CN109819492B - Method and device for determining safety capability - Google Patents

Method and device for determining security capability

Info

Publication number
CN109819492B
Authority
CN
China
Prior art keywords
base station
message
security capability
terminal
capability
Legal status
Active
Application number
CN201711159236.XA
Other languages
Chinese (zh)
Other versions
CN109819492A (en)
Inventor
潘凯
李赫
陈中平
陈璟
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201711159236.XA
Priority to PCT/CN2018/116492 (WO2019096329A1)
Publication of CN109819492A
Application granted
Publication of CN109819492B
Legal status: Active

Classifications

    • H04W36/08 (Hand-off or reselection arrangements; reselecting an access point)
    • H04W12/00 (Security arrangements; authentication; protecting privacy or anonymity)
    • H04W88/06 (Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This application provides a method and a device for determining a security capability. It relates to the field of wireless communication and addresses a problem of the prior art: while a terminal is being handed over between serving base stations, the primary base station cannot obtain the security capability that is used between the terminal and the secondary base station. The method comprises: a first base station sends a first message to a terminal through a second base station, where the first message includes a first indication that instructs the terminal to report a first security capability supported by the terminal, and the first message instructs the terminal to be handed over from the second base station to the first base station; the first base station receives from the terminal a second message that is used to determine the first security capability; and the first base station determines the first security capability based on the second message. The method can be used to obtain the first security capability while the terminal is being handed over between serving base stations.

Description

Method and device for determining security capability
Technical Field
The embodiments of the present invention relate to the field of wireless communication, and in particular to a method and a device for determining a security capability.
Background
Dual Connectivity (DC) is a technique in which a terminal is connected to two base stations simultaneously, one acting as the primary base station and the other as the secondary base station, and receives downlink data from both. Compared with the downlink data rate a terminal can achieve under a single base station, DC greatly increases the receiving rate.
Because 5G is deployed gradually, in a 5G communication system the primary base station of the two base stations accessed by a terminal may be a fourth generation (4G) base station and the secondary base station a fifth generation (5G) base station, with both base stations connected to a Mobility Management Entity (MME) of the Evolved Packet Core (EPC) of Long Term Evolution (LTE). In general, the security capabilities used between a terminal and base stations of different systems differ: a 4G security capability is used between the terminal and a 4G base station, and a 5G security capability between the terminal and a 5G base station. The 4G security capability may be the set of 4G security algorithms supported by the terminal, and the 5G security capability the set of 5G security algorithms supported by the terminal. In this scenario, after the terminal has connected to the primary base station, the primary base station must pass the 5G security capability to the secondary base station so that the terminal and the secondary base station can establish a connection and form the DC.
The primary base station usually obtains the 5G security capability from the MME, so the MME must be upgraded to recognize the 5G security capability. During the evolution of a mobile network, however, not every MME is upgraded, and an MME that has not been upgraded may be unable to recognize the 5G security capability. When a terminal performs a connected-state handover that involves an MME change, the source MME (the MME reached through the source base station before the handover) must transfer the terminal's 4G and 5G security capabilities to the target MME (the MME reached through the primary base station after the handover); but a source MME that has not been upgraded cannot recognize the 5G security capability and therefore generally cannot transfer it to the target MME. At present, after a connected-state handover involving an MME change is complete, the terminal may report the 5G security capability to the primary base station through a Tracking Area Update (TAU) procedure, so that the primary base station obtains it; specifically, the terminal may carry both the 4G security capability and the 5G security capability in the TAU request message.
In the prior art, therefore, the primary base station can obtain the 5G security capability used between the secondary base station and the terminal only through the TAU procedure after the handover is complete. The connection between the secondary base station and the terminal can consequently be established only after the handover, which makes dual connectivity slow to establish.
Disclosure of Invention
This application provides a method and a device for determining a security capability, to solve the prior-art problem that a primary base station cannot obtain the security capability used between a terminal and a secondary base station while the terminal is being handed over between serving base stations.
In a first aspect, an embodiment of the present invention provides a method for determining a security capability, including: a first base station sends a first message to a terminal through a second base station, where the first message includes a first indication, the first indication instructs the terminal to report a first security capability supported by the terminal, and the first message instructs the terminal to be handed over from the second base station to the first base station; the first base station receives a second message from the terminal, where the second message is used to determine the first security capability; and the first base station determines the first security capability based on the second message.
Because the first base station carries the first indication in the handover message relayed through the second base station and receives the second message from the terminal, two cases are covered. When the first base station does not hold the first security capability, it can obtain it from the terminal and then send it to a third base station, so that the terminal can subsequently establish dual connectivity with the third base station using the first security capability. When the first base station already holds a security capability, it can first establish the dual connectivity based on that capability and then determine, from the first security capability sent by the terminal, whether the capability it holds has been tampered with; if the first base station determines from the first security capability that the capability has not been tampered with, the dual connectivity already established need not be modified. In either case the dual connectivity can be established during the handover of the terminal to the first base station.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the second message is a handover complete message that includes the first security capability, and determining the first security capability by the first base station according to the second message includes: the first base station determines the first security capability from the handover complete message. In this case the first base station obtains the first security capability during the handover of the terminal, which is earlier than in the prior art, where a TAU procedure is required after the handover, so establishment of the dual connectivity is brought forward.
With reference to the first aspect or the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, before the first base station sends the first message to the terminal through the second base station, the method further includes: the first base station receives, from a first management entity, a third message instructing the first base station to acquire the first security capability; and the first base station determines the first indication according to the third message.
With reference to any one of the first aspect to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the third message includes identification information indicating that the first security capability is to be acquired, and determining the first indication by the first base station according to the third message includes: the first base station uses the identification information as the first indication; or the first base station generates the first indication based on the identification information.
With reference to any one of the first aspect to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, before the first base station sends the first message to the terminal through the second base station, the method further includes: the first base station receives a fourth message from the first management entity, where the fourth message includes a second security capability; and the first base station sends the second security capability to a third base station, where the second security capability is used to establish a connection between the terminal and the third base station. Because the first base station sends the second security capability to the third base station first, the terminal can first establish a connection with the third base station using the second security capability, and the dual connectivity can then be established during the handover on the basis of that connection.
With reference to any one of the first aspect to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, after the first base station determines the first security capability according to the second message, the method further includes: if the second security capability is inconsistent with the first security capability, the first base station sends a fifth message to the third base station, where the fifth message includes the first security capability.
With reference to any one of the first aspect to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, determining the first security capability by the first base station according to the second message includes: the first base station determines, according to the first indication, the second security capability to be the first security capability.
With reference to any one of the first aspect to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the first indication is the second security capability, the second message includes the first security capability, and determining the first security capability by the first base station according to the second message includes: the first base station determines the first security capability from the second message.
In a second aspect, this application provides a method for determining a security capability, including: a terminal receives a first message, where the first message includes a first indication, the first indication instructs the terminal to report a first security capability supported by the terminal, and the first message instructs the terminal to be handed over from a second base station to a first base station; and the terminal sends a second message to the first base station according to the first indication, where the second message instructs the first base station to determine the first security capability.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the second message is a handover complete message, and the handover complete message includes the first security capability.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the first indication is a second security capability, where the second security capability is used to establish a connection between the terminal and a third base station, and sending the second message to the first base station by the terminal according to the first indication includes: if the second security capability is inconsistent with the first security capability, the terminal sends the second message to the first base station, where the second message includes the first security capability.
With reference to any one of the second aspect to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, sending the second message to the first base station by the terminal according to the first indication includes: if the second security capability is consistent with the first security capability, the terminal sends the second message to the first base station, where the second message specifically indicates that the second security capability is to be determined as the first security capability.
With reference to any one of the second aspect to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the method further includes: the terminal sends the first security capability to the third base station during the random access procedure by which it accesses the third base station.
With reference to any one of the second aspect to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the first security capability relates to a next-generation system, and the method further includes: the terminal receives a broadcast message; the terminal determines from the broadcast message that no next-generation-system service exists in the area where the terminal is located; and the terminal sends a third message to the second base station, where the third message does not include the first security capability.
Accordingly, in a third aspect, this application provides a device for determining a security capability, which can implement the method described in the first aspect or any possible implementation manner of the first aspect. For example, the device may be a base station or a chip disposed in a base station, and may be implemented by software, by hardware, or by hardware executing the corresponding software.
In one design, the base station includes: a sending unit, configured to send a first message to a terminal through a second base station, where the first message includes a first indication, the first indication instructs the terminal to report a first security capability supported by the terminal, and the first message instructs the terminal to be handed over from the second base station to the first base station; a receiving unit, configured to receive a second message from the terminal, where the second message is used to determine the first security capability; and a determining unit, configured to determine the first security capability according to the second message.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the second message is a handover complete message that includes the first security capability, and the determining unit is configured to determine the first security capability from the handover complete message.
With reference to the third aspect or the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the receiving unit is further configured to receive a third message from a first management entity, where the third message instructs the first base station to acquire the first security capability; and the determining unit is specifically configured to determine the first indication according to the third message.
With reference to any one of the third aspect to the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, the third message includes identification information indicating that the first security capability is to be acquired, and the determining unit is configured to use the identification information as the first indication, or to generate the first indication based on the identification information.
With reference to any one of the third aspect to the fourth possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, the receiving unit is further configured to receive a fourth message from the first management entity, where the fourth message includes a second security capability; and the sending unit is further configured to send the second security capability to a third base station, where the second security capability is used to establish a connection between the terminal and the third base station.
With reference to any one of the third aspect to the fifth possible implementation manner of the third aspect, in a sixth possible implementation manner of the third aspect, the sending unit is further configured to send a fifth message to the third base station when the determining unit determines that the second security capability is inconsistent with the first security capability, where the fifth message includes the first security capability.
With reference to any one of the third aspect to the sixth possible implementation manner of the third aspect, in a seventh possible implementation manner of the third aspect, the first indication is the second security capability, and the determining unit is specifically configured to determine, according to the first indication, the second security capability to be the first security capability.
With reference to any one of the third aspect to the seventh possible implementation manner of the third aspect, in an eighth possible implementation manner of the third aspect, the first indication is the second security capability, the second message includes the first security capability, and the determining unit is specifically configured to determine the first security capability from the second message.
In a fourth aspect, the device for determining a security capability may include at least one processor and a communication interface. The processor is configured to support the device in performing the message-processing or control operations performed on the device side in the method described in the first aspect or any possible implementation manner of the first aspect. The communication interface may be a transceiver circuit or another communication interface, and is used to support communication between the device and other network elements (for example, a core network device or a second base station); the transceiver circuit supports the device in performing the message reception and transmission operations on the device side in that method. The memory, the transceiver and the at least one processor are interconnected by lines. Optionally, the memory is coupled to the at least one processor and stores the programs (instructions) and data required by the device for determining a security capability.
In a fifth aspect, this application provides a device for determining a security capability, which can implement the method described in the second aspect or any possible implementation manner of the second aspect. For example, the device may be a terminal or a chip disposed in a terminal, and may be implemented by software, by hardware, or by hardware executing the corresponding software.
The device includes: a receiving unit, configured to receive a first message, where the first message includes a first indication, the first indication instructs the terminal to report a first security capability supported by the terminal, and the first message instructs the terminal to be handed over from a second base station to a first base station; and a sending unit, configured to send a second message to the first base station according to the first indication, where the second message instructs the first base station to determine the first security capability.
With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect, the second message is a handover complete message, and the handover complete message includes the first security capability.
With reference to the fifth aspect or the first possible implementation manner of the fifth aspect, in a second possible implementation manner of the fifth aspect, the first indication is a second security capability used to establish a connection between the terminal and a third base station; the terminal further includes a determining unit, and the sending unit is configured to send the second message to the first base station when the determining unit determines that the second security capability is inconsistent with the first security capability, where the second message includes the first security capability.
With reference to any one of the fifth aspect to the second possible implementation manner of the fifth aspect, in a third possible implementation manner of the fifth aspect, the first indication is a second security capability used to establish a connection between the terminal and a third base station, and the sending unit is further configured to send the second message to the first base station when the determining unit determines that the second security capability is consistent with the first security capability, where the second message specifically indicates that the second security capability is to be determined as the first security capability.
With reference to any one of the fifth aspect to the third possible implementation manner of the fifth aspect, in a fourth possible implementation manner of the fifth aspect, the sending unit is further configured to send the first security capability to the third base station during the random access procedure with the third base station.
With reference to any one of the fifth aspect to the fourth possible implementation manner of the fifth aspect, in a fifth possible implementation manner of the fifth aspect, the receiving unit is further configured to receive a broadcast message; and the sending unit is further configured to send a third message to the second base station when the determining unit determines from the broadcast message that no 5G service exists in the area where the terminal is located, where the third message does not include the first security capability.
In yet another aspect, the device for determining a security capability may include at least one processor and a communication interface. The processor is configured to support the device in performing the message-processing or control operations performed on the device side in the method described in the second aspect or any possible implementation manner of the second aspect. The communication interface may be a transceiver circuit or another communication interface, and is used to support communication between the device and other network elements (for example, a core network device or a first base station); the transceiver circuit supports the device in performing the message reception and transmission operations on the device side in that method. The memory, the transceiver and the at least one processor are interconnected by lines. Optionally, the memory is coupled to the at least one processor and stores the programs (instructions) and data required by the device for determining a security capability.
In a sixth aspect, an embodiment of the present invention provides a method for determining a security capability, including: a first management entity receives a first message sent by a second management entity, where the first message includes a first identifier and the first identifier indicates that the terminal is subscribed to a first mode; and the first management entity sends a second message to a first base station according to the first message, where the second message instructs the first base station to acquire a first security capability, and the first base station is the base station accessed by the terminal after the handover.
With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect, sending the second message to the first base station by the first management entity according to the first message includes: the first management entity determines, according to the first identifier, that the first message does not include the first security capability, and then sends the second message to the first base station.
With reference to the sixth aspect or the first possible implementation manner of the sixth aspect, in a second possible implementation manner of the sixth aspect, the first management entity determines, according to the first identifier, that the first message includes the first security capability, and the second message includes a second indication and a third indication, where the second indication instructs the first base station to acquire the first security capability, and the third indication instructs the first base station to determine whether the first security capability it acquires is consistent with the first security capability it already holds.
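The exchange described in the first, second and sixth aspects above, as an added example that is not part of the patent text or of any Huawei implementation: a Python model in which the target MME (first management entity) decides whether the target base station (first base station) must acquire the 5G capability from the terminal and whether to verify it against the copy received from the source MME, the target base station chooses the first indication for the handover command, the terminal answers in the handover complete message, and the target base station forwards a corrected capability to the secondary (third) base station only when the two copies differ. The message fields, the frozenset of algorithm names and the `ACQUIRE`/`VERIFY` flags are assumptions made for the illustration, not identifiers from the patent or from 3GPP.

```python
"""Added example, not code from the patent: a minimal model of the handover-time
security-capability exchange among the target MME (first management entity), the
target base station (first base station), the terminal and the secondary base
station (third base station). Field names and algorithm names are placeholders."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

# Constructed sample capability set; the identifiers are placeholders and are not
# claimed to match any standard's algorithm numbering.
UE_5G_CAP: FrozenSet[str] = frozenset({"NEA1", "NEA2", "NIA1", "NIA2"})

ACQUIRE = "acquire"  # second indication: fetch the first security capability from the terminal
VERIFY = "verify"    # third indication: compare it with the copy the base station already holds

Cap = Optional[FrozenSet[str]]
# First indication in the handover command: None (no report requested), True (plain
# "report your capability" flag) or a capability set (the second security capability).
Indication = Union[None, bool, FrozenSet[str]]


@dataclass(frozen=True)
class ForwardRelocation:
    """First message of the sixth aspect: source MME -> target MME."""
    subscribed_5g: bool  # first identifier: the terminal is subscribed to the 5G mode
    cap_5g: Cap = None   # absent when the source MME was not upgraded


def target_mme_decide(msg: ForwardRelocation) -> tuple:
    """Sixth aspect: returns (indications, second security capability) for the target base station."""
    if not msg.subscribed_5g:
        return frozenset(), None
    if msg.cap_5g is None:                              # first implementation: nothing to forward
        return frozenset({ACQUIRE}), None
    return frozenset({ACQUIRE, VERIFY}), msg.cap_5g     # second implementation: forward and verify


class Terminal:
    """Second aspect: the handset side."""

    def __init__(self, cap_5g: FrozenSet[str], nr_service_in_area: bool = True) -> None:
        self.cap_5g = cap_5g
        self.nr_service_in_area = nr_service_in_area

    def capability_for_source_network(self) -> Cap:
        """Fifth implementation of the second aspect: omit the 5G capability towards the
        second (source) base station when the broadcast shows no 5G service in the area."""
        return self.cap_5g if self.nr_service_in_area else None

    def handover_complete(self, first_indication: Indication) -> dict:
        """Build the second message from the first indication carried in the handover command."""
        if first_indication is None:
            return {"cap_5g": None, "confirm": False}
        if first_indication is True:                    # plain report flag: send the full capability
            return {"cap_5g": self.cap_5g, "confirm": False}
        if first_indication == self.cap_5g:             # third implementation: consistent, confirm only
            return {"cap_5g": None, "confirm": True}
        return {"cap_5g": self.cap_5g, "confirm": False}  # second implementation: mismatch, report


class TargetBaseStation:
    """First aspect: the base station the terminal is handed over to."""

    def __init__(self) -> None:
        self.cap_5g: Cap = None                  # second security capability, if the MME had one
        self.indications: FrozenSet[str] = frozenset()
        self.sent_to_secondary: list = []        # capabilities forwarded to the third base station

    def on_mme_message(self, indications: FrozenSet[str], cap_5g: Cap) -> None:
        self.indications, self.cap_5g = indications, cap_5g
        if cap_5g is not None:                   # fifth implementation: forward early so DC can start
            self.sent_to_secondary.append(cap_5g)

    def handover_command(self) -> Indication:
        """Pick the first indication for the first message (relayed through the source base station)."""
        if ACQUIRE not in self.indications:
            return None
        if VERIFY in self.indications and self.cap_5g is not None:
            return self.cap_5g                   # eighth implementation: the indication is the capability
        return True                              # fourth implementation: a flag generated from the MME's indication

    def on_handover_complete(self, second_message: dict) -> Cap:
        """Determine the first security capability and correct the secondary if its copy was wrong."""
        first_cap = self.cap_5g if second_message["confirm"] else second_message["cap_5g"]
        if first_cap is not None and first_cap != self.cap_5g:
            self.cap_5g = first_cap              # sixth implementation: fifth message to the third base station
            self.sent_to_secondary.append(first_cap)
        return first_cap


def run_handover(relocation: ForwardRelocation, terminal: Terminal) -> tuple:
    """Drive one handover end to end; returns (capability determined, messages sent to the secondary)."""
    bs = TargetBaseStation()
    bs.on_mme_message(*target_mme_decide(relocation))
    reply = terminal.handover_complete(bs.handover_command())
    return bs.on_handover_complete(reply), bs.sent_to_secondary
```

Running `run_handover(ForwardRelocation(True, None), Terminal(UE_5G_CAP))` models a source MME that was never upgraded: the target base station holds nothing, asks with a plain flag, and forwards the terminal's capability to the secondary exactly once. With a reduced copy in the relocation message, say `frozenset({"NEA1", "NIA1"})`, the secondary first receives that copy so dual connectivity can start during the handover, and then receives the terminal's full set as the correction. The comparison in `on_handover_complete` is only a consistency check: it detects that the MME's copy differs from what the terminal reports, but it trusts the terminal's report. That report is worth trusting only because the handover complete message is sent after access-stratum security with the target cell is active and is therefore integrity protected; an unprotected report would let the same attacker that altered the copy in the core alter the terminal's answer too.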
In a seventh aspect, the present application provides a computer-readable storage medium, which when applied in a base station, has instructions stored therein, and when the instructions are executed on a computer, the instructions cause the computer to perform the method for determining the safety capability described in any one of the first aspect to the first aspect.
In an eighth aspect, the present application provides a computer-readable storage medium, which, when applied to a terminal, stores instructions that, when executed on a computer, cause the computer to perform the method for determining the security capability described in any one of the second to the third aspects.
In a ninth aspect, the present application provides a chip system, which is applied in a base station, and the chip system includes at least one processor and an interface circuit, where the interface circuit and the at least one processor are interconnected by a line, and the processor is configured to execute instructions stored in the chip system to perform the method for determining the safety capability described in any one of the first aspect to the first aspect.
In a tenth aspect, the present application provides a chip system, which is applied in a terminal, and the chip system includes at least one processor and an interface circuit, where the interface circuit and the at least one processor are interconnected by a line, and the processor is configured to execute instructions stored in the chip system to perform a method for determining a security capability according to any one of the second aspect to the second aspect.
Optionally, the chip system in the present application further includes the at least one memory, and the at least one memory stores instructions therein.
In an eleventh aspect, the present application provides a computer program product comprising instructions stored thereon, which when run on a base station, cause the base station to perform the method of determining the safety capability as described in the first aspect or any one of the possible designs of the first aspect.
In a twelfth aspect, the present application provides a computer program product comprising instructions stored therein, which, when run on a terminal, cause the terminal to perform the method for determining the security capability as described in the second aspect or any one of the possible designs of the second aspect.
In a thirteenth aspect, the present application provides a communication system comprising a base station as described in the third aspect above, and at least one terminal as described in the fourth aspect.
In a possible design, the system may further include other devices interacting with the base station, the terminal, or the core network device in the scheme provided in the embodiment of the present invention.
Drawings
Fig. 1 is a schematic diagram of a communication system architecture according to an embodiment of the present invention;
Fig. 2 is a schematic communication diagram for determining a security capability according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of another communication for determining a security capability according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of another communication for determining a security capability according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a communication for determining a security capability according to an embodiment of the present invention;
Fig. 6 is a first schematic flowchart of a method for determining a security capability according to an embodiment of the present invention;
Fig. 7 is a second schematic flowchart of a method for determining a security capability according to an embodiment of the present invention;
Fig. 8 is a third schematic flowchart of a method for determining a security capability according to an embodiment of the present invention;
Fig. 9 is a fourth schematic flowchart of a method for determining a security capability according to an embodiment of the present invention;
Fig. 10 is a first schematic structural diagram of a base station according to an embodiment of the present invention;
Fig. 11 is a second schematic structural diagram of a base station according to an embodiment of the present invention;
Fig. 12 is a third schematic structural diagram of a base station according to an embodiment of the present invention;
Fig. 13 is a first schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 14 is a second schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 15 is a third schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 16 is a schematic structural diagram of a chip system according to an embodiment of the present invention.
Detailed Description
The terms "first", "second", and the like in the present application are only for distinguishing different objects, and do not limit the order thereof. For example, the first base station and the second base station are only used for distinguishing different base stations, and the sequence order of the first base station and the second base station is not limited.
The term "and/or" in this application only describes an association relationship between associated objects and means that there may be three kinds of relationships; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" in this application generally indicates that the former and latter associated objects are in an "or" relationship.
It is noted that, in the present application, words such as "exemplary" or "for example" are used to mean exemplary, illustrative, or descriptive. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
Fig. 1 is a schematic diagram of a communication system architecture to which the method for obtaining a security capability provided by the present application is applied. As shown in fig. 1, the system includes a first core network control plane entity 100, a second core network control plane entity 500, at least one main base station 200 connected to the first core network control plane entity 100 (only one main base station is shown in fig. 1), at least one secondary base station 300 connected to the main base station 200 (only one secondary base station is shown in fig. 1), and one or more terminals 400 communicating with the main base station 200 and the secondary base station 300. There is a control plane connection between the first core network control plane entity 100 and the at least one main base station 200. The main base station may be a 4G base station, i.e., an evolved NodeB (eNB), denoted Master eNB or MeNB; the secondary base station may be a 5G base station, denoted secondary gNB or SgNB.
The source base station 600 refers to a base station that the terminal 400 accesses before switching to the main base station 200.
The main base station 200 refers to a base station to which the terminal 400 is accessed after being switched from the source base station 600, and the main base station 200 is responsible for establishing a control plane connection with the first core network control plane entity 100, transmitting a signaling message, determining whether an auxiliary base station is needed, and selecting the auxiliary base station 300 for the terminal 400.
The secondary base station 300 is a base station other than the primary base station 200, i.e. a node that provides additional radio resources for the terminal, and there is no direct control plane connection between the secondary base station 300 and the first core network control plane entity 100.
The second core network control plane entity 500 refers to a core network device accessed by the source base station 600 before the handover of the terminal 400, and may be, for example, an MME in a 4G network.
The first core network control plane entity 100 is the core network device accessed by the main base station 200 after the terminal 400 is switched, and is mainly responsible for functions such as mobility management, bearer management, authentication and authorization of the user, and selection of a serving gateway (SGW) and a packet data network gateway (PDN GW or PGW).
Furthermore, the first core network control plane entity 100 may also identify 5G security capabilities.
In the architecture shown in fig. 1, in a 5G scenario, the first core network control plane entity 100 may be an access and mobility management function (AMF) node, the main base station 200 may be a 5G base station, and the interface between the AMF node and any one of the 5G base stations is referred to as the N2 interface. In a 4G scenario, the first core network control plane entity 100 may be a Mobility Management Entity (MME), the main base station 200 may be a 4G base station, and the interface between the MME and the 4G base station is referred to as the S1 interface. In a New Radio (NR) and NR dual connectivity (NR-NR DC) scenario or an NR and LTE dual connectivity (NR-LTE DC) scenario, the interface between the primary base station 200 and the secondary base station 300 is referred to as the Xn interface and is used to support signaling interaction between the two base stations. In any DC scenario, a radio interface (e.g., the Uu interface) is established between the main base station 200 and the terminal 400, and may be used for transmitting user plane data and control plane signaling between the main base station 200 and the terminal 400. A radio interface is likewise established between the secondary base station 300 and the terminal 400; its name is not limited in the present application, and it may be used for transmitting user plane data and control plane signaling between the secondary base station 300 and the terminal 400. That is, when the terminal 400 simultaneously maintains connections with the main base station 200 and the secondary base station 300, the terminal 400 is in the dual connectivity architecture mode. The user plane of the radio interface mainly carries user data; the control plane carries the related signaling and establishes, reconfigures and releases the various mobile communication radio bearer services.
Furthermore, an interface between the first core network control plane entity 100 and the second core network control plane entity 500 is referred to as an S10 interface, and an interface between the second core network control plane entity 500 and the main base station 200 may be referred to as an S1-MME interface.
In this application, a base station (e.g., a source base station, a primary base station, or a secondary base station) refers to a device providing a wireless communication function for a terminal, and may be an access point (AP) in a wireless local area network (WLAN), a base transceiver station (BTS) in a Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA) network, a NodeB (NB) in Wideband Code Division Multiple Access (WCDMA), an evolved NodeB (eNB or eNodeB) in LTE, a relay station or access point, an in-vehicle network device, a wearable device, a base station (gNB) in a future 5G network, a network device in a future public land mobile network (PLMN), and the like. For convenience of description, the apparatuses providing a wireless communication function for a terminal are collectively referred to as base stations in this application.
A terminal, which may also be referred to as a terminal device, may include user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device may be a station (STA) in a wireless local area network (WLAN), and may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, or a terminal device in a next-generation communication system, for example a terminal device in a fifth-generation (5G) communication network or in a future-evolution public land mobile network (PLMN), and the like.
As an example, in the embodiment of the present invention, the terminal may also be a wearable device. A wearable device, also called a wearable smart device, is the general term for devices that apply wearable technology to the intelligent design and development of everyday wearable items such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a piece of hardware; it also realizes powerful functions through software support, data interaction and cloud interaction. Wearable smart devices in the broad sense include devices that are fully functional, large in size, and able to implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on one type of application function and need to be used together with other devices such as smartphones, such as various smart bracelets for vital-sign monitoring and smart jewelry.
Specifically, the primary base station and the secondary base station have different standards in the present application. For example, the primary base station in the present application may be an Evolved Node B (eNB) in an LTE system, that is, a 4G base station, and the secondary base station in the present application may be a base station (gNB) in a 5G system, that is, a 5G base station; or the secondary base station may be a base station in other systems that may be present in the future.
It should be understood that the architecture shown in fig. 1 is only one example of a scenario to which the method provided by the present application is applied, and does not constitute a limitation to the present application, and the technical solution provided by the present application may also be applied to other communication scenarios that require establishment of dual connectivity. There may be other situations for the two systems involved in the dual connectivity, for example, a 4G system and other systems that may appear in the future, and for example, a 5G system and other systems that may appear in the future.
The embodiments of the present application will be described in further detail below based on the above-described common aspects of the present application.
Fig. 2 is a communication diagram of a method for determining a security capability according to an embodiment of the present application. As shown in fig. 2, the method includes: steps S101 to S103.
S101, a first base station sends a first message to a terminal through a second base station, wherein the first message comprises a first indication, the first indication is used for indicating the terminal to report a first safety capability supported by the terminal, and the first message is used for indicating the terminal to be switched from the second base station to the first base station.
Specifically, the second base station is a base station that provides service for the terminal before handover, and the first base station is a base station that provides service for the terminal after handover.
Optionally, the first base station may send the first message to the terminal through the second base station in a process of instructing the terminal to perform handover.
In an example, the first message may be a message indicating the terminal to perform handover, or may also be a signaling message redefined in a handover process of the terminal, which is not limited in this application. For example, the first message may be a handover command message. Of course, the first message may also be other messages, which is not limited in this application.
Illustratively, the first security capability in this application refers to the security capability used when a connection is established between the terminal and the third base station. For example, the third base station may be a 5G base station, and the first security capability may be a 5G security capability, where the 5G security capability may refer to the 5G security algorithms supported by the terminal, such as a 5G ciphering algorithm and/or a 5G integrity protection algorithm. The 5G ciphering algorithm may be named NEA, 5G-EA (5G encryption algorithm), encryption algorithm for 5G, or otherwise; the 5G integrity protection algorithm may be named NIA, 5G-IA (5G integrity algorithm), integrity algorithm for 5G, or otherwise.
Correspondingly, the terminal receives the first message. For example, the terminal may receive the first message during a handover procedure of the first base station instructing the terminal to perform handover.
S102, the terminal sends a second message to the first base station according to the first indication, wherein the second message is used for indicating the first base station to determine the first safety capability.
In an example, the terminal may send the second message to the first base station in a process of indicating to the first base station that the terminal is handed over to the first base station, where the second message may be a message indicating that the terminal has been handed over to the first base station, or may be a signaling message newly defined in a process of indicating that the terminal is handed over to the first base station, and this is not limited in this application.
For example, the second message may be a handover complete message.
Correspondingly, the first base station receives a second message from the terminal, and the second message is used for determining the first safety capability.
S103, the first base station determines the first safety capability according to the second message.
The application provides a method for determining a security capability: a first base station sends a first message to a terminal through a second base station, where the first message includes a first indication, the first indication is used to instruct the terminal to report a first security capability supported by the terminal, and the first message is used to instruct the terminal to switch from the second base station to the first base station; the first base station receives a second message from the terminal, where the second message is used to determine the first security capability; and the first base station determines the first security capability based on the second message. Therefore, on the one hand, when the first base station does not hold the first security capability, it can acquire the first security capability from the terminal during the handover of the terminal to the first base station and then send it to the third base station, so that the terminal can subsequently establish dual connectivity with the third base station using the first security capability, and the establishment of dual connectivity can be brought forward. On the other hand, when the first base station already holds a security capability, it may first establish dual connectivity based on that security capability and then determine, from the first security capability sent by the terminal, whether the security capability it holds has been tampered with; when the first base station determines from the first security capability that it has not been tampered with, the established dual connectivity need not be modified, so dual connectivity can be established during the handover of the terminal to the first base station.
Based on fig. 2, fig. 3 is a communication schematic diagram of another method for determining the safety capability according to the embodiment of the present application. In fig. 3, the same contents as those in fig. 2 may refer to the description in fig. 2, and are not repeated in the following. As shown in fig. 3, on the basis of the method shown in fig. 2, the method provided by the present application may further include, before step S101:
S104, the first management entity sends a third message to the first base station, where the third message is used to instruct the first base station to acquire the first security capability.
Optionally, the third message may carry an identification information, where the identification information is used to indicate to acquire the first security capability.
Specifically, the first management entity may be a core network device accessed by the first base station, and the first management entity may identify the first security capability, and for example, the first management entity may be an upgraded MME, that is, an MME that may identify at least the first security capability.
For example, the third message may be the message, such as a handover request message, that the first management entity sends to the first base station to request it to perform handover, or the third message may be a signaling message newly defined between the first management entity and the first base station in the process in which the first management entity requests the first base station to perform handover, which is not limited in this application.
Since a redirection procedure may also take place between the first management entity and the second management entity (the MME accessed by the second base station) before the first management entity requests the first base station to perform handover, the first management entity may determine the content of the third message based on that redirection procedure. For example, when the first management entity obtains the second security capability from the redirection procedure, the identification information may be the second security capability; in this case, since the first management entity cannot determine whether the second security capability has been tampered with, it may first send the second security capability to the first base station, then obtain the first security capability from the terminal through the first base station, and thereby verify the second security capability. Alternatively, when the second management entity does not send the second security capability to the first management entity and the first management entity determines during the redirection procedure that the terminal has subscribed to option 3, the first management entity may generate the identification information itself.
Specifically, the redirection process is as follows: after receiving a handover request message (e.g., handover required message) sent by the second base station, the second management entity sends a redirection request message (e.g., forward location request message) to the first management entity, where the redirection request message typically includes a complete security context of the terminal, and the redirection request message also includes a first identifier, where the first identifier is used to indicate whether the terminal has subscribed to the option 3.
Option 3 refers to an implementation of dual connectivity in which the two base stations accessed by the terminal are an LTE base station eNB (called the master base station, Master eNB, MeNB) and a 5G base station gNB (called the secondary base station, SgNB), and the two base stations are simultaneously connected to a Mobility Management Entity (MME) of the LTE Evolved Packet Core (EPC).
Correspondingly, the first base station receives a third message from the first management entity. For example, the first base station may receive the third message in a process in which the first management entity requests the first base station to perform handover.
And S105, the first base station determines the first indication according to the third message.
Specifically, step S105 may be implemented in the following manner: the first base station determines the identification information as a first indication; or, the first base station generates the first indication based on the identification information.
The first security capabilities of the terminal may on the one hand be stored in an existing security field, e.g. a first field, and on the other hand the first security capabilities of the terminal may also be stored in a field different from the existing security field, e.g. a second field, wherein the first field and the second field. Based on this, the following two scenarios are introduced in the present application:
Scenario one: when the first security capability can be stored in the existing security field, the second management entity accessed by the terminal through the second base station can identify the first security capability, so during the redirection process the second management entity can transmit to the first management entity the first security capability as identified by the second management entity (hereinafter referred to as the second security capability). However, after receiving the second security capability, the first management entity cannot determine whether it has been tampered with. Based on this, the first management entity may first send the second security capability to the first base station, so that the first base station can send it to the third base station and a connection can be established between the terminal and the third base station; in this case, establishing the connection between the terminal and the third base station and switching the terminal from the second base station to the first base station can be executed in parallel.
Based on scenario one, the first indication in this application may also be a second security capability, and when the first indication is the second security capability, the second security capability may be consistent with the first security capability, and may also be inconsistent with the first security capability, and whether the second security capability is consistent with the first security capability determines the content of the second message, so the following description will be separately presented:
On the one hand, step S102 in the present application can be specifically implemented by the following mode A:
mode A: and the terminal determines that the second safety capability is consistent with the first safety capability according to the first indication, and then the terminal sends a second message to the first base station according to the first indication, wherein the second message is used for indicating that the second safety capability is determined as the first safety capability.
Optionally, the second message may be a message indicating that the handover is completed, for example, a handover complete message, so that the first base station may determine that the second security capability is not tampered based on the handover complete message, and therefore the first base station may determine the second security capability as the first security capability, in which case, the second message may not carry indication information indicating that the second security capability is determined as the first security capability.
Where the second message carries a second indication, the second indication is used to indicate that the second security capability is consistent with the first security capability, or that the second security capability is determined to be the first security capability.
For example, the second indication may be a first indicator, where the first indicator is used to indicate that the second security capability is consistent with the first security capability, e.g., the first indicator is "1" or "0".
It should be noted that, in this application, if the second security capability is consistent with the first security capability, it indicates that the second security capability has not been tampered, and if the second security capability is inconsistent with the first security capability, it indicates that the second security capability has been tampered.
Of course, when the terminal determines that the second security capability is consistent with the first security capability according to the first indication, the second message may not include the first security capability.
When step S102 is implemented by mode A, step S103 can be implemented by the following mode B:
mode B: the first base station determines the second security capability as the first security capability according to the second message.
On the other hand, step S102 in the present application can be specifically implemented by the following mode C:
Mode C: the terminal determines, according to the first indication, that the second security capability is inconsistent with the first security capability, and the terminal then sends a second message to the first base station according to the first indication, where the second message includes the first security capability, or the second message includes the first security capability and a third indication, the third indication being used to indicate that the second security capability is inconsistent with the first security capability.
Of course, when the terminal determines according to the first indication that the second security capability is inconsistent with the first security capability, the second message may also not include the indication information used to indicate the inconsistency, that is, the third indication. Where present, the third indication may be a second indicator used to indicate that the second security capability is inconsistent with the first security capability; the second indicator may be "0" or "1", which is not limited in this application, and whether 1 or 0 is used may be negotiated between the terminal and the base station.
When step S102 is implemented by mode C, step S103 can be implemented by the following mode D:
mode D: and the first base station determines the security capability obtained from the second message as the first security capability according to the second message.
Scenario two, when the first security capability may be stored in a field different from an existing security field, the second management entity may not be able to identify the first security capability, and therefore, during the redirection process performed by the second management entity and the first management entity, the second management entity may not send the first security capability that the second management entity is not able to identify to the first management entity, and therefore, the first management entity may instruct the first base station to acquire the first security capability.
Based on scenario two, step S102 in this application can be implemented in the following manner E:
mode E: and the terminal sends a second message to the first base station according to the first indication, wherein the second message comprises the first safety capability.
When step S102 is implemented by mode E, step S103 may be implemented by mode D, which is not described again here.
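The exchange of steps S101 to S103 under scenario one (modes A to D) and scenario two (mode E), written here as an added Python simulation rather than code from the patent. The message field names, the identification-information value used for scenario two, and the NEA/NIA algorithm sets are constructed assumptions; the base station records whether the forwarded second security capability turned out to be tampered with.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityCapability:
    """Constructed 5G security capability: the NEA (ciphering) and NIA (integrity)
    algorithms the terminal supports. The algorithm numbering is an assumption."""
    ciphering: frozenset
    integrity: frozenset


# Constructed identification information for scenario two: the first management
# entity holds no copy of the 5G capability and asks the first base station to obtain it.
REPORT_FIRST_SECURITY_CAPABILITY = "REPORT_FIRST_SECURITY_CAPABILITY"


class Terminal:
    """Holds the terminal's real first security capability and performs step S102."""

    def __init__(self, first_security_capability):
        self.first_security_capability = first_security_capability

    def on_first_message(self, first_message):
        """S102: build the second message (handover complete) from the first indication."""
        indication = first_message["first_indication"]
        second_message = {"type": "HANDOVER_COMPLETE"}
        if indication == REPORT_FIRST_SECURITY_CAPABILITY:
            # Scenario two, mode E: nothing to compare against, so report the capability.
            second_message["first_security_capability"] = self.first_security_capability
        elif indication == self.first_security_capability:
            # Scenario one, mode A: the forwarded second security capability matches what
            # the terminal supports, so only the first indicator ("1") is sent.
            second_message["indicator"] = 1
        else:
            # Scenario one, mode C: the forwarded copy does not match, so it was tampered
            # with in transit; send the real capability and the second indicator ("0").
            second_message["indicator"] = 0
            second_message["first_security_capability"] = self.first_security_capability
        return second_message


class FirstBaseStation:
    """Target base station of the handover: performs steps S105, S101 and S103."""

    def __init__(self):
        self.first_indication = None
        self.first_security_capability = None
        self.tampered = None  # stays None until S103 has run

    def on_third_message(self, third_message):
        """S105: here the identification information is used directly as the first indication."""
        self.first_indication = third_message["identification_information"]

    def first_message(self):
        """S101: the handover command forwarded to the terminal via the second base station."""
        return {"type": "HANDOVER_COMMAND", "first_indication": self.first_indication}

    def on_second_message(self, second_message):
        """S103: mode B when no capability is carried, mode D otherwise."""
        reported = second_message.get("first_security_capability")
        if reported is None:
            # Mode B: the terminal confirmed the second security capability it was shown.
            self.first_security_capability = self.first_indication
            self.tampered = False
        else:
            # Mode D: adopt the capability carried in the second message. A mismatch with
            # a capability the terminal was shown means the forwarded copy was tampered with.
            self.first_security_capability = reported
            self.tampered = (self.first_indication != REPORT_FIRST_SECURITY_CAPABILITY
                             and self.first_indication != reported)
        return self.first_security_capability


def run_handover(terminal, identification_information):
    """Drives S104/S105, S101, S102 and S103 for one terminal and returns
    (capability determined by the first base station, tampered flag, second message)."""
    third_message = {"type": "HANDOVER_REQUEST",
                     "identification_information": identification_information}
    base_station = FirstBaseStation()
    base_station.on_third_message(third_message)                              # S104 / S105
    second_message = terminal.on_first_message(base_station.first_message())  # S101 / S102
    base_station.on_second_message(second_message)                            # S103
    return base_station.first_security_capability, base_station.tampered, second_message


# Constructed sample data.
TERMINAL_CAPABILITY = SecurityCapability(frozenset({"NEA1", "NEA2", "NEA3"}),
                                         frozenset({"NIA1", "NIA2", "NIA3"}))
# A copy with algorithms removed, standing in for a second security capability that
# was modified somewhere between the terminal and the first management entity.
TAMPERED_CAPABILITY = SecurityCapability(frozenset({"NEA1"}), frozenset({"NIA1"}))

if __name__ == "__main__":
    terminal = Terminal(TERMINAL_CAPABILITY)
    for label, ident in [("scenario one, untampered", TERMINAL_CAPABILITY),
                         ("scenario one, tampered", TAMPERED_CAPABILITY),
                         ("scenario two", REPORT_FIRST_SECURITY_CAPABILITY)]:
        capability, tampered, msg = run_handover(terminal, ident)
        print(label, "->", sorted(capability.ciphering), "tampered:", tampered,
              "indicator:", msg.get("indicator"))
```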
In a possible implementation manner, based on the scenario one described above, and based on fig. 2, fig. 4 is a communication schematic diagram of another method for determining the safety capability provided in the embodiment of the present application. In fig. 4, the same contents as those in fig. 2 may refer to the description in fig. 2, and are not repeated in the following. As shown in fig. 4, on the basis of the method shown in fig. 2, before step S101, the method provided by the present application may further include:
S106, the first management entity sends a fourth message to the first base station, where the fourth message includes the second security capability.
Specifically, after the first management entity sends the fourth message to the first base station, the method further includes: the first base station receives a fourth message from the first management entity.
Based on this, in step S107 the first base station may send the second security capability acquired from the fourth message to the third base station, so that the terminal establishes a connection with the third base station according to the second security capability.
S107, the first base station sends second safety capability to the third base station, and the second safety capability is used for establishing connection between the terminal and the third base station.
Optionally, the first base station may send the second security capability to the third base station by sending a cell addition request message, such as a SgNB addition request message.
It should be noted that, in the process of the first base station executing step S107, the first base station may execute step S101 described above, and in this case, the first indication in step S101 may be the first security capability.
After step S107, the third base station may further send a response message (e.g., a cell addition request acknowledgement message, such as SgNB addition request ACK) to the first base station, where the response message is used to indicate that the third base station has established a connection with the terminal, and after the first base station receives the handover completion message sent by the terminal, the first base station may determine that the terminal has established a connection with both the first base station and the third base station, so that dual connectivity is established.
In this application, after the third base station and the terminal establish a connection according to the second security capability, either the terminal or the first base station may determine whether the second security capability is consistent with the first security capability; the specific determination process may refer to the embodiment above and is not repeated here. Furthermore, when the second security capability is inconsistent with the first security capability, either the first base station or the terminal may instruct the third base station to modify the configuration of the established secondary cell group. The two cases are introduced separately below:
In the case that the first base station instructs the third base station to modify the configuration of the established secondary cell group, as shown in fig. 4, on the basis of the method shown in fig. 2, the method provided by this application may further include, after step S103:
S108, when the first base station determines that the first security capability is inconsistent with the second security capability, the first base station sends a fifth message to the third base station, where the fifth message includes the first security capability and is used for modifying the configuration of the secondary cell group.
For example, the fifth message may be a cell modification request message, such as an SgNB modification request message.
In the case that the terminal instructs the third base station to modify the configuration of the established secondary cell group, fig. 5, based on fig. 2, shows a further method for determining the security capability provided in an embodiment of this application. Contents of fig. 5 that are the same as in fig. 2 may refer to the description of fig. 2 and are not repeated below. As shown in fig. 5, on the basis of the method shown in fig. 2, the method may further include steps S106 and S107 before step S101; these are the same as steps S106 and S107 in fig. 4, and the detailed description of fig. 4 applies. Unlike the method shown in fig. 2, step S103 is not performed after step S102; instead the method further includes:
S109, the terminal sends a fifth message to the third base station, where the fifth message includes the first security capability.
Optionally, the terminal may send the first security capability to the third base station during its random access procedure with the third base station.
S110, the third base station compares the first security capability with the second security capability, and modifies the configuration of the secondary cell group if it determines that the second security capability is inconsistent with the first security capability.
It should be noted that when the terminal instructs the third base station to modify the configuration of the established secondary cell group, the second message in step S102 need not carry the first security capability.
Optionally, the first security capability is associated with a next generation system, where the next generation system may be a 5G system or another system that may appear in the future. The method provided by this application may further include the following steps:
(a) The terminal receives a broadcast message.
(b) The terminal determines, according to the broadcast message, that no service of the next generation system exists in the area where the terminal is located.
(c) The terminal sends a sixth message to the second base station, where the sixth message does not include the first security capability.
For example, the sixth message may be an attach message.
This application provides a method for determining the 5G security capability for the base station that serves the terminal after handover. In it, the terminal may decide, according to a broadcast message, whether to report the first security capability to the second base station in the initial access message. When the terminal determines that no 5G service exists in its area and sends only the other security capabilities (for example the 4G security capability) to the second base station, the first security capability cannot be tampered with. The reason is that if the MME cannot recognize the first security capability, it will not echo the first security capability in the subsequent Non-Access Stratum (NAS) Security Mode Command (SMC) message, so the terminal would have no way to know whether the first security capability it reported over NAS had been tampered with.
In addition, it can be understood that the terminal may send the first security capability to the second base station when it determines that service of the next generation system does exist in the area where it is located.
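The following Python model, added here as an illustration and not taken from the patent or from any vendor implementation, shows the mechanism that steps (a) to (c) rely on: the terminal keeps the first security capability out of the attach request when the broadcast message shows no next-generation service, because a management entity that cannot parse that field will not echo it in the integrity-protected NAS Security Mode Command, and the terminal's replay check then cannot cover it. The IE names, the broadcast flag, the capability byte strings and the on-path attacker are constructed assumptions.

```python
"""Added example (not part of the patent text): why a UE omits its 5G
security capability from the attach request when the broadcast message
shows no 5G coverage.  A legacy MME copies into the NAS Security Mode
Command (SMC) only the capability IEs it understands, so an IE it cannot
parse is never echoed back and the UE cannot tell whether an on-path
attacker altered it.  IE names and byte values are constructed."""

from dataclasses import dataclass

IE_4G = "ue_network_capability"        # existing (4G) security capability IE
IE_5G = "ue_5g_security_capability"    # new IE carrying the first security capability


@dataclass(frozen=True)
class Broadcast:
    has_5g_service: bool               # what the terminal reads from the broadcast message


def build_attach_request(bcast: Broadcast, cap_4g: bytes, cap_5g: bytes) -> dict:
    """Steps (b)/(c): include the 5G capability only when 5G service is present."""
    req = {IE_4G: cap_4g}
    if bcast.has_5g_service:
        req[IE_5G] = cap_5g
    return req


def tamper(msg: dict, ie: str, value: bytes) -> dict:
    """On-path attacker rewriting one IE of the (unprotected) attach request."""
    out = dict(msg)
    if ie in out:
        out[ie] = value
    return out


def mme_security_mode_command(attach: dict, known_ies: frozenset) -> dict:
    """The MME replays the received capabilities in the integrity-protected SMC,
    but only the IEs it recognises; an unknown IE is silently dropped."""
    return {ie: v for ie, v in attach.items() if ie in known_ies}


def ue_check_smc(sent: dict, smc: dict) -> tuple:
    """UE compares the echoed capabilities with what it sent.
    Returns (tampered_ies, unverifiable_ies)."""
    tampered = sorted(ie for ie in sent if ie in smc and smc[ie] != sent[ie])
    unverifiable = sorted(ie for ie in sent if ie not in smc)
    return tampered, unverifiable


LEGACY_MME = frozenset({IE_4G})            # cannot identify the 5G IE
NG_AWARE_MME = frozenset({IE_4G, IE_5G})   # echoes both IEs
CAP_4G = b"\xf0\xf0"                       # constructed
CAP_5G = b"\xf0\xf0\x00\x00"               # constructed
BID_DOWN_5G = b"\x80\x80\x00\x00"          # attacker leaves only the null algorithms


def run(has_5g: bool, mme_known: frozenset, attack: bool) -> tuple:
    """One attach: build, optionally tamper, let the MME echo, let the UE check."""
    sent = build_attach_request(Broadcast(has_5g), CAP_4G, CAP_5G)
    on_wire = tamper(sent, IE_5G, BID_DOWN_5G) if attack else sent
    smc = mme_security_mode_command(on_wire, mme_known)
    return ue_check_smc(sent, smc)


if __name__ == "__main__":
    print("no 5G coverage, legacy MME, attacker:", run(False, LEGACY_MME, True))
    print("5G IE sent to legacy MME, attacker:", run(True, LEGACY_MME, True))
    print("5G IE sent to 5G-aware MME, attacker:", run(True, NG_AWARE_MME, True))
```

The second case is the one the page warns about: the 5G IE reaches a legacy MME, is modified on the way, and comes back as "unverifiable" rather than "tampered", so the UE learns nothing. Withholding the IE (first case) removes that blind spot, and a 5G-aware MME (third case) exposes the modification through the SMC replay.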
Based on the architecture shown in fig. 1, the method for determining the security capability provided by this application is described in detail below, taking the first base station as the MeNB, the second base station as the source eNB, the first management entity as the destination (target) MME, the second management entity as the source MME, and the third base station as the SgNB.
Example 1
As shown in fig. 6, fig. 6 shows a specific implementation of the method for determining the security capability provided by this application, including:
S201, the eNB sends a handover request message to the source MME.
The eNB is the base station the UE accessed before the handover and may also be called the source base station; the handover request message may be, for example, a handover required message, and the source MME is the MME serving the eNB.
S202, the source MME sends a redirection request message to the target MME.
The target MME in this application is the MME of the MeNB accessed after the UE handover, and the target MME can recognize the 5G security capability.
For example, the redirection request message may be a forward relocation request message.
Specifically, the source MME and the destination MME may exchange the forward relocation request message over the S10 interface.
S203, the target MME sends a handover request message to the MeNB, where the handover request message carries identification information used to instruct the MeNB to notify the UE to report its 5G security capability.
For example, in one possible implementation, the forward relocation request message sent by the source MME normally includes the complete security context of the UE, and may also include a second identifier indicating whether the UE subscribes to option 3. If the destination MME determines that the second identifier indicates that the UE subscribes to option 3, but the source MME did not send the 5G security capability of the UE to the destination MME, the destination MME includes the identification information in the handover request message.
It should be noted that in embodiment 1 of this application the 5G security capability of the UE may be stored in a new field different from the existing security capability field, so the source MME cannot recognize the 5G security capability, and the redirection request message sent by the source MME to the destination MME therefore does not carry it.
Here, the MeNB is the base station accessed after the UE is handed over from the source base station.
S204, the MeNB adds a third identifier to the container passed from the target base station to the source base station.
For example, the container may be a target to source transparent container.
It should be noted that the target to source transparent container is a container sent by the MeNB to the UE; its contents are not parsed or processed by the intermediate network elements and are delivered to the UE unchanged.
The MeNB may determine the third identifier in multiple ways. On one hand, the third identifier may be the identification information carried in step S203, that is, the MeNB uses the identification information as the third identifier. On the other hand, the third identifier may be generated by the MeNB according to the identification information, which is not limited in this application.
S205, the MeNB sends a handover confirmation message to the target MME.
For example, the handover confirmation message may be a handover ACK message.
S206, the target MME sends a redirection response message to the source MME.
For example, the redirection response message may be a forward relocation response message.
S207, the source MME sends a handover command message to the eNB.
For example, this message may be the handover command message between the MME and the eNB.
The messages of steps S205 and S206 carry the target to source transparent container added in S204.
S208, the eNB sends a handover command message to the UE, where the handover command message includes the target to source transparent container.
For example, this message may be the handover command message sent to the UE over the air interface.
S209, the UE obtains the third identifier from the target to source transparent container received in the handover command message, and sends a handover complete message to the MeNB, where the handover complete message may include the 5G security capability.
For example, this message may be the handover complete message sent to the target base station.
It should be noted that if the UE does not carry the 5G security capability in the handover complete message in step S209, the UE may instead send the 5G security capability to the MeNB in the TAU request message after completing the handover.
Optionally, the UE may determine whether the TAU request message carries the 5G security capability according to the third identifier in the handover command message.
It should be noted that in this application the UE may establish a connection with the MeNB through steps S201 to S209.
S210, after receiving the 5G security capability of the UE, the MeNB can initiate dual connectivity: the MeNB sends an SgNB cell addition request message to the SgNB.
Specifically, the MeNB may obtain the 5G security capability as follows. On one hand, when the handover complete message sent by the UE carries the 5G security capability, the MeNB obtains it from the handover complete message. On the other hand, if the UE does not carry the 5G security capability in the handover complete message, the UE may carry it in the TAU request message according to the third identifier, and the MeNB then obtains the 5G security capability from the TAU request message.
For example, the SgNB cell addition request message may be an SgNB addition request message.
S211, the SgNB replies to the MeNB with a cell addition request acknowledgement message.
For example, the cell addition request acknowledgement message may be an SgNB addition request ACK message.
It should be noted that in this application, after step S211, the UE may establish a connection with the SgNB according to the 5G security capability, and at this point a DC architecture is formed.
It should be noted that in this application, when accessing the network for the first time, the UE may determine according to the received broadcast message whether to carry the 5G security capability in the attach request message it sends to the network. Specifically, if the UE determines from the broadcast message that there is no 5G coverage in its area, the attach request message sent by the UE does not carry the 5G security capability; for example, it may carry only the 4G security capability. If the UE determines that its area has 5G coverage, the UE carries the 5G security capability in the attach request message and may also carry the 4G security capability. In this application the UE judges whether 5G coverage exists in order to decide whether the 5G security capability is carried in the attach request message; when there is no 5G coverage, the 5G security capability is not carried, which protects it from being tampered with. The reason is that if the MME cannot recognize the 5G security capability, the MME will not echo it in the subsequent Non-Access Stratum (NAS) Security Mode Command (SMC) message, and the UE would then have no way to know whether the 5G security capability it reported had been tampered with.
Through steps S201 to S211, the MeNB may obtain the 5G security capability from the handover complete message sent by the UE and send it to the SgNB, so that the UE establishes a connection with the SgNB using the 5G security capability. Once the UE has successfully connected to the SgNB, it is connected to both the MeNB and the SgNB, forming dual connectivity for the UE.
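As an added illustration, not the patent's or any operator's code, the following Python model walks the messages of steps S201 to S211 through a legacy source MME, a 5G-aware target MME, the MeNB, the relaying nodes and the UE. It shows the three points the embodiment depends on: the source MME drops the unknown 5G field, the target MME sets the indication only when the option 3 subscription is present but the capability is missing, and the transparent container carries the third identifier to the UE unparsed, with the TAU request as the fallback reporting path. The field names, the option3_subscribed flag, the identifier name report_5g_security_capability and all byte values are constructed assumptions.

```python
"""Added example (not code from the patent or any vendor): message-level
model of embodiment 1 (S201-S211).  The UE's 5G security capability sits
in a field the source MME does not understand, so it is lost on the S10
relocation; the target MME notices the gap and has the MeNB ask the UE to
re-report it via the target-to-source transparent container.  Field names
and byte values are constructed."""

from typing import Optional

LEGACY_FIELDS = {"imsi", "kasme", "ue_network_capability", "option3_subscribed"}
CAP_5G = "ue_5g_security_capability"               # new field, unknown to a pre-5G MME
REPORT_5G_CAP = "report_5g_security_capability"    # constructed name for the third identifier


def source_mme_forward_relocation_request(ue_context: dict) -> dict:
    """S202: a legacy source MME forwards only the context fields it knows."""
    return {k: v for k, v in ue_context.items() if k in LEGACY_FIELDS}


def target_mme_handover_request(reloc_req: dict) -> dict:
    """S203: indication is set when the UE subscribes to option 3 but no 5G capability arrived."""
    needs_report = reloc_req.get("option3_subscribed", False) and CAP_5G not in reloc_req
    return {"ue_context": reloc_req, "indication": needs_report}


def menb_handover_request_ack(ho_req: dict) -> dict:
    """S204/S205: the third identifier travels in the target-to-source transparent container."""
    return {"container": {REPORT_5G_CAP: True} if ho_req["indication"] else {}}


def relay_container(msg: dict) -> dict:
    """S206-S208: target MME, source MME and eNB forward the container without parsing it."""
    return {"container": msg["container"]}


class UE:
    def __init__(self, cap_5g: bytes, in_handover_complete: bool = True):
        self.cap_5g = cap_5g
        self.in_handover_complete = in_handover_complete   # False: report in the TAU request

    def message(self, kind: str, ho_cmd: dict) -> dict:
        """S209 (handover complete) or the later TAU request, driven by the third identifier."""
        msg = {"type": kind}
        asked = ho_cmd["container"].get(REPORT_5G_CAP, False)
        use_this = (kind == "handover_complete") == self.in_handover_complete
        if asked and use_this:
            msg[CAP_5G] = self.cap_5g
        return msg


class MeNB:
    def __init__(self):
        self.ue_5g_cap: Optional[bytes] = None

    def receive(self, msg: dict) -> None:
        """Take the capability from whichever uplink message carries it."""
        if CAP_5G in msg:
            self.ue_5g_cap = msg[CAP_5G]

    def sgnb_addition_request(self) -> Optional[dict]:
        """S210: dual connectivity is initiated only once the capability is known."""
        return None if self.ue_5g_cap is None else {CAP_5G: self.ue_5g_cap}


def run_handover(ue_context: dict, ue: UE) -> Optional[dict]:
    """Returns the SgNB addition request the MeNB would send, or None if it never could."""
    menb = MeNB()
    reloc_req = source_mme_forward_relocation_request(ue_context)                 # S202
    ho_req = target_mme_handover_request(reloc_req)                               # S203
    ho_cmd = relay_container(relay_container(menb_handover_request_ack(ho_req)))  # S205-S208
    menb.receive(ue.message("handover_complete", ho_cmd))                         # S209
    menb.receive(ue.message("tau_request", ho_cmd))                               # TAU fallback
    return menb.sgnb_addition_request()                                           # S210


# Constructed UE context held by the source MME; the 5G field is one it cannot parse.
UE_CONTEXT = {"imsi": "001010123456789", "kasme": b"k" * 32, "option3_subscribed": True,
              "ue_network_capability": b"\xf0\xf0", CAP_5G: b"\xf0\xf0\x00\x00"}

if __name__ == "__main__":
    print(run_handover(UE_CONTEXT, UE(b"\xf0\xf0\x00\x00")))
    print(run_handover(UE_CONTEXT, UE(b"\xf0\xf0\x00\x00", in_handover_complete=False)))
    print(run_handover({**UE_CONTEXT, "option3_subscribed": False}, UE(b"\xf0\xf0\x00\x00")))
```

The first two runs reach the SgNB addition request with the UE's own capability, once via the handover complete message and once via the TAU request; the third run shows that without the option 3 subscription the target MME sets no indication, so the UE is never asked and no dual connectivity is initiated.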
Example 2
As shown in fig. 7, fig. 7 illustrates another specific implementation of the method for determining the security capability provided by this application, including:
S301, the eNB sends a handover request message to the source MME.
For example, the handover request message may be a handover required message.
S302, the source MME sends a redirection request message to the target MME, where the redirection request message includes the first 5G security capability of the UE.
It should be noted that in embodiment 2 the first 5G security capability of the UE is placed in the existing security capability field, so the source MME can recognize it and send it to the destination MME. However, although the destination MME can recognize the first 5G security capability after receiving it, the destination MME cannot determine at this point whether the first 5G security capability has been tampered with.
For example, the redirection request message may be a forward relocation request message.
S303, the target MME sends a handover request message to the MeNB, where the handover request message includes the first 5G security capability.
For example, this message may be the handover request message between the MME and the MeNB.
S304, the MeNB sends a cell addition request message to the SgNB according to the first 5G security capability received from the target MME, where the cell addition request message includes the first 5G security capability.
Based on step S304, the UE may establish a connection with the SgNB according to the first 5G security capability; after the UE and the SgNB successfully establish a connection based on the first 5G security capability, the UE is connected to both the SgNB and the MeNB, establishing dual connectivity for the UE.
In addition, the process of establishing the connection between the UE and the SgNB may follow existing schemes and is not limited in this application.
For example, the cell addition request message may be an SgNB addition request message.
S305, the SgNB sends a cell addition request acknowledgement message to the MeNB.
For example, the cell addition request acknowledgement message may be an SgNB addition request ACK message.
While step S305 is being executed, the MeNB may, through steps S306 to S311, instruct the UE to report the UE's own second 5G security capability during the handover, so that the MeNB obtains the second 5G security capability reported by the UE. It should be noted that steps S301 to S305 may be performed in parallel with the process in which the MeNB acquires the second 5G security capability from the UE; that is, dual connectivity is established during the UE's handover.
Specifically, the process in which the master base station (MeNB) instructs the UE to report its second 5G security capability during the handover may refer to steps S204 to S209 above; that is, steps S306 to S311 correspond in sequence to steps S204 to S209 and are not described again here.
S312, after receiving the second 5G security capability, the MeNB compares the first 5G security capability with the second 5G security capability; if the MeNB determines that they are consistent, the MeNB need not modify the configuration of the previously established secondary cell group.
Optionally, the MeNB may send first indication information to the SgNB, indicating that the SgNB need not modify the configuration of the secondary cell group.
Specifically, the secondary cell group is the group of cells served by the secondary base station.
S313, if the MeNB determines that the first 5G security capability is inconsistent with the second 5G security capability, the MeNB sends a cell modification request message to the SgNB, where the cell modification request message includes the second 5G security capability.
Optionally, the cell modification request message is used to instruct the SgNB to modify the configuration of the secondary cell group according to the second 5G security capability, so as to modify the connection established between the SgNB and the UE.
It should be noted that if the MeNB determines that the first 5G security capability is inconsistent with the second 5G security capability, this indicates that the first 5G security capability received by the MeNB has been tampered with.
S314, the SgNB sends a cell modification request response message to the MeNB.
For example, the cell modification request response message may be an SgNB modification request ACK message, indicating that the configuration of the secondary cell group has been modified according to the second 5G security capability.
It should be noted that when the first 5G security capability is inconsistent with the second 5G security capability, the SgNB and the UE renegotiate the security algorithm to be used.
In the solution implemented by steps S301 to S314, the MeNB may establish dual connectivity during the handover and, after establishing it, determine according to the second 5G security capability sent by the UE whether the first 5G security capability used to establish the connection between the SgNB and the UE has been tampered with. When the MeNB determines that the first 5G security capability has not been tampered with, the established dual connectivity need not be modified; when the first 5G security capability held by the MeNB has been tampered with, the MeNB notifies the SgNB to modify the configuration of the secondary cell group according to the second 5G security capability, thereby modifying the established dual connectivity.
Example 3
Fig. 8 shows another specific implementation of the method for determining the security capability provided by this application; for the detailed description refer to the above. Fig. 8 includes the following phases:
The first phase is the phase in which the MeNB establishes dual connectivity according to the first 5G security capability acquired from the destination MME; it includes steps S401 to S405, which correspond to steps S301 to S305 of the previous embodiment. The second phase is step S406. The third phase is the process in which the master base station (MeNB) requests the UE to report its 5G security capability; it includes steps S407 to S410, which correspond to steps S307 to S310 of the previous embodiment, except that the first 5G security capability obtained by the MeNB from the destination MME is placed in the target to source transparent container, and the third identifier in the handover command message sent to the UE in step S410 may be the first 5G security capability itself. The fourth phase is that the UE compares the received first 5G security capability with its own second 5G security capability and determines, according to the result, whether the handover complete message sent to the MeNB carries the second 5G security capability.
S406, the MeNB adds the first 5G security capability to the target to source transparent container.
Specifically, the fourth phase may include the following steps S411 to S413:
S411, the UE determines whether the first 5G security capability carried in the handover command message is consistent with the UE's own second 5G security capability. If they are consistent, S412 is executed; otherwise S413 is executed.
S412, the UE sends a handover complete message to the MeNB, where the handover complete message carries an indicator indicating that the first 5G security capability and the second 5G security capability are consistent; alternatively, the handover complete message simply does not carry the second 5G security capability.
S413, the UE sends a handover complete message to the MeNB, where the handover complete message carries the second 5G security capability.
For example, this message may be the handover complete message sent to the target base station.
Optionally, when the MeNB determines that the second 5G security capability is inconsistent with the first 5G security capability, fig. 8 may further include a fifth phase consisting of S414, S415 and S416, where S414 may refer to step S312, S415 to step S313 and S416 to step S314 of embodiment 2 above.
The difference between the implementation of fig. 8 and the prior art is that the MeNB may establish dual connectivity during the handover, and if the first 5G security capability sent by the destination MME has not been tampered with, the established dual connectivity need not be modified. In addition, because the MeNB sends the first 5G security capability obtained from the destination MME to the UE, the UE checks whether it has been tampered with, and when the UE determines that the first and second 5G security capabilities are inconsistent, the UE sends the second 5G security capability to the MeNB; thus both the UE and the MeNB can perceive that the 5G security capability was tampered with, and hence that an attacker is present. Conversely, when the UE determines that the first and second 5G security capabilities are consistent, this also indicates that the first 5G security capability held by the MeNB has not been tampered with.
Example 4
Based on fig. 7, and as shown in fig. 9, this application further provides another specific implementation of the method for determining the security capability. It differs from the method shown in fig. 7 in that, after steps S501 to S510 (see steps S301 to S310 for details), steps S511 to S513 replace steps S313 and S314 of fig. 7:
S511, the UE sends a handover complete message to the MeNB.
S512, the UE sends the second 5G security capability to the SgNB during the random access procedure with the SgNB.
For example, the UE may send the second 5G security capability to the SgNB in the third message (Msg3) of the random access procedure with the SgNB.
S513, the SgNB compares the second 5G security capability received from the UE with the first 5G security capability obtained from the MeNB, and determines whether the first 5G security capability has been tampered with.
Specifically, if the SgNB determines that the first 5G security capability is inconsistent with the second 5G security capability, the SgNB and the UE renegotiate the security algorithm to be used; this may follow existing schemes and is not described again here.
As shown in fig. 9, because the connection between the UE and the SgNB is already established and the UE has also been handed over from the source base station to the MeNB, the DC architecture is established during the UE's handover. The UE then sends the second 5G security capability to the SgNB in the random access procedure, and the SgNB determines whether the first 5G security capability has been tampered with by comparing the received second 5G security capability with the first 5G security capability received from the MeNB. If the first 5G security capability has not been tampered with, the connection established between the UE and the SgNB, that is, the established dual connectivity, need not be modified.
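The comparison that embodiment 2 places at the MeNB (S312, S313), embodiment 3 at the UE (S411 to S413) and embodiment 4 at the SgNB (S513) is the same test, so the following added Python example (not code from the patent or any vendor) implements it once over a bit-mapped 5G security capability and shows why it matters: an on-path bid-down that leaves only NEA0/NIA0 makes the SgNB select the null algorithms, and the modification carrying the UE-reported capability restores NEA2/NIA2. The two-octet capability layout, the priority lists and the message dictionaries are simplified constructions, not the 3GPP encoding.

```python
"""Added example (not code from the patent or any vendor): the consistency
check of embodiments 2, 3 and 4 at the MeNB, the UE and the SgNB, run on a
bit-mapped 5G security capability.  Layout: octet 0 holds NEA bits, octet 1
NIA bits, most significant bit = algorithm 0 (simplified, constructed)."""

NEA = ["NEA0", "NEA1", "NEA2", "NEA3"]
NIA = ["NIA0", "NIA1", "NIA2", "NIA3"]


def encode_capability(supported: set) -> bytes:
    """Two octets: bit 7 of octet 0 is NEA0, bit 6 NEA1, ...; octet 1 likewise for NIA."""
    octet = [0, 0]
    for i, name in enumerate(NEA):
        if name in supported:
            octet[0] |= 0x80 >> i
    for i, name in enumerate(NIA):
        if name in supported:
            octet[1] |= 0x80 >> i
    return bytes(octet)


def decode_capability(cap: bytes) -> set:
    names = {NEA[i] for i in range(4) if cap[0] & (0x80 >> i)}
    names |= {NIA[i] for i in range(4) if cap[1] & (0x80 >> i)}
    return names


def select_algorithms(cap: bytes, priority_nea=("NEA2", "NEA1", "NEA3", "NEA0"),
                      priority_nia=("NIA2", "NIA1", "NIA3", "NIA0")) -> tuple:
    """Secondary node picks the highest-priority algorithms the UE claims to support
    (None when nothing in the capability matches the priority list)."""
    supported = decode_capability(cap)
    nea = next((a for a in priority_nea if a in supported), None)
    nia = next((a for a in priority_nia if a in supported), None)
    return nea, nia


def bid_down(cap: bytes) -> bytes:
    """On-path attacker keeps only the null algorithms NEA0/NIA0 (bit 7 of each octet)."""
    return bytes(b & 0x80 for b in cap)


def menb_check(first_cap: bytes, second_cap: bytes):
    """Embodiment 2 (S312/S313): first_cap came from the destination MME, second_cap from
    the UE.  Returns None when consistent, else the SgNB modification request."""
    if first_cap == second_cap:
        return None
    return {"msg": "SgNB modification request", "ue_5g_security_capability": second_cap}


def ue_handover_complete(container_cap: bytes, own_cap: bytes) -> dict:
    """Embodiment 3 (S411-S413): the UE compares the capability the MeNB placed in the
    transparent container with its own and reports only on mismatch."""
    if container_cap == own_cap:
        return {"msg": "handover complete", "capability_consistent": True}
    return {"msg": "handover complete", "ue_5g_security_capability": own_cap}


class SgNB:
    """Holds the capability received in the SgNB addition request and the SCG algorithms."""

    def __init__(self, addition_request_cap: bytes):
        self.cap = addition_request_cap
        self.algorithms = select_algorithms(self.cap)

    def on_msg3(self, msg3_cap: bytes) -> bool:
        """Embodiment 4 (S512/S513): compare the Msg3 capability with the stored one;
        returns True when the SCG had to be renegotiated."""
        if msg3_cap == self.cap:
            return False
        self.cap = msg3_cap
        self.algorithms = select_algorithms(msg3_cap)
        return True

    def on_modification_request(self, req: dict) -> tuple:
        """S313/S314: reconfigure the SCG from the UE-reported capability."""
        self.cap = req["ue_5g_security_capability"]
        self.algorithms = select_algorithms(self.cap)
        return self.algorithms


UE_CAP = encode_capability({"NEA0", "NEA1", "NEA2", "NIA0", "NIA1", "NIA2"})  # constructed
TAMPERED = bid_down(UE_CAP)   # what a bid-down attacker hands to the source MME

if __name__ == "__main__":
    sgnb = SgNB(TAMPERED)                              # S304: DC set up on the relayed capability
    print("algorithms after bid-down:", sgnb.algorithms)
    req = menb_check(TAMPERED, UE_CAP)                 # S312/S313 at the MeNB
    print("after SgNB modification:", sgnb.on_modification_request(req))
    print("UE-side check:", ue_handover_complete(TAMPERED, UE_CAP))
    print("SgNB Msg3 check modified SCG:", SgNB(TAMPERED).on_msg3(UE_CAP))
```

Equality of the two byte strings is the whole check; what the example adds is the consequence. With only the relayed (tampered) capability the SgNB lands on NEA0/NIA0, which is exactly the outcome the page's modification request and Msg3 comparison exist to undo.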
The scheme provided by the embodiments of this application has been introduced above mainly from the perspective of interaction between network elements. It can be understood that, to implement the above functions, each network element, such as the base station and the terminal, includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed in hardware or in computer software driving hardware depends on the particular application and the design constraints of the solution. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of this application.
In the embodiments of this application, the base station and the terminal may be divided into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of this application is schematic and is only a division by logical function; other divisions are possible in actual implementation. The following description takes the division of each functional module by function as an example:
In the case of integrated units, fig. 10 shows a possible structural diagram of the base station involved in the above embodiments. The base station shown in fig. 10 may perform the actions of the first base station in the above method embodiments. The base station includes a transmitting unit 101, a receiving unit 102 and a determining unit 103. For example, the transmitting unit 101 is configured to support the base station in performing steps S101, S107, S108, S205, S210, S304, S307, S313, S404, S407, S415, S504 and S507 in the above embodiments. The receiving unit 102 is configured to support the base station in performing steps S102, S104, S106, S203, S209, S211, S303, S305, S311, S314, S403, S405, S412, S413, S416, S503, S505 and S515 in the above embodiments. The determining unit 103 is configured to support the base station in performing steps S103, S105, S204 and S312 in the above embodiments, and/or other processes for the techniques described herein. All relevant contents of each step of the above method embodiments may refer to the functional description of the corresponding functional module and are not repeated here.
In hardware terms, the transmitting unit 101 may be a transmitter of the base station and the receiving unit 102 a receiver of the base station; the transmitter and receiver may be integrated as a transceiver, which may also be called a communication interface, and the determining unit 103 may be integrated in a processor of the base station.
In the case of an integrated unit, fig. 11 shows a schematic diagram of a possible logical structure of the base station involved in the above embodiments. The base station includes a processing module 112 and a communication module 113. The processing module 112 is used for controlling and managing the actions of the base station. The base station may also include a storage module 111 for storing program code and data of the base station.
The processing module 112 may be a processor or controller, such as a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or execute the various illustrative logical blocks, modules and circuits described in connection with this disclosure. The processor may also be a combination of computing devices, for example a combination of one or more microprocessors, or of a digital signal processor and a microprocessor. The communication module 113 may be a transceiver, a transceiving circuit, a communication interface or the like. The storage module 111 may be a memory.
When the processing module 112 is the processor 120, the communication module 113 is the communication interface 130 or a transceiver, and the storage module 111 is the memory 140, the base station of this application may be the device shown in fig. 12.
The communication interface 130, the at least one processor 120 and the memory 140 are connected to each other through the bus 110; the bus 110 may be a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration, only one thick line is shown in fig. 12, but this does not mean there is only one bus or one type of bus. The memory 140 is used for storing program code and data of the base station. The communication interface 130 is used to support the base station in communicating with other devices (for example, terminals), and the processor 120 is used to support the base station in executing the program code and data stored in the memory 140 to implement the method for determining the security capability provided by this application.
Fig. 13 shows a possible structural diagram of the terminal involved in the above embodiments. The terminal includes a receiving unit 201 and a transmitting unit 202. The receiving unit 201 is used to support the terminal in executing the steps received on the terminal side in the above embodiments, for example steps S101, S208, S310, S410 and S510. The transmitting unit 202 is used to support the terminal in executing steps S102, S109, S209, S311, S412, S413, S511 and S512 in the above embodiments. The terminal may further include a determining unit 203, configured to support the terminal in performing the determining processes in the foregoing embodiments and/or other processes for the techniques described herein. For the details of each step of the above method embodiments, refer to the functional description of the corresponding functional module; they are not repeated here.
In a hardware implementation, the receiving unit 201 in this application may be a receiver of the terminal and the transmitting unit 202 may be a transmitter of the terminal; the receiver and the transmitter of the terminal may be integrated as a transceiver, and such a transceiver may also be referred to as a communication interface. The determining unit 203 may be integrated in a processor of the terminal.
In the case of integrated units, fig. 14 shows a schematic diagram of a possible logical structure of the terminal involved in the above embodiments. The terminal includes a processing module 212 and a communication module 213. The processing module 212 is used for controlling and managing the actions of the terminal. The terminal may further include a storage module 211 for storing the program codes and data of the terminal. The processing module 212 may be a processor or controller, such as a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing devices, e.g., a combination of one or more microprocessors, or a digital signal processor together with a microprocessor. The communication module 213 may be a transceiver, a transceiving circuit or a communication interface, etc. The storage module 211 may be a memory.
When the processing module 212 is the processor 220, the communication module 213 is the communication interface 230 or the transceiver, and the storage module 211 is the memory 210, the terminal of the present application may be the device shown in fig. 15.
The communication interface 230, the at least one processor 220, and the memory 210 are connected to each other through the bus 200. The bus 200 may be a PCI bus or an EISA bus, etc., and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 15, but this does not mean that there is only one bus or only one type of bus. The memory 210 is used for storing the program codes and data of the terminal. The communication interface 230 is used to support communication between the terminal and other devices (e.g., base stations), and the processor 220 is used to execute the program codes and data stored in the memory 210 so that the terminal implements the method for determining a security capability provided by the present application.
Fig. 16 is a schematic structural diagram of a chip system 150 according to an embodiment of the present invention. Chip system 150 includes at least one processor 1510, memory 1540, and interface circuitry 1530, where memory 1540 may include both read-only memory and random access memory, and provides operating instructions and data to processor 1510. A portion of memory 1540 may also include non-volatile random access memory (NVRAM).
In some embodiments, memory 1540 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof:
In the embodiment of the present invention, a corresponding operation is performed by calling an operation instruction stored in the memory 1540 (the operation instruction may be stored in an operating system).
One possible implementation is that the chip systems used by the base station and the terminal have similar structures, but the different devices use different chip systems to realize their respective functions.
The processor 1510 controls the operation of the terminal or the base station, and the processor 1510 may also be referred to as a Central Processing Unit (CPU). Memory 1540 can include both read-only memory and random-access memory, and provides instructions and data to processor 1510. A portion of memory 1540 may also include non-volatile random access memory (NVRAM). The various components of the chip system 150 are coupled together by a bus system 1520, which may include a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled in fig. 16 as bus system 1520.
The method disclosed in the above embodiments of the present invention may be applied to the processor 1510 or implemented by the processor 1510. The processor 1510 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits in hardware or by instructions in the form of software in the processor 1510. The processor 1510 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or another storage medium well known in the art. The storage medium is located in the memory 1540; the processor 1510 reads the information in the memory 1540 and performs the steps of the above method in combination with its hardware.
Optionally, the interface circuit 1530 is configured to perform the steps of receiving and transmitting of the base station and the terminal in the embodiments shown in fig. 2, fig. 3, fig. 4, fig. 5, fig. 6, fig. 7, fig. 8, and fig. 9.
Processor 1510 is configured to perform the steps of the processing of the base station and the terminal in the embodiments shown in fig. 2, fig. 3, fig. 4, fig. 5, fig. 6, fig. 7, fig. 8, and fig. 9.
In the above embodiments, the instructions stored by the memory for execution by the processor may be implemented in the form of a computer program product. The computer program product may be written in the memory in advance or may be downloaded in the form of software and installed in the memory.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. A computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
In another aspect, a computer storage medium having instructions stored thereon is provided, which, when executed on a base station, cause the base station to perform the actions performed by the first base station in the method embodiments.
In yet another aspect, a computer storage medium having instructions stored thereon is provided, which, when executed on a terminal, cause the terminal to perform the actions performed by the terminal in the method embodiments.
In one aspect, a computer program product comprising instructions is provided, which, when run on a base station, cause the base station to perform the actions performed by the first base station in the method embodiments.
In yet another aspect, a computer program product comprising instructions is provided, which, when run on a terminal, cause the terminal to perform the actions performed by the terminal in the method embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description covers only specific embodiments of the present application, and the scope of the present application is not limited to them: any change or substitution that a person skilled in the art can readily conceive of within the technical scope disclosed in the present application shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (26)

1. A method of determining a security capability, comprising:
the first base station receiving a fourth message from a first management entity, the fourth message comprising a second security capability;
the first base station sending the second security capability to a third base station, the second security capability being used for establishing a connection between a terminal and the third base station;
the first base station sending a first message to the terminal through a second base station, wherein the first message comprises a first indication, the first indication is used for instructing the terminal to report a first security capability supported by the terminal, and the first message is used for instructing the terminal to hand over from the second base station to the first base station;
the first base station receiving a second message from the terminal, wherein the second message is used for determining the first security capability; and
the first base station determining the first security capability according to the second message.
2. The method of claim 1, wherein the second message is a handover complete message, wherein the handover complete message includes the first security capability, and wherein the determining, by the first base station, the first security capability according to the second message comprises:
the first base station determines the first security capability from the handover complete message.
3. The method of claim 2, wherein before the first base station sends the first message to the terminal through the second base station, the method further comprises:
the first base station receiving a third message from the first management entity, wherein the third message is used for instructing the first base station to acquire the first security capability; and
the first base station determining the first indication according to the third message.
4. The method of claim 3, wherein the third message includes identification information indicating acquisition of the first security capability, and wherein the determining, by the first base station, the first indication according to the third message comprises:
the first base station determines the identification information as the first indication;
or, the first base station generates the first indication based on the identification information.
5. The method of claim 1, wherein after the first base station determines the first security capability according to the second message, the method further comprises:
and if the second security capability is inconsistent with the first security capability, the first base station sends a fifth message to the third base station, wherein the fifth message comprises the first security capability.
6. The method of claim 1, wherein the first indication is the second security capability, and wherein the first base station determines the first security capability according to the second message, comprising:
and the first base station determines the second security capability as the first security capability according to the second message.
7. The method of claim 1, wherein the first indication is the second security capability, wherein the second message includes the first security capability, and wherein the first base station determines the first security capability according to the second message, comprising:
the first base station determines the first security capability from the second message.
8. A method of determining a security capability, comprising:
a terminal receiving a first message, wherein the first message comprises a first indication, the first indication is used for instructing the terminal to report a first security capability supported by the terminal, and the first message is used for instructing the terminal to hand over from a second base station to a first base station; and
the terminal sending a second message to the first base station according to the first indication, wherein the second message is used for instructing the first base station to determine the first security capability;
wherein the first indication is a second security capability, the second security capability is used for establishing a connection between the terminal and a third base station, and the terminal sending the second message to the first base station according to the first indication comprises:
if the second security capability is inconsistent with the first security capability, the terminal sending the second message to the first base station, wherein the second message comprises the first security capability.
9. The method of claim 8, wherein the second message is a handover complete message, and wherein the handover complete message comprises the first security capability.
10. The method of claim 8, further comprising:
and the terminal sends the first security capability to the third base station in the random access process with the third base station.
11. The method of claim 8, wherein the first indication is a second security capability, wherein the second security capability is used for establishing a connection between the terminal and a third base station, and wherein the terminal sends a second message to the first base station according to the first indication, and wherein the method comprises:
and if the second security capability is consistent with the first security capability, the terminal sends the second message to the first base station, where the second message is specifically used to indicate that the second security capability is determined to be the first security capability.
12. The method of any of claims 8-11, wherein the first security capability relates to a next generation system, the method further comprising:
the terminal receiving a broadcast message;
the terminal determining, according to the broadcast message, that no service of the next generation system exists in the area where the terminal is located; and
the terminal sending a third message to the second base station, wherein the third message does not comprise the first security capability.
13. An apparatus for determining security capabilities, comprising:
a receiving unit, configured to receive a fourth message from the first management entity, where the fourth message includes the second security capability;
a sending unit, configured to send the second security capability to a third base station, where the second security capability is used to establish a connection between a terminal and the third base station;
the sending unit is further configured to send a first message to the terminal through a second base station, where the first message includes a first indication, the first indication is used to indicate that the terminal reports a first security capability supported by the terminal, and the first message is used to indicate that the terminal is switched from the second base station to the first base station;
the receiving unit is further configured to receive a second message from the terminal, where the second message is used to determine the first security capability;
a determining unit, configured to determine the first security capability according to the second message.
14. The apparatus according to claim 13, wherein the second message is a handover complete message, wherein the handover complete message includes the first security capability, and wherein the determining unit is specifically configured to determine the first security capability from the handover complete message.
15. The apparatus of claim 14, wherein the receiving unit is further configured to receive a third message from a first management entity, and the third message is used to instruct the first base station to acquire the first security capability;
the determining unit is specifically configured to determine the first indication according to the third message.
16. The apparatus according to claim 15, wherein the third message includes identification information, the identification information being used to indicate that the first security capability is obtained, and the determining unit is specifically configured to determine the identification information as the first indication; or, the determining unit is specifically configured to generate the first indication based on the identification information.
17. The apparatus of claim 13, wherein if the determining unit determines that the second security capability is inconsistent with the first security capability, the sending unit is further configured to send a fifth message to the third base station, where the fifth message includes the first security capability.
18. The apparatus according to claim 13, wherein the first indication is the second security capability, and wherein the determining unit is specifically configured to determine the second security capability as the first security capability according to the second message.
19. The apparatus according to claim 13, wherein the first indication is the second security capability, wherein the second message comprises the first security capability, and wherein the determining unit is specifically configured to determine the first security capability from the second message.
20. An apparatus for determining security capabilities, comprising:
a receiving unit, configured to receive a first message, where the first message includes a first indication, the first indication is used to indicate a terminal to report a first security capability supported by the terminal, and the first message is used to indicate that the terminal is switched from a second base station to a first base station;
a sending unit, configured to send a second message to the first base station according to the first indication, where the second message is used to indicate the first base station to determine the first security capability; the first indication is a second security capability, the second security capability is used for establishing a connection between the terminal and a third base station, the terminal further includes a determining unit, and if the determining unit determines that the second security capability is inconsistent with the first security capability, the sending unit is further configured to send a second message to the first base station, where the second message includes the first security capability.
21. The apparatus of claim 20, wherein the second message is a handover complete message, and wherein the handover complete message comprises the first security capability.
22. The apparatus of claim 20, wherein the sending unit is further configured to send the first security capability to the third base station during a random access procedure between the apparatus and the third base station.
23. The apparatus of claim 20, wherein the first indication is a second security capability, and wherein the second security capability is used to establish a connection between the terminal and a third base station, the apparatus further comprising a determining unit, and wherein if the determining unit determines that the second security capability is consistent with the first security capability, the sending unit is further configured to send the second message to the first base station, and wherein the second message is specifically used to indicate that the second security capability is determined to be the first security capability.
24. The apparatus according to claim 20 or 21, wherein the first security capability relates to a next generation system, the apparatus further comprising a determining unit; the receiving unit is further configured to receive a broadcast message; the determining unit is used for determining that the service of the next generation system does not exist in the area where the terminal is located according to the broadcast message; the sending unit is further configured to send a third message to the second base station, where the third message does not include the first security capability.
25. A computer-readable storage medium having stored thereon instructions that, when executed, cause a computer to perform the method of determining a security capability of any of claims 1-12.
26. A chip system, comprising at least one processor and interface circuitry, the interface circuitry and the at least one processor interconnected by a line, the processor configured to execute instructions to perform the method of any of claims 1-12.
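The message flow of claims 1 to 12, as an added simulation that is not part of the patent and is not Huawei code. The first base station (handover target) receives the second security capability from the management entity, forwards it to the third base station, puts it into the first message as the first indication (claim 6), and compares it with what the terminal reports in the second message; on a mismatch it sends the fifth message (claim 5). The terminal side implements claims 8, 11 and 12. A capability is modelled as a set of algorithm identifier strings, identifiers with an "NR-" prefix stand in for the next-generation system of claim 12, and the class names, field names and sample capabilities are all assumptions of this example; the claims name no algorithms.

```python
"""Simulation of the security-capability exchange in claims 1-12 (added example).

A security capability is modelled as a frozenset of algorithm identifiers the
terminal supports. Identifiers starting with "NR-" stand for the next-generation
system of claim 12. Identifiers, class names and message fields are assumptions
of this example, not taken from the patent.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

Capability = FrozenSet[str]


@dataclass
class Message:
    kind: str
    indication: Optional[Capability] = None   # first indication (claim 6: the second capability)
    capability: Optional[Capability] = None   # first security capability, when carried
    confirms_second: bool = False             # claim 11: "the second capability is the first"


class ThirdBaseStation:
    """Node that will set up a connection with the terminal using the capability (claims 1, 5)."""

    def __init__(self) -> None:
        self.capability: Optional[Capability] = None

    def receive_capability(self, cap: Capability) -> None:
        self.capability = cap


class Terminal:
    def __init__(self, supported: Iterable[str]) -> None:
        self.supported: Capability = frozenset(supported)  # first security capability

    def handle_first_message(self, msg: Message) -> Message:
        """Claims 8 and 11: compare the indicated capability with what is really supported."""
        if msg.indication == self.supported:
            return Message("handover_complete", confirms_second=True)
        return Message("handover_complete", capability=self.supported)

    def build_third_message(self, next_gen_service_in_area: bool) -> Message:
        """Claim 12: omit the next-generation part when the broadcast says the area has no such service."""
        if next_gen_service_in_area:
            return Message("third", capability=self.supported)
        legacy_only = frozenset(a for a in self.supported if not a.startswith("NR-"))
        return Message("third", capability=legacy_only)


class FirstBaseStation:
    """Target base station of the handover (claims 1-7)."""

    def __init__(self, third: ThirdBaseStation) -> None:
        self.third = third
        self.second_capability: Optional[Capability] = None

    def handle_fourth_message(self, msg: Message) -> None:
        """Claim 1: keep the management entity's capability and pass it to the third base station."""
        self.second_capability = msg.capability
        self.third.receive_capability(msg.capability)

    def build_first_message(self) -> Message:
        """Claim 6: the first indication is the second capability itself."""
        return Message("handover_command", indication=self.second_capability)

    def handle_second_message(self, msg: Message) -> Capability:
        """Claims 1, 5-7: determine the first capability; on mismatch send the fifth message."""
        first = self.second_capability if msg.confirms_second else msg.capability
        if first != self.second_capability:
            self.third.receive_capability(first)   # fifth message (claim 5)
        return first


def run_handover(network_view: Iterable[str],
                 terminal_supports: Iterable[str]) -> Tuple[Capability, Capability]:
    """Run one handover; return (determined first capability, what the third base station holds)."""
    third = ThirdBaseStation()
    target = FirstBaseStation(third)
    terminal = Terminal(terminal_supports)
    target.handle_fourth_message(Message("fourth", capability=frozenset(network_view)))
    command = target.build_first_message()
    # The second (source) base station only relays the first message to the terminal.
    reply = terminal.handle_first_message(command)
    determined = target.handle_second_message(reply)
    return determined, third.capability


if __name__ == "__main__":
    # Constructed input: the management entity's view lacks an algorithm the terminal supports,
    # so the target base station corrects the third base station with the fifth message.
    print(run_handover({"NEA1", "NIA1"}, {"NEA1", "NIA1", "NR-NEA2"}))
```

The comparison in handle_second_message is the point of the claims: the capability the third base station uses for the connection is whatever the terminal actually reported after handover, not only the copy the management entity held, so the two copies cannot silently diverge.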
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201711159236.XA CN109819492B (en) 2017-11-20 2017-11-20 Method and device for determining safety capability
PCT/CN2018/116492 WO2019096329A1 (en) 2017-11-20 2018-11-20 Method and device for determining security capability

Publications (2)

Publication Number Publication Date
CN109819492A CN109819492A (en) 2019-05-28
CN109819492B true CN109819492B (en) 2021-02-12

Family

ID=66538935

Country Status (2)

Country Link
CN (1) CN109819492B (en)
WO (1) WO2019096329A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112020056B (en) * 2019-05-29 2022-02-25 Huawei Technologies Co Ltd Handover method, device and communication system
WO2022165813A1 (en) * 2021-02-07 2022-08-11 Huawei Technologies Co Ltd Communication method and apparatus
CN113192265A (en) * 2021-04-30 2021-07-30 Bank of China Co Ltd Remote card opening method and device
CN113747432B (en) * 2021-09-07 2024-05-03 中科星云物连科技(北京)有限公司 Communication system and method
CN116233848A (en) * 2021-12-03 2023-06-06 Honor Device Co Ltd Data transmission protection method, device and system

Citations (7)

Publication number Priority date Publication date Assignee Title
CN101304600A (en) * 2007-05-08 2008-11-12 Huawei Technologies Co Ltd Method and system for negotiating security capability
CN101606407A (en) * 2007-02-02 2009-12-16 Nokia Corp Changing radio access network security algorithm during handover
CN101730060A (en) * 2008-10-30 2010-06-09 Datang Mobile Communications Equipment Co Ltd Method, system and device for improving system security
CN102340772A (en) * 2010-07-15 2012-02-01 Huawei Technologies Co Ltd Security processing method, device and system in handover process
CN102595390A (en) * 2011-01-18 2012-07-18 ZTE Corp Security mode configuration method and terminal
CN104067650A (en) * 2012-01-26 2014-09-24 Telefonaktiebolaget LM Ericsson (publ) Operation of a serving node in a network
CN104683981A (en) * 2013-12-02 2015-06-03 Huawei Technologies Co Ltd Security capability verification method, device and system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
KR101730088B1 (en) * 2010-06-28 2017-04-26 Samsung Electronics Co Ltd Wireless communication system and method for processing handover thereof
WO2014158273A1 (en) * 2013-03-29 2014-10-02 Intel IP Corporation Techniques to facilitate dual connectivity
KR20170011216A (en) * 2015-07-22 2017-02-02 Samsung Electronics Co Ltd User equipment in mobile communication system and control method thereof
WO2017166161A1 (en) * 2016-03-31 2017-10-05 Huawei Technologies Co Ltd Communication method and related device
CN107277850B (en) * 2016-04-01 2022-04-19 Beijing Samsung Telecom R&D Center Control method for wireless local area network aggregation and related equipment

Also Published As

Publication number Publication date
WO2019096329A1 (en) 2019-05-23
CN109819492A (en) 2019-05-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant