will determine, based on the encryption indication information received, whether to enable user plane encryption protection.
[0319] For another example, when enabling signaling plane protection (enabling signaling plane integrity protection and/or signaling plane encryption protection), the terminal device can also enable user plane encryption protection. For example, in the implementation shown in Figure 2, between step 203 and step 204, the method additionally includes that, when enabling signaling plane protection, the base station can also enable user plane encryption protection.
[0320] The terminal device can determine, based on whether to send the second predefined user plane message within the predefined time period, whether to enable signaling plane protection (signaling plane integrity protection and/or signaling plane encryption protection). The second predefined signaling plane message can include a registration request or a service request. Specifically, if it is determined, based on the current procedure, that the terminal device currently initiates a registration request (or a service request), it is determined that the current procedure is a registration procedure (or a service procedure). Since user plane resource allocation information is not received in the procedure, the terminal device can enable signaling plane protection.
[0321] In addition, the terminal device can optionally determine, based on the received signaling plane integrity protection indication information, whether to enable signaling plane integrity protection and can determine, based on the received signaling plane encryption indication information, whether to enable signaling plane encryption protection. At least one of the signaling plane integrity protection indication information and the signaling plane encryption indication information received by the terminal device can also be sent by another network element to the base station and then forwarded by the base station to the terminal device. The other network element can be, for example, an SMF entity.
[0322] Optionally, in an implementation of the embodiments shown in Figure 2, Figure 2a and Figure 2b, the method additionally includes the following:
[0323] The base station does not enable user plane integrity protection; or the terminal device and the base station do not enable user plane integrity protection.
[0324] The following uses an example in which the base station does not enable user plane integrity protection for description.
[0325] When a condition not to enable user plane integrity protection by the base station is met, the base station does not enable user plane integrity protection.
[0326] The condition for not enabling user plane integrity protection by the base station can be as follows: The base station receives a first predefined signaling plane message, such as a registration request completion message or a service request completion message; or the base station does not receive user plane information or predefined user plane information, such as a session ID, a QoS profile, a predefined session ID or a predefined QoS profile, within a predefined period of time; or the base station does not receive, within a predefined period of time, a message requesting to allocate a user plane resource to the terminal device or to reallocate a user plane resource to the terminal device, such as a resource allocation request message; or the integrity protection indication information included in the security policy received by the base station indicates not to enable user plane integrity protection; or a session service type is not a predefined session service type, for example, the preconfigured security policy may include an association relationship between the predefined session service type and enabling user plane integrity protection, and user plane integrity protection may not be enabled when the predefined session service type is not received.
[0327] For example, when a predefined standard condition indicates that the base station does not always enable user plane integrity protection, a user plane integrity protection key is not generated.
[0328] Optionally, in an implementation of the embodiments shown in Figure 2, Figure 2a and Figure 2b, the method additionally includes the following:
[0329] The base station does not enable user plane encryption protection; or the terminal device and the base station do not enable user plane encryption protection.
[0330] The following uses an example in which the base station does not enable user plane encryption protection for description.
[0331] When a condition not to enable user plane encryption protection by the base station is met, the base station does not enable user plane encryption protection.
[0332] The condition for not enabling user plane encryption protection by the base station can be as follows: The base station receives a first predefined signaling plane message, such as a registration request completion message or a service request completion message; or the base station does not receive user plane information or predefined user plane information, such as a session ID, a QoS profile, a predefined session ID or a predefined QoS profile, within a predefined period of time; or the base station does not receive, within a predefined period of time, a message requesting to allocate a user plane resource to the terminal device or to reallocate a user plane resource to the terminal device, such as a resource allocation request message; or the encryption protection indication information included in the security policy received by the base station indicates not to enable user plane encryption protection; or a session service type is not a predefined session service type, for example, the preconfigured security policy may include an association relationship between the predefined session service type and enabling user plane encryption protection.
[0333] For example, when a predefined standard condition indicates that the base station does not always enable user plane encryption protection, a user plane encryption key is not generated.
[0334] The following uses an example in which the terminal device does not enable user plane integrity protection for description.
[0335] When a condition not to enable user plane integrity protection by the terminal device is met, the terminal device does not enable user plane integrity protection.
[0336] The condition for the terminal device not to enable user plane integrity protection can be as follows: the terminal device does not send, within a predefined period of time, a second predefined user plane message, such as a session establishment request message; or the terminal device receives integrity protection indication information sent by the base station, and the integrity protection indication information indicates not to enable user plane integrity protection; or the terminal device receives, within a predefined period of time, a first predefined signaling plane message, such as a registration request completion message or a service request message.
[0337] For example, when a predefined default condition indicates that the terminal device never enables user plane integrity protection, a user plane integrity protection key is not generated.
[0338] For example, when a predefined default condition indicates that the base station never enables user plane encryption protection, a user plane encryption key is not generated.
[0339] The following description uses an example in which the terminal device does not enable user plane encryption protection.
[0340] When a condition for the terminal device not to enable user plane encryption protection is met, the terminal device does not enable user plane encryption protection.
[0341] The condition for the terminal device not to enable user plane encryption protection can be as follows: the terminal device does not send, within a predefined period of time, a second predefined user plane message, such as a session establishment request message; or the terminal device receives encryption protection indication information sent by the base station, and the encryption protection indication information indicates not to enable user plane encryption protection.
[0342] For example, when a predefined default condition indicates that the terminal device never enables user plane encryption protection, a user plane encryption key is not generated.
[0343] There are a plurality of implementations in which the terminal device or the base station does not enable user plane integrity protection, which are as follows:
[0344] Way 1 of not enabling user plane integrity protection: that the terminal device or the base station does not enable user plane integrity protection can mean generating a user plane integrity protection key but not performing user plane integrity protection using that key. That is, when user plane integrity protection is not enabled, the user plane integrity protection key can be generated first, but the key is not used; when user plane integrity protection is enabled, the user plane integrity protection key is used to perform user plane integrity protection.
[0345] In way 1 of not enabling user plane integrity protection, a user plane integrity protection algorithm is obtained before the terminal device generates the user plane integrity protection key. For example, a signaling plane integrity protection algorithm can be used as the user plane integrity protection algorithm.
[0346] Way 2 of not enabling user plane integrity protection: that the terminal device or the base station does not enable user plane integrity protection can mean generating a user plane integrity protection key, and performing user plane integrity protection using that key, only when user plane integrity protection is enabled. That is, when whether to enable user plane integrity protection cannot be determined, or it is determined not to enable user plane integrity protection, the user plane integrity protection key may not be generated, and the user plane integrity protection key is generated when user plane integrity protection is enabled.
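The difference between way 1 and way 2 for user plane integrity protection, as an added sketch that is not part of the patent text. The class and method names, the HMAC-SHA-256 key derivation and the 4-byte truncated HMAC used as the MAC are assumptions standing in for the real key derivation and integrity algorithms.

```python
import hashlib
import hmac
from typing import Optional

MAC_LEN = 4  # 32-bit MAC; constructed choice for this sketch


def derive_key(root_key: bytes, label: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA-256 truncated to 128 bits), an assumption."""
    return hmac.new(root_key, label, hashlib.sha256).digest()[:16]


class UserPlaneIntegrity:
    """Hypothetical endpoint state for user plane integrity protection."""

    def __init__(self, root_key: bytes, way: int):
        if way not in (1, 2):
            raise ValueError("way must be 1 or 2")
        self._root_key = root_key
        self.way = way
        self.enabled = False
        self.key: Optional[bytes] = None

    def on_security_mode_command(self) -> None:
        # Way 1: the key is generated now and stored, but not used yet.
        # Way 2: no key is generated until protection is enabled.
        if self.way == 1:
            self.key = derive_key(self._root_key, b"up-int")

    def enable(self) -> None:
        # Way 2 generates the key at this point; way 1 already holds it.
        if self.key is None:
            self.key = derive_key(self._root_key, b"up-int")
        self.enabled = True

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()[:MAC_LEN]

    def protect(self, payload: bytes) -> bytes:
        # While protection is not enabled the payload leaves without a MAC,
        # whether or not a key is already stored.
        if not self.enabled:
            return payload
        return payload + self._mac(payload)

    def verify(self, pdu: bytes) -> bytes:
        if not self.enabled:
            return pdu
        if len(pdu) < MAC_LEN:
            raise ValueError("PDU shorter than the MAC")
        payload, mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(payload)):
            raise ValueError("MAC check failed")
        return payload
```

The two ways interoperate once both sides have enabled protection; if only the receiver has enabled it, unprotected data from the peer fails the MAC check, which is why both sides must switch on the same indication.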
[0347] Correspondingly, for example, for the terminal device and the base station, if it is determined that the terminal device and the base station never enable user plane integrity protection (which can be, for example, a predefined condition), the user plane integrity protection key may not be generated.
[0348] The implementations in which the base station and the terminal device do not enable user plane integrity protection can be the same or different. For example, the base station and the terminal device both use way 1 of not enabling user plane integrity protection; or the terminal device uses way 1 of not enabling user plane integrity protection and the base station uses way 2 of not enabling user plane integrity protection.
[0349] There are a plurality of implementations in which the terminal device or the base station does not enable user plane encryption protection, which are as follows:
[0350] Way 1 of not enabling user plane encryption protection: that the terminal device or the base station does not enable user plane encryption protection includes generating a user plane encryption protection key but not performing user plane encryption protection using that key. That is, when user plane encryption protection is not enabled, the user plane encryption protection key can be generated first but not used; and when user plane encryption protection is enabled, user plane encryption protection is performed using the user plane encryption protection key.
[0351] In way 1 of not enabling user plane encryption protection, a user plane encryption algorithm is obtained before the terminal device generates the user plane encryption protection key. For example, a signaling plane encryption algorithm can be used as the user plane encryption algorithm.
[0352] Way 2 of not enabling user plane encryption protection: that the terminal device or the base station does not enable user plane encryption protection includes generating a user plane encryption protection key when user plane encryption protection is enabled, and performing user plane encryption protection using that key. That is, when whether to enable user plane encryption protection cannot be determined, or it is determined not to enable user plane encryption protection, the user plane encryption protection key may not be generated, and the user plane encryption protection key is generated when user plane encryption protection is enabled.
[0353] Correspondingly, for example, for the terminal device and the base station, if it is determined that the terminal device and the base station never enable user plane encryption protection (which can be, for example, a predefined condition), the user plane encryption protection key may not be generated.
[0354] The implementations in which the base station and the terminal device do not enable user plane encryption protection can be the same or different. For example, the base station and the terminal device both use way 1 of not enabling user plane encryption protection; or the terminal device uses way 1 of not enabling user plane encryption protection and the base station uses way 2 of not enabling user plane encryption protection.
[0355] In addition, there are a plurality of implementations in which the base station and the terminal device enable user plane encryption protection. For example, whether to enable user plane encryption protection can be determined based on a predefined stipulation. The predefined stipulation may be that the terminal device enables user plane encryption protection after receiving an AS security mode command; that is, satisfying a base station user plane encryption protection condition includes receiving an AS security mode command.
Based on this example, for example, satisfying a terminal device user plane integrity protection condition includes that the terminal device receives integrity protection indication information indicating to enable user plane integrity protection. That is, the terminal device enables user plane encryption protection after receiving the AS security mode command, and to enable user plane integrity protection, the base station must notify the terminal device by sending the integrity protection indication information. In this case, the terminal device does not enable user plane integrity protection when it does not receive the integrity protection indication information. In addition, when the terminal device receives the integrity protection indication information indicating to enable user plane integrity protection, the terminal device enables user plane integrity protection. In other words, the terminal device does not enable user plane integrity protection within one period of time, but it can enable user plane integrity protection in another period. That is, the terminal device temporarily does not enable user plane integrity protection. This is different from a case where the terminal device never enables user plane integrity protection. The base station and the terminal device can further determine, based on a predefined stipulation, whether to enable signaling plane protection (including signaling plane integrity protection and/or signaling plane encryption protection), and the predefined stipulation may be that the terminal device enables signaling plane protection after receiving an AS security mode command.
[0356] For another example, when enabling signaling plane protection (enabling signaling plane integrity protection and/or signaling plane encryption protection), the terminal device or the base station enables user plane encryption protection. That is, satisfying the base station's user plane encryption protection condition includes enabling signaling plane protection.
In other words, user plane encryption protection can be enabled together with signaling plane protection, and whether user plane integrity protection is enabled depends on whether a base station user plane integrity protection condition is satisfied. For example, after receiving registration acceptance or service request acceptance, the base station can enable signaling plane protection (enable signaling plane integrity protection and/or signaling plane encryption protection) and enable user plane encryption protection, but not enable user plane integrity protection. In addition, in this implementation, the encryption indication information may not be defined.
[0357] For example, after step 203 in Figure 2, that is, after the base station sends the AS security mode command to the terminal device, the terminal device enables signaling plane protection but not user plane protection, and can generate a signaling plane key (signaling plane integrity protection key and/or signaling plane encryption protection key) and a user plane key (user plane integrity protection key and/or user plane encryption protection key). However, only the signaling plane key is used for protection, and the user plane key can be stored. The user plane key is used when user plane protection is enabled.
[0358] For another example, after step 203 in Figure 2, that is, after the base station sends the AS security mode command to the terminal device, the terminal device enables signaling plane protection, enables user plane encryption protection, and does not enable user plane integrity protection, and can generate a signaling plane key (signaling plane integrity protection key and/or signaling plane encryption protection key), a user plane encryption key, and a user plane integrity protection key. However, only the signaling plane key and the user plane encryption key are used for protection. The user plane integrity protection key can be stored.
When user plane integrity protection is enabled, the user plane integrity protection key is used to perform integrity protection.
[0359] For another example, after step 203 in Figure 2, that is, after the base station sends the AS security mode command to the terminal device, the terminal device enables signaling plane protection but not user plane protection, can generate a signaling plane key (signaling plane integrity protection key and/or signaling plane encryption protection key) and use the signaling plane key for protection, and does not generate a user plane key (user plane integrity protection key and/or user plane encryption protection key). For another example, when the request message at step 211 in Figure 2b is a session establishment request, after step 211 the base station sends an AS security mode command or an RRC reset message to the terminal device and, after receiving the AS security mode command or the RRC reset message, the terminal device uses the user plane key to perform user plane security protection.
[0360] For another example, after step 203 in Figure 2, that is, after the base station sends the AS security mode command to the terminal device, the terminal device enables signaling plane protection and user plane encryption protection, does not enable user plane integrity protection, can generate a signaling plane key (signaling plane integrity protection key and/or signaling plane encryption protection key) and use the signaling plane key for protection, and can generate a user plane encryption key and use the user plane encryption key for protection, but does not generate a user plane integrity protection key.
For another example, when the request message at step 211 in Figure 2b is a session establishment request, after step 211 the base station sends an AS security mode command or an RRC reset message to the terminal device and, after receiving the AS security mode command or the RRC reset message, the terminal device generates the user plane integrity protection key and uses the user plane integrity protection key to perform user plane security protection.
[0361] The terminal device can determine, based on integrity protection indication information received from the base station, whether to enable user plane integrity protection, or the terminal device can also determine whether or not to enable user plane integrity protection, which is described below using implementation c1 and implementation c2. In addition, optionally, to save resources, if the terminal device determines not to enable user plane integrity protection, a user plane integrity protection algorithm may not be sent. That is, in this optional implementation, an empty user plane integrity protection algorithm cannot be sent, but if the terminal device does not enable user plane encryption protection, an empty user plane encryption algorithm will be sent.
[0362] It should be noted that, in the previous embodiments and the several optional implementations of the embodiments, at least one of the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information sent by the base station to the terminal device can be carried in a predefined message.
For example, a field is predefined in the predefined message, and the predefined field carries at least one of the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information. The predefined message can be an AS security mode command or an RRC reset request. For example, the integrity protection indication information is sent to the terminal device in the form of an identifier of an algorithm, as shown in the following implementation c1-1 (b7).
[0363] It should be noted that, in the previous embodiments and the several optional implementations of the embodiments, at least one of the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information received by the base station can be carried in the security policy, and c1-1 (b2) to c1-1 (b7) can be used specifically.
[0364] The following describes various ways of representing the integrity protection indication information and/or the encryption indication information.
[0365] Implementation c1-1 (b1)
[0366] At least one of the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information can be represented by setting a session ID in a predefined field. For example, when the base station does not receive the session ID, the session ID in the predefined field in the predefined message sent to the terminal device is set to 0, indicating that only signaling plane protection is enabled, user plane integrity protection is not enabled and user plane encryption protection is not enabled.
When the session ID in the predefined field in the predefined message received by the terminal device is 0, it can be determined that only signaling plane protection is enabled (signaling plane integrity protection is enabled and/or signaling plane encryption protection is enabled), user plane integrity protection is not enabled, and user plane encryption protection is not enabled.
[0367] In addition, enabling signaling plane protection can mean enabling at least one of signaling plane integrity protection and signaling plane encryption protection. Specifically, whether to enable signaling plane integrity protection, signaling plane encryption protection, or both signaling plane integrity protection and signaling plane encryption protection can be determined based on a predefined rule or the like. For example, signaling plane integrity protection and signaling plane encryption protection are enabled by default in the predefined rule. Content similar to this paragraph is not repeated below.
[0368] For another example, upon receiving the session ID, the base station can set the session ID in the predefined field in the predefined message sent to the terminal device to a current session ID. If the terminal device receives the predefined message sent by the base station, the predefined field in the predefined message includes the session ID, and the session ID is the current session ID, the terminal device enables user plane encryption protection and user plane integrity protection by default. Optionally, an encryption algorithm selected by the base station for the signaling plane can also be used for the user plane, that is, the encryption algorithm selected by the base station is both a signaling plane encryption algorithm and a user plane encryption algorithm. Likewise, a selected signaling plane integrity protection algorithm is used as a user plane integrity protection algorithm.
In addition, if the terminal device receives the predefined message sent by the base station, the predefined field in the predefined message includes the session ID, and the session ID is not empty, the terminal device can enable user plane integrity protection and/or user plane encryption protection. Specifically, whether to enable user plane encryption protection, user plane integrity protection, or both user plane encryption protection and user plane integrity protection can be determined by referring to the predefined rule or the description in another embodiment of this application.
[0369] In another optional implementation, at least one of the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information can be indicated by setting related QoS information in the predefined field in the predefined message, for example, by setting a QFI value. The QFI value can be used in a way similar to the session ID. For example, when the base station does not receive the QFI, the QFI in the predefined field in the predefined message sent to the terminal device is set to 0, indicating that only signaling plane protection is enabled, user plane integrity protection is not enabled, and user plane encryption protection is not enabled. When the QFI in the predefined field received by the terminal device is 0, it can be determined that only signaling plane protection is enabled, user plane integrity protection is not enabled and user plane encryption protection is not enabled.
[0370] Implementation c1-1 (b2)
[0371] The integrity protection indication information and/or the encryption indication information can be represented using bit information in a predefined field in a predefined message or in a security policy. For example, the predefined field can include one bit of information.
[0372] For example, by default, user plane encryption protection is enabled and user plane integrity protection is not enabled. Then, the bit information in the predefined field is the integrity protection indication information. The bit set to 1 in the predefined field can indicate enabling user plane integrity protection. The bit set to 0 in the predefined field can indicate not enabling user plane integrity protection.
[0373] For another example, by default, user plane encryption protection is not enabled and user plane integrity protection is enabled. Then, the bit information in the predefined field is the encryption indication information. Specifically, the bit set to 1 in the predefined field can indicate enabling user plane encryption protection, and the bit set to 0 in the predefined field can indicate not enabling user plane encryption protection.
[0374] For another example, by default, user plane encryption protection is enabled and user plane integrity protection is enabled. Then, the bit information in the predefined field is both the integrity protection indication information and the encryption indication information. The bit set to 1 in the predefined field can indicate enabling user plane integrity protection and user plane encryption protection. The bit set to 0 in the predefined field can indicate that user plane integrity protection is not enabled and user plane encryption protection is not enabled.
[0375] Implementation c1-1 (b3)
[0376] The integrity protection indication information and the encryption indication information can be represented by bit information in a predefined field in a predefined message or in a security policy. For example, the predefined field can include two bits of information. One bit indicates whether user plane encryption needs to be enabled or disabled. The other bit indicates whether user plane integrity protection needs to be enabled or disabled. That is, one bit is the encryption indication information, and the other bit is the integrity protection indication information. For example, the bit corresponding to the encryption indication information in the predefined field is set to 1, indicating that user plane encryption protection is enabled. The bit corresponding to the integrity protection indication information in the predefined field is set to 1, indicating that the terminal device enables user plane integrity protection. The bit corresponding to the encryption indication information in the predefined field is set to 0, indicating that user plane encryption protection is not enabled. The bit corresponding to the integrity protection indication information in the predefined field is set to 0, indicating that the terminal device does not enable user plane integrity protection.
[0377] Implementation c1-1 (b4)
[0378] The integrity protection indication information and the encryption indication information can be represented by bit information in a predefined field in a predefined message or in a security policy. For example, the predefined field can include four bits of information. One bit in the predefined field indicates whether user plane encryption protection is enabled.
For example, the bit is set to 1, indicating that user plane encryption protection is enabled, and the bit is set to 0, indicating that user plane encryption protection is not enabled. One bit in the predefined field indicates whether the key length of user plane encryption protection is 128 bits or 256 bits. For example, the bit is set to 1, indicating that the key length of user plane encryption protection is 128 bits, and the bit is set to 0, indicating that the key length of user plane encryption protection is 256 bits. One bit in the predefined field indicates whether the key length of user plane integrity protection is 128 bits or 256 bits. The bit is set to 1, indicating that the key length of user plane integrity protection is 128 bits, that is, a 32-bit MAC value is generated. The bit is set to 0, indicating that the key length of user plane integrity protection is 256 bits, that is, a 64-bit MAC value is generated. One bit in the predefined field indicates whether user plane integrity protection is enabled. For example, the bit is set to 1, indicating that user plane integrity protection is enabled, and the bit is set to 0, indicating that user plane integrity protection is not enabled.
[0379] The integrity protection indication information and/or the encryption indication information can take the forms shown in the previous implementation c1-1 (b2), implementation c1-1 (b3) and implementation c1-1 (b4), and can be bit information. Alternatively, the integrity protection indication information and/or the encryption indication information can be referred to as switching information.
[0380] In addition, the specific content of the switching information can be combined with a specific method.
For example, if user plane encryption protection and user plane integrity protection are enabled and, in addition, it is defined in a predefined rule that user plane encryption protection is enabled by default but user plane integrity protection needs to be determined flexibly, only 1-bit indication information can be carried in a predefined field, and the 1-bit indication information is used to indicate whether user plane integrity protection needs to be enabled. In addition, if it is defined in the predefined rule that neither user plane encryption protection nor user plane integrity protection is enabled before the integrity protection indication information and the encryption indication information are received, 2-bit indication information can be carried in the predefined field, and the two bits are used respectively to indicate whether to enable user plane encryption protection and whether to enable user plane integrity protection.
[0381] Implementation c1-1 (b5)
[0382] The integrity protection indication information and/or the encryption indication information can be an identifier of an algorithm. In this case, the integrity protection indication information and/or the encryption indication information can be carried in a predefined field in a predefined message or in a security policy. In other words, the base station sends an algorithm identifier to the terminal device, the algorithm identifier is used to indicate the algorithm, and the algorithm identifier is also the integrity protection indication information and/or the encryption indication information.
[0383] In an optional implementation, the AS SMC transmitted by the base station carries, for example, EIA and EEA numbers on an LTE network, and the EIA and EEA numbers represent a selected integrity protection algorithm and a selected encryption algorithm.
The EIA and EEA numbers can be carried to represent the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information, and the signaling plane encryption indication information. For example, the EIA number indicates that integrity protection is enabled.
[0384] In another optional implementation, the algorithm identifier can be extended to four predefined fields, which are EIA-RRC, EEA-RRC, EIA-UP and EEA-UP, respectively. A selected algorithm is placed in the corresponding location to represent the current negotiation method. For example, the base station selects EIA-RRC = 3 and EEA-RRC = 2, and then the integrity protection indication information, the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information can be (EIA-RRC = 3, EEA-RRC = 2, EIA-UP = 0, EEA-UP = 0). Therefore, after receiving the information, the terminal device enables signaling plane integrity protection because EIA-RRC is not 0, enables signaling plane encryption protection because EEA-RRC is not 0, does not enable user plane integrity protection because EIA-UP is 0, and does not enable user plane encryption protection because EEA-UP is 0.
[0385] In addition, in this implementation, the algorithm identifier can indicate not only the integrity protection indication information and the encryption indication information, but also the algorithm. That is, when this embodiment is used and the algorithm identifier is sent, the algorithms (for example, a target signaling plane integrity protection algorithm, a target signaling plane encryption algorithm, a target user plane integrity protection algorithm and a target user plane encryption algorithm), the integrity protection indication information and the encryption indication information can all be indicated.
[0386] For example, EIA-RRC = 3 can additionally indicate a signaling plane integrity protection algorithm. For another example, EEA-RRC = 2 can additionally indicate a signaling plane encryption protection algorithm, and EIA-UP = 0 can additionally indicate a user plane integrity protection algorithm. For another example, EEA-UP = 0 can additionally indicate a user plane encryption protection algorithm.
[0387] In an optional implementation of the embodiment shown in Figure 2a or Figure 2b, the integrity protection indication information can be an identifier of an algorithm. For example, when the base station enables user plane integrity protection for the terminal device, the integrity protection indication information can be an identifier of the target user plane integrity protection algorithm.
[0388] Optionally, when the base station does not enable user plane integrity protection for the terminal device, the integrity protection indication information can be an identifier of a predefined user plane integrity protection algorithm or can carry no information about any integrity protection algorithm. That is, either no identifier of any integrity protection algorithm is sent, or the identifier of the predefined user plane integrity protection algorithm is sent, which means that the integrity protection indication information indicates not to enable integrity protection. For example, the identifier of the predefined user plane integrity protection algorithm is assumed to be X123. If the integrity protection indication information received by the terminal device is X123, the terminal device does not enable user plane integrity protection.
[0389] In an optional implementation of the embodiment shown in Figure 2a or Figure 2b, the base station can additionally send encryption indication information to the terminal device, where the encryption indication information is used to indicate whether the base station enables user plane encryption protection for the terminal device.
When the base station enables user plane encryption protection for the terminal device, the encryption indication information can be an identifier of an algorithm. For example, the encryption indication information is an identifier of a target user plane encryption algorithm.
[0390] Optionally, when the base station does not enable encryption protection for the terminal device, the encryption indication information can be an identifier of a predefined user plane encryption algorithm or an empty encryption algorithm. That is, either no identifier of any encryption algorithm is sent, or the empty encryption algorithm or the identifier of the predefined user plane encryption algorithm is sent, which means that the encryption indication information indicates not to enable encryption protection. For example, the identifier of the predefined user plane encryption algorithm is assumed to be X321. If the encryption protection indication information received by the terminal device is X321, the terminal device does not enable user plane encryption protection.
[0391] In another optional implementation of the embodiment shown in Figure 2, Figure 2a or Figure 2b, the base station can additionally send signaling plane integrity protection indication information to the terminal device, where the signaling plane integrity protection indication information is used to indicate whether the base station enables signaling plane integrity protection for the terminal device. When the base station enables signaling plane integrity protection for the terminal device, the signaling plane integrity protection indication information can be an identifier of an algorithm. For example, the signaling plane integrity protection indication information is an identifier of a target signaling plane integrity protection algorithm.
[0392] Optionally, when the base station does not enable signaling plane integrity protection for the terminal device, the signaling plane integrity protection indication information can be an identifier of a predefined signaling plane integrity protection algorithm or can be information that does not carry any integrity protection algorithm. For example, the identifier of the predefined signaling plane integrity protection algorithm is assumed to be X456. If the signaling plane integrity protection indication information received by the terminal device is X456, the terminal device does not enable signaling plane integrity protection.
[0393] In another optional implementation of the embodiment shown in Figure 2, Figure 2a or Figure 2b, the base station can additionally send signaling plane encryption indication information to the terminal device, where the signaling plane encryption indication information is used to indicate to the base station whether to enable signaling plane encryption protection for the terminal device. When the base station enables signaling plane encryption protection for the terminal device, the signaling plane encryption indication information can be an identifier of an algorithm. For example, the signaling plane encryption indication information is an identifier of a target signaling plane encryption algorithm.
[0394] Optionally, when the base station does not enable signaling plane encryption protection for the terminal device, the signaling plane encryption indication information can be an identifier of a predefined signaling plane encryption algorithm or an empty encryption algorithm. For example, the identifier of the predefined signaling plane encryption algorithm is assumed to be X654. If the signaling plane encryption protection indication information received by the terminal device is X654, the terminal device does not enable signaling plane encryption protection.
[0395] Implementation c1-1 (b6)
[0396] Integrity protection indication information and/or encryption indication information can be a session ID and 4-bit information in a predefined field in a predefined message or in a security policy. Therefore, the terminal device must enable the corresponding user plane security of the session ID based on the bit information. For example, the terminal device has a plurality of session IDs. Then, the user plane security solutions corresponding to the session IDs may be different. For example, one session ID corresponds to enabling user plane integrity protection and user plane encryption protection. Another session ID may correspond to not enabling user plane integrity protection and enabling user plane encryption protection.
[0397] Implementation c1-1 (b7)
[0398] Integrity protection indication information and/or encryption indication information can be a session ID and an algorithm identifier in a predefined field in a predefined message or in a security policy.
[0399] It can be learned from the previous embodiment that, in the previous implementations, the implementation corresponding to the algorithm identifier and the 4-bit information is relatively flexible, because whether user plane encryption protection is enabled and whether user plane integrity protection is enabled can both be specified. It can also be learned from the previous embodiment that a negotiated signaling plane algorithm can be reused as the bit information (that is, an algorithm applicable to the signaling plane is also applicable to the user plane; for example, the determined target signaling plane integrity protection algorithm is also used as the target user plane integrity protection algorithm, and the determined target signaling plane encryption algorithm is also used as the target user plane encryption algorithm).
In addition, the algorithm identifier can implement a difference between the signaling plane algorithm and the user plane security algorithm, for example, a difference between the signaling plane encryption algorithm and the user plane encryption algorithm, and a difference between the signaling plane integrity protection algorithm and the user plane integrity protection algorithm.
[0400] Integrity protection indication information and/or encryption indication information can be carried in an RRC reconfiguration request message and sent by the base station to the terminal device. In this case, if the current terminal device has enabled user plane encryption protection but not user plane integrity protection, and the current terminal device determines to enable user plane integrity protection, the RRC reconfiguration request message can optionally carry only the integrity protection indication information.
[0401] The base station can generate the integrity protection indication information and send it to the terminal device. In another optional implementation, after receiving the integrity protection indication information and the encryption indication information, the base station generates new indication information (the new indication information may include only the integrity protection indication information), and adds the new indication information to the RRC reconfiguration request. Because the integrity protection indication information and the encryption indication information can come from an N2 interface, and the interface can change after they are sent, the base station additionally needs to perform, based on a format in the RRC reconfiguration request message, some corresponding processing on the integrity protection indication information and/or the encryption indication information that is to be carried.
[0402] In one manner in which the base station sends the integrity protection indication information and/or the encryption indication information, the base station can directly forward the integrity protection indication information and/or the encryption indication information to the terminal device.
[0403] In another manner in which the base station sends the integrity protection indication information and/or the encryption indication information, the integrity protection indication information and/or the encryption indication information is an identifier of an algorithm. In this case, the base station can determine an identifier of a corresponding target algorithm based on the obtained integrity protection indication information (for example, received by the base station or obtained through determination by the base station) and/or the encryption indication information, and send the identifier of the corresponding target algorithm to the terminal device. For example, when enabling user plane integrity protection, the base station determines a target user plane integrity protection algorithm and sends an identifier of the target user plane integrity protection algorithm to the terminal device. Upon receiving the identifier of the target user plane integrity protection algorithm, the terminal device can enable the user plane integrity protection algorithm, and perform user plane integrity protection using the target user plane integrity protection algorithm.
[0404] Integrity protection indication information and/or encryption indication information can be carried in an RRC reconfiguration request message and sent by the base station to the terminal device. Optionally, when the integrity protection indication information and/or the encryption indication information is an algorithm identifier, the RRC message can carry the algorithm identifier.
[0405] For example, when the integrity protection indication information and/or the encryption indication information is an identifier of an algorithm, the integrity protection indication information and/or the encryption indication information can be a list of algorithms. Optionally, if an algorithm in the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information is an integrity protection algorithm and the integrity protection algorithm is not an empty algorithm, and if the base station determines that there is no intersection between a user plane integrity protection algorithm supported by the terminal device, a user plane integrity protection algorithm allowed by the base station, and the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information, the base station can select, as the target user plane integrity protection algorithm, an algorithm that belongs to the user plane integrity protection algorithm supported by the terminal device and that also belongs to the user plane integrity protection algorithm allowed by the base station. If the algorithm in the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information is an empty algorithm, the base station does not select the target user plane integrity protection algorithm, which can be understood as not enabling user plane integrity protection.
[0406] In addition, optionally, if the algorithm in the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information is an encryption algorithm, and the encryption algorithm is not an empty encryption algorithm, and if the base station determines that there is no intersection between a user plane encryption algorithm supported by the terminal device, a user plane encryption algorithm allowed by the base station, and the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information, the base station can select, as the target user plane encryption algorithm, an algorithm that belongs to the user plane encryption algorithm supported by the terminal device and that also belongs to the user plane encryption algorithm allowed by the base station. If the algorithm in the list of algorithms corresponding to the integrity protection indication information and/or encryption indication information is an empty encryption algorithm, the base station can select an empty encryption algorithm as the target user plane encryption algorithm, which can be understood as not enabling user plane encryption protection.
[0407] For another example, when the integrity protection indication information and/or the encryption indication information is an identifier of an algorithm, the integrity protection indication information and/or the encryption indication information can be a list of algorithms, and an algorithm can be selected from the list of algorithms.
If the selected algorithm is an integrity protection algorithm, and the selected integrity protection algorithm is a predefined integrity protection algorithm, optionally, before forwarding the selected integrity protection algorithm to the terminal device, the base station verifies whether the selected integrity protection algorithm belongs to a user plane integrity protection algorithm supported by the terminal device and also belongs to a user plane integrity protection algorithm allowed by the base station. If so, the selected integrity protection algorithm is sent to the terminal device as the target user plane integrity protection algorithm.
[0408] On the other hand, if the selected integrity protection algorithm does not satisfy the condition that the algorithm belongs to the user plane integrity protection algorithm supported by the terminal device and also belongs to the user plane integrity protection algorithm allowed by the base station, and the selected integrity protection algorithm is not an empty algorithm, the base station needs to select, as the target user plane integrity protection algorithm, an algorithm that belongs to a user plane integrity protection algorithm supported by the terminal device and that also belongs to a user plane integrity protection algorithm allowed by the base station, and send the target user plane integrity protection algorithm to the terminal device. If the selected integrity protection algorithm does not satisfy that condition and the selected integrity protection algorithm is an empty algorithm, the base station does not select the target user plane integrity protection algorithm, which can be understood as not enabling user plane integrity protection.
[0409] In addition, optionally, if the selected algorithm is an encryption algorithm, and the selected encryption algorithm is a predefined encryption algorithm, optionally, before forwarding the selected encryption algorithm to the terminal device, the base station verifies whether the selected encryption algorithm belongs to the user plane encryption algorithm supported by the terminal device and also belongs to the user plane encryption algorithm allowed by the base station. If so, the selected encryption algorithm is sent to the terminal device as the target user plane encryption algorithm.
[0410] On the other hand, if the selected encryption algorithm does not satisfy the condition that the algorithm belongs to the user plane encryption algorithm supported by the terminal device and also belongs to the user plane encryption algorithm allowed by the base station, and the selected encryption algorithm is not an empty algorithm, the base station needs to select, as the target user plane encryption algorithm, an algorithm that belongs to the user plane encryption algorithm supported by the terminal device and that also belongs to the user plane encryption algorithm allowed by the base station, and send the target user plane encryption algorithm to the terminal device. If the selected encryption algorithm does not satisfy that condition and the selected encryption algorithm is an empty algorithm, the base station does not select the target user plane encryption algorithm, which can be understood as not enabling user plane encryption protection.
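The selection rules of [0405] to [0408], combined with the predefined identifier X123 of [0388], can be traced end to end in code. The following Python code is an added example and not part of the patent text; the identifiers EIA0 to EIA3, the use of EIA0 as the empty algorithm, the use of the base station's priority order to break ties, and the error raised when terminal device and base station share no algorithm are assumptions of the example.

```python
from typing import List, Optional, Sequence

NULL_ALG = "EIA0"        # assumption: identifier standing for the empty algorithm
PREDEFINED_OFF = "X123"  # predefined identifier from [0388]: "do not enable"


class NoCommonAlgorithm(Exception):
    """Terminal device and base station share no non-empty algorithm.

    Assumption of this example: the page does not say what happens here, so
    the example fails closed instead of silently dropping protection.
    """


def usable_algorithms(ue_supported: Sequence[str],
                      bs_allowed: Sequence[str]) -> List[str]:
    """Algorithms supported by the terminal AND allowed by the base station.

    bs_allowed is taken to be sorted by priority, highest first, and that
    order is preserved. The empty algorithm is never a protection target.
    """
    ue = set(ue_supported)
    return [alg for alg in bs_allowed if alg in ue and alg != NULL_ALG]


def select_target(policy_algs: Sequence[str],
                  ue_supported: Sequence[str],
                  bs_allowed: Sequence[str]) -> Optional[str]:
    """Base station side: choose the target user plane integrity algorithm.

    Returns None when the policy carries no algorithm or only the empty
    algorithm, i.e. user plane integrity protection is not enabled.
    """
    if not policy_algs or all(alg == NULL_ALG for alg in policy_algs):
        return None
    usable = usable_algorithms(ue_supported, bs_allowed)
    if not usable:
        raise NoCommonAlgorithm("no algorithm both supported and allowed")
    wanted = set(policy_algs)
    for alg in usable:
        if alg in wanted:       # three-way intersection exists
            return alg
    # No three-way intersection: fall back to terminal-supported and
    # base-station-allowed, as [0405] and [0408] describe.
    return usable[0]


def build_indication(target: Optional[str]) -> str:
    """Indication sent to the terminal: target id, or the predefined id."""
    return target if target is not None else PREDEFINED_OFF


def terminal_enables(indication: Optional[str]) -> Optional[str]:
    """Terminal side: algorithm to run, or None if protection stays off."""
    if indication is None or indication in (PREDEFINED_OFF, NULL_ALG):
        return None
    return indication


if __name__ == "__main__":
    # Constructed sample capability lists, not taken from the page.
    ue = ["EIA1", "EIA2", "EIA3"]
    bs = ["EIA3", "EIA2", "EIA1"]          # base station priority order
    for policy in (["EIA2", "EIA1"], ["EIA0"], []):
        ind = build_indication(select_target(policy, ue, bs))
        print(policy, "->", ind, "-> terminal uses", terminal_enables(ind))
```

Swapping the algorithm lists and the predefined identifier (X321 on the page) gives the encryption case of [0409] and [0410]; under [0406] the base station may instead select the empty encryption algorithm itself as the target.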
[0411] In this embodiment of this application, the integrity protection indication information and/or the encryption indication information can be carried in an AS security mode command and sent to the terminal device by the base station. Optionally, signaling plane integrity protection indication information and/or signaling plane encryption indication information can also be carried in the AS security mode command and sent to the terminal device by the base station.
[0412] In an optional implementation, before the terminal device enables user plane integrity protection, the terminal device can verify integrity protection of the AS security mode command. Optionally, the base station performs integrity protection on the AS security mode command using the user plane integrity protection algorithm. Optionally, after determining, based on the security policy, that user plane integrity protection is enabled, the base station can perform integrity protection on the AS security mode command using the user plane integrity protection algorithm. Optionally, the terminal device checks, using the user plane integrity protection algorithm, whether the integrity protection on the AS security mode command is correct. For example, after discovering that user plane integrity protection is enabled, the terminal device uses the user plane integrity protection algorithm to verify whether the integrity protection on the AS security mode command is correct, and it is not excluded that the user plane integrity protection algorithm is a currently used AS signaling plane integrity protection algorithm. In addition, the base station receives an AS security mode complete message returned by the terminal device. Optionally, the base station checks the integrity protection on the AS security mode complete message using the user plane integrity protection algorithm.
Optionally, after discovering that the AS security mode complete message carries a MAC-I integrity protection parameter, the base station checks the integrity protection on the AS security mode complete message, and it is not excluded that the user plane integrity protection algorithm is a currently used AS signaling plane integrity protection algorithm. Optionally, after receiving the security mode complete message, the base station correspondingly enables user plane integrity protection (for example, the integrity protection indication information and the encryption indication information indicate to enable user plane integrity protection and not to enable user plane encryption protection, and the base station can enable user plane integrity protection, but not user plane encryption protection, after receiving the security mode complete message). In addition, optionally, after correspondingly enabling user plane integrity protection, the base station can send an RRC reconfiguration request message to the terminal device and, additionally, optionally, the terminal device returns an RRC reconfiguration completion message to the base station.
[0413] In another optional implementation, in the case of enabling user plane integrity protection, the integrity protection indication information can be carried in an AS security mode command, and then the AS security mode command is carried in an RRC reconfiguration request message and sent to the terminal device by the base station. Optionally, at least one of the encryption indication information, the signaling plane integrity protection indication information and the signaling plane encryption indication information can also be carried in an AS security mode command, and then the AS security mode command is carried in an RRC reconfiguration request message and sent to the terminal device by the base station.
[0414] Figure 3 shows an example of a schematic structural diagram of a base station according to this application.
[0415] Based on the same concept, this application provides a base station 300, configured to execute the solution according to any of the previous methods. As shown in Figure 3, base station 300 includes a processor 301, a transceiver 302, a memory 303 and a communications interface 304. Processor 301, transceiver 302, memory 303 and communications interface 304 are connected to each other using a bus 305.
[0416] The bus 305 can be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus can be classified as an address bus, a data bus, a control bus or the like. For ease of indication, the bus is indicated using only one bold line in Figure 3. However, this does not indicate that there is only one bus or only one type of bus.
[0417] Memory 303 may include a volatile memory, for example, a random access memory (RAM), and may also include a non-volatile memory, for example, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or memory 303 may include a combination of these types of memories.
[0418] Communications interface 304 may be a wired communications interface, a wireless communications interface, or a combination thereof. The wired communications interface can be, for example, an Ethernet interface. The Ethernet interface can be an optical interface, an electrical interface or a combination thereof. The wireless communications interface can be a WLAN interface.
[0419] Processor 301 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. The processor 301 may additionally include a hardware chip. The hardware chip can be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
The PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
[0420] Optionally, memory 303 can be additionally configured to store a program instruction. By invoking the program instruction stored in memory 303, processor 301 can perform one or more steps or an optional implementation in the embodiments shown in the previous solutions, so that the base station 300 implements a function of the base station in the previous methods.
[0421] Processor 301 is configured to execute the instruction stored in memory and to control transceiver 302 to perform signal reception and signal sending. When processor 301 executes the instruction stored in memory, base station 300 can be configured to perform the following solution.
[0422] Processor 301 is configured to obtain a security policy, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device; and when the integrity protection indication information indicates to the base station to enable integrity protection for the terminal device, determine a target user plane integrity protection algorithm. Transceiver 302 is configured to send the target user plane integrity protection algorithm to the terminal device. In this way, whether to enable integrity protection for the terminal device can be selected flexibly based on the security policy. In addition, the base station sends the target user plane integrity protection algorithm to the terminal device only when integrity protection is enabled for the terminal device.
On the one hand, because a user plane security algorithm is negotiated independently, flexibility to separately determine the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility to determine the target user plane integrity protection algorithm of the terminal device is enhanced.
[0423] Optionally, transceiver 302 is configured to send the target user plane integrity protection algorithm to the terminal device using Radio Resource Control (RRC) signaling. The solution provided in this embodiment of this application is implemented by reusing RRC signaling in the prior art, so that better compatibility with the prior art is implemented, and a modification to the prior art is relatively small. For a specific optional implementation, refer to the previous content; the details are not described here again.
[0424] Optionally, processor 301 is specifically configured to determine the target user plane integrity protection algorithm based on a user plane integrity protection algorithm supported by the terminal device and a user plane integrity protection algorithm allowed by the base station.
[0425] Optionally, the user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm sorted based on a priority, or the user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm sorted based on a priority.
[0426] Optionally, the security policy additionally includes a user plane integrity protection algorithm allowed by a service network.
Processor 301 is configured to determine the target user plane integrity protection algorithm based on the user plane integrity protection algorithm allowed by the base station, the user plane integrity protection algorithm supported by the terminal device, and the user plane integrity protection algorithm allowed by the service network.
[0427] Optionally, the user plane integrity protection algorithm allowed by the service network is a user plane integrity protection algorithm sorted based on a priority.
[0428] Optionally, processor 301 is additionally configured to: when the security policy additionally includes encryption indication information, and the encryption indication information is used to indicate to the base station to enable encryption protection for the terminal device, send a target user plane encryption algorithm to the terminal device using transceiver 302; or when the security policy additionally includes a key length, send the key length to the terminal device using transceiver 302; or when the security policy additionally includes DH indication information, and the DH indication information is used to indicate to the base station to enable DH for the terminal device, send a DH-related key to the terminal device using transceiver 302.
[0429] Optionally, transceiver 302 is specifically configured to receive quality of service of a current session of the terminal device from a session management function (SMF) entity, and processor 301 is additionally configured to allocate a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service.
[0430] For a specific way in which processor 301 allocates the target data radio bearer to the terminal device based on at least one of the security policy and the quality of service, see the content in the previous method embodiments. The details are not described here again.
[0431] In an optional implementation solution, processor 301 is configured to configure the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.
[0432] Optionally, transceiver 302 is configured to receive the security policy from the SMF entity; or receive a security policy identifier from the SMF entity, and obtain the security policy based on the security policy identifier.
[0433] Optionally, processor 301 is additionally configured to: obtain a signaling plane security algorithm supported by the terminal device; and determine a target signaling plane security algorithm based on the signaling plane security algorithm supported by the terminal device and a signaling plane security algorithm allowed by the base station; and transceiver 302 is further configured to add the target signaling plane security algorithm to an access stratum (AS) security mode command (SMC) and send the AS SMC to the terminal device.
[0434] Figure 4 shows an example of a schematic structural diagram of an SMF entity according to this application.
[0435] Based on the same concept, this application provides an SMF entity 400, configured to execute the solution according to any of the previous methods. As shown in Figure 4, the SMF entity 400 includes a processor 401, a transceiver 402, a memory 403 and a communications interface 404. Processor 401, transceiver 402, memory 403 and communications interface 404 are connected to each other using a bus 405.
[0436] The bus 405 can be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus can be classified as an address bus, a data bus, a control bus or the like. For ease of indication, the bus is indicated using only one bold line in Figure 4. However, this does not indicate that there is only one bus or only one type of bus.
[0437] The memory 403 can include a volatile memory, for example, a random access memory (RAM), and it can also include a non-volatile memory, for example, a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or memory 403 may include a combination of these types of memories.
[0438] The communications interface 404 can be a wired communications interface, a wireless communications interface, or a combination thereof. The wired communications interface can be, for example, an Ethernet interface. The Ethernet interface can be an optical interface, an electrical interface or a combination thereof. The wireless communications interface can be a WLAN interface.
[0439] The processor 401 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. The processor 401 may additionally include a hardware chip. The hardware chip can be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
[0440] Optionally, the memory 403 can be additionally configured to store a program instruction. By invoking the program instruction stored in memory 403, processor 401 can perform one or more steps or an optional implementation in the embodiments shown in the previous solutions, so that the SMF entity 400 implements a function of the SMF entity in the previous methods.
[0441] Processor 401 is configured to execute the instruction stored in memory and to control transceiver 402 to perform signal reception and signal sending. When processor 401 executes the instruction stored in memory, the SMF entity 400 can be configured to perform the following solution.
[0442] Transceiver 402 is configured to receive a request message, where the request message includes a parameter related to a security policy, and send the security policy or a security policy identifier to a base station. The processor 401 is configured to obtain the security policy or the security policy identifier based on the parameter related to the security policy. The security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device. On the one hand, because a user plane security algorithm is negotiated independently, flexibility to separately determine the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility to determine a target user plane integrity protection algorithm of the terminal device is enhanced.
[0443] In an optional implementation solution, the parameter related to the security policy includes at least one of an identifier of the terminal device, a data network name (DNN) of the terminal device, an identifier of a slice of the terminal device, quality of service of the terminal device, and a session identifier of the terminal device. In this way, the security policy can be formulated based on different identifiers from different perspectives or at different granularities, which is more flexible.
[0444] Optionally, the processor 401 is configured to: when the parameter related to the security policy includes the identifier of the terminal device, obtain, by the SMF entity, the security policy based on the identifier of the terminal device and an association relationship between the identifier of the terminal device and the security policy. In this way, the security policy can be determined at the granularity of the terminal device, so that different terminal devices can correspond to different security policies.
[0445] In another optional implementation, processor 401 is configured to: when the parameter related to the security policy includes the identifier of the slice of the terminal device, obtain, by the SMF entity, the security policy based on the identifier of the slice of the terminal device and an association relationship between the slice identifier and the security policy. In this way, the security policy can be determined at the granularity of a slice, so that a terminal device accessing different slices can correspond to different security policies.
[0446] In another optional implementation, processor 401 is configured to: when the parameter related to the security policy includes the session identifier of the terminal device, obtain, by the SMF entity, the security policy based on the session identifier of the terminal device and an association relationship between the session identifier and the security policy. In this way, the security policy can be determined at the granularity of a session, so that a terminal device initiating different sessions can correspond to different security policies.
[0447] In another optional implementation, the processor 401 is configured to: when the parameter related to the security policy includes the quality of service of the terminal device, obtain, by the SMF entity, the security policy based on the quality of service of the terminal device. In this way, the security policy can be determined at the granularity of the quality of service, so that a terminal device initiating different quality of service can correspond to different security policies.
[0448] Optionally, the security policy additionally includes at least one of the following: encryption indication information, where the encryption indication information is used to indicate to the base station to enable encryption protection for the terminal device; a key length; D-H indication information, where the D-H indication information is used to indicate to the base station to enable D-H for the terminal device; and a user plane integrity protection algorithm allowed by a service network. In this way, any information in the security policy can be indicated more flexibly, so that the finally determined security policy is better adapted to a complex application scenario.
[0449] Figure 5 shows an example of a schematic structural diagram of a base station according to an embodiment of this application.
[0450] Based on the same concept, this embodiment of this application provides a base station, configured to execute the solution according to any of the previous method procedures. As shown in Figure 5, the base station 500 includes a receiving unit 501, a processing unit 502 and a sending unit 503.
[0451] The processing unit 502 is configured to: obtain a security policy, where the security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device; and when the integrity protection indication information indicates to the base station to enable integrity protection for the terminal device, send a target user plane integrity protection algorithm to the terminal device using the sending unit 503. The sending unit 503 is configured to send the target user plane integrity protection algorithm to the terminal device. In this way, whether to enable integrity protection for the terminal device can be selected flexibly based on the security policy. In addition, the base station sends the target user plane integrity protection algorithm to the terminal device only when integrity protection is enabled for the terminal device. On the one hand, because a user plane security algorithm is negotiated independently, flexibility in separately determining the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility in determining the target user plane integrity protection algorithm for the terminal device is improved.
[0452] Optionally, the sending unit 503 is configured to send the target user plane integrity protection algorithm to the terminal device using Radio Resource Control (RRC) signaling. The solution provided in this embodiment of this application is implemented by reusing RRC signaling in the prior art, so that better compatibility with the prior art is achieved and the modification to the prior art is relatively small. For a specific optional implementation, refer to the previous content; the details are not described here again.
[0453] Optionally, before sending the target user plane integrity protection algorithm to the terminal device using the sending unit 503, the processing unit 502 is additionally configured to determine the target user plane integrity protection algorithm based on a user plane integrity protection algorithm supported by the terminal device and a user plane integrity protection algorithm supported by the base station.
[0454] Optionally, the user plane integrity protection algorithm allowed by the base station is a user plane integrity protection algorithm sorted by priority, or the user plane integrity protection algorithm supported by the terminal device is a user plane integrity protection algorithm sorted by priority.
[0455] Optionally, the security policy additionally includes a user plane integrity protection algorithm allowed by a service network. The processing unit 502 is configured to determine the target user plane integrity protection algorithm based on the user plane integrity protection algorithm allowed by the base station, the user plane integrity protection algorithm supported by the terminal device, and the user plane integrity protection algorithm allowed by the service network.
[0456] Optionally, the user plane integrity protection algorithm allowed by the service network is a user plane integrity protection algorithm sorted by priority.
[0457] Optionally, the processing unit 502 is additionally configured to: when the security policy additionally includes encryption indication information, and the encryption indication information is used to indicate to the base station to enable encryption protection for the terminal device, send a target user plane encryption algorithm to the terminal device using the sending unit 503; or when the security policy additionally includes a key length, send the key length to the terminal device using the sending unit 503; or when the security policy additionally includes D-H indication information, and the D-H indication information is used to indicate to the base station to enable D-H for the terminal device, send a D-H related key to the terminal device using the sending unit 503.
[0458] Optionally, before the target user plane integrity protection algorithm is sent to the terminal device using the sending unit 503, the receiving unit 501 is configured to receive quality of service of a current session of the terminal device from a session management function (SMF) entity; and the processing unit 502 is further configured to allocate a target data radio bearer to the terminal device based on at least one of the security policy and the quality of service.
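The base station behaviour described in paragraphs [0451] to [0457], together with the bit-valued indication the claims describe on the terminal side, can be sketched as follows. This is an added example, not code from the patent or from any implementation of it. The field and function names, the algorithm labels (constructed sample values), the rule that the service network's list order takes precedence when the policy carries one, and the choice to raise an error when no common algorithm exists are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class SecurityPolicy:
    """Security policy fields named in the description (field names are assumptions)."""
    integrity_indication: bool                 # integrity protection indication information
    encryption_indication: bool = False        # optional encryption indication information
    key_length: Optional[int] = None           # optional key length
    # Optional list allowed by the service network, highest priority first.
    network_allowed_integrity: Optional[Sequence[str]] = None


def first_common(priority_list: Sequence[str], *others: Sequence[str]) -> Optional[str]:
    """Return the highest-priority entry of priority_list that every other list contains."""
    for alg in priority_list:
        if all(alg in other for other in others):
            return alg
    return None


def build_up_security_config(policy, bs_int, ue_int, bs_enc=(), ue_enc=()):
    """Base station side: decide what user plane security information is sent.

    bs_int / bs_enc are the base station's allowed algorithms, highest priority
    first; ue_int / ue_enc are the algorithms the terminal device supports.
    """
    config = {
        "integrity_indication": 1 if policy.integrity_indication else 0,
        "encryption_indication": 1 if policy.encryption_indication else 0,
    }
    # The target integrity algorithm is sent only when the policy enables it.
    if policy.integrity_indication:
        if policy.network_allowed_integrity is not None:
            # Assumption: the service network's priority order wins when present.
            alg = first_common(policy.network_allowed_integrity, bs_int, ue_int)
        else:
            alg = first_common(bs_int, ue_int)
        if alg is None:
            # Assumption: fail closed rather than silently drop integrity protection.
            raise ValueError("integrity protection required but no common algorithm")
        config["up_integrity_algorithm"] = alg
    if policy.encryption_indication:
        alg = first_common(bs_enc, ue_enc)
        if alg is None:
            raise ValueError("encryption required but no common algorithm")
        config["up_encryption_algorithm"] = alg
    if policy.key_length is not None:
        config["key_length"] = policy.key_length
    return config


def terminal_enabled_protections(config):
    """Terminal device side: a protection is enabled only when its bit is 1."""
    return {
        "up_integrity": config.get("integrity_indication") == 1,
        "up_encryption": config.get("encryption_indication") == 1,
    }


if __name__ == "__main__":
    # Constructed sample capability lists, not values from the patent.
    policy = SecurityPolicy(integrity_indication=True,
                            network_allowed_integrity=["NIA3", "NIA1"])
    cfg = build_up_security_config(policy, ["NIA2", "NIA1", "NIA3"], ["NIA1", "NIA2"])
    print(cfg, terminal_enabled_protections(cfg))
```
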
[0459] The processing unit 502 is additionally configured to allocate the target data radio bearer to the terminal device based on at least one of the security policy and the quality of service. For a specific manner, refer to the content in the previous method embodiments. The details are not described here again.
[0460] In an optional implementation solution, the processing unit 502 is configured to set up the target data radio bearer for the terminal device based on at least one of the security policy and the quality of service.
[0461] Optionally, the receiving unit 501 is configured to receive the security policy from the SMF entity; or receive a security policy identifier from the SMF entity, and obtain the security policy based on the security policy identifier.
[0462] Optionally, the processing unit 502 is additionally configured to: obtain a signaling plane security algorithm supported by the terminal device; and determine a target signaling plane security algorithm based on the signaling plane security algorithm supported by the terminal device and a signaling plane security algorithm allowed by the base station; and the sending unit 503 is further configured to add the target signaling plane security algorithm to an access stratum (AS) security mode command (SMC) and send the AS SMC to the terminal device.
[0463] It should be understood that the foregoing division of units is merely a division of logical functions. In an actual implementation, all or some of the units can be integrated into one physical entity or can be physically separate. In this embodiment of this application, the receiving unit 501 and the sending unit 503 can be implemented by the transceiver 302, and the processing unit 502 can be implemented by the processor 301. As shown in Figure 3, the base station 300 can include the processor 301, the transceiver 302 and the memory 303. The memory 303 can be configured to store the code used when the processor 301 executes a solution, and the code can be a program / code pre-installed when the base station 300 is delivered from a factory.
[0464] Figure 6 shows an example of a schematic structural diagram of an SMF entity according to an embodiment of this application.
[0465] Based on the same concept, this embodiment of this application provides an SMF entity, configured to execute the solution according to any of the previous method procedures. As shown in Figure 6, an SMF entity 600 includes a receiving unit 601 and a processing unit 602. Optionally, the SMF entity 600 additionally includes a sending unit 603.
[0466] The receiving unit 601 is configured to receive a request message, where the request message includes a parameter related to a security policy, and send the security policy or a security policy identifier to a base station. The processing unit 602 is configured to obtain the security policy or the security policy identifier based on the parameter related to the security policy. The security policy includes integrity protection indication information, and the integrity protection indication information is used to indicate to the base station whether to enable integrity protection for a terminal device. On the one hand, because a user plane security algorithm is negotiated independently, flexibility in separately determining the user plane security algorithm and a signaling plane security algorithm is improved. On the other hand, because the integrity protection indication information is added, flexibility in determining a target user plane integrity protection algorithm for the terminal device is improved.
[0467] In an optional implementation solution, the parameter related to the security policy includes at least one of an identifier of the terminal device, a data network name (DNN) of the terminal device, a slice identifier of the terminal device, quality of service of the terminal device, and a session identifier of the terminal device. In this way, the security policy can be formulated based on different identifiers from different perspectives or at different granularities, which is more flexible.
[0468] Optionally, the processing unit 602 is configured to: when the parameter related to the security policy includes the identifier of the terminal device, obtain, by the SMF entity, the security policy based on the identifier of the terminal device and an association relationship between the identifier of the terminal device and the security policy. In this way, the security policy can be determined at the granularity of a terminal device, so that different terminal devices can correspond to different security policies.
[0469] In another optional implementation, the processing unit 602 is configured to: when the parameter related to the security policy includes the slice identifier of the terminal device, obtain, by the SMF entity, the security policy based on the slice identifier of the terminal device and an association relationship between the slice identifier and the security policy. In this way, the security policy can be determined at the granularity of a slice, so that a terminal device accessing different slices can correspond to different security policies.
[0470] In another optional implementation, the processing unit 602 is configured to: when the parameter related to the security policy includes the session identifier of the terminal device, obtain, by the SMF entity, the security policy based on the session identifier of the terminal device and an association relationship between the session identifier and the security policy. In this way, the security policy can be determined at the granularity of a session, so that a terminal device initiating different sessions can correspond to different security policies.
[0471] In another optional implementation, the processing unit 602 is configured to: when the parameter related to the security policy includes the quality of service of the terminal device, obtain, by the SMF entity, the security policy based on the quality of service of the terminal device. In this way, the security policy can be determined at the granularity of quality of service, so that a terminal device initiating different quality of service can correspond to different security policies.
[0472] Optionally, the security policy additionally includes at least one of the following: encryption indication information, where the encryption indication information is used to indicate to the base station to enable encryption protection for the terminal device; a key length; D-H indication information, where the D-H indication information is used to indicate to the base station to enable D-H for the terminal device; and a user plane integrity protection algorithm allowed by a service network. In this way, any information in the security policy can be indicated more flexibly, so that the finally determined security policy is better adapted to a complex application scenario.
[0473] It should be understood that the foregoing division of units is merely a division of logical functions. In an actual implementation, all or some of the units can be integrated into one physical entity or can be physically separate. In this embodiment of this application, the receiving unit 601 and the sending unit 603 can be implemented by the transceiver 402, and the processing unit 602 can be implemented by the processor 401. As shown in Figure 4, the SMF entity 400 can include the processor 401, the transceiver 402 and the memory 403. The memory 403 can be configured to store the code used when the processor 401 executes a solution, and the code can be a program / code pre-installed when the SMF entity 400 is delivered from a factory.
[0474] In the previous embodiments, all or some of the functions can be implemented using software, hardware, firmware or any combination thereof. When implemented using a software program, all or some of the functions can be implemented in the form of a computer program product. The computer program product includes one or more instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are generated in whole or in part. The computer can be a general purpose computer, a dedicated computer, a computer network, or another programmable device. The instructions can be stored on a computer storage medium or can be transmitted from one computer storage medium to another computer storage medium. For example, the instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center in a wired manner (for example, a coaxial cable, an optical fiber or a digital subscriber line (DSL)) or a wireless manner (for example, infrared, radio or microwave). The computer storage medium can be any usable medium accessible to a computer, or a data storage device, such as a server or data center, integrating one or more usable media. The usable medium can be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape or a magneto-optical (MO) disc), an optical medium (for example, a CD, a DVD, a BD or an HVD), a semiconductor medium (for example, a ROM, an EPROM, an EEPROM, a non-volatile memory (NAND FLASH), or a solid state disk (Solid State Disk, SSD)) or the like.
[0475] A person skilled in the art should understand that the embodiments of this application can be provided as a method, a system, or a computer program product. Therefore, the embodiments of this application may take the form of hardware-only embodiments, software-only embodiments or embodiments combining software and hardware. In addition, the embodiments of this application may take the form of a computer program product that is implemented on one or more computer-usable storage media (including, but not limited to, a disk memory, a CD-ROM, an optical memory and the like) that include computer-usable program code.
[0476] The embodiments of this application are described with reference to the flowcharts and / or block diagrams of the method, the device (system) and the computer program product according to the embodiments of this application. It should be understood that instructions can be used to implement each process and / or each block in the flowcharts and / or block diagrams, and a combination of a process and / or a block in the flowcharts and / or block diagrams. These instructions can be provided to a general purpose computer, a dedicated computer, an embedded processor, or a processor of any other programmable data processing device to produce a machine, so that the instructions executed by the computer or by the processor of any other programmable data processing device produce an apparatus for implementing a function specified in one or more processes in the flowcharts and / or in one or more blocks in the block diagrams.
[0477] These instructions can be stored in a computer-readable memory that can instruct the computer or any other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an artifact that includes an instruction apparatus. The instruction apparatus implements a function specified in one or more processes in the flowcharts and / or in one or more blocks in the block diagrams.
[0478] These instructions can be loaded onto a computer or another programmable data processing device, so that a series of operations and steps are performed on the computer or on the other programmable device, thereby producing computer-implemented processing. Therefore, the instructions executed on the computer or on the other programmable device provide steps for implementing a function specified in one or more processes in the flowcharts and / or in one or more blocks in the block diagrams.
[0479] Obviously, a person skilled in the art can make various modifications and variations to the embodiments of this application without departing from the spirit and scope of this application. This application is intended to cover these modifications and variations, provided that they fall within the scope of protection defined by the following claims and their equivalent technologies.
Claims:
Claims (18)
[0001] Communication method, CHARACTERIZED by the fact that it comprises: enabling, by a terminal device, signaling plane protection after receiving an access stratum (AS) security mode command (SMC) from a base station; receiving, by the terminal device, a Radio Resource Control (RRC) reconfiguration message from the base station; enabling, by the terminal device, user plane integrity protection when the RRC reconfiguration message includes integrity protection indication information and the integrity protection indication information is configured to indicate enabling user plane integrity protection.
[0002] Method, according to claim 1, CHARACTERIZED by the fact that the enabling, by the terminal device, of user plane integrity protection comprises: generating, by the terminal device, a user plane integrity protection key based on an integrity protection algorithm included in the AS SMC; and performing, by the terminal device, user plane integrity protection using the user plane integrity protection key.
[0003] Method, according to claim 1, CHARACTERIZED by the fact that the enabling, by a terminal device, of signaling plane protection comprises: generating, by the terminal device, signaling plane keys; performing, by the terminal device, signaling plane protection using the signaling plane keys; and generating, by the terminal device, a user plane integrity protection key; in which the enabling, by the terminal device, of user plane integrity protection comprises: performing, by the terminal device, user plane integrity protection using the user plane integrity protection key.
[0004] Method, according to any one of claims 1 to 3, CHARACTERIZED by the fact that the integrity protection indication information is expressed by a bit, and the integrity protection indication information indicates enabling user plane integrity protection when the bit value is 1.
[0005] Method, according to claim 1, CHARACTERIZED by the fact that it additionally comprises: enabling, by the terminal device, user plane encryption protection when the RRC reconfiguration message includes encryption protection indication information and the encryption protection indication information is configured to indicate enabling user plane encryption protection.
[0006] Method, according to claim 5, CHARACTERIZED by the fact that the enabling, by a terminal device, of signaling plane protection comprises: generating, by the terminal device, signaling plane keys; performing, by the terminal device, signaling plane protection using the signaling plane keys; and generating, by the terminal device, a user plane encryption protection key; in which the enabling, by the terminal device, of user plane encryption protection comprises: performing, by the terminal device, user plane encryption protection using the user plane encryption protection key.
[0007] Method, according to claim 5, CHARACTERIZED by the fact that the enabling, by the terminal device, of user plane encryption protection comprises: generating, by the terminal device, a user plane encryption protection key based on an encryption protection algorithm included in the AS SMC; and performing, by the terminal device, user plane encryption protection using the user plane encryption protection key.
[0008] Method, according to any one of claims 5 to 7, CHARACTERIZED by the fact that the encryption protection indication information is expressed by a bit, and the encryption protection indication information indicates enabling user plane encryption protection when the bit value is 1.
[0009] Method, according to any one of claims 1 to 8, CHARACTERIZED by the fact that after the step of enabling, by a terminal device, signaling plane protection, the method additionally comprises: sending, by the terminal device, an AS security mode command complete message to the base station.
[0010] Terminal device, CHARACTERIZED by the fact that it comprises a transceiver and a processor; the processor is configured to enable signaling plane protection after receiving an access stratum (AS) security mode command (SMC) from a base station; the transceiver is configured to receive a Radio Resource Control (RRC) reconfiguration message from the base station; the processor is additionally configured to enable user plane integrity protection when the RRC reconfiguration message includes integrity protection indication information and the integrity protection indication information is configured to indicate enabling user plane integrity protection.
[0011] Terminal device, according to claim 10, CHARACTERIZED by the fact that the processor is configured to: generate a user plane integrity protection key based on an integrity protection algorithm included in the AS SMC; and perform user plane integrity protection using the user plane integrity protection key.
[0012] Terminal device, according to claim 11, CHARACTERIZED by the fact that the processor is configured to: generate signaling plane keys; perform signaling plane protection using the signaling plane keys; generate a user plane integrity protection key; and perform user plane integrity protection using the user plane integrity protection key.
[0013] Terminal device, according to any one of claims 10 to 12, CHARACTERIZED by the fact that the integrity protection indication information is expressed by a bit, and the integrity protection indication information indicates enabling user plane integrity protection when the bit value is 1.
[0014] Terminal device, according to claim 10, CHARACTERIZED by the fact that the processor is configured to: enable user plane encryption protection when the RRC reconfiguration message includes encryption protection indication information and the encryption protection indication information is configured to indicate enabling user plane encryption protection.
[0015] Terminal device, according to claim 14, CHARACTERIZED by the fact that the processor is configured to: generate signaling plane keys; perform signaling plane protection using the signaling plane keys; generate a user plane encryption protection key; and perform user plane encryption protection using the user plane encryption protection key.
[0016] Terminal device, according to claim 14, CHARACTERIZED by the fact that the processor is configured to: generate a user plane encryption protection key based on an encryption protection algorithm included in the AS SMC; and perform user plane encryption protection using the user plane encryption protection key.
[0017] Terminal device, according to any one of claims 14 to 16, CHARACTERIZED by the fact that the encryption protection indication information is expressed by a bit, and the encryption protection indication information indicates enabling user plane encryption protection when the bit value is 1.
[0018] Terminal device, according to any one of claims 10 to 17, CHARACTERIZED by the fact that the processor is configured to: send an AS security mode command complete message to the base station.
Legal status:
2021-03-09 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2021-04-06 | B16A | Patent or certificate of addition of invention granted [chapter 16.1 patent gazette] | Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 31/07/2017, SUBJECT TO THE LEGAL CONDITIONS.
Priority:
Application No. | Filing date | Patent title
CNPCT/CN2017/083362|2017-05-05| PCT/CN2017/083362|WO2018201506A1|2017-05-05|2017-05-05|Communication method and related device| PCT/CN2017/095348|WO2018201630A1|2017-05-05|2017-07-31|Communication method and related apparatus|BR122020023465-2A| BR122020023465B1|2017-05-05|2017-07-31|COMMUNICATION SYSTEM, METHOD, SESSION MANAGEMENT FUNCTION ENTITY, BASE STATION, TERMINAL DEVICE AND COMPUTER-READABLE STORAGE MEDIA|