CN109863772B - Security policy processing method and related equipment - Google Patents


Info

Publication number
CN109863772B
Authority
CN
China
Legal status
Active
Application number
CN201780065405.5A
Other languages
Chinese (zh)
Other versions
CN109863772A
Inventor
衣强
龙水平
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Legal events
Application filed by Huawei Technologies Co Ltd
Publication of CN109863772A
Application granted
Publication of CN109863772B
Status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of this application disclose a security policy processing method for meeting the differing security requirements of different services or users between a UE and a RAN entity. The method comprises: a radio access network (RAN) entity acquires a first message for a user equipment (UE), the first message comprising a target security policy; the RAN entity determines a ciphering and/or integrity protection policy for the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. The embodiments also provide related devices.

Description

Security policy processing method and related equipment
Technical Field
The present application relates to the field of communications technologies, and in particular to a security policy processing method and related devices.
Background
With the rapid development of computer and internet technologies, users expect more and more from communication services: when information is obtained from the internet, the server being accessed must be able to deliver the requested content accurately and efficiently. To keep the user's access both secure and efficient, a corresponding security policy needs to be adopted.
A next generation wireless communication network serves many types of services, and from a network security perspective different services or different tenants have different security requirements: some services or users demand a high level of security while others demand only a low level. To meet these differing requirements while using resources reasonably, the next generation network can apply security policies at the granularity of a service or a user, that is, different services or different users use different security policies. In the next generation network a user may also, through the user equipment (UE), set the minimum or desired security requirements to be provided by the network, and once the UE has requested them the network should meet the UE's security requirements as far as possible. A UE that supports access to the next generation core network may access it not only through a next generation RAN entity but also through an Evolved Universal Terrestrial Radio Access Network (E-UTRAN).
At present, the user equipment may state a security requirement; a security policy control function entity in the network determines a security policy according to the security requirement of the UE and the security capability of the user plane gateway (UPGW); a security management (SM) entity then generates a session key according to the determined security policy, sends the generated session key to the UPGW and sends the determined security policy to the UE; and the UE generates the same session key, thereby implementing security protection between the UE and the UPGW.
This prior art only considers determining and implementing the security policy between the UE and the UPGW. For some access technologies, for example access to the next generation core network through an evolved E-UTRAN, the security endpoint between the UE and the network is still on the radio access network (RAN) entity side. The prior art does not consider how the differing security requirements of different services or users are implemented between the UE and the RAN entity, and in particular how they are maintained during handover.
Disclosure of Invention
The embodiments of the present application provide a security policy processing method for meeting the differing security requirements of different services or users between a UE and a RAN entity.
A first aspect of the embodiments of the present application provides a security policy processing method, comprising: a first entity acquires a first message for establishing a session of the UE, and acquires a target security policy; in response to the acquired first message and target security policy, the first entity sends to the radio access network (RAN) entity of the UE a second message for creating a context of the UE at the RAN entity, the second message carrying the target security policy, which the RAN entity uses to determine the ciphering and/or integrity protection policy of the UE. In this embodiment, during initial context establishment, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the differing security requirements of different services or users are met.
In a possible design, in a first implementation manner of the first aspect, the acquiring by the first entity of the first message and the target security policy for the UE comprises: the first entity receives the first message sent by the UE and also receives the target security policy, which may be sent to the first entity together with the first message or separately; or, the first entity receives the first message for establishing the session sent by the UE, sends a security policy request message to a security policy management function entity, and receives from the security policy management function entity a security policy request response message containing the target security policy. This refines the acquisition process and improves the realizability and operability of the embodiment.
In a possible design, in a second implementation manner of the first aspect, the acquiring by the first entity of the first message and the target security policy for the UE comprises: the first entity receives the first message sent by the UE and also receives the access network type of the UE; the first entity sends a security policy request message containing the access network type of the UE to the security policy management function entity, so that the security policy management function entity determines the security endpoint information of the session to be established according to the access network type of the UE; and the first entity receives a security policy response message from the security policy management function entity, the response containing the target security policy, which in turn contains the security endpoint information of the session to be established for the UE. This refines the acquisition process and improves the realizability and operability of the embodiment.
In a possible design, in a third implementation manner of the first aspect, the acquiring by the first entity of the first message and the target security policy for the UE comprises: the first entity receives the first message sent by the UE and, with it, the access network type of the UE; and the first entity determines the security endpoint information of the session to be established for the UE according to the access network type of the UE. This refines the acquisition process and improves the realizability and operability of the embodiment.
In a possible design, in a fourth implementation manner of the first aspect, after the first entity obtains the first message and the target security policy for the user equipment UE, the method further comprises: the first entity stores the acquired target security policy. This adds a step of storing the target security policy, adds an implementation manner, and completes the steps of the embodiment.
A second aspect of the present application provides a security policy processing method, comprising: a radio access network (RAN) entity acquires a second message for a user equipment (UE), the second message comprising a target security policy; the RAN entity determines a ciphering and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. In this embodiment, during initial context establishment, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the differing security requirements of different services or users are met.
In a possible design, in a first implementation manner of the second aspect, when the RAN entity acquires the second message for the UE, the method further comprises: the RAN entity acquires a first identifier, where the first identifier is any one of a session identifier, a slice identifier or a media stream identifier, and the target security policy is the security policy corresponding to the first identifier. This adds the step of obtaining the first identifier and completes the steps of the embodiment.
In a possible design, in a second implementation manner of the second aspect, after the RAN entity acquires the second message including the target security policy for the UE, the method further comprises: the RAN entity saves the target security policy; or the RAN entity stores the correspondence between the first identifier and the target security policy. This adds a storage step and completes the steps of the embodiment.
In a possible design, in a third implementation manner of the second aspect, the determining by the RAN entity of the ciphering and/or integrity protection policy of the UE according to the target security policy comprises: the RAN entity determines a target algorithm at least according to the target security policy and the security capability of the RAN entity, the target algorithm being a ciphering and/or integrity protection algorithm for the UE; and the establishing by the RAN entity of a radio bearer according to the determined ciphering and/or integrity protection policy comprises: the RAN entity establishes or hands over radio bearers according to the target algorithm. This refines the determination of the protection policy and improves the realizability and operability of the embodiment.
In a possible design, in a fourth implementation manner of the second aspect, the determining by the RAN entity of the ciphering and/or integrity protection policy of the UE according to the target security policy comprises: the RAN entity determines a target algorithm at least according to the target security policy and the security capability of the RAN entity, the target algorithm being the ciphering and/or integrity protection algorithm used by the UE and corresponding to the first identifier; and the establishing by the RAN entity of a radio bearer according to the determined ciphering and/or integrity protection policy comprises: the RAN entity establishes or hands over radio bearers according to the target algorithm. This refines the determination of the protection policy and improves the realizability and operability of the embodiment.
In a possible design, in a fifth implementation manner of the second aspect, the determining by the RAN entity of a target algorithm at least according to the target security policy and the security capability of the RAN entity comprises: the RAN entity judges whether a candidate algorithm satisfying the target security policy exists; and if candidate algorithms satisfying the target security policy exist, the RAN entity determines, according to its own security capability, the highest-priority candidate algorithm as the target algorithm. This refines the determination of the target algorithm and improves the realizability and operability of the embodiment.
In a possible design, in a sixth implementation manner of the second aspect, the establishing by the RAN entity of a radio bearer according to the target algorithm comprises: the RAN entity sends a third message to the UE, the third message comprising a correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier or a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; the RAN entity receives a response message to the third message from the UE; and the RAN entity sends a request message for establishing or handing over the radio bearer to the UE, the request containing the correspondence between the identifier of the established or handed-over radio bearer and the second identifier, so that the UE determines the algorithm used by the established or handed-over radio bearer from the stored correspondence between the target algorithm and the second identifier. This provides a specific way of establishing the radio bearer and improves the operability of the embodiment.
In a possible design, in a seventh implementation manner of the second aspect, the establishing by the RAN entity of a radio bearer according to the target algorithm comprises: the RAN entity sends a third message containing both the correspondence between the target algorithm and the second identifier and the correspondence between the identifier of the radio bearer established or handed over by the RAN entity and the second identifier, so that the UE determines the algorithm used by that radio bearer from the correspondence between the target algorithm and the second identifier; the second identifier is any one of a session identifier, a slice identifier, a media stream identifier or a radio bearer identifier. This provides a specific way of establishing the radio bearer and improves the operability of the embodiment.
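The RAN-side procedure of the third to seventh implementation manners above, worked through as an added example that is not part of the patent text: the RAN entity filters its candidate algorithms against the target security policy, takes the highest-priority survivor, and then tells the UE which algorithm each radio bearer uses by way of the second identifier, either as two messages (sixth manner) or as a single third message (seventh manner). The policy fields, the algorithm names and strengths, the use of the UE's supported-algorithm set as an extra input, and the message layouts are all assumptions made for this example; the patent names none of them.

```python
"""Added example (not from the patent): the second aspect's RAN-side procedure.
Policy fields, algorithm names and strengths, the UE capability input and the
message layouts are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering_required: bool
    integrity_required: bool
    min_key_bits: int  # assumed attribute: minimum acceptable algorithm strength


@dataclass(frozen=True)
class Algorithm:
    name: str
    key_bits: int  # 0 marks a null algorithm (no protection)


# RAN security capability: supported algorithms in descending priority (assumed lists).
RAN_CIPHERING = [Algorithm("NEA2", 128), Algorithm("NEA1", 128), Algorithm("NEA0", 0)]
RAN_INTEGRITY = [Algorithm("NIA2", 128), Algorithm("NIA1", 128), Algorithm("NIA0", 0)]

TargetAlgorithm = Tuple[str, str]  # (ciphering algorithm, integrity algorithm)


def select_algorithm(required: bool, min_bits: int, ran_priority: List[Algorithm],
                     ue_supported: Set[str]) -> Optional[Algorithm]:
    """Fifth implementation manner: keep the candidates that satisfy the policy,
    then take the highest-priority one in the RAN's ordered capability list.
    Assumption: when protection is not required the null algorithm is chosen, so
    radio resources are not spent on protection nobody asked for."""
    if not required:
        return next((a for a in ran_priority if a.key_bits == 0), None)
    candidates = [a for a in ran_priority
                  if a.key_bits >= max(min_bits, 1) and a.name in ue_supported]
    return candidates[0] if candidates else None  # None: no candidate satisfies the policy


def determine_target_algorithm(policy: SecurityPolicy, ue_supported: Set[str]) -> TargetAlgorithm:
    ciph = select_algorithm(policy.ciphering_required, policy.min_key_bits, RAN_CIPHERING, ue_supported)
    integ = select_algorithm(policy.integrity_required, policy.min_key_bits, RAN_INTEGRITY, ue_supported)
    if ciph is None or integ is None:
        # No silent fallback to a weaker algorithm: the policy cannot be met.
        raise ValueError("no candidate algorithm satisfies the target security policy")
    return ciph.name, integ.name


def third_message(alg_by_id: Dict[str, TargetAlgorithm],
                  rb_to_id: Optional[Dict[int, str]] = None) -> dict:
    """Sixth manner: only target algorithm <-> second identifier.
    Seventh manner: additionally radio bearer identifier <-> second identifier."""
    msg = {"alg_by_id": dict(alg_by_id)}
    if rb_to_id is not None:
        msg["rb_to_id"] = dict(rb_to_id)
    return msg


class UEContext:
    """UE side: store the algorithm per second identifier, then resolve the
    algorithm for each established or handed-over radio bearer."""

    def __init__(self) -> None:
        self.alg_by_id: Dict[str, TargetAlgorithm] = {}
        self.alg_by_rb: Dict[int, TargetAlgorithm] = {}

    def receive(self, msg: dict) -> Dict[int, TargetAlgorithm]:
        self.alg_by_id.update(msg.get("alg_by_id", {}))
        for rb_id, second_id in msg.get("rb_to_id", {}).items():
            if second_id not in self.alg_by_id:
                # A bearer whose identifier has no stored algorithm is rejected,
                # not given a default, which would bypass the policy.
                raise KeyError(f"radio bearer {rb_id} maps to unknown identifier {second_id!r}")
            self.alg_by_rb[rb_id] = self.alg_by_id[second_id]
        return dict(self.alg_by_rb)


def establish_bearers(policies: Dict[str, SecurityPolicy], ue_supported: Set[str],
                      rb_plan: Dict[int, str], two_step: bool = True) -> Dict[int, TargetAlgorithm]:
    """RAN side: one target algorithm per second identifier (session, slice or
    media stream), then the bearer mapping as two messages (sixth manner) or a
    single third message (seventh manner). Returns the UE's per-bearer view."""
    ue = UEContext()
    alg_by_id = {sid: determine_target_algorithm(p, ue_supported) for sid, p in policies.items()}
    if two_step:
        ue.receive(third_message(alg_by_id))      # UE stores the correspondence and responds
        return ue.receive({"rb_to_id": rb_plan})  # RB establish/handover request carries RB <-> id
    return ue.receive(third_message(alg_by_id, rb_plan))


if __name__ == "__main__":
    # Constructed sample: two sessions with different policies, on bearers 1 and 2.
    sample_policies = {
        "session-1": SecurityPolicy(True, True, 128),   # ciphering and integrity required
        "session-2": SecurityPolicy(False, True, 128),  # integrity only
    }
    print(establish_bearers(sample_policies, {"NEA1", "NEA2", "NIA2"}, {1: "session-1", 2: "session-2"}))
```

With the constructed input, bearer 1 ends up on ("NEA2", "NIA2") and bearer 2 on ("NEA0", "NIA2"); a UE that only supported "NIA2" would make `determine_target_algorithm` raise rather than let the RAN pick a weaker ciphering algorithm on its own.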
In a possible design, in an eighth implementation manner of the second aspect, the acquiring by the RAN entity of the second message for the UE comprises: the RAN entity receives a second message sent by the first entity, the second message being used for establishing an initial context. This limits the second message and makes the embodiment more logical.
In a possible design, in a ninth implementation manner of the second aspect, the acquiring by the RAN entity of the second message for the UE comprises: the RAN entity receives a second message sent by the first entity, the second message being used for handing over the session of the UE. This limits the second message and makes the embodiment more logical.
In a possible design, in a tenth implementation manner of the second aspect, the RAN entity is a target RAN entity, and the acquiring by the RAN entity of the second message for the UE comprises: the RAN entity receives a second message sent by a source RAN entity, the second message being used for handing over the session of the UE. This limits the second message and makes the embodiment more logical.
A third aspect of the present application provides a security policy processing method, comprising: a second entity acquires a first message for establishing a session; the second entity sends a security policy request message to a security policy management function entity; the second entity receives a security policy response message containing a target security policy; and the second entity sends the first message together with the target security policy. In this embodiment, during initial context establishment, when the security endpoint of the network is located on the radio access network side, the second entity sends the target security policy to the radio access network entity, so that the differing security requirements of different services or users are met.
In a possible design, in a first implementation manner of the third aspect, the acquiring by the second entity of the first message comprises: the second entity receives the first message, which includes the access network type of the UE, and determines the access network type of the UE; and the sending by the second entity of the first message comprises: the second entity sends the first message together with the access network type of the UE. This adds the process of obtaining the access network type and adds an implementation manner of the embodiment.
In a possible design, in a second implementation manner of the third aspect, the method further comprises: the second entity receives the first message and the security requirement of the UE; the second entity sends a security policy request message containing the security requirement of the UE to the security policy management function entity; the second entity receives a security policy response message containing the target security policy, the target security policy having been determined by the security policy management function entity according to the security requirement of the UE; and the second entity sends the first message together with the target security policy. This adds the process of obtaining the target security policy according to the security requirement of the UE and adds an implementation manner of the embodiment.
A fourth aspect of the present application provides a security policy processing method, comprising: a source RAN entity decides to initiate a handover procedure for a user equipment (UE); the source RAN entity sends a first message to a target RAN entity requesting handover, where the first message includes the target security policy for the UE, or includes a first identifier for the UE and the corresponding target security policy, the first identifier being any one of a session identifier, a slice identifier or a media stream identifier. In this embodiment, during handover of the UE session, when the security endpoint of the network is located on the radio access network side, the source radio access network sends the target security policy it received to the target radio access network, so that the differing security requirements of different services or users are met.
In a possible design, in a first implementation manner of the fourth aspect, after the source RAN entity decides to initiate a handover procedure for the user equipment and before the source RAN entity sends the first message to the target RAN entity, the method further comprises: the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE stored by the source RAN entity, or the highest of the target security policies of the UE stored by the source RAN entity, and the measurement report comprises signal quality information of candidate RAN entities. This adds the process of determining the target RAN entity from the measurement report of the UE and adds an implementation manner of the embodiment.
In a possible design, in a second implementation manner of the fourth aspect, the determining by the source RAN entity of a target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE comprises: the source RAN entity determines, from the measurement report, the candidate RAN entities that meet the signal quality requirement, the measurement report comprising signal quality information of the candidate RAN entities; and among those candidate RAN entities the source RAN entity determines a RAN entity satisfying the first security policy as the target RAN entity. This refines the determination of the target RAN entity and improves the realizability and operability of the embodiment.
A fifth aspect of the present application provides a method for processing a security policy, including: a target RAN entity acquires a first message and a target security policy, wherein the first message is used for requesting to switch a session of UE; the target RAN entity determines an encryption and/or integrity protection strategy of the UE according to the target security strategy; and the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection strategy of the UE. In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the target wireless access network establishes the wireless bearer according to the received target security policy, so that different services or different security requirements of users are met.
In one possible design, in a first implementation manner of the fifth aspect of the embodiment of the present application, the method further includes: the target RAN entity further obtains a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier. The embodiment of the application adds the step of obtaining the first identifier, and the implementation mode of the embodiment of the application, so that the steps of the embodiment of the application are more perfect.
In a possible design, in a second implementation manner of the fifth aspect of the embodiment of the present application, the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN entity receives a first message sent by a source RAN entity, wherein the first message is used for requesting to switch a session of UE, and the first message comprises a target security policy; or, the target RAN entity receives a first message sent by a source RAN entity, where the first message is used to request a session for switching UE, and the first message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. The embodiment of the application refines the acquired first message, and increases the realizability and operability of the embodiment of the application.
In a possible design, in a third implementation manner of the fifth aspect of the embodiment of the present application, the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN receives a first message sent by a source RAN entity, wherein the first message is used for requesting to switch a session of the UE; the target RAN entity sends a security policy request message to a first core network entity; the target RAN entity receives a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is a first entity or a second entity. The method and the device for obtaining the target security policy refine the process of obtaining the target security policy, and increase the realizability and operability of the method and the device for obtaining the target security policy.
In a possible design, in a fourth implementation manner of the fifth aspect of the embodiment of the present application, the acquiring, by the target RAN entity, the first message and the target security policy includes: the target RAN entity receives a first message sent by a source RAN entity, wherein the first message is used for requesting to switch a session of the UE; the target RAN entity sends a security policy request to a first core network entity, wherein the security policy request comprises a first identifier, the first identifier comprises any one of a slice identifier, a session identifier or a media stream identifier, and the first core network entity is a first entity or a second entity; and the RAN entity receives a security policy response message sent by the first entity, wherein the security policy response message comprises the first identifier and a corresponding target security policy. The method and the device for obtaining the target security policy refine the process of obtaining the target security policy, and increase the realizability and operability of the method and the device for obtaining the target security policy.
In a possible design, in a fifth implementation manner of the fifth aspect of the embodiment of the present application, after the target RAN entity acquires the first message and the target security policy, the method further includes: the target RAN entity sends the received target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE, where the first core network entity is a first entity or a second entity; or, the target RAN entity sends the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier of the UE, where the first core network entity is a first entity or a second entity. This adds a step of verifying whether the target security policy is correct, provides a further implementation of the embodiment of the present application, and makes its steps more complete.
A sixth aspect of the embodiment of the present application provides a method for processing a security policy, where the method includes: a core network entity receives a security policy request message sent by a radio access network RAN entity; and the core network entity sends a security policy response message to the RAN entity, where the security policy response message includes the target security policy. In the embodiment of the present application, during handover of a UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the sixth aspect of the embodiment of the present application, the method further includes: the core network entity receives the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier; and the core network entity sends a security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier. This adds a procedure in which the core network entity sends the target security policy, providing a further implementation of the embodiment of the present application.
In a possible design, in a second implementation manner of the sixth aspect of the embodiment of the present application, the core network entity is a first entity or a second entity. This limits the core network entity, making the embodiment of the present application more logically consistent.
A seventh aspect of the embodiment of the present application provides a method for processing a security policy, including: a core network entity receives a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity during a handover procedure; and the core network entity verifies whether the target security policy is correct according to the saved security policy of the UE. In the embodiment of the present application, during handover of a UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the seventh aspect of the embodiment of the present application, the method further includes: the core network entity receives a first identifier sent by the target RAN entity and the target security policy corresponding to the first identifier, where the first identifier and the corresponding target security policy are obtained by the target RAN entity from a source RAN entity during a handover procedure; and the core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier. This adds a procedure in which the core network entity verifies the target security policy, providing a further implementation of the embodiment of the present application.
In a possible design, in a second implementation manner of the seventh aspect of the embodiment of the present application, the core network entity is a first entity or a second entity. This limits the core network entity, making the embodiment of the present application more logically consistent.
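The verification step of the fifth and seventh aspects, as an added illustration that is not the patent's own code: a core network entity (playing the first or second entity) keeps the saved security policy of a UE and, for the per-identifier variant, a mapping from first identifier to policy, and checks what the target RAN entity forwards after receiving it from the source RAN entity. The policy record (ciphering flag, integrity flag, ordinal strength), the entity class and all UE, session and identifier names are assumptions constructed for the example; the page defines none of them.

```python
"""Core-network-side verification of a target security policy forwarded by the
target RAN entity during handover.

Added illustration, not code from the patent. Assumed model (the page defines
none): a security policy is a record of a ciphering flag, an integrity flag
and an ordinal strength level; the core network entity keeps, per UE, a saved
security policy and/or a mapping from a first identifier (session, slice or
media stream identifier) to the policy that applies to it. Entity, UE and
identifier names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool     # ciphering required
    integrity: bool     # integrity protection required
    strength: int       # assumed ordinal level; higher means stronger


class CoreNetworkEntity:
    """Plays the 'first core network entity' (first or second entity) that
    verifies what the target RAN entity received from the source RAN entity."""

    def __init__(self) -> None:
        self._policy_of_ue: Dict[str, SecurityPolicy] = {}
        self._policy_by_identifier: Dict[str, Dict[str, SecurityPolicy]] = {}

    def save_policy(self, ue_id: str, policy: SecurityPolicy) -> None:
        self._policy_of_ue[ue_id] = policy

    def save_policy_for_identifier(self, ue_id: str, first_id: str,
                                   policy: SecurityPolicy) -> None:
        self._policy_by_identifier.setdefault(ue_id, {})[first_id] = policy

    def verify_target_policy(self, ue_id: str, received: SecurityPolicy) -> bool:
        """Variant 1: compare the received policy with the saved policy of the UE.
        An unknown UE fails closed: there is nothing to compare against."""
        saved = self._policy_of_ue.get(ue_id)
        return saved is not None and saved == received

    def verify_target_policies_by_identifier(
            self, ue_id: str,
            received: Dict[str, SecurityPolicy]) -> List[str]:
        """Variant 2: the target RAN entity forwards first identifiers with their
        policies; return the identifiers whose policy does not match the stored
        relationship (an empty list means everything verified). Identifiers the
        core network has no record of are reported as mismatches rather than
        ignored, so a forwarded policy for an unknown session cannot slip through."""
        saved = self._policy_by_identifier.get(ue_id, {})
        return [fid for fid, pol in received.items() if saved.get(fid) != pol]


if __name__ == "__main__":
    cn = CoreNetworkEntity()
    cn.save_policy("ue-1", SecurityPolicy(True, True, 2))
    cn.save_policy_for_identifier("ue-1", "session-7", SecurityPolicy(True, False, 1))
    print(cn.verify_target_policy("ue-1", SecurityPolicy(True, True, 2)))
    print(cn.verify_target_policies_by_identifier(
        "ue-1", {"session-7": SecurityPolicy(True, False, 1),
                 "session-9": SecurityPolicy(True, False, 1)}))
```

The per-identifier variant returns the list of offending identifiers rather than a single boolean so the core network entity can reject exactly the sessions whose forwarded policy disagrees with its own record; both variants treat a missing record as a failure rather than a pass.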
An eighth aspect of the present application provides a method for processing a security policy, including: a source RAN entity decides to initiate a handover procedure for a user equipment UE; the source RAN entity sends a first message to a first entity, where the first message is used to request handover of a session of the UE, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, or a media stream identifier. In the embodiment of the present application, during handover of a UE session, when the security endpoint of the network is located on the radio access network side, the source radio access network sends the received target security policy to the target radio access network, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the eighth aspect of the embodiment of the present application, after the source RAN entity decides to initiate a handover procedure for a user equipment UE and before the source RAN entity sends a first message to a first entity, the method further includes: the source RAN entity determines a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the highest of the target security policies of the UE stored by the source RAN entity, or the target security policy of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. This adds a procedure of determining the target RAN entity according to the measurement report of the UE, providing a further implementation of the embodiment of the present application.
In a possible design, in a second implementation manner of the eighth aspect of the embodiment of the present application, the determining, by the source RAN entity, a target RAN entity according to the first security policy and the measurement report of the UE includes: the source RAN entity determines candidate RAN entities meeting the signal quality requirement according to the measurement report, where the measurement report includes signal quality information of the candidate RAN entities; and the source RAN entity determines, among the candidate RAN entities, a RAN entity meeting the first security policy as the target RAN entity. This refines the process of determining the target RAN entity, increasing the feasibility and operability of the embodiment of the present application.
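The two-step target selection of the eighth aspect (signal quality first, then the first security policy), as an added illustration that is not the patent's own code. It assumes a policy record with ciphering and integrity flags and an ordinal strength, takes the "highest" of several stored policies to mean the union of their requirements at the maximum strength, and models each candidate RAN entity's security capability as such a record; the signal quality values, the threshold and the RAN names are constructed.

```python
"""Source-RAN-side choice of the target RAN entity during handover.

Added illustration, not code from the patent. Assumptions (not specified on the
page): a security policy is a record of a ciphering flag, an integrity flag and
an ordinal strength level; the 'highest' of several stored policies is the one
that requires everything any of them requires at the maximum strength; a
candidate RAN entity satisfies a policy if its security capability offers each
required protection at that strength or above. Signal quality values,
thresholds and RAN names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool
    integrity: bool
    strength: int   # assumed ordinal level; higher means stronger


@dataclass(frozen=True)
class Measurement:
    """One entry of the UE measurement report: signal quality of a candidate."""
    ran_id: str
    signal_quality: int


def highest_policy(policies: Iterable[SecurityPolicy]) -> SecurityPolicy:
    """First security policy when the source RAN stores several target
    policies for the UE: the union of their requirements (assumed meaning)."""
    policies = list(policies)
    return SecurityPolicy(
        ciphering=any(p.ciphering for p in policies),
        integrity=any(p.integrity for p in policies),
        strength=max(p.strength for p in policies),
    )


def satisfies(required: SecurityPolicy, offered: SecurityPolicy) -> bool:
    """True when a RAN entity's capability 'offered' meets policy 'required'."""
    if required.ciphering and not offered.ciphering:
        return False
    if required.integrity and not offered.integrity:
        return False
    return offered.strength >= required.strength


def select_target_ran(report: List[Measurement],
                      capabilities: Dict[str, SecurityPolicy],
                      first_policy: SecurityPolicy,
                      min_signal_quality: int) -> Optional[str]:
    """Two-step selection from the page: (1) keep candidates that meet the
    signal quality requirement, (2) among them pick one that meets the first
    security policy. Candidates are tried best-signal first; a candidate with
    no known capability is skipped rather than assumed to comply. Returns None
    when no candidate meets both requirements, so the caller can decline to
    hand over instead of moving the UE to a RAN that weakens its protection."""
    candidates = sorted(
        (m for m in report if m.signal_quality >= min_signal_quality),
        key=lambda m: m.signal_quality, reverse=True)
    for m in candidates:
        cap = capabilities.get(m.ran_id)
        if cap is not None and satisfies(first_policy, cap):
            return m.ran_id
    return None


if __name__ == "__main__":
    # Constructed sample: two stored target policies, three measured candidates.
    stored = [SecurityPolicy(True, False, 1), SecurityPolicy(False, True, 2)]
    report = [Measurement("ran-A", 90), Measurement("ran-B", 70),
              Measurement("ran-C", 40)]
    caps = {"ran-A": SecurityPolicy(True, False, 3),
            "ran-B": SecurityPolicy(True, True, 2),
            "ran-C": SecurityPolicy(True, True, 3)}
    print(select_target_ran(report, caps, highest_policy(stored), 50))
```

In the constructed sample the strongest-signal candidate is passed over because it offers no integrity protection, and the candidate that would satisfy everything is never considered because its signal quality is below the threshold; the result is the candidate that meets both requirements.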
A ninth aspect of the present application provides a method for processing a security policy, including: a target RAN entity acquires a second message, where the second message is used to request handover of a session of a UE, and the second message includes a target security policy; the target RAN entity determines a ciphering and/or integrity protection policy of the UE according to the target security policy; and the target RAN entity establishes a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. In the embodiment of the present application, during handover of a UE session, when the security endpoint of the network is located on the radio access network side, the target radio access network establishes the radio bearer according to the received target security policy, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the ninth aspect of the embodiment of the present application, the acquiring, by the target RAN entity, the second message and the target security policy includes: the target RAN entity receives a second message sent by a first entity, where the second message is used to request handover of a session of the UE and includes a target security policy; or, the target RAN entity receives a second message sent by a first entity, where the second message is used to request handover of a session of the UE and includes a first identifier and the corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. This refines the acquired second message, increasing the feasibility and operability of the embodiment of the present application.
A tenth aspect of the embodiment of the present application provides a method for processing a security policy, including: a first entity acquires a first message of a user equipment UE, where the first message is used to request handover of a session of the UE; the first entity sends a second message to a target radio access network RAN entity of the UE, where the second message is used to request handover of a session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine a ciphering and/or integrity protection policy of the UE. In the embodiment of the present application, during handover of a UE session, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the tenth aspect of the embodiment of the present application, the acquiring, by the first entity, a first message of a user equipment UE includes: the first entity receives the first message sent by a source base station to which the UE is attached, and receives the target security policy together with the first message; or, the first entity receives a first message sent by a source base station to which the UE is attached, and the first entity obtains a target security policy stored by itself. This refines the process of obtaining the target security policy, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a second implementation manner of the tenth aspect of the embodiment of the present application, the acquiring, by the first entity, a first message of a user equipment UE, where the first message is used to request handover of a session of the UE, includes: the first entity receives the first message sent by a source base station to which the UE is attached, and receives a target RAN entity type of the UE together with the first message; the first entity sends a security policy request message to a security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines security endpoint information of the session to be handed over according to the target RAN entity type of the UE; and the first entity receives a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes security endpoint information of the session to be established of the UE. This refines the acquired first message, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a third implementation manner of the tenth aspect of the embodiment of the present application, the acquiring, by the first entity, a first message of a user equipment UE, where the first message is used to request handover of a session of the UE, includes: the first entity receives a first message sent by a source base station to which the UE is attached, and receives a target RAN entity type of the UE together with the first message; and the first entity determines security endpoint information of the session to be established of the UE according to the target RAN entity type of the UE. This refines the acquired first message, increasing the feasibility and operability of the embodiment of the present application.
An eleventh aspect of the present application provides a method for processing a security policy, where the method includes: a user equipment UE receives a correspondence between a second identifier and a target algorithm, sent by a first radio access network RAN entity, and receives a correspondence between a radio bearer identifier established/handed over by the first RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and the UE determines the algorithm used by the established/handed-over radio bearer according to the correspondence between the algorithm and the second identifier. In the embodiment of the present application, when the security endpoint of the network is located on the radio access network side, the user equipment establishes the radio bearer with the radio access network entity according to the obtained target security policy, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the eleventh aspect of the embodiment of the present application, the method further includes: the UE receives a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm; the UE stores the correspondence between the target algorithm and the second identifier; the UE receives a radio bearer establishment/handover request message sent by the first RAN entity, where the radio bearer establishment/handover request message includes a correspondence between a radio bearer identifier and a second identifier; and the UE determines the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. This adds a step of establishing/handing over the radio bearer according to the relationship between the second identifier and the target algorithm, provides a further implementation of the embodiment of the present application, and makes its steps more complete.
In a possible design, in a second implementation manner of the eleventh aspect of the embodiment of the present application, the method further includes: the UE receives a third message sent by the first RAN entity, where the third message includes a correspondence between a second identifier and a target algorithm and a correspondence between a radio bearer identifier established/handed over by the first RAN entity and the second identifier; and the UE determines the algorithm used by the established/handed-over radio bearer according to the correspondence between the target algorithm and the second identifier. This adds a step of establishing/handing over the radio bearer according to the relationship between the second identifier and the target algorithm, providing a further implementation of the embodiment of the present application.
In a possible design, in a third implementation manner of the eleventh aspect of the embodiment of the present application, the method further includes: when the user rejects the target algorithm, the UE sends a rejection message for the third message to the first RAN entity, and the UE enters an idle state; the UE selects a second RAN entity among the candidate RANs; and the UE establishes a connection with the second RAN entity. This adds steps for the case in which the user rejects the target security policy, providing a further implementation of the embodiment of the present application.
In a possible design, in a fourth implementation manner of the eleventh aspect of the embodiment of the present application, the method further includes: the UE receives security capability information broadcast by RAN entities; and the UE determines the first RAN entity or the second RAN entity according to the capabilities of the RAN entities and the security requirements of the UE. This adds a step in which the UE determines the first RAN entity or the second RAN entity, providing a further implementation of the embodiment of the present application.
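The UE-side procedure of the eleventh aspect, as an added illustration that is not the patent's own code: the UE stores the second-identifier-to-target-algorithm correspondence from the third message (or rejects it and goes idle), resolves each radio bearer identifier in the establishment/handover request to its algorithm through the second identifier, and, after a rejection, picks a second RAN entity from broadcast security capabilities. It assumes the UE's security requirement is a set of acceptable algorithm names and that a RAN entity's broadcast capability is the set of algorithm names it supports; the `UserEquipment` class, its method names and all algorithm, identifier and RAN names are constructed placeholders.

```python
"""UE-side handling of the third message, the radio bearer establishment/
handover request, rejection of the target algorithm and re-selection of a RAN.

Added illustration, not code from the patent. Assumptions (the page does not
define them): the UE's security requirement is the set of algorithm names it
will accept; a RAN entity's broadcast security capability is the set of
algorithm names it supports; the target algorithm in a correspondence is
represented by one name. All names are constructed placeholders.
"""
from typing import Dict, Optional, Set


class UserEquipment:
    def __init__(self, acceptable_algorithms: Set[str]) -> None:
        self.acceptable = set(acceptable_algorithms)   # UE security requirement
        self.algorithm_by_second_id: Dict[str, str] = {}
        self.bearer_algorithm: Dict[str, str] = {}
        self.state = "CONNECTED"
        self.serving_ran: Optional[str] = None

    def on_third_message(self, correspondence: Dict[str, str]) -> str:
        """Store second identifier -> target algorithm; return the message the
        UE answers with. A target algorithm the UE does not accept is rejected
        as a whole and the UE enters idle, rather than keeping the acceptable
        part of the correspondence and silently using a rejected algorithm."""
        if any(alg not in self.acceptable for alg in correspondence.values()):
            self.state = "IDLE"
            self.serving_ran = None
            return "reject"
        self.algorithm_by_second_id.update(correspondence)
        return "response"

    def on_bearer_request(self, bearer_to_second_id: Dict[str, str]) -> Dict[str, str]:
        """Resolve each radio bearer identifier to its algorithm through the
        stored correspondence. A bearer whose second identifier has no stored
        algorithm is an error: the UE must not establish it unprotected."""
        if self.state != "CONNECTED":
            raise RuntimeError("bearer request received while not connected")
        resolved: Dict[str, str] = {}
        for bearer_id, second_id in bearer_to_second_id.items():
            alg = self.algorithm_by_second_id.get(second_id)
            if alg is None:
                raise KeyError(f"no target algorithm stored for {second_id}")
            resolved[bearer_id] = alg
        self.bearer_algorithm.update(resolved)
        return resolved

    def on_combined_third_message(self, correspondence: Dict[str, str],
                                  bearer_to_second_id: Dict[str, str]
                                  ) -> Optional[Dict[str, str]]:
        """Second implementation manner: both correspondences arrive in one
        third message. Returns None when the target algorithm is rejected."""
        if self.on_third_message(correspondence) == "reject":
            return None
        return self.on_bearer_request(bearer_to_second_id)

    def select_ran(self, broadcasts: Dict[str, Set[str]]) -> Optional[str]:
        """Fourth implementation manner: pick a RAN entity whose broadcast
        security capability overlaps the UE's requirement, then connect."""
        for ran_id, capability in broadcasts.items():
            if capability & self.acceptable:
                self.serving_ran = ran_id
                self.state = "CONNECTED"
                return ran_id
        return None


if __name__ == "__main__":
    ue = UserEquipment({"CIPH-2", "INT-1"})
    print(ue.on_third_message({"session-7": "CIPH-2", "slice-1": "INT-1"}))
    print(ue.on_bearer_request({"rb-1": "session-7", "rb-2": "slice-1"}))
```

The two failure modes on the page are handled explicitly: a rejected target algorithm returns the rejection message and moves the UE to idle, and a bearer request naming a second identifier with no stored algorithm raises rather than falling through to an unprotected bearer.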
A twelfth aspect of the embodiment of the present application provides a functional entity, where the functional entity is a first entity, and includes: an obtaining unit, configured to obtain a first message and a target security policy for a user equipment UE, where the first message is used to establish a session of the UE; and a sending unit, configured to send a second message to a radio access network RAN entity of the UE, where the second message is used to create a context of the UE at the RAN entity, the second message includes the target security policy, and the target security policy is used by the RAN entity to determine a ciphering and/or integrity protection policy of the UE. In the embodiment of the present application, during initial context establishment, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the twelfth aspect of the embodiment of the present application, the obtaining unit includes: a first receiving subunit, configured to receive the first message sent by the UE, where the first entity receives the target security policy together with the first message; or, a second receiving subunit, configured to receive the first message sent by the UE, where the first message is used to establish a session; a first sending subunit, configured to send a security policy request message to a security policy management function entity; and a third receiving subunit, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy. This refines the obtaining process, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a second implementation manner of the twelfth aspect of the embodiment of the present application, the obtaining unit includes: a fourth receiving subunit, configured to receive the first message sent by the UE and to receive an access network type of the UE together with the first message; a second sending subunit, configured to send a security policy request message to the security policy management function entity, where the security policy request message includes the access network type of the UE, so that the security policy management function entity determines, according to the access network type of the UE, security endpoint information of the session to be established; and a fifth receiving subunit, configured to receive a security policy response message sent by the policy management entity, where the security policy response message includes the target security policy, and the target security policy includes security endpoint information of the session to be established of the UE. This refines the obtaining process, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a second implementation manner of the twelfth aspect of the embodiment of the present application, the obtaining unit includes: a fifth receiving subunit, configured to receive the first message sent by the UE and to receive an access network type of the UE together with the first message; and a determining subunit, configured to determine security endpoint information of the session to be established of the UE according to the access network type of the UE. This refines the obtaining process, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a third implementation manner of the twelfth aspect of the embodiment of the present application, the first entity further includes: a storage unit, configured to store the obtained target security policy. This adds a step of storing the target security policy, provides a further implementation of the embodiment of the present application, and makes its steps more complete.
A thirteenth aspect of the embodiment of the present application provides a radio access network entity, including: a first obtaining unit, configured to obtain a second message for a user equipment UE, where the second message includes a target security policy; a determining unit, configured to determine a ciphering and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE. In the embodiment of the present application, during initial context establishment, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the thirteenth aspect of the embodiment of the present application, the radio access network entity further includes: a second obtaining unit, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier, and the target security policy is the security policy corresponding to the first identifier. This adds a step of obtaining the first identifier, provides a further implementation of the embodiment of the present application, and makes its steps more complete.
In a possible design, in a second implementation manner of the thirteenth aspect of the embodiment of the present application, the radio access network entity further includes: a storage unit, configured to store the target security policy, or to store the correspondence between the first identifier and the target security policy. This adds a step of storing the target security policy, provides a further implementation of the embodiment of the present application, and makes its steps more complete.
In a possible design, in a third implementation manner of the thirteenth aspect of the embodiment of the present application, the determining unit includes: a determining subunit, configured to determine a target algorithm according to at least the target security policy and a security capability of the RAN entity, where the target algorithm is a ciphering and/or integrity protection algorithm for the UE; and the establishing unit includes: an establishing subunit, configured to establish/hand over the radio bearer according to the target algorithm. This refines the process of determining the protection policy, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a fourth implementation manner of the thirteenth aspect of the embodiment of the present application, the determining unit includes: the determining subunit, further configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is a ciphering and/or integrity protection algorithm used for the UE and corresponding to the first identifier; and the establishing subunit, further configured to establish/hand over the radio bearer according to the target algorithm. This refines the process of determining the protection policy, increasing the feasibility and operability of the embodiment of the present application.
In a possible design, in a fifth implementation manner of the thirteenth aspect of the embodiment of the present application, the determining subunit includes: a judging module, configured to judge whether a candidate algorithm meeting the target security policy exists; and a determining module, configured to determine, if candidate algorithms meeting the target security policy exist, the algorithm with the highest priority among the candidate algorithms as the target algorithm according to the security capability of the RAN entity. This refines the process of determining the target algorithm, increasing the feasibility and operability of the embodiment of the present application.
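The judging module and determining module of the fifth implementation manner, as an added illustration that is not the patent's own code: for each protection the target security policy requires, the RAN entity filters its supported algorithms down to those meeting the policy and, if any remain, takes the one with the highest priority. It assumes the policy carries ciphering and integrity flags plus a minimum ordinal strength, and that the RAN entity's security capability is a list of algorithms each with a kind, a strength and an operator-configured priority; the algorithm names are constructed placeholders, not standardised identifiers.

```python
"""Target-algorithm determination at the RAN entity: check whether any
candidate algorithm meets the target security policy and, if so, pick the
highest-priority one the RAN entity supports.

Added illustration, not code from the patent. Assumptions (not specified on
the page): the target security policy states whether ciphering and integrity
protection are required and a minimum ordinal strength; the RAN entity's
security capability is a list of supported algorithms, each with a kind, a
strength and an operator-configured priority (higher is preferred).
Algorithm names are constructed placeholders, not standardised identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool
    integrity: bool
    strength: int   # assumed minimum strength level the algorithm must reach


@dataclass(frozen=True)
class Algorithm:
    name: str
    kind: str       # "ciphering" or "integrity"
    strength: int   # assumed ordinal strength of the algorithm
    priority: int   # RAN-side preference; higher wins


def candidate_algorithms(policy: SecurityPolicy, kind: str,
                         capability: List[Algorithm]) -> List[Algorithm]:
    """Judging module: the supported algorithms of one kind that meet the policy."""
    return [a for a in capability
            if a.kind == kind and a.strength >= policy.strength]


def select_target_algorithm(policy: SecurityPolicy,
                            capability: List[Algorithm]
                            ) -> Optional[Dict[str, str]]:
    """Determining module. Returns {kind: algorithm name} for each protection
    the policy requires, or None if some required protection has no candidate
    that meets the policy; in that case the RAN entity must not fall back to a
    weaker algorithm, since that would silently violate the policy."""
    chosen: Dict[str, str] = {}
    for kind, required in (("ciphering", policy.ciphering),
                           ("integrity", policy.integrity)):
        if not required:
            continue
        candidates = candidate_algorithms(policy, kind, capability)
        if not candidates:
            return None
        chosen[kind] = max(candidates, key=lambda a: a.priority).name
    return chosen


if __name__ == "__main__":
    # Constructed RAN security capability: two ciphering, two integrity algorithms.
    capability = [Algorithm("CIPH-1", "ciphering", 1, 10),
                  Algorithm("CIPH-2", "ciphering", 2, 20),
                  Algorithm("INT-1", "integrity", 1, 10),
                  Algorithm("INT-3", "integrity", 3, 5)]
    print(select_target_algorithm(SecurityPolicy(True, True, 1), capability))
    print(select_target_algorithm(SecurityPolicy(True, True, 3), capability))
```

Priority and strength are kept separate on purpose: the highest-priority algorithm is chosen only among those that already meet the policy, so an operator preference for a fast but weak algorithm cannot override a policy that demands a stronger one.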
In a possible design, in a sixth implementation manner of the thirteenth aspect of the embodiment of the present application, the establishing subunit includes: a first sending module, configured to send a third message to the UE, where the third message includes a correspondence between a target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier; a receiving module, configured to receive a response message for the third message sent by the UE; and a second sending module, configured to send a radio bearer setup/handover request message to the UE, where the radio bearer setup request message includes a correspondence between the radio bearer identifier to be set up/handed over and the second identifier, so that the UE determines the algorithm used by the radio bearer to be set up/handed over according to the correspondence between the target algorithm and the second identifier. This provides a specific implementation of establishing the radio bearer, improving the operability of the embodiment of the present application.
In a possible design, in a seventh implementation manner of the thirteenth aspect of the embodiment of the present application, the establishing subunit includes: a third sending module, configured to send a third message, where the third message includes a correspondence between the target algorithm and the second identifier and a correspondence between the identifier of the radio bearer established/handed over by the RAN entity and the second identifier, so that the UE determines, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/handed-over radio bearer, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier. This provides a specific implementation of establishing the radio bearer, improving the operability of the embodiment of the present application.
In a possible design, in an eighth implementation manner of the thirteenth aspect of the embodiment of the present application, the first obtaining unit includes: a first receiving subunit, configured to receive a second message sent by the first entity, where the second message is used to establish an initial context. This limits the second message, making the embodiment of the present application more logically consistent.
In a possible design, in a ninth implementation manner of the thirteenth aspect of the embodiment of the present application, the first obtaining unit includes: a second receiving subunit, configured to receive a second message sent by the first entity, where the second message is used for handover. This limits the second message, making the embodiment of the present application more logically consistent.
In a possible design, in a tenth implementation manner of the thirteenth aspect of the embodiment of the present application, the RAN entity is a target RAN entity, and the first obtaining unit includes: a third receiving subunit, configured to receive a second message sent by the source RAN entity, where the second message is used for handover. This limits the second message, making the embodiment of the present application more logically consistent.
A fourteenth aspect of an embodiment of the present application provides a functional entity, where the functional entity is a second entity, and the functional entity includes: an obtaining unit, configured to obtain a first message, where the first message is used to establish a session; a first sending unit, configured to send a security policy request message to a security policy management function entity; a first receiving unit, configured to receive a security policy response message, where the security policy response message includes a target security policy; and the second sending unit is used for sending the first message and also sending the target security policy. In the embodiment of the application, in the process of establishing the initial context, when the security endpoint of the network is located at the wireless access network side, the second entity sends the target security policy to the wireless access network entity, so that different services or different security requirements of users are met.
In a possible design, in a first implementation manner of the fourteenth aspect of the embodiment of the present application, the obtaining unit includes: a receiving subunit, configured to receive the first message, where the first message includes an access network type of the UE; a determining subunit, configured to determine an access network type of the UE; the second transmission unit includes: and the first sending subunit is configured to send the first message and send an access network type of the UE. The method and the device for obtaining the access network type increase the process of obtaining the access network type and increase the implementation mode of the embodiment of the application.
In a possible design, in a second implementation manner of the fourteenth aspect of the embodiment of the present application, the second entity further includes: a second receiving unit, configured to receive the first message and a security requirement of the UE; a third sending unit, configured to send a security policy request message to a security policy management function entity, where the security policy request message includes a security requirement of the UE; a third receiving unit, configured to receive a security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to a security requirement of the UE; and the fourth sending unit is used for sending the first message and also sending the target security policy. The method and the device for obtaining the target security policy have the advantages that the process of obtaining the target security policy according to the security requirement of the UE is added, and the implementation mode of the embodiment of the application is increased.
A fifteenth aspect of an embodiment of the present application provides a source wireless access network entity, including: a decision unit, configured to decide to initiate a handover process for a user equipment UE; a sending unit, configured to send a first message to a target RAN entity, where the first message is used to request handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier and a corresponding target security policy for the UE, and the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the wireless access network establishes the radio bearer according to the received target security policy, so that different services or different security requirements of users are met.
In one possible design, in a first implementation manner of the fifteenth aspect of the embodiment of the present application, the source radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE stored by the source RAN entity, or the highest security policy among the target security policies of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. This embodiment of the application adds a process of determining the target RAN entity according to the measurement report of the UE, providing a further implementation manner.
In one possible design, in a second implementation manner of the fifteenth aspect of the embodiment of the present application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities meeting a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity. This embodiment of the application refines the process of determining the target RAN entity, and increases the realizability and operability of the embodiment.
A sixteenth aspect of the embodiments of the present application provides a target radio access network entity, including: a first obtaining unit, configured to obtain a first message and a target security policy, where the first message is used to request handover; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In one possible design, in a first implementation manner of the sixteenth aspect of the embodiment of the present application, the target radio access network entity further includes: a second obtaining unit, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. This embodiment of the application adds the step of obtaining the first identifier, providing a further implementation manner and making the steps of the embodiment more complete.
In a possible design, in a second implementation manner of the sixteenth aspect of the embodiment of the present application, the first obtaining unit includes: a first receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover, and the first message includes a target security policy; or configured to receive a first message sent by a source RAN entity, where the first message is used to request handover, and the first message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. This embodiment of the application refines the obtained first message, and increases the realizability and operability of the embodiment.
In a possible design, in a third implementation manner of the sixteenth aspect of the embodiment of the present application, the first obtaining unit includes: a second receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover; a first sending subunit, configured to send a security policy request message to a first core network entity; and a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is the first entity or the second entity. This embodiment of the application refines the process of obtaining the target security policy, and increases the realizability and operability of the embodiment.
In a possible design, in a fourth implementation manner of the sixteenth aspect of the embodiment of the present application, the first obtaining unit includes: a fourth receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request handover; a second sending subunit, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, and a media stream identifier, and the first core network entity is the first entity or the second entity; and a fifth receiving subunit, configured to receive a security policy response message sent by the first entity, where the security policy response message includes the first identifier and the corresponding target security policy. This embodiment of the application refines the process of obtaining the target security policy, and increases the realizability and operability of the embodiment.
In a possible design, in a fifth implementation manner of the sixteenth aspect of the embodiment of the present application, the target radio access network entity further includes: a sending unit, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE, where the first core network entity is the first entity or the second entity; or configured to send the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier of the UE, where the first core network entity is the first entity or the second entity. This embodiment of the application adds the step of verifying whether the target security policy is correct, providing a further implementation manner and making the steps of the embodiment more complete.
A seventeenth aspect of an embodiment of the present application provides a core network entity, including: a first receiving unit, configured to receive a security policy request message sent by a radio access network RAN entity; and a first sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in a first implementation manner of the seventeenth aspect of the embodiment of the present application, the core network entity further includes: a second receiving unit, configured to receive the security policy request message sent by the RAN entity, where the security policy request message further includes a first identifier, and the first identifier includes any one of a slice identifier, a session identifier, and a media stream identifier; and a second sending unit, configured to send a security policy response message to the RAN entity, where the security policy response message includes the target security policy, and the target security policy is the target security policy corresponding to the first identifier. This embodiment of the application adds the process in which the core network entity sends the target security policy, providing a further implementation manner.
In a possible design, in a second implementation manner of the seventeenth aspect of the embodiment of the present application, the core network entity is the first entity or the second entity. This embodiment of the application restricts the core network entity, making the embodiment more logical.
An eighteenth aspect of the embodiments of the present application provides a core network entity, including: a first receiving unit, configured to receive a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover process; and a first verification unit, configured to verify whether the target security policy is correct according to the saved security policy of the UE. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the core network entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in a first implementation manner of the eighteenth aspect of this embodiment, the core network entity further includes: a second receiving unit, configured to receive a first identifier and the target security policy corresponding to the first identifier sent by the target RAN entity, where the first identifier and the corresponding target security policy are obtained by the target RAN entity from a source RAN entity in a handover process; and a second verification unit, configured to verify whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier. This embodiment of the application adds the process in which the core network entity sends the target security policy, providing a further implementation manner.
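The check performed by the core network entity in the fifth implementation of the sixteenth aspect and in the eighteenth aspect (comparing the target security policies forwarded by the target RAN entity with the stored policies of the UE), as an added example that is not the patent's own code; the set representation of a policy, the finding categories and the sample values are assumptions of this example.

```python
from typing import Dict, FrozenSet, List, NamedTuple

# Assumed representation of a security policy: the set of protections
# ("encryption", "integrity") the UE's radio bearer must apply. The page does
# not fix an encoding; the set model is an assumption of this example.
Policy = FrozenSet[str]


class Finding(NamedTuple):
    """One discrepancy between what the target RAN reports and what the core network stores."""
    identifier: str   # session/slice/media stream identifier, or "*" for the identifier-less case
    kind: str         # "unknown-identifier", "downgrade" or "mismatch"
    expected: Policy
    received: Policy


def verify_policy_map(received: Dict[str, Policy], stored: Dict[str, Policy]) -> List[Finding]:
    """Check every (first identifier, target security policy) pair the target RAN
    forwarded against the (identifier -> security policy) relationship stored for the UE.

    A received policy that lacks a protection the stored one requires is reported
    as a downgrade, the case that matters most during a handover; any other
    difference is a plain mismatch. An empty list means the forwarded policies
    are correct; how a failed check is handled is left to the caller.
    """
    findings: List[Finding] = []
    for identifier, policy in received.items():
        expected = stored.get(identifier)
        if expected is None:
            findings.append(Finding(identifier, "unknown-identifier", frozenset(), policy))
        elif policy == expected:
            continue
        elif policy < expected:   # proper subset: some required protection was dropped
            findings.append(Finding(identifier, "downgrade", expected, policy))
        else:
            findings.append(Finding(identifier, "mismatch", expected, policy))
    return findings


def verify_single_policy(received: Policy, stored: Policy) -> List[Finding]:
    """Identifier-less variant: one target security policy for the UE against the saved one."""
    return verify_policy_map({"*": received}, {"*": stored})


def policies_are_correct(received: Dict[str, Policy], stored: Dict[str, Policy]) -> bool:
    return not verify_policy_map(received, stored)


# Constructed sample: what the core network stored for the UE, and what the target
# RAN received from the source RAN during handover and forwarded for verification.
STORED: Dict[str, Policy] = {
    "session-1": frozenset({"encryption", "integrity"}),
    "slice-2": frozenset({"encryption"}),
}
FORWARDED: Dict[str, Policy] = {
    "session-1": frozenset({"encryption"}),   # integrity protection dropped
    "slice-2": frozenset({"encryption"}),     # matches the stored policy
    "media-9": frozenset({"encryption"}),     # identifier the core network never stored
}

if __name__ == "__main__":
    for f in verify_policy_map(FORWARDED, STORED):
        print(f"{f.identifier}: {f.kind} (expected {sorted(f.expected)}, received {sorted(f.received)})")
```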
In a possible design, in a second implementation manner of the eighteenth aspect of this embodiment of the present application, the core network entity is the first entity or the second entity. This embodiment of the application restricts the core network entity, making the embodiment more logical.
A nineteenth aspect of the embodiments of the present application provides a source radio access network entity, including: a decision unit, configured to decide to initiate a handover process for a user equipment UE; a sending unit, configured to send a first message to a first entity, where the first message is used to request handover, and the first message includes a target security policy for the UE, or includes a first identifier and a corresponding target security policy for the UE, where the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, and a media stream identifier. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In a possible design, in a first implementation manner of the nineteenth aspect of the embodiment of the present application, the source radio access network entity further includes: a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE stored by the source RAN entity, or the highest security policy among the target security policies of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities. This embodiment of the application adds a process of determining the target RAN entity according to the measurement report of the UE, providing a further implementation manner.
In a possible design, in a second implementation manner of the nineteenth aspect of the embodiment of the present application, the determining unit includes: a first determining subunit, configured to determine, according to the measurement report, the candidate RAN entities meeting a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities; and a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity. This embodiment of the application refines the process of determining the target RAN entity, and increases the realizability and operability of the embodiment.
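The two-stage target selection of the fifteenth and nineteenth aspects (candidates filtered by signal quality, then by the first security policy), as an added worked example rather than code from the patent. Security policies are modelled as sets of required protections and the "highest" stored policy as their union; the RAN capability table, the signal threshold, the best-signal tie-break and the sample values are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed representation of a security policy: the set of user-plane protections
# the radio bearer must apply. The page says only that the target security policy
# fixes the encryption and/or integrity protection of the UE; the set model and
# the "highest = union" rule below are assumptions of this example.
Policy = FrozenSet[str]
ENCRYPTION = "encryption"
INTEGRITY = "integrity"


@dataclass(frozen=True)
class Measurement:
    """One entry of the UE's measurement report (constructed sample data)."""
    ran_id: str
    rsrp_dbm: float  # signal quality of the candidate RAN entity as seen by the UE


def highest_policy(stored: Dict[str, Policy]) -> Policy:
    """The 'first security policy' used for target selection.

    With a single stored policy this is that policy; with several (one per
    session/slice/media stream) it is the strongest one, taken here as the policy
    requiring every protection any stored policy requires (assumption).
    """
    first: Policy = frozenset()
    for policy in stored.values():
        first = first | policy
    return first


def candidates_by_signal_quality(report: List[Measurement], threshold_dbm: float) -> List[Measurement]:
    """Step 1: candidate RAN entities whose signal quality meets the requirement."""
    return [m for m in report if m.rsrp_dbm >= threshold_dbm]


def select_target_ran(report: List[Measurement], stored_policies: Dict[str, Policy],
                      ran_capabilities: Dict[str, Policy], threshold_dbm: float = -110.0) -> Optional[str]:
    """Step 2: among the candidates, pick a RAN entity that meets the first security policy.

    ran_capabilities maps a RAN entity id to the protections it can apply (how the
    source RAN learns them is outside this example). Among the entities that satisfy
    the policy the strongest signal wins (assumption); if none does, no target is
    returned, so the handover cannot proceed without weakening the UE's protection.
    """
    first_policy = highest_policy(stored_policies)
    good_signal = candidates_by_signal_quality(report, threshold_dbm)
    secure = [m for m in good_signal
              if first_policy <= ran_capabilities.get(m.ran_id, frozenset())]
    if not secure:
        return None
    return max(secure, key=lambda m: m.rsrp_dbm).ran_id


# Constructed sample data: two stored policies for the UE and three candidate RAN entities.
SAMPLE_POLICIES: Dict[str, Policy] = {
    "session-1": frozenset({ENCRYPTION}),
    "slice-2": frozenset({ENCRYPTION, INTEGRITY}),
}
SAMPLE_REPORT = [
    Measurement("gnb-A", -95.0),   # best signal, but cannot apply integrity protection
    Measurement("gnb-B", -102.0),  # meets both requirements
    Measurement("gnb-C", -115.0),  # capable, but below the signal quality threshold
]
SAMPLE_CAPABILITIES: Dict[str, Policy] = {
    "gnb-A": frozenset({ENCRYPTION}),
    "gnb-B": frozenset({ENCRYPTION, INTEGRITY}),
    "gnb-C": frozenset({ENCRYPTION, INTEGRITY}),
}

if __name__ == "__main__":
    print("first security policy:", sorted(highest_policy(SAMPLE_POLICIES)))
    print("target RAN entity:", select_target_ran(SAMPLE_REPORT, SAMPLE_POLICIES, SAMPLE_CAPABILITIES))
```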
A twentieth aspect of the embodiments of the present application provides a target radio access network entity, including: an obtaining unit, configured to obtain a second message, where the second message is used to request handover, and the second message includes a target security policy; a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy; and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, so that the different security requirements of different services or users are met.
In one possible design, in a first implementation manner of the twentieth aspect of the embodiment of the present application, the obtaining unit includes: a receiving subunit, configured to receive a second message sent by a first entity, where the second message is used to request handover, and the second message includes a target security policy; or configured to receive a second message sent by the first entity, where the second message is used to request handover, and the second message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier. This embodiment of the application refines the obtained second message, and increases the realizability and operability of the embodiment.
A twenty-first aspect of an embodiment of the present application provides a functional entity, where the functional entity is a first entity, and includes: an obtaining unit, configured to obtain a first message of a user equipment UE, where the first message is used to request to switch a session of the UE; and a sending unit, configured to send a second message to a target radio access network RAN entity of the UE, where the second message is used to request to switch the session of the UE, the second message includes a target security policy, and the target security policy is used by the target RAN entity to determine an encryption and/or integrity protection policy of the UE. In this embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located on the radio access network side, the first entity sends the target security policy to the radio access network entity, so that the different security requirements of different services or users are met.
In a possible design, in a first implementation manner of the twenty-first aspect of the embodiment of the present application, the obtaining unit includes: a first receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, where the first entity receives the target security policy while receiving the first message; or configured to receive a first message sent by a source base station to which the UE is attached, and to acquire a target security policy stored by the first entity. This embodiment of the application refines the process of obtaining the target security policy, and increases the realizability and operability of the embodiment.
In a possible design, in a second implementation manner of the twenty-first aspect of the embodiment of the present application, the obtaining unit includes: a second receiving subunit, configured to receive the first message sent by a source base station to which the UE is attached, and to receive a target RAN entity type of the UE while receiving the first message; a sending subunit, configured to send a security policy request message to a security policy management function entity, where the security policy request message includes the target RAN entity type of the UE, so that the security policy management function entity determines, according to the target RAN entity type of the UE, security endpoint information of the session to be switched; and a third receiving subunit, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes the target security policy, and the target security policy includes security endpoint information of the session to be established for the UE. This embodiment of the application refines the obtained first message, and increases the realizability and operability of the embodiment.
In a possible design, in a third implementation manner of the twenty-first aspect of the embodiment of the present application, the obtaining unit includes: a fourth receiving subunit, configured to receive a first message sent by a source base station to which the UE is attached, and to receive a target RAN entity type of the UE while receiving the first message; and a determining subunit, configured to determine the security endpoint information of the session to be established for the UE according to the target RAN entity type of the UE. This embodiment of the application refines the obtained first message, and increases the realizability and operability of the embodiment.
A twenty-second aspect of an embodiment of the present application provides a user equipment, including: a first receiving unit, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive a correspondence between a radio bearer identifier established/switched by the RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; and a first determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the algorithm and the second identifier. In this embodiment of the application, when the security endpoint of the network is located on the radio access network side, the user equipment establishes the radio bearer with the radio access network entity according to the obtained target security policy, so that the different security requirements of different services or users are met.
In one possible design, in a first implementation manner of the twenty-second aspect of the embodiment of the present application, the user equipment further includes: a second receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm; a storage unit, configured to store the correspondence between the target algorithm and the second identifier; a third receiving unit, configured to receive a radio bearer setup/handover request message sent by the first RAN entity, where the radio bearer setup/handover request message includes the correspondence between the identifier of the radio bearer to be set up/handed over and the second identifier; and a second determining unit, configured to determine the algorithm used by the established/switched radio bearer according to the correspondence between the target algorithm and the second identifier. This embodiment of the application adds the step of establishing/switching the radio bearer according to the relationship between the second identifier and the target algorithm, providing a further implementation manner and making the steps of the embodiment more complete.
In a possible design, in a second implementation manner of the twenty-second aspect of the embodiment of the present application, the user equipment further includes: a third receiving unit, configured to receive a third message sent by the first RAN entity, where the third message includes the correspondence between the second identifier and the target algorithm and the correspondence between the radio bearer identifier established/handed over by the first RAN entity and the second identifier; and a third determining unit, configured to determine, according to the correspondence between the target algorithm and the second identifier, the algorithm used by the established/switched radio bearer. This embodiment of the application adds the step of establishing/switching the radio bearer according to the relationship between the second identifier and the target algorithm, providing a further implementation manner.
In a possible design, in a third implementation manner of the twenty-second aspect of the embodiment of the present application, the user equipment further includes: a sending unit, configured to send a reject message for the third message to the first RAN entity when the user rejects the target algorithm, after which the UE enters an idle state; a selecting unit, configured to select a second RAN entity among the candidate RAN entities; and an establishing unit, configured to establish a connection with the second RAN entity. This embodiment of the application adds the steps performed when the user rejects the target security policy, providing a further implementation manner.
In a possible design, in a fourth implementation manner of the twenty-second aspect of the embodiment of the present application, the user equipment further includes: a fourth receiving unit, configured to receive security capability information broadcast by RAN entities; and a fourth determining unit, configured to determine the first RAN entity or the second RAN entity according to the capability of a RAN entity and the security requirement of the UE. This embodiment of the application adds a step in which the UE determines the first RAN entity or the second RAN entity, providing a further implementation manner.
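The UE-side behaviour of the twenty-second aspect (storing the second identifier to target algorithm correspondence, resolving the algorithm of a set-up/handed-over radio bearer through that correspondence, rejecting an unacceptable algorithm and going idle, then reselecting a RAN entity from the broadcast security capabilities), as an added example that is not the patent's own code. Algorithm names, the UE's acceptable set, its security requirement and the sample RAN entities are constructed assumptions.

```python
from typing import Dict, FrozenSet, Optional, Set

# Assumptions of this example: target algorithms are named by strings (the sample
# uses the 5G NR ciphering algorithm names NEA0..NEA3 purely as illustrative values),
# and the UE's security requirement is the set of protections it insists on.


class UserEquipment:
    """UE-side handling of the correspondences described in the twenty-second aspect."""

    def __init__(self, acceptable_algorithms: Set[str], security_requirement: FrozenSet[str]):
        self.acceptable_algorithms = acceptable_algorithms
        self.security_requirement = security_requirement
        self.algorithm_by_identifier: Dict[str, str] = {}  # second identifier -> target algorithm
        self.identifier_by_bearer: Dict[str, str] = {}     # radio bearer identifier -> second identifier
        self.state = "connected"
        self.serving_ran: Optional[str] = "gnb-1"          # constructed initial first RAN entity

    def receive_third_message(self, correspondence: Dict[str, str],
                              bearer_map: Optional[Dict[str, str]] = None) -> Optional[Dict[str, str]]:
        """Third message from the first RAN entity: (second identifier -> target algorithm),
        optionally carrying (radio bearer identifier -> second identifier) in the same message.

        Returns None when accepted, or the reject message to send back when any proposed
        target algorithm is not acceptable to the UE, which then enters the idle state
        without storing anything from the rejected message.
        """
        rejected = sorted(a for a in correspondence.values() if a not in self.acceptable_algorithms)
        if rejected:
            self.state = "idle"
            self.serving_ran = None
            return {"type": "reject", "reason": "algorithm-not-acceptable", "algorithms": ",".join(rejected)}
        self.algorithm_by_identifier.update(correspondence)   # the storage unit
        if bearer_map:
            self.identifier_by_bearer.update(bearer_map)
        return None

    def receive_bearer_setup(self, bearer_map: Dict[str, str]) -> None:
        """Radio bearer setup/handover request: (radio bearer identifier -> second identifier)."""
        self.identifier_by_bearer.update(bearer_map)

    def algorithm_for_bearer(self, bearer_id: str) -> Optional[str]:
        """Two-step lookup: bearer -> second identifier -> target algorithm; None if a link is missing."""
        identifier = self.identifier_by_bearer.get(bearer_id)
        if identifier is None:
            return None
        return self.algorithm_by_identifier.get(identifier)

    def select_second_ran(self, broadcasts: Dict[str, FrozenSet[str]]) -> Optional[str]:
        """After a rejection: from the broadcast security capabilities, pick a RAN entity
        able to provide every protection the UE requires and connect to it."""
        for ran_id, capability in broadcasts.items():
            if self.security_requirement <= capability:
                self.serving_ran = ran_id
                self.state = "connected"
                return ran_id
        return None


# Constructed sample values.
ACCEPTABLE = {"NEA1", "NEA2", "NEA3"}          # the UE refuses the null cipher NEA0
REQUIREMENT = frozenset({"encryption", "integrity"})
BROADCASTS = {"gnb-X": frozenset({"encryption"}), "gnb-Y": frozenset({"encryption", "integrity"})}


def accepted_scenario() -> UserEquipment:
    """Third message accepted, then two bearers mapped to their second identifiers."""
    ue = UserEquipment(ACCEPTABLE, REQUIREMENT)
    ue.receive_third_message({"session-1": "NEA2", "slice-2": "NEA1"})
    ue.receive_bearer_setup({"rb-1": "session-1", "rb-2": "slice-2"})
    return ue


def rejected_scenario() -> UserEquipment:
    """Third message proposes the null cipher: UE rejects, goes idle, reselects a RAN entity."""
    ue = UserEquipment(ACCEPTABLE, REQUIREMENT)
    ue.receive_third_message({"session-1": "NEA0"}, {"rb-1": "session-1"})
    ue.select_second_ran(BROADCASTS)
    return ue


if __name__ == "__main__":
    print("rb-2 uses", accepted_scenario().algorithm_for_bearer("rb-2"))
    print("after rejection the UE connects to", rejected_scenario().serving_ran)
```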
A twenty-third aspect of embodiments of the present application provides a computer-readable storage medium having stored therein instructions, which, when executed on a computer, cause the computer to perform the method of the above-described aspects.
A twenty-fourth aspect of embodiments of the present application provides a computer program product containing instructions that, when executed on a computer, cause the computer to perform the method of the above-described aspects.
According to the technical scheme, the embodiment of the application has the following advantages:
In the technical solution provided by the embodiment of the application, a Radio Access Network (RAN) entity acquires a first message for User Equipment (UE), where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiment of the application thus meets the different security requirements of different services or users between the UE and the RAN entity.
Drawings
FIG. 1 is a diagram illustrating a conventional network architecture;
FIG. 2 is a schematic diagram illustrating an embodiment of a method for processing a security policy according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a specific procedure for establishing a radio bearer in an embodiment of the present application;
FIG. 4 is a schematic diagram of another embodiment of a method for processing a security policy provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of another embodiment of a method for processing a security policy provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of an embodiment of a session management function entity in an embodiment of the present application;
FIG. 7 is a schematic diagram of an embodiment of a radio access network entity in an embodiment of the present application;
FIG. 8 is a schematic diagram of an embodiment of an access and mobility management function entity in an embodiment of the present application;
FIG. 9 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 10 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 11 is a schematic diagram of an embodiment of a core network entity in an embodiment of the present application;
FIG. 12 is a schematic diagram of another embodiment of a core network entity in an embodiment of the present application;
FIG. 13 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 14 is a schematic diagram of another embodiment of a radio access network entity in an embodiment of the present application;
FIG. 15 is a schematic diagram of another embodiment of a session management function entity in an embodiment of the present application;
FIG. 16 is a schematic diagram of an embodiment of a user equipment in an embodiment of the present application;
FIG. 17a is a schematic diagram of another embodiment of a user equipment in an embodiment of the present application;
FIG. 17b is a schematic diagram of another embodiment of a user equipment in an embodiment of the present application;
FIG. 18 is a schematic diagram of an embodiment of a functional entity apparatus in an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method for processing a security policy, which is used for meeting different security requirements of different services or users between UE and a RAN entity.
To enable those skilled in the art to better understand the solution of the present application, the embodiments of the present application are described below with reference to the accompanying drawings.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a schematic diagram of the architecture of a Next Generation (NG) mobile communication system, a system architecture widely accepted and recognized in the 3rd Generation Partnership Project (3GPP) standard development. The architecture is composed of User Equipment (UE), an Access Network (AN), a Core Network (CN) and a Data Network; the UE, the access network and the core network are the main components of the architecture, and logically they can be divided into two parts, the user plane and the control plane, where the control plane is responsible for management of the mobile network and the user plane is responsible for transmission of service data.
UE: the entry point for interaction between a mobile user and the network. It provides basic computing and storage capability, displays a service window to the user and accepts the user's operation input. A Next Generation UE supports the Next Generation air interface technology, establishes a signalling connection and a data connection with the access network, and transmits control signalling and service data to the mobile network.
AN: similar to a base station in a traditional network, it is deployed at a position close to the UE, provides the network access function for authorized users in a specific area, and can transmit user data over transmission tunnels of different quality according to the user level, service requirements and the like. The AN manages its own resources, uses them reasonably, provides access service for the UE as required, and forwards control signalling and user data between the UE and the CN.
CN: responsible for maintaining the subscription data of the mobile network, managing the network elements of the mobile network, and providing session management, mobility management, policy management, security authentication and other functions for the UE. When the UE attaches, it provides network access authentication for the UE; when the UE has a service request, it allocates network resources to the UE; when the UE moves, it updates the network resources for the UE; when the UE is idle, it provides a fast recovery mechanism for the UE; when the UE detaches, it releases the network resources of the UE; and when the UE has service data, it provides a data routing function for the UE, such as forwarding uplink data to the data network, or receiving downlink data destined for the UE from the data network, forwarding it to the AN and delivering it to the UE.
Data Network: a data network that provides services to users; generally, the client is located in the UE and the server is located in the data network. The data network may be a private network such as a local area network, an external network not controlled by the operator such as the Internet, or a private network co-deployed by the operator, for example for providing the IP Multimedia Subsystem (IMS) service.
In an existing Evolved universal terrestrial radio access network (E-UTRAN), a UE may propose a security requirement; a security policy control function entity in the network determines a security policy according to the security requirement of the UE and the security capability of a User Plane Gateway (UPGW), so that an SM entity generates a session key according to the determined security policy, the SM sends the generated session key to the UPGW and sends the determined security policy to the UE, and the UE generates the same session key, thereby implementing security protection between the UE and the UPGW. The prior art only considers the determination and implementation of the security policy between the UE and the UPGW; however, for some access technologies, such as evolved E-UTRAN, the security termination point between the UE and the network is still on the Radio Access Network (RAN) side, and the prior art does not consider how the entity between the UE and the RAN implements the different security requirements of different services or users.
In the application, a Radio Access Network (RAN) entity acquires a first message for User Equipment (UE), where the first message includes a target security policy; the RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy; and the RAN entity establishes the radio bearer according to the determined encryption and/or integrity protection policy of the UE. The embodiment of the application meets the different security requirements of different services or users between the UE and the RAN entity. In the embodiment of the application, when the security endpoint of the network is located on the radio access network side, the radio access network establishes the radio bearer according to the received target security policy, thereby meeting the different security requirements of different services or users.
In this application, the "first entity" is an entity that implements a session management function, and the "second entity" is an entity that implements an access and mobility management function, and for convenience of description and understanding, in the embodiments of the present application, the "first entity" is referred to as a "session management function entity" and the "second entity" is referred to as an "access and mobility management function entity". It can be understood that the "access and mobility management functional entity" referred to in this application is a name of a core network entity that implements access and mobility management for the terminal device, and the "session management functional entity" is an abbreviation of a core network entity that implements session management for the terminal device by the core network.
For convenience of understanding, a specific flow of the embodiment of the present application is described below, and referring to fig. 2, an embodiment of a method for processing a security policy in the embodiment of the present application includes:
201. The user equipment UE configures the security capability requirement.
The user equipment UE receives the security capability requirement set by the user, and the user can set the security requirement applied to all services or the security requirement applied to a specific service.
202. The UE attaches to the network.
The UE attaches to the network and performs mutual authentication with the core network.
It should be noted that the UE attaches to the network through the RAN entity, and the broadcast information of the RAN entity includes the highest security capability supported by the RAN entity. The UE selects a cell meeting its security capability requirement according to the information broadcast by the RAN entity. The UE may subsequently enter an idle state, and when the UE enters a connected state from the idle state, it selects a cell meeting its security capability requirement in the same manner.
203. The UE sends a session establishment request message, where the session establishment request message includes the security capability requirement of the UE.
The UE sends a session establishment request message to the core network, where the session establishment request message contains the security capability requirement of the UE.
It should be noted that the session establishment request message further includes a UE identity, Network Slice Selection Assistance Information (NSSAI), and other Information.
It will be appreciated that NSSAI may include the type of service and other information used to select a slice, as well as an identification of a slice.
204. The access and mobility management function entity AMF receives the session establishment request message and sends the session establishment request message to the session management function entity SMF.
An Access and Mobility Management Function (AMF) entity receives the session establishment request message sent by the UE, and forwards the received session establishment request message to a Session Management Function (SMF) entity.
It should be noted that the AMF carries the UE access network type in the session establishment request message sent to the SMF, for example, the access network is evolved E-UTRAN or next generation Radio access network (New Radio, NR), and the AMF may determine the access network type of the UE according to a RAN entity identifier of the UE access network.
It can be understood that when the AMF selects the SMF, the security capability requirement of the UE is considered, and the SMF that can satisfy the security requirement of the UE is selected as much as possible.
205. The SMF sends a session policy request message to a security policy management function entity.
The SMF sends a session policy request message to a security policy management function entity; the session policy request message is used to request a security policy from the security policy management function entity and contains the security requirement of the UE. If the session establishment request message received by the SMF contains NSSAI, the session policy request message also contains the NSSAI, which is used to request the security policy of the slice corresponding to the NSSAI.
It should be noted that the session policy request message may further include the UE access network type, which the security policy management function entity uses to determine the security termination point according to the access network type of the UE. The security policy management function entity determines the security policy of the session according to the security requirement of the UE, the security requirement of the service and the operator's security policy.
The specific form of the security policy may be whether encryption or integrity protection policy information is needed, and/or a security requirement policy, where the security requirement policy may be any form such as security level information, a minimum key length needed for maintaining data security, or a security algorithm meeting security requirements, and the application does not limit the specific form; optionally, the security policy includes security endpoint information of the session.
206. The security policy management function entity determines the security policy of the UE, where the policy is the target security policy.
The security policy management function entity determines the security policy of the UE, where the policy is the target security policy.
207. And the SMF receives a session policy response message sent by the security policy management function entity.
The SMF receives a session policy response message sent by a security policy management function entity, wherein the session policy response message comprises a security policy of the UE determined by the security policy management function entity, and the policy is a target security policy.
In alternative embodiments, the SMF applies the security policy obtained from the security policy management function to different situations, or the SMF applies it to different situations depending on the content of the security policy obtained from the security policy management function. For example, a security policy is applied to the slice, or a security policy is applied to the session, or a security policy is applied to the media stream.
It should be noted that the security policy management functional entity may be integrated into one entity alone, or integrated with other functional entities respectively.
208. The SMF establishes a session with the core network.
The SMF initiates a session establishment process to establish a session with the core network.
Optionally, in the process, the SMF determines a security termination point of the session, and in this step, the SMF determines the security termination point of the session according to the access network type acquired from the AMF.
It should be noted that, in this embodiment of the present application, the SMF or the security policy management function entity determines that the security endpoint of the session is on the access network side.
209. The SMF sends an initial context setup request message to the AMF, wherein the initial context setup request message comprises the target security policy.
The SMF sends an initial context setup request message to the RAN entity through the AMF, the initial context setup request message including the target security policy.
It should be noted that, when the target security policy is applied to a certain slice, the initial context setup request message further includes an identifier of the slice; the specific form may be the network slice selection assistance information NSSAI, or another slice identifier recognized by the SMF, and it is used to indicate that the security policy corresponds to the slice.
It is to be understood that the target security policy may also be applied to all Radio Bearers (RBs) of the UE, or to a certain session, or to a certain data flow, and the target security policy is configured according to the service requirements of the operator. For example, when the target security policy is applied to a certain session, the initial context setup request message includes a session identification; when the security policy is applied to a certain data flow, the initial context setup request message includes the data flow identification.
It is to be understood that the initial context setup request message contains the identifier of the session to which the established radio bearer belongs; when the radio bearer requested to be established belongs to a media stream, the initial context setup request message contains the media stream identifier; if the radio bearer requested to be established belongs to a slice, the initial context setup request message contains the slice identifier. If the slice identifier, session identifier or media stream identifier already corresponds to the target security policy, that is, the initial context setup request message carries the correspondence between the target security policy and the identifier, the slice identifier, session identifier or media stream identifier does not need to be carried again in the initial context setup request message.
210. The AMF sends the acquired initial context setup request message to the RAN entity, where the initial context setup request message includes the target security policy.
The AMF sends the initial context setup request message acquired from the SMF to the RAN entity, where the initial context setup request message includes the target security policy, or the target security policy together with the corresponding identification information.
It should be noted that, when the AMF sends the initial context setup request message to the RAN entity, the AMF may add other information while encapsulating the message. For example, the initial context setup request message may also carry a key (e.g., Kenb) that the RAN entity side requires for security protection of signaling and data, and the RAN entity side generates, according to that key, the target key required for encryption and/or integrity protection. It can be understood that the key used to generate the target key may be produced in various ways: it may be generated by the AMF, for example the AMF obtains the root key from the Security Anchor Function (SEAF) and derives the key required by the corresponding RAN entity; it may be generated by the SEAF and obtained from the SEAF by the AMF; or it may be acquired by the SMF in step 209 and carried in the initial context setup request message of step 209, for example the SMF obtains the key required by the RAN entity side from the SEAF, or the SMF derives the key required by the RAN entity side from a root key generated by the SEAF. The required key may apply to all radio bearers RB of the UE, or to a specific slice or session.
211. The RAN entity maintains the security policy.
The RAN entity receives an initial context establishment request message, the initial context establishment request message comprises a target security policy, and the RAN entity stores the target security policy after acquiring the target security policy.
It should be noted that, when the target security policy is applied to different situations, the RAN entity needs to store the corresponding relationship between the security policy and the identifier. For example, if the target security policy corresponds to the slice, the RAN entity stores the correspondence between the security policy and the slice identifier; if the target security policy corresponds to the radio bearer RB, the RAN generates a radio bearer identifier and stores the corresponding relationship between the security policy and the radio bearer identifier; if the target security policy corresponds to the session, the RAN entity stores the corresponding relationship between the security policy and the session identifier; if the target security policy corresponds to the media stream, the RAN entity stores the corresponding relationship between the target security policy and the media stream identifier.
It is to be appreciated that the target security policy is utilized to generate a corresponding security context from which the RAN entity establishes the radio bearer.
212. The RAN entity determines the ciphering and/or integrity protection policy for the UE according to the target security policy.
If the target security policy specifies a security requirement, the RAN entity judges whether a candidate algorithm meeting the security requirement of the target security policy exists, where a candidate algorithm is an algorithm in a preset algorithm list. At the same time, the RAN entity also considers the security capability of the UE and selects, from the candidate algorithms, those that conform to the security capability of the UE. If candidate algorithms exist that both meet the security requirement of the target security policy and conform to the UE capability, the RAN entity determines, according to its own security capability configuration, the highest-priority algorithm among those qualifying candidates as the target encryption and/or integrity protection algorithm. If no candidate algorithm meets the security requirement of the target security policy, the RAN entity determines the highest-priority algorithm among the preset algorithms that conforms to the UE capability as the target algorithm.
It should be noted that, when the service needs to process data or signaling, and the processing is encryption and/or integrity protection, the RAN entity first selects an encryption and/or integrity protection algorithm according to the target security policy, its own security capability configuration and UE capability determined by the core network, and according to the above principle; when the service does not need to be encrypted or integrity protected, the target security policy specifies that signaling or data does not need to be encrypted or integrity protected, and then the RAN entity does not implement corresponding security protection according to the target security policy and does not determine an encryption and/or integrity protection algorithm any more.
Determining the encryption and/or integrity protection policy according to the target security policy is not limited to determining the encryption and/or integrity protection algorithm, but may also be used to determine the key length according to the security requirements of the target security policy.
When the target policy applies to different situations, the determined encryption and/or integrity protection policy is the encryption and/or integrity protection policy corresponding to the identity in that situation.
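The selection rule of step 212, written out as an added Python example; this is not code from the patent or from the applicant, and the algorithm names, security levels, key lengths and priority order in it are constructed placeholders. The target security policy is represented in the two forms the description allows (a security level, or a minimum key length), together with the "no protection" case of the note above:

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Algorithm:
    name: str
    security_level: int   # constructed scale: higher is stronger
    key_len_bits: int     # key length the algorithm is used with


# Constructed preset algorithm list of the RAN entity, ordered according to the
# RAN entity's own security capability configuration (index 0 = highest priority).
RAN_PRESET: List[Algorithm] = [
    Algorithm("ALG-A", security_level=3, key_len_bits=256),
    Algorithm("ALG-B", security_level=2, key_len_bits=128),
    Algorithm("ALG-C", security_level=1, key_len_bits=128),
]


@dataclass(frozen=True)
class TargetSecurityPolicy:
    protection_required: bool                 # False: signaling/data need no ciphering or integrity
    min_security_level: Optional[int] = None  # security requirement expressed as a level
    min_key_len_bits: Optional[int] = None    # security requirement expressed as a minimum key length


def meets_requirement(alg: Algorithm, policy: TargetSecurityPolicy) -> bool:
    """True when the algorithm satisfies every requirement the target policy states."""
    if policy.min_security_level is not None and alg.security_level < policy.min_security_level:
        return False
    if policy.min_key_len_bits is not None and alg.key_len_bits < policy.min_key_len_bits:
        return False
    return True


def select_algorithm(policy: TargetSecurityPolicy, ue_capability: Set[str],
                     preset: List[Algorithm] = RAN_PRESET) -> Optional[Tuple[str, int]]:
    """Returns (target algorithm name, key length in bits), or None when the target
    policy states that no ciphering/integrity protection is to be applied."""
    if not policy.protection_required:
        return None
    # Only algorithms the UE supports are ever usable; order is the RAN priority order.
    ue_capable = [a for a in preset if a.name in ue_capability]
    if not ue_capable:
        raise ValueError("no preset algorithm is supported by the UE")
    # Candidates that meet the target policy AND the UE capability: highest priority wins.
    candidates = [a for a in ue_capable if meets_requirement(a, policy)]
    # Fallback when nothing meets the policy: highest-priority UE-capable preset algorithm.
    chosen = candidates[0] if candidates else ue_capable[0]
    return chosen.name, chosen.key_len_bits


if __name__ == "__main__":
    print(select_algorithm(TargetSecurityPolicy(True, min_security_level=2), {"ALG-B", "ALG-C"}))
    print(select_algorithm(TargetSecurityPolicy(True, min_security_level=3), {"ALG-B", "ALG-C"}))
```

The second call in the usage block exercises the fallback branch: the UE supports nothing at level 3, so the RAN entity takes the highest-priority algorithm the UE can run, as the last sentence of the step prescribes.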
213. The RAN entity establishes a radio bearer with the UE.
The RAN entity establishes the radio bearer according to the determined ciphering and/or integrity protection policy of the UE, which may be a ciphering and/or integrity protection algorithm. When the target security policy is applied to different situations, the RAN entity determines an algorithm used by the established radio bearer according to a correspondence between an identifier corresponding to the established radio bearer and the encryption and/or integrity protection policy.
It should be noted that the procedure by which the RAN entity establishes the radio bearer with the UE is shown in fig. 3 and includes the following specific steps. The RAN entity sends a security mode instruction message to the UE; the security mode instruction includes the target algorithm, and when the target policy is applied to different situations, the security mode instruction also carries a second identifier, which is any one of a session identifier, a slice identifier, a media stream identifier and a radio bearer identifier, and the UE stores the correspondence between the target algorithm and the second identifier. The RAN entity receives a security mode instruction completion message sent by the UE. The RAN entity sends a radio bearer establishment request message to the UE. The UE receives the radio bearer establishment request message sent by the RAN entity, which includes the identifier of the radio bearer to be established and the corresponding second identifier. The UE determines the algorithm used by the established radio bearer according to the stored correspondence between the target algorithm and the second identifier, that is, the target algorithm corresponding to the second identifier of the established radio bearer is the algorithm used by that radio bearer. In a specific implementation, when the UE receives the security mode instruction message, it may present to the user the algorithm information corresponding to the second identifier selected by the network, and the user decides whether to accept the algorithm; the presented form is not limited to a specific algorithm and may also be security level information corresponding to the algorithm. Another optional way of presenting to the user is to include, in the security mode instruction, security level information corresponding to the selected algorithm for presentation to the user. When the user accepts the selected algorithm, the UE returns a security mode instruction completion message; when the user rejects the target algorithm or the security level, the UE sends a security mode instruction failure message to the RAN entity, the rejected RAN entity being the first RAN entity, and the UE enters an idle state, reselects a second RAN entity and establishes a connection with the second RAN entity. The UE reselects the second RAN entity in the manner of selecting the RAN entity in step 202.
It can be understood that, if the target algorithm corresponds to the radio bearer, the security mode instruction message includes radio bearer identification information; if the target algorithm corresponds to the slice, the safety mode instruction message comprises slice identification information; if the target algorithm corresponds to the session, the security mode instruction message includes session identification information, and if the target algorithm corresponds to the media stream, the security mode instruction message includes the media stream identification information.
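The fig. 3 exchange of step 213, with both sides' messages and the second identifier, as an added Python example; it is not code from the patent or the applicant. The identifiers, algorithm names, message field names and the user-decision callback are constructed for the illustration, and the rejection branch (failure message, UE enters idle) is included:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Second identifier: (kind, value); kind is "slice", "session", "media_stream" or "rb".
Identifier = Tuple[str, str]


@dataclass(frozen=True)
class SecurityModeInstruction:
    target_algorithm: str
    second_identifier: Identifier
    security_level: Optional[int] = None   # optional: level carried for presentation to the user


class RanEntity:
    """Holds the correspondence, stored in step 211/212, between each identifier and the target algorithm."""

    def __init__(self, algorithm_by_identifier: Dict[Identifier, str], level_of: Dict[str, int]):
        self.algorithm_by_identifier = dict(algorithm_by_identifier)
        self.level_of = dict(level_of)            # constructed: security level of each algorithm
        self.last_reply: Optional[str] = None

    def security_mode_instruction(self, second_identifier: Identifier) -> SecurityModeInstruction:
        alg = self.algorithm_by_identifier[second_identifier]
        return SecurityModeInstruction(alg, second_identifier, self.level_of.get(alg))

    def radio_bearer_request(self, rb_id: int, second_identifier: Identifier) -> dict:
        # Request to establish a radio bearer: bearer identifier plus its second identifier.
        return {"rb_id": rb_id, "second_identifier": second_identifier}


class Ue:
    def __init__(self, user_accepts: Callable[[str, Optional[int]], bool]):
        self.user_accepts = user_accepts           # the user's accept/reject decision
        self.algorithm_by_identifier: Dict[Identifier, str] = {}
        self.rb_algorithm: Dict[int, str] = {}     # algorithm in use per established bearer
        self.idle = False                           # True once the UE leaves the first RAN entity

    def on_security_mode_instruction(self, msg: SecurityModeInstruction) -> str:
        if not self.user_accepts(msg.target_algorithm, msg.security_level):
            self.idle = True   # enters idle and reselects a second RAN entity as in step 202
            return "SECURITY_MODE_INSTRUCTION_FAILURE"
        # Store the correspondence between the target algorithm and the second identifier.
        self.algorithm_by_identifier[msg.second_identifier] = msg.target_algorithm
        return "SECURITY_MODE_INSTRUCTION_COMPLETE"

    def on_radio_bearer_request(self, req: dict) -> str:
        # Resolve the bearer's algorithm via the second identifier it carries.
        alg = self.algorithm_by_identifier[req["second_identifier"]]
        self.rb_algorithm[req["rb_id"]] = alg
        return alg


def establish_radio_bearer(ran: RanEntity, ue: Ue, rb_id: int,
                           second_identifier: Identifier) -> Optional[str]:
    """Runs the exchange; returns the algorithm the new bearer uses, or None if the user rejected it."""
    ran.last_reply = ue.on_security_mode_instruction(ran.security_mode_instruction(second_identifier))
    if ran.last_reply != "SECURITY_MODE_INSTRUCTION_COMPLETE":
        return None
    return ue.on_radio_bearer_request(ran.radio_bearer_request(rb_id, second_identifier))


if __name__ == "__main__":
    ran = RanEntity({("slice", "slice-1"): "ALG-A", ("session", "sess-7"): "ALG-B"},
                    {"ALG-A": 3, "ALG-B": 2})
    ue = Ue(user_accepts=lambda alg, level: True)
    print(establish_radio_bearer(ran, ue, 1, ("slice", "slice-1")))
```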
It should be noted that the present application does not limit the names of the messages in fig. 3, and the names of the messages that perform the same function are all within the scope of the present application.
214. The RAN entity sends an initial context setup response message to the AMF.
The RAN entity sends an initial context setup response message to the AMF.
215. The AMF sends an initial context setup response message to the SMF.
After acquiring the initial context setup response message from the RAN entity, the AMF sends the initial context setup response message to the SMF.
It is understood that the session policy request message may also be sent to the security policy management function entity by the AMF, and obtain the target security policy fed back by the security policy management function entity. Steps 205 to 207 of SMF obtaining the target security policy may be replaced by the following steps:
Step one: the AMF sends a session policy request message to a security policy management function entity.
The session policy request message includes security requirements requested by the UE, and if the AMF receives the session establishment request message and also receives NSSAI information, the session policy request message further includes NSSAI.
Step two: and the security policy management functional entity determines the security policy of the UE, wherein the policy is a target security policy.
The form of the security policy is similar to that described in step 205 and is not described again.
Step three: and the AMF receives a session policy response message sent by the security policy management function entity.
The session policy response message contains the target security policy.
Step four: and the AMF sends the received session establishment request message to the SMF, and sends the acquired target security policy while sending the session establishment request message.
The SMF may apply the security policy obtained from the security policy management function to different situations, or the SMF may apply it to different situations according to the content of the security policy obtained from the security policy management function. For example, a security policy is applied to the slice, or a security policy is applied to the session, or a security policy is applied to the media stream.
It should be noted that a plurality of security policy management function entities may exist; for example, for different slices, corresponding security policy management function entities may manage the slices. A security policy management function entity outside the slice is referred to as the first security policy management function entity. After receiving the session establishment request message, the AMF sends a security policy request message to the first security policy management function entity; because the session policy request message includes information related to the slice, the first security policy management function entity may request the target security policy corresponding to the slice from a second security policy management function entity in charge of the slice. After obtaining the target security policy, the first security policy management function entity sends it to the AMF.
It can be understood that, when the security policy request message is related to a slice, the security policy related to the slice may also be preset in the first security policy management function entity, so that there is no need to request the target security policy from the security policy management function entity responsible for the slice; the first security policy management function entity outside the slice then determines the security policy of the session according to the security requirement of the UE, the security requirement of the service, the operator's security policy and the security requirement of the slice, and feeds back the determined target security policy to the AMF.
In the embodiment of the present application, in the process of establishing the initial context, when the security endpoint of the network is located on the radio access network side, different security requirements of different services or users are met, and the embodiment is also applicable to a case where the security endpoint does not need to be confirmed and security protection is included on the RAN side by default.
For convenience of understanding, a specific flow of the embodiment of the present application is described below, with reference to fig. 4, when the radio access side implements handover, another embodiment of the method for processing a security policy in the embodiment of the present application includes:
401. The user equipment UE configures the security capability requirement.
The user equipment UE receives the security capability requirement set by the user, and the user can set the security requirement applied to all services or the security requirement applied to a specific service.
402. The UE establishes a session.
The UE establishes a session with the core network, where the session has a corresponding security policy enforced.
403. The source RAN entity decides to initiate handover to the UE.
The source RAN entity decides to initiate a handover procedure for the UE.
404. The source RAN entity determines the target RAN entity.
The source RAN entity determines candidate RAN entities meeting the signal quality requirement according to a measurement report of the UE, where the measurement report of the UE includes signal quality information of the candidate RAN entities; among the candidate RAN entities, the source RAN entity determines a RAN entity that conforms to a first security policy as the target RAN entity, where the first security policy is the security policy of the UE stored by the source RAN entity, or a security policy, or the highest security policy, in the UE security context stored by the source RAN entity.
It should be noted that, in an alternative embodiment, when the target RAN entity to be selected is the evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, where the evolved E-UTRAN meeting the highest security policy requirement in the UE and the signal quality requirement is to be selected as the target RAN entity.
405. The source RAN entity sends a handover request message to the target RAN entity.
The source RAN entity sends a handover request message to the target RAN entity. The handover request message carries a security policy, which is the target security policy. When the target security policy is applied to different situations, the handover request message includes the security policy and the identifier corresponding to it: for example, if the target security policy corresponds to a slice, the handover request message includes the slice identifier and the corresponding security policy; if the target security policy corresponds to a radio bearer RB, the handover request message includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to a session, the handover request message contains the session identifier and the corresponding security policy; if the target security policy corresponds to a media stream, the handover request message includes the media stream identifier and the corresponding security policy.
In addition, if the target security policy corresponds to the slice, the handover request further includes a corresponding relationship between the radio bearer identifier and the slice identifier, and in this manner, when the target RAN establishes the radio bearer, the slice identifier corresponding to the radio bearer identifier is determined first, and the security policy of the slice is determined according to the slice identifier, that is, the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request further includes a corresponding relationship between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request further includes a corresponding relationship between the radio bearer identifier and the media stream identifier.
In an optional implementation, the source RAN entity determines, according to the network type of the target RAN being handed over to, whether to carry the security policy alone or the security policy together with the corresponding identifier. When the target RAN entity is evolved E-UTRAN, the source RAN may carry in the handover request message the security policy, or the security policy of each security context of the UE together with the corresponding identifier; when the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), and the NR is not the security endpoint of the session, the handover request message may omit the security policy information and only needs to include the information required to reestablish the radio bearer in the target RAN.
The handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be used for all radio bearers, may be a set of different keys corresponding to each radio bearer, and may also be a set of keys corresponding to each slice or each session, or each media stream.
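Steps 404 and 405 together, as an added Python example that is not code from the patent or the applicant: the source RAN entity picks the target RAN entity from the measurement report by signal quality and then by the first security policy (here taken as the highest policy level in the stored UE security context), builds the handover request with the policies, their identifiers, the radio-bearer-to-identifier correspondence and the keys, and the target side resolves the policy of each radio bearer through that correspondence. The candidate names, quality scale, policy levels, key strings and message field names are constructed placeholders, and the NR-not-endpoint case of the optional implementation is included:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identifier: (kind, value); kind is "slice", "session", "media_stream" or "rb".
Identifier = Tuple[str, str]


@dataclass(frozen=True)
class CandidateRan:
    name: str
    access_type: str             # "E-UTRAN" or "NR"
    signal_quality: float        # from the UE measurement report (constructed 0..1 scale)
    highest_security_level: int  # highest security policy the candidate can enforce


def select_target_ran(report: List[CandidateRan], ue_policy_levels: List[int],
                      min_signal_quality: float) -> Optional[CandidateRan]:
    """Step 404: keep candidates meeting the signal quality requirement, then those
    conforming to the first security policy; the best signal among them is the target."""
    required = max(ue_policy_levels)   # highest policy in the stored UE security context
    candidates = [c for c in report if c.signal_quality >= min_signal_quality]
    eligible = [c for c in candidates if c.highest_security_level >= required]
    return max(eligible, key=lambda c: c.signal_quality) if eligible else None


def build_handover_request(target: CandidateRan, target_is_security_endpoint: bool,
                           policy_by_identifier: Dict[Identifier, dict],
                           rb_to_identifier: Dict[int, Identifier],
                           key_by_identifier: Dict[Identifier, str]) -> dict:
    """Step 405: the handover request carries the policies with their identifiers, the
    RB-to-identifier correspondence and the keys, unless the target is NR and not the endpoint."""
    msg = {"target": target.name, "radio_bearers": sorted(rb_to_identifier),
           "keys": dict(key_by_identifier)}
    if target.access_type == "NR" and not target_is_security_endpoint:
        return msg   # only what is needed to re-establish the bearers in the target RAN
    msg["security_policies"] = dict(policy_by_identifier)
    msg["rb_to_identifier"] = dict(rb_to_identifier)
    return msg


def resolve_rb_policy(handover_request: dict, rb_id: int) -> Optional[dict]:
    """Target side: radio bearer id -> slice/session/media stream/RB identifier -> policy.
    None means the request carried no target security policy (the step 406 'not acquired' case)."""
    if "security_policies" not in handover_request:
        return None
    ident = handover_request["rb_to_identifier"][rb_id]
    return handover_request["security_policies"].get(ident)


# Constructed sample data: a measurement report, the source RAN's stored policies,
# the bearer-to-identifier correspondence and placeholder keys.
REPORT = [
    CandidateRan("RAN-1", "NR", 0.9, 1),
    CandidateRan("RAN-2", "E-UTRAN", 0.7, 3),
    CandidateRan("RAN-3", "E-UTRAN", 0.3, 3),
]
POLICIES = {
    ("slice", "slice-1"): {"ciphering": True, "integrity": True, "min_level": 3},
    ("rb", "3"): {"ciphering": False, "integrity": False},
}
RB_TO_ID = {1: ("slice", "slice-1"), 2: ("slice", "slice-1"), 3: ("rb", "3")}
KEYS = {("slice", "slice-1"): "K-slice-1-placeholder", ("rb", "3"): "K-rb-3-placeholder"}


if __name__ == "__main__":
    target = select_target_ran(REPORT, [1, 3, 2], 0.5)
    request = build_handover_request(target, True, POLICIES, RB_TO_ID, KEYS)
    for rb in request["radio_bearers"]:
        print(rb, resolve_rb_policy(request, rb))
```

Bearers 1 and 2 resolve through the slice identifier to the slice policy, while bearer 3 carries a policy of its own; a target that receives no `security_policies` element behaves as in step 406 and must request the policy from the core network.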
406. And the target RAN entity judges whether the target security policy of the UE is acquired.
The target RAN entity determines whether it has acquired the target security policy of the UE; if not, steps 407 and 408 are executed, otherwise step 409 is executed.
It should be noted that, in an alternative embodiment, when the target RAN entity is evolved E-UTRAN and the handover request message does not include the security policy, steps 407 and 408 are performed; when the target RAN entity is evolved E-UTRAN and the handover request message includes the security policy, step 409 is performed.
407. The target RAN entity sends a security policy request message to the core network entity.
The target RAN entity sends a security policy request message to the core network entity. The core network entity may be an access and mobility management function entity AMF or a session management function entity SMF, and if the target RAN entity sends the security policy request message to the SMF, the security policy request message is sent to the SMF through the AMF.
It should be noted that, in an alternative embodiment, the security policy request message further includes a slice identifier, a session identifier, or a media stream identifier according to an actual application situation of the target security policy.
408. The core network entity sends a security policy response message to the target RAN entity.
The core network entity sends a security policy response message to the target RAN entity, where the security policy response message carries the target security policy of the UE. When the security policy request message contains no such identifier, all security policies for the UE are sent to the target RAN entity; when the security policy request message also contains a slice identifier, the security policy response message contains the slice identifier and the target security policy corresponding to the slice identifier; when the security policy request message also contains a session identifier, the security policy response message contains the session identifier and the target security policy corresponding to the session identifier; when the security policy request message also contains a media stream identifier, the security policy response message contains the media stream identifier and the target security policy corresponding to the media stream identifier.
It should be noted that, if the target RAN entity requests the target security policy of the UE from the SMF, the security policy response message is sent to the target RAN entity through the AMF.
409. The target RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy.
The target RAN entity saves the target security policy before the target RAN determines the ciphering and/or integrity protection policy for the UE.
The determination of the ciphering and/or integrity protection policy for the UE by the target RAN entity according to the target security policy is similar to step 212, and is not repeated here.
It will be appreciated that in an alternative embodiment, when the target RAN entity is evolved E-UTRAN, security protection of the session needs to be performed, and the target RAN determines the ciphering and/or integrity protection policy of the UE according to the target security policy, otherwise this step is not performed.
410. The target RAN entity establishes a radio bearer for handover on the UE.
The target RAN entity establishes a switched radio bearer on the UE, and determines an algorithm used by the switched radio bearer according to a determined target algorithm if the switched radio bearer needs to be encrypted and/or integrity protected according to a target security policy obtained by the target RAN entity. When the target security policy is applied to different situations, the RAN entity determines an algorithm used by the switched radio bearer according to a correspondence between an identifier corresponding to the switched radio bearer and the encryption and/or integrity protection policy.
If, according to the target security policy, the switched radio bearer does not need to be encrypted or integrity protected, the above steps are not executed, and the data or signaling corresponding to the radio bearer is not encrypted and/or integrity protected.
411. The target RAN entity sends a handover request response message to the source RAN entity.
The target RAN entity sends a handover request response message to the source RAN entity, and the handover request response message includes the determined target algorithm. When the target security policy is applied to different situations, the handover request response message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; when the second identifier is not a radio bearer identifier, the handover request response message further includes the radio bearer identifier switched by the target RAN entity and the second identifier corresponding to that radio bearer. Step 412 is similar in this respect.
In a specific embodiment, to express the above correspondence, the second identifier may be included twice or included once in the handover request response message, which is not limited, and the following steps are similar.
412. The source RAN entity sends a handover instruction message to the UE.
After the source RAN entity receives the handover request response message from the target RAN entity, the source RAN entity sends a handover instruction message to the UE, and the handover instruction message includes the determined algorithm. When the target security policy is applied to different situations, the handover instruction message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that after receiving the handover instruction the UE stores the target algorithm, or stores the correspondence between the target algorithm and the second identifier, and determines, according to the target algorithm, the algorithm used by the radio bearer switched by the target RAN entity.
The handover instruction message further includes a radio bearer identifier switched by the target RAN entity and a second identifier corresponding to the radio bearer, and the UE determines an algorithm used by the radio bearer switched by the target RAN entity according to a corresponding relationship between the target algorithm and the second identifier, that is, determines a target algorithm corresponding to the second identifier according to the second identifier corresponding to the radio bearer identifier switched by the target RAN entity, and the target algorithm is an algorithm used by the switched radio bearer.
Similar to step 213, when the UE receives the target algorithm, or the correspondence between the target algorithm and the second identifier, the UE may present to the user the algorithm information corresponding to the second identifier selected by the network, and the user decides whether to accept the algorithm. The form of the presentation is not limited to presenting a specific algorithm; the security level information corresponding to the algorithm may also be presented. In another optional implementation, the security level information corresponding to the selected algorithm is included in the handover request response message and the handover instruction message for presentation to the user. When the user accepts the selected algorithm, the UE accesses the target RAN entity. When the user rejects the target algorithm or the security level, the rejected RAN entity is the first RAN entity; the UE enters an idle state, reselects a second RAN entity, and establishes a connection with the second RAN entity.
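The following is an added illustration, not code from the patent or from its assignee, of the two selection steps described above: the target RAN entity choosing a ciphering and/or integrity algorithm for each identifier from the target security policy and its own security capability (steps 409 and 410, corresponding to modules 70211 and 70212 of fig. 7), and the UE resolving the algorithm for each switched radio bearer through the correspondence radio bearer identifier → second identifier → target algorithm carried in the handover instruction message (step 412). The policy fields, the algorithm names, the strength values and the RAN capability table are all assumptions made for the example.

```python
"""Added illustration (not from the patent): target RAN algorithm selection per
identifier and UE-side algorithm lookup per switched radio bearer.
All policy fields, algorithm names and strength values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    ciphering: bool        # whether data/signalling on this identifier must be ciphered
    integrity: bool        # whether integrity protection is required
    min_strength: int = 0  # assumed: minimum acceptable algorithm strength


# Assumed RAN security capability: algorithm name -> (kind, strength),
# listed in the RAN's priority order (first entry = highest priority).
RAN_CAPABILITY = {
    "cipher-A": ("ciphering", 3),
    "cipher-B": ("ciphering", 2),
    "integ-A": ("integrity", 3),
    "null": ("none", 0),
}


def select_target_algorithm(policy, capability=RAN_CAPABILITY):
    """Return (ciphering_alg, integrity_alg) for one identifier, or None when no
    candidate algorithm satisfies the policy (the 70211/70212 logic, modelled)."""
    def pick(kind):
        # candidates that satisfy the policy, in RAN priority order
        candidates = [name for name, (k, strength) in capability.items()
                      if k == kind and strength >= policy.min_strength]
        return candidates[0] if candidates else None

    cipher = pick("ciphering") if policy.ciphering else "null"
    integ = pick("integrity") if policy.integrity else "null"
    if cipher is None or integ is None:
        return None
    return (cipher, integ)


def build_handover_instruction(target_policies, bearer_to_second_id):
    """target_policies: second identifier -> SecurityPolicy (slice, session,
    media stream or radio bearer). bearer_to_second_id: switched radio bearer
    identifier -> second identifier. Returns the two correspondences the
    handover instruction message carries in the multi-situation case."""
    algorithm_by_second_id = {}
    for second_id, policy in target_policies.items():
        algorithm = select_target_algorithm(policy)
        if algorithm is None:
            raise ValueError(f"no candidate algorithm satisfies the policy for {second_id}")
        algorithm_by_second_id[second_id] = algorithm
    return {
        "algorithm_by_second_id": algorithm_by_second_id,
        "bearer_to_second_id": dict(bearer_to_second_id),
    }


def ue_algorithm_for_bearer(instruction, bearer_id):
    """UE side: switched radio bearer -> second identifier -> target algorithm."""
    second_id = instruction["bearer_to_second_id"][bearer_id]
    return instruction["algorithm_by_second_id"][second_id]


if __name__ == "__main__":
    # Constructed sample: one slice requiring strong protection, one requiring none.
    policies = {"slice-1": SecurityPolicy(True, True, 2), "slice-2": SecurityPolicy(False, False)}
    bearers = {"rb-1": "slice-1", "rb-2": "slice-2"}
    instruction = build_handover_instruction(policies, bearers)
    for rb in bearers:
        print(rb, "->", ue_algorithm_for_bearer(instruction, rb))
```

A bearer whose identifier maps to a policy with no ciphering and no integrity requirement resolves to the null algorithms, which is the case the text describes as "the above steps are not executed"; a policy that no capability entry can satisfy is reported rather than silently downgraded.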
413. The target RAN entity sends a path switch request message to the SMF.
The target RAN entity sends a path switch request message to the SMF, informing the SMF that the UE has switched RAN entity.
It should be noted that, if the target RAN entity received the target security policy of the UE in step 405, the path switch request message includes the target security policy, which the SMF uses to verify whether the security policy used by the target RAN entity is correct. The path switch request message is sent to the SMF through the AMF.
In an alternative embodiment, the received target security policy of the UE is sent at the same time as the path switch request message is sent, so that the AMF verifies whether the security policy used by the target RAN is correct.
It is to be understood that, in another alternative embodiment, when the target RAN entity is NR, the path switch request message further includes a target RAN type, for example, the target RAN entity type is NR indication information, so that the SMF determines that the terminating point of the session is at a User Plane Gateway (UPGW) according to the target RAN entity type.
414. The SMF determines whether the security policy used by the target RAN entity is correct according to the stored target security policy of the UE.
When the verification succeeds, the subsequent procedure is executed; when the SMF determines that the security policy used by the target RAN entity is incorrect, corresponding measures are taken, such as notifying the target RAN entity. The case in which the AMF performs the verification is similar.
When the SMF determines that the termination point of the session is the UPGW, the SMF creates a corresponding security context between the UE and the UPGW according to the stored target security policy of the UE.
415. The SMF sends a path switch response message to the target RAN entity.
The SMF sends a path switch response message to the target RAN entity; the path switch response message is sent to the target RAN entity through the AMF.
In the embodiment of the application, in the process of switching the radio bearer, when the security endpoint of the network is positioned at the radio access network side, different services or different security requirements of users are met.
Referring to fig. 5, when the radio access side implements handover, another embodiment of the method for processing security policy in the embodiment of the present application includes:
501. The user equipment UE configures the security capability requirements.
The user equipment UE receives the security capability requirement set by the user, and the user can set the security requirement applied to all services or the security requirement applied to a specific service.
502. The UE establishes a session.
The UE establishes a session with the core network, where the session has a corresponding security policy enforced.
503. The source RAN entity decides to initiate handover to the UE.
The source RAN entity decides to initiate a handover procedure for the UE.
504. The source RAN entity determines the target RAN entity.
The source RAN entity determines, according to a measurement report of the UE, the candidate RAN entities that meet the signal quality requirement, where the measurement report of the UE includes signal quality information of the candidate RAN entities. Among the candidate RAN entities, the source RAN entity determines the RAN entity that conforms to a first security policy as the target RAN entity, where the first security policy is the security policy of the UE stored by the source RAN entity, or a security policy, or the highest security policy, in the UE security context stored by the source RAN entity.
It should be noted that, in an alternative embodiment, when the target RAN entity to be selected is the evolved E-UTRAN, the source RAN selects the target evolved E-UTRAN based on the security policy or the highest security policy in the saved UE security context, where the evolved E-UTRAN meeting the highest security policy requirement in the UE and the signal quality requirement is to be selected as the target RAN entity.
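As an added illustration (not code from the patent), the following models the target RAN selection of step 504: candidates are first filtered by the signal quality in the UE measurement report, then by whether they can meet the first security policy, which in the evolved E-UTRAN case is the highest security policy in the saved UE security context. The ordering of policy levels, the quality threshold, the RAN identifiers and the per-RAN capability values are assumptions made for the example.

```python
"""Added illustration (not from the patent): source RAN target selection from
a measurement report and a first security policy (step 504).
Policy level names, their ordering and all sample values are assumptions."""

# Assumed total ordering of security policy levels, lowest first.
POLICY_ORDER = ["none", "integrity_only", "ciphering_only", "ciphering_and_integrity"]


def policy_rank(policy):
    """Position of a policy in the assumed ordering (higher = stricter)."""
    return POLICY_ORDER.index(policy)


def highest_policy(ue_security_context):
    """The highest security policy among those in the saved UE security context."""
    return max(ue_security_context, key=policy_rank)


def select_target_ran(measurement_report, ran_capabilities, first_policy, min_quality):
    """measurement_report: candidate RAN id -> reported signal quality (assumed units).
    ran_capabilities: candidate RAN id -> highest policy level that RAN can enforce.
    Returns the best-signal candidate meeting both the quality and the policy
    requirement, or None if no candidate qualifies."""
    required = policy_rank(first_policy)
    eligible = [
        (quality, ran_id)
        for ran_id, quality in measurement_report.items()
        if quality >= min_quality                      # signal quality requirement
        and ran_id in ran_capabilities                 # unknown RAN: cannot assess policy
        and policy_rank(ran_capabilities[ran_id]) >= required  # security policy requirement
    ]
    if not eligible:
        return None
    return max(eligible)[1]


if __name__ == "__main__":
    # Constructed sample measurement report and candidate capabilities.
    report = {"ran-a": -70, "ran-b": -60, "ran-c": -95}
    capabilities = {
        "ran-a": "ciphering_and_integrity",
        "ran-b": "integrity_only",
        "ran-c": "ciphering_and_integrity",
    }
    context = ["integrity_only", "ciphering_and_integrity"]
    print(select_target_ran(report, capabilities, highest_policy(context), min_quality=-90))
```

With the sample values, the candidate with the best signal (ran-b) is rejected because it cannot meet the highest policy in the UE context, and the candidate that can (ran-c) is rejected on signal quality, so ran-a is selected; lowering the first policy to integrity_only lets the signal ordering decide.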
505. The source RAN entity sends a handover required message to the access and mobility management function entity, AMF.
The source RAN entity sends a handover required message to the session management function entity (SMF); the handover required message is sent to the SMF through the access and mobility management function entity (AMF).
In an optional implementation manner, the handover request message carries security policy information of the UE, where the policy is a target security policy, and when the target security policy is applied to different situations, the handover request message includes the security policy and an identifier corresponding to the security policy, for example, if the target security policy corresponds to a slice, the handover request message includes the slice identifier and a corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request message includes a radio bearer identifier and a corresponding security policy; if the target security policy corresponds to the session, the switching request message contains a session identifier and a corresponding security policy; if the target security policy corresponds to the media stream, the handover request message includes the media stream identifier and the corresponding security policy.
In addition, if the target security policy corresponds to the slice, the handover request message further includes a corresponding relationship between the radio bearer identifier and the slice identifier, and in this manner, when the target RAN establishes the radio bearer, the slice identifier corresponding to the radio bearer identifier is determined first, and the security policy of the slice is determined according to the slice identifier, that is, the security policy applied to the radio bearer; similarly, if the target security policy corresponds to the session, the handover request message further includes a corresponding relationship between the radio bearer identifier and the session identifier; if the target security policy corresponds to the media stream, the handover request message further includes a corresponding relationship between the radio bearer identifier and the media stream identifier.
In another optional implementation, the source RAN entity determines, according to the network type of the target RAN to be handed over to, whether the handover request message carries the security policy, or the security policy together with the corresponding identifier. When the target RAN entity is evolved E-UTRAN, the source RAN may carry in the handover request message the security policy, or the security policy of each security context of the UE together with the corresponding identifier; when the source RAN entity determines that the target RAN entity is a next generation radio access network (New Radio, NR), and the NR is not a security endpoint of the session, the handover request message may omit the security policy information and only needs to include the information required to re-establish the radio bearer in the target RAN.
The handover request message further includes a key used for radio bearer encryption and/or integrity protection, where the key may be used for all radio bearers, may be a set of different keys corresponding to each radio bearer, and may also be a set of keys corresponding to each slice or each session, or each media stream.
506. The AMF sends the handover required message to the source session management function entity (SMF).
The AMF sends the handover required message to the source session management function entity (SMF).
In an alternative implementation, if the message of step 505 does not include the security policy information of the UE, and the AMF recognizes that the request message is to be sent to the SMF, the AMF sends its saved security policy information of the UE, as the target security policy information, to the SMF together with the handover request message. In this case, the handover request message includes the correspondence between the radio bearer identifier and the slice identifier, the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media stream identifier.
507. The SMF sends a handover request message to the target RAN entity.
After receiving a handover request message sent by a source RAN entity, the SMF sends a handover request message to a target RAN entity, wherein the handover request message carries security policy information, and the security policy is the target security policy information received from the handover request message.
In another alternative embodiment, if the target security policy information is not included in steps 505 and 506, the target security policy information is the security policy information saved by the SMF for the UE session.
After the target security policy information is obtained in any of the above ways, when the target security policy is applied to different situations, the handover request includes the security policy and the identifier corresponding to the security policy. For example, if the target security policy corresponds to a slice, the handover request includes the slice identifier and the corresponding security policy; if the target security policy corresponds to the radio bearer RB, the handover request includes the radio bearer identifier and the corresponding security policy; if the target security policy corresponds to the session, the handover request includes the session identifier and the corresponding security policy; if the target security policy corresponds to the media stream, the handover request includes the media stream identifier and the corresponding security policy.
In addition, the handover request also includes the correspondence between the radio bearer identifier and the identifier obtained by the target RAN entity from the handover request message, such as the correspondence between the radio bearer identifier and the slice identifier, the correspondence between the radio bearer identifier and the session identifier, or the correspondence between the radio bearer identifier and the media stream identifier.
In another optional implementation, the SMF determines the security termination point of the session according to the type of the target RAN entity to be handed over to. The SMF may determine the security termination point itself according to the type of the target RAN entity, or it may send the target RAN type to the security policy management function entity, which determines the security termination point of the session and returns it to the SMF. When the target RAN is evolved E-UTRAN, the security endpoint of the session is determined to be at the target RAN entity, and the handover request message sent to the target RAN carries the security policy information; when the target RAN entity is determined to be a next generation radio access network (New Radio, NR), and the NR is not a security endpoint of the session, the handover request message does not include the security policy information and only needs to include the information required to re-establish the radio bearer in the target RAN.
It can be understood that, if the SMF changes, the source SMF that receives the handover request message sent by the AMF sends a redirection request message to the target SMF, where the redirection request message includes the target security policy information, and the target SMF sends the handover request message to the target RAN entity according to the redirection request message.
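The following added illustration (not code from the patent) models the SMF-side decisions described in step 507 above and in step 414 of the fig. 4 procedure: deciding from the target RAN type whether the session's security endpoint is at the RAN, and therefore whether the handover request carries the target security policy and the bearer-to-identifier correspondence or only the bearer re-establishment information; and checking the policy a target RAN reports back in the path switch request against the stored one. It follows the page's example in which evolved E-UTRAN terminates security at the RAN and NR terminates the session at the UPGW; the RAN type strings, the message field names and the policy values are assumptions.

```python
"""Added illustration (not from the patent): SMF-side handover request
construction by target RAN type (step 507) and verification of the security
policy reported by the target RAN (step 414 of fig. 4).
RAN type strings, message field names and policy values are assumptions."""

RAN_TYPE_EVOLVED_EUTRAN = "evolved E-UTRAN"
RAN_TYPE_NR = "NR"


def security_endpoint_for(target_ran_type):
    """Evolved E-UTRAN: security endpoint at the RAN. NR: following the page's
    example, the session terminates at the UPGW, i.e. not at the RAN."""
    return "RAN" if target_ran_type == RAN_TYPE_EVOLVED_EUTRAN else "UPGW"


def build_handover_request(target_ran_type, stored_policies, bearer_to_identifier, bearer_config):
    """stored_policies: identifier (slice/session/media stream/RB) -> policy dict.
    bearer_to_identifier: radio bearer id -> identifier whose policy applies to it.
    bearer_config: per-bearer information needed to re-establish the bearer
    (opaque here). The policy fields are added only when the RAN is the endpoint."""
    request = {"target_ran_type": target_ran_type, "bearers": dict(bearer_config)}
    if security_endpoint_for(target_ran_type) == "RAN":
        request["security_policy"] = dict(stored_policies)
        request["bearer_to_identifier"] = dict(bearer_to_identifier)
    return request


def verify_reported_policy(stored_policies, reported_policies):
    """Return the sorted identifiers whose reported policy differs from the
    stored one; an empty list means the target RAN used the correct policy."""
    mismatches = [identifier for identifier, stored in stored_policies.items()
                  if reported_policies.get(identifier) != stored]
    # identifiers the RAN reports but the SMF never issued are also a mismatch
    mismatches.extend(identifier for identifier in reported_policies
                      if identifier not in stored_policies)
    return sorted(mismatches)


if __name__ == "__main__":
    # Constructed sample: two slices with different policies, one bearer per slice.
    stored = {"slice-1": {"ciphering": True, "integrity": True},
              "slice-2": {"ciphering": True, "integrity": False}}
    bearer_map = {"rb-1": "slice-1", "rb-2": "slice-2"}
    bearer_cfg = {"rb-1": {"qos": "sample"}, "rb-2": {"qos": "sample"}}
    print(build_handover_request(RAN_TYPE_EVOLVED_EUTRAN, stored, bearer_map, bearer_cfg))
    print(build_handover_request(RAN_TYPE_NR, stored, bearer_map, bearer_cfg))
    # A target RAN that reports a weakened policy for slice-2 is detected.
    reported = {"slice-1": stored["slice-1"], "slice-2": {"ciphering": False, "integrity": False}}
    print(verify_reported_policy(stored, reported))
```

The verification is an exact per-identifier comparison, which is what the text asks for ("whether the security policy used by the target RAN entity is correct"); identifiers the RAN reports that the SMF never issued are treated as a mismatch as well, so the "corresponding measures" path is taken for both altered and unexpected entries.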
508. The target RAN entity determines the ciphering and/or integrity protection policy of the UE according to the target security policy.
The target RAN entity saves the target security policy before the target RAN determines the ciphering and/or integrity protection policy for the UE.
The determination of the ciphering and/or integrity protection policy of the UE by the target RAN entity according to the target security policy is the same as that in step 212, and this step is not described again.
509. The target RAN entity establishes a radio bearer for handover on the UE.
The target RAN entity establishes a switched radio bearer on the UE, and, if according to the target security policy obtained by the target RAN entity the switched radio bearer needs to be encrypted and/or integrity protected, determines the algorithm used by the switched radio bearer according to the determined target algorithm. When the target security policy is applied to different situations, the RAN entity determines the algorithm used by the switched radio bearer according to the correspondence between the identifier corresponding to the switched radio bearer and the ciphering and/or integrity protection policy.
If, according to the target security policy, the switched radio bearer does not need to be encrypted or integrity protected, the above steps are not executed, and the data or signaling corresponding to the radio bearer is not encrypted or integrity protected.
510. The target RAN entity sends a handover request response message to the SMF.
The target RAN entity sends a handover request response message to the SMF, and the handover request response message includes the determined algorithm. When the target security policy is applied to different situations, the handover request response message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier; when the second identifier is not a radio bearer identifier, the handover request response message further includes the radio bearer identifier switched by the target RAN entity and the second identifier corresponding to that radio bearer. Steps 511 and 512 are similar in this respect.
The handover request response message is sent to the SMF through the AMF.
In a specific embodiment, to express the above correspondence, the second identifier may be included twice or included once in the handover request response message, which is not limited, and the following steps are similar.
511. The SMF sends a handover command message to the source RAN.
After the SMF receives the handover request response message from the target RAN entity, the SMF sends a handover instruction message to the source RAN, and the handover instruction message includes the determined algorithm. When the target security policy is applied to different situations, the handover instruction message includes the correspondence between the target algorithm and a second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, and the handover instruction message also includes the radio bearer identifier switched by the target RAN entity and the second identifier corresponding to that radio bearer.
512. The source RAN sends a handover instruction message to the UE.
After the source RAN receives the handover instruction message from the SMF, the source RAN sends the handover instruction message to the UE.
After receiving the handover instruction message, the UE stores the target algorithm, or stores the correspondence between the target algorithm and the second identifier, and determines the algorithm used by the radio bearer switched by the target RAN entity according to the target algorithm, or according to the correspondence between the target algorithm and the second identifier; that is, the UE determines the target algorithm corresponding to the second identifier according to the second identifier corresponding to the radio bearer switched by the target RAN entity, and uses that target algorithm for the switched radio bearer.
Similar to step 213, when the UE receives the target algorithm, or the correspondence between the target algorithm and the second identifier, the UE may present to the user the algorithm information corresponding to the second identifier selected by the network, and the user decides whether to accept the algorithm. The form of the presentation is not limited to presenting a specific algorithm; the security level information corresponding to the algorithm may also be presented. In another optional implementation, the security level information corresponding to the selected algorithm is included in the handover instruction message for presentation to the user. When the user accepts the selected algorithm, the UE accesses the target RAN entity. When the user rejects the target algorithm or the security level, the rejected RAN entity is the first RAN entity; the UE enters an idle state, reselects a second RAN entity, and establishes a connection with the second RAN entity.
In the embodiment of the application, in the process of switching the radio bearer, when the security endpoint of the network is positioned at the radio access network side, different services or different security requirements of users are met.
The above describes the security policy processing method in the embodiment of the present application; the related devices in the embodiment of the present application are described below. Referring to fig. 6, an embodiment of the session management function entity in the embodiment of the present application includes:
an obtaining unit 601, configured to obtain a first message and a target security policy for a user equipment UE, where the first message is used to establish a session of the UE;
a sending unit 602, configured to send a second message to a radio access network RAN entity of the UE, where the second message is used to create a context of the UE at the RAN entity, and the second message includes a target security policy, and the target security policy is used for the RAN entity to determine a ciphering and/or integrity protection policy of the UE.
Optionally, the obtaining unit 601 may further include:
a first receiving subunit 6011, configured to receive a first message sent by the UE, where the SMF receives the target security policy while receiving the first message; or, alternatively,
a second receiving subunit 6012, configured to receive a first message sent by the UE, where the first message is used to establish a session;
a first sending subunit 6013, configured to send a security policy request message to a security policy management function entity;
a third receiving subunit 6014, configured to receive a security policy request response message sent by the security policy management function entity, where the security policy request response message includes the target security policy.
Optionally, the obtaining unit 601 may further include:
a fourth receiving subunit 6015, configured to receive the first message sent by the UE, and receive an access network type of the UE while receiving the first message;
a second sending subunit 6016, configured to send a security policy request message to the security policy management functional entity, where the security policy request message includes an access network type of the UE, so that the policy management entity determines security endpoint information of a session to be established according to the access network type of the UE;
a fifth receiving subunit 6017, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, and the target security policy includes security endpoint information of a session to be established of the UE.
Optionally, the obtaining unit 601 may further include:
a sixth receiving subunit 6018, configured to receive the first message sent by the UE, and receive an access network type of the UE while receiving the first message;
a determining subunit 6019, configured to determine, according to the access network type of the UE, security endpoint information of the session to be established of the UE.
Optionally, the session management function entity may further include:
a saving unit 603, configured to save the obtained target security policy.
In the embodiment of the application, in the process of establishing the initial context, when the security endpoint of the network is located at the wireless access network side, the session management functional entity sends the target security policy to the wireless access network entity, so that different services or different security requirements of users are met.
Referring to fig. 7, an embodiment of a radio access network entity in the embodiment of the present application includes:
a first obtaining unit 701, configured to obtain a second message for a user equipment UE, where the second message includes a target security policy;
a determining unit 702, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 703 is configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
a second obtaining unit 704, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier, and the target security policy is a security policy corresponding to the first identifier.
Optionally, the radio access network entity may further include:
a saving unit 705, configured to save the target security policy; or, the corresponding relationship between the first identifier and the target security policy is saved.
Optionally, the determining unit 702 may further include:
a determining subunit 7021, configured to determine a target algorithm according to at least the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm for the UE;
the establishing unit 703 includes:
an establishing subunit 7031, configured to establish/switch a radio bearer according to the target algorithm.
Optionally, the determining unit 702 may further include:
determining subunit 7021 is further configured to determine a target algorithm at least according to the target security policy and the security capability of the RAN entity, where the target algorithm is an encryption and/or integrity protection algorithm used on the UE and corresponding to the first identifier.
Optionally, the determining subunit 7021 may further include:
a determining module 70211, configured to determine whether a candidate algorithm meeting the target security policy exists;
the determining module 70212 is configured to determine, if there are candidate algorithms that satisfy the target security policy, an algorithm with the highest priority among the candidate algorithms as a target algorithm according to the security capability of the RAN entity.
Optionally, the establishing subunit 7031 may further include:
a first sending module 70311, configured to send a third message to the UE, where the third message includes a correspondence between a target algorithm and a second identifier, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier, so that the UE stores the correspondence between the target algorithm and the second identifier;
a receiving module 70312, configured to receive a response message of the third message sent by the UE;
a second sending module 70313, configured to send a radio bearer setup/handover request message to the UE, where the radio bearer setup/handover request message includes a radio bearer identifier of setup/handover and a corresponding relationship of the second identifier, so that the UE determines an algorithm used by the radio bearer setup/handover according to a corresponding relationship between the target algorithm and the second identifier.
Optionally, the establishing subunit 7031 may further include:
a third sending module 70314, configured to send a third message, where the third message includes a corresponding relationship between the target algorithm and the second identifier, and a corresponding relationship between an identifier of the RAN entity for establishing/switching the radio bearer and the second identifier, so that the UE determines, according to the corresponding relationship between the target algorithm and the second identifier, an algorithm used by the established/switched radio bearer, and the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier.
Optionally, the first obtaining unit 701 may further include:
a first receiving subunit 7011, configured to receive a second message sent by the session management function entity SMF, where the second message is used to establish an initial context.
Optionally, the first obtaining unit 701 may further include:
a second receiving subunit 7012, configured to receive a second message sent by the session management function entity SMF, where the second message is used to switch a session of the UE.
Optionally, the first obtaining unit 701 may further include:
a third receiving subunit 7013, configured to receive a second message sent by the source RAN entity, where the second message is used to switch a session of the UE.
In the embodiment of the application, in the process of establishing the initial context, when the security endpoint of the network is located at the wireless access network side, the wireless access network establishes the radio bearer according to the received target security policy, so that different services or different security requirements of users are met.
Referring to fig. 8, an embodiment of an access and mobility management functional entity in an embodiment of the present application includes:
an obtaining unit 801, configured to obtain a first message, where the first message is used to establish a session;
a first sending unit 802, configured to send a security policy request message to a security policy management function entity;
a first receiving unit 803, configured to receive a security policy response message, where the security policy response message includes a target security policy;
a second sending unit 804, configured to send the first message and also send the target security policy.
Optionally, the obtaining unit 801 may further include:
a receiving subunit 8011, configured to receive a first message, where the first message includes an access network type of the UE;
a determining subunit 8012, configured to determine an access network type of the UE;
the second sending unit 804 includes:
a first sending subunit 8041, configured to send the first message, and also send an access network type of the UE.
Optionally, the access and mobility management functional entity may further include:
a second receiving unit 805, configured to receive the first message and the security requirement of the UE;
a third sending unit 806, configured to send a security policy request message to the security policy management functional entity, where the security policy request message includes a security requirement of the UE;
a third receiving unit 807, configured to receive a security policy response message, where the security policy response message includes a target security policy, and the target security policy is determined by the policy control function entity according to the security requirement of the UE;
a fourth sending unit 808, configured to send the first message and also send the target security policy.
In the embodiment of the application, in the process of establishing the initial context, when the security endpoint of the network is located at the wireless access network side, the access and mobility management functional entity sends the target security policy to the wireless access network entity, so that different services or different security requirements of users are met.
Referring to fig. 9, another embodiment of a radio access network entity in the embodiment of the present application includes:
a decision unit 901, configured to decide to initiate a handover procedure for a UE;
a sending unit 902, configured to send a first message to a target RAN entity, where the first message is used to request handover, and the first message includes a target security policy for the UE, or the handover request includes a first identifier for the UE and a corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier.
Optionally, the radio access network entity may further include:
a determining unit 903, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the highest security policy among the target security policies of the UE stored by the source RAN entity, or the target security policy of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
Optionally, the determining unit 903 may further include:
a first determining subunit 9031, configured to determine, according to a measurement report, a candidate RAN entity meeting the signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
a second determining subunit 9032, configured to determine, among the candidate RAN entities, a RAN entity that conforms to the first security policy as a target RAN entity.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the source wireless access network sends the received target security policy to the target wireless access network, so that different services or different security requirements of users are met.
Referring to fig. 10, another embodiment of a radio access network entity in the embodiment of the present application includes:
a first obtaining unit 1001, configured to obtain a first message and a target security policy, where the first message is used to request to switch a session of a UE;
a determining unit 1002, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 1003, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE.
Optionally, the radio access network entity may further include:
a second obtaining unit 1004, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
Optionally, the first obtaining unit 1001 may further include:
a first receiving subunit 10011, configured to receive a first message sent by a source RAN entity, where the first message is used to request to switch a session of a UE, and the first message includes a target security policy;
or, configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch a session of the UE, and the first message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier.
Optionally, the first obtaining unit 1001 may further include:
a second receiving subunit 10012, configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch a session of the UE;
a first sending subunit 10013, configured to send a security policy request message to a first core network entity;
the third receiving subunit 10014 is configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes a target security policy, and the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF.
Optionally, the first obtaining unit 1001 may further include:
a fourth receiving subunit 10015, configured to receive a first message sent by the source RAN entity, where the first message is used to request to switch a session of the UE;
a second sending subunit 10016, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, or a media stream identifier, and the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF;
a fifth receiving subunit 10017 is configured to receive a security policy response message sent by the SMF, where the security policy response message includes the first identifier and the corresponding target security policy.
Optionally, the radio access network entity may further include:
a sending unit 1005, configured to send the received target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the stored security policy of the UE, where the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF;
or, configured to send the received first identifier and the corresponding target security policy to the first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier of the UE, where the first core network entity is a session management function entity SMF or an access and mobility management function entity AMF.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the target wireless access network establishes the wireless bearer according to the received target security policy, so that different services or different security requirements of users are met.
Referring to fig. 11, an embodiment of a core network entity in the embodiment of the present application includes:
a first receiving unit 1101, configured to receive a target security policy for a user equipment UE sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover procedure;
a first verifying unit 1102, configured to verify whether the target security policy is correct according to the saved security policy of the UE.
Optionally, the core network entity may further include:
a second receiving unit 1103, configured to receive a first identifier sent by a target RAN entity and a target security policy corresponding to the first identifier, where the first identifier and the target security policy corresponding to the first identifier are obtained by the target RAN entity from a source RAN entity in a handover process;
and a second verifying unit 1104, configured to verify whether the target security policy corresponding to the first identifier is correct according to the relationship between the saved security policy and the identifier.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the core network entity sends the target security policy to the wireless access network entity, so that different services or different security requirements of users are met.
Referring to fig. 12, another embodiment of a core network entity in the embodiment of the present application includes:
a first receiving unit 1201, configured to receive a target security policy for a user equipment UE, sent by a target radio access network RAN entity, where the target security policy is obtained by the target RAN entity from a source RAN entity in a handover process;
a first verifying unit 1202, configured to verify whether the target security policy is correct according to the saved security policy of the UE.
Optionally, the core network entity may further include:
a second receiving unit 1203, configured to receive the first identifier sent by the target RAN entity and a target security policy corresponding to the first identifier, where the target security policy corresponding to the first identifier and the first identifier are obtained by the target RAN entity from the source RAN entity in a handover process;
the second verifying unit 1204 is configured to verify whether the target security policy corresponding to the first identifier is correct according to the relationship between the stored security policy and the identifier.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the core network entity sends the target security policy to the wireless access network entity, so that different services or different security requirements of users are met.
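The handover exchange of figs. 9 to 12, traced end to end as an added example in Python (not the patent's code): the source RAN carries the per-identifier target security policy in the first message, the target RAN derives the ciphering/integrity setting of each bearer from it, and the core network entity (SMF or AMF) checks every forwarded policy against what it saved for the UE. The policy encoding, the message dictionaries, the bearer identifiers and the UE/session identifiers are constructed for illustration; the page does not say what the target RAN does after a negative verdict, so the example only returns it.

```python
"""Session handover with the target security policy carried from the source
RAN and verified at the core (figs. 9 to 12). Added example, not the patent's
own code; message shapes and identifiers are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    # Assumed encoding of the "encryption and/or integrity protection policy".
    ciphering: bool
    integrity: bool


# What the core network entity (SMF or AMF) saved for the UE when each session
# was established. Constructed sample, keyed by UE id, then by first identifier.
CORE_STORED_POLICIES: Dict[str, Dict[str, SecurityPolicy]] = {
    "ue-1": {
        "pdu-session-1": SecurityPolicy(ciphering=True, integrity=True),
        "pdu-session-2": SecurityPolicy(ciphering=True, integrity=False),
    }
}


def build_handover_request(ue_id: str, policies: Dict[str, SecurityPolicy]) -> dict:
    """Source RAN (sending unit 902): the first message carries, per first
    identifier, the target security policy the source RAN holds for the UE."""
    return {"type": "HANDOVER_REQUEST", "ue_id": ue_id, "policies": dict(policies)}


def target_ran_establish_bearers(request: dict) -> Dict[str, dict]:
    """Target RAN (units 1002/1003): derive the ciphering/integrity setting of
    each session from the received policy and set up one radio bearer per
    first identifier. The DRB-n bearer identifiers are an assumption."""
    bearers: Dict[str, dict] = {}
    for n, (first_id, policy) in enumerate(sorted(request["policies"].items()), start=1):
        bearers[f"DRB-{n}"] = {
            "first_identifier": first_id,
            "ciphering": policy.ciphering,
            "integrity": policy.integrity,
        }
    return bearers


def build_verify_request(request: dict) -> dict:
    """Target RAN (sending unit 1005): forward the received identifiers and
    their policies to the core network entity for verification."""
    return {
        "type": "SECURITY_POLICY_VERIFY",
        "ue_id": request["ue_id"],
        "policies": dict(request["policies"]),
    }


def core_verify(stored: Dict[str, Dict[str, SecurityPolicy]], verify_request: dict) -> Dict[str, bool]:
    """Core network entity (verifying units 1102/1104): a forwarded policy is
    correct only if it equals the saved policy for the same identifier. An
    identifier the core never saved a policy for is reported as incorrect, so
    a policy that was weakened or invented on the way is caught here."""
    saved = stored.get(verify_request["ue_id"], {})
    return {
        first_id: saved.get(first_id) == received
        for first_id, received in verify_request["policies"].items()
    }


def run_handover(
    ue_id: str,
    source_policies: Dict[str, SecurityPolicy],
    stored: Dict[str, Dict[str, SecurityPolicy]] = CORE_STORED_POLICIES,
) -> Tuple[Dict[str, dict], Dict[str, bool]]:
    """Whole exchange: returns the bearers the target RAN set up and the
    core's per-identifier verdict."""
    request = build_handover_request(ue_id, source_policies)
    bearers = target_ran_establish_bearers(request)
    verdict = core_verify(stored, build_verify_request(request))
    return bearers, verdict


if __name__ == "__main__":
    honest = CORE_STORED_POLICIES["ue-1"]
    # Constructed case: integrity dropped from pdu-session-1 before forwarding.
    tampered = {**honest, "pdu-session-1": SecurityPolicy(ciphering=True, integrity=False)}
    print("honest  :", run_handover("ue-1", honest)[1])
    print("tampered:", run_handover("ue-1", tampered)[1])
```

The check is a plain equality per identifier, so the same routine serves both variants of unit 1005: a single policy for the UE is just a one-entry mapping.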
Referring to fig. 13, another embodiment of a radio access network entity in the embodiment of the present application includes:
a decision unit 1301, configured to decide to initiate a handover process for a UE;
a sending unit 1302, configured to send a first message to a session management function entity SMF, where the first message is used to request to switch a session of a UE, and the first message includes a target security policy for the UE, or the switching request includes a first identifier for the UE and a corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier, a radio bearer identifier, and a media stream identifier.
Optionally, the radio access network entity may further include:
a determining unit 1303, configured to determine a target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the highest security policy among the target security policies of the UE stored by the source RAN entity, or the target security policy of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
Optionally, the determining unit 1303 may further include:
a first determining subunit 13031, configured to determine, according to a measurement report, a candidate RAN entity meeting the signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
a second determining subunit 13032, configured to determine, among the candidate RAN entities, a RAN entity that conforms to the first security policy as a target RAN entity.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the source wireless access network sends the received target security policy to the target wireless access network, so that different services or different security requirements of users are met.
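The two-step target selection of determining units 903 and 1303 (subunits 9031/9032 and 13031/13032, and claims 2 and 3), shown below as an added worked example in Python; it is not code from the patent. The encoding of a security policy as a pair of ciphering/integrity requirements, the ordering that makes the "highest" policy the one requiring every protection any session requires, the RSRP-style signal quality values, and the assumption that the source RAN knows each candidate's security capability (for example from the capability it broadcasts, as in fig. 16) are all assumptions of the example.

```python
"""Source-RAN target selection for handover (fig. 9 / fig. 13, claims 2-3).

Added example, not code from the patent. Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """Target security policy for one session/slice/media stream.

    Assumed encoding: whether user-plane ciphering and whether integrity
    protection are required (the page calls this the "encryption and/or
    integrity protection policy").
    """
    ciphering: bool
    integrity: bool

    def is_satisfied_by(self, capability: "SecurityPolicy") -> bool:
        # A RAN entity conforms to a policy if it can provide every
        # protection the policy requires.
        return (capability.ciphering or not self.ciphering) and (
            capability.integrity or not self.integrity
        )


def highest_security_policy(policies: Dict[str, SecurityPolicy]) -> SecurityPolicy:
    """The "highest" of the target security policies stored for the UE.

    Assumed ordering: a policy is higher when it requires a superset of
    protections, so the highest policy requires every protection that any
    of the UE's sessions requires.
    """
    if not policies:
        raise ValueError("no target security policy stored for this UE")
    return SecurityPolicy(
        ciphering=any(p.ciphering for p in policies.values()),
        integrity=any(p.integrity for p in policies.values()),
    )


def select_target_ran(
    measurement_report: Dict[str, float],
    ran_capabilities: Dict[str, SecurityPolicy],
    first_policy: SecurityPolicy,
    min_signal_quality: float,
) -> Optional[str]:
    """Two-step selection of subunits 9031/9032 (13031/13032).

    measurement_report: candidate RAN id -> signal quality (assumed RSRP, dBm).
    ran_capabilities: candidate RAN id -> protections it can provide
    (assumed known to the source RAN, e.g. from the broadcast capability).
    Returns the strongest conforming candidate, or None when no candidate
    that meets the signal quality requirement conforms to the policy.
    """
    # Step 1: candidates that meet the signal quality requirement.
    good_signal = {
        ran_id: quality
        for ran_id, quality in measurement_report.items()
        if quality >= min_signal_quality
    }
    # Step 2: among those, only RAN entities that conform to the first policy.
    conforming = [
        ran_id
        for ran_id in good_signal
        if ran_id in ran_capabilities
        and first_policy.is_satisfied_by(ran_capabilities[ran_id])
    ]
    if not conforming:
        return None
    return max(conforming, key=lambda ran_id: good_signal[ran_id])


# Constructed sample data (not from the page).
STORED_POLICIES = {
    "pdu-session-1": SecurityPolicy(ciphering=True, integrity=False),
    "pdu-session-2": SecurityPolicy(ciphering=True, integrity=True),
}
MEASUREMENT_REPORT = {"gNB-A": -75.0, "gNB-B": -88.0, "gNB-C": -104.0}
RAN_CAPABILITIES = {
    "gNB-A": SecurityPolicy(ciphering=True, integrity=False),
    "gNB-B": SecurityPolicy(ciphering=True, integrity=True),
    "gNB-C": SecurityPolicy(ciphering=True, integrity=True),
}
MIN_SIGNAL_QUALITY = -100.0


def demo() -> Optional[str]:
    """gNB-A has the best signal but cannot provide integrity protection,
    which pdu-session-2 requires, so the handover target is gNB-B."""
    first_policy = highest_security_policy(STORED_POLICIES)
    return select_target_ran(
        MEASUREMENT_REPORT, RAN_CAPABILITIES, first_policy, MIN_SIGNAL_QUALITY
    )


if __name__ == "__main__":
    print("target RAN:", demo())
```

Raising the signal threshold so that only gNB-A qualifies makes the function return None: the source RAN then has no target that conforms to the policy, rather than a target that silently lowers protection.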
Referring to fig. 14, another embodiment of a radio access network entity in the embodiment of the present application includes:
an obtaining unit 1401, configured to obtain a second message, where the second message is used to request to switch a session of a UE, and the second message includes a target security policy;
a determining unit 1402, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy;
an establishing unit 1403, configured to establish a radio bearer according to the determined ciphering and/or integrity protection policy of the UE.
Optionally, the obtaining unit 1401 may further include:
a receiving subunit 14011, configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch a session of the UE, and the second message includes a target security policy; or, configured to receive a second message sent by the session management function entity SMF, where the second message is used to request to switch a session of the UE, and the second message includes a first identifier and a corresponding target security policy, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the target wireless access network establishes the wireless bearer according to the received target security policy, so that different services or different security requirements of users are met.
Referring to fig. 15, another embodiment of the session management function entity in the embodiment of the present application includes:
an obtaining unit 1501, configured to obtain a first message of a user equipment UE, where the first message is used to request to switch a session of the UE;
a sending unit 1502 is configured to send a second message to a target radio access network RAN entity of the UE, where the second message is used to request a session handover of the UE, and the second message includes a target security policy, and the target security policy is used for the target RAN entity to determine an encryption and/or integrity protection policy of the UE.
Optionally, the obtaining unit 1501 may further include:
a first receiving subunit 15011, configured to receive a first message sent by the source base station to which the UE is attached, where the SMF receives the target security policy together with the first message;
or, configured to receive a first message sent by the source base station to which the UE is attached, and to obtain the target security policy stored by the SMF.
Optionally, the obtaining unit 1501 may further include:
a second receiving subunit 15012, configured to receive the first message sent by the source base station to which the UE is attached, and receive a target RAN entity type of the UE while receiving the first message;
a sending subunit 15013, configured to send a security policy request message to the security policy management functional entity, where the security policy request message includes a target RAN entity type of the UE, so that the security policy management functional entity determines security endpoint information of a session to be switched according to the target RAN entity type of the UE;
a third receiving subunit 15014, configured to receive a security policy response message sent by the security policy management function entity, where the security policy response message includes a target security policy, and the target security policy includes security endpoint information of a session to be established for the UE.
Optionally, the obtaining unit 1501 may further include:
a fourth receiving subunit 15015, configured to receive the first message sent by the source base station to which the UE is attached, and receive the target RAN entity type of the UE while receiving the first message;
a determining subunit 15016, configured to determine security endpoint information of the session to be established for the UE according to the target RAN entity type of the UE.
In the embodiment of the application, in the process of switching the UE session, when the security endpoint of the network is located at the wireless access network side, the session management functional entity sends the target security policy to the wireless access network entity, thereby meeting different services or different security requirements of users.
Referring to fig. 16, an embodiment of a user equipment in an embodiment of the present application includes:
a first receiving unit 1601, configured to receive a correspondence between a second identifier and a target algorithm sent by a first radio access network RAN entity, and to receive a correspondence between the identifier of the radio bearer established/handed over by the RAN entity and the second identifier, where the second identifier is any one of a session identifier, a slice identifier, a media stream identifier, and a radio bearer identifier;
a first determining unit 1602, configured to determine an algorithm used by the established/switched radio bearer according to a correspondence between the algorithm and the second identifier.
Optionally, the user equipment may further include:
a second receiving unit 1603, configured to receive a third message sent by the first RAN entity, where the third message includes a correspondence between the second identifier and the target algorithm;
a storage unit 1604, configured to store a corresponding relationship between the target algorithm and the second identifier;
a third receiving unit 1605, configured to receive a request message for establishing/switching a radio bearer, which is sent by the first RAN entity, where the request message for establishing/switching the radio bearer includes a corresponding relationship between an identifier of the radio bearer that is established/switched and the second identifier;
and a second determining unit, configured to determine an algorithm used by the established/switched radio bearer according to a corresponding relationship between the target algorithm and the second identifier.
Optionally, the user equipment may further include:
a fifth receiving unit 1607, configured to receive a third message sent by the first RAN entity, where the third message includes a corresponding relationship between the second identifier and the target algorithm and a corresponding relationship between the radio bearer identifier established/switched by the first RAN entity and the second identifier;
a third determining unit 1608, configured to determine an algorithm used by the established/handed over radio bearer according to the corresponding relationship between the target algorithm and the second identifier.
Optionally, the user equipment may further include:
a sending unit 1609, configured to send a reject message for the third message to the first RAN entity when the UE rejects the target algorithm, after which the UE enters an idle state;
a selecting unit 1610 configured to select a second RAN entity from the candidate RANs;
an establishing unit 1611, configured to establish a connection with the second RAN entity.
Optionally, the user equipment may further include:
a fourth receiving unit 1612, configured to receive the security capability information broadcast by the RAN entity;
a fourth determining unit 1613, configured to determine the first RAN entity or the second RAN entity according to the capability of the RAN entity and the security requirement of the UE.
In the embodiment of the application, when the security endpoint of the network is located at the wireless access network side, the user equipment establishes the radio bearer with the wireless access network entity according to the obtained target security policy, so that different services or different security requirements of users are met.
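The UE-side behaviour of fig. 16, as an added example in Python rather than code from the patent: the UE stores the second-identifier-to-algorithm correspondence from the third message, resolves each radio bearer's algorithm through the bearer-to-second-identifier correspondence, rejects the third message and goes idle when a target algorithm is unacceptable, and then picks a second RAN entity from broadcast security capabilities. The representation of the UE's security requirement as the set of algorithm names it accepts (here excluding the null algorithms), the NEA/NIA algorithm names, the message shapes and the identifiers are assumptions of the example.

```python
"""UE side of fig. 16: resolve each radio bearer's algorithm through the
second identifier, reject an unacceptable target algorithm, and reselect a
RAN entity from broadcast security capabilities. Added example, not the
patent's code; data shapes and names are assumptions."""
from typing import Dict, Optional, Set, Tuple

Algorithm = Dict[str, str]        # e.g. {"ciphering": "NEA2", "integrity": "NIA2"}
Capability = Dict[str, Set[str]]  # e.g. {"ciphering": {"NEA2"}, "integrity": {"NIA2"}}
KINDS = ("ciphering", "integrity")


class UserEquipment:
    def __init__(self, security_requirement: Capability) -> None:
        # Assumed form of the UE's security requirement: the algorithm names
        # it accepts for each protection kind.
        self.security_requirement = security_requirement
        self.algorithm_by_second_id: Dict[str, Algorithm] = {}  # storage unit 1604
        self.second_id_by_rb: Dict[str, str] = {}
        self.state = "CONNECTED"

    def _acceptable(self, algorithm: Algorithm) -> bool:
        return all(algorithm[kind] in self.security_requirement[kind] for kind in KINDS)

    def receive_third_message(self, correspondence: Dict[str, Algorithm]) -> Optional[dict]:
        """Third message: second identifier -> target algorithm (units 1603/1604).
        Returns None when accepted, else the reject message to send (unit 1609)."""
        rejected = {sid: alg for sid, alg in correspondence.items() if not self._acceptable(alg)}
        if rejected:
            self.state = "IDLE"
            return {"type": "THIRD_MESSAGE_REJECT", "rejected": rejected}
        self.algorithm_by_second_id.update(correspondence)
        return None

    def receive_rb_setup(self, rb_to_second_id: Dict[str, str]) -> Dict[str, Algorithm]:
        """Radio bearer setup/handover request: RB id -> second identifier
        (unit 1605). Resolves each bearer's algorithm (second determining unit)."""
        resolved: Dict[str, Algorithm] = {}
        for rb_id, second_id in rb_to_second_id.items():
            if second_id not in self.algorithm_by_second_id:
                raise KeyError(f"{rb_id}: no target algorithm stored for {second_id}")
            self.second_id_by_rb[rb_id] = second_id
            resolved[rb_id] = self.algorithm_by_second_id[second_id]
        return resolved

    def select_ran(self, broadcasts: Dict[str, Capability]) -> Optional[str]:
        """Units 1612/1613 and 1610: pick a RAN entity whose broadcast
        capability offers an acceptable algorithm for both protection kinds."""
        for ran_id, capability in broadcasts.items():
            if all(capability[kind] & self.security_requirement[kind] for kind in KINDS):
                return ran_id
        return None


# Constructed sample data; NEA/NIA names are used only as illustration.
UE_REQUIREMENT: Capability = {
    "ciphering": {"NEA1", "NEA2", "NEA3"},
    "integrity": {"NIA1", "NIA2", "NIA3"},
}
THIRD_MESSAGE_OK = {
    "pdu-session-1": {"ciphering": "NEA2", "integrity": "NIA2"},
    "pdu-session-2": {"ciphering": "NEA1", "integrity": "NIA1"},
}
THIRD_MESSAGE_NULL = {"pdu-session-1": {"ciphering": "NEA0", "integrity": "NIA2"}}
RB_SETUP = {"DRB-1": "pdu-session-1", "DRB-2": "pdu-session-2", "DRB-3": "pdu-session-1"}
BROADCASTS = {
    "gNB-X": {"ciphering": {"NEA0"}, "integrity": {"NIA0"}},
    "gNB-Y": {"ciphering": {"NEA0", "NEA2"}, "integrity": {"NIA2"}},
}


def demo_accept() -> Dict[str, Algorithm]:
    """Two bearers bound to the same session share its algorithm."""
    ue = UserEquipment(UE_REQUIREMENT)
    assert ue.receive_third_message(THIRD_MESSAGE_OK) is None
    return ue.receive_rb_setup(RB_SETUP)


def demo_reject() -> Tuple[Optional[dict], str, Optional[str]]:
    """Null ciphering is refused; the UE goes idle and picks gNB-Y."""
    ue = UserEquipment(UE_REQUIREMENT)
    reject = ue.receive_third_message(THIRD_MESSAGE_NULL)
    return reject, ue.state, ue.select_ran(BROADCASTS)


if __name__ == "__main__":
    print(demo_accept())
    print(demo_reject())
```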
Fig. 6 to fig. 16 describe the relevant devices in the embodiment of the present application in detail from the perspective of the modular functional entity, and the following describes the relevant devices in the embodiment of the present application in detail from the perspective of the hardware processing.
Fig. 17a is a schematic structural diagram of a user equipment according to an embodiment of the present application. In the case of integrated units, fig. 17a shows a possible structure of the user equipment involved in the above embodiments. The user equipment 1700 includes a processing unit 1702 and a communication unit 1703. The processing unit 1702 is configured to control and manage the actions of the user equipment; for example, the processing unit 1702 is configured to enable the user equipment to perform steps 201-203 in fig. 2 and/or other processes for the techniques described herein. The communication unit 1703 is configured to support communication of the user equipment with other network entities. The user equipment may further comprise a storage unit 1701 for storing program code and data of the user equipment.
The processing unit 1702 may be a processor or a controller, such as a central processing unit (CPU), a general purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing devices, e.g., one or more microprocessors, or a DSP together with a microprocessor. The communication unit 1703 may be a communication interface, a transceiver circuit, etc., where "communication interface" is a general term that may cover one or more interfaces, such as a transceiver interface. The storage unit 1701 may be a memory.
When the processing unit 1702 is a processor, the communication unit 1703 is a communication interface, and the storage unit 1701 is a memory, the user equipment according to the embodiment of the present application may be the user equipment shown in fig. 17b.
Referring to fig. 17b, the user device 1710 includes: a processor 1712, a communication interface 1713, and a memory 1711. Optionally, user device 1710 may also include bus 1714. The communication interface 1713, the processor 1712, and the memory 1711 may be connected to each other via a bus 1714; the bus 1714 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus 1714 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 17b, but this does not indicate only one bus or one type of bus.
Referring to fig. 18, fig. 18 is a schematic structural diagram of a functional entity apparatus 1800, whose structure may vary considerably with configuration and performance. It may include one or more central processing units (CPUs) 1801 (e.g., one or more processors), a memory 1809, and one or more storage media 1808 (e.g., one or more mass storage devices) for storing an application 1807 or data 1806. The memory 1809 and the storage medium 1808 may be transient or persistent storage. The program stored in the storage medium 1808 may include one or more modules (not shown), each of which may include a sequence of instructions operating on the server. Further, the processor 1801 may be configured to communicate with the storage medium 1808 to execute, on the functional entity apparatus 1800, the series of instruction operations stored in the storage medium 1808.
The functional entity apparatus 1800 may also include one or more power supplies 1804, one or more wired or wireless network interfaces 1803, one or more input-output interfaces 1804, and/or one or more operating systems 1805, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD™, and so forth.
The steps performed by the functional entities such as the RAN entity, the access and mobility management functional entity, the session management functional entity, and the core network entity in the above embodiments may be based on the structure shown in fig. 18.
The steps of a method or algorithm described in connection with the disclosure of the embodiments of the application may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules that may be stored in random access memory (RAM), flash memory, read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, the part of it that contributes to the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

Claims (19)

1. A method for processing a security policy, comprising:
a source RAN entity decides to initiate a handover procedure for a user equipment (UE);
the source RAN entity sends a first message to a target RAN entity based on a security endpoint of a session, where the first message is used for requesting handover of a session of the UE, the first message includes a target security policy for the UE, or the first message includes a first identifier for the UE and a corresponding target security policy, the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier, and the target security policy is used for determining an encryption and/or integrity protection policy of the UE.
2. The processing method according to claim 1, wherein after the source RAN entity decides to initiate the handover procedure for the UE and before the source RAN entity sends the first message to the target RAN entity, the method further comprises:
the source RAN entity determines the target RAN entity according to a first security policy and a measurement report of the UE, where the first security policy is the target security policy of the UE stored by the source RAN entity, or the highest of the target security policies of the UE stored by the source RAN entity, and the measurement report includes signal quality information of candidate RAN entities.
3. The processing method of claim 2, wherein the determining, by the source RAN entity, of the target RAN entity among the candidate RAN entities according to the first security policy and the measurement report of the UE comprises:
the source RAN entity determines, according to the measurement report, the candidate RAN entities that meet a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entities;
the source RAN entity determines, among the candidate RAN entities, a RAN entity that meets the first security policy as the target RAN entity.
4. A method for processing a security policy, comprising:
if a target RAN entity is a security endpoint of a session, the target RAN entity obtains a first message and a target security policy, where the first message is used for requesting handover of the session of a UE;
the target RAN entity determines an encryption and/or integrity protection policy of the UE according to the target security policy;
and the target RAN entity establishes a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
5. The processing method of claim 4, further comprising:
the target RAN entity further obtains a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, or a media stream identifier.
6. The processing method of claim 4, wherein the obtaining of the first message and the target security policy by the target RAN entity comprises:
the target RAN entity receives a first message sent by a source RAN entity, where the first message is used for requesting handover of a session of the UE, and the first message includes the target security policy;
or,
the target RAN entity receives a first message sent by a source RAN entity, where the first message is used for requesting handover of a session of the UE, the first message includes a first identifier and a corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier.
7. The processing method of claim 4, wherein the obtaining of the first message and the target security policy by the target RAN entity comprises:
the target RAN entity receives a first message sent by a source RAN entity, wherein the first message is used for requesting to switch a session of UE;
the target RAN entity sends a security policy request message to a first core network entity;
the target RAN entity receives a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is a first entity or a second entity.
8. The processing method of claim 4, wherein the obtaining of the first message and the target security policy by the target RAN entity comprises:
the target RAN entity receives a first message sent by a source RAN entity, wherein the first message is used for requesting to switch a session of UE;
the target RAN entity sends a security policy request to a first core network entity, wherein the security policy request comprises a first identifier, the first identifier comprises any one of a slice identifier, a session identifier or a media stream identifier, and the first core network entity is a first entity or a second entity;
and the target RAN entity receives a security policy response message sent by the first entity, wherein the security policy response message comprises the first identifier and a corresponding target security policy.
9. The processing method according to claim 4, wherein after the target RAN entity obtains the first message and the target security policy, the method further comprises:
the target RAN entity sends the target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE, where the first core network entity is a first entity or a second entity;
or,
the target RAN entity sends the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the saved relationship between the security policy and the identifier of the UE, where the first core network entity is a first entity or a second entity.
10. A source radio access network entity, comprising:
a decision unit, configured to decide to initiate a handover procedure for a user equipment (UE);
a sending unit, configured to send a first message to a target RAN entity based on a security endpoint of a session, where the first message is used for requesting handover of a session of the UE, the first message includes a target security policy for the UE, or includes a first identifier for the UE and a corresponding target security policy, the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier, and the target security policy is used for determining an encryption and/or integrity protection policy of the UE.
11. The source radio access network entity of claim 10, wherein the source radio access network entity further comprises:
a determining unit, configured to determine a target RAN entity according to a first security policy and a measurement report of a UE, where the first security policy is a highest security policy of a target security policy of the UE stored by a source radio access network entity or the target security policy of the UE stored by the source radio access network entity, and the measurement report includes signal quality information of candidate RAN entities.
12. The source radio access network entity of claim 11, wherein the determining unit comprises:
a first determining subunit, configured to determine, according to the measurement report, a candidate RAN entity meeting a signal quality requirement, where the measurement report includes signal quality information of the candidate RAN entity;
a second determining subunit, configured to determine, among the candidate RAN entities, a RAN entity that meets the first security policy as a target RAN entity.
13. A target radio access network entity, comprising:
a first obtaining unit, configured to obtain a first message and a target security policy if the target radio access network entity is a security endpoint of a session, where the first message is used for requesting handover of the session of a UE;
a determining unit, configured to determine an encryption and/or integrity protection policy of the UE according to the target security policy;
and an establishing unit, configured to establish a radio bearer according to the determined encryption and/or integrity protection policy of the UE.
14. The target radio access network entity of claim 13, wherein the target radio access network entity further comprises:
and a second obtaining unit, configured to obtain a first identifier, where the first identifier includes any one of a session identifier, a slice identifier, and a media stream identifier.
15. The target radio access network entity of claim 13, wherein the first obtaining unit comprises:
a first receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used for requesting handover of a session of the UE, and the first message includes the target security policy;
or,
a first receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used for requesting handover of a session of the UE, the first message includes a first identifier and a corresponding target security policy, and the first identifier includes any one of a session identifier, a slice identifier or a media stream identifier.
16. The target radio access network entity of claim 13, wherein the first obtaining unit comprises:
a second receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request to switch a session of a UE;
a first sending subunit, configured to send a security policy request message to a first core network entity;
a third receiving subunit, configured to receive a security policy response message sent by the first core network entity, where the security policy response message includes the target security policy, and the first core network entity is the first entity or the second entity.
17. The target radio access network entity of claim 13, wherein the first obtaining unit comprises:
a fourth receiving subunit, configured to receive a first message sent by a source RAN entity, where the first message is used to request to switch a session of a UE;
a second sending subunit, configured to send a security policy request to a first core network entity, where the security policy request includes a first identifier, the first identifier includes any one of a slice identifier, a session identifier, and a media stream identifier, and the first core network entity is a first entity or a second entity;
a fifth receiving subunit, configured to receive a security policy response message sent by the first entity, where the security policy response message includes the first identifier and a corresponding target security policy.
18. The target radio access network entity of claim 13, wherein the target radio access network entity further comprises:
a sending unit, configured to send the target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy is correct according to the saved security policy of the UE, where the first core network entity is a first entity or a second entity;
or,
a sending unit, configured to send the received first identifier and the corresponding target security policy to a first core network entity, so that the first core network entity verifies whether the target security policy corresponding to the first identifier is correct according to the stored relationship between the security policy and the identifier of the UE, where the first core network entity is a first entity or a second entity.
19. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1-9.
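Worked example of the exchange in claims 1 through 9, added here by the editor; it is not code from the patent or from any Huawei implementation. It simulates the source RAN choosing a target cell from a measurement report while honouring the UE's highest stored security policy (claims 2 and 3), the first message carrying the first identifier and its target security policy (claim 1), and the target RAN obtaining the policy either from that message (claim 6) or from the first core network entity (claims 7 and 8), then verifying it with the core network (claim 9) before it derives the encryption/integrity protection policy and sets up the radio bearer (claim 4). Everything not stated in the claims is an assumption made for the example: a security policy is encoded as two booleans (ciphering required, integrity required), "highest" means the policy with the most protections enabled, signal quality is a constructed RSRP value per candidate with an arbitrary threshold, messages are plain dictionaries, and a target RAN that fails the claim 9 check refuses to build the bearer (the claims say only that the core network verifies the policy). The names `SecurityPolicy`, `RanEntity`, `CoreNetwork`, `select_target`, `target_handle` and `run_demo` are the example's own.

```python
"""Handover security-policy handling modelled on claims 1-9 (illustrative only).

Added by the editor; not from the patent or from Huawei. Policy encoding,
RSRP threshold and message layout are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """Assumed encoding: is user-plane ciphering / integrity protection required?
    'Highest' policy (claim 2) is taken to mean the most protections enabled."""
    ciphering: bool
    integrity: bool

    def rank(self) -> int:
        return int(self.ciphering) + int(self.integrity)


def highest(policies: Iterable[SecurityPolicy]) -> Optional[SecurityPolicy]:
    """Claim 2: the highest of the UE's target security policies stored at the source."""
    return max(policies, key=SecurityPolicy.rank, default=None)


@dataclass
class RanEntity:
    name: str
    supports: SecurityPolicy  # strongest protection this node can apply (assumption)
    # (UE, first identifier; a session identifier here) -> target security policy
    stored: Dict[Tuple[str, str], SecurityPolicy] = field(default_factory=dict)

    def can_satisfy(self, policy: SecurityPolicy) -> bool:
        return ((self.supports.ciphering or not policy.ciphering)
                and (self.supports.integrity or not policy.integrity))


def select_target(source: RanEntity, ue: str, report: Dict[str, float],
                  candidates: List[RanEntity], min_rsrp_dbm: float = -110.0
                  ) -> Optional[RanEntity]:
    """Claims 2-3: keep candidates whose signal quality (report maps candidate
    name -> RSRP in dBm) is adequate, then take the best-signal candidate that
    can meet the first security policy. Returns None if no cell qualifies."""
    first_policy = highest(p for (u, _), p in source.stored.items() if u == ue)
    if first_policy is None:
        return None
    usable = [c for c in candidates if report.get(c.name, float("-inf")) >= min_rsrp_dbm]
    for cand in sorted(usable, key=lambda c: report[c.name], reverse=True):
        if cand.can_satisfy(first_policy):
            return cand
    return None


class CoreNetwork:
    """The 'first core network entity' of claims 7-9: authoritative
    (UE, first identifier) -> security policy table."""

    def __init__(self, table: Dict[Tuple[str, str], SecurityPolicy]) -> None:
        self.table = dict(table)

    def security_policy_response(self, ue: str, first_identifier: str) -> SecurityPolicy:
        return self.table[(ue, first_identifier)]  # claims 7-8

    def verify(self, ue: str, first_identifier: str, policy: SecurityPolicy) -> bool:
        return self.table.get((ue, first_identifier)) == policy  # claim 9


def handover_request(source: RanEntity, ue: str, session_id: str) -> dict:
    """Claim 1 'first message': first identifier plus its target security policy."""
    return {"type": "HANDOVER_REQUEST", "ue": ue, "first_identifier": session_id,
            "target_security_policy": source.stored[(ue, session_id)]}


def target_handle(target: RanEntity, core: CoreNetwork, msg: dict,
                  trust_source_policy: bool) -> Tuple[Optional[dict], bool]:
    """Claims 4-9 at the target. The policy comes from the first message (claim 6)
    or from a core-network query (claims 7-8); it is verified with the core
    (claim 9) before the radio bearer is configured (claim 4)."""
    ue, sid = msg["ue"], msg["first_identifier"]
    if trust_source_policy and msg.get("target_security_policy") is not None:
        policy = msg["target_security_policy"]
    else:
        policy = core.security_policy_response(ue, sid)
    if not core.verify(ue, sid, policy):
        return None, False  # assumption: a mismatching policy gets no bearer
    target.stored[(ue, sid)] = policy
    bearer = {"ue": ue, "session": sid,
              "ciphering": policy.ciphering, "integrity": policy.integrity}
    return bearer, True


def run_demo() -> dict:
    """Constructed scenario: one UE with two sessions, three candidate cells,
    and a handover request whose policy was downgraded in transit."""
    full = SecurityPolicy(True, True)
    cipher_only = SecurityPolicy(True, False)
    table = {("ue1", "pdu-1"): full, ("ue1", "pdu-2"): cipher_only}
    core = CoreNetwork(table)
    source = RanEntity("gnb-S", full, dict(table))
    cands = [RanEntity("gnb-A", cipher_only), RanEntity("gnb-B", full), RanEntity("gnb-C", full)]
    report = {"gnb-A": -80.0, "gnb-B": -95.0, "gnb-C": -120.0}  # constructed RSRP values
    target = select_target(source, "ue1", report, cands)  # gnb-A is strongest but too weak
    msg = handover_request(source, "ue1", "pdu-1")
    bearer, ok = target_handle(target, core, msg, trust_source_policy=True)
    tampered = dict(msg, target_security_policy=SecurityPolicy(False, False))
    _, tampered_ok = target_handle(target, core, tampered, trust_source_policy=True)
    via_core, core_ok = target_handle(target, core, dict(msg, target_security_policy=None),
                                      trust_source_policy=False)
    return {"target": target.name, "bearer": bearer, "ok": ok,
            "tampered_ok": tampered_ok, "via_core": via_core, "core_ok": core_ok}


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the demo result. The point of the tampered branch is the security-relevant one: when the policy travels inside the first message, the target RAN is trusting the source RAN, so the claim 9 verification against the core network's saved policy is what stops a downgraded policy (no ciphering, no integrity) from becoming the bearer configuration. Fetching the policy from the core network instead (claims 7 and 8) removes that dependence on the source RAN at the cost of an extra round trip during handover.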
CN201780065405.5A 2017-04-12 2017-04-12 Security policy processing method and related equipment Active CN109863772B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/080222 WO2018187961A1 (en) 2017-04-12 2017-04-12 Security policy processing method and related device

Publications (2)

Publication Number Publication Date
CN109863772A CN109863772A (en) 2019-06-07
CN109863772B true CN109863772B (en) 2021-06-01

Family

ID=63792190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780065405.5A Active CN109863772B (en) 2017-04-12 2017-04-12 Security policy processing method and related equipment

Country Status (2)

Country Link
CN (1) CN109863772B (en)
WO (1) WO2018187961A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023246457A1 (en) * 2022-06-25 2023-12-28 华为技术有限公司 Security decision negotiation method and network element

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499936B (en) * 2021-12-20 2024-02-09 广西壮族自治区公众信息产业有限公司 Cloud security policy management method based on network slicing
CN114374553A (en) * 2021-12-30 2022-04-19 中国电信股份有限公司 Time synchronization method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601943A (en) * 2003-09-25 2005-03-30 华为技术有限公司 Method of selecting safety communication algorithm
CN103188681A (en) * 2009-09-28 2013-07-03 华为技术有限公司 Data transmission method, device and system
CN104780540A (en) * 2008-03-28 2015-07-15 爱立信电话股份有限公司 Identification of a manipulated or defect base station during handover

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564513A (en) * 2004-04-02 2005-01-12 中兴通讯股份有限公司 Method of selecting encryption computation in mobile communication system
US8856890B2 (en) * 2007-02-09 2014-10-07 Alcatel Lucent System and method of network access security policy management by user and device
GB2454204A (en) * 2007-10-31 2009-05-06 Nec Corp Core network selecting security algorithms for use between a base station and a user device
CN101883346B (en) * 2009-05-04 2015-05-20 中兴通讯股份有限公司 Safe consultation method and device based on emergency call
CN102098676B (en) * 2010-01-04 2015-08-12 电信科学技术研究院 A kind of methods, devices and systems realizing integrity protection
CN102811468B (en) * 2011-06-01 2015-04-29 华为技术有限公司 Relay switch security protection method, base station and relay system
US9369872B2 (en) * 2013-03-14 2016-06-14 Vonage Business Inc. Method and apparatus for configuring communication parameters on a wireless device
CN106156645A (en) * 2015-03-30 2016-11-23 中兴通讯股份有限公司 Terminal data protection method, terminal and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant